The Impact of "Aaron's Law" on Aaron Swartz's Case

Like so many around the greater Berkman community I was stunned and saddened to hear that Aaron Swartz committed suicide late last week. I truly admired Aaron's work and consider the future of Internet policy substantially worse off without his presence. For more on his life and work, I'd encourage you to visit this gathering of Berkman blog feeds, which this week is filled with posts that discuss his life and work in greater detail.

Much of my attention towards Aaron was focused on his recent federal prosecution. This week Representative Zoe Lofgren has announced on Reddit that she plans to introduce a new bill that changes computer crime law to protect activities like Aaron's from future prosecution. (This action itself is a very fitting tribute to both Aaron's work in shaping a pro-Internet political climate and his early and involved work with Reddit.)

The bill provides two edits to two different computer crime statutes, the Computer Fraud and Abuse Act ("CFAA") and the federal wire fraud law. A preliminary element of many of the prohibitions under the CFAA focuses on whether a defendant accessed a computer "without authorization" or "exceed[ing] authorized access." The bill would change the CFAA definition of "exceed[ing] authorized access" to expressly not include

access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

As to wire fraud, the bill would amend the federal wire fraud statute to say:

A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section.

EFF has now announced its own markup of the Lofgren bill, both on Reddit and on EFF's website.

There is some disagreement over how much "Aaron's Law" (as it is being called) would have helped Aaron himself. Orin Kerr states in part two of his comprehensive analysis of Swartz's case that Aaron's Law would not have changed the outcome. EFF's Marcia Hofmann seems to agree. Lawrence Lessig, on the other hand, suggests that this would have made a very large difference, perhaps removing the felony counts entirely. Jennifer Granick doesn't expressly come out either way, but calls it a good first step. Given all this, it seems appropriate to take some time to go over the Swartz prosecution and Aaron's Law in more detail, and explore exactly how the case would have turned out, and how the proposed law could have changed the outcome of the case.

I'm following in some very large footsteps here, so I'll try to distinguish this analysis by laying out some of the law and facts more explicitly that has been done already. I'll also try and identify how, exactly, the federal courts in Massachusetts (where the case was brought, in the First Circuit) approach the legal questions here. I should state at the start that I am relying on the facts of the case entirely as they have been briefed and reported in the media; I have had no access to any information about the case that isn't already public. If you see an error please feel free to call it out in the comments.

I. The Facts of the Swartz Case

The facts here are drawn principally from the superseding indictment against Swartz and the blog post made by Alex Stamos, the expert witness that Aaron Swartz planned to use in his defense.

The indictment alleges that Swartz connected two computers to the MIT network – first wirelessly and later via a network port in a utility closet – and downloaded about four million articles from the website JSTOR. JSTOR is a paid-subscription academic article clearinghouse that colleges make available to students, faculty, researchers, and "walk-in users" (as JSTOR's terms of use call them) who are visiting the campus and using its network and academic resources. From my own personal experience I can add that at academic institutions like MIT, access to the JSTOR database feels exactly like browsing a more open repository of documents like Google Scholar or the Internet Archive. You do not need a username or password to use the site, but if you download an article you are forced to click on a link that says "Acccept JSTOR's Terms and Conditions and Proceed to PDF."

Aaron was a fellow at the Safra Center for Ethics at Harvard and a guest on the MIT network at all times relevant here. By either credential this entitled him to general access (at least initially) to the JSTOR database. (Most universities provide access to JSTOR on their networks.) He used that initial access to begin his bulk download of the JSTOR corpus.

What he planned to do with the corpus has been presumed in a lot of other writing, but I don't think anyone knows for sure. The leap that the prosecution made in the indictment is that he would have released the entire corpus onto some peer-to-peer service. That, to me, seems rather ham-fisted compared to his other efforts. I see his earlier work in the the PACER case as an example of Swartz's ability to layer technology upon law to generate techno-legal loopholes that allowed him to achieve his ends while not committing a crime. There are certainly some potential uses, such as parsing the database and posting only the public domain and openly licensed articles, or using the database to do corpus textual analysis, that are equally plausible given Swartz's areas of interest and would not seem so repugnant to copyright law. And in any event, JSTOR opted not to pursue a civil claim here for copyright and the DOJ makes no allegations about copyright, despite the atmospherics of the facts here.

Returning to the facts as alleged in the indictment, to expedite his downloading, Aaron designed a Python script that would repeatedly call up articles and download them onto his laptop. He did this initially on MIT's wireless network, which he accessed as a guest user, providing a pseudonym and an email account from Mailinator (a temporary, but functional, email account system).

The indictment further alleges that JSTOR detected this batch downloading and attempted to block it by denying access to Aaron's then-assigned IP address, I would add here that there's no way for us to know whether Aaron knew that his connection was blocked because of his downloading or because of some other issue. Either way, Aaron resolved this by obtaining a different IP address, (I recognize that this sounds unduly charitable to Aaron's side of the case, but on a dynamically-assigned-IP network an action as simple as restarting a computer can result in a new IP address.)

Realizing that the IP block did not stop the downloading, JSTOR then blocked a small range of addresses coming from MIT and discussed with the University how to stop the batch downloading. This ended in MIT attempting to deny the issuance of an IP address to a computer with the MAC address of Aaron's laptop, 0:23:5a:73:5f:fb. Contrary to popular belief, MAC address is not branded into a computer permanently; a capable programmer can change it. And so Aaron did, which reestablished his network connection.

This escalated the response. JSTOR initially blocked all access from all MIT IP addresses, though this block was temporary. Around this time Swartz connected his computer to the MIT network via an ethernet port in a network utility closet and began batch downloading from there. At some point he also obtained a second laptop and put that machine to downloading as well. This continued until early January 2011, when an MIT systems administrator detected that the downloading was coming from a network closet in an MIT building and the called the police. The MIT police discovered Aaron's laptop hiding underneath a box in the closet and placed video surveillance in the closet. Aaron was later observed entering the closet while obscuring his face with his bicycle helmet, retrieving the laptop. He was subsequently arrested.

II. The Crimes Alleged in the Swartz Case, and How "Aaron's Law" Could Change Them

The superseding indictment laid out four theories of criminal liability, with multiple counts for each theory based on discrete time blocks when Swartz was alleged to have committed the crimes. The indictment brings a prosecution for wire fraud, as well as three different CFAA claims: computer fraud (§ 1030(a)(4)), obtaining information through unauthorized access to a protected computer (§ 1030(a)(2)), and computer damage (§ 1030(a)(5)(B)).

For those that don't have time to read everything below, here's the executive summary:

  1. As to wire fraud, most of the theories pursued by the government are not supported by the law as it stands (principally with whether the action taken by Aaron was "false" and/or material with the decision to provide the property in question), but the ones that do survive have a clear path forward to a prosecution. The claims that do look plausible, however, also happen to be the ones most likely to be eliminated by the amendment to the wire fraud act included in Aaron's Law. That said, there may be ways for the DOJ to plead around the restrictions in the proposed law, so further edits to Aaron's Law would be needed to ensure that future wire fraud cases could not be premised on facts like these.
  2. The three CFAA claims all consider in part whether Swartz had accessed the computers of JSTOR and MIT either "without authorization" or "exceed[ing] authorized access." To provide a framework for possible sources of authorization, Prof. Kerr has looked to three sources: code-based restrictions, contract-based restrictions, and norms-based restrictions. The most recent trend, following cases in the Ninth Circuit, holds that the CFAA considers only the code-based restrictions, but other circuits apply the law much more broadly. The courts in Massachusetts are unsettled. If they opt to follow the Ninth Circuit (or if, instead, Aaron's Law is passed), lack of authorization would have to rest on a code-based restriction. This could come either from evasion of the IP blocking (provided it was intentional) or from the routing done around the MAC address block, but whether a court would find this to be enough is not certain.
  3. As to computer fraud, assuming the DOJ overcomes the hurdles in calculating access as noted in (2), the outcome tracks the wire fraud case under the current law. Aaron's Law could prevent the claim here, but because it only makes a definitional change to "exceeds authorized access," the DOJ could work around it by claiming that Swartz accessed "without authorization." That goes against the current trend in interpretation, but the Massachusetts courts are unsettled.
  4. As to obtaining information from a protected computer, this claim rises and falls on whether the government can show that Swartz's access exceeded authorization, as described in (2). There is a path forward to do that based on code-based limitations on access, but it is not certain. If the DOJ can show that Swartz accessed JSTOR in excess of authorization the claim remains a felony. If the DOJ can only show unauthorized access to MIT's servers based on the MAC address filter, it's possible that the claim would be reduced to a misdemeanor. It depends on whether the court would look to the value of the JSTOR corpus as part of the "value of the information obtained" through the unauthorized access to MIT's computer.
  5. As to the specific computer damage charge, the law only applies if a person accesses the computer "without authorization." Under the current case trend, this requires showing that the user was a complete outsider to the network, which Swartz was not. The Massachusetts courts have not decided this point, but assuming they go against the current trend the claim would be successful only if the DOJ can show that the intrusion took down JSTOR for a period of time. If they can, the damage thresholds are so low and generously calculated that this would quickly escalate to a felony. Aaron's Law has no impact on this claim whatsoever.

Each of these claims are now addressed in turn:

A. Wire Fraud

The DOJ's criminal resource manual shows that courts vary somewhat in defining the wire fraud law, but in general a successful prosecution requires the government to prove that the defendant had a scheme to defraud a person out of money or property using some form of false pretense, and that the defendant sent some form of signal over a wire or RF communication apparatus in furtherance of that scheme. We know from Supreme Court precedent that the falsehood must be material to the decision to give the money or property, but the property acquired can be intangible.

One can also concede that Aaron used a wire or radio communication in connection with his activity. As to whether copying documents that JSTOR hosts constitutes obtaining "property," there's an argument to be made there that it is not (and scattered caselaw to support it) but for the most part courts seem to have little trouble finding an activity like this suffices. Kerr's analysis cites to United States v. Seidlitz, which is a great early example of a court reaching this result.

This leaves only the requirement of a false and fraudulent pretense. The DOJ alleged this pretense through the following theories: (1) appearing to JSTOR that he was affiliated with MIT; (2) changing the computer's IP and MAC addresses to conceal his "computer's true identities"; (3) using a Python script to appear as though he was multiple users making individual requests; and (4) concealing the physical location of the laptop in a security closet.

Three of these theories seem to have trouble with the law as it stands today. Theory (1) seems to be on especially weak footing, given that MIT allowed access to JSTOR for guests to its network and JSTOR recognizes in its own terms that such access is allowed. Theory (2) has an issue with not being false: at all times the IP address in question was his actual IP address, and there's nothing in the law or in computer code that prevents a MAC address from being changed, even though an initial address is assigned when a computer is first made. (A motion to dismiss the wire fraud charge has more on this point; the government's response is here.) I'm also not aware of any case which finds that the physical concealment of a device is a "false pretense" for wire fraud purposes. This casts theory (4) into jeopardy.

Theory (3) seems to provide the clearest case of wire fraud, but the government would have to prove that somewhere in the script a false representation was made. (We have very little to go on under the current set of facts to know one way or the other.) Also, whether Swartz was one user or several is material only to the extent that JSTOR was trying to enforce its own terms of use. (The expert witness that Aaron would have relied upon at trial states that JSTOR had no code-based way of stopping a batch downloader.) So the DOJ's theory would have to be this: the terms of use say no batch downloading; Swartz's script made it appear as though he was not engaged in batch downloading; thus indicating to JSTOR that he was not breaking their terms; thus creating a false pretense.

Nothing would appear to prevent that theory from going forward under current law, but it is precisely this reliance on JSTOR's terms of use that Aaron's Law seeks to prevent. Were Aaron's Law in effect, the case against Swartz would be substantially harder. The DOJ would probably attempt to work around how Aaron's Law is phrased, arguing that the use of the Python script made it so that the violation of the terms here was not "in itself" the basis of the charge. That would seem to directly contradict the intent of the law, which rejects the idea of criminalizing contract law, but a language tweak to clarify this before it passes wouldn't go amiss.

Could the government have come up with a different theory to convict Aaron without relying on JSTOR's terms? The best I can think of is to claim that Aaron's "fraudulent pretense" was the evasion of MIT's MAC address filter. But that seems to require the government to prove that Aaron's re-assigned MAC address is somehow "false." The DOJ pains to do that by referring to it as "spoofing," but the term of art prejudices the analysis. I don't know where (in law, code, or elsewhere) you find the rule that you have to keep the MAC address that's initially assigned to you, so I have a hard time coming to the conclusion that this is false.

B. Computer Fraud (§ 1030(a)(4))

Claims of computer fraud begin with the government needing to show that that a person accessed a computer "without authorization" or "exceed[ed] authorized access." This is probably the most complicated of all the elements in this post, and the most critical to all three of the CFAA claims alleged here, so it requires the greatest examination.

1. The "Authorization" Element

Orin Kerr's landmark article on the CFAA and his subsequent writing lay out three possible forms of regulation that can govern access authorization: computer code, contracts, and social norms. In other words, a computer's owner can limit access by imposing a code-based prohibition (usually a password, though it could take other forms), a contract or agreement that dictates the rules of a access, or by looking to the normatively acceptable behavior of society.

Those are presented in order of least to most controversial as the basis of prosecution. The latter two are often used to underscore the extreme breadth of the CFAA. Those two are also met with the most judicial scrutiny. Courts in the Ninth Circuit have taken the lead in limiting the authorization inquiry, most recently with the en banc decision in United States v. Nosal, which held that "exceed[ing] authorized access" is limited to circumventing code-based restrictions. Earlier, in United States v. Drew, a California district court found that a broad reading of access exceeding authorization that relied on a breach of terms of use would violate the void-for-vagueness doctrine in a criminal prosecution. 

Other courts, however, have not been so limiting, and invite "authorization" analysis to come from virtually anywhere. For example, the Seventh Circuit famously allowed a CFAA claim against accessing a company computer to do something that is disloyal to the company. Jennifer Granick's post gives other examples of dangerously broad interpretations. The general trend appears to be favoring the Ninth Circuit's more narrow approach, but this is far from settled. For much more, take a look at the DOJ's computer crimes manual, pages 8-12.

The First Circuit doesn't have much in the way of interpretation, but at least one case allowed use of a employee confidentiality agreement to serve as grounds for finding the scope of authorization. Obviously, this broad definition is one of the major issues with the CFAA, and one that Aaron's Law seeks to correct. (Aaron's Law does not address access based on normative restrictions, but it's hard to see how a claim like that can remain in light of Drew.) But the First Circuit could very well preempt the need for the Aaron's Law amendment to the CFAA by adopting the interpretation in Nosal

Turning now to the facts here, the DOJ alleged that Swartz exceeded any authorized access to both JSTOR and MIT's computers by his actions. Indisputably, the actions that he took after he had access clearly violated JSTOR's terms of use, but if the courts in Massachusetts choose to adopt the view of the Nosal court this would not be enough to show unauthorized access. Such a finding would also be preempted under Aaron's Law. The DOJ's suggestion that Swartz's use of a pseudonym constituted a violation of MIT's guest WiFi agreement would similarly fail (and it's worth noting that a quick scan of MIT's guest wireless page, the MITnet rules of use page, or the guest wireless description page reveal no such prohibition).

But if the DOJ proved unauthorized access based on a code-based restriction, that would survive both Nosal and Aaron's Law. Kerr believes there to be such a code-based restriction here, which he analyzes as follows:

JSTOR has a password-protected database that Swartz was trying to copy by circumventing code-based barriers to large-scale access, and Swartz was playing a cat-and-mouse game in which he kept trying to gain access to the database and JSTOR kept trying to block him. They blocked his IP address; he changed it. They blocked his MAC address; he spoofed it. They blocked access and he broke into a restricted closet and connected directly to MIT’s network. This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions.

As to the first point Kerr raises I reach a slightly different conclusion, but I think this is principally due to the fact that Kerr is analyzing this looking solely at the facts alleged in the indictment, while I'm looking at extrinsic facts. I don't see a way that Swartz's downloading itself violated a code-based restriction. As I noted above, JSTOR doesn't require a password to access its database, nor does it require entering a CAPTCHA or other code-based hurdle. Swartz's expert also claims that JSTOR posed no code-based hurdles to combat repeat downloaders.

But as to the "cat-and-mouse" behavior that Kerr mentions, evading the IP and MAC address blocks, there may be a claim within this fact. But the relevant authority is unclear.

There are a few cases that support the idea that JSTOR's IP blocking of Swartz would be sufficient to find unauthorized access, but none that do so clearly and cleanly (and none in the First Circuit). Craigslist, Inc. v. Kerbel (N.D. Cal. 2012) granted a default judgment under the CFAA against a person who allegedly circumvented both CAPTCHA and IP blocking, though given its procedural posture the court spends very little time examining this. Earlier in Facebook, Inc. v. Power Ventures, Inc. (N.D. Cal. 2012), the same court found that systematic attempts to anticipate IP blocking by Facebook by rotating IP-address was sufficient to find a CFAA violation, but in that case the blocks were systematically implemented and accompanied by a very damning email from the defendant's founder that unequivocally showed that the IP rotation system was designed to evade a persistent code-based restriction.

Other than these two cases, I'm unable to find a case that meaningfully addresses whether something as simple as an IP block provides sufficient basis for "unauthorized access," such that CFAA liability attaches. And even if it does, the government would need to further prove that Swartz knowingly changed it to obtain access (for computer fraud) or intentionally changed it to obtain access (for § 1030(a)(2), discussed in Part C). And as I noted above, there are innocent explanations for a changed IP address.

MIT's MAC address blocking is the strongest case the government has for unauthorized access. Circumvention of a MAC filter shows both a higher level of intentional activity and removes the possibility that the change happened innocently or accidentally. My searching found no direct case law on point, though interestingly a wire fraud case from the District of Massachusetts resulted in a conviction where the defendant distributed software that allowed a user to obtain free and higher-speed Internet access by changing the user's MAC address to mimic paying customers. (To apply that to Swartz's case and proceed with a felony federal prosecution based on a single snippet of code used to stay on a wireless network would raise the prosecutorial discretion concern in spades, but I'm leaving that discussion to others.)

All of this is just one element of the CFAA claim for computer fraud, so examination of the actual outcome requires running this conclusion through the remaining elements.

2. The Other Elements

In addition to unauthorized access, the "computer fraud" portion of the CFAA (§ 1030(a)(4)) requires the government to prove that Swartz had an intent to defraud, accessed a "protected computer" (a term of art which embraces virtually all computers) to further the fraud, and obtained a "thing of value."

This bears a substantial overlap to the examination of wire fraud in Part A, so the analysis is essentially the same. It's hard to argue that Swartz did not receive a "thing of value" in the JSTOR corpus, and to the extent there is a "fraud" his access of the computer was done in furtherance of that fraud. As to whether there was a fraud, the answer tracks the analysis in Part A – the element would likely be met only if the Python script that made it appear as though one person was not engaged in batch downloading were considered to be some form of fraudulent representation.

But while Aaron's Law would most likely preempt this claim in the context of wire fraud, it's not so clear that it would as to computer fraud, because Aaron's Law only changes the definition of "exceeds authorized access" under the CFAA, and § 1030(a)(4) allows a conviction for either access "without authorization" or "exceed[ing] authorized access." The DOJ could try to get around Aaron's Law here by aruging that Swartz accessed JSTOR and MIT "without authorization" instead.

Would the district court follow along? Possibly, but it's against the prevailing trend of cases that raise the question. Currently the district courts are leaning toward treating "unauthorized access" as requiring that a person be a complete "outsider" to a given network. These courts are following Ninth Circuit's precedent in LVRC Holdings v. Brekka over the earlier Seventh Circuit's approach in International Airport Centers v. Citrin. (The DOJ computer crimes manual has a nice discussion of this at pages 6-8.) Swartz did have some level of access to JSTOR, suggesting that this line of attack would be weak.

Nevertheless, the courts in the First Circuit seem somewhat unsettled on the question: the District of Massachusetts followed the Seventh Circuit's reasoning in 2009, and the District of New Hampshire identified it as an open question in the circuit before punting on the answer in 2010. So if the DOJ wanted to, it may have been able to argue that the access was done "without authorization," and it is possible that the courts in Massachusetts would accept that. That would effectively circumvent any remedy that could come from Aaron's Law.

So, to line up all the "ifs" in this section and put them all together: for the same reason that the wire fraud claim might have been premised on the script that allegedly made it look like Swartz's computer was in fact multiple computers there could be a cognizable fraud for a § 1030(a)(4) claim, but that would again depend on the what exactly the Python script did. The DOJ would have to prove unauthorized access, and doing so based on the terms of use alone could be a non-starter if the court opts to follow the analysis of the Ninth Circuit in Nosal. There are, however, code-based indications of unauthorized access, and there are scattered cases to show that routing around an IP address or MAC address could satisfy this (provided it was intentional).

Aaron's Law would limit the determination of "exceed[ing] unauthorized access" to the code-based elements, but it would not change any determination of authorization based on the IP and MAC address blocking. And a definitional change to "exceeds authorized access" would still allow the DOJ to claim access "without authorization." Whether such a workaround would have succeeded under the First Circuit precedent is unclear.

C. Obtaining Information Through Unauthorized Access to a Protected Computer (§ 1030(a)(2))

This section of the CFAA (which is usually just called a "1030(a)(2) claim") punishes those that access a computer without authorization or exceeding authorized access, and thereby obtain either financial records, information from a department or agency of the United States, or "information from a protected computer." Again, because a "protected computer" is a term of art which embraces basically every computer, this element is trivially easy to meet. Similarly, the term "information" imposes no meaningful limitation, as accessing information can be as simple as viewing data from that computer. A § 1030(a)(2) violation is a misdemeanor, unless the government can prove that the act was done for financial gain, in furtherance of another criminal or tortious act, or the value of the information obtained exceeds $5000, in which case it is a felony with a sentence of up to five years. (The DOJ alleged a felony here under the $5000 value rationale, so I focus the later discussion on this subpart.)

As you can already guess, the claim itself nearly completely rises and falls with the question of whether Swartz "exceed[ed] authorized access," as discussed in Part B(1) above. For § 1030(a)(2) the government does not need to show that Swartz used any sort of fraud or false pretense.

Assuming a court found that JSTOR's authorization was exceeded by use of the IP workaround, we'd still be seeing a felony charge against Swartz, even after Aaron's Law. The way in which courts calculate the $5000 threshould is extremely generous, as Kerr already has explained (and called for reforming). It wouldn't take long for a court to find $5000 of value in 4 million journal articles.

If the only unauthorized access the DOJ can show is to MIT's servers via MAC address circumvention, however, this may only amount to a misdemeanor under § 1030(a)(2). Again, the government would have to prove that the value of the "information" obtained from MIT's "protected computer" exceeded $5000. The big underlying question here is whether in valuing the information obtained the government must look solely to MIT's computer (as the statute speaks of "information from a protected computer" and then asks to look at the "value of the information obtained"), or whether the court can also rope in the information taken from JSTOR's computer, through MIT's computer. I find no caselaw on point. If it cannot, I don't see how the DOJ could get to an argument saying that what was taken solely from MIT exceeded $5000.

D. Computer Damage (§ 1030(a)(5)(B))

The final theory of liability here comes from § 1030(a)(5)(B) of the CFAA, which prohibits intentionally accessing a protected computer without authorization, and as a result recklessly causing damage. "Damage" is a term of art here, meaning "any impairment to the integrity or availability of data, a program, a system, or information." This is a misdemeanor, but elevates to a felony when the damage is to ten or more computers (under § 1030(c)(4)(A)(i)(VI)) or when the damage causes "loss" to any one or more persons aggregating $5000 over one year (under § 1030(c)(4)(A)(i)(I)). "Loss" is yet another defined term, and encompasses most reasonable costs incurred by the victim in responding to and restoring the data.

Interestingly, this is the only of the three CFAA charges that doesn't allow liability to attach when a person only "exceeds authorized access" – the section only speaks of access "without authorization," and the DOJ's own computer crimes manual (page 38) notes this to mean you cannot violate § 1030(a)(5)(B) by merely exceeding authorized access. As noted in Part B(2) above, the emerging trend is to not treat those like Aaron who had some initial right access the computer as being "without authorization," but Massachusetts courts are not settled on the issue.

Also, because § 1030(a)(5)(B) does not apply to exceeding authorized access, the textual change to the definition of that term in Aaron's Law would have no bearing on the outcome of this claim.

Assuming the court accepts the broader definition of access "without authorization," the remainder of the claim rests entirely on the factual details of the case that have yet to be explored, and whether or not Swartz's activity actually caused JSTOR to be unavailable for some period of time. While the DOJ alleges this, I don't see how MIT's computers were ever "damaged" in this case, so I think it appropriate to focus on JSTOR. As Kerr notes in his analysis, the decision by JSTOR to cut off service to MIT was really one reached by JSTOR, and didn't impair JSTOR's computer, so there's good reason to omit it in reaching the final conclusion here. The DOJ must also prove that Swartz acted recklessly in causing the alleged damaging – in other words, that he consciously disregarded a substantial risk that his actions would lead to the damage – but if there was damage I don't see that being a serious limiting factor.

As to whether this would have been a misdemeanor or felony, it appears from the facts alleged that MIT and JSTOR each spent an extensive amount of time analyzing what was happening on their servers and attempting to throttle Swartz's downloading. Again, this is heavily factual, and would also have to consider both whether JSTOR ever went down and the cost to get JSTOR back up. All of that said, the threshold of $5000 is a very low bar to meet.

III. Conclusion

So would Aaron's Law have helped in Aaron Swartz's defense? Only to a certain extent, and it could certainly do better. Aaron's Law probably would have prevented the wire fraud claim, but its use of the phrase "the sole basis" in its amendment leaves open the possibility that a clever use of code that evades a contractual restriction could still be the basis of a claim. It similarly may have prevented the computer fraud claim, but changing the definition of "exceeds authorized access" without attempting to cabin access "without authorization" as well leaves open a rather big loophole. It also does nothing to prevent the computer damage claim. And as for the § 1030(a)(2) claim and the big-picture questions about authorization and access that claim presents, it doesn't address the IP and MAC address reassignments that still could be the basis of a claim for unauthorized access. (EFF's proposed edit to include an exception for hiding device identifiers seems to close that loop effectively.)

And of course there is much more we could do. We could clarify that "without authorization" applies only to those that have no authority to access the computer whatsoever to avoid that gap. As Kerr notes and as detailed above, we could also remove computer fraud entirely; Kerr argues, and I agree, that computer fraud is largely an overlap of wire fraud and § 1030(a)(2), and this overlap can actually prejudice a jury, on the theory that if a jury sees all three charged at once they will feel as though they are "splitting the difference" in allowing only one to stand. The $5000 is the threshold in (a)(2) and (a)(5) for a felony is also absurdly low, and the ways in which courts calculate that value are absurdly generous. All of these lessons come out of the Swartz prosecution.

It's also important to note that positive improvements may be coming from the Supreme Court. As Kerr points out (yet again) the Nosal case may be headed to the Supreme Court, and an affirmation there would do all of what Aaron's Law seeks to do for the CFAA, and much, much more. I very much take to heart Kerr's concern about how a change to the language of the statute may frustrate what may be an even bertter interpretation of the existing language from the Supreme Court. At the same time, waiting for the Supreme Court to do something right doesn't seem like a great strategy if one wants to see real reform.  

IV. One Final Thought

You should not take the conclusion that the law may have applied to these facts as justification for the behavior of the prosection here. Quite to the contrary, I believe the law was used in an extremely inappropriate and disproportionate manner. But as the exhaustive analysis above shows, this was not a case of a prosecutor making up legal theories to apply a law that doesn't fit to the facts before them. The CFAA is shockingly broad when it is laid out, and wire fraud is even worse in its vagueness and heavy jail sentences (up to 20 years). A clever prosecutor can frame many benign activities online as a felony. This is emphatically not what a prosecutor should do, of course. A prosecutor should be reactive to the will of Congress and not stretch laws simply as a power play or a way of sending of message. But right now, the DOJ is left with an incredibly powerful law and only its own discretion in limiting it. If the Swartz case shows us anything, it shows that this is not an adequate safeguard.

It would be naïve and foolish to think that this sort of problem only haunts crimes that affect research fellows and hackers. As Catherine Bracy notes in a post from yesterday, the flaw we are identifying in computer crimes proseuctions is part of a systemic problem in our justice system. It is as if cyberlaw advocates are finally hearing what criminal justice advocates have been shouting about for decades. While we can and should try and fix it in the realm of cybercrime, it is important to look at the broader issues. As much time as we spend taking about Kerr, Lessig, Granick, Hofmann, and the EFF, we should spend talking about Butler, Stuntz, Silverglate, and the EJI, ACLU, and NLG, who are already laying the groundwork to fix this problem as it impacts all crime – not just cybercrime.

Update: James Boyle's criticism of Kerr's analysis is excellent further reading. Much of it discusses Kerr's portrayal of the facts and approach to the prosecutorial discretion question, all of which is outside the scope of this post, but he also tackles the CFAA claims. Boyle suggests that the indictment and Swartz's planned expert witness create a split on whether there existed a code-based restriction to govern his access. Stamos's blog post does a lot to refute the suggestion in the indictment that there were code-based restrictions on his batch downloading, but I personally didn't see anything that refutes the allegation that JSTOR blocked IP addresses and, or that MIT blocked MAC address 0:23:5a:73:5f:fb. Nor anything that refutes the suggestion that these blocks were all done as a means of controlling access.

That said, I do think Boyle is right to emphasize the fact that MIT's network addressing system is designed to be open and non-controlling about authentication of devices. Assuming this is true, the argument that MIT can say (or, more accurately, that the DOJ can say that MIT believes) that one MAC address block was a express signal of authorization revocation has a credibility weakness. This also raises a point I didn't get to above: there are a number of scholars, Granick included, that refute the idea that code-based restrictions should de facto give grounds for a CFAA violation, when the restriction is trivially overcome. But we are without caselaw on this point, which I see both as a signal of the overreach of this prosecution and an indication that we simply don't know how a court would approach this sort of weak code restriction.

Andy Sellars is a staff attorney at the Citizen Media Law Project and the Dunham First Amendment Fellow at the Berkman Center for Internet & Society. The views expressed here are entirely his own. Andy thanks Jeff Hermes, Phil Malone, and Kit Walsh for giving very constructive, thoughtful pushbacks and ideas during the drafting of this.

(We end most of our posts with a credit to a photo licensed under a Creative Commons. We decided not to run a photo on this one, but we would be remiss not to mention that the code layer of CC licenses is yet another place where Aaron's work helped make the Internet a better place. Thanks again, Aaron.)


Subject Area: