In the wake of programmer Aaron Swartz’s suicide, Congress has been considering new amendments limiting criminal sanctions for violating a company’s terms of service. Under the Computer Fraud and Abuse Act (CFAA), exceeding one’s authorization on a protected computer is a federal crime. Prosecutors have attempted to apply that language broadly and aggressively, going so far as to bring charges for jailbreaking a PlayStation 3 and breaching MySpace’s Terms of Service. While appellate courts have reversed such broad interpretations of the CFAA, prosecutors still use the breach of contract theory to threaten harsh prison time.
The CFAA is a federal statute passed in 1986 in an attempt to punish hackers. It criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtains information from [a computer]… which is used in or affect[s] interstate… commerce or communication.” Prosecutors have repeatedly attempted to expand the CFAA to include violations of terms of service or other private agreements. A broad interpretation of “exceeding authorized access” could open the door to felony sentences for merely violating the terms of click-through licenses (e.g., Apple’s Terms and Conditions agreement to which you click “I agree”). While case law has generally established that violating terms and conditions is a civil claim and not a crime, the prosecution against Swartz demonstrates that courts still allow this theory.
Aaron Swartz was a programmer and activist famously involved in the development of Rich Site Summary (RSS), a content subscription tool, and Reddit, a social news site. He was a proponent of free culture, fighting for the use of internet technology to help bring information to the public. In his manifesto, he stated, “sharing isn’t immoral — it’s a moral imperative… We need to take information, wherever it is stored, make our copies and share them with the world.” In accordance with his beliefs, Swartz downloaded documents from JSTOR, a subscription-based online database of academic studies and papers, presumably to repost the database so the public could access the articles for free.
According to his indictment, he downloaded 4.8 million documents (nearly the entire database) from JSTOR under a false account. These downloads allegedly brought down some servers and forced JSTOR to block MIT’s entire computer network from accessing its service for several days. Swartz was charged before any attempt to release the downloaded information. JSTOR decided not to pursue the case after Swartz turned over the downloaded documents. However, federal prosecutors still charged Swartz under the CFAA for accessing JSTOR with a false IP address and violating its terms of service. He faced over 50 years in prison for 13 felony counts, but prosecutors offered a plea agreement of 6 months if he pleaded guilty to all felony charges. Commentators have criticized the prosecutors for the practice of threatening severe sentences in order to coerce a plea agreement.
Swartz opposed the plea agreements, stating that he refused to plead guilty to crimes he was not guilty of. On January 11, 2013, during the course of this prosecution, Swartz committed suicide. Swartz’s family commented: “Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. attorney’s office and at M.I.T. contributed to his death.” Similarly, the hacker community responded (predictably) by hacking federal websites, including replacing the U.S. Sentencing Guidelines website with the message, “A line was crossed.”
Two proposals are on the table to reform the CFAA in response to this case. California Representative Zoe Lofgren drafted a proposed amendment to the CFAA, nicknamed “Aaron’s Law” in honor of Aaron Swartz. The current proposal of Aaron’s Law includes three changes to the CFAA that limit the criminalization of exceeding one’s authorization under a license:
1) “Access without authorization” requires circumventing technological barriers (i.e., hacking)
2) Violations of the terms of service, EULA, or other similar click-through licenses are not criminalized under the CFAA or wire fraud statute
3) Efforts to prevent the personal identification of a computer user (e.g., changing one’s IP address) are not criminal under the CFAA or wire fraud statute
Under these changes, Swartz’s actions would not violate the CFAA since he did not circumvent technological barriers. Furthermore, violating JSTOR’s terms of service and using a false IP address would clearly not be criminal under these changes.
The Electronic Frontier Foundation (EFF) took a different (and perhaps simpler) approach in its proposed changes by adding new requirements to the CFAA. EFF’s proposed changes limit the CFAA’s reach to instances where the offense was committed for commercial advantage or private financial gain with damages exceeding $10,000. These changes would have excluded Aaron’s access to the JSTOR database from the CFAA since he did not attempt to receive any private financial gain.
Either of the proposed amendments will prevent prosecutors from bringing someone to court under Swartz’s circumstances and prevent the acceptance of the broad interpretation of the CFAA brought forth by the prosecutors. These changes provide comfort to citizens that they won’t be handcuffed under the CFAA for violating rarely read agreements. As of February 5th, 2013, these reforms enjoy bipartisan support.