With Aaron Swartz’s suicide came the lifting of the floodgates for public criticism of the Computer Fraud and Abuse Act. The amount of venom directed at the law is second only to that directed at the federal prosecutors who were prosecuting Swartz. While I understand the emotional issues that are driving much of the criticism, as I read opinion after opinion by so many “experts” on the CFAA, I can’t help but wonder about Sandra Teague. That is, if these experts are now so concerned about how the CFAA was being used to prosecute Aaron Swartz, why didn’t they have this same concern for Sandra Teague? Or, if they were not aware of Sandra Teague before, how would they feel about her prosecution now? How about you?
Aaron Swartz Case
Much has been written about the Aaron Swartz case including an outstanding analysis by Professor Orin Kerr, a true scholar on the Computer Fraud and Abuse Act. I will only hit a few high points and I encourage you to read Kerr’s two part series titled The Criminal Charges Against Aaron Swartz (Part 1 and Part 2).
Aaron Swartz was, by all accounts, a genius who according to his own words was on a mission to “liberate” all information without regard to the laws protecting such information. Consider his own essay:
Information is power. But like all power, there are those who want to keep it for themselves. The world’s entire scientific and cultural heritage, published over centuries in books and journals, is increasingly being digitized and locked up by a handful of private corporations. Want to read the papers featuring the most famous results of the sciences? You’ll need to send enormous amounts to publishers like Reed Elsevier.
* * *
We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. We need to fight for Guerilla Open Access.
With enough of us, around the world, we’ll not just send a strong message opposing the privatization of knowledge — we’ll make it a thing of the past. Will you join us?
Swartz did not just talk the talk, he walked the walk. In 2008, Swartz downloaded and released approximately 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court documents which amounted to about 18,000,000 documents. He was investigated by the FBI for this but was not charged.
Swartz then set his sights on JSTOR. JSTOR stands for Journal Storage and is a digital library of academic journals that has been acquired and digitized to provide full-text searches. Access to JSTOR is usually through an academic institution’s paid subscription that allows faculty, researchers, and students (and in some cases alumni) to access JSTOR through its subscription. Swartz wanted to “liberate” all of the information in JSTOR’s database by copying it and making it publicly available via filesharing networks. As Kerr explains, Swartz made several attempts to accomplish this by using MIT’s network and account with a guest account he created, each time circumventing the barriers that MIT and JSTOR set up to try and stop him:
- He used a program called “keepgrabbing” that circumvented JSTOR’s limits on how many articles a person could download.
- After MIT and JSTOR saw this extremely high download activity, his IP address was blocked so he changed his IP address and began the massive download again.
- JSTOR saw this and blocked the range of IP addresses from MIT to prevent this from continuing and contacted MIT which cancelled his account and blocking his computer’s MAC address.
- Swartz then bought a new laptop and spoofed the MAC address from his old one to circumvent the ban — he continued downloading.
- JSTOR then saw this and shut off all of MIT’s access to JSTOR for a few days.
- Swartz then broke into a closet in the basement of a building at MIT and connected his computer directly to the network and hid his computer in the closet. His computer stayed there for a month or two and he was able to download a major portion of JSTOR’s database. (As you can see in the photo, Swartz used his bicycle helmet to cover his face as he entered the closet, perhaps knowing he was being filmed.)
- Swartz was caught on the MIT campus shortly thereafter when trying to run from police.
While Swartz was charged with breaking several federal criminal laws, the three charges under the Computer Fraud and Abuse Act have garnered virtually all of the criticism.
- 18 U.S.C. § 1030(a)(2): “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer”
- 18 U.S.C. § 1030(a)(4): “Whoever knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value”
- 18 U.S.C. § 1030(a)(5)(B): “Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage”
Based on a plain and ordinary reading of the these three laws, do you believe Swartz’s acts violated any of them? (even if you do not agree with the law — do you at least think that what he did fit within the letter of the law?) Hold that thought.
Sandra Teague Case
Sandra Teague worked for a contractor that assists the Department of Education with student loan inquiries via a call center and engages in debt collection for the government. In order to perform her duties, she had been granted access to the National Student Loan Data System which contains student borrowers’ private information. Teague was one of nine people who used their access to look up records for an individual even though they were not working on anything related to that person. For this single act, Teague was charged with violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(B): “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” violates the law.
While Teague did not admit to committing the crime and the only evidence of her guilt was the use of her system login credentials, she was fully prosecuted and ultimately found guilty at trial. Teague appealed and her conviction was affirmed by the United States Court of Appeals for the Eighth Circuit in United States v. Teague, 646 F.3d 1119 (8th Cir. 2011).
Consider A Few Points Between Swartz and Teague
- Teague accessed 1 record — Swartz accessed and copied millions of journals
- There were no code-based or other technological restrictions placed on Teague’s ability to access the records she was found to have accessed — Swartz went through multiple different steps to try and circumvent the mulitiple restrictions that MIT and JSTOR were using to block his access to the system — Swartz became a true “hacker”
- Teague was an employee with full access to the specific database as a part of her job — Swartz created a guest account at MIT, with which he had no affiliation, to use its account to access JSTOR
- Teague was trying to obtain information — Swartz was trying to obtain information
- There was no evidence that Teague intended to or did “liberate” the information she accessed; Swartz was intending to “liberate” all of JSTOR’s database by disclosing it to the world
What Do You Think? Can Your Passions and Prejudices Aside?
What do you think? In light of what you understand about the Aaron Swartz prosecution and your feelings about that, what do you think of the Sandra Teague prosecution? Do you feel that Teague’s prosecution was justified and Swartz’s was not? Do you feel like neither were justified? Can you be outraged by Swartz’s prosecution yet not by Teague’s?
My point in writing this blog was to try and challenge you to see how intellectually honest you can be with yourself as you read this. And, only you know whether you have been or not — and that’s good enough. When looking at cases like this, passion, prejudice, and raw emotion can really cloud our ability to find the truth of whether the facts really fit the law. This is especially difficult in a case like the Swartz case. However, before you go jumping to too many conclusions about your own ability to be objective and put prejudices aside, I have one other little twist for you — but you have to go and read a tiny bit more about the following case to see what it is: Read This Case
Now that you’ve read that, are you still as intellectually honest as you thought or have your views changed a bit? ;)
I have several thoughts that have developed or, perhaps, evolved since I first wrote this post, and I think it is important for all of us to continue to keep our thoughts “open” as we work through the issues with the CFAA because that is the only way that anyone can ever find “truth” — by continuing to consider things and by being willing to reevaluate and change their views when the situation calls for it. In this case, I do not feel like my own views have changed any since I originally wrote it but, in looking back over the past year and a half, I do think some key points have become more clear:
- The Aaron Swartz case demonstrates the problems with the penalty “prong” of the CFAA. For what Aaron did, which I do think was wrong, violated the law, and deserved some punishment, in no way justified the magnitude of the threatened felonies that were lodged against him. An old maxim of law is, “the punishment must fit the crime.” As currently written, the CFAA allows prosecutors to use the threat of outlandish punishments as a weapon for coercing defendants to accept whatever plea deal they are given, at whatever costs. This happens in the law — in both criminal and civil cases — and it always will continue because one of the ways cases get settled outside of trial is when the attorneys can frame the threat of the of losing as far too risky vis-a-vis the deal that is on the table. This is just how it works, but, the way the CFAA was used in this case was way too far. Allowing for felonies for many of these violations needs to be re-considered, and I do not believe many people would argue with this. This is probably pretty doable.
- The Sandra Teague case demonstrates the problems with the access “prong” of the CFAA. In the case with Swartz, we have a whole nation full of people who see absolutely nothing wrong with what he was doing to the JSTOR database because they like him and they like his “cause” — yet, at the same time, they see no problem with what happened to Teague who literally only had one peep at a record that she was given the logistical ability to access and view but was not given authorization to access and view for the purpose for which she viewed it. Then, when this case is contrasted with the Nosal and WEC Carolina Energy Solutions cases, they simply do not jibe. This is where the would-be reformers must come to some sort of a consensus on what we as a society value and want to protect. The district and circuit courts have struggled with it, Congress may talk about it but does not really seem to interested in touching it, and to think that the Supreme Court will be any better able to decide this just doesn’t make sense.
- The only way a debate on these issues will be fruitful is if “we the people”: (1) put aside all of the inflammatory rhetoric and emotional appeals and sit down and be honest about what we are dealing with by (2) identifying the specific parts of the CFAA that are causing so many problems; (3) identifying the areas where people generally agree (i.e., the felonies part); (4) looking at how the CFAA and the conduct addressed by the CFAA is interconnected with other laws such as those concerning data breaches because in many cases, a CFAA violation on the left hand equals a data breach on the right hand — and the two sides must jibe together; and (5) then we get to the really difficult part where we must figure out what “we the people” really want when it comes to what conduct is prohibited and what is not because we cannot have the “I know it when I see it” approach that we have now, which so many people love while hating, depending on whether they like the “cause” or actors involved.
- Can it be done? I think so. Will it be done? I doubt it … “we the people” usually can’t get past step one on these kinds of things.
- Aaron Swartz’s Suicide Triggers Response from US Lawmakers (business.time.com)
- Swartz suicide shines light on Computer Fraud and Abuse Act (computerworld.com)
- Reddit co-founder Aaron Swartz commits suicide in midst of controversial trial (rt.com)