By Jennifer Granick on January 14, 2013 at 4:37 pm
Over the weekend, I learned that Aaron Swartz had taken his own life. I cried, and am still crying, for him, his family, for the close friends who loved him, and for our community. We lost a rare and special person, one who did so much in his short life to make the world a better place. Any do-gooder, including myself, could be proud were we to accomplish as much. We don't know what else he would have acheived were he to have lived. But I admit that I also cried for myself, because I felt guilty that I didn't do more to help Aaron in his criminal case. This post is about part of that challenge, the challenge to improve computer crime laws, and the criminal justice system more generally. Hopefully in the end, there'll be something that I, and you, can do about it.
[Spoiler alert: This is very long, and will be at least two parts. This is Part One]
I was a criminal defense attorney for nine years, before I started working full time on Internet law issues in 2001. I represented people charged with all kinds of crimes, including computer crimes, in federal and state court. I left that work for a lot of reasons, but in part, I found it grueling and insufficiently rewarding. Once, at a federal defender conference, someone was giving a speech addressing attrition in the field. He said that there were three kinds of people who got into criminal defense. First, there are those who care about people, especially the underprivileged, and want to help them through the system. Those don't last long. Second, there are those who believe in the Constitution, and want to curb the awesome power the government can otherwise wield over the individual. Those do better, but they don't last long either. And then there are the third kind, those who just want to fuck with a fucked up system. The crowd roared its approval. I turn out to be Type 2. And so eventually, I left for a field where, in 2001, I felt the law was more wide open, and thus more amenable to positive change.
A SHORT HISTORY OF THE CFAA
As a former criminal defense lawyer, the Computer Fraud and Abuse Act (CFAA), the law under which Aaron was charged, is one of my biggest concerns. The statute basically outlaws accessing a computer without authorization, or in excess of authorization. In a networked environment, the boundaries between machines are porous and appropriate uses are cultural, subtle, subject to interpretation. In the law, the boundaries are bright, and the CFAA polices them under penalty of law. Since every communication with a computer is access, the distinguishing line between legal and prison is the ephemeral concept of "authorization". "Authorization" is in the eye of the beholder. Desired uses of systems can be expressed in terms of service, clickthrough notices, (sometimes competing) cultural expectations, technological protection measures, employment contracts, or cease and desist letters. Yet outside of the computer context, disregarding any of these things is generally not a crime. It may not even be a civil offense. "Authorization" gives great power to the computer system owner. That entity may unilaterally decide what is right and wrong on their system, and the CFAA brings the full force of federal law behind it. Yet outside of the computer context, crimes punish social wrongs, not merely offenses to personal or business preferences.
Another way of looking at the CFAA, is that it protects the box, regardless of other social values or laws regarding the information residing there. Our laws try to balance the protection of information with other social goods, including freedom of expression and the public's right to know. So copyright is conditioned by fair use. Trade secrets are specifically defined and only protected against misappropriation. Classified information must be marked, and there is a cultural and legal history that enables news organizations and journalists who report on such issues to continue to operate. The CFAA doesn't care about any of that nuance. There's a bright line protecting the box, and even otherwise public data stored on the box is thereby subject to the system owner's control.
That concept of punishing access in excess of authorization lead to some relatively early civil cases that were potentially very dangerous to innovation and consumer interests, including lawsuits against companies that aggregated pricing data (American Airlines v. Farechase, eBay v. Bidder's Edge), used Whois to generate business leads (Register.com v. Verio), or identifying metatags on a site in order to better market a competing service to the same set of potential customers (Oyster Software v. Forms Processing). These cases were not brought under the CFAA, but under a resurrected version of the tort of trespass to chattels. Of course, the tort doesn't carry criminal penalties. Nevertheless, it fell out of favor with potential plaintiffs in 2003, when the California Supreme Court ruled in Intel v. Hamidi that the tort required a showing of damage or impairment to the targeted computer system.
The CFAA specifically allows civil suits for violations of some of its provisions, and Plaintiffs have increasingly used the CFAA and its state corrollaries, rather than trespass to chattels, to stop data aggregation for similar anti-competitive purposes (Facebook v. Power Ventures) and also in employment disputes to inhibit employees planning to leave from taking advantage of their computer rights to position themselves for competitors. These uses have been embraced by courts. For example, in International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit held that an employee who uses a company computer disloyally, i.e. contrary to the employer’s interest,violates the CFAA. Take that, all you people who look for a new job while you are at your old job.
In 2001, early in this history, I was on KQED's Forum program with Chris Painter, who I believe was then at the Computer Crime and Intellectual Property Section (CCIPS) in the U.S. Department of Justice. During the debate, I complained about the breadth of the computer crime laws and I remember Painter saying that even though civil plaintiffs were urging an expansive interpretation of the CFAA and courts were embracing those arguments where monetary harm was at stake, that the Department of Justice would not exercise its discretion to use the CFAA to put people in prison for such borderline kinds of activities. At the time, I could not point to a contrary example.
Chris Painter doesn't work at CCIPS anymore. And today, I have many such examples of borderline prosecutions involving broad interpretations of the statute, including Aaron's case, and the successful Auernheimer prosecution for conspiracy to violate the CFAA. Most notably from a legal precident perspective, the Ninth Circuit relatively recently rejected CFAA prosecutions in United States v. Lori Drew and in United States v. Nosal.
In Drew the government argued that the defendant's use of MySpace was without authorization because she violated the social network's terms of service in setting up a pseudonymous account. The account was used to harass a girl who subsequently committed suicide, but the harassment did not rise to criminal levels under state law, which is why the prosecutors wanted to bring the federal case. [Its interesting now to reread the prosecutor's statements in the Drew case, blaming the defendant there for the child's suicide, next to the apologia we are now seeing online from some current and former DOJ employess who I suppose are simply inured to miscarriages of justice such as those we see in Aaron's case. Guys, guess what? We don't have to prove that your prosecution was the but for cause of Aaron's suicide in order for some critical thinking about the justice of the case to be in order here.] In Nosal, the government prosecuted a man who went to work for a competitor and got some of his old colleagues to send him source lists, client data, and contact information from his former employer. The DOJ argued that violating a workplace computer use policy "exceeded authorization" and amounted to a crime. The Ninth Circuit disagreed.
EFFORTS TO IMPROVE THE CFAA
There is a circuit split, with the Fifth, Seventh, and Eleventh circuits adopting a broad interpretation of the statute, finding that an individual accesses a computer “without authorization” or in excess of his authority when the employee acquires an interest adverse to his employer or breaches a duty of loyalty, and the Fourth and Ninth Circuits (in Drew and Nosal, for example) reading the statute to exclude such cases. One area for advocacy could be in the Supreme Court, should the issue ever get there. If it does, you can be sure that the facts will be very ugly, as the government will get to decide which case it uses as the vehicle to see such review.
Alternatively, there could be a statutory fix. Through various vehicles, Senator Patrick Leahy (D-Vt) has been pushing an amendment to the CFAA that would make clear that TOS violations and employee misconduct are not CFAA crimes. The Justice Department opposes that change and the cause is currently moribund. Statutory amendment along this line could fix what has come to be known as the "Lori Drew problem". Another area for advocacy would be to come up with good language for this amendment and to explain to policy makers why it is important.
How should a principled line between lawful and criminal access to computers be defined? Certainly TOS violations and disloyalty are beyond the pale. Scholars and others have proposed looking to whether the alleged attacker merely used the target computer, or somehow circumvented a technological security measure put in the place to control system access. The most complete expression of this proposal is Orin Kerr's article "Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes", accessible from SSRN. Without question, this would be better than what we have now.
However, even requiring circumvention of a code based restriction on computer access or use puts too much power in the hands of the computer owner to define social good, with the force of criminal law behind it. Such a rule probably would not have protected Aaron from prosecution. This is an additonal area for advocacy. We need more scholarly work in this area.
Prosecutorial discretion is both a blessing and a curse. Its a blessing when, for example, someone breaks the law but does so because they are hungry, or young, or addicted and they need another chance. Its a curse when, for example, laws are written to encompass all kinds of every day behavior, and the government can pick and choose its defendants based on whether they are political rivals, activists, assholes or some other anti-social but lawful behavior.
In 2003, I appealed the conviction of security researcher Bret McDanel, who pointed out a flaw in his former employer's messaging service in 2001. He emailed the customers directing them to a webpage explaining how the flaw worked and how the privacy of their messages could be compromised. The government successfully argued at trial that McDanel accessed the system unlawfully by emailing customers via the service, and impaired the integrity of that messaging system by informing customers about the security flaw. Outsiders could potentially access the system, and current customers were upset. The company therefore had to correct the flaw that McDanel revealed. Because fixing that preexisting problem cost money, the government argued that McDanel caused loss to his former employer. It was a bench trial, and the judge agreed.
There were other chilling aspects to Bret's case. First, Bret spent a good portion of the pendancy of his case in custody. I did not represent him then, and I can't remember the details now, but I believe he had violated the conditions of his release in some way and had bail set, bail he could not meet. When I took on the case, he was imprisoned while he waited for sentencing (16 months), while we waited for the transcript to be prepared, while I wrote the appeal, and while we gave DOJ some time to consult internally. Bret served his entire sentence, even though he was innocent.
Relatedly, the government used all its resources to try to force Bret to plead guilty. While he was in custody on the Central District case, the government indicted him in New Jersey for a much earlier incident involving a different employer that the FBI had investigated and taken no action on. I don't remember how explicit the threat was, again because I didn't represent him in the trial court. But he was "arrested" for the New Jersey case a few weeks before his California trial began, and the indictment was filed after his conviction while his motion for acquittal was pending and after he made clear that he was going to appeal. I know the government wanted him to plead in the California case and I know that resolution of the New Jersey charges were part of the deal. Bret did not plead. We are still friends and I hope he's honored when I say it was because he's a stubborn son of a bitch and he knew he was right. Of course, we won the California case, and the government gave him probation in the bullshit New Jersey case. But not everyone is a tough as Bret.
I must also add that the government argued at trial that Bret had criminal intent because he was a hacker and we know he was a hacker because he was wearing a Defcon tee shirt when he was arrested.
To my mind, the government's case in McDanel was not plausable. It should have been obvious that the conviction was improper. Either prosecutors were misinterpreting the CFAA, or the CFAA violated the First Amendment. The DOJ admitted as much on appeal when it declined to oppose my application to vacate the conviction. But educated prosecutors brought the case and a federal court judge bought it. Nothing in the statute was an obstacle to McDanel's conviction.
Cybercrime is a serious problem. National security and economic interests, not to mention privacy and fraud prevention, are at stake. But those very real problems, the rhetoric associated with them, and the financial resources that follow, have been used to justify a legal regime which as often than not is used against whistleblowers, disloyal employees, and activists. Moreover, prosecutorial discretion is structured by various incentives. These include office culture, office policies, training, internal and external oversight, public oversight via data collection and information sharing, defining metrics for office and individual performance evaluation. Governments are putting increasing resources into establishing cybercrime divisions and training investigators and prosecutors. If money, prestige and jobs are going to go to the offices that get the most cybercrime convictions, we aren't going to get what we are paying for. We need more data and scholorship here. We need to figure out why US Attorney's Offices, and Massachusetts, New Jersey and the Central District of California in particular, are pursuing so many troubling cases.
CRIMINAL JUSTICE MORE BROADLY
The CFAA is not the only broad statute that lends itself to prosecutorial overreaching. Our drug laws are notoriously broad, if only because they prohibit activities most of us have participated in at one point or another in our lives. (Marijuana smoking, anyone?) Those harse laws have incentivized young people to work off their potentially devestating sentences as undercover operatives in law enforcement efforts to catch bigger fish in the drug dealing food chain, sometimes with tragic consequences. They have also been instrumental in incarcerating historic numbers of African Americans. See Alexander, Michelle, The New Jim Crow: Mass Incarceration in the Age of Colorblindness.
Harvey Silverglate, a renowned criminal defense attorney who works in the District of Massachusetts, where Aaron was being prosecuted, can plausably claim in his book "Three Felonies A Day" that "citizens from all walks of life -- doctors, accountants, businessmen, political activists, and others -- have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong." Silverglate identifies particular statutes succeptable to such overreaching, but his book also shows via war stories the ways that the progress of criminal cases can push even innocent defendants towards prison, bankruptcy, career ending guilty pleas, or emotional ruin. A short list includes pretrial incarceration, indicting or involving family members or friends in the case, the risk of draconian sentences, and superceding indictments in response to refusals to plead. Some of these tools were used in Aaron's prosecution. Perhaps his case is a window through which this digital community can understand better how broadly broken the criminal justice system is.
I met Aaron when he was a teenager; he was working with my boss Larry Lessig on Creative Commons. I didn't know him very well, though I couldn't but love him. He was a kid, a fascinating, fascinated kid whose heros were people like Ted Nelson (pioneer of computer networking) and Doug Engelbart (inventor of the computer mouse). We knew each other, but were not friends. When he was indicted for the JSTOR downloads, we talked and I recommended defense lawyers to him. A few months ago, we talked again. Aaron wanted to know if I would help his lawyers with the case. I said I didn't know what I could offer, but that I would talk to his attorney, and see what I could do. I had one conversation with his second lawyer, Marty Weinberg about the CFAA, and I sent an email to his last lawyer, Elliot Peters, to check in, but that was the extent of my contribution.
Why didn't I do more? I believed then and now that prosecuting Aaron was wrong, and that what he did, while ill-advised, was not a crime. Aaron was allowed to download JSTOR articles for free, both from the MIT network and from his home institution. To my mind, a successful prosecution requires drawing a line between downloading and downloading really, really fast.
The government was aided in making that specious argument by two things. First was atmospherics. Like Bret McDanel's tee shirt, Aaron did something that made him seem guilty to the prosecutor, he hid his computer in a closet and covered his face when he went to retrieve the machine. He also named the computer he was trying to hide Gary Host, or ghost, the mystery machine. Regardless of the the merits of the case, the government could argue that Aaron acted guilty because he was guilty. Evading surveillance is not evidence of guilt, of course, but countering that argument was something that was going to take good old criminal defense advocacy, something that I haven't done for years. Each of the attorneys Aaron selected were well respected. I had nothing to offer there.
The second obstacle was the CFAA itself. Even if the Massachussets court adopted the narrower view propounded by the Ninth Circuit that TOS violations are not crimes, MIT did more than that. According to the indictment, MIT blocked Aaron's laptop's MAC address from the network to stop it from downloading the JSTOR articles. Aaron then spoofed the MAC address to get the machine back on the network, and connected to JSTOR. Even under the superior formulation of the CFAA offered by Orin Kerr, this might be circumvention of a code based restriction on access, enough to bring the case outside of Drew territory and into the statutory prohibitions.
I'm not arguing that changing a MAC address should be a CFAA violation. Aaron was still allowed to use the MIT network, and he was still allowed to access JSTOR. The statute doesn't regulate the means of computer access, nor does it prohibit certain uses of information one is otherwise authorized to obtain. But the government would use these facts to say that Aaron was unauthorized and he knew it. Aaron's lawyers knew all of this already. I didn't want to be presumptuous. I made myself available, I didn't want to second guess, or interfere.
I've been mulling over something danah boyd wrote in her blog post about Aaron, addressing the question of why she hadn't spoken up about Aaron's case before. She said, in part, "I was too scared to speak publicly for fear of how my words might be used against him."
Certainly, talking about a friend's case publicly is dangerous. First, you could be called as a witness. That is an awful thing, for your friends and relatives to be called to testify against you. I advised my clients never to talk to anyone about the case, and certainly not to witnesses. That gives the prosecution an avenue into the defendants state of mind, defense posture, etc. It is completely alienating and depressing when friends are called before a grand jury to testify against you. The reports say that at least two of Aaron's friends were subpoened to testify against him at the trial.
Second, as a defense attorney, I would always ask supporters not to talk publicly about the case. There are so many ways a defense can be derailed and in the typical case you need to control every variable within your abilities. I did not let my client talk to the press, and I did not want friends or witnesses innocently doling out information that could be twisted or misused against my client. Remembering things differently from your friends, contradicting yourself after forgetting or remembering facts over the course of an investigation can all form the basis for obstruction of justice allegations. This is what, for example, Martha Stewart was convicted of when the government failed to prove insider trading.
The second thing danah said was also deeply sad: "And I was too scared to get embroiled in the witch hunt that I’ve watched happen over the last three years. Because it hasn’t been about justice or national security. It’s been about power. And it’s at the heart and soul of why the Obama administration has been a soul crushing disappointment to me. I’ve gotten into a ridiculous number of fights over the last couple of years with folks in the administration over the treatment of geeks and the misunderstanding of hackers, but I could never figure how to make a difference on that front."
In the next installment, I'll address this concern of danah's. I will look at the exercise of state power in Aaron's case, but also how the disproportionate power of the federal government is generally wielded in the criminal justice system against people of color and the poor, even as geeks and hackers have also gotten the brunt of it. My goals here are to (1) explain the criminal law and legal process; (2) identify things we can do right now to help fix the CFAA and (3) to introduce the awesome power of Internet activism to networks of criminal justice activists to start to fix this problem for Americans from all walks of life.
Continue to Towards Learning from Losing Aaron Swartz: Part 2
Photo Credit: Sage Ross
Clifford Hayden January 16, 2013 at 7:27 pmPermalink
This article is very impressive in its analysis of the problem and parallels my more intuitive views of where activism needs to be directed in the future. It is clear that there is a massive amount of injustice in the criminal justice system, implemented by means of what are commonly called bullying tactics. What clearly is needed is a check on the unbridled power of the prosecutor to push innocents into convictions. I look forward to part two.
public_servant_watch January 15, 2013 at 10:24 pmPermalink
Not only does the US Attorney hold responsibility for Aaron's death but you can bet she was pressured by the Administrative Offices of the US Courts to go after Aaron because he messed with their precious corrupt PACER System. Aaron was part of the movement that wanted access to court documents free to everyone; access to court documents means more than an opinion rendered by the court (sometimes rendered by the court). NOW THERE IS THE PROBLEM - how soon would the world be aware of the number of fraudulent documents that are routinely entered into PACER by corrupt court staff, and yes, corrupt judges with world-wide free access to ALL federal court documents? How soon would it be before the world became aware that the US Courts are not about truth and justice but simply a huge racketeering enterprise set up to pad the pockets of select "elite" attorneys? Publishing for view the corrupt decisions that come from these courts on justia.com without access to the documents filed by the parties is a huge scam promoted and protected by the US Courts. The fact that the tax payer has to support these criminals while they pull off the largest dishonest service fraud scheme the US has ever seen is more than clearly a good reason to torture this young man. All of you on 1 Court House Way and all of you working and providing dishonest service in the US Courts throughout this country are sick psychopaths and you all belong in prison! I say all because those not directly involved aid and abet; cover-up and protection of those working in these courts who routinely deprive rights to rob life, liberty and property is routine by court staff, the US Marshal and the Clerks of the Courts. These corrupt tax paid scum are in fact domestic terrorist who have delegitimized an entire Branch of OUR Government!!! PACER gives free access to judicial opinions, and citizens don't have to pay if they look at less than $10 worth of filings during the billing quarter; BIG FREAKING DEAL---THEY LET YOU READ FOR FREE THEIR CORRUPT DECISIONS!!!! So let's RECAP on the corrupt and make public access to ALL COURT RECORDS fly full force. I find it interesting that when I first had access to file in the electronic filing system the very first page I accessed had a warning not to use the RECAP system. So in actuality Carmen Ortiz not only needs to be removed from office but she belongs in front of a Grand Jury along with the entire 1 Court House Way crowd.
David Booth January 15, 2013 at 7:23 pmPermalink
What Aaron *intended* to do with those articles does not matter, because he had not actually *done* anything with them. Regardless of what he may have initially intended, he could have changed his mind or been persuaded not to do anything with them before he actually did anything. The fact that he chose to download them via the MIT network instead the Harvard network is irrelevant, because HE HAD LEGAL ACCESS TO THOSE JSTOR ARTICLES through his Harvard affiliation.
Scott January 15, 2013 at 6:48 pmPermalink
@Sandy Thatcher, you ask what purpose other than illegal distribution as the prosecutor accuses Swartz may have intended for the JSTOR articles which he downloaded at MIT, something he was entitled to legally do as a visitor.
In 2008, Swartz worked with Shireen A. Barday to download and analyze 441,170 law review articles to determine the source of their funding. The results were published in Stanford Law Review. They found systematic corruption of big money on vast stretches of american organizations, institutions and the media. Because of this work, Swartz was hired as a fellow to do further research in analyzing large datasets to find corruption, as a Fellow at the Harvard Ethics Center Lab on Institutional Corruption. It was this position he had when he acquired the JSTOR articles. It is exceptionally likely that he was acquiring the papers, legally, for his own research into corruption, which was his job at the time he downloaded them. It is far less likely he intended to do something illegal with them, that is a just-so story the prosecution has been pushing, along with various powers-that-be who are seriously concerned about the sorts of corruption that Swartz was discovering using the analysis methods he devised. Looking at Swartz's history, he has no history of criminal acts and was always careful to make sure that the things he did were not illegal. When he went to a courthouse and liberated courthouse documents from PACER for example, he did it in a way that was found to be completely legal and the FBI was not able to prosecute him after carefully examining the case. Those courthouse documents were 100% in the public domain. Most of the JSTOR cache was not in the public domain. For him to just steal documents and upload them, which would in fact be clearly illegal, is not consistent with his pattern of doing things.
Sandy Thatcher January 15, 2013 at 1:29 pmPermalink
Can it be truthfully said that Swartz had no intention of doing anything with those JSTOR articles but using them himself? I thought his whole aim was to "liberate" such products of scholarship from the shackles of copyright law by posting them to the open Internet. If that is what his goal was, then it was a crime, as defined by the NET Act of 1997, which was passed specifically to address the situation when the actor does not commit his act in the pursuit of personal financial gain. So, why wasn't he prosecuted under that law? His act would not have been a victimless crime either: among those who would have been hurt are the university presses that publish much of what is contained in JSTOR and those authors who share 50/50 in any reprints or coursepack uses of such articles. Did Swartz want to hurt these institutions and people? Probably not intentionally, but that is what his act would have accomplished. I support open access too, but question the methods Swartz used in pursuit of this goal.
Yves Smith January 16, 2013 at 3:07 amPermalink
I can't believe you are making this argument. It is fascist thinking.
Intent and action are two different things. Is saying you intend to quit your job quitting your job? Is saying you intend to lose 20 pounds losing 20 pounds? Is saying you intend to have an affair with your neighbors wife the same as getting her to sleep with you? Is saying you plan to take a gun through the TSA scanners the same as actually doing it?
There is no crime if there is no criminal action. And as various experts have indicated, what Swartz did was taking advantage of JSTOR and MIT policies. The worst thing he did was spoof a MAC address. If that's a crime, every semi computer literate person in the US is a criminal.
The fact that you can't see the distinction is stunning.
N/A January 15, 2013 at 10:41 pmPermalink
What makes you think that authors share 50/50 in reprints? I've authored academic papers, for conferences hosted by ACM, IEEE and the like. They charge money if people want to read my papers, but I don't get a single cent. I have to sign away copyright if I want to see my paper published at conference or in a journal. JSTOR maybe sharing revenue with publishers, but I doubt any of the academic authors who did the actual work are seeing any revenue.
Anonymous2 January 15, 2013 at 6:34 pmPermalink
Sandy, it is speculation regarding what Aaron might've done with the articles. It may even have been legal for him to post the public domain ones. But in the end he decided not to post any of them.
Add new comment