After reading about the horrendous early death of Aaron Swartz, it was not my intention to write about the tragic events, even though the incident has elements that intersect in various topics that are of utmost importance, namely cybercrime, hacktivism, digital liberties, and open access, just to name a few. Some people have said most of what needs to be said about the affair way better than I ever could. Similarly, I did not know Aaron Swartz and I have to admit that I was only vaguely familiar with who he was.
I hope to maintain my early position, and despite the early lines, this post is not about Aaron Swartz, but about some of the legal issues surrounding the case.
One of the most intriguing elements of the story is that it has prompted a large number of legal arguments that have arisen out of the events that led to Aaron’s decision to commit suicide. At the heart of the discussion there is the question of whether or not the actions undertaken by Swartz in gaining access to the JSTOR database warranted the subsequent criminal charges brought by the Massachusetts District Attorney’s office.
I am not very familiar with the facts of the case other than what was reported by the press at the time. According to the New York Times, in September 2010:
“… Mr. Swartz used several methods to grab articles, even breaking into a computer-wiring closet on the M.I.T. campus and setting up a laptop with a false identity on the school network for free JSTOR access under the name Gary Host — or when shortened for the e-mail address, “ghost.” When retrieving the computer, he hid his face behind a bicycle helmet, peeking out through the ventilation holes.
The flood of downloads was so great that it crashed some JSTOR servers, the indictment stated, and JSTOR blocked access to the network from M.I.T. and its users for several days.
Ultimately Mr. Swartz returned the hard drives containing the articles to JSTOR and promised that the material would not be disseminated.”
This action prompted the subsequent arrest and prosecution, as Swartz was charged with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. In a statement at the time by the Department of Justice, the prosecutor United States Attorney Carmen Ortiz alleged that:
“Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.”
Not being familiar with all of the details of the case, it is not possible to make a categorical statement about the merits of the prosecution, although the Internet seems to be filled with various opinions. My own take is that the actions might just fall under the Computer Fraud and Abuse Act (CFAA). In other words, this seems to be entirely a borderline case, and as such prosecutors might have simply decided to ignore the incident. This is the reason why Carmen Ortiz is getting such a deserved grilling from various sources. Her actions seem completely disproportionate and excessive.
It is therefore perfectly honest to make this the centre of the legal debate surrounding the case. However, something else is taking place, some politicians and legal scholars have taken the tragedy as an opportunity to argue the merits of the CFAA and other cybercrime legislation, and one congresswoman has gone as far as to propose “Aaron’s Law“, a change to existing provisions that, in her words, will “prevent any other person from being tortured the way Aaron was”. I could not possibly disagree more.
As a matter of principle, I have always believed that any regulatory response to individual cases tends to be misguided, particularly if those situations are exceptional cases. It has to be said that the Swartz tragedy is unique in many ways, so trying to legislate to stop this tragedy from happening is futile. Cybercrime legislation, particularly anti-hacking legislation, tends to be quite general for a reason. As technology changes, the law that criminalises unauthorised access to a computer is, by necessity, a broad piece of legislation, as it must cover present and future situations. Changes to the law to respond to technological change should be encouraged, but these should be made with technological neutrality in mind.
Most modern anti-hacking laws tend to follow the general principles set out by the European Cybercrime convention, which set out three main criminal types: illegal access to a computer, illegal interception, and interference with data and/or systems. National laws tend to follow this template in broad terms, providing detail. This is a tried and tested approach that, while not perfect, tends to cover a large number of computer crimes. It is perfectly possible that the law may need to be overhauled, but to do it in response to one incident is completely irresponsible, and reeks of opportunism.
By all means, if the CFAA, and anti-hacking law in general, needs an overhaul, this should be done by an evidence-based assessment. For example, one could conduct a quantitative and qualitative analysis of prosecutions under the CFAA to try to study if the law is being used to pursue harmful cybercrime, or if it is being used against hacktivists and other minor offenders.
That would be a worthwhile legacy.
ETA: Given some feedback from Twitter, I guess I need to restate better the point of the article. I’m not saying that cybercrime law should not be changed, but that we should not take one very specific incident to change it. The ideal would be to conduct a survey of the effects of the law across the board, and tweak it accordingly based on the actual effects it is having. That would be a better legacy following Aaron’s tragedy than to place a hasty patch under his name that will not really change anything.