www.tidewaterreview.com/entertainment/books/la-fi-hiltzik-20130206,0,908370.column

tidewaterreview.com

Congress' horse-and-buggy computer laws

The prosecution of software programmer Aaron Swartz exposes the poorly written, anachronistic laws governing a range of computer use.

Michael Hiltzik

7:35 AM EST, February 6, 2013

Advertisement

As martyrs go, Aaron Swartz was an extraordinary example of the breed. A computer programming genius, he had helped develop the social networking site Reddit and became known as a leading advocate for easy and free information sharing on the Web.

When Swartz committed suicide in January, while awaiting trial on federal computer hacking charges that could have landed him in prison for 35 years and cost him fines of $1 million, his death was seen as a reproach to overzealous federal prosecutors in Boston. But the case raises a broader issue: Why is Congress so awful at writing computer and Internet laws?

Swartz was indicted in 2011 under the Computer Fraud and Abuse Act, a 1984 law that has struggled to keep up with the times. It's been amended seven times and is more outdated than ever. The charges stemmed from his efforts to allegedly break into MIT's computer network and use it to download millions of academic articles kept by JSTOR, a nonprofit, fee-based service. Legitimate MIT users could access JSTOR articles for free. (JSTOR advocated dropping the case, but MIT did not.)

The Computer Fraud and Abuse Act, or CFAA, may be the worst of the statutes Congress has passed or debated as ways to address what is vaguely shoveled into a bin labeled "computer crime." But others are nearly as frightful. The Digital Millennium Copyright Act, or DMCA, of 1998 imposes excessive civil and criminal penalties for activities engaged in by many users of digital books, movies and music in the real world.

In 2011, Congress contemplated a bill called the Stop Online Piracy Act, or SOPA, which would have given the owners of supposedly pirated or counterfeited property nuclear-scale weapons to use against websites they didn't like, by allowing them to simply assert rights infringement to shut down a site. SOPA was derailed by an online campaign spearheaded by, among others, Aaron Swartz.

The three laws had much in common. They were written broadly, in a fruitless effort to "future-proof" them against new technologies. They imposed excessive penalties, on the reasoning that if a crime is bad, it's much worse when committed with these mysterious devices called computers. And they offered special interests such as copyright claimants, corporations facing trade competition, and media conglomerates opportunities to assert new legal rights they were denied in the world of old technologies.

"Congress tries to write technology-neutral laws," says Jennifer Granick, an Internet law expert at Stanford, "but there's been a wholesale change in how we interact with computers" that renders these laws quickly anachronistic.

Clever lawyers and aggressive prosecutors often rush in to fill the gaps. The DMCA was originally aimed to discourage hackers from copying code-protected DVDs; but it's been cited by a garage door-opener company against a rival making universal clickers, and by desktop printer makers against knock-off toner cartridges. (Both those efforts failed in court, but the potential for expansive interpretation remains.) The recording industry threatened to prosecute Princeton computer expert Edward Felten under the DMCA if he reported publicly on how he had broken the industry's digital protection technology — an effort he undertook at the industry's invitation. The threat prompted Felten to withdraw a planned public presentation.

By imposing extra penalties for using a computer to do things that have traditionally been handled in civil court, "these broader laws have criminalized things that are of dubious criminality," Granick told me.

The CFAA is a perfect example. The measure was written as a cyberspace analogue to trespass laws. Its broadest provision says that anyone who intentionally "exceeds authorized access and thereby obtains information from any protected computer" has committed a federal crime.

This is a wide-open definition that prosecutors have used very aggressively. A "protected computer," by Justice Department definition, can be almost anything with a microchip, including your Internet-savvy refrigerator or your car. "Unauthorized access" could mean viewing a website in violation of its terms of use, that mass of impenetrable legalese that most of us click on blithely without reading, just to use the site. Do that to obtain or read any "information," and you've committed a federal crime.

If you think this is an alarmist interpretation, consider the Lori Drew case — the "poster child" for CFAA overreaching, in the words of Orin Kerr, a Georgetown University cyber-law expert who argued Drew's side. She was the Missouri mother who was accused of helping set up a fake Myspace page to bully a classmate of her daughter. The classmate later committed suicide. Since there is no federal cyber-bullying statute, prosecutors charged Drew under the CFAA for violating the Myspace terms of use, which requires users to provide only accurate information about themselves. A Los Angeles jury found her guilty.

Los Angeles District Judge George Wu overturned the verdict, observing that a website's term of use, which can be altered without notice, are too flimsy to carry the weight of criminal liability, and almost never enforced by the website. But as Kerr notes, federal prosecutors have not abandoned their expansive interpretation despite its obvious absurdities: Until they were changed in March 2012, Google's terms of service required users to be of "legal age," meaning that a middle school child conducting a Google search was theoretically committing a federal crime. So are users of dating websites who exaggerate their good points, in violation of terms of use requiring rigorous accuracy about their height, weight, physical condition and charm.

The law places a powerful weapon in the hands of employers, who routinely forbid workers from using their computers for personal business. "The computer gives employees new ways to procrastinate by chatting with friends, playing games, shopping or watching sports highlights," wrote Appellate Judge Alex Kosinski in a ringing denunciation of the CFAA last year. "Under the broad interpretation of the CFAA, such minor dalliances would become federal crimes." Kosinski's ruling upheld the dismissal of CFAA charges against a corporate headhunter who used information from his old employer's computer system to start a competing company.

Efforts are underway in Congress to pare back the CFAA. Rep. Zoe Lofgren (D-San Jose) has proposed a draft "Aaron's Law," which would ban prosecutions based strictly on violations of a website's terms of service or an employer's policies. She would also make clear that tweaking a computer's digital signature — as Swartz did to conceal his identity in a weeks-long cat-and-mouse game with MIT network overseers — is not in itself a crime.

Yet nothing in Lofgren's bill would address the fundamental problem of Congress writing nonsensically broad laws to govern cyberspace and letting the Justice Department work out the kinks. But prosecutors always agitate for more discretion and stiffer penalties, Kerr says; that's how we end up with criminal penalties for lying about one's age on a dating site.

It's also how Swartz gets threatened with 35 years in jail for downloading academic papers that MIT students could access for free. The prosecutors' goal was to pressure him to take a plea, but the instrument was put in their hands by a Congress that couldn't be bothered to educate itself about the real world of computers and networks before legislating about it. That's the type of legislating that has to change to avoid more cases like Swartz's.

Michael Hiltzik's column appears Sundays and Wednesdays. Reach him at mhiltzik@latimes.com, read past columns at latimes.com/hiltzik, check out facebook.com/hiltzik and follow @latimeshiltzik on Twitter.