Compliance Management, Government Regulations, Threat Management

Death of Swartz could yield reform of anti-hacking law

The suicide of Aaron Swartz, the computer programmer and freedom-of-information activist who was slapped with computer intrusion charges that could have imprisoned him for 35 years, may prompt changes to a federal anti-hacking statute that many view as overly broad, heavy-handed and outdated.

Rep. Zoe Lofgren, D-Calif., on Tuesday introduced a proposal (PDF), nicknamed "Aaron's Law," that would amend the Computer Fraud and Abuse Act (CFAA) to "exclude certain violations of agreements or contractual obligations, relating to internet service, from the purview of certain criminal prohibitions..."

In 2011, Swartz was charged under that provision when he accessed the network of the Massachusetts Institute of Technology to allegedly download more than four million articles from JSTOR, a database of academic journals. He never intended to sell them, only to make them freely available as part of an act of civil disobedience.

"We should prevent what happened to Aaron from happening to other internet users," Lofgren wrote on social news site Reddit, where she announced the proposal. (Swartz was Reddit's co-founder). "Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties. When our laws need to be modified, Congress has a responsibility to act."

Had Lofgren's proposal been law, legal experts agree that it would have at least lessened the charges Swartz was facing and limited the amount of time he could have faced in prison.

Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, told SCMagazine on Wednesday that the digital rights group has long believed that the CFAA contains wording that is too broad and vague, and opens the door for potential prosecutorial overreach. In particular, it states that a person can violate the law simply by exceeding authorized access, which could mean doing something as seemingly trivial as posting false information on one's Facebook profile, a violation of the social networking site's terms of service, or, in the case of Swartz, "downloading files in an efficient way that may be inconsiderate of other people's use of the network."

In addition, the penalties in CFAA are too severe, Fakhoury said. Specifically, its misdemeanor provision is too narrow, and most of the law's possible offenses are classified as felonies, with a maximum punishment beginning at five years in prison.

He said Lofgren's proposal essentially would "codify" a recent decision by the 9th U.S. Circuit Court of Appeals in San Francisco.

That decision said employees who violate their organization's user policies – which may include something as simple as visiting a website they are not supposed to – do not violate the CFAA. The ruling (PDF) involved the case of David Nosal, a former manager at executive search firm Korn/Ferry. He was charged with convincing three of his former co-workers to use their valid login credentials to access and download customer lists and then transfer them to him so he could start a competing company.

Swartz, meanwhile, allegedly used a software program to automate the downloading process and evade detection by monitoring systems, prosecutors said. The massive amount of downloads damaged JSTOR's computers, brought down some of its servers and prevented some MIT computers from accessing research.

But according to an expert witness who was helping the defense prepare for Swartz's upcoming trial, MIT's network is widely known as one of academia's most open and unrestricted, and, while Swartz allegedly broke into a wiring closet and used a custom computer script that enabled him to download the mass quantity of articles, he did not perpetrate a conventional hack.

"Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing 'Save As' from your favorite browser," said the witness, Alex Stamos, CTO of Artemis Internet.

In addition to Logren's measure, a petition has been filed to reform the CFAA, as well as another to remove from office the prosecutor in Swartz's case, Carmen Ortiz. The White House must respond once 25,000 signatures are reached.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.