Swartz suicide shines light on federal anti-hacking law

Federal Computer Fraud and Abuse Act is applied too broadly in alleged data theft cases, critics say

Computerworld | Security, Aaron Swartz, data theft

According to the documents, Swartz allegedly downloaded over two million JSTOR documents over a two-week period by using a variety of deliberate, evasive tactics designed to confound JSTOR controls.

Swartz maintained that the sole motivation for accessing the scholarly documents was to make them freely available on the Internet.

In a blog post, Orin Kerr, a professor of law at the George Washington University Law School, noted that from a strictly legal standpoint, the charges against Swartz were based on what appears to have been a fair application of the CFAA and federal wire fraud laws.

Even so, legions of Swartz supporters appeared outraged that he faced a long prison term.

"The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research," the Electronic Frontier Foundation (EFF) said in a blog post Monday. The CFAA's broad reach and vague language helped the government unfairly bring a potentially crippling criminal prosecution against Swartz, the EFF said.

"Aaron's tragedy also shines a spotlight on a couple profound flaws of the Computer Fraud and Abuse Act in particular, and gives us an opportunity to think about how to address them," the rights group noted.

Hanni Fakhoury, staff attorney at the EFF, said that a big problem with the law is its loose definitions of key terms, including those related to unauthorized access to data. Over the years, creative prosecutors have taken advantage of the law and applied it to situations that it was never meant to tackle, Fakhoury said.

For example, Fakhoury cited the case of Lori Drew, who was indicted on charges related to her creation of a Myspace page using a fake name to tease a teenage girl. The girl later committed suicide.

Federal prosecutors indicted Drew on charges that she accessed Myspace's computers without authorization and that she had exceeded her authorized access to the system when she registered the profile using a fake name.

A federal judge eventually overturned a jury verdict that she violated the CFAA statute.

The case illustrates how the language of the law can be used to criminalize violations of a website's terms of service agreements, Fakhoury said. "Creative and aggressive prosecutors have taken advantage of the ambiguity of some of the terms of the law to cover violations of terms of policy," he said.

Originally published on Computerworld.