The January 11, 2013 suicide of internet activist Aaron Swartz has sparked a debate about the proper scope and application of the criminal provisions of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.
Two days after his death, The New York Times reported that Aaron’s “family said in part: ‘Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. attorney’s office and at M.I.T. contributed to his death.’” Similarly, The Rolling Stone reported on January 23 that “Swartz’s friends and family have said they believe he was driven to his death by a justice system that hounded him needlessly over an alleged crime with no real victims,” and “Swartz’s tragic death has already begun forcing lawmakers to start rethinking our draconian computer laws. And House Oversight Committee Chairman Darrell Issa (R-California) even promised an investigation of the Justice Department prosecutors who did their best to send a young Internet pioneer to prison.”
Yet, George Washington University Law School’s Professor Orin S. Kerr of The Volokh Conspiracy has committed to writing a two-part post as an apology for the prosecution of Aaron. Part 1 of Professor Kerr’s post summarizes the criminal charges against Aaron, describes the alleged criminal conduct and explains that: “Aaron Swartz decided to ‘liberate’ the entire JSTOR database[, much of which is copyrighted, according to the indictment.] He wanted everyone to have access to all of the journals in the database, so he came up with a plan to gain access to the database and copy it so he could make it publicly available to everyone via filesharing networks.” Professor Kerr tentatively concludes: “I think the charges against Swartz were based on a fair reading of the law. None of the charges involved aggressive readings of the law or any apparent prosecutorial overreach. All of the charges were based on established caselaw. Indeed, once the decision to charge the case had been made, the charges brought here were pretty much what any good federal prosecutor would have charged.”
Stanford Law School’s Professor Jennifer Granick disagrees, and she chastises Professor Kerr for lumping Aaron’s alleged conduct of “circumventing code-based restrictions” in with the crime of ”using someone else’s password, which is the quintessential access without authorization” proscribed by the CFAA because, as Professor Granick explained, “[u]sing another person’s password gets you access to their files. Circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download.” Professor Granick, like Professor Kerr, has written a two-part blog post, entitled Towards Learning from Losing Aaron Swartz.
The outcry surrounding Aaron’s suicide is understandable. As JSTOR recognizes: “He was a truly gifted person who made important contributions to the development of the internet and the web from which we all benefit.” Yet a reform of the CFAA should be based on desired, rational outcomes, not a grief reaction to the tragic loss of Aaron Swartz.
Accordingly, any proposal for immediate reform should be received with equally immediate skepticism. To illustrate, Forbes has reported that “an ‘Aaron’s Law’ that’s already been proposed to make those reforms may need serious tweaking if it’s going to prevent the next overzealous hacker crackdown.” More specifically, Forbes quotes Tor Ekeland, the attorney for convicted hacker Andrew Auernheimer (a/k/a Weev), who recognizes that “[t]he [CFAA] is a prosecutor’s wet dream and a defendant’s nightmare,” “[a]mending the definition of unauthorized access to exclude [terms of service] violations is just putting a band aid on a gaping, gushing wound.”
Professor Granick proposes that we learn from losing Aaron. I agree. But the lessons from the loss of such genius should be infinitely more thoughtful and intricate than some myopic fix of the CFAA.