During the debate over the Aaron Swartz case, one of the legal issues was whether Swartz had committed an unauthorized access under the CFAA when he changed his IP address to circumvent IP address blocking imposed by system administrators trying to keep Swartz off the network. There was significantly more to the CFAA charges than that, to be clear, including circumventing a subsequent MAC address block and (most significantly) entering an MIT storage closet to install his computer directly. But changing IP addresses to get around IP address blocking was at least one of the possible grounds of unauthorized access. On Friday, Judge Breyer of the Northern District of California handed down the first decision directly addressing the issue. Judge Breyer ruled that changing IP addresses to get around a block is an unauthorized access in violation of the CFAA. The decision is here: Craigslist v. 3taps, Inc..
The facts of the case are very simple. 3taps aggregates and republishes ads from the popular Craigslist website by scraping data from Craigslist. Craigslist responded by sending 3taps a cease-and-desist letter and by blocking the IP addresses associated with 3taps’s computers. 3taps continued to access Craigslist by changing the IP addresses by which its computers accessed Craigslist’s servers. Craigslist then sued 3taps, alleging claims including copyright, state law violations, and the CFAA. For its CFAA claims, Craigslist argued that 3taps violated the CFAA by (a) violating Craigslist’s Terms of Service, which prohibited scraping; and (b) circumventing the IP address block after receiving a cease-and-desist letter.
In an earlier decision, Judge Breyer had indicated that that violating the Craiglist’s Terms of Service did not trigger a CFAA violation. See Craigslist Inc. v. 3Taps Inc. — F.Supp.2d —-, 2013 WL 1819999 (N.D.Cal. April 30, 2013). In the new opinion issued on Friday, [...]
Last month, I blogged about why I agreed to represent Andrew Auernheimer pro bono in his appeal before the Third Circuit. Tomorrow’s Washington Post has a front-page story by Jerry Markon focusing on the case. It begins:
Their guns drawn, a dozen federal agents, police and forensics experts kicked in the door of a run-down two-story home in Arkansas shortly after dawn, barged inside and ordered the occupants to put their hands on their heads.
The target of the raid was neither terrorist nor bank robber. He was a 24-year-old computer hacker suspected of handing off stolen e-mail addresses to the media.
With that, the Justice Department began a case that has come to symbolize what some lawyers and civil libertarians see as overreach in the government’s campaign against cybercrime.
The hacker, Andrew Auernheimer, was convicted and sentenced last month to more than three years in prison for obtaining about 120,000 e-mail addresses of iPad users from AT&T’s Web site — including New York Mayor Michael R. Bloomberg (I), Hollywood executive Harvey Weinstein and other prominent figures — and giving them to the Web site Gawker. When it happened three years ago, the data breach jolted federal officials because it affected one of the nation’s most prominent companies and triggered fears about the security of increasingly popular mobile devices.
Yet only a few, heavily redacted e-mail addresses were published, court documents show. No one’s account was broken into. AT&T fixed the problem in about an hour, and a company official testified that there probably was not enough evidence to sue the hackers.
The case highlights a growing debate over how to define right and wrong in the digital age, what is public and proprietary online, and how far law enforcement should go in pursuing cybercrime.
The Obama administration is
As I recently noted, Congress is considering legislation to increase maximum punishments under the Computer Fraud and Abuse Act. Here’s my question for supporters of this legislation: Can you identify any cases under the current version of the CFAA in which judges sentenced defendants to the current maximum sentences? In other words, have there been any cases in which judges maxed out the current sentences, suggesting that if they had the power to do so they might have wanted to sentence a defendant to a greater punishment? Or is Congress considering increasing the allowed penalties under the CFAA with a complete absence of evidence that any federal judge anywhere has ever found the current statutory maximum penalties too low in any actual case? [...]
A draft cybersecurity bill circulating among House Judiciary Committee members would stiffen a computer hacking law used to bring charges against Internet activist Aaron Swartz. The bill draft would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked, according to a copy obtained by The Hill.
It would also change existing law so that an attempt at a cyber crime can be punished as harshly as an actual offense.
Such measures could spark concern among advocates outraged over the death of Swartz, the 26-year-old Internet activist and computer programmer who killed himself earlier this year while facing a possible 35-year prison term for hacking. Advocates have called on Congress to make changes to what they say is a draconian law that led to too harsh a prosecution of Swartz.
. . . It’s unclear which Judiciary members are sponsoring the draft bill, which is unnamed. A House Judiciary Committee aide said the bill is still in the early drafting stage and is being circulated to stakeholders for their feedback on possible changes.
They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized [...]
Writing in Slate, Justin Peters has a puzzling article on the CFAA charges brought against Aaron Swartz. Peters appears to think that the basis of the Swartz prosecution was violating the Terms of Service at JSTOR, the service that hosted the database that Swartz tried to copy. Peters then discusses whether Swartz should be held criminally liable for violating JSTOR’s Terms of Service, and he then points out that this would not be a crime in the Ninth Circuit under its en banc opinion in United States v. Nosal.
This misunderstanding of the Swartz prosecution has become popular in some circles, fueled in part by the writings of Larry Lessig . But I’m not sure why Peters, Lessig, and some others think that the Swartz prosecution was based on a TOS violation. True, Swartz violated JSTOR’s terms of Service — and MIT’s, for that matter. But the government’s strongest case for Swartz accessing computers without authorization was Swartz’s entering the MIT closet to hard wire his laptop into MIT’s network after he had been blocked twice by sysadmins when Swartz accessed the the network from a wireless connection. To argue that Swartz did not violate the CFAA, you need to argue that entering the MIT closet and connecting directly to its network was an authorized access. You need to argue that MIT had an “open closets” policy, so that everyone was welcome to go into closets at MIT and connect to any switches they liked when inside. You also need to argue that Swartz was authorized to use the network after MIT’s system administrators tried to block him from doing so. That is, you need to argue that even though MIT’s employees were trying to keep Swartz off the network, there was a distinct entity of MIT [...]
Will Congress amend the Computer Fraud and Abuse Act in light of the Aaron Swartz case? Don’t expect reforms any time soon, Politico suggests:
Despite some recent momentum, there’s not much clamor for change coming from the White House — and as expected, the Justice Department, which once tried to expand the penalties of the so-called Computer Fraud and Abuse Act, has been silent.
While there’s a new reform push on Capitol Hill backed by a few powerful members, the key committees with jurisdiction have other plans in mind — and their agendas are packed with immigration reform and gun control. More than that, Congress actually has been fond of stronger punishments for some offenders.
It’s not to say the principles known as Aaron’s Law won’t ever reach the president’s desk in some form — just that all the Internet hype and rallying mark only the beginning of a new and lengthy political journey.
I think that’s probably right, unfortunately. Narrowing federal criminal law is always hard, both because elected officials don’t want to seem ‘soft on crime’ and because the head of the executive branch has the veto power. Plus, on this issue specifically, the Internet companies and service providers that have a lot of influence on the Hill aren’t natural allies with civil libertarians. Those companies want their customers to feel that using their products is private, which can lead companies to favor expanding privacy protections in the context of government investigations. But when it comes to the substantive criminal laws, those same companies tend to see themselves as victims of computer crimes (whether from outside hackers or insiders). As a result, they tend to be wary of narrowing the laws. So as the Politico story says, expect a lengthy political journey. And keep an eye out [...]
Congresswoman Zoe Lofgren has posted a new draft version of “Aaron’s Law,” an amendment to 18 U.S.C. 1030 in the wake of the Aaron Swartz case. In this new draft, Lofgren adopts the idea I floated and others have since adopted of eliminating the concept of “exceeds authorized access” and instead defining “access without authorization.” Readers may recall that I proposed the following definition of “access without authorization”:
“access without authorization” means to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer;
Lofgren proposes a much more complex definition of “access without authorization.” Here’s Lofgren’s language:
‘access without authorization’— (A) means—
(i) to obtain or alter information on a protected computer;
(ii) that the accesser lacks authorization to obtain or alter; and
(iii) by circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information; and
(B) does not include the following, either in themselves or in combination—
(i) a violation of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement with an online service provider, Internet website, or employer; or
(ii) efforts to prevent personal identification of a computer user, or identification of a user’s hardware device or software, through a user’s real name, personally identifiable information, or software program or hardware device identifier(s);’’
Based on a quick read, I think this definition has some problems. To explain my views, I’ll put Lofgren’s text in italics section-by-section and then offer my comments in plain text following it:
‘access without authorization’— (A) means (i) to obtain or alter information on a protected computer; (ii) that the accesser lacks authorization to obtain or alter;
This language [...]
I have been beating the drum on the need to narrow the Computer Fraud and Abuse Act for a decade or so, so I was happy to see today’s cartoon for “Tom the Dancing Bug” pick up the cause, too. I don’t know if I can reprint the cartoon here copyright reasons, but you can click here to see it. For my related op-ed from 2011, see here. And for a video of me ranting about the broad scope of the CFAA — or at least coming as close as I come to ranting — see here at the 44:10 mark (and pardon the echo).
In the spirit of the post, I thought I would also reprint the conclusion of the CFAA chapter in the 3rd edition of my Computer Crime Law casebook. As lawyers and law students know, it is common for law school casebooks to supplement cases with extensive “notes and questions” offering additional points and questions for further thought. Here’s the last “note” in the chapter:
The scope of criminal liability for computer misuse is very broad. A critic of existing law might say that the legislature’s basic approach is to criminalize everything and then rely on prosecutorial discretion to select appropriate cases for criminal punishment.
Is this criticism accurate? And if it is, do you think the legislature has acted wisely? Computer technologies and social practices change rapidly, and it may be difficult for the law to keep up. Is it sensible for legislatures to impose broad criminal liability ex ante, so that prosecutors are rarely or never in a position of being unable to charge a worthy case? Or should the legislature only impose liability narrowly, so that new computer technologies can evolve without the threat of criminal punishment? Do you trust prosecutors
In last night’s post, I offered six scenarios to help identify what should be the proper line between access to a computer that is authorized versus without authorization under the Computer Fraud and Abuse Act. The reader responses are still coming in, and if you haven’t voted yet, please read that post and do so. But for those who have already voted, or aren’t into that sort of thing, here are my own thoughts on how the law should treat the six hypotheticals.
1. Sally has an web-based e-mail account that she uses for personal e-mails. Joe suspects that Sally uses a common password that offers very little security, as the e-mail provider does not impose any restrictions on what passwords subscribers can use. Joe wants to teach Sally about good password practices, so he goes to her login page and (without her permission) tries the password “password.” That is in fact Sally’s password, so Joe is able to log in see Sally’s e-mails. In your view, should accessing Sally’s e-mail be considered permitted authorized access or prohibited unauthorized access?
My view: Prohibited unauthorized access. Guessing at someone’s password and using it to access their private files is one of the paradigmatic forms of unauthorized access. The whole point of setting up accounts and having passwords is to block access rights; guessing someone else’s password and using it to access the other person’s files is like picking the lock that guards their physical stuff. It’s true that Sally had a stupid password, but I think it would be problematic to say that you need to have locks that are “good enough” before the law will start to respect a person’s rights in guarding what that lock protects.
2. Sally sets up a “CAPTCHA” gate designed to ensure that only [...]
In a recent post, I offered a series of amendments to narrow the Computer Fraud And Abuse Act. One amendment woud eliminate the concept of “exceeds authorized access” and instead limit the concept of unauthorized access to “access without authorization.” I offered the following definition of “access without authorization” that would be required for most misdemeanor violations of the CFAA:
the term “access without authorization” means to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer;
The good folks at the Electronic Frontier Foundation took my proposal as a starting point and then added a tweak:
We basically took up former DOJ attorney and law professor Orin Kerr’s suggestion that CFAA should just do away with the phrase “exceeds authorized access” and define for the first time access “without authorization.” This definition should encompass all conduct considered “unauthorized.” [But] we also clarified the definition of “without authorization” to make sure the CFAA doesn’t penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way. Since many of these techniques, such as changing IP addresses, have general application to protect the privacy of the user, they should not be cause to charge a felony.
Here’s the relevant additional language proposed by the EFF in italics:
The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.
There has been a lot of interest in amending the Computer Fraud and Abuse Act in light of the Aaron Swartz prosecution. I have drafted some changes and uploaded a red-lined version here.
My proposal has lots of parts, but the big ones are: (1) eliminating liability for exceeding authorized access, (2) tightening the felony thresholds throughout the statute, and (c) eliminating several sections of the statute, including 1030(a)(3) and (a)(4), which are redundant, and 1030(g), the civil liability provision which is chiefly responsible for the overly expansive readings of the statute.
No rewriting of a statute is going to be perfect, but perhaps this proposed redrafting will be of interest to some who are debating the future of this statute. [...]
Two quick links related to the Aaron Swartz prosecution:
1) Duke lawprof Jamie Boyle has posted a thoughtful reply to my two posts on the Aaron Swartz case over at The Public Domain. I plan to post a response to Jamie when I have time to do so — in a day or two, I hope — but in the meantime I wanted at least to recognize his post and provide the link for interested readers.
2) Senator Cornyn has sent a letter to Attorney General Holder asking for a detailed explanation from Holder of why DOJ exercised its discretion in the Swartz case as it did. Senator Cornyn is my former boss, so maybe I am biased here, but I think that’s a productive way to get DOJ to say more about its perspective on the case. It will be interesting to see how DOJ responds.
Among the questions raised by the Cornyn letter is whether DOJ policy gives U.S. Attorneys the discretion to charge cases consistent with the gravity of the wrongdoing in the case. The answer has changed over time. Traditionally, the answer was “yes.” In 2003, however, then-AG John Ashroft announced a new policy essentially eliminating that discretion. With narrow exceptions, all federal prosecutors were required to “charge and pursue the most serious, readily provable offense or offenses that are supported by the facts of the case.” In 2010, however, AG Eric Holder overturned the Ashcroft policy with a new memo restoring the traditional role of prosecutorial discretion. You can read the 2010 Holder policy here. [...]
This is the second in a series of posts on the Aaron Swartz prosecution. In my first post, I analyzed whether the charges that were brought against Swartz were justified as a matter of law. In this post, I consider whether the prosecutors in the case properly exercised their discretion. As some readers may know, prosecutors generally have the discretion to decline to prosecute a case; once they charge a case, they have the discretion to offer or not offer a plea deal; and once they offer the plea deal, they have some discretion to set the terms of the offer that they will accept. This post considers whether the prosecutors abused that discretion.
To provide some attempted answers, I’m going to break down the question into four different issues: First, was any criminal punishment appropriate in the case? Second, if so, how much criminal punishment was appropriate? Third, who is to blame if the punishment was excessive and the government’s tactics were overzealous? And fourth, does the Swartz case show the need to amend the Computer Fraud and Abuse Act, and if so, how?
This is a very long post, so here’s a summary of where I come out on these four questions.
On the first question, I think that some kind of criminal punishment was appropriate in this case. Swartz had announced his commitment to violating the law as a moral imperative in order to effectively nullify existing federal laws on access to information. When someone engages in civil disobedience and intentionally violates a criminal law to achieve such an anti-democratic policy goal through unlawful means — and when there are indications in both words and deeds that he will continue to do so — it is proper for the criminal law to impose a punishment under [...]
The Internet activist Aaron Swartz has died from an apparent suicide. Swartz was facing a criminal trial in April on charges arising from his effort to “liberate” the JSTOR database, and there has been a lot of commentary accusing the prosecutors in his case of having abused their role in ways that contributed to Swartz’s tragic death. Swartz’s friend Larry Lessig led the way by angrily condemning the prosecutors who charged Swartz as “bullies” who acted like they “had caught the 9/11 terrorists red-handed.” According to Lessig, the prosecutors acted in an “the most absurd or extreme way” and “don’t deserve to have the power of the United States government.” A lot of people seem to agree, and today’s media has picked up the story. The New York Times is running a headline, “A Data Crusader, a Defendant and Now, a Cause.” The Associated Press has a somewhat similar story, “Swartz’ Death Fuels Debate Over Computer Crime”.
The criticisms of the Swartz prosecution concern two different questions. The first question is the law. Were the charges against Swartz based on a fair reading of the laws? Or was the prosecution being overly aggressive or relying on strained theories in charging Swartz as it did? The second question is discretion and judgment. The DOJ has the discretion to charge cases or not, and prosecutors can agree to different plea deals or even agree to have charges dismissed. Were the prosecutors in this case unfair in how they exercised discretion, or did they act irresponsibly in the case in how they exercised the discretion that the law grants them?
I hope to answer these questions in two posts. In the first post, I’m going to try and answer the first question — the law — as informed by my background as [...]