In the first days of January 2011, computer programmer and activist Aaron Swartz plugged a laptop into MIT’s network, logged into a website that allows unlimited downloads to anyone on the MIT network, and began downloading articles from academic journals hosted by the site, JSTOR. Automating the process with “scripts” so he did not have to search and download each article manually, he let his laptop download article after article over the course of several days before coming back to retrieve it.
Then on Jan. 6, Swartz was riding his bicycle when agents of the Secret Service tackled and arrested him for allegedly breaking and entering into the unlocked computer closet on the MIT campus, where he had placed his laptop. Soon he was indicted by the Department of Justice for violating the Computer Fraud and Abuse Act, a criminal statute originally intended to prosecute felony computer hacking, which can now result in a person’s going to prison for failing to abide by a website’s terms of service or end user agreement. A year and a half later, the Justice Department brought even more CFAA-related charges against Swartz—setting him up to serve as many as 35 years behind bars for the alleged crime of downloading academic articles. Five months after that, Swartz committed suicide.
How did legislation intended to stop people from breaking into computer networks come to be used to prosecute people even though it’s unclear what harm has been done? In fact, first-time offenses for accessing a protected computer without sufficient “authorization” can be punishable by up to five years in prison each (10 years for repeat offenses) plus fines. Other CFAA violations are punishable by up to 10 years, 20 years, or even life in prison. Such penalties were a key aspect in the government’s case against Swartz; 11 of 13 crimes he was alleged to have committed were CFAA offenses, for which the government hoped to jail him for 35 years.
Part of the problem is the way the law was written. During the debate over SOPA and PIPA—proposed Internet privacy statutes that most experts agree would have been egregious overreach by the government (and that Swartz was instrumental in stopping)—members of Congress didn’t flatter themselves by demonstrating a high level of computer literacy. CFAA seems to be the result of a similar level of deliberation. It makes it illegal to intentionally access a computer “without authorization” or “in excess of authorization,” yet the meaning of those phrases is the subject of considerable dispute, and the law doesn’t provide much in the way of guidance.
Creative prosecutors have taken advantage of this confusion to bring criminal charges for acts that are more about information accessed in a way other than what was originally intended than they are about any kind of “fraud and abuse.” For instance, in Swartz’s case, his “crime” was having a script download the journal articles rather than sitting there and downloading them one at a time himself. Yet it’s not clear that such automation even violates MIT and JSTOR’s terms of service. As computer expert Alex Stamos describes it: “[Aaron] was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually” in documents revealed during the discovery phase of the government’s case against Swartz.
This vaguely defined law with strict penalties means that an overly ambitious prosecutor can imprison someone for doing things most Internet users consider routine, allowing law enforcement to go after people for violating a contract, even when the violated party isn’t encouraging prosecution. In Swartz’s case, JSTOR did not want to pursue the matter. The Justice Department asserted that his actions constituted a felony.
So the next time you think about
• reading Seventeen magazine even though you are under the age of 18;
• reading The New York Times, the Boston Globe, or NBC News even though you are under the age of 13;
• letting a friend log in to your Pandora account;
• reading NPR.org or CNN.com without your parents’ permission;
• describing your physical appearance inaccurately on Craigslist;
• lying about your age on Facebook; or
• posting impolite comments at NYTimes.com
Because in the country that is supposed to be the beacon of freedom throughout the world, if the wrong prosecutor decides to take up your case, you could go to jail for that.
This article was created in association with the social action campaign for The Internet’s Own Boy, which is being released by TakePart’s parent company, Participant Media, and filmbuff.