Swartz’s death shines light on strict hacking laws

IT World Canada Staff

11 years ago

The suicide last week of extremely talented programmer Aaron Swartz has brought about an outpouring sorrow in many quarters of the technology industry but recently it has also brought about calls for change to the United States’ laws around hacking and computer crime.

“The government should have never thrown the book at Aaron for accessing MIT’s network and downloading scholarly research,” said Marcia Hoffman, senior staff attorney for the Electronic Frontier Foundation in a blogpost Wednesday on the digital rights group’s Web site. “However, some extreme problematic elements of the law made it possible.

Swartz, one of the creators of the first version of RSS (Rich Site Summary) format for delivery Web content, a co-founder of social news site Reddit and co-founder of the anti-Internet censorship group Demand Progress, hanged himself last Friday in his Brooklyn, New York apartment. At that time, the 26-year-old programmer was facing 13 counts of felony related to his alleged 2011 illegal downloading through the Massachusetts Institute of Technology network of nearly five million academic journals from JSTOR, a non-profit publisher of journals. The charges carried a maximum sentence of 35 years in jail and up to US$1 in fines.

“…Aaron’s tragedy shines a spotlight on a couple of profound flaws of the Computer Fraud and Abuse Act in particular, and gives us an opportunity to think about how to address them,” wrote Hoffman.

It is critical that these flaws are addressed, she said, because individuals who “intentionally or unintentionally” violate them could face severe penalties.

The U.S. laws around computer fraud and abuse are too broad and too vague, according to the EFF lawyer.Hoffman said the CFAA makes it illegal to gain access to protected computers without authorization or in a manner which “exceeds authorized access.” Unfortunately, she said, the law doesn’t clearly state what constitutes lack of authorization.

She cited the case of United States v. Drew in which a woman created a fak MySpace page to taunt a teenage girl. The girl became distraught and committed suicide. Because there are no criminal laws against bullying the prosecutor charged Drew under the CFAA claiming her fake profile violated MySpace’s terms of use which made her accessing the network “unauthorized”.

The prosecutor’s argument, Hoffman said would mean that anyone who runs afoul of a site’s fine print could be considered as having broken the law.

Hoffman also said that hacking laws have penalties that are harsh and disproportionate to the offenses people are charged with. For instance, even first-time offenders accused of accessing protected computers without authorization can get up to five years in prison. Repeat offenders face 10 years.

Violations of other parts of the law, she said, are could face up 20 years of life imprisonment.

“The spectre of being incarcerated for years should never have haunted Aaron,” said Hoffman. “Congress must update the CFAA to ensure penalties actually make sense in light of the behavior they’re meant to punish.”