Photo Credit: Daniel J. Sieradski
One day back in the early 1970s, two young computer miscreants named Steve Jobs and Steve Wozniak exploited a hole in AT&T’s phone system to prank call the Pope. The call — made using a homemade device called a “blue box” which made free calls by emulating the tones in AT&T’s switching system — was more than just a prank. It was part of a history of irreverent tinkering that would eventually lead to the creation of the Apple I, and the founding of what would later become the most valuable computer company on the planet.
In July of 2011, Aaron Swartz was federally indicted for acts that in retrospect seem far more innocuous than those of Jobs and Wozniak. He had allegedly entered a maintenance closet at MIT and used a Python script to rapidly download millions of documents from JSTOR, a database of academic journals containing publicly-funded research that he had legal access to under MIT’s open network. Last Friday, facing dwindling legal funds and up to 35 years in prison, Swartz committed suicide.
As security researcher and expert witness Alex Stamos explains, what Swartz did wasn't "hacking" — not even under the loosest interpretations. Yet despite JSTOR dropping its own charges against him, federal prosecutors pursued the case aggressively. And they were able to do so because of the dangerously vague language and inconsistent interpretations of the US government’s favorite anti-hacker playbook, the Computer Fraud & Abuse Act (CFAA) of 1986.
The CFAA can effectively mark anyone who uses the internet as a felon
The CFAA may have been written with malicious computer break-ins in mind, but in reality it’s used to target an incredibly broad range of activities completely divorced from “hacking,” and Aaron Swartz is only the most recent example. Framed during a time of widespread computer illiteracy when nefarious depictions of hackers dominated mainstream media, the law attempted to bring order to the new computational “Wild West” by combating unauthorized access to protected systems in government and finance. But today, the CFAA can effectively mark anyone who uses a computer to access another computer (e.g., anyone on the internet) as a felon.
The hook in Swartz's case had to do with something we should all be familiar with: Terms of Service. Whether we’re using Gmail or Facebook or logging on to a company-owned server at work, these contracts have us agree to certain rules as a condition of accessing a computer or service. If we break any of these rules, the company has the right to suspend access, terminate employment, or sue in court, if the resulting damage is significant.
All of that would be just fine if it weren’t for a section of the CFAA describing “unauthorized” and “excessive” access of a “protected computer” — or to be more accurate, not describing it. This section is supposed to define the terms which constitute a criminal intrusion, but the language is so plain that the law basically leaves this up to the imaginations of the courts.
The result is that the courts actually default to the language in those Terms of Service, network use policies, and other private contracts, as defined by the employers and web services in question. To wit, the CFAA can make breaking a code of conduct or violating a social network’s Terms of Service into a felony, which in effect gives private companies the ability to set the definitions of criminality wherever a computer is involved.
That’s not because of any recent changes in the law’s text, however — it’s due to aggressive federal prosecutors taking advantage of the CFAA’s malleable nature to crack down on a wide variety of computer-related activities — including, conveniently enough, the kind that embarrass or undermine the authority of the federal government and their corporate sponsors.
For one example, consider Andrew “weev” Auernheimer, a security researcher and internet troll who was convicted after exposing a security exploit discovered on AT&T-branded iPads in 2010. Auernheimer discovered the hole by simply incrementing an iPad’s serial number and feeding that data into a public AT&T web server, which then spat out names and email addresses of 114,000 users associated with those serial numbers.
AT&T had known about the loophole, but ignored it. So Auernheimer went public, sharing his findings with Gawker's Ryan Tate. He reasoned that “when a large company puts users at risk, you deserve to know about it” — a method of public shaming that many in the security community, including cryptography expert Bruce Schneier, have agreed can be an effective means of promoting better security practices.
Again, none of this was “hacking” — anyone with an iPad serial number and enough smarts could have pulled it off. And since AT&T’s system was left wide open, no protected computer had been accessed in the exchange. But AT&T and federal prosecutors disagreed, and pursued a case that eventually found Auernheimer guilty on charges of unauthorized access and identity theft, giving him a maximum 10 year jail sentence.
What this suggests is that accessing any publicly accessible computer without explicit permission can be grounds for federal indictment, so long as its owner decides later that they didn’t like something you were doing on it. In the end, it seemed Auernheimer’s conviction had little to do with actually upholding the law — it was about the federal government and a monolithic telecommunications company using the vague language of the CFAA to send an intimidating message to the hacking and security community.
The government has sent a similar message when prosecuting another form of “non-hack”: the Distributed Denial of Service (DDoS) attack. Made popular by members of leaderless hacktivist collective Anonymous, DDoS attacks have been blamed for causing extensive damage to corporate computer systems. Mercedes Haefer, a 21 year old journalism student, participated in one such attack as part of “Operation Payback,” the campaign against PayPal in response to its refusal to process donations for Wikileaks.
The goal of a DDoS attack isn't to cause lasting damage — it's to temporarily slow or block access to certain websites by sending a flood of requests, an act some have compared to civil disobedience. But the punishments being doled out for digital disruptions vastly overshadow the night in jail plus fine given to many of the 700 Occupy Wall Street protestors who shut down the Brooklyn bridge in October of 2011: Haefer and 13 other Anonymous members are now each facing up to 15 years in prison and $500,000 in fines.
Which highlights another area where the law is stacked against actors in the digital space: proportionality.
"Stealing is stealing whether you use a computer command or a crowbar."
In Swartz’s case, US Attorney Carmen Ortiz contended that "Stealing is stealing whether you use a computer command or a crowbar." But even if you ignore the nature of the content in question (publicly-funded research, able to be duplicated infinitely), it has little basis in what the law prescribes for a similar situation in physical reality. Under Massachusetts state law, someone going into a library and stealing a large quantity of physical books would be charged with trespassing, which carries a maximum punishment of 30 days in jail or a $100 fine. If the value is more the $250, the maximum sentence is 2 - 5 years — leagues below what Swartz faced for his 13 felony counts under the CFAA.
“We agree there should be reasonable computer crime laws, but it seems that all the prosecutions we hear about aren't reasonable,” says Hanni Fakhoury, a Senior Staff Attorney for the Electronic Frontier Foundation. He notes that some courts, notably those in the Fourth and Ninth Circuits, have recently pushed back against broad interpretations of the CFAA which use Terms of Service violations to push criminal charges. But in others, he says, prosecutors continue to test the limits of the law.
Aaron Swartz was a lot of things the US government isn’t particularly fond of. He was an activist — a key architect of the campaigns that brought down COICA, SOPA, and PIPA, three copyright bills written to preserve the interests of Hollywood lobbyists. He was also a free culture agitator, who in 2008 wrote a Guerilla Open Access Manifesto calling for the “liberation” of taxpayer-funded research papers from privately-owned paywalls like JSTOR and PACER. If he could be called a “hacker” in any sense, it’d be closer to the definitions of the eccentric Free Software godfather Richard Stallman, who once described hacking as “playful cleverness” — a dance along the razor’s edge, bending the rules of the current system to create something new, better, or different.
"My first reaction was that we need to change the statute that would permit this."
Amending CFAA won’t reverse what happened to Aaron Swartz. But in the short term, it might at least prevent prosecutors from using the law to pursue all kinds of innocuous activity. It’s with that in mind that Rep. Zoe Lofgren went on Reddit this week to propose a draft of “Aaron’s Law,” a new bill that would change the requirements in the CFAA to explicitly prohibit Terms of Service and other private contracts from standing in for government definitions of criminality.
"When I heard about Aaron's death I was not only sad but outraged," Lofgren said this week in a phone interview with The Verge. "I didn’t know the details of the prosecution as well as I do now, but when I heard about it, my first reaction was [that] we need to change the statute that would permit this."
"Most people, when they look at what Aaron did, think it shouldn't be a crime at all, certainly not a felony."
In August of 2011, members of various groups from across the political spectrum including the EFF, the ACLU, and the Heritage Foundation had exactly the same idea. In a letter to Senators Patrick Leahy and Chuck Grassley, they wrote that activities which violate terms of service “should not be “computer crimes,” any more than they are crimes in the physical world.”
If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation). However, if an employee emails that document, there may be a CFAA violation. If a person assumes a fictitious identity at a party, there is no federal crime. Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law.
The CFAA should focus on malicious hacking and identity theft and not on criminalizing any behavior that happens to take place online in violation of terms of service or an acceptable use policy.”
Fakhoury agrees it’s a good time call for CFAA reform, but worries whether the efforts can attract enough support in Congress. He points to a previous attempt by Sen. Patrick Leahy to fix the TOS loophole, which wound up being tied to even higher sentences and the addition of a two-year mandatory minimum.
Since its announcement, copyright reform advocate Lawrence Lessig, Swartz’s former mentor, has thrown his enthusiastic support behind Lofgren’s proposed bill, and others have left feedback and suggestions on ways to refine it.
As for the debate over prosecutorial overreach, Lofgren acknowledges it’s a broader issue that needs attention. But for now, she’s intent on honing in on the more immediate problem, and hopeful that she can gather bipartisan support.
“What I want to do first is address the [CFAA] statute that was used in a way that I think shocked a lot of people,” she says. “Most people, when they look at what Aaron did, think it shouldn't be a crime at all, certainly not a felony and certainly not [carrying] mandatory minimums."