With the CFAA, Law and Justice Are Not The Same: A Response to Orin Kerr

Law Professor and Computer Fraud and Abuse Act expert Orin Kerr wrote today in his usual thorough and well-informed fashion about the legal claims in Aaron Swartz's case.  While his analysis of the law is, as usual, spot on, I nevertheless disagree with its treatment of Aaron's case as routine and, by implication, unremarkable.  I am in the process of explaining why , but want to address here a few of Orin's arguments. 

Orin writes:
The indictment against Swartz alleged several different crimes. A bunch of the crimes overlap, but that doesn’t mean that they are really treated separately: At sentencing the general practice is to take the most serious of the crimes as the basis for the sentence and to mostly ignore the rest. But the ordinary practice is to charge all the possible offenses committed in the indictment, even if they overlap, and then let the jury sort them out at trial or else drop some of the charges in a plea deal.

Voluminous, overlapping charges may be typical, but they can give unfair advantage to the prosecution.  At trial, each charge is a chance for the prosecution to win.  Because defendants are sentenced based on related conduct, even aquitted conduct,  the defendant has only one way to win: He must be acquitted on all counts.  The more counts, the more changes for the government to win. Furthermore, having a lot of counts bolsters the government's case in front of a lay jury.  Jurors tend to infer that the crimes were substantial and voluminous if the indictment is.  Orin's conclusion that the charges were within the normal practice also doesn't explains why the prosecution chose to seek a superceding indictment adding more charges right after Aaron refused to plead guilty and right before the trial. (HINT: They do this to coerce a guilty plea.) In sum, many things that were wrong about Aaron's case were also familiar.  His death is an opportunity to reexamine business as usual.  

Moreover, the fundamental question is why the U.S. Attorney decided to charge this case.  Since that decision was a mistake, treating the rest of the case as a serious crime was disproportionate and wrong. The CFAA is shockingly broad. Prosecutors shouldn't file CFAA cases just because they can under existing case law.  To the contrary, this is why the CFAA should be amended and narrowed.  Treating technically illegal but practically innocuous conduct (JSTOR wasn't interested in pressing charges) as if it were a serious crime is also wrong.  It is those combined decisions that Lessig, I and so many others decry, and for which we still have no justification.

Next, Orin says he believes that case law supports the charges against Aaron:
This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions. I don’t see how that is particularly different from using someone else’s password, which is the quintessential access without authorization.

For the reasons, I agreed with Orin that the CFAA could reach Aaron's conduct despite the narrowing principles that Orin fought for in the Lori Drew or Nosal cases, exactly because Aaron circumvented access controls.  However, I disagree that all such circumventions ought to trigger CFAA liability, or that Aaron's conduct was like using someone else's password.  Using another person's password gets you access to their files.  Circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download. 

 

Comments

While it is technically correct that "circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download.", a far more sinister reason is it got him anonymous access to files that he intended to distribute widely.

While he may have believed that these files should be available in the public domain, he went to great lengths for anonymity, the only reason to do so, it that he was aware of some measure of wrong doing.

IANAL (and it's early) -- if JSTOR and MIT had an agreed up on rate limit for access to JSTOR's files and Aaron's efforts were to get him _fast_ access that he already had been granted, is the better analogy that he was running a privilege escalation exploit and therefore was getting access beyond what was granted? On that basis, isn't he still violating the CFAA?

I'm thinking this more akin to exploiting some kind of QoS code or running a local privilege escalation exploit, rather than breaking or copying someone's password.

Is there any disagreement here? Orin said that the case was complex, so he was going to break it up into two parts - the law and ethics. Then proceeded to discuss only the law. You're in agreement there. Orin has not weighed in about the ethics, but I would not rush to assume that he won't be in agreement with you there as well.

To draw an analogy, Orin was discussing the cudgel that the prosecutor was trying to beat Aaron with while you're pointing out that the prosecutor should not have been trying to beat Aaron with the cudgel. Both points are fair, and both are important.

The internet is full of analysis of the latter, and Orin has promised his opinion on that as well. However the first also matters. If the prosecutor was only holding a floppy fish, Aaron should have little to fear. If the prosecutor is holding a solid piece of oak, Aaron should have a lot to fear.

As a lay person, I'm glad that Orin weighed in with an analysis of the piece of oak the prosecutor held to let me know that Aaron's fears were realistic.

Add new comment