Posted Friday, Feb. 15, 2013, at 4:12 PM
Courtesy of Peretz Partensky/Flickr/Wikimedia Commons
“The Idealist,” my recent Slate profile of programmer and activist Aaron Swartz, who committed suicide on January 11, was already a very, very long story, but I wish I had gone into slightly greater depth about the specifics of some of the charges against Swartz, and whether or not those charges made sense.
Basically, Swartz was accused of illicitly accessing the computer network at the Massachusetts Institute of Technology, and—with the help of a simple computer program he wrote—using that network to download about 4.8 million academic journal articles from a subscription database called JSTOR. In the piece, I wrote that Alex Stamos, an independent expert retained by Swartz’s defense counsel, was prepared to argue that Swartz had tacitly been authorized to access MIT’s “extraordinarily open” computer network. Still, others have argued that, regardless of Stamos’s point, Swartz clearly and willfully violated JSTOR’s terms of service, which prohibited users from downloading with the help of scripts, bots, or other programs. But should this be considered criminal behavior?
The Computer Fraud and Abuse Act (CFAA), under which Swartz was charged, allows for the punishment of anyone who “accesses a protected computer without authorization, or exceeds authorized access,” in order to obtain information from a protected computer, or to fraudulently obtain materials worth more than $5,000. (According to the CFAA, which dates back to 1984, any computer "which is used in or affecting interstate or foreign commerce or communication" qualifies as a protected computer—so, basically, any computer with an Internet connection.) In its terms of service, JSTOR pretty clearly states that users are not authorized to use scripts, spiders, or bots. Yet a relatively recent Ninth Circuit en banc decision ruled that violating computer use policies shouldn't be considered a federal crime.
In his April 10, 2012 opinion in United States v. Nosal, Chief Judge Alex Kozinski of the Ninth Circuit—a childhood hero of Swartz’s—found that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Wrote Kozinski:
Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.
Kozinski seems to be arguing that there’s a substantive difference between scaling a fence marked “No Trespassing” and ignoring the often-dense, legalistic language that appears in a pop-up box at the beginning of a computer session—and that people should not be subject to felony prosecution for those sorts of violations. To me, this is an intuitive and sensible take on this section of the CFAA; Orin Kerr at The Volokh Conspiracy called Kozinski’s opinion “superb and extremely insightful.” There are plenty of serious people who think that America’s computer crime laws are vague, outdated, and unduly harsh; the Nosal decision reads like an important validation of the argument that those laws should be changed.
The Nosal decision wasn’t immediately relevant to Swartz’s case, given that Swartz’s case was not in the Ninth Circuit. (Other circuits have different interpretations of the “exceeds authorized use” provision.) And it would be ridiculous to equate Swartz’s JSTOR stunt with visiting ESPN.com from your work computer (for one thing, visiting ESPN.com doesn’t involve obtaining materials worth over $5,000). But I still think Nosal is interesting, and helpful if you’re simply trying to understand why there’s been so much debate over the Swartz case—and why “he violated JSTOR’s TOS” isn’t the most convincing argument in favor of Swartz’s prosecution.