News

11:08 AM
Connect Directly
RSS
E-Mail
50%
50%

Hacking Law Critics Demand Change After Swartz Suicide

Proposed legislation seeks to end felony charges related to 'unauthorized access,' but legal experts say bigger fixes are needed.

In the wake of the suicide of activist Aaron Swartz, numerous legal, privacy, and security experts have demanded that Congress rein in the Computer Fraud and Abuse Act (CFAA) to prevent prosecutors from treating minor crimes as felonies.

"The CFAA's vague language, broad reach, and harsh punishments combine to create a powerful weapon for overeager prosecutors to unleash on people they don't like," said Marcia Hofmann, a senior staff attorney at privacy rights group Electronic Frontier Foundation, in a blog post.

Swartz co-created the RSS 1.0 specification, helped establish Reddit, was widely respected for his campaigning for open access to information, and had long suffered from depression. He also faced a 35-year jail sentence after being arrested in 2011 on hacking charges, for allegedly using the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database.

Swartz, who in 2011 served as a fellow at the Harvard University Safra Center for Ethics, characterized the downloading as an act of civil disobedience, since many of the papers featured on JSTOR stemmed from publicly funded research. Prosecutors, however, charged Swartz with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer, and unauthorized access.

[ For more on Swartz's role in the debate over online content and copyright, see The Crying Need To Punish Cyber Crime Fairly. ]

In response, Rep. Zoe Lofgren (D-Calif.) Tues. proposed legislation that would "exclude certain violations of agreements or contractual obligations" from the CFAA. In effect, her bill would prevent someone from being prosecuted solely for violating a site's acceptable use policy or terms of service agreement.

"The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook," said Lofgren in a Reddit post. "In a single line: no longer would it be a felony to breach a contract."

Would Lofgren's proposed legislation truly reform CFAA? "The Swartz case does point to a serious problem with the Computer Fraud and Abuse Act," said Orin S. Kerr, a professor of law at the George Washington University Law School, in a blog post that recommends specific changes to the CFAA.

But, he said, a fix requires more than altering the "unacceptable access" provisions of CFAA -- which by the way is already likely to happen via a case involving David Nosal being reviewed by the Supreme Court. "The problem raised by the Swartz case is one I've been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly."

Many people have also accused federal prosecutors in the Swartz case of acting inappropriately. "The charges were ridiculous and trumped-up," Rep. Jared Polis (D-Colo.) told The Hill. "It's absurd that he was made a scapegoat. I would hope that this doesn't happen to anyone else."

Furthermore, attorney Lawrence Lessig -- who runs Harvard's Safra Center for Ethics -- said that JSTOR officials requested that the U.S. government not prosecute Swartz. JSTOR likewise released an undated statement noting that Swartz returned all copies of the documents he'd downloaded, and said it had settled any civil claims against him as of June 2011. MIT, however, reportedly declined to request that prosecutors not pursue charges against Swartz, who allegedly accessed JSTOR after breaking into a server closet at MIT, where he wasn't a student.

Federal prosecutors, of course, ultimately did charge Swartz, and said publicly that they planned to press for a seven-year sentence if the case went to trial.

After Swartz's death, his family accused the prosecutors of "intimidation and prosecutorial overreach," saying they'd helped drive him to commit suicide. His family also accused MIT of being complicit in his death. In response, MIT said it would launch an internal investigation into its involvement, and appointed computer science professor Hal Abelson, a founding director of Creative Commons and the Free Software Foundation, to lead the inquiry.

In the wake of a petition filed with the White House that demands her firing, the lead federal prosecutor in Swartz's case, Carmen Ortiz, released a statement Wed. defending her approach. "This office's conduct was appropriate in bringing and handling this case," she said, and noted that because of the nature of Swartz's crimes, prosecutors were seeking "an appropriate sentence that matched the alleged conduct -- a sentence that we would recommend to the judge of six months in a low-security setting."

But prosecutors, using what legal experts have said is standard operating procedure, had been increasing pressure on Swartz to settle. Notably, prosecutors first charged Swartz on four felony counts, which carried a maximum penalty of 35 years in jail and a $1 million fine. Later, however, they filed a superseding indictment adding seven more CFAA felony violations as well as two felony wire-fraud charges, which could have imposed even more jail time, fines and restitution requirements.

Prior to the scheduled April 1 start date for his trial, prosecutors then offered Swartz their deal: plead guilty to all charges, and the jail time will be reduced to serving just six months in a low-security setting.

Some critics of CFAA and of the prosecutors' handling of the case, say that any system -- including current plea-bargaining practices -- that allows prosecutors to threaten an imprisonment of 35 years or more when they see only a six-month incarceration as being commensurate with the crime, is inherently unfair and prone to corruption.

When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
ANON1246232522481
50%
50%
ANON1246232522481,
User Rank: Apprentice
1/28/2013 | 8:13:33 AM
re: Hacking Law Critics Demand Change After Swartz Suicide
Having done more research on this subject, please check for yourself. The local prosecutor was letting him off with a warning, the Feds step in and went for the big hit. He access files he had a right to, he was a member, he just did it after hours and in a MDF closet. He did return the files and the matter was settled with the local prosecutor.

The Feds came in and wanted a big name from the charges as she has plans on running for office.

In this situation where is the fairness? Do you really believe that someone should be hounded to death? Driven to bankrupcy in defending themself?

Laws have been used as clubs before. Such laws need to be changed so that they do what is intended. Anybody remember Phil Katz? Thanks to a lawsuit we have PKZip. Anybody really believe that you can copyright a file extentsion. The courts do not understand computer technology, and cannot make an informed decision without that knowledge.
jedimasterduke
50%
50%
jedimasterduke,
User Rank: Apprentice
1/22/2013 | 3:47:28 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
From the article: "But prosecutors, using what legal experts have said is standard operating procedure, had been increasing pressure on Swartz to settle. Notably, prosecutors first charged Swartz on four felony counts, which carried a maximum penalty of 35 years in jail and a $1 million fine. Later, however, they filed a superseding indictment adding seven more CFAA felony violations as well as two felony wire-fraud charges, which could have imposed even more jail time, fines and restitution requirements."

Using threats to force someone to do what they don't want to do; isn't this what is commonly referred to as blackmail?
Zman7
50%
50%
Zman7,
User Rank: Apprentice
1/19/2013 | 7:45:27 AM
re: Hacking Law Critics Demand Change After Swartz Suicide
"In response, Rep. Zoe Lofgren (D-Calif.) Tues. proposed legislation that would "exclude certain violations of agreements or contractual obligations" from the CFAA. In effect, her bill would prevent someone from being prosecuted solely for violating a site's acceptable use policy or terms of service agreement."

Maybe she wants to just release everyone from honoring any type of a contract. Why not? I'd like to get out of my mortgage payments too.

She sounds as nutty as Jarod Polis who was also quoted.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Strategist
1/18/2013 | 9:56:16 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
Hacking is hacking. Murder is murder. Theft is theft. That doesn't seem like a very nuanced system of justice. You can change a whole law based on this outcome, and that's exactly what's being proposed.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
1/18/2013 | 7:36:57 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
Good, let's use your B&E offense as comparison. The laws vary state to state but a quick sampling reveals average sentence on first offense (non weapon bearing) to be 6-18 months. With an offensive weapon (gun, knife) then you can go to 5 years. Isn't then 35 years suspiciously harsh to overzealous? I also read it as addressing the verbage of the CFAA which largely targeted federal or financial systems of compelling federal interest and leverages other established laws. The CFAA has since been used for cases of questionable federal interest like the Playstation 3 and schools which spied on their students.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
1/18/2013 | 5:25:48 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
The other question, perhaps more pertinent than complete products off of MSDN, is if academic reports are of any value if they are not publicly available to read? If I publish a report and keep it locked away that noone can see it, who benefits? Only those who fear having their ideas/theories challenged.

It sounds like JSTOR was willing to prosecute if they didn't get them back (perhaps because they did not have backup copies) and once returned it was no longer an issue for them (they settled whether that implies monetary compensation or otherwise). So why prosecute if noone is crying foul? Seems to be a clear case of vendictive bullying of someone not so easily manipulated and that was a source of embarrassment to the rule enforcers. Not to mention it seems the kid lacked a determined support network and that is tragic.
Melanie Rodier
50%
50%
Melanie Rodier,
User Rank: Apprentice
1/17/2013 | 9:19:44 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
I agree. Hacking is hacking, as is breaking and entering. It doesn't matter what your goal is, however 'noble' you think it is. The possible jail sentence did seem harsh, particularly given to the often much more lenient sentences dished out to hard criminals. Still, the way the events unfolded is very sad but you can't change a whole law based on this outcome.
kharrison212
50%
50%
kharrison212,
User Rank: Apprentice
1/17/2013 | 9:14:32 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
How does one return files stolen from a network? There could be copies and backups all over the place. While JSTOR may be a non profit they do have expenses associated with the content, they also protected their system requiring accounts and passwords to access the data. Did they settle to avoid the public eye or do they really not care if their material is released to the general public with no chance of later recovering it? What would Microsoft do if their MSDN content was stolen, would they accept a disk saying that is all there is. I suspect the Mathworks wouldn't like to have their software stolen either.
Leo Regulus
50%
50%
Leo Regulus,
User Rank: Apprentice
1/17/2013 | 8:12:00 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
I'm not sure that we really need to change existing law. I think more that we probably need to look more carefully at its' application. I mean, for example, do Federal Authorities use this much enthusiasm when pursuing persons who have falsified information on required background checks for purchasing a firearm?
Is this pursuit of 'Justice' more powered by outrage of the Egomania of self-important Politicians, Academicians, Business people etc.? People who were nonchalant enough as to leave their stuff out in the street where children could play with it. Now, people seeking revenge.

Is this really anymore than street BULLYING?

Hey, C'mon guys, GROW UP ! We just lost not only one of the more brilliant minds of our time, but also a precious Human Being.

Aaron, I never knew you. By whatever you may have deemed Holy, may you be Blessed.
bknabe
50%
50%
bknabe,
User Rank: Apprentice
1/17/2013 | 8:06:25 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
He took the documents and returned them. He didn't distribute them. The prosecutors tried to make an example of him, and it backfired. The whole system is broken, and needs to be changed.

The CFAA is so broad that I doubt anyone reading this article would be safe from prosecution if an agency decided to use it against them.
Page 1 / 2   >   >>
Slideshows
Cartoon
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
Research: 2014 State of the Data Center
Research: 2014 State of the Data Center
Our latest survey shows growing demand, fixed budgets, and good reason why resellers and vendors must fight to remain relevant. One thing's for sure: The data center is poised for a wild ride, and no one wants to be left behind.
Video
Twitter Feed