By Aaron Pressman
BOSTON, Jan 15 (Reuters) - Lie about your identity on
Facebook or delete files from your work laptop before you quit
and you could run afoul of a 29-year-old U.S. computer security
law that some experts say has been changed so often it no longer
The U.S. Computer Fraud and Abuse Act has come under renewed
criticism after last week's suicide of Internet activist Aaron
Swartz, who could have faced prison time for alleged hacking to
download millions of academic articles from a private database
through a network at the Massachusetts Institute of Technology.
The 26-year-old's family blamed the suicide on
"intimidation" from what they described as an overzealous U.S.
prosecutor, who threatened Swartz with prison and up to $1
million in fines.
Swartz, who helped found popular website Reddit, had
"problems with depression for many years," his friend, science
fiction author Cory Doctorow, wrote in an online eulogy on
The U.S. attorney's case was based on the 1984 CFAA law,
which some legal experts contend has been amended so many times
that some portions of it no longer make sense. Penalties for
minor offenses can exceed those for more serious crimes and key
terms of the law, written before the arrival of the Internet as
a cultural phenomenon, remain undefined.
"So much has changed and gotten more complicated and the law
has kept Frankenstein-ing," said Eric Goldman, a professor at
the Santa Clara University School of Law. "You step back and see
that it's become a horrible, hideous monster."
Other legal experts said the prosecution, led by U.S.
Attorney Carmen Ortiz in Boston, followed the law closely in
bringing charges against Swartz, who argued that research
created with public funds should be freely shared on the
Authorities charge that, when MIT tried to shut off the
downloads, Swartz hid and altered his computer's network
identity and eventually sneaked into a closet at the
university's Cambridge, Massachusetts, campus to gain access to
the 4 million articles.
"The prosecutors weren't stretching the law to fit the
facts," said Orin Kerr, a professor at George Washington
University law School and a former federal prosecutor. "The law
is broad and seems to cover this kind of act."
PROSECUTORS PUSH ON
The act penalizes a person who accesses computers "without
authorization, or exceeds authorized access" to obtain something
of value worth at least $5,000. But courts across the United
States have split about just what constitutes unauthorized
In one case, a court upheld a lawsuit against an employee
who deleted files from his work laptop before quitting to form a
competing business. Once the defendant decided to quit, he no
longer was authorized to access his laptop, the court said.
In a better known case, a judge overturned hacking charges
against a woman from Missouri after she created a false profile
on social networking site MySpace to fool a teenage girl who
later committed suicide. Prosecutors alleged the woman did not
have authorization to access MySpace servers because she
violated the site's terms of service.
The confusion has not slowed prosecutors, who have brought
297 federal criminal cases under the CFAA and related computer
fraud laws from 2010 through 2012, about the same as in the
prior three years, according to court filings reviewed in
Westlaw, a legal data division of Thomson Reuters.
Over the same period, nearly 300 civil lawsuits were brought
in private disputes citing the CFAA and related laws, up from
243 in the prior three years, the filings show.
Prosecutors have taken advantage of the vague terms to add
huge penalties to lesser cases, said Marcia Hofmann, a senior
staff attorney at the Electronic Frontier Foundation, a
non-profit civil liberties organization.
"They make an aggressive reading of what unauthorized access
means to try to throw the book at somebody," she said. "Usually,
their real beef isn't with the hacking, but with something else
the person did that the prosecutor didn't like."
Hofmann and many of Swartz's supporters believe that might
be what happened to the popular online activist, one of the
inventors of a key Internet standard called RSS, which is used
by media companies and bloggers to distribute articles. More
than 30,000 people have signed an online petition calling on the
administration of President Barack Obama to remove U.S. Attorney
Ortiz from Swartz's case, a move that would have little
practical effect after his death.
Ortiz's office declined to comment.
Swartz had been investigated before after downloading almost
20 million pages of text from a government-run database of court
records called PACER in 2008. No charges were filed.
But he got into more serious trouble in 2011 after the MIT
incident, which led to his prosecution in a trial that had been
due to start in a few months.
Following Swartz's death, MIT President Rafael Reif launched
a review of the elite school's handling of the case.
Swartz's possible desire to make the articles public did not
exempt him from prosecution, said Kerr, who represented the
woman accused of hacking for using a fake MySpace profile.
"There's no 'good guy' exception to the criminal laws."
The outcry in the wake of Swartz's suicide may provide a
rare opportunity for lawmakers to revisit the hacking statute,
which has been repeatedly expanded over the past two decades.
"Usually, Congress wants to expand these laws," Kerr said.
"This may be an unusual time when the public reaction is that
the law gives government too much power."
Follow us on Twitter @ReutersLegal | Like us on Facebook