Swartz suicide shines light on federal anti-hacking law
Federal Computer Fraud and Abuse Act is applied too broadly in alleged data theft cases, critics say
Computerworld - The suicide of Internet activist and pioneer Aaron Swartz has focused attention on what some activists say is the overzealous use of the federal Computer Fraud and Abuse Act (CFAA) anti-hacking statute.
Swartz, 26, hanged himself last Friday, apparently over concerns stemming for the prospect of spending up to 35 years in prison on hacking-related charges.
Federal prosecutors had indicted Swartz on 13 counts of felony hacking and wire fraud related to the alleged theft of millions of documents from JSTOR, an online library of literary journals and scholarly documents sold by subscription to universities and other institutions.
Several charges against Swartz were tied to alleged CFAA violations.
Swartz's death prompted calls by some legal experts for a review of CFAA. A petition launched Monday on the White House's website that called for reforming the anti-hacking law had garnered about 550 signatures.
The CFAA, enacted by Congress in 1986, makes it illegal to knowingly access a computer without authorization, to exceed authorized use of a system, or to to access information valued at more than $5,000.
In intent and spirit, CFAA is an online anti-trespassing law targeting criminal hackers who break into systems to steal or sabotage data. Penalties range from five-years prison sentences to life in prison.
Federal prosecutors in Massachusetts alleged that Swartz violated the provisions of the law by allegedly misusing guest access privileges on Massachusetts Institute of Technology's network to systematically access and download a huge number of documents from JSTOR.
In court documents, prosecutors alleged that while a Fellow at Harvard University's Safra Center for Ethics between Sept. 2010 and Jan 2011, Swartz registered for guest access on MITs network using a fictitious name and temporary email address.
According to the documents, Swartz downloaded more than two million JSTOR documents over a two-week period by using a variety of deliberate, evasive tactics designed to confound JSTOR controls.
Swartz maintained that the sole motivation for accessing the scholarly documents was to make them freely available on the Internet.
In a blog post , Orin Kerr, a professor of law at the George Washington University Law School noted that from a strictly legal standpoint, the charges against Swartz were based on what appears to have been a fair application of the CFAA and federal wire fraud laws.
Even so, legions of Swartz supporters appeared outraged that he faced a long prison term.
"The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research," the Electronic Frontier Foundation (EFF) said in a blog post Monday. The CFAA's broad reach and vague language help the government unfairly bring a potentially crippling criminal prosecution against Swartz, the EFF said.
"Aaron's tragedy also shines a spotlight on a couple profound flaws of the Computer Fraud and Abuse Act in particular, and gives us an opportunity to think about how to address them," the rights group noted.
Hanni Fakhoury, staff attorney at the EFF said that a big problems with the law is its loose definitions of key terms, including those related to unauthorized access to data. Over the years, creative prosecutors have taken advantage of the law and applied it to situations that it was never meant to tackle, Fakhoury said.
- Everything You Know About Enterprise Security Is Wrong
- UK man charged with hacking Federal Reserve
- McAfee Offers Global Response to Nationalized Malware
- Tech Industry Praises Cybersecurity Framework From White House
- Ransomware like Cryptolocker uses Bitcoin, other virtual currencies for payment
- Trial for alleged Silk Road creator Ross Ulbricht set for November
- Target attack shows danger of remotely accessible HVAC systems
- U.S. is investigating Target data breach, AG Holder says
- Russian man pleads guilty in SpyEye malware case
- Suspected email hackers for hire charged in four countries
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts