How a 'hopelessly out of date' law makes you a computer criminal

A 26-year-old law says that any unauthorized access into a protected network or computer — like your access to this website — is a federal crime with longer prison sentences than most violent crimes.

|
Pernille Ironside / ThoughtWorks / AP / File
Aaron Swartz, a co-founder of Reddit, hanged himself on Jan. 11. Since his suicide, friends and admirers have eulogized the 26-year-old free-information activist as a martyred hero. Swartz was tried for cybercrimes under a law written a decade before the World Wide Web existed.

In 1970, a 14-year-old boy dialed into a nationwide computer network, uploaded a virus he had written and caused the entire network to crash.

That boy was Bill Gates. Five years later, he founded Microsoft.

A few years later, two young men went around college dorms in California selling boxes of wires that let students bypass telephone-company restrictions and make long-distance calls for free.

Those young men were Steve Jobs and Steve Wozniak, and a later venture they started, Apple, is now the most valuable company in the world.

In 2010, another young man, who had already founded a multimillion-dollar company, broke into a utility closet at the Massachusetts Institute of Technology.

He hooked up a laptop to the campus network and downloaded 4 million academic journal articles, most of them in the public domain, from a paid archive to which he had a subscription.

He was arrested, indicted twice on multiple counts of fraud and, at a trial that was to have begun in April, faced 50 years in federal prison and a $1 million fine.

His name was Aaron Swartz, and last week he hanged himself.

More computers, more prosecutions

The difference between the fates of Gates, Jobs and Wozniak on the one hand, and of Swartz on the other, originates with the Computer Fraud and Abuse Act.

The CFAA is a 1986 law, section 1030 of the federal criminal code, which makes any unauthorized access into a protected network or computer a federal crime and permits harsh penalties for those convicted.

But 1986 was a long time ago. Today, any Web server can be defined as a protected computer, and almost anything can be defined as unauthorized access.

Use your roommate's Netflix account to watch movies on your iPad? You're violating the CFAA.

Trim the URLs of articles on the New York Times website so you can read them for free? You're breaking federal law.

Check your Facebook page at work, even if your employer forbids it? Better call your lawyer.

If that sounds ridiculous, here's a fact: Andrew "Weev" Auernheimer, a well-known "gray hat" hacker, was convicted in November of fraud and conspiracy for harvesting data from a publicly accessible server. He's facing up to 10 years in prison at his sentencing next month.

There weren't any passwords protecting the data Auernheimer and his friend, who later testified against him, downloaded. All they did was change numbers in URLs and press "return." But according to the CFAA, they were breaking the law.

[Security Experts Blast iPad Hacker's 'Chilling' Conviction]

Back to the future

"The punishments for these crimes are hugely disproportionate to the offenses listed," said Adam Goldstein, an attorney advocate at the Student Press Law Center in Arlington, Va. "We wrote these laws based on the 1980s view of the worst-case scenario of hacking in a networked world."

To Robert Graham, chief executive officer of Errata Security in Atlanta, the CFAA is "hopelessly out of date, and can be used to prosecute anybody for almost anything."

"The issue is 'authorization,'" Graham said. "Back in 1986, everyone had to be explicitly authorized to use a computer with an assigned username and password.

"But today, with the Web, we access computers with reckless abandon without knowing whether we are authorized or not," he added. "When you click on a URL, you are technically in violation of the law as it was designed."

Swartz was facing more prison time than he would have if he'd committed a serious physical crime, such as assault, burglary, grand theft larceny or involuntary manslaughter.

"Why the penalties are stiffer for e-crime does not make sense," said Chester Wisniewski, an American who works as a senior security analyst in the Vancouver, British Columbia, office of the British security firm Sophos. "These penalties are more in line with murder than theft."

"There is a serious problem in federal criminal law where the use of a computer ratchets up a criminal sentence dramatically out of proportion from the harm caused," said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation in San Francisco.

"We wrote laws designed to punish the worst monsters of William Gibson's nightmares," Goldstein said. "We're wielding them against people who download journal articles and steal naked pictures from Scarlett Johansson."

Tomorrow: How the CFAA is abused, and how it might be amended.

Copyright 2013 TechNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to How a 'hopelessly out of date' law makes you a computer criminal
Read this article in
https://www.csmonitor.com/USA/Latest-News-Wires/2013/0117/How-a-hopelessly-out-of-date-law-makes-you-a-computer-criminal
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe