Aaron Swartz hanged himself Jan. 11, 2013. He had pleaded not guilty, and his federal trial was to begin next month. (AP Photo/ThoughtWorks, Pernille Ironside)
Facing relentless prosecutors who pressed 13 charges carrying up to 35 years in prison and millions in fines, Internet trailblazer Aaron Swartz committed suicide this weekend. ”He was killed by the government,” his father said to mourners at his son’s funeral in suburban Chicago.
“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death. The US Attorney’s office pursued an exceptionally harsh array of charges, carrying potentially over 30 years in prison, to punish an alleged crime that had no victims,” the family said in a statement.
Swartz, 26, pleaded not guilty to violating the Computer Fraud and Abuse Act. He was accused of downloading 4.8 million articles from JSTOR, a paywalled database for academic work, with apparent plans to release them to the general public.
Swartz created RSS, which allows easy distribution news headlines on the Web, and was one of the founders of the social news website Reddit.com. He had built a reputation as an activist for freedom of information and was one of the prime forces opposing the Stop Online Privacy Act, a bill Congress considered last year that would have caused web providers to self-censor their content.
Letter of the Law
His legal problems began in 2010, when he came up with a series of workarounds to download the JSTOR articles from the MIT network, masking his IP address, physically plugging into the network itself and coming up with code to bypass bulk download restrictions.
Orin S. Kerr
Although pundits have debated whether Swartz’s actions are even much of a crime, George Washington University Law Professor and noted computer crime expert Orin S. Kerr points out that the feds did have a good case that he violated the law. The Computer Fraud and Abuse Act has several provisions that ban accessing computers “without authorization” for various purposes.
“I think it’s pretty clear that Swartz exceeded his authorized access here,” Kerr writes on the Volokh Conspiracy blog. “JSTOR has a password-protected database that Swartz was trying to copy by circumventing code-based barriers to large-scale access, and Swartz was playing a cat-and-mouse game in which he kept trying to gain access to the database and JSTOR kept trying to block him. They blocked his IP address; he changed it. They blocked his MAC address; he spoofed it. They blocked access and he broke into a restricted closet and connected directly to MIT’s network. This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions.”
Draconian Punishments
However, regardless of the statutes broken, the punishment pursued by prosecutors was clearly over the top. Thirty-five years is more than many murderers, robbers, rapists and arsonists serve. Faced with the full force of the U.S. government over a crime that JSTOR itself declined to press charges over, and what looked to be an expensive, open-ended legal fight, Swartz instead hanged himself in his apartment.
The lesson from the tragedy may be that it is time to tighten the Computer Fraud and Abuse Act, which was written in 1986 and gives the government vast wiggle room for interpretation and the ability to impose draconian punishments for minor infractions.
Several years ago Kerr created an absurd terms of use policy that Web users agreed to by visiting his blog, in order to demonstrate how far the law could be extended.
“If you post an abusive comment; you are an employee of the U.S. government; your middle name is Ralph; you’re not super nice, as judged by me; or you have visited Alaska, I have kinda bad news for you,” he wrote. “You are a criminal, as you have just violated 18 U.S.C. 1030(a)(2)(C) by accessing the Volokh Conspiracy’s service without authorization or in excess of authorization.” Violating the terms of use could be considered “hacking into” the blog, he noted.
Making the issue more tangled is that few Internet surfers bother to look at terms of use notices, so they wouldn’t even know they were potentially violating a federal law. Of course, as a practical matter officials would never have resources or reason to pursue the average person with the middle name of Ralph who unwittingly broke a Web agreement, but the example goes to show just how malleable the law can be for prosecutors with an agenda.
