How Computer-Hacking Laws Make You a Criminal
Aaron Swartz at the the 2009 Boston Wiki Meetup.
CREDIT: Sage Ross/Creative Commons
In 1970, a 14-year-old boy dialed into a nationwide computer network, uploaded a virus he had written and caused the entire network to crash.
That boy was Bill Gates. Five years later, he founded Microsoft.
A few years later, two young men went around college dorms in California selling boxes of wires that let students bypass telephone-company restrictions and make long-distance calls for free.
Those young men were Steve Jobs and Steve Wozniak, and a later venture they started, Apple, is now the most valuable company in the world.
In 2010, another young man, who had already founded a multimillion-dollar company, broke into a utility closet at the Massachusetts Institute of Technology.
He hooked up a laptop to the campus network and downloaded 4 million academic journal articles, most of them in the public domain, from a paid archive to which he had a subscription.
He was arrested, indicted twice on multiple counts of fraud and, at a trial that was to have begun in April, faced 50 years in federal prison and a $1 million fine.
His name was Aaron Swartz, and last week he hanged himself.
More computers, more prosecutions
The difference between the fates of Gates, Jobs and Wozniak on the one hand, and of Swartz on the other, originates with the Computer Fraud and Abuse Act.
The CFAA is a 1986 law, section 1030 of the federal criminal code, which makes any unauthorized access into a protected network or computer a federal crime and permits harsh penalties for those convicted.
But 1986 was a long time ago. Today, any Web server can be defined as a protected computer, and almost anything can be defined as unauthorized access.
Use your roommate's Netflix account to watch movies on your iPad? You're violating the CFAA.
Trim the URLs of articles on the New York Times website so you can read them for free? You're breaking federal law.
Check your Facebook page at work, even if your employer forbids it? Better call your lawyer.
If that sounds ridiculous, here's a fact: Andrew "Weev" Auernheimer, a well-known "gray hat" hacker, was convicted in November of fraud and conspiracy for harvesting data from a publicly accessible server. He's facing up to 10 years in prison at his sentencing next month.
There weren't any passwords protecting the data Auernheimer and his friend, who later testified against him, downloaded. All they did was change numbers in URLs and press "return." But according to the CFAA, they were breaking the law.
Back to the future
"The punishments for these crimes are hugely disproportionate to the offenses listed," said Adam Goldstein, an attorney advocate at the Student Press Law Center in Arlington, Va. "We wrote these laws based on the 1980s view of the worst-case scenario of hacking in a networked world."
To Robert Graham, chief executive officer of Errata Security in Atlanta, the CFAA is "hopelessly out of date, and can be used to prosecute anybody for almost anything."
"The issue is 'authorization,'" Graham said. "Back in 1986, everyone had to be explicitly authorized to use a computer with an assigned username and password.
"But today, with the Web, we access computers with reckless abandon without knowing whether we are authorized or not," he added. "When you click on a URL, you are technically in violation of the law as it was designed."
Swartz was facing more prison time than he would have if he'd committed a serious physical crime, such as assault, burglary, grand theft larceny or involuntary manslaughter.
"Why the penalties are stiffer for e-crime does not make sense," said Chester Wisniewski, an American who works as a senior security analyst in the Vancouver, British Columbia, office of the British security firm Sophos. "These penalties are more in line with murder than theft."
"There is a serious problem in federal criminal law where the use of a computer ratchets up a criminal sentence dramatically out of proportion from the harm caused," said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation in San Francisco.
"We wrote laws designed to punish the worst monsters of William Gibson's nightmares," Goldstein said. "We're wielding them against people who download journal articles and steal naked pictures from Scarlett Johansson."
Tomorrow: How the CFAA is abused, and how it might be amended.