Mobile // Mobile Applications
News
1/17/2013
11:08 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Hacking Law Critics Demand Change After Swartz Suicide

Proposed legislation seeks to end felony charges related to 'unauthorized access,' but legal experts say bigger fixes are needed.

In the wake of the suicide of activist Aaron Swartz, numerous legal, privacy, and security experts have demanded that Congress rein in the Computer Fraud and Abuse Act (CFAA) to prevent prosecutors from treating minor crimes as felonies.

"The CFAA's vague language, broad reach, and harsh punishments combine to create a powerful weapon for overeager prosecutors to unleash on people they don't like," said Marcia Hofmann, a senior staff attorney at privacy rights group Electronic Frontier Foundation, in a blog post.

Swartz co-created the RSS 1.0 specification, helped establish Reddit, was widely respected for his campaigning for open access to information, and had long suffered from depression. He also faced a 35-year jail sentence after being arrested in 2011 on hacking charges, for allegedly using the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database.

Swartz, who in 2011 served as a fellow at the Harvard University Safra Center for Ethics, characterized the downloading as an act of civil disobedience, since many of the papers featured on JSTOR stemmed from publicly funded research. Prosecutors, however, charged Swartz with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer, and unauthorized access.

[ For more on Swartz's role in the debate over online content and copyright, see The Crying Need To Punish Cyber Crime Fairly. ]

In response, Rep. Zoe Lofgren (D-Calif.) Tues. proposed legislation that would "exclude certain violations of agreements or contractual obligations" from the CFAA. In effect, her bill would prevent someone from being prosecuted solely for violating a site's acceptable use policy or terms of service agreement.

"The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook," said Lofgren in a Reddit post. "In a single line: no longer would it be a felony to breach a contract."

Would Lofgren's proposed legislation truly reform CFAA? "The Swartz case does point to a serious problem with the Computer Fraud and Abuse Act," said Orin S. Kerr, a professor of law at the George Washington University Law School, in a blog post that recommends specific changes to the CFAA.

But, he said, a fix requires more than altering the "unacceptable access" provisions of CFAA -- which by the way is already likely to happen via a case involving David Nosal being reviewed by the Supreme Court. "The problem raised by the Swartz case is one I've been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly."

Many people have also accused federal prosecutors in the Swartz case of acting inappropriately. "The charges were ridiculous and trumped-up," Rep. Jared Polis (D-Colo.) told The Hill. "It's absurd that he was made a scapegoat. I would hope that this doesn't happen to anyone else."

Furthermore, attorney Lawrence Lessig -- who runs Harvard's Safra Center for Ethics -- said that JSTOR officials requested that the U.S. government not prosecute Swartz. JSTOR likewise released an undated statement noting that Swartz returned all copies of the documents he'd downloaded, and said it had settled any civil claims against him as of June 2011. MIT, however, reportedly declined to request that prosecutors not pursue charges against Swartz, who allegedly accessed JSTOR after breaking into a server closet at MIT, where he wasn't a student.

Federal prosecutors, of course, ultimately did charge Swartz, and said publicly that they planned to press for a seven-year sentence if the case went to trial.

After Swartz's death, his family accused the prosecutors of "intimidation and prosecutorial overreach," saying they'd helped drive him to commit suicide. His family also accused MIT of being complicit in his death. In response, MIT said it would launch an internal investigation into its involvement, and appointed computer science professor Hal Abelson, a founding director of Creative Commons and the Free Software Foundation, to lead the inquiry.

In the wake of a petition filed with the White House that demands her firing, the lead federal prosecutor in Swartz's case, Carmen Ortiz, released a statement Wed. defending her approach. "This office's conduct was appropriate in bringing and handling this case," she said, and noted that because of the nature of Swartz's crimes, prosecutors were seeking "an appropriate sentence that matched the alleged conduct -- a sentence that we would recommend to the judge of six months in a low-security setting."

But prosecutors, using what legal experts have said is standard operating procedure, had been increasing pressure on Swartz to settle. Notably, prosecutors first charged Swartz on four felony counts, which carried a maximum penalty of 35 years in jail and a $1 million fine. Later, however, they filed a superseding indictment adding seven more CFAA felony violations as well as two felony wire-fraud charges, which could have imposed even more jail time, fines and restitution requirements.

Prior to the scheduled April 1 start date for his trial, prosecutors then offered Swartz their deal: plead guilty to all charges, and the jail time will be reduced to serving just six months in a low-security setting.

Some critics of CFAA and of the prosecutors' handling of the case, say that any system -- including current plea-bargaining practices -- that allows prosecutors to threaten an imprisonment of 35 years or more when they see only a six-month incarceration as being commensurate with the crime, is inherently unfair and prone to corruption.

When choosing an endpoint protection product, IT focuses too much on malware detection capabilities and not enough on end users. So instead of building a lab to run three or four endpoint protection products through a gauntlet of malware, get your users in on the decision process. Find out more in the How To Pick Endpoint Protection report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
mgentry300
50%
50%
mgentry300,
User Rank: Apprentice
1/17/2013 | 6:49:18 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
The suicide is unfortunate but it's ridiculous and ignorant to demand that hacking laws should be lessened to prevent accused criminals from committing suicide. There's nothing minor about illegally downloading 4.8 million documents, especially after taking the time to physically access a wiring closet to hack the network.

Look, the Dept of Defense estimates that it endures 400 million cyber-attacks every year. All it takes is a single major attack to succeed. Cyber-threats are much bigger than most people realize, and its effects are greater than 9/11 by several magnitudes.
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Strategist
1/17/2013 | 7:10:50 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
I couldn't agree more. They are taking the public perception that prosecutors just pick people they don't like to file charges against. They can never use this against you if you don't do the crime. Leave it alone. It's more of these idiots who think hacking is romantic that are pushing this. Breaking the law is breaking the law, not matter how "noble" you think your intentions are.
rhovestadt021
50%
50%
rhovestadt021,
User Rank: Apprentice
1/17/2013 | 7:31:29 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
If they go and take the teeth out of the law then they might as well repeal it all together as it will be relatively useless at stopping anyone. As has been said he didn't steal just a few documents, that would be civil disobedience, he stole millions of documents that's a crime plain and simple. A crime that is compounded by the fact that he broke into a Network Closet so he could do so. The only part of this whole thing I disagree with is the DA threatening a long jail term and huge fine, when that is not what they would have requested to begin with. [By the way i also disagree with plea deals as they do not serve the people, but thats a different discussion]. It's time prosecutors, in general, were up front about things, this just makes them look like shysters.
bknabe
50%
50%
bknabe,
User Rank: Apprentice
1/17/2013 | 8:06:25 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
He took the documents and returned them. He didn't distribute them. The prosecutors tried to make an example of him, and it backfired. The whole system is broken, and needs to be changed.

The CFAA is so broad that I doubt anyone reading this article would be safe from prosecution if an agency decided to use it against them.
Leo Regulus
50%
50%
Leo Regulus,
User Rank: Apprentice
1/17/2013 | 8:12:00 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
I'm not sure that we really need to change existing law. I think more that we probably need to look more carefully at its' application. I mean, for example, do Federal Authorities use this much enthusiasm when pursuing persons who have falsified information on required background checks for purchasing a firearm?
Is this pursuit of 'Justice' more powered by outrage of the Egomania of self-important Politicians, Academicians, Business people etc.? People who were nonchalant enough as to leave their stuff out in the street where children could play with it. Now, people seeking revenge.

Is this really anymore than street BULLYING?

Hey, C'mon guys, GROW UP ! We just lost not only one of the more brilliant minds of our time, but also a precious Human Being.

Aaron, I never knew you. By whatever you may have deemed Holy, may you be Blessed.
kharrison212
50%
50%
kharrison212,
User Rank: Apprentice
1/17/2013 | 9:14:32 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
How does one return files stolen from a network? There could be copies and backups all over the place. While JSTOR may be a non profit they do have expenses associated with the content, they also protected their system requiring accounts and passwords to access the data. Did they settle to avoid the public eye or do they really not care if their material is released to the general public with no chance of later recovering it? What would Microsoft do if their MSDN content was stolen, would they accept a disk saying that is all there is. I suspect the Mathworks wouldn't like to have their software stolen either.
Melanie Rodier
50%
50%
Melanie Rodier,
User Rank: Apprentice
1/17/2013 | 9:19:44 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
I agree. Hacking is hacking, as is breaking and entering. It doesn't matter what your goal is, however 'noble' you think it is. The possible jail sentence did seem harsh, particularly given to the often much more lenient sentences dished out to hard criminals. Still, the way the events unfolded is very sad but you can't change a whole law based on this outcome.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Strategist
1/18/2013 | 5:25:48 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
The other question, perhaps more pertinent than complete products off of MSDN, is if academic reports are of any value if they are not publicly available to read? If I publish a report and keep it locked away that noone can see it, who benefits? Only those who fear having their ideas/theories challenged.

It sounds like JSTOR was willing to prosecute if they didn't get them back (perhaps because they did not have backup copies) and once returned it was no longer an issue for them (they settled whether that implies monetary compensation or otherwise). So why prosecute if noone is crying foul? Seems to be a clear case of vendictive bullying of someone not so easily manipulated and that was a source of embarrassment to the rule enforcers. Not to mention it seems the kid lacked a determined support network and that is tragic.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Strategist
1/18/2013 | 7:36:57 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
Good, let's use your B&E offense as comparison. The laws vary state to state but a quick sampling reveals average sentence on first offense (non weapon bearing) to be 6-18 months. With an offensive weapon (gun, knife) then you can go to 5 years. Isn't then 35 years suspiciously harsh to overzealous? I also read it as addressing the verbage of the CFAA which largely targeted federal or financial systems of compelling federal interest and leverages other established laws. The CFAA has since been used for cases of questionable federal interest like the Playstation 3 and schools which spied on their students.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
1/18/2013 | 9:56:16 PM
re: Hacking Law Critics Demand Change After Swartz Suicide
Hacking is hacking. Murder is murder. Theft is theft. That doesn't seem like a very nuanced system of justice. You can change a whole law based on this outcome, and that's exactly what's being proposed.
Page 1 / 2   >   >>
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.