YOU ARE HERE: LAT HomeCollections

Congress' horse-and-buggy computer laws

The prosecution of software programmer Aaron Swartz exposes the poorly written, anachronistic laws governing a range of computer use.

February 06, 2013|Michael Hiltzik
  • Aaron Swartz, who was charged with computer hacking, committed suicide last month.
Aaron Swartz, who was charged with computer hacking, committed suicide… (Pernille Ironside, AP )

As martyrs go, Aaron Swartz was an extraordinary example of the breed. A computer programming genius, he had helped develop the social networking site Reddit and became known as a leading advocate for easy and free information sharing on the Web.

When Swartz committed suicide in January, while awaiting trial on federal computer hacking charges that could have landed him in prison for 35 years and cost him fines of $1 million, his death was seen as a reproach to overzealous federal prosecutors in Boston. But the case raises a broader issue: Why is Congress so awful at writing computer and Internet laws?

Swartz was indicted in 2011 under the Computer Fraud and Abuse Act, a 1984 law that has struggled to keep up with the times. It's been amended seven times and is more outdated than ever. The charges stemmed from his efforts to allegedly break into MIT's computer network and use it to download millions of academic articles kept by JSTOR, a nonprofit, fee-based service. Legitimate MIT users could access JSTOR articles for free. (JSTOR advocated dropping the case, but MIT did not.)

The Computer Fraud and Abuse Act, or CFAA, may be the worst of the statutes Congress has passed or debated as ways to address what is vaguely shoveled into a bin labeled "computer crime." But others are nearly as frightful. The Digital Millennium Copyright Act, or DMCA, of 1998 imposes excessive civil and criminal penalties for activities engaged in by many users of digital books, movies and music in the real world.

In 2011, Congress contemplated a bill called the Stop Online Piracy Act, or SOPA, which would have given the owners of supposedly pirated or counterfeited property nuclear-scale weapons to use against websites they didn't like, by allowing them to simply assert rights infringement to shut down a site. SOPA was derailed by an online campaign spearheaded by, among others, Aaron Swartz.

The three laws had much in common. They were written broadly, in a fruitless effort to "future-proof" them against new technologies. They imposed excessive penalties, on the reasoning that if a crime is bad, it's much worse when committed with these mysterious devices called computers. And they offered special interests such as copyright claimants, corporations facing trade competition, and media conglomerates opportunities to assert new legal rights they were denied in the world of old technologies.

"Congress tries to write technology-neutral laws," says Jennifer Granick, an Internet law expert at Stanford, "but there's been a wholesale change in how we interact with computers" that renders these laws quickly anachronistic.

Clever lawyers and aggressive prosecutors often rush in to fill the gaps. The DMCA was originally aimed to discourage hackers from copying code-protected DVDs; but it's been cited by a garage door-opener company against a rival making universal clickers, and by desktop printer makers against knock-off toner cartridges. (Both those efforts failed in court, but the potential for expansive interpretation remains.) The recording industry threatened to prosecute Princeton computer expert Edward Felten under the DMCA if he reported publicly on how he had broken the industry's digital protection technology — an effort he undertook at the industry's invitation. The threat prompted Felten to withdraw a planned public presentation.

By imposing extra penalties for using a computer to do things that have traditionally been handled in civil court, "these broader laws have criminalized things that are of dubious criminality," Granick told me.

The CFAA is a perfect example. The measure was written as a cyberspace analogue to trespass laws. Its broadest provision says that anyone who intentionally "exceeds authorized access and thereby obtains information from any protected computer" has committed a federal crime.

This is a wide-open definition that prosecutors have used very aggressively. A "protected computer," by Justice Department definition, can be almost anything with a microchip, including your Internet-savvy refrigerator or your car. "Unauthorized access" could mean viewing a website in violation of its terms of use, that mass of impenetrable legalese that most of us click on blithely without reading, just to use the site. Do that to obtain or read any "information," and you've committed a federal crime.

If you think this is an alarmist interpretation, consider the Lori Drew case — the "poster child" for CFAA overreaching, in the words of Orin Kerr, a Georgetown University cyber-law expert who argued Drew's side. She was the Missouri mother who was accused of helping set up a fake Myspace page to bully a classmate of her daughter. The classmate later committed suicide. Since there is no federal cyber-bullying statute, prosecutors charged Drew under the CFAA for violating the Myspace terms of use, which requires users to provide only accurate information about themselves. A Los Angeles jury found her guilty.

Los Angeles Times Articles