Swartz suicide shines light on federal anti-hacking law

Federal Computer Fraud and Abuse Act is applied too broadly in alleged data theft cases, critics say

The suicide of Internet activist and pioneer Aaron Swartz has focused attention on what some activists say is the overzealous use of the federal Computer Fraud and Abuse Act anti-hacking statute.

Swartz, 26, hanged himself last Friday, apparently over concerns stemming for the prospect of spending up to 35 years in prison on hacking-related charges.

[MIT to probe its role in Aaron Swartz's suicide and Senators push for changes in cybercrime law]

Federal prosecutors had indicted Swartz on 13 counts of felony hacking and wire fraud related to the alleged theft of millions of documents from JSTOR, an online library of literary journals and scholarly documents sold by subscription to universities and other institutions.

Several charges against Swartz were tied to alleged CFAA violations.

Swartz's death prompted calls by some legal experts for a review of CFAA. A petition launched Monday on the White House's website that called for reforming the anti-hacking law had garnered about 550 signatures.

The CFAA, enacted by Congress in 1986, makes it illegal to knowingly access a computer without authorization, to exceed authorized use of a system, or to to access information valued at more than $5,000.

In intent and spirit, CFAA is an online anti-trespassing law targeting criminal hackers who break into systems to steal or sabotage data. Penalties range from five-years prison sentences to life in prison.

Federal prosecutors in Massachusetts alleged that Swartz violated the provisions of the law by allegedly misusing guest access privileges on Massachusetts Institute of Technology's network to systematically access and download a huge number of documents from JSTOR.

In court documents, prosecutors alleged that while a Fellow at Harvard University's Safra Center for Ethics between Sept. 2010 and Jan 2011, Swartz registered for guest access on MITs network using a fictitious name and temporary email address.

They alleged that over the course of a few weeks,

According to the documents, Swartz allegedly downloaded over two million JSTOR documents over a two-week period by using a variety of deliberate, evasive tactics designed to confound JSTOR controls.

Swartz maintained that the sole motivation for accessing the scholarly documents was to make them freely available on the Internet.

In a blog post , Orin Kerr, a professor of law at the George Washington University Law School noted that from a strictly legal standpoint, the charges against Swartz were based on what appears to have been a fair application of the CFAA and federal wire fraud laws.

Even so, legions of Swartz supporters appeared outraged that he faced a long prison term.

"The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research," the Electronic Frontier Foundation (EFF) said in a blog post Monday. The CFAA's broad reach and vague language help the government unfairly bring a potentially crippling criminal prosecution against Swartz, the EFF said.

"Aaron's tragedy also shines a spotlight on a couple profound flaws of the Computer Fraud and Abuse Act in particular, and gives us an opportunity to think about how to address them," the rights group noted.

Hanni Fakhoury, staff attorney at the EFF said that a big problems with the law is its loose definitions of key terms, including those related to unauthorized access to data. Over the years, creative prosecutors have taken advantage of the law and applied it to situations that it was never meant to tackle, Fakhoury said.

For example, Fakhoury cited the case of Lori Drew, who was indicted on charges related to her creation of a Myspace page using a fake name to tease a teenage girl. The girl later committed suicide.

Federal prosecutors indicted Drew on charges that she accessed Myspace's computers without authorization and that she had exceeded her authorized access to the system when she registered the profile using a fake name.

A federal judge eventually overturned a jury verdict that she violated the CFAA statute.

The case illustrates how the language of the law can be used to criminalize violations of a website's terms of service agreements, Fakhoury said. "Creative and aggressive prosecutors have taken advantage of the ambiguity of some of the terms of the law to cover violations of terms of policy," he said.

In recent years, several employers have turned to the CFAA in data theft cases involving past or current employees. Federal courts have been somewhat split on how to deal with such cases,

In 2012, the U.S. Court of Appeals for the Ninth Circuit held that an employee with valid access to corporate data could not be held liable under CFAA if he or she later misused that access to steal or sabotage the data.

The judges in that case noted that CFAA applied specifically to external hackers and violations of computer access controls.

Last September, the U.S. Court of Appeals for the Fourth Circuit came to the same conclusion in a case involving an individual who used his valid access right to misappropriate data from his employer.

The Fourth Circuit judges characterized CFAA as a statute that could not be used to target individuals who access computers or information in bad faith, or who disregard a use policy.

Other appellate courts, including the Eleventh, Fifth and Seventh Circuit courts however have arrived at the opposite conclusion, ruling that CFAA can be used to prosecute individuals in such cases.

The vastly different interpretations of the statute by various courts shows why CFAA needs to be reviewed, Fakhoury noted.

"What has happened over the years is that the CFAA has been amended and extended by Congress so much it has become a very complicated patchwork of laws that has gone well beyond any of its original [intent]," said Eric Goldman, a professor at the Santa Clara University School of Law in California.

The problem with the CFAA is that it could be used to prosecute relatively minor crimes, Goldman said.

"Anyone who misrepresents their name, age, location or other information when signing up for a web service is in a sense violating that site's terms of service and could theoretically at least be in violation of the CFAA," he said.

"We have this very broad federal anti-trespassing statue that is incredibly powerful," Goldman said

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Copyright © 2013 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon