By Jessica Mendelson and Robert Milligan
The death of Aaron Swartz, a well-known coder, entrepreneur and political activist, has resulted in increased scrutiny of the federal Computer Fraud and Abuse Act (“CFAA”), a law some condemn as arcane and draconian but supported by others as necessary to combat illegal hacking and data theft.
Mr. Swartz helped to create RSS, a tool which allows users to subscribe to online information. He was also a digital activist and innovator and pushed to make information on the internet free and publicly accessible. Mr. Swartz was found dead in his New York apartment on January 11.
At the time of his death, Mr. Swartz was facing federal prosecution for allegedly gaining illegal access to JSTOR, a subscription service allowing users to access a variety of academic journals. Mr. Swartz allegedly wanted to “liberate” the journals in the database and make them publicly accessible. According to various reports, Mr. Swartz allegedly initially downloaded articles from JSTOR through a guest account on the Massachusetts Institute of Technology (“MIT”) network. Through the use of a program called “keepgrabbing,” Mr. Swartz allegedly was able to circumvent JSTOR’s limits on the number of articles a single person could download. However, after MIT and JSTOR caught on and disabled his access multiple times, Mr. Swartz allegedly broke into a utility closet on MIT’s campus where he was able to connect his computer directly to the university network. In total, Mr. Swartz allegedly downloaded around 4.8 million articles from JSTOR. In July 2011, Mr. Swartz was indicted on federal charges, including wire fraud and thirteen separate violations of the CFAA. For these crimes, Mr. Swartz faced up to thirty-five years in prison, as well as millions of dollars worth of fines.
The specific charges that Mr. Swartz violated the CFAA alleged Mr. Swartz “intentionally accessed a computer without authorization or exceeded authorized access.” 18 U.S.C. 1020(a)(2)(c). As we have previously mentioned, under this section of the CFAA, there are two main theories of liability: the agency theory, and the computer usage theory. Under the agency theory, which is typically used in the employment context, when the employee accesses a computer or network to further interests adverse to the employer, such actions terminate his or her agency relationship and, thus the person loses any authority to access the computer. Under the computer usage theory, a violation of a computer usage policy or internet terms of service can serve as a basis for holding someone liable under the CFAA, Thus, for example, a person who is authorized to access a company computer, but uses that access to steal or damage valuable company data in violation of a computer usage policy, would be liable for his or her wrongful conduct, under the CFAA.
Mr. Swartz’s family reportedly blames his death on “intimidation” from an overzealous prosecutor. A petition to remove the U.S. Attorney prosecuting the case, already has 25,000 signatures, and is awaiting a response from the White House.
Some see Mr. Swartz’s death as the result of prosecutorial intimidation. Others express frustration with the current state of the CFAA, arguing it has been amended so many times that it no longer makes sense. In the past, others have supported a stronger and more robust CFAA.
Although the law may be broad, and the associated penalties severe, some experts argue that prosecutors acted in accordance with the law in bringing charges against him. According to a recent post on a legal blog, Orin Kerr, a law professor at George Washington University and frequent contributor to the blog The Volokh Conspiracy, “the charges were based on established caselaw” and did not involve aggressive prosecutorial overreach. In Swatz’s case, Mr. Kerr argues, unauthorized access is pretty clear: Mr. Swartz circumvented code-based barriers, and then played “a cat and mouse game” where he tried to access the database and JSTOR repeatedly tried to block him. One criminal defense attorney, interviewed in an NPR segment, questioned whether computer hacking should be crime but acknowledged that was an issue for Congress and that Congress had decided to make it a crime and concluded that prosecutors have an obligation to enforce the law.
Mr. Swartz’s death has resulted in a call for change by some, as they express a need for “a public conversation about what the laws should prohibit and how severe they should be.” In the wake of Mr. Swartz’s death, some legislators, advocates and media have come out in support of a change to the CFAA. Darrell Issa (R-California), the head of the House Oversight Committee recently announced plans to launch an investigation into the charges Mr. Swartz faced. “I’m not condoning his hacking, but . . . had he been a journalist and taken that same material that he gained from MIT, he would have been praised for it. It would have been like the Pentagon Papers,” Mr. Issa told The Huffington Post.
Zoe Lofgren (D-California), a member of the House of Representatives, has already proposed an amendment to the CFAA. In a recent public statement on Reddit, she discusses the “inappropriate efforts undertaken by the U.S. government” and the importance of preventing “a repeat of the abuses of power he experienced.” Ms. Lofgren expresses concern over the “vague wording” of the CFAA, which could criminalize everyday behavior by claiming “that violating an online service’s user agreement or terms of service is a violation of the CFFA and the wire fraud statute.” The law Ms. Lofgren proposes, which will be known as Aaron’s Law, would modify the definition of exceeds authorized access. As the law stands now, the phrase is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Under Aaron’s law, the phrase “alter” would become “alter, but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.”
Such a change to the CFAA, which seems intended to limit prosecutorial discretion, would likely significantly limit creative prosecutorial interpretations of the CFAA and effectively end criminal and civil liability under the CFAA based on violations of computer usage and terms of service policies. This change would likely result in the demise of the computer usage theory, however, how the proposed law would impact the agency theory adopted in some jurisdictions as discussed above would remain to be seen. Aaron’s law could prove frustrating for some employers, who may support a strong CFAA to combat employee data theft, because state causes of action and remedies can be insufficient to deal with unauthorized computer access by former employees who steal company data.
We will keep you apprised of significant development in this evolving debate over the future of the CFAA.