Over the weekend, I learned that Aaron Swartz had taken his own life. I cried, and am still crying, for him, his family, for the close friends who loved him, and for our community. We lost a rare and special person, one who did so much in his short life to make the world a better place. Any do-gooder, including myself, could be proud were we to accomplish as much. We don't know what else he would have acheived were he to have lived. But I admit that I also cried for myself, because I felt guilty that I didn't do more to help Aaron in his criminal case. This post is about part of that challenge, the challenge to improve computer crime laws, and the criminal justice system more generally. Hopefully in the end, there'll be something that I, and you, can do about it.
[Spoiler alert: This is very long, and will be at least two parts. This is Part One]
I was a criminal defense attorney for nine years, before I started working full time on Internet law issues in 2001. I represented people charged with all kinds of crimes, including computer crimes, in federal and state court. I left that work for a lot of reasons, but in part, I found it grueling and insufficiently rewarding. Once, at a federal defender conference, someone was giving a speech addressing attrition in the field. He said that there were three kinds of people who got into criminal defense. First, there are those who care about people, especially the underprivileged, and want to help them through the system. Those don't last long. Second, there are those who believe in the Constitution, and want to curb the awesome power the government can otherwise wield over the individual. Those do better, but they don't last long either. And then there are the third kind, those who just want to fuck with a fucked up system. The crowd roared its approval. I turn out to be Type 2. And so eventually, I left for a field where, in 2001, I felt the law was more wide open, and thus more amenable to positive change.
A SHORT HISTORY OF THE CFAA
As a former criminal defense lawyer, the Computer Fraud and Abuse Act (CFAA), the law under which Aaron was charged, is one of my biggest concerns. The statute basically outlaws accessing a computer without authorization, or in excess of authorization. In a networked environment, the boundaries between machines are porous and appropriate uses are cultural, subtle, subject to interpretation. In the law, the boundaries are bright, and the CFAA polices them under penalty of law. Since every communication with a computer is access, the distinguishing line between legal and prison is the ephemeral concept of "authorization". "Authorization" is in the eye of the beholder. Desired uses of systems can be expressed in terms of service, clickthrough notices, (sometimes competing) cultural expectations, technological protection measures, employment contracts, or cease and desist letters. Yet outside of the computer context, disregarding any of these things is generally not a crime. It may not even be a civil offense. "Authorization" gives great power to the computer system owner. That entity may unilaterally decide what is right and wrong on their system, and the CFAA brings the full force of federal law behind it. Yet outside of the computer context, crimes punish social wrongs, not merely offenses to personal or business preferences.
Another way of looking at the CFAA, is that it protects the box, regardless of other social values or laws regarding the information residing there. Our laws try to balance the protection of information with other social goods, including freedom of expression and the public's right to know. So copyright is conditioned by fair use. Trade secrets are specifically defined and only protected against misappropriation. Classified information must be marked, and there is a cultural and legal history that enables news organizations and journalists who report on such issues to continue to operate. The CFAA doesn't care about any of that nuance. There's a bright line protecting the box, and even otherwise public data stored on the box is thereby subject to the system owner's control.
That concept of punishing access in excess of authorization lead to some relatively early civil cases that were potentially very dangerous to innovation and consumer interests, including lawsuits against companies that aggregated pricing data (American Airlines v. Farechase, eBay v. Bidder's Edge), used Whois to generate business leads (Register.com v. Verio), or identifying metatags on a site in order to better market a competing service to the same set of potential customers (Oyster Software v. Forms Processing). These cases were not brought under the CFAA, but under a resurrected version of the tort of trespass to chattels. Of course, the tort doesn't carry criminal penalties. Nevertheless, it fell out of favor with potential plaintiffs in 2003, when the California Supreme Court ruled in Intel v. Hamidi that the tort required a showing of damage or impairment to the targeted computer system.
The CFAA specifically allows civil suits for violations of some of its provisions, and Plaintiffs have increasingly used the CFAA and its state corrollaries, rather than trespass to chattels, to stop data aggregation for similar anti-competitive purposes (Facebook v. Power Ventures) and also in employment disputes to inhibit employees planning to leave from taking advantage of their computer rights to position themselves for competitors. These uses have been embraced by courts. For example, in International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit held that an employee who uses a company computer disloyally, i.e. contrary to the employer’s interest,violates the CFAA. Take that, all you people who look for a new job while you are at your old job.
In 2001, early in this history, I was on KQED's Forum program with Chris Painter, who I believe was then at the Computer Crime and Intellectual Property Section (CCIPS) in the U.S. Department of Justice. During the debate, I complained about the breadth of the computer crime laws and I remember Painter saying that even though civil plaintiffs were urging an expansive interpretation of the CFAA and courts were embracing those arguments where monetary harm was at stake, that the Department of Justice would not exercise its discretion to use the CFAA to put people in prison for such borderline kinds of activities. At the time, I could not point to a contrary example.
Chris Painter doesn't work at CCIPS anymore. And today, I have many such examples of borderline prosecutions involving broad interpretations of the statute, including Aaron's case, and the successful Auernheimer prosecution for conspiracy to violate the CFAA. Most notably from a legal precident perspective, the Ninth Circuit relatively recently rejected CFAA prosecutions in United States v. Lori Drew and in United States v. Nosal.
In Drew the government argued that the defendant's use of MySpace was without authorization because she violated the social network's terms of service in setting up a pseudonymous account. The account was used to harass a girl who subsequently committed suicide, but the harassment did not rise to criminal levels under state law, which is why the prosecutors wanted to bring the federal case. [Its interesting now to reread the prosecutor's statements in the Drew case, blaming the defendant there for the child's suicide, next to the apologia we are now seeing online from some current and former DOJ employess who I suppose are simply inured to miscarriages of justice such as those we see in Aaron's case. Guys, guess what? We don't have to prove that your prosecution was the but for cause of Aaron's suicide in order for some critical thinking about the justice of the case to be in order here.] In Nosal, the government prosecuted a man who went to work for a competitor and got some of his old colleagues to send him source lists, client data, and contact information from his former employer. The DOJ argued that violating a workplace computer use policy "exceeded authorization" and amounted to a crime. The Ninth Circuit disagreed.
EFFORTS TO IMPROVE THE CFAA
There is a circuit split, with the Fifth, Seventh, and Eleventh circuits adopting a broad interpretation of the statute, finding that an individual accesses a computer “without authorization” or in excess of his authority when the employee acquires an interest adverse to his employer or breaches a duty of loyalty, and the Fourth and Ninth Circuits (in Drew and Nosal, for example) reading the statute to exclude such cases. One area for advocacy could be in the Supreme Court, should the issue ever get there. If it does, you can be sure that the facts will be very ugly, as the government will get to decide which case it uses as the vehicle to see such review.
Alternatively, there could be a statutory fix. Through various vehicles, Senator Patrick Leahy (D-Vt) has been pushing an amendment to the CFAA that would make clear that TOS violations and employee misconduct are not CFAA crimes. The Justice Department opposes that change and the cause is currently moribund. Statutory amendment along this line could fix what has come to be known as the "Lori Drew problem". Another area for advocacy would be to come up with good language for this amendment and to explain to policy makers why it is important.
How should a principled line between lawful and criminal access to computers be defined? Certainly TOS violations and disloyalty are beyond the pale. Scholars and others have proposed looking to whether the alleged attacker merely used the target computer, or somehow circumvented a technological security measure put in the place to control system access. The most complete expression of this proposal is Orin Kerr's article "Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes", accessible from SSRN. Without question, this would be better than what we have now.
However, even requiring circumvention of a code based restriction on computer access or use puts too much power in the hands of the computer owner to define social good, with the force of criminal law behind it. Such a rule probably would not have protected Aaron from prosecution. This is an additonal area for advocacy. We need more scholarly work in this area.
Prosecutorial discretion is both a blessing and a curse. Its a blessing when, for example, someone breaks the law but does so because they are hungry, or young, or addicted and they need another chance. Its a curse when, for example, laws are written to encompass all kinds of every day behavior, and the government can pick and choose its defendants based on whether they are political rivals, activists, assholes or some other anti-social but lawful behavior.
In 2003, I appealed the conviction of security researcher Bret McDanel, who pointed out a flaw in his former employer's messaging service in 2001. He emailed the customers directing them to a webpage explaining how the flaw worked and how the privacy of their messages could be compromised. The government successfully argued at trial that McDanel accessed the system unlawfully by emailing customers via the service, and impaired the integrity of that messaging system by informing customers about the security flaw. Outsiders could potentially access the system, and current customers were upset. The company therefore had to correct the flaw that McDanel revealed. Because fixing that preexisting problem cost money, the government argued that McDanel caused loss to his former employer. It was a bench trial, and the judge agreed.
There were other chilling aspects to Bret's case. First, Bret spent a good portion of the pendancy of his case in custody. I did not represent him then, and I can't remember the details now, but I believe he had violated the conditions of his release in some way and had bail set, bail he could not meet. When I took on the case, he was imprisoned while he waited for sentencing (16 months), while we waited for the transcript to be prepared, while I wrote the appeal, and while we gave DOJ some time to consult internally. Bret served his entire sentence, even though he was innocent.
Relatedly, the government used all its resources to try to force Bret to plead guilty. While he was in custody on the Central District case, the government indicted him in New Jersey for a much earlier incident involving a different employer that the FBI had investigated and taken no action on. I don't remember how explicit the threat was, again because I didn't represent him in the trial court. But he was "arrested" for the New Jersey case a few weeks before his California trial began, and the indictment was filed after his conviction while his motion for acquittal was pending and after he made clear that he was going to appeal. I know the government wanted him to plead in the California case and I know that resolution of the New Jersey charges were part of the deal. Bret did not plead. We are still friends and I hope he's honored when I say it was because he's a stubborn son of a bitch and he knew he was right. Of course, we won the California case, and the government gave him probation in the bullshit New Jersey case. But not everyone is a tough as Bret.
I must also add that the government argued at trial that Bret had criminal intent because he was a hacker and we know he was a hacker because he was wearing a Defcon tee shirt when he was arrested.
To my mind, the government's case in McDanel was not plausable. It should have been obvious that the conviction was improper. Either prosecutors were misinterpreting the CFAA, or the CFAA violated the First Amendment. The DOJ admitted as much on appeal when it declined to oppose my application to vacate the conviction. But educated prosecutors brought the case and a federal court judge bought it. Nothing in the statute was an obstacle to McDanel's conviction.
Cybercrime is a serious problem. National security and economic interests, not to mention privacy and fraud prevention, are at stake. But those very real problems, the rhetoric associated with them, and the financial resources that follow, have been used to justify a legal regime which as often than not is used against whistleblowers, disloyal employees, and activists. Moreover, prosecutorial discretion is structured by various incentives. These include office culture, office policies, training, internal and external oversight, public oversight via data collection and information sharing, defining metrics for office and individual performance evaluation. Governments are putting increasing resources into establishing cybercrime divisions and training investigators and prosecutors. If money, prestige and jobs are going to go to the offices that get the most cybercrime convictions, we aren't going to get what we are paying for. We need more data and scholorship here. We need to figure out why US Attorney's Offices, and Massachusetts, New Jersey and the Central District of California in particular, are pursuing so many troubling cases.
CRIMINAL JUSTICE MORE BROADLY
The CFAA is not the only broad statute that lends itself to prosecutorial overreaching. Our drug laws are notoriously broad, if only because they prohibit activities most of us have participated in at one point or another in our lives. (Marijuana smoking, anyone?) Those harse laws have incentivized young people to work off their potentially devestating sentences as undercover operatives in law enforcement efforts to catch bigger fish in the drug dealing food chain, sometimes with tragic consequences. They have also been instrumental in incarcerating historic numbers of African Americans. See Alexander, Michelle, The New Jim Crow: Mass Incarceration in the Age of Colorblindness.
Harvey Silverglate, a renowned criminal defense attorney who works in the District of Massachusetts, where Aaron was being prosecuted, can plausably claim in his book "Three Felonies A Day" that "citizens from all walks of life -- doctors, accountants, businessmen, political activists, and others -- have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong." Silverglate identifies particular statutes succeptable to such overreaching, but his book also shows via war stories the ways that the progress of criminal cases can push even innocent defendants towards prison, bankruptcy, career ending guilty pleas, or emotional ruin. A short list includes pretrial incarceration, indicting or involving family members or friends in the case, the risk of draconian sentences, and superceding indictments in response to refusals to plead. Some of these tools were used in Aaron's prosecution. Perhaps his case is a window through which this digital community can understand better how broadly broken the criminal justice system is.
I met Aaron when he was a teenager; he was working with my boss Larry Lessig on Creative Commons. I didn't know him very well, though I couldn't but love him. He was a kid, a fascinating, fascinated kid whose heros were people like Ted Nelson (pioneer of computer networking) and Doug Engelbart (inventor of the computer mouse). We knew each other, but were not friends. When he was indicted for the JSTOR downloads, we talked and I recommended defense lawyers to him. A few months ago, we talked again. Aaron wanted to know if I would help his lawyers with the case. I said I didn't know what I could offer, but that I would talk to his attorney, and see what I could do. I had one conversation with his second lawyer, Marty Weinberg about the CFAA, and I sent an email to his last lawyer, Elliot Peters, to check in, but that was the extent of my contribution.
Why didn't I do more? I believed then and now that prosecuting Aaron was wrong, and that what he did, while ill-advised, was not a crime. Aaron was allowed to download JSTOR articles for free, both from the MIT network and from his home institution. To my mind, a successful prosecution requires drawing a line between downloading and downloading really, really fast.
The government was aided in making that specious argument by two things. First was atmospherics. Like Bret McDanel's tee shirt, Aaron did something that made him seem guilty to the prosecutor, he hid his computer in a closet and covered his face when he went to retrieve the machine. He also named the computer he was trying to hide Gary Host, or ghost, the mystery machine. Regardless of the the merits of the case, the government could argue that Aaron acted guilty because he was guilty. Evading surveillance is not evidence of guilt, of course, but countering that argument was something that was going to take good old criminal defense advocacy, something that I haven't done for years. Each of the attorneys Aaron selected were well respected. I had nothing to offer there.
The second obstacle was the CFAA itself. Even if the Massachussets court adopted the narrower view propounded by the Ninth Circuit that TOS violations are not crimes, MIT did more than that. According to the indictment, MIT blocked Aaron's laptop's MAC address from the network to stop it from downloading the JSTOR articles. Aaron then spoofed the MAC address to get the machine back on the network, and connected to JSTOR. Even under the superior formulation of the CFAA offered by Orin Kerr, this might be circumvention of a code based restriction on access, enough to bring the case outside of Drew territory and into the statutory prohibitions.
I'm not arguing that changing a MAC address should be a CFAA violation. Aaron was still allowed to use the MIT network, and he was still allowed to access JSTOR. The statute doesn't regulate the means of computer access, nor does it prohibit certain uses of information one is otherwise authorized to obtain. But the government would use these facts to say that Aaron was unauthorized and he knew it. Aaron's lawyers knew all of this already. I didn't want to be presumptuous. I made myself available, I didn't want to second guess, or interfere.
I've been mulling over something danah boyd wrote in her blog post about Aaron, addressing the question of why she hadn't spoken up about Aaron's case before. She said, in part, "I was too scared to speak publicly for fear of how my words might be used against him."
Certainly, talking about a friend's case publicly is dangerous. First, you could be called as a witness. That is an awful thing, for your friends and relatives to be called to testify against you. I advised my clients never to talk to anyone about the case, and certainly not to witnesses. That gives the prosecution an avenue into the defendants state of mind, defense posture, etc. It is completely alienating and depressing when friends are called before a grand jury to testify against you. The reports say that at least two of Aaron's friends were subpoened to testify against him at the trial.
Second, as a defense attorney, I would always ask supporters not to talk publicly about the case. There are so many ways a defense can be derailed and in the typical case you need to control every variable within your abilities. I did not let my client talk to the press, and I did not want friends or witnesses innocently doling out information that could be twisted or misused against my client. Remembering things differently from your friends, contradicting yourself after forgetting or remembering facts over the course of an investigation can all form the basis for obstruction of justice allegations. This is what, for example, Martha Stewart was convicted of when the government failed to prove insider trading.
The second thing danah said was also deeply sad: "And I was too scared to get embroiled in the witch hunt that I’ve watched happen over the last three years. Because it hasn’t been about justice or national security. It’s been about power. And it’s at the heart and soul of why the Obama administration has been a soul crushing disappointment to me. I’ve gotten into a ridiculous number of fights over the last couple of years with folks in the administration over the treatment of geeks and the misunderstanding of hackers, but I could never figure how to make a difference on that front."
In the next installment, I'll address this concern of danah's. I will look at the exercise of state power in Aaron's case, but also how the disproportionate power of the federal government is generally wielded in the criminal justice system against people of color and the poor, even as geeks and hackers have also gotten the brunt of it. My goals here are to (1) explain the criminal law and legal process; (2) identify things we can do right now to help fix the CFAA and (3) to introduce the awesome power of Internet activism to networks of criminal justice activists to start to fix this problem for Americans from all walks of life.
Photo Credit: Sage Ross