Congress: Is Computer Law Too Tough on Hackers?
The mood was understandably somber when friends and well-wishers gathered last week to pay tribute to the late Internet activist Aaron Swartz. A host of speakers, including members of Congress from both parties, lamented the wasted talent of the 26-year-old prodigy who dedicated his life to the liberation of information.
“He wanted to make the world a better place,” said Swartz’s father, Bob Swartz, at the Feb. 4 event at the Cannon House Office Building. “For this he was hounded to his death by the government.”
Swartz’s supporters have channeled their emotions into fighting what they view as the cause of his death: overzealous prosecutors and a statute they consider vague and unfairly harsh even for minor computer crimes. The Justice Department used that statute, the 1986 Computer Fraud and Abuse Act, to threaten Swartz with up to 35 years in prison and a fine of up to $1 million, and he committed suicide last month, an action his family blames squarely on the prosecutors’ threats.
Swartz, a Reddit co-founder, was arrested in 2011 for downloading 4.8 million academic articles from JSTOR, a subscription-based academic journal service. He later turned over his hard drives that contained the articles, and JSTOR elected not to pursue the case. But U.S. Attorney Carmen M. Ortiz did not relent, charging Swartz with wire fraud, computer fraud, unlawfully obtaining information from a protected computer and recklessly damaging a protected computer.
“Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars,” Ortiz said at the time of the July 2011 indictment.
For years, law enforcement officials and prosecutors have lobbied Congress to up the penalties for hacking and other computer crimes, repeatedly invoking the argument that hackers are increasingly working with, or are sponsored by, organized crime or foreign states, and aren’t simply smart kids showing off in their parents’ basements.
“There has been a sense in Congress that ratcheting up the penalties on criminal laws was an easy giveaway to DOJ to get something they wanted,” said Cindy Cohn, legal director of the Electronic Frontier Foundation, an Internet freedom group.
But now some lawmakers are suggesting that prosecutors — and perhaps Congress — may have overreached, and they are taking a new look at the Computer Fraud and Abuse Act.
“The crime and the punishment did not fit” for Swartz, House Oversight and Government Reform Chairman Darrell Issa, R-Calif., said at the memorial. “This wasn’t a big case.”
Rep. Alan Grayson, D-Fla., declared that “prosecution should not be persecution,” while Sen. Ron Wyden, D-Ore., blamed a “poorly written criminal law” for labeling Swartz a dangerous criminal.
Critics of the Computer Fraud and Abuse Act argue that the statute has several problems. First, some courts have found that under the law, violating the terms of service for a network, product or system could potentially trigger criminal penalties, such as those faced by Swartz for violating JSTOR’s terms of service. Second, Cohn said the law bans even minor technical workarounds, meaning users who try to alter how they use a program or access data, common behavior among programmers and hackers, could potentially face charges.
Finally, the penalty scheme for CFAA imposes almost entirely felonies, according to Cohn, with little room for misdemeanors. Cohn said prosecutors were only able to threaten Swartz with so much jail time because the CFAA penalties are out of proportion with the actual offenses; she argued that the lawmakers who approved such penalties could have hardly expected that they would be used as they were against Swartz.
Congress has seen previous attempts to clarify the law, including an amendment last year from Senate Judiciary ranking member Charles E. Grassley, R-Iowa, and Sen. Al Franken, D-Minn., that would have altered the terms of service portion. The latest effort comes after Swartz’s death and has been dubbed “Aaron’s law” by Wyden and Rep. Zoe Lofgren, D-Calif.
The two have circulated a draft of the bill that would address the way the law handles both terms of service violations and technical workarounds. They are currently seeking bipartisan sponsors and are expected to unveil the legislation in the coming days.
The legislation would define words such as “system” and “unauthorized access” in ways that would have constrained how the prosecutors could have charged Swartz, had the bill been law at the time of his indictment, according to David Segal, executive director of the Internet freedom group Demand Progress.
But the draft of Aaron’s law still doesn’t address the issue of penalties, and its future remains cloudy. House Judiciary Chairman Robert W. Goodlatte, R-Va., said his committee is looking into the issue but called it premature to promise a hearing; a Senate Judiciary Committee spokesman indicated that panel has no plans to take up changes to the CFAA.
That leaves the House Oversight and Government Reform Committee, where Issa and ranking member Elijah E. Cummings, D-Md., have requested a briefing from the Justice Department on its prosecution of Swartz. The briefing is expected in the coming days, after which committee leaders will have a better idea of how to proceed. Senate Minority Whip John Cornyn, R-Texas, has also written to Attorney General Eric H. Holder Jr. regarding the Swartz prosecution, which is now inextricably linked to the broader issue of how computer crimes are prosecuted.
The Justice Department has already pushed back against the notion it persecuted Swartz, with Ortiz releasing a statement last month defending her office’s conduct. Ortiz claims that prosecutors sought a sentence of six months and denies ever telling Swartz’s attorneys they intended to seek maximum penalties under the law.
“The prosecutors recognized that there was no evidence against Mr. Swartz indicating that he committed his acts for personal financial gain, and they recognized that his conduct — while a violation of the law — did not warrant the severe punishments authorized by Congress and called for by the sentencing guidelines in appropriate cases,” Ortiz said.
“I know that there is little I can say to abate the anger felt by those who believe that this office’s prosecution of Mr. Swartz was unwarranted and somehow led to the tragic result of him taking his own life,” she added.
Segal said he anticipates the main resistance to changing the CFAA will come from the Justice Department, which has consistently pushed to increase sentences for computer crimes. He argued that the department was trying to “map pre-Internet law onto the Internet.”
“That’s exactly the problem, we’ve got this intractable institution that’s not reflective, and obsessed with a blunt, binary conception of right and wrong,” Segal said of the Justice Department. “We’re trying to organize to figure out how to push back against their efforts, which I assume have already commenced.”