What to Do about Computer Crime Laws

In a long piece published in AlterNet on Tuesday, I noted that Aaron Swartz’ treatment was not all that unusual.

In some ways, what was happening to Swartz was not all that unusual. George Washington University Law Professor Orin Kerr — a leading expert on computer crime law who is sympathetic to the issues Swartz championed — explains that the government’s charges fall within the norm for computer crimes. Moreover, the tactics used in this case are normal for the Department of Justice. The government often multiplies charges in order to coerce defendants to plead guilty without a trial.


The laws governing computer crime criminalize all sorts of actions that don’t seem like they should be crimes. The government inflates charges beyond all proportion to coerce plea deals. The government’s prosecutorial powers are overwhelming. This administration and these prosecutors have aggressively used the law to shut off the free flow of information.

So to the extent people are horrified by how Swartz was treated, they should also be horrified by the abuse of prosecutorial discretion more generally, whether it affects a genius like Swartz nabbed on an computer crime charge or a regular person brought in on drug charges.

That same day, I suggested we’d be far better off–and far truer to Aaron Swartz’ ethic–trying to fix systemic problems than avenging him personally (though I also called for firing Lanny Breuer, the head of DOJ’s Criminal Division).

One of the most ethical suggestions I’ve seen (and I’m not even sure if there is a White House petition for it) is to fix the Computer Fraud and Abuse Act. [Update: Thanks to Saul Tannenbaum,here it is.]

The government should never have thrown the book at Aaron for accessing MIT’s network and downloading scholarly research. However, some extremely problematic elements of the law made it possible. We can trace some of those issues to the U.S. criminal justice system as an institution, and I suspect others will write about that in the coming days. But Aaron’s tragedy also shines a spotlight on a couple of profound flaws of the Computer Fraud and Abuse Act in particular and gives us an opportunity to think about how to address them.

I didn’t know Aaron personally, but he doesn’t strike me as the kind of guy who would seek individualized solutions to systemic problems. And one of the problems with the system that destroyed him is a law that badly criminalizes actions that don’t present much harm.

Orin Kerr has now finished the second of two posts on Swartz, which says some of the same things–though in much more comprehensive and expert fashion.

 I think it’s important to realize that what happened in the Swartz case happens it lots and lots of federal criminal cases. Yes, the prosecutors tried to force a plea deal by scaring the defendant with arguments that he would be locked away for a long time if he was convicted at trial. Yes, the prosecutors filed a superseding indictment designed to scare Swartz evem more in to pleading guilty (it actually had no effect on the likely sentence, but it’s a powerful scare tactic). Yes, the prosecutors insisted on jail time and a felony conviction as part of a plea. But it is not particularly surprising for federal prosecutors to use those tactics. What’s unusual about the Swartz case is that it involved a highly charismatic defendant with very powerful friends in a position to object to these common practices. That’s not to excuse what happened, but rather to direct the energy that is angry about what happened. If you want to end these tactics, don’t just complain about the Swartz case. Don’t just complain when the defendant happens to be a brilliant guy who went to Stanford and hangs out with Larry Lessig. Instead, complain that this is business as usual in federal criminal cases around the country — mostly with defendants who no one has ever heard of and who get locked up for years without anyone else much caring.

Kerr and I differ on two points. He is silent about the role Obama’s DOJ has in setting certain priorities–both in punishing the liberation of information and in targeting the hacking community in Cambridge. That deserves attention: but the attention should be focused, IMO, at the people setting that emphasis, not those implementing it.

Kerr also argues–fairly compellingly, I think–that we’d be better off letting the courts fix the problem with the Computer Fraud and Abuse Act than letting Zoe Lofgren do so.

A lot of people have wondered how to amend the computer crime laws in response to the Swartz tragedy. So far I have seen a lot of interest in this, but not a lot of sensible proposals. Already, Rep. Lofgren stepped forward with “Aaron’s Law,” , text here, which would amend the statutory definition of “exceeds authorized access.” This isn’t new text: It’s just the definition of “exceeds authorized access” that was passed by the Senate Judiciary Committee last year to try to stop Lori Drew-like prosecutions. This amendment is well meaning, no doubt, but I think it is a bad idea for two reasons. First, it is weirdly disconnected from the Swartz case. Swartz would still have faced exactly the same criminal liability under “Aaron’s Law” that he did without it.

Second, after the en banc Nosal case in the Ninth Circuit, I think the smart move for those of us who want a narrow reading of the CFAA is probably to wait for the Supreme Court to resolve the circuit split. Kozinski’s opinion in Nosal is terrific, and it went far beyond the approach taken by “Aaron’s Law” in limiting the CFAA; instead, it adopted the interpretation I recommended in my 2003 article that the CFAA should be limited to breaching code-based restrictions. Given the prospect that the Supreme Court would agree with that reading when it resolves the split, I think it would be better to wait for the Court to solve this one than have Congress enact the amended language for “exceeds authorized access” which was originally drafted as a small step forward back before the Nosal en banc decision came out. And at the very least, if you want to amend the definition of “exceeds authorized access” at this stage of the game, push for the Kozinski/Kerr interpretation that “exceeds authorized access” is same as “access without authorization” except that it applies when a person has some legitimate access rights to the computer. As it stands now, with the chance of a full victory at the Supreme Court, “Aaron’s Law” would probably be an overall step backward rather than a step forward. Let me put it this way: In the courts we might get a whole loaf; “Aaron’s Law” is just a few crumbs.

Kerr also advocates raising the bars for felonies that can trigger the CFAA penalties as well, which (while he doesn’t say it) makes it a lot harder to treat hacking as a terrorist-like crime, one which magnifies otherwise pedestrian crimes. That discussion is well worth clicking through to read the whole thing, which is very long.

As I said, I don’t think these legal issues are all we should focus on. I think it is clear the government took heightened interest in Aaron because of the crowd he ran with and the values he espoused.

But to the extent we do focus on laws, it’s worth reading what Kerr has to say about them to understand what we might accomplish.

Tweet about this on TwitterShare on Reddit0Share on Facebook0Google+1Email to someone

13 Responses to What to Do about Computer Crime Laws