Law Professor and Computer Fraud and Abuse Act expert Orin Kerr wrote today in his usual thorough and well-informed fashion about the legal claims in Aaron Swartz's case. While his analysis of the law is, as usual, spot on, I nevertheless disagree with its treatment of Aaron's case as routine and, by implication, unremarkable. I am in the process of explaining why , but want to address here a few of Orin's arguments.
The indictment against Swartz alleged several different crimes. A bunch of the crimes overlap, but that doesn’t mean that they are really treated separately: At sentencing the general practice is to take the most serious of the crimes as the basis for the sentence and to mostly ignore the rest. But the ordinary practice is to charge all the possible offenses committed in the indictment, even if they overlap, and then let the jury sort them out at trial or else drop some of the charges in a plea deal.
Voluminous, overlapping charges may be typical, but they can give unfair advantage to the prosecution. At trial, each charge is a chance for the prosecution to win. Because defendants are sentenced based on related conduct, even aquitted conduct, the defendant has only one way to win: He must be acquitted on all counts. The more counts, the more changes for the government to win. Furthermore, having a lot of counts bolsters the government's case in front of a lay jury. Jurors tend to infer that the crimes were substantial and voluminous if the indictment is. Orin's conclusion that the charges were within the normal practice also doesn't explains why the prosecution chose to seek a superceding indictment adding more charges right after Aaron refused to plead guilty and right before the trial. (HINT: They do this to coerce a guilty plea.) In sum, many things that were wrong about Aaron's case were also familiar. His death is an opportunity to reexamine business as usual.
Moreover, the fundamental question is why the U.S. Attorney decided to charge this case. Since that decision was a mistake, treating the rest of the case as a serious crime was disproportionate and wrong. The CFAA is shockingly broad. Prosecutors shouldn't file CFAA cases just because they can under existing case law. To the contrary, this is why the CFAA should be amended and narrowed. Treating technically illegal but practically innocuous conduct (JSTOR wasn't interested in pressing charges) as if it were a serious crime is also wrong. It is those combined decisions that Lessig, I and so many others decry, and for which we still have no justification.
Next, Orin says he believes that case law supports the charges against Aaron:
This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions. I don’t see how that is particularly different from using someone else’s password, which is the quintessential access without authorization.
For the reasons, I agreed with Orin that the CFAA could reach Aaron's conduct despite the narrowing principles that Orin fought for in the Lori Drew or Nosal cases, exactly because Aaron circumvented access controls. However, I disagree that all such circumventions ought to trigger CFAA liability, or that Aaron's conduct was like using someone else's password. Using another person's password gets you access to their files. Circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download.