A man’s spirit broke on Jan.11, 2013. Under unrelenting pressure from federal prosecutors and facing 35 years in prison, Aaron Swartz, 26, co-founder of Demand Progress and a member of the developing team for the RSS feed, Creative Commons and Infogrami — who at the time was severely and chronically depressed — killed himself.
One year after later, the law that ultimately convinced him to take his life, the Computer Fraud and Abuse Act, not only remains on the books, but is poised to be expanded under recently-proposed legislation. This newly-proposed amendment would give prosecutors expanded leeway in pursuing computer crimes and threatens to expand the range of who can be prosecuted for “access violations.”
Beyond the grandiosity of the loss to the Internet and intellectual communities, one of the most proactive activists for the freedom of knowledge and for free access to the Internet was lost with the death of Swartz.
Under Swartz’s “Guerilla Open Access Manifesto,” in which Swartz decried the selling of research under the current for-profit educational journal selling system, Swartz attempted to download 4.8 million academic journals from JSTOR in 2011 for free distribution. The laptop that Swartz used was connected to the Massachusetts Institute of Technology’s network without permission, and federal prosecutors used this as justification to indict Swartz for trespassing charges and offenses under the CFAA.
The case against Swartz was famously analogized by Quartz as being similar to someone facing 35 years in prison for checking out too many library books. Swartz had both legal access to the MIT network and to JSTOR. Despite this, Swartz was hit with 13 separate felony charges.
In a failed attempt toward creating an example of dissuading other “crusaders,” federal prosecutors pushed for a guilty plea and prison time — despite the fact that the injured party, JSTOR, sought no charges and was not involved in the prosecution. In the aftermath of Swartz’s death, legal experts argued that the CFAA was too broad and allowed prosecutors avenues to “find” crimes that could and should otherwise be written off as annoyances.
Last Wednesday, Sen. Patrick Leahy, in the wake of the Target data theft, in which the credit card data and personally-identifiable data for as many as 110 million customers were stolen over the holiday shopping season, reintroduced the Personal Data Privacy and Security Act — which he first introduced in 2005 and has reintroduced every year since.
According to Leahy, the bill will standardize the disclosure rules and response procedures for businesses that have had customer data stolen.
“The recent data breach at Target … is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation,” Leahy said in a statement.
The legislation would criminalize attempts to hide customer-damaging security breaches, force higher standards for the protection of databases containing personally-identifying information and set up a nationwide standard for alerting customers of a data breach. Sens. Al Franken, Charles Schumer and Richard Blumenthal have all signed on as co-sponsors to the bill.
“This is a comprehensive bill that not only addresses the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place,” Leahy added.
Despite this, a key provision of the Personal Data Privacy and Security Act would amend the CFAA so that the law would read “Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.”
The addition of the clause “for the completed offense” to the CFAA would, in a legal sense, criminalize the entire evolution of a crime — from conception to execution.
In effect, four simple words theoretically expand the range of the CFAA from actual committers of access and intellectual property crimes to anyone who may have talked about or mentioned an actual occurrence — regardless of how innocent the mention may be. All the prosecutor would have to do is argue that the mention helped influence the decision to commit the act.
Excesses in prosecution
This is helping to confuse an already conflicted legal landscape in which prosecutors are arguing corporate interest cases with the same ferocity as public interest cases. One such example is the 2011 case of Pulte Homes v. Laborers’ International Union of North America, et al. In this case, Pulte Homes sued the LIUNA for damages under the CFAA after the LIUNA encouraged its members to call and email the company after a contested termination of a represented member. The volume of emails crashed Pulte Homes’ email server.
Matthew Keys, on March 14, 2013, was indicted under the CFAA in the U.S. District Court for the Eastern District of California. Keys, who was a social media journalist for Fox 40, a Tribune Company-owned television station in Los Angeles, was accused of giving access to the Tribune content-management system to members of Anonymous, who — in the totality of its mischief — changed one Los Angeles Times’ headline to read “PRESSURE BUILDS IN HOUSE TO ELECT CHIPPY 1337” — an inside joke. The indictment indicated that the time and damage the intrusion created was “at least $5,000 in value” with Tribune spending another $5,000 in response to the incursion.
Instead of seeking the $10,000 in damages he caused in a situation in which no one was harmed and no permanent harm to property occurred, $250,000 in damages and up to 25 years in prison is being sought.
Last June, Jeremy Hammond pled guilty under a “non-cooperating plea agreement” — which frees prosecutors from having to honor any sentencing arrangements with Hammond — to one count of violating the CFAA. Hammond allegedly hacked intelligence contractor Stratfor and stole internal emails and documents that highlighted the firm’s role in surveilling on political protesters on behalf of the government and private clients. The information Hammond allegedly stole was made available to the media and WikiLeaks, with Hammond seeking no financial gain.
By definition, this would make Hammond a whistleblower. However, due in part to Hammond’s admitted involvement with Anonymous, Hammond was sentenced in November to the maximum available sentence — 10 years.
Corporate interest v. personal liberties
Congress has expanded the CFAA five times since its introduction in 1984. Over the years, the law went from providing a legal basis toward prosecuting network hackers and data thefts to providing legal cover for any violation for “terms of service” or “inconvenience crimes.”
In practical terms, this mutation has made the government capable of defending private contracts, moving an issue that would normally be handled in civil litigation and adding a criminal penalty to it. This creates the perception that the government is more willing to protect corporate interests than safeguard private liberties.
One year after Swartz’s death and in light of revelations of aggressive government online surveillance both at home and abroad, the realization that nothing has been done toward balancing prosecutorial powers concerning access to the Internet is startling. While political gridlock and a focus on bigger issues — such as the recent government shutdown — can help explain the failure of two separate legislative packages meant to address the issue, the introduction of Leahy’s amendment suggests an undeniable impression that fairness under the law is sacrificable to “grander” thoughts, such as “national security” and “corporate protection.”