The Volokh Conspiracy

Last month, I blogged about why I agreed to represent Andrew Auernheimer pro bono in his appeal before the Third Circuit. Tomorrow’s Washington Post has a front-page story by Jerry Markon focusing on the case. It begins:

Their guns drawn, a dozen federal agents, police and forensics experts kicked in the door of a run-down two-story home in Arkansas shortly after dawn, barged inside and ordered the occupants to put their hands on their heads.

The target of the raid was neither terrorist nor bank robber. He was a 24-year-old computer hacker suspected of handing off stolen e-mail addresses to the media.

With that, the Justice Department began a case that has come to symbolize what some lawyers and civil libertarians see as overreach in the government’s campaign against cybercrime.

The hacker, Andrew Auernheimer, was convicted and sentenced last month to more than three years in prison for obtaining about 120,000 e-mail addresses of iPad users from AT&T’s Web site — including New York Mayor Michael R. Bloomberg (I), Hollywood executive Harvey Weinstein and other prominent figures — and giving them to the Web site Gawker. When it happened three years ago, the data breach jolted federal officials because it affected one of the nation’s most prominent companies and triggered fears about the security of increasingly popular mobile devices.

Yet only a few, heavily redacted e-mail addresses were published, court documents show. No one’s account was broken into. AT&T fixed the problem in about an hour, and a company official testified that there probably was not enough evidence to sue the hackers.

The case highlights a growing debate over how to define right and wrong in the digital age, what is public and proprietary online, and how far law enforcement should go in pursuing cybercrime.

The Obama administration is confronting what it calls a vast cybersecurity threat, and the Justice Department is waging aggressive efforts, including against national security threats such as cyberterrorism and cyber-espionage. But a series of recent cases involving other types of online activity has prompted criticism that the crackdown may also be scooping up minor hackers who may see themselves as political or anti-corporate activists.

On a related note, the latest issue of the ABA Journal has this article: Hacker’s Hell: Many Want to Narrow the Computer Fraud and Abuse Act.

Today the Ninth Circuit handed down its long-awaited en banc decision in United States v. Cotterman, a case on the lawfulness of searching a computer at the border. (My prior posts are here, here, here, and here.) Today the Ninth Circuit announced a special rule for computer searches: Although a “review of computer files” can occur without reasonable suspicion, the “forensic examination” of a computer at the border requires reasonable suspicion because it is “akin to reading a diary line by line looking for mention of criminal activity—plus looking at everything the writer may have erased.” Here’s the key part of the analysis:

The relevant inquiry, as always, is one of reasonableness. But that reasonableness determination must account for differences in property. Unlike searches involving a reassembled gas tank, or small hole in the bed of a pickup truck, which have minimal or no impact beyond the search itself—and little implication for an individual’s dignity and privacy interests—the exposure of confidential and personal information has permanence. It cannot be undone. Accordingly, the uniquely sensitive nature of data on electronic devices carries with it a significant expectation of privacy and thus renders an exhaustive exploratory search more intrusive than with other forms of property.

After their initial search at the border, customs agents made copies of the hard drives and performed forensic evaluations of the computers that took days to turn up contraband. It was essentially a computer strip search. An exhaustive forensic search of a copied laptop hard drive intrudes upon privacy and dignity interests to a far greater degree than a cursory search at the border. It is little comfort to assume that the government—for now—does not have the time or resources to seize and search the millions of devices that accompany the millions of travelers who cross our borders. It is the potential unfettered dragnet effect that is troublesome.

We have confidence in the ability of law enforcement to distinguish a review of computer files from a forensic examination. We do not share the alarm expressed by the concurrence and the dissent that the standard we announce will prove unmanageable or give border agents a “Sophie’s choice” between thorough searches and Bivens actions.

In dissent, Judge M. Smith responds:

While I share some of the majority’s concerns about the steady erosion of our personal privacy in this digital age, the majority’s decision to create a reasonable suspicion requirement for some property searches at the border so muddies current border search doctrine that border agents will be left to divine on an ad hoc basis whether a property search is sufficiently “comprehensive and intrusive” to require reasonable suspicion, or sufficiently “unintrusive” to come within the traditional border search exception. Requiring border patrol agents to determine that reasonable suspicion exists prior to performing a basic forensic examination of a laptop or other electronic devices discourages such searches, leaving our borders open to electronicallysavvyterrorists and criminals who may hereafter carry their equipment and data across our borders with little fear of detection. In fact, the majority opinion makes such a legal bouillabaisse out of the previously unambiguous border search doctrine, that I sincerely hope the Supreme Court will grant certiorari, and reverse the holding in this case regarding the level of suspicion necessary to search electronic devices at the border, for the sake of our national security, and the consistency of
our national border search law.

And Judge Callahan adds:

Regrettably the majority, dispensing with these wellsettled, sensible, and binding principles [from Supreme Court caselaw], lifts our anchor and charts a course for muddy waters. Now border agents, instead of knowing that they may search anyand all property that crosses the border for illegal articles, must ponder whether their searches are sufficiently “comprehensive and intrusive,” to require reasonable suspicion, and whether they have such suspicion. In most cases the answer is going to be as clear as, well, mud. We’re due for another course correction.

Fascinating.

And there’s another interesting twist, at least if I have read the record correctly (and I hope readers will correct me if I’m wrong). Long-time readers may recall the long-running friction between the Ninth Circuit and DOJ over how to litigate border search exception cases. DOJ has generally refused to argue that there is reasonable suspicion in order to keep open Supreme Court review if/when the Ninth Circuit takes a narrow view of the exception. Specifically, DOJ has wanted to avoid the situation in which the Ninth Circuit establishes a reasonable suspicion standard, finds reasonable suspicion, and thus prevents DOJ from being able to file a cert petition to reverse the Ninth Circuit’s conclusion that reasonable suspicion is required. As I noted in this post in 2011, DOJ declined to argue that there was reasonable suspicion in Cotterman, presumably so it could seek Supreme Court review if the Ninth Circuit ruled for the defense.

In the en banc decision today, however, the Ninth Circuit goes on to determine that there is reasonable suspicion and that DOJ therefore wins the case. That is, after holding that reasonable suspicion is required, the en banc court goes on to say that reasonable suspicion existed to search Cotterman’s computer and thus that DOJ wins and the district court has to deny the suppression motion. Ordinarily, then, this would mean that DOJ cannot seek further review: After all, it won the case. I wonder, though: Does the principle of Camreta v. Greene allow DOJ to obtain review of Cotterman anyway to seek a review of the underlying question of whether reasonable suspicion is required?

Anyway, I’m finishing up an article to ship to the law reviews later today, so I doubt I’ll be able to blog more on Cotterman at least for the next few hours. But it’s a fascinating case, and I’ll plan to blog more on it later.

Will Congress amend the Computer Fraud and Abuse Act in light of the Aaron Swartz case? Don’t expect reforms any time soon, Politico suggests:

Despite some recent momentum, there’s not much clamor for change coming from the White House — and as expected, the Justice Department, which once tried to expand the penalties of the so-called Computer Fraud and Abuse Act, has been silent.

While there’s a new reform push on Capitol Hill backed by a few powerful members, the key committees with jurisdiction have other plans in mind — and their agendas are packed with immigration reform and gun control. More than that, Congress actually has been fond of stronger punishments for some offenders.

It’s not to say the principles known as Aaron’s Law won’t ever reach the president’s desk in some form — just that all the Internet hype and rallying mark only the beginning of a new and lengthy political journey.

I think that’s probably right, unfortunately. Narrowing federal criminal law is always hard, both because elected officials don’t want to seem ‘soft on crime’ and because the head of the executive branch has the veto power. Plus, on this issue specifically, the Internet companies and service providers that have a lot of influence on the Hill aren’t natural allies with civil libertarians. Those companies want their customers to feel that using their products is private, which can lead companies to favor expanding privacy protections in the context of government investigations. But when it comes to the substantive criminal laws, those same companies tend to see themselves as victims of computer crimes (whether from outside hackers or insiders). As a result, they tend to be wary of narrowing the laws. So as the Politico story says, expect a lengthy political journey. And keep an eye out for how the courts construe the CFAA, too: There’s a lot of uncertainty that courts will have to grapple with regardless of whether Congress takes up the issue.

I have been beating the drum on the need to narrow the Computer Fraud and Abuse Act for a decade or so, so I was happy to see today’s cartoon for “Tom the Dancing Bug” pick up the cause, too. I don’t know if I can reprint the cartoon here copyright reasons, but you can click here to see it. For my related op-ed from 2011, see here. And for a video of me ranting about the broad scope of the CFAA — or at least coming as close as I come to ranting — see here at the 44:10 mark (and pardon the echo).

In the spirit of the post, I thought I would also reprint the conclusion of the CFAA chapter in the 3rd edition of my Computer Crime Law casebook. As lawyers and law students know, it is common for law school casebooks to supplement cases with extensive “notes and questions” offering additional points and questions for further thought. Here’s the last “note” in the chapter:

The scope of criminal liability for computer misuse is very broad. A critic of existing law might say that the legislature’s basic approach is to criminalize everything and then rely on prosecutorial discretion to select appropriate cases for criminal punishment.

Is this criticism accurate? And if it is, do you think the legislature has acted wisely? Computer technologies and social practices change rapidly, and it may be difficult for the law to keep up. Is it sensible for legislatures to impose broad criminal liability ex ante, so that prosecutors are rarely or never in a position of being unable to charge a worthy case? Or should the legislature only impose liability narrowly, so that new computer technologies can evolve without the threat of criminal punishment? Do you trust prosecutors to charge only appropriate cases? Does the threat of criminal punishment have a significant chilling effect on legitimate computer use?

In a recent post, I suggested a way to narrow the Computer Fraud and Abuse Act, 18 U.S.C. 1030. In narrowing that law, I intentionally excluded the problem of “insiders” who might misuse computers. There are really two situations to worry about. First, there’s the Aleynikov problem: an employee at a company who is thinking of leaving the company might access the computers of his employer and copy valuable data to help start a competing business or sell the data. Second, there’s the Rodriguez problem: A government employee might misuse sensitive government databases.

I don’t think these facts should fit under 18 U.S.C. 1030 because they deal with a different kind of problem; it’s hard to fit them in to 1030 without causing incredibly broad liability. But I do think it’s fair to want to criminalize such conduct with a different statute. So I have drafted such a proposal and posted it here: Proposal for 18 U.S.C. 1031, Employee Misuse of Computer Information. My proposal isn’t perfect, and I’d want to fiddle with it a bit myself, but the idea is to enact a narrow statute to deal with the specific problems of insiders.

UPDATE: I have updated the draft a bit in response to commenters, and I thought I would add an explanation in response to this comment:

Why does the federal law and your proposal have to address the technology — computers — rather than the underlying wrongful conduct: stealing a company’s information or improper use of government property.

Presumably someone who takes hundreds of documents from Goldman Sachs’ file cabinets, and uses those documents to start a rival business, is no less culpable than the Aleynikov problem.

The reason is two-fold. For part (a), Employee Misuse of Information for Private Financial Gain, the statute is necessary because the circuit courts have interpreted the transportation of stolen goods statute, 18 U.S.C. 2314, to not apply to computer data. If an employee steals paper documents or makes a photocopy of the paper documents and carries the document or paper copy across state lines, then the emplioyee violates 18 U.S.C. 2314. See United States v. Bottone. On the other hand, if an employee makes an electronic copy and e-mails the documents across state lines, then the statute is not violated. See United States v. Aleynikov. It would be possible to amend 2314 instead to encompass valuable data, of course, but that is actually a broader approach than the proposal I have made here, and it raises all sorts of complex conceptual problems for when data counts as being “stolen.”

I think reasonable people can disagree about the need for part (b), Misuse of Personal Information by Government Employees. I don’t have particularly strong feelings about it either way. But I think a computer-specific approach makes sense here for two reasons. First, I don’t think there are paper databases of personal information anymore; the facts tend to involve computers. Second, there is no general prohibition on “improper use of government property.” There is a prohibition on theft of government property, but it would not apply in such circumstances under United States v. Collins, which is discussed in this thoughtful student case comment. Congress could try to draft a general misuse of government property statute that is not computer-specific, but again, it would seem to require a much broader statute than what I am proposing.

There has been a lot of interest in amending the Computer Fraud and Abuse Act in light of the Aaron Swartz prosecution. I have drafted some changes and uploaded a red-lined version here.

My proposal has lots of parts, but the big ones are: (1) eliminating liability for exceeding authorized access, (2) tightening the felony thresholds throughout the statute, and (c) eliminating several sections of the statute, including 1030(a)(3) and (a)(4), which are redundant, and 1030(g), the civil liability provision which is chiefly responsible for the overly expansive readings of the statute.

No rewriting of a statute is going to be perfect, but perhaps this proposed redrafting will be of interest to some who are debating the future of this statute.

Two quick links related to the Aaron Swartz prosecution:

1) Duke lawprof Jamie Boyle has posted a thoughtful reply to my two posts on the Aaron Swartz case over at The Public Domain. I plan to post a response to Jamie when I have time to do so — in a day or two, I hope — but in the meantime I wanted at least to recognize his post and provide the link for interested readers.

2) Senator Cornyn has sent a letter to Attorney General Holder asking for a detailed explanation from Holder of why DOJ exercised its discretion in the Swartz case as it did. Senator Cornyn is my former boss, so maybe I am biased here, but I think that’s a productive way to get DOJ to say more about its perspective on the case. It will be interesting to see how DOJ responds.

Among the questions raised by the Cornyn letter is whether DOJ policy gives U.S. Attorneys the discretion to charge cases consistent with the gravity of the wrongdoing in the case. The answer has changed over time. Traditionally, the answer was “yes.” In 2003, however, then-AG John Ashroft announced a new policy essentially eliminating that discretion. With narrow exceptions, all federal prosecutors were required to “charge and pursue the most serious, readily provable offense or offenses that are supported by the facts of the case.” In 2010, however, AG Eric Holder overturned the Ashcroft policy with a new memo restoring the traditional role of prosecutorial discretion. You can read the 2010 Holder policy here.

This is the second in a series of posts on the Aaron Swartz prosecution. In my first post, I analyzed whether the charges that were brought against Swartz were justified as a matter of law. In this post, I consider whether the prosecutors in the case properly exercised their discretion. As some readers may know, prosecutors generally have the discretion to decline to prosecute a case; once they charge a case, they have the discretion to offer or not offer a plea deal; and once they offer the plea deal, they have some discretion to set the terms of the offer that they will accept. This post considers whether the prosecutors abused that discretion.

To provide some attempted answers, I’m going to break down the question into four different issues: First, was any criminal punishment appropriate in the case? Second, if so, how much criminal punishment was appropriate? Third, who is to blame if the punishment was excessive and the government’s tactics were overzealous? And fourth, does the Swartz case show the need to amend the Computer Fraud and Abuse Act, and if so, how?

This is a very long post, so here’s a summary of where I come out on these four questions.

On the first question, I think that some kind of criminal punishment was appropriate in this case. Swartz had announced his commitment to violating the law as a moral imperative in order to effectively nullify existing federal laws on access to information. When someone engages in civil disobedience and intentionally violates a criminal law to achieve such an anti-democratic policy goal through unlawful means — and when there are indications in both words and deeds that he will continue to do so — it is proper for the criminal law to impose a punishment under the law that the individual intentionally violated. (Indeed, usually that is the point of civil disobedience: The entire point is to be punished to draw attention to the law that is deemed unjust.)  As that appears to be the case here, I think some punishment was appropriate.

On the second question, I think the proper level of punishment in this case would be based primarily on the principle of what lawyers call “special deterrence.” In plain English, here’s the key question: What punishment was the minimum necessary to deter Swartz from continuing to try to use unlawful means to achieve his reform goals? I don’t think I know the answer to that question, but that’s the question I would answer to determine the proper level of punishment. The prosecution’s plea offer of 6 months in jail and a felony conviction may have been much more than was needed to persuade Swartz not to engage in unlawful and anti-demoratic means to pursue his policy goals in the future. If so, then I think it was too severe. But it depends on how much punishment was necessary to deter Swartz from using unlawful means to pursue his policy goals. In my view, that’s the question that we need to answer in order to say what punishment was appropriate in Swartz’s case.

On the third question, the issue of who was to blame if the prosecution was too severe, I think it’s important to realize that what happened in the Swartz case happens it lots and lots of federal criminal cases. Yes, the prosecutors tried to force a plea deal by scaring the defendant with arguments that he would be locked away for a long time if he was convicted at trial. Yes, the prosecutors filed a superseding indictment designed to scare Swartz evem more in to pleading guilty (it actually had no effect on the likely sentence, but it’s a powerful scare tactic). Yes, the prosecutors insisted on jail time and a felony conviction as part of a plea. But it is not particularly surprising for federal prosecutors to use those tactics. What’s unusual about the Swartz case is that it involved a highly charismatic defendant with very powerful friends in a position to object to these common practices. That’s not to excuse what happened, but rather to direct the energy that is angry about what happened. If you want to end these tactics, don’t just complain about the Swartz case. Don’t just complain when the defendant happens to be a brilliant guy who went to Stanford and hangs out with Larry Lessig. Instead, complain that this is business as usual in federal criminal cases around the country — mostly with defendants who no one has ever heard of and who get locked up for years without anyone else much caring.

On the fourth issue, yes, the Swartz case does point to a serious problem with the Computer Fraud and Abuse Act. But that problem is not the definition of “unauthorized access,” as some people seem to believe. (That definition is a problem, but with the Nosal case from the Ninth Circuit and likely Supreme Court review in the next year or so, I think the Courts are likely to take care of it.) Rather, the problem raised by the Swartz case is one I’ve been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly. I would recommend two changes. First, the felony enhancements for 1030(a)(2) are much too broad. I would significantly narrow them. Second, I would repeal 1030(a)(4), which is redundant as it only a combination of 1030(a)(2) and the wire fraud statute, 18 U.S.C. 1343. It therefore only leads to extra and redundant charges to confuse juries, and is better off repealed.

So that’s my overall take. Let’s take it issue by issue.

II. Was Any Criminal Punishment Proper in the Swartz Case?

Let’s start question of whether any criminal charges at all were appropriate in this case. In order to answer that, we need to focus on what Swartz planned to do. Swartz was arrested in the middle of his planned course of conduct, so we need to make an educated guess about what his plan was. Granted, some have argued that the fact that Swartz was caught mid-way means that there was no harm in the Swartz case and he should not be punished. But I think that approach is mistaken. When the police catch someone in the course of criminal conduct and intervene mid-way, the punishment is properly based on what the person was in the course of doing rather than how much he succeeded before he was caught.

So what was Swartz’s plan? From what I can tell, Swartz was a remarkable and unusually focused person, and there are substantial reasons to think he acted with a pretty specific plan in mind. Although he never went to law school, Swartz was a serious legal nerd. He hung out with lots of lawyers, and he was passionately involved in debates on legal topics. He went to the Supreme Court argument in Eldred v. Reno as Larry Lessig’s personal guest when he was only 15 years old. More recently, he was deeply involved in the recent debate over SOPA. He was quite informed about the law and interested in it. I know from an e-mail he once sent me that he was a “big fan” of my work — his words — which suggests he was pretty deep in the details of laws like the Computer Fraud and Abuse Act, under which he was ultimately charged.

In figuring out what Swartz was doing, we have an unusual source: Swartz’s own words. In 2008, Swartz published an essay that he labeled the Guerilla Open Access Manifesto. In the essay, Swartz argues that there is a moral imperative to engage in civil disobedience and break laws that limits access to academic articles and to make those articles available wherever they are restricted. Engaging in civil disobedience can nullify the law by making it impossible to enforce, Swartz suggests. Here’s the essay, which is worth reading in full:

Information is power. But like all power, there are those who want to keep it for themselves. The world’s entire scientific and cultural heritage, published over centuries in books and journals, is increasingly being digitized and locked up by a handful of private corporations. Want to read the papers featuring the most famous results of the sciences? You’ll need to send enormous amounts to publishers like Reed Elsevier.

There are those struggling to change this. The Open Access Movement has fought valiantly to ensure that scientists do not sign their copyrights away but instead ensure their work is published on the Internet, under terms that allow anyone to access it. But even under the best scenarios, their work will only apply to things published in the future. Everything up until now will have been lost.

That is too high a price to pay. Forcing academics to pay money to read the work of their colleagues? Scanning entire libraries but only allowing the folks at Google to read them? Providing scientific articles to those at elite universities in the First World, but not to children in the Global South? It’s outrageous and unacceptable.

“I agree,” many say, “but what can we do? The companies hold the copyrights, they make enormous amounts of money by charging for access, and it’s perfectly legal — there’s nothing we can do to stop them.” But there is something we can, something that’s already being done: we can fight back.

Those with access to these resources — students, librarians, scientists — you have been given a privilege. You get to feed at this banquet of knowledge while the rest of the world is locked out. But you need not — indeed, morally, you cannot — keep this privilege for yourselves. You have a duty to share it with the world. And you have: trading passwords with colleagues, filling download requests for friends.

Meanwhile, those who have been locked out are not standing idly by. You have been sneaking through holes and climbing over fences, liberating the information locked up by the publishers and sharing them with your friends.

But all of this action goes on in the dark, hidden underground. It’s called stealing or piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a ship and murdering its crew. But sharing isn’t immoral — it’s a moral imperative. Only those blinded by greed would refuse to let a friend make a copy.

Large corporations, of course, are blinded by greed. The laws under which they operate require it — their shareholders would revolt at anything less. And the politicians they have bought off back them, passing laws giving them the exclusive power to decide who can make copies.

There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.

We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. We need to fight for Guerilla Open Access.

With enough of us, around the world, we’ll not just send a strong message opposing the privatization of knowledge — we’ll make it a thing of the past. Will you join us?

As far as I can tell, this “manifesto” was not just a casual remark or random thought. Rather, it seems to have been a set of principles Swartz believed in quite passionately. And his conduct appears to reflect that commitment. In the same year Swartz published the manifesto, he participated in the effort to download the entire contents of PACER. That led to an FBI investigation but no charges. And then the MIT/JSTOR incident followed soon after, in 2010, which led to the criminal charges in this case.

If I’m right about what Swartz was trying to do, then I think some kind of criminal prosecution is appropriate in this case. The evidence suggests to me that this was not a one-time mistake or an impulsive decision. Rather, Swartz was acting very deliberately with a quite far-reaching goal: he was intentionally breaking the law in the short run to achieve a long-run goal of nullifying the protections of a set of democratically-enacted laws that he opposed.

And Swartz knew that the means he used to obtain the JSTOR database was unauthorized. He was playing a long-term cat-and-mouse game with MIT and JSTOR in which they repeatedly tried to get him off the network and he repeatedly figured out ways to get back on and get the files he wanted. He didn’t break into the closet because he liked closets; he was trying to find a way to do what MIT and JSTOR were trying to block. He wasn’t hiding his face from the video camera in the MIT closet out of shyness; he knew that he was doing something illegal and he was trying not to get caught. And when the police spotted him, he wasn’t surprised that they wanted to talk to him: According to the police report, he jumped off his bike and tried to outrun the police on foot. Further, Swartz’s conduct had real costs to others, ranging from costs to MIT in dealing with responding to his conduct to lost access to JSTOR for a few days for the entire campus.

In these circumstances, it seems to me that at least *some* criminal responsibility is appropriate. We can debate what the proper punishment should be — more on that in a minute — but I don’t think it would have been right to just let Swartz go ahead with his plan to intentionally violate the law, releasing millions of articles onto file-sharing networks, without the law responding at least in some way. The great tradition of civil disobedience is to intentionally violate the law and proudly bear the consequences in order to change public opinion and eventually change the law, not to violate the law in secret and try to render the law you oppose unenforceable  while avoiding punishment. So I think some kind of criminal punishment is appropriate.

Some have argued that criminal prosecution was inappropriate because JSTOR did not favor prosecution. The problem with this view, in my opinion, is that JSTOR is not the only party with rights at stake here. MIT is also a party with rights at stake: Swartz imposed costs and inconvenience on MIT’s network and its users, and we know MIT called the police and helped the Secret Service catch Swartz. The copyright owners of the copyrighted articles that Swartz was trying to release on file-sharing networks were also parties with rights at stake: Democratically-enacted laws gave them control over that articles that Swartz was trying to defeat. And I would argue that the public also had a broad interest. To the extent Swartz’s goal was to nullify the effect of a democratically-enacted law that he opposed — which seems to be the gist of the manifesto — he was trying to eliminate options that the the public otherwise had in dealing with access to new technologies based on the public’s beliefs about optimal social policy. The reaction of JSTOR doesn’t consider or reflect any of these additional interests, so I don’t think it should strongly influence the government’s decision of whether to prosecute.

III. What Was the Appropriate Punishment in the Aaron Swartz Case?

Now let’s turn to what may be the next question. What punishment was proper? Did prosecutors go too far? To answer that, we need a benchmark of how much punishment was enough. And to answer that, we need to look at the social harms involved in the conduct. Swartz was caught before he executed his plan, so there were relatively minimal harms from the plan that was stopped before it succeeded. But as I’ve explained above, it seems like Aaron was committed to a long-term plan to continue to engage in such conduct, including through unlawful means. In his view, this was not a one-off, or an impulsive decision. Rather, he felt that there was a moral imperative to violate laws that he saw as unjust.  And critically, he didn’t want to violate those laws in a symbolic way just to bring attention to laws he saw as unjust.  Swartz was not acting in the grand tradition of civil disobedience in which one willingly draws punishment to  bring attention to the unjustness of the law.  In his own words, he didn’t want to “just send a strong message opposing the privatization of knowledge.” Rather, he wanted to change the facts on the ground to make his preferred world a  fait accompli.   That is, he wanted to make the laws unenforceable, winning the debate unilaterally outside of Congress. In his words, he wanted to act so that the democratically-enacted laws that allowed privatization of knowledge would become “a thing of the past.”

Given that commitment, I think one appropriate benchmark for the proper punishment is based on what legal scholars call “special deterrence.” In plain English, the question is this: What is the minimum punishment that was needed to persuade Swartz not to do this sort of thing in the future? To my mind, the answer to that question provides a reasonable benchmark to determine the proper punishment. By all accounts, Swartz was a tremendously brilliant guy with an incredibly bright future. His death is a tremendous tragedy. But had he lived, we would all have been better off with a future in which Swartz directed his incredible talents to pursuing his ideas through lawful means rather than unlawful means. Many people — and many readers of this post in particular — share Swartz’s sense of good social policy. But we live in a democracy.   We might not like all the rules in a democracy, but the way to change those rules is through democratic change.  Swartz could have tried to be punished under the law to bring attention to the law in the hope of changing it through the democratic process.  But instead he had something anti-democratic in mind. I think it’s pretty clear that in a democratic system, that kind of anti-democratic cause is something that we should disfavor.  You can break the law to draw punishment, but the ultimate goal of traditional civil disobedience is achieving change through the legal means of democracy.  Swartz had something else in mind, it seems;  changing the law de facto by his unilateral action. Given the importance of the difference, a punishment that was the minimum sufficient to persuade Swartz to follow the law in the future seems appropriate.

This brings up the difficulty that we don’t know exactly what penalty would have persuaded Swartz to follow the law in the future. So I’ll ask those who knew Swartz best: What do you think would have been sufficient to persuade Swartz to abandon the moral imperative of civil disobedience and instead agree to pursue change through only legal means? I’ll defer here to the people who knew Swartz best, with whatever they think the right answer is. Would probation have been enough? A month of home confinement? Jail time? I really don’t know. It may be that the answer was unknowable.

To my mind, this is one of the puzzles about Swartz. On one hand, he was deeply committed to civil disobedience and to the moral imperative of breaking unjust laws. On the other hand, he seems to have had his soul crushed by the prospect that he would spend time in jail. This is an unusual combination. Usually the decision to engage in civil disobedience comes along with a willingness to take the punishment that the law imposes. But despite Swartz’s apparent interest in legal questions, he seems to have made his decision with a blind spot to the penalties that would actually follow. It’s a strange situation: Swartz was really interested in the law, and he knew he was violating the law. He knew a lot of lawyers who would have told him that this would likely happen if he went ahead with his plan. But there was some apparent blind spot that led him to act anyway.

Continue reading ‘The Criminal Charges Against Aaron Swartz (Part 2: Prosecutorial Discretion)’ »

The Internet activist Aaron Swartz has died from an apparent suicide. Swartz was facing a criminal trial in April on charges arising from his effort to “liberate” the JSTOR database, and there has been a lot of commentary accusing the prosecutors in his case of having abused their role in ways that contributed to Swartz’s tragic death. Swartz’s friend Larry Lessig led the way by angrily condemning the prosecutors who charged Swartz as “bullies” who acted like they “had caught the 9/11 terrorists red-handed.” According to Lessig, the prosecutors acted in an “the most absurd or extreme way” and “don’t deserve to have the power of the United States government.” A lot of people seem to agree, and today’s media has picked up the story. The New York Times is running a headline, “A Data Crusader, a Defendant and Now, a Cause.” The Associated Press has a somewhat similar story, “Swartz’ Death Fuels Debate Over Computer Crime”.

The criticisms of the Swartz prosecution concern two different questions. The first question is the law. Were the charges against Swartz based on a fair reading of the laws? Or was the prosecution being overly aggressive or relying on strained theories in charging Swartz as it did? The second question is discretion and judgment. The DOJ has the discretion to charge cases or not, and prosecutors can agree to different plea deals or even agree to have charges dismissed. Were the prosecutors in this case unfair in how they exercised discretion, or did they act irresponsibly in the case in how they exercised the discretion that the law grants them?

I hope to answer these questions in two posts. In the first post, I’m going to try and answer the first question — the law — as informed by my background as a specialist in this particular area of law who has testified on these statutes before Congress, defended computer crime cases involving these statutes, and helped prosecute them, too. In a subsequent post, I’ll try to answer the second question, the exercise of prosecutorial discretion.

This is going to be a long post, so here’s the summary of my conclusion on the first question: I think the charges against Swartz were based on a fair reading of the law. None of the charges involved aggressive readings of the law or any apparent prosecutorial overreach. All of the charges were based on established caselaw. Indeed, once the decision to charge the case had been made, the charges brought here were pretty much what any good federal prosecutor would have charged. This is different from what a lot of people are hearing on the Internets, so I realize this post isn’t going to be popular. But I’ll explain my position in some detail, starting with the facts and then turning to the law, and then I’ll open it up for comments. And in a subsequent post, I’ll take on the second question of whether prosecutors properly exercised their discretion in the decision to charge the case and during plea negotiations.

I. The Facts Alleged in the Indictment

Here’s the indictment filed in Swartz’ case. Based on the indictment and news coverage of the case, the following is my current understanding of the facts:

JSTOR is an organization that sells universities, libraries, and publishers access to a database of over 1,000 academic journals. For a large research unversity, JSTOR charges as much as $50,000 a year for an annual subscription fee, at least parts of which go to pay copyright fees to the owners of the articles in the databases. The JSTOR database is not freely available: Normally, a username and password are required to access it. But if you access the site from a computer network owned by a university that has purchased a subscription, you can access the site without a username and password from their network. Users of the service then have to agree to use JSTOR in a particular way when they log in to the site; they generally can download one article at a time, but the JSTOR software is configured to block efforts to download large groups of articles.

Aaron Swartz decided to “liberate” the entire JSTOR database. He wanted everyone to have access to all of the journals in the database, so he came up with a plan to gain access to the database and copy it so he could make it publicly available to everyone via filesharing networks. Swartz lived in the Boston area, and he had legitimate access to the JSTOR database using Harvard’s network, where he was a fellow. But Swartz decided not to use Harvard’s network for what he had planned. Instead, he used MIT’s network across town. Swartz did not have an account or formal relationship with MIT, but MIT is known for having relatively open account practices.

In Swartz’ first attempt, he purchased a laptop, went into a building at MIT, and used the MIT wireless network to create a guest account on MIT’s network. He then accessed JSTOR and executed a program called “keepgrabbing” that circumvented JSTOR’s limits on how many articles a person could download — thus enabling Swartz to start to download a massive number of articles. MIT and JSTOR eventually caught on to what was happening, and they blocked Swartz’s computer from being able to access the MIT network by banning the IP address that he had been assigned.

Swartz responded by changing his IP address, and it took a few hours before JSTOR noticed and blocked his new IP address. To try to stop Swartz from just changing IP addresses again, JSTOR then blocked a range of IP addresses from MIT and contacted MIT for more help. MIT responded by canceling the new account and blocking Swartz’ computer from accessing the MIT address by banning his MAC address, a unique identifier associated with his laptop.

Undeterred, Swartz tried again. This time he brought a new laptop and also spoofed the MAC address from his old one to circumvent the ban. Using the two latops and the program designed to circumvent JSTOR’s limits on downloading articles, he started to download a significant chunk of JSTOR’s database. A day or two later, JSTOR responded by blocking all of MIT’s access to JSTOR for a few days.

Again undeterred, Swartz came up with a different plan. Instead of trying to connect to the MIT network wirelessly, Swartz broke into a closet in the basement of a building at MIT and connected his computer directly to the network — hiding his computer under a box so no one would see it. Over a month or two period, he succeeded in downloading a major portion of JSTOR’s database.

Investigators were on to Swartz at this point, however. They installed a video camera in the closet to catch Swartz when he accessed the closet to swap out storage devices or retrieve his computer. Swartz was caught on camera, and he even seems to have realized that he was being filmed; at one point he was filmed entering the closet using his bicycle helmet as a mask to avoid being identified. (Here’s the picture.) Swartz was spotted on MIT’s campus soon after by the police and tried to run away, but he was then caught and arrested. Federal charges followed.

II. The Legal Charges Brought Against Swartz

The indictment against Swartz alleged several different crimes. A bunch of the crimes overlap, but that doesn’t mean that they are really treated separately: At sentencing the general practice is to take the most serious of the crimes as the basis for the sentence and to mostly ignore the rest. But the ordinary practice is to charge all the possible offenses committed in the indictment, even if they overlap, and then let the jury sort them out at trial or else drop some of the charges in a plea deal. Here are the different offenses charged, with a legal analysis of each.

(a) Wire Fraud. The Wire Fraud statute, 18 U.S.C. 1343, prohibits a scheme to gain “property” by false pretenses. This strikes me as a pretty strong charge here. The false pretenses are provided by the false identification and spoofing of Swartz’ IP address and MAC address. Swartz was trying to trick JSTOR into giving him access to their database after they had specifically tried their best to ban him from doing so. And the “property” was the contents of the JSTOR database itself.

Some might argue that the contents of the JSTOR database should not be considered “property.” But I think that’s a hard argument to make in light of United States v. Seidlitz, 589 F.2d 152 (4th Cir. 1978). In Seiditz, a former employee of a company named OSI used the username and passowrd of another employee of the company to login and try to download a text-editing program named WYLBUR used for business applications. Seidlitz argued that the program was not “property” because the WYLBUR program was widely used by different companies. But the court disagreed:

Even though software systems similar to OSI’s WYLBUR were in use at non-OSI facilities, the evidence that OSI invested substantial sums to modify the system to suit its peculiar needs, that OSI enjoyed a multi-million dollar competitive advantage because of WYLBUR, and that OSI took steps to prevent persons other than clients and employees from using the system permitted a finding that the pilfered data was the property of OSI and not, as the defendant contends, property in the public domain subject to appropriation by persons such as himself.

That reasoning seems to apply reasonably well to the JSTOR database, too. See also Carpenter v. United States, 484 U.S. 19 (1987) (recognizing a property right for purposes of federal fraud statutes for a business in confidentiality and use of information to appear in a forthcoming publication). It’s possible to argue that Seidlitz is distinguishable, but I think it’s an uphill battle.

(b) Computer Fraud. The next charges were brought under the Computer Fraud statute, 18 U.S.C. 1030(a)(4), which is a close cousin of the Wire Fraud statute. The two are usually charged together in computer crime cases, and there isn’t really all that much that separates them that we need to dwell on here. So let’s move on to the next crime.

(c) Unauthorized Access. The next charge was unauthorized access to a computer to obtain information valued more than $5,000, in violation of 18 U.S.C. 1030(a)(2)(C) and 18 U.S.C. 1030(c)(2)(B)(iii). I think this charge was a fair one. There are two notable legal issues here. First, was the information valued at more than $5,000? The answer is clearly yes under the leading case of United States v. Batti, 631 F.3d 371 (6th Cir. 2011). Batti dealt with the $5,000 requirement in the context of a video that was difficult to value. The Sixth Circuit concluded that the $5,000 refers to the value of the information obtained, not any loss or harm to the alleged victim in the case. Further, the court authorized the following methodology when “information obtained by a violation of § 1030(c)(2)(B)(iii) does not have a readily ascertainable market value.” In such cases, the court held, “it is reasonable to use the cost of production as a means to determine the value of the information obtained.” Creating thousands of journals over many years obviously costs more than $5,000, so that element is easily satisfied.

The second issue is whether Swartz exceeded authorized access to the JSTOR computer. As regular readers know, I have been fighting overly broad readings of “unauthorized access” for well over a decade as a scholar, defense attorney, and op-ed writer. But I think it’s pretty clear that Swartz exceeded his authorized access here. JSTOR has a password-protected database that Swartz was trying to copy by circumventing code-based barriers to large-scale acces, and Swartz was playing a cat-and-mouse game in which he kept trying to gain access to the database and JSTOR kept trying to block him. They blocked his IP address; he changed it. They blocked his MAC address; he spoofed it. They blocked access and he broke into a restricted closet and connected directly to MIT’s network. This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions. I don’t see how that is particularly different from using someone else’s password, which is the quintessential access without authorization. So I think unauthorized access is established here, too.

(d) Computer Damage. The final charge brought was exceeding authorized access and thereby impairing the availability or integrity of information in ways that cause more than $5,000 or loss or involve more than 10 computers, in violation of 18 U.S.C. 1030(a)(5)(B) and 1030(c)(4)(A)(i)(I) & (VI). This is a plausible charge, although we’d need to know more details about the case to know if it is fully merited. I’ve already covered the elements of authorized access, so we can adopt that analysis above here and move on to the other elements.

To get to $5,000 in a 1030(a)(5) case, the easiest and most widely-accepted methodology in the caselaw is to focus on the time spent responding to the unauthorized access. Courts would generally just consider the hours spent by MIT and JSTOR in responding to Swartz and multiply those hours to get to an overall dollar figure. See, e.g., United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000); United States v. Millot, 433 F.3d 1057 (8th Cir. 2006). It sounds like MIT and JSTOR spent a lot of dealing with Swartz. If so, the time alone should pretty quickly get up to and over the $5,000 threshold. So while we don’t know the facts in detail, that was probably enough.

The impairment of availability or integrity element would probably be satisfied, as well, although again we don’t have much in the way of needed detail to know for sure. The leading case here is Pulte Homes, Inc. v. Laborers’ International Union of North America, 648 F.3d 295 (6th Cir. 2011), which adopted a broad view of this requirement, holding that this is satisfied by “a transmission that weakens a sound computer system — or, similarly, one that diminishes a plaintiff’s ability to use data or a system.” The indictment alleges that Swartz’s conduct impaired the working of the JSTOR database but doesn’t give us much detail, so it’s hard to be sure. Also, DOJ might be able to use JSTOR’s decision to cut off access to JSTOR on MIT’s network as an impairment of availability on the network. But I think this is a bit of a stretch, for two reasons. First, it’s hard to know exactly where to place the responsibility for the impairment. Did Swartz cause it, or did JSTOR? And more significantly, does access to a particular service from some users really constitute an impairment of availability of the JSTOR computer itself? I’m not sure, but I’m wary of that argument. So the 1030(a)(5) charges are plausible, but we would need to know more facts to know for sure if they were justified.

III. Conclusion

My conclusion, at least based on what we know so far, is that the legal charges against Swartz were pretty much legit. Three of them are pretty strong; one is plausible but we would need to know more facts to be sure. Of course, there may have been reasons not to charge Swartz even though he had violated these statutes or to offer him a lenient plea. I’ll take on those questions in my next post. But to the extent we’re focused on just what the law is, I think that what Swartz was alleged to have done fits pretty well with the charges that were brought.

Last year, I posted about a recently-filed criminal prosecution in which the federal government was charging a state fraud scheme involving poker machines under the Computer Fraud and Abuse Act:

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined as any computers that can be regulated under the Commerce Clause power, which paired with Gonzales v. Raich seems to be any computers, period. So voila, there is federal jurisdiction over the state law crime because a computer is involved.

Of course, whether the government can use 1030(a)(4) to federalize state law fraud schemes involving computers depends on the legal interpretation of “accesses . . . without authorization, or exceeds authorized access,” which is the main issue involved in cases like United States v. Nosal, currently pending before the en banc Ninth Circuit. In the Nestor case, I assume DOJ’s view is that it is implicitly unauthorized to exploit a programming error in a computer in order to commit a fraud. I think this reading essentially reads “without authorization, or exceeds authorized access” out of the statute, and instead treats 1030(a)(4) as punishing fraud committed using any computer, period. But we’ll see what the district court does with the motion to dismiss in Nestor, which may in turn depend on what the en banc Ninth Circuit does in Nosal.

This morning, Magistrate Judge Johnston filed his report and recommendation in the case recommending that the indictment be dismissed for two reasons. First, according to Magistrate Judge Johnston, the video poker machines are not protected computers because there is insufficient evidence that the machines had an impact on interstate commerce:

In order to be classified as a “protected computer,” a computer must be used in or affect interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(2)(B). The Government argues that video poker machines affect interstate commerce because “[c]ustomers from all over the country travel to Nevada to play Las Vegas’ gaming machines.” Response (#68) at 5. This argument fails for two reasons. First, this supposed effect on interstate commerce only holds up in the aggregate. While it may be true that the entire Las Vegas gambling industry attracts customers from all over the country, the Government cannot show that individual video poker machines have such an effect on interstate commerce. Second, to follow the Government’s interpretation of the term “protected computer” would divorce the function of the device, i.e. logical, arithmetic, or storage functions, from its supposed effects on interstate commerce. Computers connected to the internet are “protected computers” because this part of their designed function allows them to engage in interstate commerce. Likewise, the function of the radio system in Mitra was to connect with a federally regulated channel of interstate commerce. While any individual computer connected to the internet, or the Mitra radio system, can instantaneously engage in interstate commerce, an individual video poker machine has no such
connection to the wider world.

I have problems with broad theories of the Computer Fraud and Abuse Act, and especially its lack of statutory federalism limitations, but I think this position misunderstands the relevant law. As I pointed out in this post in 2009, the 2008 amendments to the definition of “protected computer” changed the scope of the protected computer in a critical way:

In 2008, Section 207 of the Former Vice President Protection Act, Pub.L. 110-326, expanded the definition of protected computer regulated by the statute to a computer that is “used in or affecting interstate or foreign commerce or communication” (new language in italics), and removed the requirement that information obtained had to be information that crossed state lines.

The switch from prohibiting conduct “in interstate commerce” to regulating conduct “affecting interstate commerce” is easy to overlook, but it turns out to be a critical change. When Congress uses the phrase “affecting interstate commerce,” that is generally understood to express Congress’s intent to regulate as far as the Commerce Clause will allow. See Russell v. United States, 471 U.S. 858, 849 (1985) (noting that prohibition regulating conduct “affecting interstate or foreign commerce” expresses “an intent by Congress to exercise its full power under the Commerce Clause”); Scarborough v. United States, 431 U.S. 563, 571 (1977) (“Congress is aware of the distinction between legislation limited to activities ‘in commerce’ and an assertion of its full Commerce Clause power so as to cover all activity substantially affecting interstate commerce.”). When Congress uses the jurisdictional hook of “affecting interstate commerce,” or its close cousin “affecting interstate or foreign commerce,” then the scope of the jurisdictional hook is generally understood to be defined by Commerce Clause jurisprudence.

But here’s the rub. Under Gonzales v. Raich, 545 U.S. 1 (2005), it seems awfully difficult to find any computer or any type of data that is actually beyond the scope of the federal commerce power. If you can aggregate the effect of all computers and all data, you’re going to identify a rational basis for identifying a substantial effect on interstate commerce. Maybe I’m just too much of a Commerce Clause pessimist — and if so, please let me know in the comment thread — but it seems to me that under Raich, if it’s a computer, it’s going to be a computer that Congress can regulate. See, e.g., United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005).

The end result: In the last two years, Congress has essentially gutted the idea of computer crimes that are beyond the reach of the federal government. If a computer is involved — any computer — it’s very likely to be a federal issue. The federal government can always decline to prosecute a case, and it can consider the fact that it’s just a local crime in the course of making that call. But that’s a matter of discretion, not law. For those of us who care about federalism, it’s a very sad state of affairs.

In light of this statutory change, Judge Johnston’s concern that the impact on interstate commerce “only holds up in the aggregate” misses the point. The only limit to the definition of “protected computer” is the Commerce Clause, and under Raich courts must consider the aggregate to determine the impact on interstate commerce. (Judge Johnston’s reliance on the Mitra precedent is problematic because Mitra was decided in 2005, three years before the statute was amendmed).

Second, Magistrate Judge Johnston concludes that use of the video poker machines to win money by exploiting the programming error did not “exceed authorized access” under the Ninth Circuit’s recent en banc decision in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012):

[W]hen playing ordinary, non-video poker at a casino there is an intermediary, namely the dealer, who is employed by the casino and who upholds and enforces the rules. When playing video poker, on the other hand, the rules are upheld and enforced by the gambling software itself. The Defendants argue that they could not have possibly exceeded their authorized access, because the bounds of their authorized access were defined by what the gaming software would allow. Any selections that would have exceeded that authorization should have been regulated by the software and made unavailable. The software is designed to regulate what selections are allowed and what results may be produced. Like the human casino employee, the software acts as the gatekeeper, stopping any unauthorized access in the event that a player tries to do something that falls outside the rules.

The Ninth Circuit’s most recent opinion interpreting the meaning of “exceeds authorized access” makes clear that the Government’s proposed interpretation of the statute in the present case is untenable. In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), the government argued that “exceeds authorized access” should “refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information.” The government in Nosal asserted that the word “so” in the definition of “exceeds authorized access” should be read to mean “in that manner,” which it claimed referred to use restrictions. Nosal, 676 F.3d at 857. Writing for the court, Chief Judge Kozinski stated that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” . . . .

Here, the Government has asserted that, although the Defendants were authorized to play the video poker machines and access information for that purpose, the way that they used the information exceeded their authorization. This argument is directly analogous to the government’s argument in Nosal and it fares no better here. As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the Defendants’ alleged actions did not exceed their authorized access.

I think this is a hard issue, and I find the question of exceeding authorized access trickier than the judge suggests. If you take seriously the notion that “the software acts as the gatekeeper,” then no one can ever violate the Computer Fraud and Abuse Act. That kind of reasoning leads to the bizarre result that if you can do it then it was necessarily authorized. On the other hand, the government’s reasoning in this case does seem to be the same reasoning that it relied on in Nosal. It’s also worth noting that in United States v. Morris, 926 F2d 504 (2d Cir. 1991), the Second Circuit held that using a command to gain access in a way contrary to its “intended function” makes that access “without authorization.” The idea was that exploiting a security flaw to gain access is not authorized because computer programs are implicitly limited to their generally intended use. Does exploiting a programming error to obtain money a user is not entitled to obtain implicitly “exceed authorized access” under the rationale of Morris? Or is Morris limited to controls on access on a computer, whereas here the issue was not access to the computer but rather obtaining funds from it?

I find this a hard case, but my very tentative conclusion is that the court was right on this issue. The first reason is the text of 1030(a)(4). That text requires two different elements to be proven: first, access without authorization or exceeding authorized access, and second, that “by means of such conduct” the defendant “furthers the intended fraud and obtains anything of value.” It seems to me that the government’s theory in this case appears to collapse the two elements: It treats the act of the fraud as implicitly exceeding authorized access. But that effectively eliminates the fraud requirement out of 1030(a)(4). Second, the notion of unauthorized access in 18 U.S.C. 1030 is focused on access to computers and access to data stored on them. Here the scheme was not to obtain data, but to obtain money: It was a fraud scheme, but not a scheme to trespass on to the machine or invade privacy. So on balance my tentative view is that the court was right on this issue, although I think it’s a tricky question.

UDPATE: For a related post, see this 2005 entry, Treating Machines Like People.

The latest draft cybersecurity bill contains information sharing provisions that were heavily negotiated between the Obama administration and privacy groups. This effort at compromise has yielded the usual ambiguous praise from privacy groups. The Electronic Frontier Foundation pronounced itself “pleased” but then complained that the measure still “contains broad language around the ability for companies to use security as a reason to partake in ‘nearly unlimited’ data monitoring of users.”

In fact, the privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity.  And it may actually impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.

It’s worth remembering why the information sharing provisions are necessary. The reason is that, with the support of privacy groups in years past, Congress prohibited many companies from sharing customer information with the government in the absence of a subpoena. Congress also authorized states to adopt “two-party consent” restrictions on interception of communications. In an age of widespread network intrusions, both of these laws have the effect of protecting hackers and spies.

How so? Controlling spearphishing requires that incoming packets be monitored for malware; and that in turn means intercepting the communications. Since it’s unlikely the attacker who is sending malware will consent to such monitoring, this monitoring creates legal risks in two-party consent states. Similarly, unless private companies can tell the government in real time which of their customers are sending malware, the government cannot protect itself. All of the bills pending in Congress override these poorly conceived and overbroad privacy provisions.

Privacy groups don’t like to be reminded that privacy laws they supported are now protecting bad guys, so it’s no surprise that they aren’t comfortable with the new bills. I suspect they’d rather have no bill at all than admit that the old privacy laws contributed to the fix we’re in. 

If that was their goal, they’ve just about managed to achieve it. They’ve made information sharing so complex that it’s nearly impossible to do. Indeed, there’s a real risk that the new provisions will end up creating new limitations on information sharing, new liabilities for security officers, and new legal protections for the people breaking into our networks.

To see how, let’s take a simple example. A company, US Petroleum, asks its ISP to monitor incoming messages for malware. A week later, the ISP tells US Petroleum that it has detected malware that it attributes to the Peoples Liberation Army. In fact, because it exchanges information with other companies and the government, it can name the unit and perhaps even the individuals who launched the attack; it further assesses based on those sources that the intrusion was aimed at helping Chinese state oil companies outbid US Petroleum on crucial offshore tracts.

US Petroleum decides not to take this lying down. It prepares a press release denouncing the PLA’s intrusions and asks its lawyers whether it can sue its bid-stealing Chinese competitor. Then its lawyers reread the information sharing provisions of the 2012 cybersecurity bill. Sections 701 and 702 both say that private companies who obtain threat indicators of this sort under the law must “make reasonable efforts to safeguard … information that can be used to identify specific persons from unauthorized access or acquisition.” And section 702 further says that a private entity may not disclose threat indicators to a private entity that is “reasonably likely to violate” the elaborate restrictions imposed on the use of threat indicators.

On its face, then, the new law prohibits US Petroleum from using the information it obtained from its ISP to name and shame the attacker. After all, publicly releasing the attacker’s name is not a “reasonable effort to safeguard” the attacker’s identity, and public disclosure of the data by definition supplies the information to parties who will not abide by the law’s restrictions on handling such information.

In short, the new provisions demanded by the privacy groups could just as easily be called the “Hacker Protection Act of 2012.”

The price of eliminating two unfortunate laws that protect hackers, it turns out, is a new and far more elaborate scheme for regulating how private entities handle and publicize attacks on their system — a scheme that also protects hackers.

To add to the irony, the new law creates special first amendment protections for critical infrastructure companies at the same time that it imposes sweeping, direct and burdensome restrictions on the first amendment rights of US Petroleum.

The one saving grace is that the new legislation only regulates information obtained “under” the legislation. Under section 707(a), information obtained lawfully in some other way is not supposed to be regulated. But this is a dubious protection for US Petroleum, which cannot be sure it didn’t obtain the information that way. After all, it’s quite possible that some of the ISP’s monitoring occurred in a two-party consent state; if so, that information was likely obtained “under” section 702. Or the ISP may have picked up clues about the attacker’s identity “under” section 701(b) by participating in an exchange of information with the government. Uncertainty about the source of such information means that the protection the new law gives to attackers may actually be wider than existing law.

That’s true not just because the definition of protected “threat indicator” is quite broad but also because the new law is so affirmative and sweeping in laying down rules for handling such information. While the legislation doesn’t in so many words give the PLA a cause of action against US Petroleum for its planned press release, anyone reading the law could reasonably fear that a court would say, “Congress clearly prohibited certain actions, and we cannot presume that it meant its rules to be ignored without penalty. Therefore, we will allow lawsuits to enforce the rules that Congress set.”

To counter this inclination, US Petroleum cannot point to a single law expressly allowing it to gather information on its network, or to authorize monitoring by its ISP (in fact, in a two party consent state, that authorization itself may create liability), or to speak openly about the attack. All the company can say in its defense is that no law prohibited it from speaking out before the new bill passed. A prudent lawyer might conclude that, in lawsuits as in life, nothing rarely beats something.

The new privacy provisions, in short, make the task of sharing information to defeat hackers harder than it is today. In place of two bad privacy laws – one of which only restricts the flow of data to the government – the new bill creates an entire regime of restrictions on private handling of private data, a regime whose scope is indeterminable but whose deterrent effect on information sharing will be great.

The privacy groups that demanded this as the price for correcting their old errors have outdone themselves.

The Senate’s big cybersecurity bill has finally surfaced officially, and the hearing will be tomorrow at 2:30 DC time in front of the Homeland Security and Government Affairs Committee. After Sen. Rockefeller and Sec. Napolitano, I’ll be part of a panel that includes Gov. Tom Ridge, Scott Charney of Microsoft, and Jim Lewis of the Center for Strategic and International Studies.

Here’s the first few pages of my prepared testimony. The rest is up on Skating on Stilts, for those who just have to see my take on how to draft cybersecurity emergency authorities.

Mr. Chairman, Ranking Member Collins, members of the committee, it is an honor to testify before you on such a vitally important topic. I have been concerned with cybersecurity for two decades, both in my private practice and in my public service career, as general counsel to the National Security Agency and, later, to the Robb-Silberman commission that assessed U.S. intelligence capabilities on weapons of mass destruction, and, more recently, as assistant secretary for policy at the Department of Homeland Security. In those two decades, security holes in computer networks have evolved from occasionally interesting intelligence opportunities into a full-fledged counterintelligence crisis. Today, network insecurity is not just an intelligence concern. It could easily cause the United States to lose its next serious military confrontation.

Moore’s Outlaws: The Exponential Growth of the Cybersecurity Threat-

Our vulnerabilities, and their consequences, are growing at an exponential rate. We’ve all heard of Moore’s Law. What we face today, though, are Moore’s outlaws: criminals and spies whose ability to penetrate networks and to cause damage is increasing exponentially thanks to the growing complexity, vulnerability, and ubiquity of insecure networks. If we don’t do something, and soon, we will suffer network failures that dramatically change our lives and futures, both as individuals and as a nation.

It doesn’t take a high security clearance or great technical expertise to understand this threat. It follows from two or three simple facts.

Fact One. Breaking into computer networks to steal secrets has never been easier, despite all the security measures we encounter on those networks.

Why do I say that? Simple. In recent months, we have learned that some of the most security-conscious institutions on the planet have been compromised. HBGary, RSA, Verisign, and DigiNotar are all in the network security business; they understand how to protect secrets on line — if anyone does. But RSA was electronically attacked and its most important business secrets, the keys to its security business, were stolen. HBGary lost control of its CEO’s email correspondence to a group of online vigilantes, and its CEO lost his job as a result. DigiNotar, a Dutch entity that issues online credentials, was compromised by a hacker working with Iranian security forces. Six weeks after the breach became public, DigiNotar was out of business. I think it’s fair to say that these security-conscious companies would have done whatever they could to prevent these disclosures, but they failed. They were unable to secure their networks.

Actually, the same is true for governments. The Defense Department used to say that attacks on its systems had never penetrated the classified networks. Now it has disclosed that this is no longer true. Defense contractors have also been compromised, and with them, the designs for our most recent weapons systems.

That is the first fact: No network, no matter how important its secrets and no matter how security conscious its owner, can be seen as secure in today’s world. Attackers have an excellent chance of breaking in and stealing secrets. And here is the second:

Fact Two. Once the attackers are in, they don’t have to stop at stealing secrets. They can cause severe physical damage just by manipulating the digital systems they have compromised.

When I was at DHS, we demonstrated that hackers could cause a large generator to self-destruct, just by sending the generator commands over the network. More recently, the Stuxnet malware is believed to have crippled Iran’s uranium enrichment efforts for months, simply by infecting the computerized industrial control system responsible for Iran’s centrifuges. That was good news for people who think that Iran’s nuclear program is dangerous. But Stuxnet was also a proof of concept, showing that network flaws can be used to cause massive damage to any machinery that relies on computerized industrial controls.

And what machinery runs on such controls? Pretty much everything necessary to sustain our society: refineries, pipelines, electric power, water, and sewage systems. Worse, the industrial control systems that run these necessities are not really designed with cybersecurity in mind. In fact, there is reason to believe that Windows networks running on the Internet are much more secure than industrial control systems. At a minimum, we can say with confidence that industrial control systems are no better protected than the systems that failed at RSA, Verisign, HBGary, and DigiNotar.

Cyberweapons pose a real threat to the United States. Those two facts lead to a third, common-sense conclusion: Any nation that feels the need to prepare for a military confrontation with the United States has already begun developing cyberweapons. Cyberweapons are especially potent against the United States. That’s because they are deniable; figuring out who has launched a cyberattack will be very difficult, making our other military assets less useful in deterring attacks. Cyberweapons are also asymmetric; they cause more harm in developed nations than in less advanced societies. And perhaps most importantly, such weapons can overturn the American war experience of the last sixty years – that conflicts will be fought far away, at a time and place of our choosing. Any nation expecting a conflict with the American military would be enthusiastic about developing a weapon that can cause massive civilian suffering on our home front before a single shot has been fired on the battle lines.

Now that such a weapon is within their reach, the impact could be unprecedented. We have no experience with losing large parts of our power, refinery, water and sewage systems all at once. The closest we’ve come was New Orleans after Katrina. And there, everyone knew beforehand that the disaster was coming. Preparations had been made, and most people left the city well in advance. They went to places where the infrastructure still worked, while organized military and civilian relief efforts rapidly moved in to help those who remained. Even so, the breakdown in order and the human suffering was extreme.

Thanks to growing cyber insecurity, all Americans now live in a digital New Orleans, with Katrina just offshore. And not one Katrina, but many. Computer exploits that we once thought were the work of large nations such as Russia or China now seem to be within the capability of countries like Iran and North Korea. If I am right that computer insecurity continues to grow worse each year, then the sophistication needed to launch a cyberattack will continue to decline, and soon such attacks will be within the capability of criminal gangs and online vigilantes like Anonymous.

Disaster is not inevitable. We can head this threat off if we treat it seriously. We may have years before suffering an attack of this kind. We do not have decades. We must begin now to protect our critical infrastructure from attack. And so far, we have done little.

...

Another source of resistance comes from advocates who claim that this bill is somehow similar to the Stop Online Piracy Act, or SOPA. If the bill reaches the floor, they threaten, it will meet the same fate as SOPA.

Well, to paraphrase Sen. Bentsen in the 1988 vice-presidential debate, I knew SOPA, I opposed SOPA, and Mr. Chairman, this bill is no SOPA.

I took a very early stand against SOPA, and I’m proud to have played a role in forcing its reconsideration. SOPA was a bad idea because it would have given a little help to one industry while making everyone who uses the Internet much less secure. That criticism of SOPA struck a chord with Americans because we all use the Internet with a nagging fear that our security is at risk. That security concern was at the heart of the early opposition to SOPA. This bill, in a real sense, is the opposite of SOPA. It addresses the entirely justified security concerns of ordinary users.

There is another reason not to heed the advocates who oppose this title. They’re the guys who got us into this fix.

...

I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:

Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.

I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership .....

Continue reading ‘Thoughts on the Oral Arguments in United States v. Nosal’ »

I recently read Popular Mechanics’ riveting article reconstructing the last minutes Air France 447, which in 2009 disappeared without explanation over the Atlantic between Rio and Paris. Using the cockpit transcript, the article reveals that the pilots essentially flew a fully functioning passenger jet into the sea. Why?  It appears that a temporary loss of flight speed data and then the disconnection of autopilot systems panicked a copilot into lifting the nose of the plane.  He then more or less kept the stick pulled all the way back as the plane lost forward speed and plunged into the ocean, paying no attention to dozens of blared stall warnings. Here’s a bit of the transcript and Popular Mechanics’ commentary:

02:10:55 (Robert) Putain!
Damn it!
Another of the pitot tubes begins to function once more. The cockpit’s avionics are now all functioning normally. The flight crew has all the information that they need to fly safely, and all the systems are fully functional. The problems that occur from this point forward are entirely due to human error.
02:11:03 (Bonin) Je suis en TOGA, hein?
I’m in TOGA, huh?
Bonin’s statement here offers a crucial window onto his reasoning. TOGA is an acronym for Take Off, Go Around. When a plane is taking off or aborting a landing—”going around”—it must gain both speed and altitude as efficiently as possible. At this critical phase of flight, pilots are trained to increase engine speed to the TOGA level and raise the nose to a certain pitch angle.
Clearly, here Bonin is trying to achieve the same effect: He wants to increase speed and to climb away from danger. But he is not at sea level; he is in the far thinner air of 37,500 feet. The engines generate less thrust here, and the wings generate less lift. Raising the nose to a certain angle of pitch does not result in the same angle of climb, but far less. Indeed, it can—and will—result in a descent.
While Bonin’s behavior is irrational, it is not inexplicable. Intense psychological stress tends to shut down the part of the brain responsible for innovative, creative thought. Instead, we tend to revert to the familiar and the well-rehearsed. Though pilots are required to practice hand-flying their aircraft during all phases of flight as part of recurrent training, in their daily routine they do most of their hand-flying at low altitude—while taking off, landing, and maneuvering. It’s not surprising, then, that amid the frightening disorientation of the thunderstorm, Bonin reverted to flying the plane as if it had been close to the ground, even though this response was totally ill-suited to the situation.

The article offers a final observation on what things were like in that cockpit, minutes from the crash:

Over the decades, airliners have been built with increasingly automated flight-control functions. These have the potential to remove a great deal of uncertainty and danger from aviation. But they also remove important information from the attention of the flight crew. While the airplane’s avionics track crucial parameters such as location, speed, and heading, the human beings can pay attention to something else. But when trouble suddenly springs up and the computer decides that it can no longer cope—on a dark night, perhaps, in turbulence, far from land—the humans might find themselves with a very incomplete notion of what’s going on. They’ll wonder: What instruments are reliable, and which can’t be trusted? What’s the most pressing threat? What’s going on? Unfortunately, the vast majority of pilots will have little experience in finding the answers.

That all sounds right.  But like everything else these days, it made me think about cyberwar.  Some of the most effective tactics used by our adversaries have a social engineering component.  That is, they know how humans react to certain situations and take advantage of that reaction to gain control of our computers.  They know we’re likely to open messages and click on links sent by superiors in our organization. They know we will accept friend requests from people who are already connected to a lot of our friends.  Stuxnet took advantage of social engineering of a sort by making sure that the systems reported normal activity to the humans in the control center while sending abnormal requests to the machines.  The humans believed what their controls told them.

What does this have to do with the crash of AF447?  The reaction of the AF447 pilots was tragically human.  Once we lose faith in computer systems, especially in an emergency, all of us are likely to ask, “What instruments are reliable, and which can’t be trusted? What’s the most pressing threat? What’s going on?” And if we have only minutes to make a decision, we’re likely to lock on a fragment of our training and keep trying it. The evidence that we’re failing disastrously just makes us pull harder on the stick.

So:  Why can’t that reaction be engineered? Put another way, could a hacker have caused the AF447 crash, not by directly overriding the pilots but by manipulating their very human reactions? I should stress that I don’t believe a hacker did that.  Quite the reverse. I’m asking whether future cyberattacks will try to manipulate the human beings behind the computers.

On reflection, the answer is obvious.  All of war is an effort to manipulate the opponent into a different, defeated frame of mind. But the logical conclusions are pretty troubling. Even as we begin to deploy automated defenses against remote sabotage, attackers will turn to social engineering to defeat them. Once again, this gives the offense far more options than the defense.

Thus, imagine that we decide to improve our cyberdefenses by redesigning critical military or civilian systems so that computers alone cannot cause catastrophic missteps. That’s good, but it simply challenges the attacker to find a way to influence not just the computers but also the humans – to panic the humans into a catastrophic misstep. Even if the attacker can’t fly our planes into the sea, maybe he can get our pilots to do it for him. Even if he can’t cross the air gap to bring down our nuclear plants, he might be able to fake an emergency in the operations center that leads to the same outcome.

As AF447 shows, the key to such an attack is to create doubts about what is true in a situation where decisions must be made in minutes.  Then, as AF447 shows, humans revert to muscle memory and to training, which in some cases can lead rather predictably to disaster.

We’re already seeing rudimentary social engineering in cyberattacks.  We need to get ready for something a lot more sophisticated.

Law.com has reprinted this helpful story on the Ninth Circuit en banc arguments to be held later this week in United States v. Nosal.