News

11:08 AM
Connect Directly
RSS
E-Mail
50%
50%

Hacking Law Critics Demand Change After Swartz Suicide

Proposed legislation seeks to end felony charges related to 'unauthorized access,' but legal experts say bigger fixes are needed.

In the wake of the suicide of activist Aaron Swartz, numerous legal, privacy, and security experts have demanded that Congress rein in the Computer Fraud and Abuse Act (CFAA) to prevent prosecutors from treating minor crimes as felonies.

"The CFAA's vague language, broad reach, and harsh punishments combine to create a powerful weapon for overeager prosecutors to unleash on people they don't like," said Marcia Hofmann, a senior staff attorney at privacy rights group Electronic Frontier Foundation, in a blog post.

Swartz co-created the RSS 1.0 specification, helped establish Reddit, was widely respected for his campaigning for open access to information, and had long suffered from depression. He also faced a 35-year jail sentence after being arrested in 2011 on hacking charges, for allegedly using the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database.

Swartz, who in 2011 served as a fellow at the Harvard University Safra Center for Ethics, characterized the downloading as an act of civil disobedience, since many of the papers featured on JSTOR stemmed from publicly funded research. Prosecutors, however, charged Swartz with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer, and unauthorized access.

[ For more on Swartz's role in the debate over online content and copyright, see The Crying Need To Punish Cyber Crime Fairly. ]

In response, Rep. Zoe Lofgren (D-Calif.) Tues. proposed legislation that would "exclude certain violations of agreements or contractual obligations" from the CFAA. In effect, her bill would prevent someone from being prosecuted solely for violating a site's acceptable use policy or terms of service agreement.

"The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook," said Lofgren in a Reddit post. "In a single line: no longer would it be a felony to breach a contract."

Would Lofgren's proposed legislation truly reform CFAA? "The Swartz case does point to a serious problem with the Computer Fraud and Abuse Act," said Orin S. Kerr, a professor of law at the George Washington University Law School, in a blog post that recommends specific changes to the CFAA.

But, he said, a fix requires more than altering the "unacceptable access" provisions of CFAA -- which by the way is already likely to happen via a case involving David Nosal being reviewed by the Supreme Court. "The problem raised by the Swartz case is one I've been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly."

Many people have also accused federal prosecutors in the Swartz case of acting inappropriately. "The charges were ridiculous and trumped-up," Rep. Jared Polis (D-Colo.) told The Hill. "It's absurd that he was made a scapegoat. I would hope that this doesn't happen to anyone else."

Furthermore, attorney Lawrence Lessig -- who runs Harvard's Safra Center for Ethics -- said that JSTOR officials requested that the U.S. government not prosecute Swartz. JSTOR likewise released an undated statement noting that Swartz returned all copies of the documents he'd downloaded, and said it had settled any civil claims against him as of June 2011. MIT, however, reportedly declined to request that prosecutors not pursue charges against Swartz, who allegedly accessed JSTOR after breaking into a server closet at MIT, where he wasn't a student.

Federal prosecutors, of course, ultimately did charge Swartz, and said publicly that they planned to press for a seven-year sentence if the case went to trial.

After Swartz's death, his family accused the prosecutors of "intimidation and prosecutorial overreach," saying they'd helped drive him to commit suicide. His family also accused MIT of being complicit in his death. In response, MIT said it would launch an internal investigation into its involvement, and appointed computer science professor Hal Abelson, a founding director of Creative Commons and the Free Software Foundation, to lead the inquiry.

In the wake of a petition filed with the White House that demands her firing, the lead federal prosecutor in Swartz's case, Carmen Ortiz, released a statement Wed. defending her approach. "This office's conduct was appropriate in bringing and handling this case," she said, and noted that because of the nature of Swartz's crimes, prosecutors were seeking "an appropriate sentence that matched the alleged conduct -- a sentence that we would recommend to the judge of six months in a low-security setting."

But prosecutors, using what legal experts have said is standard operating procedure, had been increasing pressure on Swartz to settle. Notably, prosecutors first charged Swartz on four felony counts, which carried a maximum penalty of 35 years in jail and a $1 million fine. Later, however, they filed a superseding indictment adding seven more CFAA felony violations as well as two felony wire-fraud charges, which could have imposed even more jail time, fines and restitution requirements.

Prior to the scheduled April 1 start date for his trial, prosecutors then offered Swartz their deal: plead guilty to all charges, and the jail time will be reduced to serving just six months in a low-security setting.

Some critics of CFAA and of the prosecutors' handling of the case, say that any system -- including current plea-bargaining practices -- that allows prosecutors to threaten an imprisonment of 35 years or more when they see only a six-month incarceration as being commensurate with the crime, is inherently unfair and prone to corruption.

When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
rhovestadt021
50%
50%
rhovestadt021,
User Rank: Apprentice
1/17/2013 | 7:31:29 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
If they go and take the teeth out of the law then they might as well repeal it all together as it will be relatively useless at stopping anyone. As has been said he didn't steal just a few documents, that would be civil disobedience, he stole millions of documents that's a crime plain and simple. A crime that is compounded by the fact that he broke into a Network Closet so he could do so. The only part of this whole thing I disagree with is the DA threatening a long jail term and huge fine, when that is not what they would have requested to begin with. [By the way i also disagree with plea deals as they do not serve the people, but thats a different discussion]. It's time prosecutors, in general, were up front about things, this just makes them look like shysters.
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Apprentice
1/17/2013 | 7:10:50 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
I couldn't agree more. They are taking the public perception that prosecutors just pick people they don't like to file charges against. They can never use this against you if you don't do the crime. Leave it alone. It's more of these idiots who think hacking is romantic that are pushing this. Breaking the law is breaking the law, not matter how "noble" you think your intentions are.
mgentry300
50%
50%
mgentry300,
User Rank: Apprentice
1/17/2013 | 6:49:18 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
The suicide is unfortunate but it's ridiculous and ignorant to demand that hacking laws should be lessened to prevent accused criminals from committing suicide. There's nothing minor about illegally downloading 4.8 million documents, especially after taking the time to physically access a wiring closet to hack the network.

Look, the Dept of Defense estimates that it endures 400 million cyber-attacks every year. All it takes is a single major attack to succeed. Cyber-threats are much bigger than most people realize, and its effects are greater than 9/11 by several magnitudes.
<<   <   Page 2 / 2
Audio Interviews
Archived Audio Interviews
This radio show will provide listeners with guidance from Dell Storage experts, who can help you explore ways to simplify workload management while achieving a balance of price and performance.
Slideshows
White Papers
Register for Network Computing Newsletters
Current Issue
2014 State of Unified Communications
2014 State of Unified Communications
If you thought consumerization killed UC, think again: 70% of our 488 respondents have or plan to put systems in place. Of those, 34% will roll UC out to 76% or more of their user base. And there’s some good news for UCaaS providers.
Video
Twitter Feed
Cartoon