Aaron Swartz was prosecuted under the so-called “Computer Fraud and Abuse Act.” The statutory language of the CFAA is incredibly broad, and this allows prosecutors to level extremely broad charges against the smallest of potential infringements.
Among other things, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access.” Unfortunately, the law doesn’t clearly explain what a lack of “authorization” actually means. Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren’t really about hacking a computer but instead target other behavior the prosecutors don’t like.
An obvious problem with this argument is that it would mean anyone who runs afoul of a web site’s fine print is a criminal — and many of us intentionally or unintentionally violate those agreements every day. Prosecutors wouldn’t bother filing criminal charges against most of us, of course. But if they wanted to, they would have the leeway to do it under the government’s theory.
But other criminal defendants haven’t been so lucky.
- Towards Learning from Losing Aaron Swartz (cyberlaw.stanford.edu)
- How To Honor Aaron Swartz (slate.com)
- With the CFAA, Law and Justice Are Not The Same: A Response to Orin Kerr (cyberlaw.stanford.edu)