With Aaron Swartz’s suicide came the lifting of the floodgates for public criticism of the Computer Fraud and Abuse Act. The amount of venom directed at the law is second only to that directed at the federal prosecutors who were prosecuting Swartz. While I understand the emotional issues that are driving much of the criticism, as I read opinion after opinion by so many “experts” on the CFAA, I can’t help but wonder about Sandra Teague. That is, if these experts are now so concerned about how the CFAA was being used to prosecute Aaron Swartz, why didn’t they have this same concern for Sandra Teague? Or, if they were not aware of Sandra Teague before, how would they feel about her prosecution now? How about you?
Aaron Swartz Case
Much has been written about the Aaron Swartz case including an outstanding analysis by Professor Orin Kerr, a true scholar on the Computer Fraud and Abuse Act. I will only hit a few high points and I encourage you to read Kerr’s two part series titled The Criminal Charges Against Aaron Swartz (Part 1 and Part 2).
Aaron Swartz was, by all accounts, a genius who according to his own words was on a mission to “liberate” all information without regard to the laws protecting such information. Consider his own essay:
Information is power. But like all power, there are those who want to keep it for themselves. The world’s entire scientific and cultural heritage, published over centuries in books and journals, is increasingly being digitized and locked up by a handful of private corporations. Want to read the papers featuring the most famous results of the sciences? You’ll need to send enormous amounts to publishers like Reed Elsevier.
* * *
We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. We need to fight for Guerilla Open Access.
With enough of us, around the world, we’ll not just send a strong message opposing the privatization of knowledge — we’ll make it a thing of the past. Will you join us?
Swartz did not just talk the talk, he walked the walk. In 2008, Swartz downloaded and released approximately 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court documents which amounted to about 18,000,000 documents. He was investigated by the FBI for this but was not charged.
Swartz then set his sights on JSTOR. JSTOR stands for Journal Storage and is a digital library of academic journals that has been acquired and digitized to provide full-text searches. Access to JSTOR is usually through an academic institution’s paid subscription that allows faculty, researchers, and students (and in some cases alumni) to access JSTOR through its subscription. Swartz wanted to “liberate” all of the information in JSTOR’s database by copying it and making it publicly available via filesharing networks. As Kerr explains, Swartz made several attempts to accomplish this by using MIT’s network and account with a guest account he created, each time circumventing the barriers that MIT and JSTOR set up to try and stop him:
- He used a program called “keepgrabbing” that circumvented JSTOR’s limits on how many articles a person could download.
- After MIT and JSTOR saw this extremely high download activity, his IP address was blocked so he changed his IP address and began the massive download again.
- JSTOR saw this and blocked the range of IP addresses from MIT to prevent this from continuing and contacted MIT which cancelled his account and blocking his computer’s MAC address.
- Swartz then bought a new laptop and spoofed the MAC address from his old one to circumvent the ban — he continued downloading.
- JSTOR then saw this and shut off all of MIT’s access to JSTOR for a few days.
- Swartz then broke into a closet in the basement of a building at MIT and connected his computer directly to the network and hid his computer in the closet. His computer stayed there for a month or two and he was able to download a major portion of JSTOR’s database. (As you can see in the photo, Swartz used his bicycle helmet to cover his face as he entered the closet, perhaps knowing he was being filmed.)
- Swartz was caught on the MIT campus shortly thereafter when trying to run from police.
While Swartz was charged with breaking several federal criminal laws, the three charges under the Computer Fraud and Abuse Act have garnered virtually all of the criticism.
- 18 U.S.C. § 1030(a)(2): “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer”
- 18 U.S.C. § 1030(a)(4): “Whoever knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value”
- 18 U.S.C. § 1030(a)(5)(B): “Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage”
Based on a plain and ordinary reading of the these three laws, do you believe Swartz’s acts violated any of them? (even if you do not agree with the law — do you at least think that what he did fit within the letter of the law?) Hold that thought.
Sandra Teague Case
Sandra Teague worked for a contractor that assists the Department of Education with student loan inquiries via a call center and engages in debt collection for the government. In order to perform her duties, she had been granted access to the National Student Loan Data System which contains student borrowers’ private information. Teague was one of nine people who used their access to look up records for an individual even though they were not working on anything related to that person. For this single act, Teague was charged with violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(B): “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” violates the law.
While Teague did not admit to committing the crime and the only evidence of her guilt was the use of her system login credentials, she was fully prosecuted and ultimately found guilty at trial. Teague appealed and her conviction was affirmed by the United States Court of Appeals for the Eighth Circuit in United States v. Teague, 646 F.3d 1119 (8th Cir. 2011).
Consider A Few Points Between Swartz and Teague
- Teague accessed 1 record — Swartz accessed and copied millions of journals
- There were no code-based or other technological restrictions placed on Teague’s ability to access the records she was found to have accessed — Swartz went through multiple different steps to try and circumvent the mulitiple restrictions that MIT and JSTOR were using to block his access to the system — Swartz became a true “hacker”
- Teague was an employee with full access to the specific database as a part of her job — Swartz created a guest account at MIT, with which he had no affiliation, to use its account to access JSTOR
- Teague was trying to obtain information — Swartz was trying to obtain information
- There was no evidence that Teague intended to or did “liberate” the information she accessed; Swartz was intending to “liberate” all of JSTOR’s database by disclosing it to the world
What Do You Think? Can Your Passions and Prejudices Aside?
What do you think? In light of what you understand about the Aaron Swartz prosecution and your feelings about that, what do you think of the Sandra Teague prosecution? Do you feel that Teague’s prosecution was justified and Swartz’s was not? Do you feel like neither were justified? Can you be outraged by Swartz’s prosecution yet not by Teague’s?
My point in writing this blog was to try and challenge you to see how intellectually honest you can be with yourself as you read this. And, only you know whether you have been or not — and that’s good enough. When looking at cases like this, passion, prejudice, and raw emotion can really cloud our ability to find the truth of whether the facts really fit the law. This is especially difficult in a case like the Swartz case. However, before you go jumping to too many conclusions about your own ability to be objective and put prejudices aside, I have one other little twist for you — but you have to go and read a tiny bit more about the following case to see what it is: Read This Case
Now that you’ve read that, are you still as intellectually honest as you thought or have your views changed a bit? ;)
- Aaron Swartz’s Suicide Triggers Response from US Lawmakers (business.time.com)
- Swartz suicide shines light on Computer Fraud and Abuse Act (computerworld.com)
- Reddit co-founder Aaron Swartz commits suicide in midst of controversial trial (rt.com)