One
day back in the early 1970s, two young computer miscreants named Steve
Jobs and Steve Wozniak exploited a hole in AT&T’s phone system to
prank call the Pope. The call — made using a homemade device called a
“blue box” which made free calls by emulating the tones in AT&T’s
switching system — was more than just a prank. It was part of a history
of irreverent tinkering that would eventually lead to the creation of
the Apple I, and the founding of what would later become the most
valuable computer company on the planet.
In July of 2011, Aaron Swartz was federally indicted for acts that in
retrospect seem far more innocuous than those of Jobs and Wozniak. He
had allegedly entered a maintenance closet at MIT and used a Python
script to rapidly download millions of documents from JSTOR, a database
of academic journals containing publicly-funded research that he had
legal access to under MIT’s open network. Last Friday, facing dwindling
legal funds and up to 35 years in prison, Swartz committed suicide.
,
what Swartz did wasn’t “hacking” — not even under the loosest
interpretations. Yet despite JSTOR dropping its own charges against him,
federal prosecutors pursued the case aggressively. And they were able
to do so because of the dangerously vague language and inconsistent
interpretations of the US government’s favorite anti-hacker playbook,
the
The CFAA may have been written with malicious computer break-ins in
mind, but in reality it’s used to target an incredibly broad range of
activities completely divorced from “hacking,” and Aaron Swartz is only
the most recent example. Framed during a time of widespread computer
illiteracy when nefarious depictions of hackers dominated mainstream
media, the law attempted to bring order to the new computational “Wild
West” by combating unauthorized access to protected systems in
government and finance. But today, the CFAA can effectively mark anyone
who uses a computer to access another computer (e.g., anyone on the
internet) as a felon.
The hook in Swartz’s case had to do with something we should all be
familiar with: Terms of Service.
Whether we’re using Gmail or Facebook
or logging on to a company-owned server at work, these contracts have us
agree to certain rules as a condition of accessing a computer or
service. If we break any of these rules, the company has the right to
suspend access, terminate employment, or sue in court, if the resulting
damage is significant.
All of that would be just fine if it weren’t for a section of the
CFAA describing “unauthorized” and “excessive” access of a “protected
computer” — or to be more accurate,
not describing it. This
section is supposed to define the terms which constitute a criminal
intrusion, but the language is so plain that the law basically leaves
this up to the imaginations of the courts.
The result is that the courts actually default to the language in
those Terms of Service, network use policies, and other private
contracts, as defined by the employers and web services in question. To
wit, the CFAA can make breaking a code of conduct or violating a social
network’s Terms of Service
into a felony, which in effect gives private companies the ability to set the definitions of criminality wherever a computer is involved.
That’s not because of any recent changes in the law’s text, however —
it’s due to aggressive federal prosecutors taking advantage of the
CFAA’s malleable nature to crack down on a wide variety of
computer-related activities — including, conveniently enough, the kind
that embarrass or undermine the authority of the federal government and
their corporate sponsors.
For one example, consider Andrew “weev” Auernheimer, a security
researcher and internet troll who was convicted after exposing a
security exploit discovered on AT&T-branded iPads in 2010.
Auernheimer discovered the hole by simply incrementing an iPad’s serial
number and feeding that data into a public AT&T web server, which
then spat out names and email addresses of 114,000 users associated with
those serial numbers.
AT&T had known about the loophole, but ignored it. So Auernheimer
went public, sharing his findings with
Gawker‘s
Ryan Tate. He reasoned that “when a large company puts users at risk,
you deserve to know about it” — a method of public shaming that many in
the security community, including
cryptography expert Bruce Schneier, have agreed can be an effective means of promoting better security practices.
Again, none of this was “hacking” — anyone with an iPad serial number
and enough smarts could have pulled it off. And since AT&T’s system
was left wide open, no protected computer had been accessed in the
exchange. But AT&T and federal prosecutors disagreed, and pursued a
case that eventually
found Auernheimer guilty on charges of unauthorized access and identity theft, giving him a maximum 10 year jail sentence.
What this suggests is that
accessing any publicly accessible computer
without explicit permission can be grounds for federal indictment, so
long as its owner decides later that they didn’t like something you were
doing on it. In the end, it seemed Auernheimer’s conviction had little
to do with actually upholding the law — it was about the federal
government and a monolithic telecommunications company using the vague
language of the CFAA to send an intimidating message to the hacking and
security community.
The government has sent a similar message when prosecuting another
form of “non-hack”: the Distributed Denial of Service (DDoS) attack.
Made popular by members of leaderless hacktivist collective Anonymous,
DDoS attacks have been blamed for causing extensive damage to corporate
computer systems. Mercedes Haefer, a 21 year old journalism student,
participated in one such attack as part of “Operation Payback,” the
campaign against PayPal in response to its refusal to process donations
for Wikileaks.
The goal of a DDoS attack isn’t to cause lasting damage — it’s to
temporarily slow or block access to certain websites by sending a flood
of requests, an act some have compared to civil disobedience. But the
punishments being doled out for digital disruptions vastly overshadow
the night in jail plus fine given to many of the
700 Occupy Wall Street protestors who shut down the Brooklyn bridge in October of 2011: Haefer and 13 other Anonymous members are now each facing up to
15 years in prison and $500,000 in fines.
Which highlights another area where the law is stacked against actors in the digital space: proportionality.
In Swartz’s case, US Attorney Carmen Ortiz contended that “Stealing
is stealing whether you use a computer command or a crowbar.” But even
if you ignore the nature of the content in question (publicly-funded
research, able to be duplicated infinitely), it has little basis in what
the law prescribes for a similar situation in physical reality. Under
Massachusetts state law, someone going into a library and stealing a
large quantity of physical books would be charged with trespassing,
which carries a maximum punishment of 30 days in jail or a $100 fine. If
the value is more the $250, the maximum sentence is 2 – 5 years —
leagues below what Swartz faced for his 13 felony counts under the CFAA.
“We agree there should be reasonable computer crime laws, but it
seems that all the prosecutions we hear about aren’t reasonable,” says
Hanni Fakhoury, a Senior Staff Attorney for the Electronic Frontier
Foundation. He notes that some courts, notably those in the
Fourth and
Ninth Circuits,
have recently pushed back against broad interpretations of the CFAA
which use Terms of Service violations to push criminal charges. But in
others, he says, prosecutors continue to test the limits of the law.
Aaron Swartz was a lot of things the US government isn’t particularly
fond of. He was an activist — a key architect of the campaigns that
brought down COICA, SOPA, and PIPA, three copyright bills written to
preserve the interests of Hollywood lobbyists. He was also a free
culture agitator, who in 2008 wrote a
Guerilla Open Access Manifesto
calling for the “liberation” of taxpayer-funded research papers from
privately-owned paywalls like JSTOR and PACER. If he could be called a
“hacker” in any sense, it’d be closer to the definitions of the
eccentric Free Software godfather Richard Stallman, who once described
hacking as “
playful cleverness” — a dance along the razor’s edge, bending the rules of the current system to create something new, better, or different.
Amending CFAA won’t reverse what happened to Aaron Swartz. But in the
short term, it might at least prevent prosecutors from using the law to
pursue all kinds of innocuous activity. It’s with that in mind that
Rep. Zoe Lofgren
went on Reddit this week
to propose a draft of “Aaron’s Law,” a new bill that would change the
requirements in the CFAA to explicitly prohibit Terms of Service and
other private contracts from standing in for government definitions of
criminality.
“When I heard about Aaron’s death I was not only sad but outraged,” Lofgren said this week in a phone interview with
The Verge.
“I didn’t know the details of the prosecution as well as I do now, but
when I heard about it, my first reaction was [that] we need to change
the statute that would permit this.”
n August of 2011, members of various groups from across the political
spectrum including the EFF, the ACLU, and the Heritage Foundation had
exactly the same idea. In a letter to Senators Patrick Leahy and Chuck
Grassley, they wrote that activities which violate terms of service
“should not be “computer crimes,” any more than they are crimes in the
physical world.”
If, for example, an employee photocopies an employer’s
document to give to a friend without that employer’s permission, there
is no federal crime (though there may be, for example, a contractual
violation). However, if an employee emails that document, there may be a
CFAA violation. If a person assumes a fictitious identity at a party,
there is no federal crime. Yet if they assume that same identity on a
social network that prohibits pseudonyms, there may again be a CFAA
violation. This is a gross misuse of the law.
The CFAA should focus on malicious hacking and identity theft and not
on criminalizing any behavior that happens to take place online in
violation of terms of service or an acceptable use policy.”
Fakhoury agrees it’s a good time call for CFAA reform, but worries
whether the efforts can attract enough support in Congress. He points to
a previous attempt by Sen. Patrick Leahy to fix the TOS loophole, which
wound up being
tied to even higher sentences and the addition of a two-year mandatory minimum.
Since its announcement, copyright reform advocate Lawrence Lessig,
Swartz’s former mentor, has thrown his enthusiastic support behind
Lofgren’s proposed bill, and others have
left feedback and suggestions on ways to refine it.
As for the debate over prosecutorial overreach, Lofgren acknowledges
it’s a broader issue that needs attention. But for now, she’s intent on
honing in on the more immediate problem, and hopeful that she can gather
bipartisan support.
“What I want to do first is address the [CFAA] statute that was used
in a way that I think shocked a lot of people,” she says. “Most people,
when they look at what Aaron did, think it shouldn’t be a crime at all,
certainly not a felony and certainly not [carrying] mandatory minimums.”
Read original here:
http://www.theverge.com/2013/1/18/3888528/after-aaron-swartz-how-antiquated-computer-laws-enable-the/in/3637531