How to Fix America's Harmful Hacking Laws
Many technology-law experts feel the 1986 Computer Fraud and Abuse Act gives prosecutors too much leeway, allowing them to rack up serious charges for what may seem to outsiders like minor offenses.
The Aaron Swartz case may be a perfect example of such overreach. The young programmer, who was indicted twice under the CFAA, faced 50 years in prison for allegedly downloading 4 million academic-journal articles.
Swartz hanged himself in his Brooklyn apartment last week, two days after his lawyer and prosecutors reportedly failed to reach a plea deal.
Adam Goldstein, an attorney advocate at the Student Press Law Center in Arlington, Va., said, "the language of [the CFAA] could be tighter, [but] that's not why things are going horribly wrong" with computer-related prosecutions.
"What's going wrong with these prosecutions," he said, "is that any prosecutor in any corner of the country can prosecute a computer crime, even though he or she may know absolutely nothing about computers and have only a rudimentary understanding of what the laws were even designed to prohibit."
In the Swartz case, the online archive from which Swartz downloaded the journal articles chose not to press charges.
But the U.S. attorney for Massachusetts, Carmen Ortiz, did.
Not only did her office issue a four-count indictment of Swartz in July 2011, with maximum penalties of 35 years in prison, but in September 2012 it superseded the original filing with a 13-count indictment that added 15 more years.
"These sentences make no sense to me," said Chester Wisniewski, a senior security analyst in the Vancouver, British Columbia, office of the British firm Sophos. "While I take copyright and digital crime very seriously, I can't explain or justify these penalties."
On Wednesday (Jan. 16), Ortiz issued a statement that she and her office didn't really intend to throw Swartz into prison for five decades.
"There was no evidence against Mr. Swartz indicating that he committed his acts for personal financial gain," Ortiz said. "This office sought an appropriate sentence that matched the alleged conduct — a sentence that we would recommend to the judge of six months in a low-security setting."
The charges against Swartz were dropped after his suicide.
"In my experience, U.S. attorneys tend to throw the book at defendants," said former federal public defender Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation in San Francisco.
"The 'tough' prosecutors are the ones who get promoted and have their careers advanced," he said. "This isn't unique to Aaron's case or the CFAA: it's a problem in federal criminal law, period."
Robert Graham, chief executive officer of Errata Security in Atlanta, said it comes down to the way the CFAA and related laws were written.
"Laws target the means rather than the ends," Graham said. "This allows you to be prosecuted because you use the same means [as a criminal], but for legitimate ends. Almost anybody can be prosecuted for illegal use of a computer if prosecutors wanted to."
Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union, was more blunt.
"The offenses that Swartz was accused of were not motivated by profit, nor did they involve actual hacking," Soghoian said.
"Federal prosecutors could and should have shown restraint in their case against Swartz and instead focused their limited resources investigating other, more serious computer hacking crimes."
A legislative solution
Is Congress likely to craft and pass legislation to fix the CFAA? Many, if not most, members of Congress don't know much about how computers work.
Meanwhile, leading lawmakers and government officials have been telling the public that hackers have the capability to destroy America.
Some experts we spoke to think reform of the CFAA and related statutes might be possible even in such a political environment.
"Change has to come from them [Congress], ultimately, and I'm convinced if we get enough people concerned about the abuse of this law, there can be some meaningful reform," Fakhoury said. "They did, after all, drop SOPA [the Stop Online Piracy Act] when it became clear there was a lot of dissatisfaction with it."
"I think we can trust Congress to do this, honestly, because I think they know that they don't understand these crimes," Goldstein said. "I believe they can understand that their ignorance is doing harm. And what member of Congress wants to oppose creating a system that will better prosecute electronic crimes?"
Rep. Zoe Lofgren, D-Calif., introduced a bill Tuesday (Jan. 15) to amend the CFAA and a related fraud statute.
Her proposal, which she called "Aaron's Law," would exclude violations of private agreements and obligations, such as terms-of-service agreements, acceptable-use policies and employment contracts, from being considered unauthorized access.
It would, in essence, mean you'd no longer be breaking the law by using a friend's Netflix account.
It's not clear whether Lofgren's amendment would have prevented Swartz's prosecution, however.
A prosecutor might have argued that Swartz, who used MIT's on-campus network to download the archived journal articles, was not associated with MIT and hence was not party to the contractual agreement MIT had with the academic archive.
(Swartz was associated with Harvard and was entitled to access the archive from Harvard's network using Harvard's paid subscription.)
Graham was less optimistic about the prospect for legislative reform, observing that Congress responds "to the will of the people, and the people don't understand this issue, either."
"The people don't know how computers work. It's all witchcraft to them," he added. "Hackers are witches; the people want to see them burned."
Instead, Graham suggested abolishing the CFAA entirely.
"The solution is not to reform it, but remove it," he said. "Focus on the actual crimes, such as espionage or stealing money, and not on the idea of 'accessing a computer without authorization.'"
Special experts for special cases
Goldstein, on the other hand, thinks the solution to handling electronic infractions already exists — it just isn't being used properly.
"When we have an area of the law we think is really complicated, we set up some kind of body, either investigative or judicial, to help ensure the laws are enforced correctly," he said.
"After Sept. 11, the federal government realized that terrorism cases are sophisticated, subtle and aren't easy for your average cops and prosecutors to identify. The Department of Justice set up the Joint Terrorism Task Force (JTTF), a clearing house for terrorism information with local groups of experts set up to analyze and prosecute terrorism crimes.
"The Patriot Act itself also directed the Secret Service to set up the Electronic Crimes Task Force," Goldstein said. "But electronic crime prosecutions just aren't being 'cleared' through ECTF the same way terrorism prosecutions are cleared through JTTF.
"If you search the ECTF website, Aaron's name doesn't come up, which makes you wonder what the heck it's for. So what needs to happen, really and truly, is for the ECTF to become a branch of the Department of Justice like the JTTF, so it [becomes] able to meaningfully involve itself in these cases the way JTTF does."