Archive for the ‘Computer Fraud and Abuse Act’ Category

Last month, I blogged about why I agreed to represent Andrew Auernheimer pro bono in his appeal before the Third Circuit. Tomorrow’s Washington Post has a front-page story by Jerry Markon focusing on the case. It begins:

Their guns drawn, a dozen federal agents, police and forensics experts kicked in the door of a run-down two-story home in Arkansas shortly after dawn, barged inside and ordered the occupants to put their hands on their heads.

The target of the raid was neither terrorist nor bank robber. He was a 24-year-old computer hacker suspected of handing off stolen e-mail addresses to the media.

With that, the Justice Department began a case that has come to symbolize what some lawyers and civil libertarians see as overreach in the government’s campaign against cybercrime.

The hacker, Andrew Auernheimer, was convicted and sentenced last month to more than three years in prison for obtaining about 120,000 e-mail addresses of iPad users from AT&T’s Web site — including New York Mayor Michael R. Bloomberg (I), Hollywood executive Harvey Weinstein and other prominent figures — and giving them to the Web site Gawker. When it happened three years ago, the data breach jolted federal officials because it affected one of the nation’s most prominent companies and triggered fears about the security of increasingly popular mobile devices.

Yet only a few, heavily redacted e-mail addresses were published, court documents show. No one’s account was broken into. AT&T fixed the problem in about an hour, and a company official testified that there probably was not enough evidence to sue the hackers.

The case highlights a growing debate over how to define right and wrong in the digital age, what is public and proprietary online, and how far law enforcement should go in pursuing cybercrime.

The Obama administration is confronting what it calls a vast cybersecurity threat, and the Justice Department is waging aggressive efforts, including against national security threats such as cyberterrorism and cyber-espionage. But a series of recent cases involving other types of online activity has prompted criticism that the crackdown may also be scooping up minor hackers who may see themselves as political or anti-corporate activists.

On a related note, the latest issue of the ABA Journal has this article: Hacker’s Hell: Many Want to Narrow the Computer Fraud and Abuse Act.

As I recently noted, Congress is considering legislation to increase maximum punishments under the Computer Fraud and Abuse Act. Here’s my question for supporters of this legislation: Can you identify any cases under the current version of the CFAA in which judges sentenced defendants to the current maximum sentences? In other words, have there been any cases in which judges maxed out the current sentences, suggesting that if they had the power to do so they might have wanted to sentence a defendant to a greater punishment? Or is Congress considering increasing the allowed penalties under the CFAA with a complete absence of evidence that any federal judge anywhere has ever found the current statutory maximum penalties too low in any actual case?

The Hill reports that a draft of language to reform the CFAA is being circulated among House Judiciary Committee members for feedback:

A draft cybersecurity bill circulating among House Judiciary Committee members would stiffen a computer hacking law used to bring charges against Internet activist Aaron Swartz.

The bill draft would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked, according to a copy obtained by The Hill.

It would also change existing law so that an attempt at a cyber crime can be punished as harshly as an actual offense.

Such measures could spark concern among advocates outraged over the death of Swartz, the 26-year-old Internet activist and computer programmer who killed himself earlier this year while facing a possible 35-year prison term for hacking. Advocates have called on Congress to make changes to what they say is a draconian law that led to too harsh a prosecution of Swartz.

. . . It’s unclear which Judiciary members are sponsoring the draft bill, which is unnamed. A House Judiciary Committee aide said the bill is still in the early drafting stage and is being circulated to stakeholders for their feedback on possible changes.

They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

In some ways, the new circulating language is even more severe and harsh than DOJ wanted even in the Lori Drew case. For example, the proposed language would make it a felony crime to violate Terms of Service if the TOS violation:

(I) involves information that exceeds $5,000 in value;
(II) was committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information;
(III) was committed in furtherance of any criminal act in violation United States or of any State, unless such state violation would be based solely on the obtaining of information without authorization or in excess of authorization; or
(IV) involves information obtained from a computer used by or for a government entity;

This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

In short, this is a step backward, not a step forward. This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it.

Or at least that’s how it seems to me based on a quick read. If I am misreading something, which is always possible when in a hurry, I hope readers will point that out in the comment thread; I’ll be offline for a few hours for Passover but I’ll plan on posting updates/corrections later tonight if necessary.

Writing in Slate, Justin Peters has a puzzling article on the CFAA charges brought against Aaron Swartz. Peters appears to think that the basis of the Swartz prosecution was violating the Terms of Service at JSTOR, the service that hosted the database that Swartz tried to copy. Peters then discusses whether Swartz should be held criminally liable for violating JSTOR’s Terms of Service, and he then points out that this would not be a crime in the Ninth Circuit under its en banc opinion in United States v. Nosal.

This misunderstanding of the Swartz prosecution has become popular in some circles, fueled in part by the writings of Larry Lessig. But I’m not sure why Peters, Lessig, and some others think that the Swartz prosecution was based on a TOS violation. True, Swartz violated JSTOR’s Terms of Service — and MIT’s, for that matter. But the government’s strongest case for Swartz accessing computers without authorization was Swartz’s entering the MIT closet to hard wire his laptop into MIT’s network after he had been blocked twice by sysadmins when Swartz accessed the network from a wireless connection. To argue that Swartz did not violate the CFAA, you need to argue that entering the MIT closet and connecting directly to its network was an authorized access. You need to argue that MIT had an “open closets” policy, so that everyone was welcome to go into closets at MIT and connect to any switches they liked when inside. You also need to argue that Swartz was authorized to use the network after MIT’s system administrators tried to block him from doing so. That is, you need to argue that even though MIT’s employees were trying to keep Swartz off the network, there was a distinct entity of MIT beyond its employees that authorized Swartz to go around its agents and access the network anyway. I think that’s a hard argument to make. Not impossible, perhaps, but very tough. But that’s what the argument needs to be to engage with the facts of the Swartz prosecution. In contrast, I don’t think it helps to imagine that the government was prosecuting Swartz for violating Terms of Service.

As regular readers know, I have publicly opposed CFAA liability for violating Terms of Service ever since I left DOJ in 2001. I’ve written articles and op-eds opposing it, I’ve testified against it, and I’ve litigated cases against it. If Swartz had been prosecuted for violating TOS, I would have been working for him pro bono just like I did for Lori Drew. But the government didn’t need to rely on that possible theory in the Swartz case, as Swartz’s conduct gave the government pretty secure ground to argue that Swartz had committed an unauthorized access.

One final thought: Peters seems to miss an inside joke when he quotes me as saying that the Nosal opinion is “superb and extremely insightful.” In my post that he quotes, the quoted phrase was hyperlinked to my 2010 post Brilliant People Agree With Me, about how folks often call writing “superb” and “extremely insightful” when it happens to match their view. Perhaps this was too subtle, but I was trying to say that I liked Nosal in part because it closely mirrored my own writings on the CFAA.

Will Congress amend the Computer Fraud and Abuse Act in light of the Aaron Swartz case? Don’t expect reforms any time soon, Politico suggests:

Despite some recent momentum, there’s not much clamor for change coming from the White House — and as expected, the Justice Department, which once tried to expand the penalties of the so-called Computer Fraud and Abuse Act, has been silent.

While there’s a new reform push on Capitol Hill backed by a few powerful members, the key committees with jurisdiction have other plans in mind — and their agendas are packed with immigration reform and gun control. More than that, Congress actually has been fond of stronger punishments for some offenders.

It’s not to say the principles known as Aaron’s Law won’t ever reach the president’s desk in some form — just that all the Internet hype and rallying mark only the beginning of a new and lengthy political journey.

I think that’s probably right, unfortunately. Narrowing federal criminal law is always hard, both because elected officials don’t want to seem ‘soft on crime’ and because the head of the executive branch has the veto power. Plus, on this issue specifically, the Internet companies and service providers that have a lot of influence on the Hill aren’t natural allies with civil libertarians. Those companies want their customers to feel that using their products is private, which can lead companies to favor expanding privacy protections in the context of government investigations. But when it comes to the substantive criminal laws, those same companies tend to see themselves as victims of computer crimes (whether from outside hackers or insiders). As a result, they tend to be wary of narrowing the laws. So as the Politico story says, expect a lengthy political journey. And keep an eye out for how the courts construe the CFAA, too: There’s a lot of uncertainty that courts will have to grapple with regardless of whether Congress takes up the issue.

Congresswoman Zoe Lofgren has posted a new draft version of “Aaron’s Law,” an amendment to 18 U.S.C. 1030 in the wake of the Aaron Swartz case. In this new draft, Lofgren adopts the idea I floated and others have since adopted of eliminating the concept of “exceeds authorized access” and instead defining “access without authorization.” Readers may recall that I proposed the following definition of “access without authorization”:

“access without authorization” means to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer;

Lofgren proposes a much more complex definition of “access without authorization.” Here’s Lofgren’s language:

‘access without authorization’— (A) means—
(i) to obtain or alter information on a protected computer;
(ii) that the accesser lacks authorization to obtain or alter; and
(iii) by circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information; and
(B) does not include the following, either in themselves or in combination—
(i) a violation of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement with an online service provider, Internet website, or employer; or
(ii) efforts to prevent personal identification of a computer user, or identification of a user’s hardware device or software, through a user’s real name, personally identifiable information, or software program or hardware device identifier(s);’

Based on a quick read, I think this definition has some problems. To explain my views, I’ll put Lofgren’s text in italics section-by-section and then offer my comments in plain text following it:

‘access without authorization’— (A) means (i) to obtain or alter information on a protected computer; (ii) that the accesser lacks authorization to obtain or alter;

This language is taken from the current definition of “exceeds authorized access” in the existing 18 U.S.C. 1030(e)(6), but I’m not sure what work it does here. I gather that (i) provides a definition of “access” to a computer — defining it as the obtaining or altering of information on that computer. I’m not sure that is how we would want to define “access,” but then perhaps that depends on how broadly one reads “alter information” on a computer. Is every use of a computer something that “alters” information in it for purposes of the statute? Or is the threshold for “altering” supposed to be something higher? I’m not sure. In general, though, I think the wiser approach is to interpret access broadly and then limit the statute through the authorization prong; I’m not sure if (i) does that.

As for (ii), that language shares the problematic circularity of the existing definition of “exceeds authorized access.” The language says that a person isn’t allowed to do what they’re not allowed to do. But that begs the question of what a person is allowed to do, so it’s not clear what the language is supposed to mean.

by circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information; and

This language strikes me as a bit confusing. Read literally, it appears to say that if you can break in then you must be authorized. After all, if an unauthorized person has circumvented the measure and obtained or altered information, then obviously the measure didn’t exclude or prevent unauthorized individuals from obtaining or altering that information. Perhaps that language works better if you insert the phrase “designed to” before “exclude or prevent”?

(B) does not include the following, either in themselves or in combination— (i) a violation of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement with an online service provider, Internet website, or employer; or

This language is redundant. An “agreement, policy, duty, or contractual obligation” is not a “technological measure,” so the exclusion in (B)(i) doesn’t actually subtract anything from (A). I gather that the language was added to make extra sure that courts know that the statute does not prohibit breaching TOS or a policy. So interpreted, perhaps the language is harmless. At the same time, I always worry that redundant language might lead courts astray. Courts like to invoke the maxim that every word or phrase in a statute should be treated as having meaning and not as surplusage. In light of that, the intentional addition of surplusage in (B)(i) may have the unintended effect of leading courts to read the definition in (A) more broadly to give the exclusion in (B)(i) independent meaning.

(B) does not include . . . (ii) efforts to prevent personal identification of a computer user, or identification of a user’s hardware device or software, through a user’s real name, personally identifiable information, or software program or hardware device identifier(s);

I assume the purpose of this language was to try to carve out an exception for IP and MAC address spoofing in light of the fact that Swartz did this in his accessing the MIT computer. Assuming such a carve out is a good idea — a question I’m not so sure about, but let’s assume that as a goal — the language here seems problematic. One of the core examples of “access without authorization” is using someone else’s password to access their private account without their permission. But it’s possible to read (B)(ii) as saying that this is legal. Imagine Joe runs a program designed to crack Sally’s password, and he uses the password to login to her account and read her personal e-mail. In that case, Joe is using a software program to try to get information to disguise himself as Sally (or someone with Sally’s permission) so he could access her e-mail. Isn’t that an example of “efforts to prevent personal identification of a computer user . . . through a . . . software program” that would be exempt from liability under this language?

Finally, it’s worth noting the uncertainty of whether Swartz would have been criminally liable for violating the CFAA even under this version of “Aaron’s Law.” Swartz entered the closet at MIT and physically connected his laptop to the non-public MIT computer inside. Neither Lofgren’s latest draft nor my own proposed definition of “access without authorization” is clear about how to treat this kind of circumvention of physical access barriers. Let’s put the facts of the Swartz case aside and imagine a few hypotheticals. First, imagine you bring your laptop to a coffee shop and leave it there while you get up to get another latte. While you are up and not paying attention, a man you have never seen before takes his thumb drive and connects it to your machine to get information from your machine. Is the man accessing your computer without authorization, or has he not circumvented a technological access barrier? Next consider the difference between two situations. In the first situation, Sally’s computer workstation is set up in a room but is password protected. Joe accesses the computer by guessing the password, which is a classic case of access without authorization. In the second situation, Sally’s computer workstation is in a room but enclosed in a steel box with a combination lock. Joe accesses the computer by guessing the combination on the lock, removing the case, and then using Sally’s machine. Should this also be access without authorization, or is there a difference between a password gate and a physical lock? How should the law treat physical access restrictions, and what kind of physical access restrictions should be covered under the statute? Perhaps the answer is all of them, in which case the word “technological” should be replaced by “technological or physical.” Or perhaps some kinds of physical barriers should not be enough. Either way, it’s an issue that merits more attention. (Thanks to Harriet Pearson for raising it.)

I have been beating the drum on the need to narrow the Computer Fraud and Abuse Act for a decade or so, so I was happy to see today’s cartoon for “Tom the Dancing Bug” pick up the cause, too. I don’t know if I can reprint the cartoon here for copyright reasons, but you can click here to see it. For my related op-ed from 2011, see here. And for a video of me ranting about the broad scope of the CFAA — or at least coming as close as I come to ranting — see here at the 44:10 mark (and pardon the echo).

In the spirit of the post, I thought I would also reprint the conclusion of the CFAA chapter in the 3rd edition of my Computer Crime Law casebook. As lawyers and law students know, it is common for law school casebooks to supplement cases with extensive “notes and questions” offering additional points and questions for further thought. Here’s the last “note” in the chapter:

The scope of criminal liability for computer misuse is very broad. A critic of existing law might say that the legislature’s basic approach is to criminalize everything and then rely on prosecutorial discretion to select appropriate cases for criminal punishment.

Is this criticism accurate? And if it is, do you think the legislature has acted wisely? Computer technologies and social practices change rapidly, and it may be difficult for the law to keep up. Is it sensible for legislatures to impose broad criminal liability ex ante, so that prosecutors are rarely or never in a position of being unable to charge a worthy case? Or should the legislature only impose liability narrowly, so that new computer technologies can evolve without the threat of criminal punishment? Do you trust prosecutors to charge only appropriate cases? Does the threat of criminal punishment have a significant chilling effect on legitimate computer use?

In last night’s post, I offered six scenarios to help identify what should be the proper line between access to a computer that is authorized versus without authorization under the Computer Fraud and Abuse Act. The reader responses are still coming in, and if you haven’t voted yet, please read that post and do so. But for those who have already voted, or aren’t into that sort of thing, here are my own thoughts on how the law should treat the six hypotheticals.

1. Sally has a web-based e-mail account that she uses for personal e-mails. Joe suspects that Sally uses a common password that offers very little security, as the e-mail provider does not impose any restrictions on what passwords subscribers can use. Joe wants to teach Sally about good password practices, so he goes to her login page and (without her permission) tries the password “password.” That is in fact Sally’s password, so Joe is able to log in and see Sally’s e-mails. In your view, should accessing Sally’s e-mail be considered permitted authorized access or prohibited unauthorized access?

My view: Prohibited unauthorized access. Guessing at someone’s password and using it to access their private files is one of the paradigmatic forms of unauthorized access. The whole point of setting up accounts and having passwords is to block access rights; guessing someone else’s password and using it to access the other person’s files is like picking the lock that guards their physical stuff. It’s true that Sally had a stupid password, but I think it would be problematic to say that you need to have locks that are “good enough” before the law will start to respect a person’s rights in guarding what that lock protects.

2. Sally sets up a “CAPTCHA” gate designed to ensure that only humans and not computers get access to her website where she is offering tickets for sale to her upcoming concert (only two tickets can be sold per person). Joe wants to buy 1,000 tickets to the concert so he can scalp them for a profit, so Joe writes a script designed to visit the website and guess at the correct letters and numbers. Use of the script allows Joe’s computer to bypass the CAPTCHA gate and purchase 1,000 tickets in a short period of time. In your view, should use of the script to bypass CAPTCHA and purchase the tickets be considered permitted authorized access or prohibited unauthorized access?

My view: This one is tricky, and I think it could reasonably go either way. On balance, though, I tend to think it should be deemed permitted authorized access. The site was set up so that it provided the code to access the computer to anyone who visited. It’s true that the CAPTCHA made it harder for the computer to access the computer without a human intermediary. But every visitor was given the way to access the computer, and the script gained access by entering the code that was given. So while it’s a close call, on balance I think this one is probably best described as authorized access.

3. Sally runs a news website and gives visitors five free visits a week as determined by a cookie placed on the visitor’s computer. If a person tries to visit more than five times in a week, however, the website blocks access and asks the user to purchase a subscription. Joe visits the website many times a day; when the site blocks access, he simply cleans out his cookies and keeps visiting. In your view, should this be considered permitted authorized access or prohibited unauthorized access?

My view: Permitted authorized access. The website was available to the public, and anyone could access it from a new machine at any time. The only means of limiting access was using a cookie placed on the user’s machine. But it’s up to users to set what cookies they want on their own machines. Many users often clear out their cookies for many reasons or use different browsers; control is up to them, not the websites they visit. As a result, I think that automatically limiting access based on a cookie left on that one browser of that one machine is best understood not as an effort to block access to that user but as an effort to introduce a mild annoyance that might prompt users to buy a subscription to avoid the hassle of cleaning out cookies or using a different browser or machine. Clearing out cookies to visit the site, as everyone is allowed to do, is still permitted authorized access.

4. Sally has a website with pictures of her most recent party. Access to the website is protected by a password. Sally e-mails her friend who attended the party and invites them to visit the page and look at pictures using the password “sallysparty.” Joe did not attend the party but he is able to guess the password; he uses the password and sees the pictures. In your view, should using the password to see the pictures be considered permitted authorized access or prohibited unauthorized access?

My view: Prohibited unauthorized access. This is just like scenario #1. It’s true that more people have the password, but I don’t see how that makes a difference to whether guessing the password makes access unauthorized. Shared passwords can raise issues of intent: the prohibition on access without authorization requires intent, and it’s often true that if passwords are widely shared, a person might not realize that using it goes beyond the limits set by the account holder. But that doesn’t seem to be an issue here because Joe only guesses at the password.

5. Sally is a college admissions counselor who decides to let applicants know if they have been admitted by sending them a link to a unique URL, such as www.college.edu/?shva=1#decision/13c9e80c03a4a673. A person who visits the URL will see a letter either admitting them or rejecting them. Joe wants to know who has been admitted to the college, so he writes a script that queries the website at each of the possible URLs and collects the letters indicating the admissions decisions of all 5,000 applicants. In your view, should accessing the college site to collect all the decisions be considered permitted authorized access or prohibited unauthorized access?

My view: Permitted authorized access. The school has posted the admissions decisions on the web. That is, they have set up their server so that anyone who enters in that address will be shown the relevant page. It’s true that they did so using URLs that were hard to guess, and they only advertised those URLs to specific individuals. But you can’t post stuff on the web for anyone to see and then just hope that only the right people happen to look at the right pages. Anyone can visit a public web page; visiting these pages was permitted authorized access.

6. Sally runs a free social networking site in which users must register and obtain an account. The Terms of Use of the website say that each user can have only one account, and that they must not use the social networking site for commercial purposes. Joe signs up for an account and uses the site to sell his products. In response to complaints about this commercial use, Sally bans Joe’s account. Joe responds by signing up for a new account with a new name, and he then uses the new account to sell his products. Other users complain, so Sally bans Joe’s new account. Joe responds by signing up for a third account under a third name, and he accesses Sally’s social networking site and again uses the site to sell his products. This time, however, Joe acts in ways that keep complaints to a minimum, and Sally is never notified that Joe is back using the site. In your view, should creating the third account and accessing the site using it be considered permitted authorized access or prohibited unauthorized access?

My view: This one is a little tricky, but I think it should be treated as prohibited unauthorized access. Sally had booted Joe off the site; when Joe came back, Sally booted him off again; and the only reason Joe was able to return was that Sally hadn’t noticed him (yet). I think this should be treated just like trespass in the physical world. If I own a bar or restaurant that is open to the public, then at first anyone is welcome. But if I throw someone out of the bar for some perceived affront, then the usual access rights don’t apply to the guy who I just threw out. He can’t just put on a hat and a fake beard and walk right in again. The clear indication that that person has been banned from the bar makes future accesses unauthorized. The Model Penal Code calls this a “defiant trespasser,” and the Code specifically includes liability when a person “enters or remains in any place as to which notice against trespass is given by . . . actual communication to the actor.” MPC 221.2(2). I tend to think the same principle should apply in the online setting. The action by the sysadmin designed specifically and unambiguously to keep that person off the site makes Joe’s using a new account to get around the ban an access without authorization. With that said, as in #4, there may be questions of intent that could justify a different result in some cases. The law prohibits intentional access without authorization, not just any access without authorization. If Joe comes back and complies with the TOS, he may honestly believe that he is now permitted to access the site. If he has that belief, his conduct would be an access without authorization that is not prohibited because it is not intentional as to the lack of authorization.

In a recent post, I offered a series of amendments to narrow the Computer Fraud and Abuse Act. One amendment would eliminate the concept of “exceeds authorized access” and instead limit the concept of unauthorized access to “access without authorization.” I offered the following definition of “access without authorization” that would be required for most misdemeanor violations of the CFAA:

the term “access without authorization” means to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer;

The good folks at the Electronic Frontier Foundation took my proposal as a starting point and then added a tweak:

We basically took up former DOJ attorney and law professor Orin Kerr’s suggestion that CFAA should just do away with the phrase “exceeds authorized access” and define for the first time access “without authorization.” This definition should encompass all conduct considered “unauthorized.” [But] we also clarified the definition of “without authorization” to make sure the CFAA doesn’t penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way. Since many of these techniques, such as changing IP addresses, have general application to protect the privacy of the user, they should not be cause to charge a felony.

Here’s the relevant additional language proposed by the EFF in italics:

The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.

Jennifer Granick has since weighed in with a thoughtful post. Jennifer offers the following explanation for why she prefers the EFF’s language to my own:

Orin’s suggestions are really important. He streamlines the statute, reduces the chances that minor conduct will be the basis for a felony prosecution and deletes the language in the statute that has been most abused. However, by focusing purely on whether the service operator implements technological access barriers, [Orin’s] proposal risks a similar problem to the one that the current statute has, giving server owners plenary authority to criminalize the way members of the public interact with information made available online, but through “technological access barriers” rather than merely terms of service and employee agreements. There are many situations where otherwise law-abiding people arguably seek to evade technological access barriers, but which should not be crimes.

This is why I favor the language suggested by the EFF. Their proposal builds on Orin Kerr’s good work, but further clarifies the definition of “without authorization” “to make sure the CFAA doesn’t penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way.” . . . [The EFF’s] “effectively control access” language is pulled from the anti-circumvention provisions of the DMCA, 17 U.S.C. 1201. There are a lot of problems with section 1201, but “effectively control access” has been interpreted to mean that if the user otherwise has unfettered access to protected information via one route, technological controls on a particular manner of access are not given the force of law. Lexmark Int’l, Inc. v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004). . . . Thus, for otherwise unprotected information, if the computer server and information are made freely accessible to the user, digital attempts to control or condition the public’s manner or use of that information will not carry the force of CFAA punishment behind them.

Granick’s helpful post on some of the ambiguities of “code-based restrictions” provides a great opportunity to run through some of the most interesting fact patterns that have come up — either in cases or hypos — on where the border should be for CFAA liability. I’m going to run through some of the major examples, and I would like readers to answer in the poll whether they think the act of access should be legal (authorized access under the law) and which ones you think should be prohibited (“access without authorization”). Then feel free to offer thoughts in the comments, of course.

To make sure we’re on the same page, understand that the issue here is which of these examples should as a matter of policy be classified as (a) categorically legal under the “unauthorized access” prongs of the CFAA or (b) generally sufficient to establish some form of misdemeanor liability and (if additional elements are satisfied) potentially qualify for felony liability. Importantly, don’t worry for now about the statutory language, or which examples might be covered by which proposal. Instead, just tell me which examples you think should count as permitted authorized access and which should count as not permitted unauthorized access. In a subsequent post, we can reason backwards from those outcomes and come up with the best way of drafting the standard for “access without authorization” in light of which examples we think should be prohibited.

Here are six examples:

(1) Sally has a web-based e-mail account that she uses for personal e-mails. Joe suspects that Sally uses a common password that offers very little security, as the e-mail provider does not impose any restrictions on what passwords subscribers can use. Joe wants to teach Sally about good password practices, so he goes to her login page and (without her permission) tries the password “password.” That is in fact Sally’s password, so Joe is able to log in and see Sally’s e-mails. In your view, should accessing Sally’s e-mail be considered permitted authorized access or prohibited unauthorized access?

(2) Sally sets up a “CAPTCHA” gate designed to ensure that only humans and not computers get access to her website where she is offering tickets for sale to her upcoming concert (only two tickets can be sold per person). Joe wants to buy 1,000 tickets to the concert so he can scalp them for a profit, so Joe writes a script designed to visit the website and guess at the correct letters and numbers. Use of the script allows Joe’s computer to bypass the CAPTCHA gate and purchase 1,000 tickets in a short period of time. In your view, should use of the script to bypass CAPTCHA and purchase the tickets be considered permitted authorized access or prohibited unauthorized access?

(3) Sally runs a news website and gives visitors five free visits a week as determined by a cookie placed on the visitor’s computer. If a person tries to visit more than five times in a week, however, the website blocks access and asks the user to purchase a subscription. Joe visits the website many times a day; when the site blocks access, he simply cleans out his cookies and keeps visiting. In your view, should this be considered permitted authorized access or prohibited unauthorized access?

(4) Sally has a website with pictures of her most recent party. Access to the website is protected by a password. Sally e-mails her friends who attended the party and invites them to visit the page and look at the pictures using the password “sallysparty.” Joe did not attend the party, but he is able to guess the password; he uses the password and sees the pictures. In your view, should using the password to see the pictures be considered permitted authorized access or prohibited unauthorized access?

(5) Sally is a college admissions counselor who decides to let applicants know if they have been admitted by sending them a link to a unique URL, such as www.college.edu/?shva=1#decision/13c9e80c03a4a673. A person who visits the URL will see a letter either admitting them or rejecting them. Joe wants to know who has been admitted to the college, so he writes a script that queries the website at each of the possible URLs and collects the letters indicating the admissions decisions of all 5,000 applicants. In your view, should accessing the college site to collect all the decisions be considered permitted authorized access or prohibited unauthorized access?

(6) Sally runs a free social networking site in which users must register and obtain an account. The Terms of Use of the website say that each user can have only one account, and that they must not use the social networking site for commercial purposes. Joe signs up for an account and uses the site to sell his products. In response to complaints about this commercial use, Sally bans Joe’s account. Joe responds by signing up for a new account with a new name, and he then uses the new account to sell his products. Other users complain, so Sally bans Joe’s new account. Joe responds by signing up for a third account under a third name, and he accesses Sally’s social networking site and again uses the site to sell his products. This time, however, Joe acts in ways that keep complaints to a minimum, and Sally is never notified that Joe is back using the site. In your view, should creating the third account and accessing the site using it be considered permitted authorized access or prohibited unauthorized access?

Proposed Amendments to 18 U.S.C. 1030

There has been a lot of interest in amending the Computer Fraud and Abuse Act in light of the Aaron Swartz prosecution. I have drafted some changes and uploaded a red-lined version here.

My proposal has lots of parts, but the big ones are: (1) eliminating liability for exceeding authorized access, (2) tightening the felony thresholds throughout the statute, and (3) eliminating several sections of the statute, including 1030(a)(3) and (a)(4), which are redundant, and 1030(g), the civil liability provision which is chiefly responsible for the overly expansive readings of the statute.

No rewriting of a statute is going to be perfect, but perhaps this proposed redrafting will be of interest to some who are debating the future of this statute.

Two quick links related to the Aaron Swartz prosecution:

1) Duke lawprof Jamie Boyle has posted a thoughtful reply to my two posts on the Aaron Swartz case over at The Public Domain. I plan to post a response to Jamie when I have time to do so — in a day or two, I hope — but in the meantime I wanted at least to recognize his post and provide the link for interested readers.

2) Senator Cornyn has sent a letter to Attorney General Holder asking for a detailed explanation from Holder of why DOJ exercised its discretion in the Swartz case as it did. Senator Cornyn is my former boss, so maybe I am biased here, but I think that’s a productive way to get DOJ to say more about its perspective on the case. It will be interesting to see how DOJ responds.

Among the questions raised by the Cornyn letter is whether DOJ policy gives U.S. Attorneys the discretion to charge cases consistent with the gravity of the wrongdoing in the case. The answer has changed over time. Traditionally, the answer was “yes.” In 2003, however, then-AG John Ashcroft announced a new policy essentially eliminating that discretion. With narrow exceptions, all federal prosecutors were required to “charge and pursue the most serious, readily provable offense or offenses that are supported by the facts of the case.” In 2010, however, AG Eric Holder overturned the Ashcroft policy with a new memo restoring the traditional role of prosecutorial discretion. You can read the 2010 Holder policy here.

This is the second in a series of posts on the Aaron Swartz prosecution. In my first post, I analyzed whether the charges that were brought against Swartz were justified as a matter of law. In this post, I consider whether the prosecutors in the case properly exercised their discretion. As some readers may know, prosecutors generally have the discretion to decline to prosecute a case; once they charge a case, they have the discretion to offer or not offer a plea deal; and once they offer the plea deal, they have some discretion to set the terms of the offer that they will accept. This post considers whether the prosecutors abused that discretion.

To provide some attempted answers, I’m going to break down the question into four different issues: First, was any criminal punishment appropriate in the case? Second, if so, how much criminal punishment was appropriate? Third, who is to blame if the punishment was excessive and the government’s tactics were overzealous? And fourth, does the Swartz case show the need to amend the Computer Fraud and Abuse Act, and if so, how?

This is a very long post, so here’s a summary of where I come out on these four questions.

On the first question, I think that some kind of criminal punishment was appropriate in this case. Swartz had announced his commitment to violating the law as a moral imperative in order to effectively nullify existing federal laws on access to information. When someone engages in civil disobedience and intentionally violates a criminal law to achieve such an anti-democratic policy goal through unlawful means — and when there are indications in both words and deeds that he will continue to do so — it is proper for the criminal law to impose a punishment under the law that the individual intentionally violated. (Indeed, that is usually the point of civil disobedience: to be punished in order to draw attention to the law that is deemed unjust.) As that appears to be the case here, I think some punishment was appropriate.

On the second question, I think the proper level of punishment in this case would be based primarily on the principle of what lawyers call “special deterrence.” In plain English, here’s the key question: What punishment was the minimum necessary to deter Swartz from continuing to try to use unlawful means to achieve his reform goals? I don’t think I know the answer to that question, but that’s the question I would answer to determine the proper level of punishment. The prosecution’s plea offer of 6 months in jail and a felony conviction may have been much more than was needed to persuade Swartz not to engage in unlawful and anti-democratic means to pursue his policy goals in the future. If so, then I think it was too severe. But it depends on how much punishment was necessary to deter Swartz from using unlawful means to pursue his policy goals. In my view, that’s the question that we need to answer in order to say what punishment was appropriate in Swartz’s case.

On the third question, the issue of who was to blame if the prosecution was too severe, I think it’s important to realize that what happened in the Swartz case happens in lots and lots of federal criminal cases. Yes, the prosecutors tried to force a plea deal by scaring the defendant with arguments that he would be locked away for a long time if he was convicted at trial. Yes, the prosecutors filed a superseding indictment designed to scare Swartz even more into pleading guilty (it actually had no effect on the likely sentence, but it’s a powerful scare tactic). Yes, the prosecutors insisted on jail time and a felony conviction as part of a plea. But it is not particularly surprising for federal prosecutors to use those tactics. What’s unusual about the Swartz case is that it involved a highly charismatic defendant with very powerful friends in a position to object to these common practices. That’s not to excuse what happened, but rather to direct the energy of those who are angry about what happened. If you want to end these tactics, don’t just complain about the Swartz case. Don’t just complain when the defendant happens to be a brilliant guy who went to Stanford and hangs out with Larry Lessig. Instead, complain that this is business as usual in federal criminal cases around the country — mostly with defendants who no one has ever heard of and who get locked up for years without anyone else much caring.

On the fourth issue, yes, the Swartz case does point to a serious problem with the Computer Fraud and Abuse Act. But that problem is not the definition of “unauthorized access,” as some people seem to believe. (That definition is a problem, but with the Nosal case from the Ninth Circuit and likely Supreme Court review in the next year or so, I think the courts are likely to take care of it.) Rather, the problem raised by the Swartz case is one I’ve been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly. I would recommend two changes. First, the felony enhancements for 1030(a)(2) are much too broad. I would significantly narrow them. Second, I would repeal 1030(a)(4), which is redundant, as it is only a combination of 1030(a)(2) and the wire fraud statute, 18 U.S.C. 1343. It therefore only leads to extra and redundant charges that confuse juries, and it is better off repealed.

So that’s my overall take. Let’s take it issue by issue.

II. Was Any Criminal Punishment Proper in the Swartz Case?

Let’s start with the question of whether any criminal charges at all were appropriate in this case. In order to answer that, we need to focus on what Swartz planned to do. Swartz was arrested in the middle of his planned course of conduct, so we need to make an educated guess about what his plan was. Granted, some have argued that the fact that Swartz was caught mid-way means that there was no harm in the Swartz case and he should not be punished. But I think that approach is mistaken. When the police catch someone in the course of criminal conduct and intervene mid-way, the punishment is properly based on what the person was in the course of doing rather than how much he succeeded before he was caught.

So what was Swartz’s plan? From what I can tell, Swartz was a remarkable and unusually focused person, and there are substantial reasons to think he acted with a pretty specific plan in mind. Although he never went to law school, Swartz was a serious legal nerd. He hung out with lots of lawyers, and he was passionately involved in debates on legal topics. He went to the Supreme Court argument in Eldred v. Reno as Larry Lessig’s personal guest when he was only 15 years old. More recently, he was deeply involved in the recent debate over SOPA. He was quite informed about the law and interested in it. I know from an e-mail he once sent me that he was a “big fan” of my work — his words — which suggests he was pretty deep in the details of laws like the Computer Fraud and Abuse Act, under which he was ultimately charged.

In figuring out what Swartz was doing, we have an unusual source: Swartz’s own words. In 2008, Swartz published an essay that he labeled the Guerilla Open Access Manifesto. In the essay, Swartz argues that there is a moral imperative to engage in civil disobedience and break laws that limit access to academic articles, and to make those articles available wherever they are restricted. Engaging in civil disobedience can nullify the law by making it impossible to enforce, Swartz suggests. Here’s the essay, which is worth reading in full:

Information is power. But like all power, there are those who want to keep it for themselves. The world’s entire scientific and cultural heritage, published over centuries in books and journals, is increasingly being digitized and locked up by a handful of private corporations. Want to read the papers featuring the most famous results of the sciences? You’ll need to send enormous amounts to publishers like Reed Elsevier.

There are those struggling to change this. The Open Access Movement has fought valiantly to ensure that scientists do not sign their copyrights away but instead ensure their work is published on the Internet, under terms that allow anyone to access it. But even under the best scenarios, their work will only apply to things published in the future. Everything up until now will have been lost.

That is too high a price to pay. Forcing academics to pay money to read the work of their colleagues? Scanning entire libraries but only allowing the folks at Google to read them? Providing scientific articles to those at elite universities in the First World, but not to children in the Global South? It’s outrageous and unacceptable.

“I agree,” many say, “but what can we do? The companies hold the copyrights, they make enormous amounts of money by charging for access, and it’s perfectly legal — there’s nothing we can do to stop them.” But there is something we can, something that’s already being done: we can fight back.

Those with access to these resources — students, librarians, scientists — you have been given a privilege. You get to feed at this banquet of knowledge while the rest of the world is locked out. But you need not — indeed, morally, you cannot — keep this privilege for yourselves. You have a duty to share it with the world. And you have: trading passwords with colleagues, filling download requests for friends.

Meanwhile, those who have been locked out are not standing idly by. You have been sneaking through holes and climbing over fences, liberating the information locked up by the publishers and sharing them with your friends.

But all of this action goes on in the dark, hidden underground. It’s called stealing or piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a ship and murdering its crew. But sharing isn’t immoral — it’s a moral imperative. Only those blinded by greed would refuse to let a friend make a copy.

Large corporations, of course, are blinded by greed. The laws under which they operate require it — their shareholders would revolt at anything less. And the politicians they have bought off back them, passing laws giving them the exclusive power to decide who can make copies.

There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.

We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. We need to fight for Guerilla Open Access.

With enough of us, around the world, we’ll not just send a strong message opposing the privatization of knowledge — we’ll make it a thing of the past. Will you join us?

As far as I can tell, this “manifesto” was not just a casual remark or random thought. Rather, it seems to have been a set of principles Swartz believed in quite passionately. And his conduct appears to reflect that commitment. In the same year Swartz published the manifesto, he participated in the effort to download the entire contents of PACER. That led to an FBI investigation but no charges. And then the MIT/JSTOR incident followed soon after, in 2010, which led to the criminal charges in this case.

If I’m right about what Swartz was trying to do, then I think some kind of criminal prosecution is appropriate in this case. The evidence suggests to me that this was not a one-time mistake or an impulsive decision. Rather, Swartz was acting very deliberately with a quite far-reaching goal: he was intentionally breaking the law in the short run to achieve a long-run goal of nullifying the protections of a set of democratically-enacted laws that he opposed.

And Swartz knew that the means he used to obtain the JSTOR database were unauthorized. He was playing a long-term cat-and-mouse game with MIT and JSTOR in which they repeatedly tried to get him off the network and he repeatedly figured out ways to get back on and get the files he wanted. He didn’t break into the closet because he liked closets; he was trying to find a way to do what MIT and JSTOR were trying to block. He wasn’t hiding his face from the video camera in the MIT closet out of shyness; he knew that he was doing something illegal and he was trying not to get caught. And when the police spotted him, he wasn’t surprised that they wanted to talk to him: According to the police report, he jumped off his bike and tried to outrun the police on foot. Further, Swartz’s conduct had real costs to others, ranging from costs to MIT in responding to his conduct to lost access to JSTOR for a few days for the entire campus.

In these circumstances, it seems to me that at least *some* criminal responsibility is appropriate. We can debate what the proper punishment should be — more on that in a minute — but I don’t think it would have been right to just let Swartz go ahead with his plan to intentionally violate the law, releasing millions of articles onto file-sharing networks, without the law responding at least in some way. The great tradition of civil disobedience is to intentionally violate the law and proudly bear the consequences in order to change public opinion and eventually change the law, not to violate the law in secret and try to render the law you oppose unenforceable while avoiding punishment. So I think some kind of criminal punishment is appropriate.

Some have argued that criminal prosecution was inappropriate because JSTOR did not favor prosecution. The problem with this view, in my opinion, is that JSTOR is not the only party with rights at stake here. MIT is also a party with rights at stake: Swartz imposed costs and inconvenience on MIT’s network and its users, and we know MIT called the police and helped the Secret Service catch Swartz. The copyright owners of the copyrighted articles that Swartz was trying to release on file-sharing networks were also parties with rights at stake: Democratically-enacted laws gave them control over the articles that Swartz was trying to defeat. And I would argue that the public also had a broad interest. To the extent Swartz’s goal was to nullify the effect of a democratically-enacted law that he opposed — which seems to be the gist of the manifesto — he was trying to eliminate options that the public otherwise had in dealing with access to new technologies based on the public’s beliefs about optimal social policy. The reaction of JSTOR doesn’t consider or reflect any of these additional interests, so I don’t think it should strongly influence the government’s decision of whether to prosecute.

III. What Was the Appropriate Punishment in the Aaron Swartz Case?

Now let’s turn to what may be the next question. What punishment was proper? Did prosecutors go too far? To answer that, we need a benchmark of how much punishment was enough. And to answer that, we need to look at the social harms involved in the conduct. Swartz was caught before he executed his plan, so there were relatively minimal harms from the plan that was stopped before it succeeded. But as I’ve explained above, it seems like Aaron was committed to a long-term plan to continue to engage in such conduct, including through unlawful means. In his view, this was not a one-off, or an impulsive decision. Rather, he felt that there was a moral imperative to violate laws that he saw as unjust. And critically, he didn’t want to violate those laws in a symbolic way just to bring attention to laws he saw as unjust. Swartz was not acting in the grand tradition of civil disobedience in which one willingly draws punishment to bring attention to the unjustness of the law. In his own words, he didn’t want to “just send a strong message opposing the privatization of knowledge.” Rather, he wanted to change the facts on the ground to make his preferred world a fait accompli. That is, he wanted to make the laws unenforceable, winning the debate unilaterally outside of Congress. In his words, he wanted to act so that the democratically-enacted laws that allowed privatization of knowledge would become “a thing of the past.”

Given that commitment, I think one appropriate benchmark for the proper punishment is based on what legal scholars call “special deterrence.” In plain English, the question is this: What is the minimum punishment that was needed to persuade Swartz not to do this sort of thing in the future? To my mind, the answer to that question provides a reasonable benchmark to determine the proper punishment. By all accounts, Swartz was a tremendously brilliant guy with an incredibly bright future. His death is a tremendous tragedy. But had he lived, we would all have been better off with a future in which Swartz directed his incredible talents to pursuing his ideas through lawful means rather than unlawful means. Many people — and many readers of this post in particular — share Swartz’s sense of good social policy. But we live in a democracy. We might not like all the rules in a democracy, but the way to change those rules is through democratic change. Swartz could have tried to be punished under the law to bring attention to the law in the hope of changing it through the democratic process. But instead he had something anti-democratic in mind. I think it’s pretty clear that in a democratic system, that kind of anti-democratic cause is something that we should disfavor. You can break the law to draw punishment, but the ultimate goal of traditional civil disobedience is achieving change through the legal means of democracy. Swartz had something else in mind, it seems: changing the law de facto by his unilateral action. Given the importance of the difference, a punishment that was the minimum sufficient to persuade Swartz to follow the law in the future seems appropriate.

This brings up the difficulty that we don’t know exactly what penalty would have persuaded Swartz to follow the law in the future. So I’ll ask those who knew Swartz best: What do you think would have been sufficient to persuade Swartz to abandon the moral imperative of civil disobedience and instead agree to pursue change through only legal means? I’ll defer here to the people who knew Swartz best, with whatever they think the right answer is. Would probation have been enough? A month of home confinement? Jail time? I really don’t know. It may be that the answer was unknowable.

To my mind, this is one of the puzzles about Swartz. On one hand, he was deeply committed to civil disobedience and to the moral imperative of breaking unjust laws. On the other hand, he seems to have had his soul crushed by the prospect that he would spend time in jail. This is an unusual combination. Usually the decision to engage in civil disobedience comes along with a willingness to take the punishment that the law imposes. But despite Swartz’s apparent interest in legal questions, he seems to have made his decision with a blind spot to the penalties that would actually follow. It’s a strange situation: Swartz was really interested in the law, and he knew he was violating the law. He knew a lot of lawyers who would have told him that this would likely happen if he went ahead with his plan. But there was some apparent blind spot that led him to act anyway.

The Internet activist Aaron Swartz has died from an apparent suicide. Swartz was facing a criminal trial in April on charges arising from his effort to “liberate” the JSTOR database, and there has been a lot of commentary accusing the prosecutors in his case of having abused their role in ways that contributed to Swartz’s tragic death. Swartz’s friend Larry Lessig led the way by angrily condemning the prosecutors who charged Swartz as “bullies” who acted like they “had caught the 9/11 terrorists red-handed.” According to Lessig, the prosecutors acted in “the most absurd or extreme way” and “don’t deserve to have the power of the United States government.” A lot of people seem to agree, and today’s media has picked up the story. The New York Times is running a headline, “A Data Crusader, a Defendant and Now, a Cause.” The Associated Press has a somewhat similar story, “Swartz’ Death Fuels Debate Over Computer Crime”.

The criticisms of the Swartz prosecution concern two different questions. The first question is the law. Were the charges against Swartz based on a fair reading of the laws? Or was the prosecution being overly aggressive or relying on strained theories in charging Swartz as it did? The second question is discretion and judgment. The DOJ has the discretion to charge cases or not, and prosecutors can agree to different plea deals or even agree to have charges dismissed. Were the prosecutors in this case unfair in how they exercised discretion, or did they act irresponsibly in the case in how they exercised the discretion that the law grants them?

I hope to answer these questions in two posts. In the first post, I’m going to try to answer the first question — the law — as informed by my background as a specialist in this particular area of law who has testified on these statutes before Congress, defended computer crime cases involving these statutes, and helped prosecute them, too. In a subsequent post, I’ll try to answer the second question, the exercise of prosecutorial discretion.

This is going to be a long post, so here’s the summary of my conclusion on the first question: I think the charges against Swartz were based on a fair reading of the law. None of the charges involved aggressive readings of the law or any apparent prosecutorial overreach. All of the charges were based on established caselaw. Indeed, once the decision to charge the case had been made, the charges brought here were pretty much what any good federal prosecutor would have charged. This is different from what a lot of people are hearing on the Internets, so I realize this post isn’t going to be popular. But I’ll explain my position in some detail, starting with the facts and then turning to the law, and then I’ll open it up for comments. And in a subsequent post, I’ll take on the second question of whether prosecutors properly exercised their discretion in the decision to charge the case and during plea negotiations.

I. The Facts Alleged in the Indictment

Here’s the indictment filed in Swartz’ case. Based on the indictment and news coverage of the case, the following is my current understanding of the facts:

JSTOR is an organization that sells universities, libraries, and publishers access to a database of over 1,000 academic journals. For a large research university, JSTOR charges as much as $50,000 a year for a subscription, at least parts of which go to pay copyright fees to the owners of the articles in the databases. The JSTOR database is not freely available: Normally, a username and password are required to access it. But if you access the site from a computer network owned by a university that has purchased a subscription, you can access the site without a username and password from that network. Users of the service then have to agree to use JSTOR in a particular way when they log in to the site; they generally can download one article at a time, but the JSTOR software is configured to block efforts to download large groups of articles.

Aaron Swartz decided to “liberate” the entire JSTOR database. He wanted everyone to have access to all of the journals in the database, so he came up with a plan to gain access to the database and copy it so he could make it publicly available to everyone via filesharing networks. Swartz lived in the Boston area, and he had legitimate access to the JSTOR database using Harvard’s network, where he was a fellow. But Swartz decided not to use Harvard’s network for what he had planned. Instead, he used MIT’s network across town. Swartz did not have an account or formal relationship with MIT, but MIT is known for having relatively open account practices.

In Swartz’ first attempt, he purchased a laptop, went into a building at MIT, and used the MIT wireless network to create a guest account on MIT’s network. He then accessed JSTOR and executed a program called “keepgrabbing” that circumvented JSTOR’s limits on how many articles a person could download — thus enabling Swartz to start to download a massive number of articles. MIT and JSTOR eventually caught on to what was happening, and they blocked Swartz’s computer from being able to access the MIT network by banning the IP address that he had been assigned.

Swartz responded by changing his IP address, and it took a few hours before JSTOR noticed and blocked his new IP address. To try to stop Swartz from just changing IP addresses again, JSTOR then blocked a range of IP addresses from MIT and contacted MIT for more help. MIT responded by canceling the new account and blocking Swartz’ computer from accessing the MIT network by banning his MAC address, a unique identifier associated with his laptop.

Undeterred, Swartz tried again. This time he brought a new laptop and also spoofed the MAC address from his old one to circumvent the ban. Using the two laptops and the program designed to circumvent JSTOR’s limits on downloading articles, he started to download a significant chunk of JSTOR’s database. A day or two later, JSTOR responded by blocking all of MIT’s access to JSTOR for a few days.

Again undeterred, Swartz came up with a different plan. Instead of trying to connect to the MIT network wirelessly, Swartz broke into a closet in the basement of a building at MIT and connected his computer directly to the network — hiding his computer under a box so no one would see it. Over a period of a month or two, he succeeded in downloading a major portion of JSTOR’s database.

Investigators were on to Swartz at this point, however. They installed a video camera in the closet to catch Swartz when he accessed the closet to swap out storage devices or retrieve his computer. Swartz was caught on camera, and he even seems to have realized that he was being filmed; at one point he was filmed entering the closet using his bicycle helmet as a mask to avoid being identified. (Here’s the picture.) Swartz was spotted on MIT’s campus soon after by the police and tried to run away, but he was then caught and arrested. Federal charges followed.

II. The Legal Charges Brought Against Swartz

The indictment against Swartz alleged several different crimes. A bunch of the crimes overlap, but that doesn’t mean that they are really treated separately: At sentencing the general practice is to take the most serious of the crimes as the basis for the sentence and to mostly ignore the rest. But the ordinary practice is to charge in the indictment all the possible offenses committed, even if they overlap, and then let the jury sort them out at trial or else drop some of the charges in a plea deal. Here are the different offenses charged, with a legal analysis of each.

(a) Wire Fraud. The Wire Fraud statute, 18 U.S.C. 1343, prohibits a scheme to gain “property” by false pretenses. This strikes me as a pretty strong charge here. The false pretenses are provided by the false identification and spoofing of Swartz’ IP address and MAC address. Swartz was trying to trick JSTOR into giving him access to their database after they had specifically tried their best to ban him from doing so. And the “property” was the contents of the JSTOR database itself.

Some might argue that the contents of the JSTOR database should not be considered “property.” But I think that’s a hard argument to make in light of United States v. Seidlitz, 589 F.2d 152 (4th Cir. 1978). In Seidlitz, a former employee of a company named OSI used the username and password of another employee of the company to log in and try to download a text-editing program named WYLBUR used for business applications. Seidlitz argued that the program was not “property” because the WYLBUR program was widely used by different companies. But the court disagreed:

Even though software systems similar to OSI’s WYLBUR were in use at non-OSI facilities, the evidence that OSI invested substantial sums to modify the system to suit its peculiar needs, that OSI enjoyed a multi-million dollar competitive advantage because of WYLBUR, and that OSI took steps to prevent persons other than clients and employees from using the system permitted a finding that the pilfered data was the property of OSI and not, as the defendant contends, property in the public domain subject to appropriation by persons such as himself.

That reasoning seems to apply reasonably well to the JSTOR database, too. See also Carpenter v. United States, 484 U.S. 19 (1987) (recognizing a property right for purposes of federal fraud statutes for a business in confidentiality and use of information to appear in a forthcoming publication). It’s possible to argue that Seidlitz is distinguishable, but I think it’s an uphill battle.

(b) Computer Fraud. The next charges were brought under the Computer Fraud statute, 18 U.S.C. 1030(a)(4), which is a close cousin of the Wire Fraud statute. The two are usually charged together in computer crime cases, and there isn’t really all that much that separates them that we need to dwell on here. So let’s move on to the next crime.

(c) Unauthorized Access. The next charge was unauthorized access to a computer to obtain information valued more than $5,000, in violation of 18 U.S.C. 1030(a)(2)(C) and 18 U.S.C. 1030(c)(2)(B)(iii). I think this charge was a fair one. There are two notable legal issues here. First, was the information valued at more than $5,000? The answer is clearly yes under the leading case of United States v. Batti, 631 F.3d 371 (6th Cir. 2011). Batti dealt with the $5,000 requirement in the context of a video that was difficult to value. The Sixth Circuit concluded that the $5,000 refers to the value of the information obtained, not any loss or harm to the alleged victim in the case. Further, the court authorized the following methodology when “information obtained by a violation of § 1030(c)(2)(B)(iii) does not have a readily ascertainable market value.” In such cases, the court held, “it is reasonable to use the cost of production as a means to determine the value of the information obtained.” Creating thousands of journals over many years obviously costs more than $5,000, so that element is easily satisfied.

The second issue is whether Swartz exceeded authorized access to the JSTOR computer. As regular readers know, I have been fighting overly broad readings of “unauthorized access” for well over a decade as a scholar, defense attorney, and op-ed writer. But I think it’s pretty clear that Swartz exceeded his authorized access here. JSTOR has a password-protected database that Swartz was trying to copy by circumventing code-based barriers to large-scale access, and Swartz was playing a cat-and-mouse game in which he kept trying to gain access to the database and JSTOR kept trying to block him. They blocked his IP address; he changed it. They blocked his MAC address; he spoofed it. They blocked access and he broke into a restricted closet and connected directly to MIT’s network. This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions. I don’t see how that is particularly different from using someone else’s password, which is the quintessential access without authorization. So I think unauthorized access is established here, too.

(d) Computer Damage. The final charge brought was exceeding authorized access and thereby impairing the availability or integrity of information in ways that cause more than $5,000 in loss or involve more than 10 computers, in violation of 18 U.S.C. 1030(a)(5)(B) and 1030(c)(4)(A)(i)(I) & (VI). This is a plausible charge, although we’d need to know more details about the case to know if it is fully merited. I’ve already covered the element of unauthorized access, so we can adopt that analysis here and move on to the other elements.

To get to $5,000 in a 1030(a)(5) case, the easiest and most widely accepted methodology in the caselaw is to focus on the time spent responding to the unauthorized access. Courts would generally just consider the hours spent by MIT and JSTOR in responding to Swartz and multiply those hours by an hourly rate to get to an overall dollar figure. See, e.g., United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000); United States v. Millot, 433 F.3d 1057 (8th Cir. 2006). It sounds like MIT and JSTOR spent a lot of time dealing with Swartz. If so, the time alone should pretty quickly get up to and over the $5,000 threshold. So while we don’t know the facts in detail, that was probably enough.

The impairment of availability or integrity element would probably be satisfied, as well, although again we don’t have much in the way of needed detail to know for sure. The leading case here is Pulte Homes, Inc. v. Laborers’ International Union of North America, 648 F.3d 295 (6th Cir. 2011), which adopted a broad view of this requirement, holding that this is satisfied by “a transmission that weakens a sound computer system — or, similarly, one that diminishes a plaintiff’s ability to use data or a system.” The indictment alleges that Swartz’s conduct impaired the working of the JSTOR database but doesn’t give us much detail, so it’s hard to be sure. Also, DOJ might be able to use JSTOR’s decision to cut off access to JSTOR on MIT’s network as an impairment of availability on the network. But I think this is a bit of a stretch, for two reasons. First, it’s hard to know exactly where to place the responsibility for the impairment. Did Swartz cause it, or did JSTOR? And more significantly, does cutting off some users’ access to a particular service really constitute an impairment of availability of the JSTOR computer itself? I’m not sure, but I’m wary of that argument. So the 1030(a)(5) charges are plausible, but we would need to know more facts to know for sure if they were justified.

III. Conclusion

My conclusion, at least based on what we know so far, is that the legal charges against Swartz were pretty much legit. Three of them are pretty strong; one is plausible but we would need to know more facts to be sure. Of course, there may have been reasons not to charge Swartz even though he had violated these statutes or to offer him a lenient plea. I’ll take on those questions in my next post. But to the extent we’re focused on just what the law is, I think that what Swartz was alleged to have done fits pretty well with the charges that were brought.

My co-blogger Stewart Baker recently argued that it is legal to hack into the computer of someone who has hacked into your computer. Stewart says his analysis is “surely” right. I think it’s obviously wrong. Here’s why.

The Computer Fraud and Abuse Act is a computer trespass statute. It prohibits accessing another person’s computer “without authorization” just like trespass laws prohibit walking on to someone else’s land without their consent. As with a traditional trespass statute, it is the owner/operator of the property that controls authorization. The basic idea is to give computer owners the ability to enforce rights on their own machines. There is lots of disagreement about how computer owner/operators can create rights on their machines that the law will enforce — I’ve blogged a lot about the role of Terms of Service in doing so — but everyone agrees that hacking into someone else’s machine is the quintessential example of the kind of conduct prohibited by the statute.

Stewart offers a novel way to get around this and read the statute as allowing hacking back. He posits that rights to control authorization go with ownership of data stored on a particular machine. More specifically, Stewart argues that the CFAA is so vague as to whether it protects computers or data that the rule of lenity requires courts to adopt the view that any person pursuing their stolen data is authorized in their conduct. In his view, you can’t really rule out that the theft victim controls authorization — and if you can’t really rule it out, you must rule it in. Thus anything victims do must be authorized because they themselves have authorized it.

I think this view of the CFAA is clearly wrong. Contrary to Stewart’s claim, there is no genuine ambiguity over whether the statute protects the rights of computer owners or data owners. The statutory language expressly prohibits “intentionally access[ing] a computer without authorization” (emphasis added). It protects access to computers, not access to stolen data. The rule here is the same rule that is used in real property law: The owner/operator of the property controls who has access to it. The fact that your neighbor borrowed your baseball glove and you want it back doesn’t give you a right to break into everything your neighbor owns on the theory that you can authorize yourself to go anywhere to get your glove back. The same goes for computers.

Stewart also justifies his statutory interpretation on the ground that it creates results he likes. The victim can hack back, which Stewart thinks is a good idea. But even assuming his I-like-it-and-therefore-it-is-the-law argument were valid, I think the results it would produce would be terrible. For every one hypothetical you can devise in which such hacking back might seem like a good thing, you can come up with hundreds of examples in which it wouldn’t be. For example, wouldn’t Stewart’s theory allow copyright holders to hack into the computers of anyone suspected of having any infringing materials on their computers? That would be bad. More broadly, Stewart’s theory appears to have few limits. His test seems to boil down to good faith: As long as someone believes that they were a victim of a computer intrusion and has a good-faith belief that they can help figure out who did this or minimize the loss of the intrusion by hacking back, the hacking back is authorized. Given the well-known difficulty of locating the source of intrusions, that’s not a power that we want to give to every person in the U.S. who happens to own or control a computer.

UPDATE: Another problem with Stewart’s theory is that it would have the bizarre effect of allowing hacking victims to declare that the people who hacked into their machines can’t access their own computers. That is, if A hacks into B’s machine, B just has to announce that A now can’t use A’s own machine. If A uses his own computer, that is “without authorization” from B and therefore a crime. It’s a bizarre result, and even more bizarre given that Stewart uses the rule of lenity to justify it.

Last year, I posted about a recently-filed criminal prosecution in which the federal government was charging a state fraud scheme involving poker machines under the Computer Fraud and Abuse Act:

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined as any computers that can be regulated under the Commerce Clause power, which paired with Gonzales v. Raich seems to be any computers, period. So voila, there is federal jurisdiction over the state law crime because a computer is involved.

Of course, whether the government can use 1030(a)(4) to federalize state law fraud schemes involving computers depends on the legal interpretation of “accesses . . . without authorization, or exceeds authorized access,” which is the main issue involved in cases like United States v. Nosal, currently pending before the en banc Ninth Circuit. In the Nestor case, I assume DOJ’s view is that it is implicitly unauthorized to exploit a programming error in a computer in order to commit a fraud. I think this reading essentially reads “without authorization, or exceeds authorized access” out of the statute, and instead treats 1030(a)(4) as punishing fraud committed using any computer, period. But we’ll see what the district court does with the motion to dismiss in Nestor, which may in turn depend on what the en banc Ninth Circuit does in Nosal.

This morning, Magistrate Judge Johnston filed his report and recommendation in the case recommending that the indictment be dismissed for two reasons. First, according to Magistrate Judge Johnston, the video poker machines are not protected computers because there is insufficient evidence that the machines had an impact on interstate commerce:

In order to be classified as a “protected computer,” a computer must be used in or affect interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(2)(B). The Government argues that video poker machines affect interstate commerce because “[c]ustomers from all over the country travel to Nevada to play Las Vegas’ gaming machines.” Response (#68) at 5. This argument fails for two reasons. First, this supposed effect on interstate commerce only holds up in the aggregate. While it may be true that the entire Las Vegas gambling industry attracts customers from all over the country, the Government cannot show that individual video poker machines have such an effect on interstate commerce. Second, to follow the Government’s interpretation of the term “protected computer” would divorce the function of the device, i.e. logical, arithmetic, or storage functions, from its supposed effects on interstate commerce. Computers connected to the internet are “protected computers” because this part of their designed function allows them to engage in interstate commerce. Likewise, the function of the radio system in Mitra was to connect with a federally regulated channel of interstate commerce. While any individual computer connected to the internet, or the Mitra radio system, can instantaneously engage in interstate commerce, an individual video poker machine has no such connection to the wider world.

I have problems with broad theories of the Computer Fraud and Abuse Act, and especially its lack of statutory federalism limitations, but I think this position misunderstands the relevant law. As I pointed out in this post in 2009, the 2008 amendments to the definition of “protected computer” changed the scope of the protected computer in a critical way:

In 2008, Section 207 of the Former Vice President Protection Act, Pub.L. 110-326, expanded the definition of protected computer regulated by the statute to a computer that is “used in or affecting interstate or foreign commerce or communication” (new language in italics), and removed the requirement that information obtained had to be information that crossed state lines.

The switch from prohibiting conduct “in interstate commerce” to regulating conduct “affecting interstate commerce” is easy to overlook, but it turns out to be a critical change. When Congress uses the phrase “affecting interstate commerce,” that is generally understood to express Congress’s intent to regulate as far as the Commerce Clause will allow. See Russell v. United States, 471 U.S. 858, 849 (1985) (noting that prohibition regulating conduct “affecting interstate or foreign commerce” expresses “an intent by Congress to exercise its full power under the Commerce Clause”); Scarborough v. United States, 431 U.S. 563, 571 (1977) (“Congress is aware of the distinction between legislation limited to activities ‘in commerce’ and an assertion of its full Commerce Clause power so as to cover all activity substantially affecting interstate commerce.”). When Congress uses the jurisdictional hook of “affecting interstate commerce,” or its close cousin “affecting interstate or foreign commerce,” then the scope of the jurisdictional hook is generally understood to be defined by Commerce Clause jurisprudence.

But here’s the rub. Under Gonzales v. Raich, 545 U.S. 1 (2005), it seems awfully difficult to find any computer or any type of data that is actually beyond the scope of the federal commerce power. If you can aggregate the effect of all computers and all data, you’re going to identify a rational basis for identifying a substantial effect on interstate commerce. Maybe I’m just too much of a Commerce Clause pessimist — and if so, please let me know in the comment thread — but it seems to me that under Raich, if it’s a computer, it’s going to be a computer that Congress can regulate. See, e.g., United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005).

The end result: In the last two years, Congress has essentially gutted the idea of computer crimes that are beyond the reach of the federal government. If a computer is involved — any computer — it’s very likely to be a federal issue. The federal government can always decline to prosecute a case, and it can consider the fact that it’s just a local crime in the course of making that call. But that’s a matter of discretion, not law. For those of us who care about federalism, it’s a very sad state of affairs.

In light of this statutory change, Judge Johnston’s concern that the impact on interstate commerce “only holds up in the aggregate” misses the point. The only limit to the definition of “protected computer” is the Commerce Clause, and under Raich courts must consider the aggregate to determine the impact on interstate commerce. (Judge Johnston’s reliance on the Mitra precedent is problematic because Mitra was decided in 2005, three years before the statute was amended.)

Second, Magistrate Judge Johnston concludes that use of the video poker machines to win money by exploiting the programming error did not “exceed authorized access” under the Ninth Circuit’s recent en banc decision in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012):

[W]hen playing ordinary, non-video poker at a casino there is an intermediary, namely the dealer, who is employed by the casino and who upholds and enforces the rules. When playing video poker, on the other hand, the rules are upheld and enforced by the gambling software itself. The Defendants argue that they could not have possibly exceeded their authorized access, because the bounds of their authorized access were defined by what the gaming software would allow. Any selections that would have exceeded that authorization should have been regulated by the software and made unavailable. The software is designed to regulate what selections are allowed and what results may be produced. Like the human casino employee, the software acts as the gatekeeper, stopping any unauthorized access in the event that a player tries to do something that falls outside the rules.

The Ninth Circuit’s most recent opinion interpreting the meaning of “exceeds authorized access” makes clear that the Government’s proposed interpretation of the statute in the present case is untenable. In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), the government argued that “exceeds authorized access” should “refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information.” The government in Nosal asserted that the word “so” in the definition of “exceeds authorized access” should be read to mean “in that manner,” which it claimed referred to use restrictions. Nosal, 676 F.3d at 857. Writing for the court, Chief Judge Kozinski stated that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” . . . .

Here, the Government has asserted that, although the Defendants were authorized to play the video poker machines and access information for that purpose, the way that they used the information exceeded their authorization. This argument is directly analogous to the government’s argument in Nosal and it fares no better here. As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the Defendants’ alleged actions did not exceed their authorized access.

I think this is a hard issue, and I find the question of exceeding authorized access trickier than the judge suggests. If you take seriously the notion that “the software acts as the gatekeeper,” then no one can ever violate the Computer Fraud and Abuse Act. That kind of reasoning leads to the bizarre result that if you can do it then it was necessarily authorized. On the other hand, the government’s reasoning in this case does seem to be the same reasoning that it relied on in Nosal. It’s also worth noting that in United States v. Morris, 926 F.2d 504 (2d Cir. 1991), the Second Circuit held that using a command to gain access in a way contrary to its “intended function” makes that access “without authorization.” The idea was that exploiting a security flaw to gain access is not authorized because computer programs are implicitly limited to their generally intended use. Does exploiting a programming error to obtain money a user is not entitled to obtain implicitly “exceed authorized access” under the rationale of Morris? Or is Morris limited to controls on access to a computer, whereas here the issue was not access to the computer but rather obtaining funds from it?

I find this a hard case, but my very tentative conclusion is that the court was right on this issue. The first reason is the text of 1030(a)(4). That text requires two different elements to be proven: first, access without authorization or exceeding authorized access, and second, that “by means of such conduct” the defendant “furthers the intended fraud and obtains anything of value.” It seems to me that the government’s theory in this case collapses the two elements: It treats the act of the fraud as implicitly exceeding authorized access. But that effectively eliminates the fraud requirement from 1030(a)(4). Second, the notion of unauthorized access in 18 U.S.C. 1030 is focused on access to computers and access to data stored on them. Here the scheme was not to obtain data, but to obtain money: It was a fraud scheme, but not a scheme to trespass onto the machine or invade privacy. So on balance my tentative view is that the court was right on this issue, although I think it’s a tricky question.

UPDATE: For a related post, see this 2005 entry, Treating Machines Like People.