Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Hacking Law Critics Demand Change After Swartz Suicide

In the wake of the suicide of activist Aaron Swartz, numerous legal, privacy, and security experts have demanded that Congress rein in the Computer Fraud and Abuse Act (CFAA) to prevent prosecutors from treating minor crimes as felonies.

"The CFAA's vague language, broad reach, and harsh punishments combine to create a powerful weapon for overeager prosecutors to unleash on people they don't like," said Marcia Hofmann, a senior staff attorney at privacy rights group Electronic Frontier Foundation, in a blog post.

Swartz co-created the RSS 1.0 specification, helped establish Reddit, was widely respected for his campaigning for open access to information, and had long suffered from depression. He also faced a 35-year jail sentence after being arrested in 2011 on hacking charges, for allegedly using the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database.

Swartz, who in 2011 served as a fellow at the Harvard University Safra Center for Ethics, characterized the downloading as an act of civil disobedience, since many of the papers featured on JSTOR stemmed from publicly funded research. Prosecutors, however, charged Swartz with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer, and unauthorized access.

[ For more on Swartz's role in the debate over online content and copyright, see The Crying Need To Punish Cyber Crime Fairly. ]

In response, Rep. Zoe Lofgren (D-Calif.) Tues. proposed legislation that would "exclude certain violations of agreements or contractual obligations" from the CFAA. In effect, her bill would prevent someone from being prosecuted solely for violating a site's acceptable use policy or terms of service agreement.

"The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook," said Lofgren in a Reddit post. "In a single line: no longer would it be a felony to breach a contract."

Would Lofgren's proposed legislation truly reform CFAA? "The Swartz case does point to a serious problem with the Computer Fraud and Abuse Act," said Orin S. Kerr, a professor of law at the George Washington University Law School, in a blog post that recommends specific changes to the CFAA.

But, he said, a fix requires more than altering the "unacceptable access" provisions of CFAA -- which by the way is already likely to happen via a case involving David Nosal being reviewed by the Supreme Court. "The problem raised by the Swartz case is one I've been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly."

Many people have also accused federal prosecutors in the Swartz case of acting inappropriately. "The charges were ridiculous and trumped-up," Rep. Jared Polis (D-Colo.) told The Hill. "It's absurd that he was made a scapegoat. I would hope that this doesn't happen to anyone else."

Furthermore, attorney Lawrence Lessig -- who runs Harvard's Safra Center for Ethics -- said that JSTOR officials requested that the U.S. government not prosecute Swartz. JSTOR likewise released an undated statement noting that Swartz returned all copies of the documents he'd downloaded, and said it had settled any civil claims against him as of June 2011. MIT, however, reportedly declined to request that prosecutors not pursue charges against Swartz, who allegedly accessed JSTOR after breaking into a server closet at MIT, where he wasn't a student.

Federal prosecutors, of course, ultimately did charge Swartz, and said publicly that they planned to press for a seven-year sentence if the case went to trial.

After Swartz's death, his family accused the prosecutors of "intimidation and prosecutorial overreach," saying they'd helped drive him to commit suicide. His family also accused MIT of being complicit in his death. In response, MIT said it would launch an internal investigation into its involvement, and appointed computer science professor Hal Abelson, a founding director of Creative Commons and the Free Software Foundation, to lead the inquiry.

In the wake of a petition filed with the White House that demands her firing, the lead federal prosecutor in Swartz's case, Carmen Ortiz, released a statement Wed. defending her approach. "This office's conduct was appropriate in bringing and handling this case," she said, and noted that because of the nature of Swartz's crimes, prosecutors were seeking "an appropriate sentence that matched the alleged conduct -- a sentence that we would recommend to the judge of six months in a low-security setting."

But prosecutors, using what legal experts have said is standard operating procedure, had been increasing pressure on Swartz to settle. Notably, prosecutors first charged Swartz on four felony counts, which carried a maximum penalty of 35 years in jail and a $1 million fine. Later, however, they filed a superseding indictment adding seven more CFAA felony violations as well as two felony wire-fraud charges, which could have imposed even more jail time, fines and restitution requirements.

Prior to the scheduled April 1 start date for his trial, prosecutors then offered Swartz their deal: plead guilty to all charges, and the jail time will be reduced to serving just six months in a low-security setting.

Some critics of CFAA and of the prosecutors' handling of the case, say that any system -- including current plea-bargaining practices -- that allows prosecutors to threaten an imprisonment of 35 years or more when they see only a six-month incarceration as being commensurate with the crime, is inherently unfair and prone to corruption.

When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)