What to Do about Computer Crime Laws

In a long piece published in AlterNet on Tuesday, I noted that Aaron Swartz’ treatment was not all that unusual.

In some ways, what was happening to Swartz was not all that unusual. George Washington University Law Professor Orin Kerr — a leading expert on computer crime law who is sympathetic to the issues Swartz championed — explains that the government’s charges fall within the norm for computer crimes. Moreover, the tactics used in this case are normal for the Department of Justice. The government often multiplies charges in order to coerce defendants to plead guilty without a trial.

[snip]

The laws governing computer crime criminalize all sorts of actions that don’t seem like they should be crimes. The government inflates charges beyond all proportion to coerce plea deals. The government’s prosecutorial powers are overwhelming. This administration and these prosecutors have aggressively used the law to shut off the free flow of information.

So to the extent people are horrified by how Swartz was treated, they should also be horrified by the abuse of prosecutorial discretion more generally, whether it affects a genius like Swartz nabbed on an computer crime charge or a regular person brought in on drug charges.

That same day, I suggested we’d be far better off–and far truer to Aaron Swartz’ ethic–trying to fix systemic problems than avenging him personally (though I also called for firing Lanny Breuer, the head of DOJ’s Criminal Division).

One of the most ethical suggestions I’ve seen (and I’m not even sure if there is a White House petition for it) is to fix the Computer Fraud and Abuse Act. [Update: Thanks to Saul Tannenbaum,here it is.]

The government should never have thrown the book at Aaron for accessing MIT’s network and downloading scholarly research. However, some extremely problematic elements of the law made it possible. We can trace some of those issues to the U.S. criminal justice system as an institution, and I suspect others will write about that in the coming days. But Aaron’s tragedy also shines a spotlight on a couple of profound flaws of the Computer Fraud and Abuse Act in particular and gives us an opportunity to think about how to address them.

I didn’t know Aaron personally, but he doesn’t strike me as the kind of guy who would seek individualized solutions to systemic problems. And one of the problems with the system that destroyed him is a law that badly criminalizes actions that don’t present much harm.

Orin Kerr has now finished the second of two posts on Swartz, which says some of the same things–though in much more comprehensive and expert fashion.

 I think it’s important to realize that what happened in the Swartz case happens it lots and lots of federal criminal cases. Yes, the prosecutors tried to force a plea deal by scaring the defendant with arguments that he would be locked away for a long time if he was convicted at trial. Yes, the prosecutors filed a superseding indictment designed to scare Swartz evem more in to pleading guilty (it actually had no effect on the likely sentence, but it’s a powerful scare tactic). Yes, the prosecutors insisted on jail time and a felony conviction as part of a plea. But it is not particularly surprising for federal prosecutors to use those tactics. What’s unusual about the Swartz case is that it involved a highly charismatic defendant with very powerful friends in a position to object to these common practices. That’s not to excuse what happened, but rather to direct the energy that is angry about what happened. If you want to end these tactics, don’t just complain about the Swartz case. Don’t just complain when the defendant happens to be a brilliant guy who went to Stanford and hangs out with Larry Lessig. Instead, complain that this is business as usual in federal criminal cases around the country — mostly with defendants who no one has ever heard of and who get locked up for years without anyone else much caring.

Kerr and I differ on two points. He is silent about the role Obama’s DOJ has in setting certain priorities–both in punishing the liberation of information and in targeting the hacking community in Cambridge. That deserves attention: but the attention should be focused, IMO, at the people setting that emphasis, not those implementing it.

Kerr also argues–fairly compellingly, I think–that we’d be better off letting the courts fix the problem with the Computer Fraud and Abuse Act than letting Zoe Lofgren do so.

A lot of people have wondered how to amend the computer crime laws in response to the Swartz tragedy. So far I have seen a lot of interest in this, but not a lot of sensible proposals. Already, Rep. Lofgren stepped forward with “Aaron’s Law,” , text here, which would amend the statutory definition of “exceeds authorized access.” This isn’t new text: It’s just the definition of “exceeds authorized access” that was passed by the Senate Judiciary Committee last year to try to stop Lori Drew-like prosecutions. This amendment is well meaning, no doubt, but I think it is a bad idea for two reasons. First, it is weirdly disconnected from the Swartz case. Swartz would still have faced exactly the same criminal liability under “Aaron’s Law” that he did without it.

Second, after the en banc Nosal case in the Ninth Circuit, I think the smart move for those of us who want a narrow reading of the CFAA is probably to wait for the Supreme Court to resolve the circuit split. Kozinski’s opinion in Nosal is terrific, and it went far beyond the approach taken by “Aaron’s Law” in limiting the CFAA; instead, it adopted the interpretation I recommended in my 2003 article that the CFAA should be limited to breaching code-based restrictions. Given the prospect that the Supreme Court would agree with that reading when it resolves the split, I think it would be better to wait for the Court to solve this one than have Congress enact the amended language for “exceeds authorized access” which was originally drafted as a small step forward back before the Nosal en banc decision came out. And at the very least, if you want to amend the definition of “exceeds authorized access” at this stage of the game, push for the Kozinski/Kerr interpretation that “exceeds authorized access” is same as “access without authorization” except that it applies when a person has some legitimate access rights to the computer. As it stands now, with the chance of a full victory at the Supreme Court, “Aaron’s Law” would probably be an overall step backward rather than a step forward. Let me put it this way: In the courts we might get a whole loaf; “Aaron’s Law” is just a few crumbs.

Kerr also advocates raising the bars for felonies that can trigger the CFAA penalties as well, which (while he doesn’t say it) makes it a lot harder to treat hacking as a terrorist-like crime, one which magnifies otherwise pedestrian crimes. That discussion is well worth clicking through to read the whole thing, which is very long.

As I said, I don’t think these legal issues are all we should focus on. I think it is clear the government took heightened interest in Aaron because of the crowd he ran with and the values he espoused.

But to the extent we do focus on laws, it’s worth reading what Kerr has to say about them to understand what we might accomplish.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

13 replies
  1. orionATL says:

    maybe lofgren’s proposal is well-intentioned.

    maybe not.

    the title – aaron’s law – is manipulative in true “patriot” act fashion.

    more substantively, if swartz (and others) would face the same criminal charges with lofgren’s proposal as without, one wonders if logren isn’t simply trying to get in front of and control a process her corporate supporters in silicon valley migbt be queasy about.

    decriminalizing swartz’s actions and recognizing their free speech/challenge-and-change-the-laws component would seem more useful to society.

  2. orionATL says:

    as for federal prosecutors, they really need to be reigned in in a major way. the major reason the swartz tragedy engages me is because i have watched doj prosecutorial brutality for years from the entirely partisan-based persecution of alabama gov don segelman to way too numerous young muslim-americans to environmental activists to judicial reform activists to health practices activists. it would be instructive to produce a list of abusive doj prosecutions since jan, 2001.

    though it is an indirect attack, i think a good start would be to create severe sanctions for u.s. attorneys who withhold information from defense attorneys or courtsor, who lie to or mislead the courts. it would seem hard for republicans and democrats not to support such a proposal.

    a congressionally mandated outside(of the doj) review panel with powers to intervene and discipline doj officials and attorneys might help to stem the abuse.

    insisting that the doj rigorously enforce foia requests directed to itself might be cause-to-pause for doj attorneys. how is it that the nation’s chief law enforcement institution can get away with ignoring, skirting, and defying ourlaws?

  3. grayslady says:

    Sorry, Marcy, I have to disagree with you on this one. We, as citizens, need to use a full-court press on this one–just as the prosecutors tried to use on Aaron. It’s not just the laws here. It’s the showboating by DOJ attorneys for future political gain, no matter whose life they destroy. It’s the “Homeland Security” overkill on just about every aspect of our lives–in this case, library access to stored documents. It’s what Aaron described, in one part of his Freedom to Connect speech, as the blazing anger in the eyes of the one Senator when describing how he wanted to obliterate all the young, technically savvy free-information rebels. Neil Barofsky has already made it admirably clear that 99% of Congress is clueless on how finance really works, thereby being truly willing to let the bankers write all the banking-related laws. Do you really believe that a bunch of terrified, intellectually stupid old white guys–whose skills are limited to PR for their next elections–are really going to pass sensible technology laws? I think Aaron understood the magnitude of the problem, and that it involved action on many fronts, not just one front.

  4. orionATL says:

    when one sees a pathological pattern in annorganization like that illustrated by the doj’s prosecution of aaron swartz, there is the stro g likelihood of a systems problem.

    i would suggest that, following an outside review, the management structure and practices and the doj’s system of promotion and rewards be reworked to remove incintives for line prosecutors to follow the path u.s. attorney stephen haymann in prosecuting swartz.

    in focusing on doj we should not lose sight of the fact that it is the president who is responsible for the way the doj conducts public business. this president has looked the other way at doj excesses for four years.

    he didn’t run on a “send the bastards up the river” platform in 2008 nor in 2012. it s time for president obama to shoulder some of the responsibility for doj prosecutorial brutality.

  5. emptywheel says:

    @grayslady: I think you misunderstand my position. I’m not saying we do nothing. I am saying that letting Zoe Lofgren pass a law that may be counterproductive to the Courts passing one may not be the best response.

  6. grayslady says:

    @emptywheel: Oh, I understood you. I just don’t see why you think that the judiciary–the members of which seem to be equally technically unenlightened as our Congress–are more likely to come up with a just solution for preserving data freedom. A Supreme Court that equates money with free speech and thinks that corporations are “people” isn’t my idea of an enlightened judiciary. Also, it seems clear from Aaron’s case–as well as many others that have nothing technological in the basis of law–that our justice system itself is part of the problem. Aaron’s situation just magnified so many of the issues he was fighting to reform. From what I know of Lofgren’s proposal, it still seems too vague to be helpful.

  7. Seedeevee says:

    Zoe Lofgren is my congressperson and has an office down the street from me. She does represent one of the most liberal and highly educated areas in the US. Zoe Lofgren works in the part of our government that most closely responds in a democratic fashion.

    Her job is to make laws in a brutal and corrupt political system and not necessarily to wait for our incredibly brutal and corrupt justice system (the executive + judiciary) to decide what rights we will be given today.

    As for the propaganda of “he was intentionally breaking the law in the short run to achieve a long-run goal of nullifying the protections of a set of democratically-enacted laws that he opposed” — I need to remind Mr. Kerr that we live in a Republic with the oh-so-not-democratic Senate, and a Presidency elected by electors (when not by the judiciary) – not by the People and a Constitution enacted by a few rich men.

    I do not share Kerr’s belief that ” . . .the Courts are likely to take care of it. ” I have no confidence in our Court system to do any thing but expand the power of the Executive.

    I also do not accept as adequate Kerr’s position on not “blaming the prosecutors”. The “just following orders” defense is just bad.

    So, notwithstanding the poor taste of an “Aaron’s Law” name, why should we wait for an ever increasingly authoritarian judiciary and executive to produce change for us? Fear of something worse? Why should I ask my Representative to wait? I have not seen a good enough reason in either your or Mr. Kerr’s comments.

  8. Bill Michtom says:

    @Seedeevee: I did remind Mr. Kerr of the nature of our government and his propagandistic use of “democratically-enacted”: four times in quick succession.

    Thanks for your clearly stated summary.

    As to letting the courts decide, his critique of the problem with Lofgren’s law makes sense to me.

  9. Bill Michtom says:

    @orionATL: “how is it that the nation’s chief law enforcement institution can get away with ignoring, skirting, and defying our laws?”

    That was rhetorical, right?

  10. Bill Michtom says:

    @grayslady: “Do you really believe that a bunch of terrified, intellectually stupid old white guys–whose skills are limited to PR for their next elections–are really going to pass sensible technology laws?”

    Hey! As an old white guy, I take exception to this canard. There are people of varied genders, races and ethnicities being stupid and corrupt in our Congress. Credit where it’s dued!

Comments are closed.