Photo Credit: Daniel J. Sieradski

One day back in the early 1970s, two young computer miscreants named Steve Jobs and Steve Wozniak exploited a hole in AT&T’s phone system to prank call the Pope. The call — made using a homemade device called a “blue box” which made free calls by emulating the tones in AT&T’s switching system — was more than just a prank. It was part of a history of irreverent tinkering that would eventually lead to the creation of the Apple I, and the founding of what would later become the most valuable computer company on the planet.

In July of 2011, Aaron Swartz was federally indicted for acts that in retrospect seem far more innocuous than those of Jobs and Wozniak. He had allegedly entered a maintenance closet at MIT and used a Python script to rapidly download millions of documents from JSTOR, a database of academic journals containing publicly-funded research that he had legal access to under MIT’s open network. Last Friday, facing dwindling legal funds and up to 35 years in prison, Swartz committed suicide.

As security researcher and expert witness Alex Stamos explains, what Swartz did wasn't "hacking" — not even under the loosest interpretations. Yet despite JSTOR dropping its own charges against him, federal prosecutors pursued the case aggressively. And they were able to do so because of the dangerously vague language and inconsistent interpretations of the US government’s favorite anti-hacker playbook, the Computer Fraud & Abuse Act (CFAA) of 1986.