It’s been almost a month since hacker-activist Aaron Swartz took his own life at the age of 26, driven—according to those who knew him—by a combination of depression and the threat of jail time. The latter was a result of federal charges under the Computer Fraud and Abuse Act for an incident involving documents he downloaded from the JSTOR research archives. While proposals have been made for changes to the law as a result of his death, it’s important to think about all the other hackers [http://www.wired.com/opinion/2013/02/we-need-to-think-beyond-the-aaron-in-aarons-law/] who might be caught by the same net, even if they aren’t as appealing as Swartz.
In the wake of his suicide, Swartz’s case quickly became a cause célèbre, and a group of legislators—including Darrell Issa (R-Calif.), who was also instrumental in the fight against SOPA and PIPA—recently asked the Justice Department to look into the behavior of the U.S. attorney’s office in pressing for a severe penalty against the young hacker. Zoe Lofgren (D-Calif.) has also proposed a number of changes to the Computer Fraud and Abuse Act that would prevent the state from going after others for what Swartz did.
Among other things, those changes—some of which were proposed by users of Reddit during a session with Lofgren last month—would prevent prosecutors from pressing charges for simple breaches of a website’s terms of service or user agreement, which is one of the clauses in the CFAA that was used against Swartz. Changing a computer’s hardware address (which Swartz did to avoid detection) would also not qualify as criminal hacking.
But while Aaron Swartz’s experience has drawn some much-needed attention to the problems with outdated laws like the Computer Fraud and Abuse Act—which was written in 1986, before the Web was even invented—we shouldn’t forget that others have also been hit with this overly broad and vague piece of legislation, even though they haven’t become popular causes the way Swartz has.
As Marcia Hoffman of the Electronic Frontier Foundation has pointed out, one of the most problematic parts of the CFAA is that the law makes it a crime to access a computer or website “without authorization” or in a way that “exceeds authorized access,” but those terms are never really defined. In a number of cases, prosecutors have defined them to mean that anyone accessing a Web-based service in any way that isn’t explicitly approved by the terms of use is committing a crime under the act.
In 2008, for example, prosecutors used this aspect of the law to go after a woman who created a MySpace profile using an assumed name (although a judge declined to hear the case)—and as one security researcher has explained, the same principle could easily be used to charge anyone who simply goes to a website without the explicit permission of the owner.
One of those who has been caught in this particular net is almost the polar opposite of Aaron Swartz, although both were clearly hackers: Andrew Auernheimer, who is known by the online handle Weev, has also been found guilty and is facing potential jail time for unauthorized access to a computer or Web service. In his case, Weev and a fellow hacker collected a list of AT&T (T) customer e-mail addresses by generating random URLs at the AT&T website and then gave them to Gawker in what they said was an attempt to draw attention to AT&T’s lax security measures.
Unlike Swartz, who has been hailed by most of his friends and acquaintances—including such luminaries as Creative Commons founder Lawrence Lessig and even the creator of the World Wide Web, Sir Tim Berners-Lee—as a force for good and a crusader for openness and other just causes, Weev is somewhat notorious for being an online troll who reportedly delights in causing mischief, aggravation, and hurt feelings wherever he goes.
All of that may make him less than appealing as a public cause, but the flaws in the Computer Fraud and Abuse Act are just as obvious in his case: In fact, what Weev did barely even qualifies as hacking, since he simply generated random iPad ID numbers and used those to get the AT&T e-mail addresses. In other words, the addresses were freely available and not hidden behind technological locks or passwords of any kind (Weev also made no attempt to use them or sell them).
The bottom line is that the CFAA isn’t worth scrapping or rewriting just because it was used to go after Swartz, or even Weev—the biggest issue is that it is so broad and technologically ignorant that it can be used to criminalize behavior that should barely even register as a nuisance, let alone a crime. Swartz’s downloading of JSTOR documents wasn’t serious enough for the archive to press charges, yet the prosecutor chose to threaten the young hacker with jail time.
At its best, hacking of the kind that both Swartz and Weev engaged in is no different than the kind that Microsoft (MSFT) founder Bill Gates employed when he let loose a worm that shut down a corporate computer network when he was 14. Within reason, testing the limits of computer systems and revealing security holes is something for which we should be thanking hackers—or possibly admonishing them—not sentencing them to prison terms.
Also from GigaOM:
The Challenge of the Smart Grid Customer (subscription required)
Inside Aereo: New Photos of the Tech That’s Changing How We Watch TV
The Connected Car of the Future (Infographic)
Why Big Data Matters and Why Data-ism Doesn’t
Seven Major Energy Trends to Watch for in 2013, Via DOE Bigwig David Sandalow
