The prosecutors also made more technical claims that Aaron registered as a guest on the MIT network under a pseudonym, bypassed IP blocks, and spoofed his laptop's MAC address to avoid detection on the MIT network. Respected information security expert Alex Stamos, who would have testified at trial, has debunked the idea that these practices amounted to the grim hacking scheme suggested by the government, especially because MIT purposely maintains an open network. Stamos concluded:
Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
The Justice Department's press release announcing Aaron's indictment suggests the true motivation for pursuing the case was that Aaron downloaded academic literature from JSTOR and planned to make it available to the public for free as a political statement about access to knowledge. According to United States Attorney Carmen M. Ortiz, “Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.” And the CFAA's vague language and broad reach helped to give the government the means to bring a criminal prosecution, even though the situation would have been better resolved privately among Aaron, JSTOR, and MIT.
It's time for Congress to amend the CFAA to clarify what counts as access "without authorization" and what doesn't. This will help ensure prosecutors can't use the law to bring arbitrary cases against people they simply don't like.
Problem 2: Hacking laws have far too heavy-handed penalties
The penalty scheme for CFAA violations is harsh and disproportionate to the magnitude of offenses. Even first-time offenses for accessing a protected computer "without authorization" can be punishable by up to five years in prison each (10 years for repeat offenses) plus fines. It's worth nothing that five years is a relatively light maximum penalty by CFAA standards; violations of other parts of that law are punishable by up to 10 years, 20 years, and even life in prison.
When Aaron was first indicted on four felony counts, the Justice Department crowed that he was facing 35 years in prison and a $1 million fine. Last fall, the government upped the ante and re-indicted Aaron on 13 counts. Eleven counts were CFAA offenses, some of which were "unauthorized" access claims and some of which were alleged violations of other parts of that law. Each CFAA count was punishable by a maximum of five years of prison time. He was also indicted on two wire fraud counts, each of which carried a maximum of 20 years.
According to the Wall Street Journal, the government indicated shortly before Aaron's death that it "might only seek seven years at trial." That number pales in comparison with what prosecutors could have exercised their discretion to seek, and what the law would have permitted a court to impose. But seven years is still a very long time, and a wholly disproportionate penalty for Aaron's alleged actions.
As if the law's current magnitude of punishment isn't overwhelming enough, Congress has been thinking about beefing up the CFAA, which the Justice Department fully supports (PDF). Both the House and Senate considered legislation last year that would expand the reach of the statute and make its penalties even more severe. These are terrible ideas, especially in light of the "unauthorized" access problem discussed above.
The specter of being incarcerated for years should never have haunted Aaron, but it did. Brilliant, talented, visionary people should be spending their time building our future, not worrying about wasting away in prison. Congress must update the CFAA to ensure the penalties actually make sense in light of the behavior they're meant to punish.
The CFAA's vague language, broad reach, and harsh punishments combine to create a powerful weapon for overeager prosecutors to unleash on people they don't like. Aaron was facing the possibility of decades in prison for accessing the MIT network and downloading academic papers as part of his activism work for open access to knowledge. No prosecutor should have tools to threaten to end someone's freedom for such actions, but the CFAA helped to make that fate a realistic fear for Aaron.
Aaron was a powerful force for change, and he would still be working toward that goal if he were here. His memory should challenge us to make the Internet, the law, and the world better. One place to start is the CFAA.
This article was originally published on the Electronic Frontier Foundation’s website.