Crossroads Blog | Institute National Security and Counterterrorism

EFF, Law, law enforcement

The EFF is Wrong About Aaron Swartz, But Right About the CFAA

A newsletter today from the Electronic Frontier Foundation (EFF) proclaims, “Help us save the next Aaron Swartz.”  But, when you click through to their webpage, Fix the CFAA, most of the criticism is about: “The Justice Department thinks the CFAA [Computer Fraud and Abuse Act, Title 18, United States Code, Section 1030, et seq.] criminalizes violations of website terms of service and employer computer use policies. Don’t let the government turn a private contract into one policed by federal law.”

As Professor Orin Kerr (a highly respected source) points out, the charges are NOT that Mr. Swartz exceeded his authorization to the expensive JSTOR database.  Rather, the charges were that Mr. Swartz tried multiple attempts to download the data from an Institution with which he did not have an account, and ultimately was successful only after physically breaking into a closet in the basement of MIT and connecting directly to MIT’s network while concealing his computer under a box.  Allegedly, he was caught on video tape using a mask to conceal his identity, and he fled when police attempted to stop him.  This is simply not a case, as the EFF puts it, of attempting to impose “criminal penalties for violating a website’s fine print.”

I agree with the EFF that reasonable limits should be placed upon interpreting the law’s prohibition of “unauthorized access or access exceeding authorization” such that violations of obscure user agreements do not become Federal crimes punishable by lengthy imprisonment.  On the other hand, using Aaron Swartz as a cause célèbre for that argument is akin to arguing for lower penalties for unknowing simple trespass because an alleged burglar and large-scale thief sadly committed suicide after being charged for burglary and theft, not simple trespass.  The one just does not follow from the other.

To be fair, here is a response to Orin Kerr from thepublicdomain.org.

The Indictment alleges (meaning that the Grand Jury found probable cause to believe) that Swartz:

“enter[ed] a restricted network interface closet in the basement of MIT’s Building 16, plugging the computer directly into the network, and operating the computer to assign itself two IP addresses. … On January 4, 2011, Swartz entered the restricted basement network wiring closet and replaced an external hard drive attached to the laptop. … On January 6, 2011, Swartz returned to the wiring closet to remove his computer equipment.  This time he attempted to evade identification at the entrance to the restricted area.  Apparently aware of or suspicious of a video camera, as Swartz entered the wiring closet, he held his bicycle helmet like a mask to shield his face, looking through ventilation holes in the helmet.”

Read the whole Indictment for yourself.

My ultimate point is that mixing Aaron Swartz with the effort to amend the CFAA is counterproductive.  Congress is highly unlikely to countenance the conduct the Indictment alleges, so mixing the two reduces the chances of getting much-needed limitations on prosecuting trivial violations of obscure user agreements as serious felonies.  I am encouraging the EFF to continue to fight for “No more criminal penalties for violating a website’s fine print” while ending attempts to convince the world that the Indictment of Aaron Swartz charges something other than very serious criminal behavior.

Leave a Reply

Bitnami