COMPUTER FRAUD AND ABUSE OR PROSECUTORIAL FRAUD AND ABUSE: TIME FOR CHANGE.

• Author: Manolache, Victor

INTRODUCTION

On January 11, 2013, Aaron Swartz hung himself. (1) Swartz was 26, and despite his youth, was already a well-known and accomplished programmer. Most notably, Swartz helped develop Creative Commons, and his company Infogami merged with Reddit. (2) Many prominent computer programmers and scholars considered Swartz a genius and a friend, and mourned his death. (3) Tim Berners-Lee, the inventor of the World Wide Web, reacted to Swartz' death saying "Aaron dead. World wanderers, we have lost a wise elder. Hackers for right, we are one down. Parents all, we have lost a child. Let us weep." (4)

Almost two years to the day before his death, on January 6, 2011, Swartz was arrested in connection with a series of network break-ins of MIT's computer system. The break-ins spanned a few months and Swartz carried them out from a storage closet on MIT's campus. (5) Between September 2010 and January 2011, Swartz, a Harvard graduate student at the time, physically entered MIT campus, and from a storage closet, hooked up his computer to MIT's network. He spoofed his ID on the network to remain undetected and downloaded millions of academic journals from JSTOR. (6)

On July 11, 2011, a Federal grand jury indicted Swartz for wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. (7) The charges carried a maximum sentence of 35 years in prison. Swartz refused a plea deal, and on September 12, 2012 Federal prosecutors added nine more felony counts under the Computer Fraud and Abuse Act ("CFAA") (8), increasing the maximum prison time to 50 years. (9)

In all, Swartz was charged with two counts of wire fraud (10) and eleven violations of the Computer Fraud and Abuse Act. (11) Usually, wire fraud charges involving computers are prosecuted along with the CFAA. (12) Thus the essence of the prosecution's case depended on their interpretation and application of the CFAA.

Reaction to Swartz' death was very opinionated, dividing legal scholars and prompting a public debate about whether Swartz was overcharged (13)--or whether he even committed a crime to begin with. (14) At Swartz' funeral, his father, Robert Swartz, condemned the prosecution, saying "[Aaron] was killed by the government, and MIT betrayed all of its basic principles." (15) Prosecutor Carmen Ortiz declined to comment, but her husband replied through Twitter, writing: "Truly incredible that in their own son's obit[uary] they blame others for his death and make no mention of the 6 month offer." (16)

Perhaps Robert Swartz' words were an emotional reaction by a mourning father, but many legal scholars' reaction targeted the CFAA's harsh criminal treatment of Swartz in light of an intrusion that was neither malicious nor prolonged. (17) Jennifer Garnick, director of Civil Liberties for the Center of Internet and Society at Stanford Law School wrote: "The CFAA is incredibly broad and covers swaths of online conduct that should not merit prison time." A former criminal defense attorney and friend of Swartz', Garnick concluded: "Exactly because the CFAA arguably applies to Aaron's alleged actions, it should be amended." (18)

Others differed. Professor Orin Kerr (19) believed the charges were based on an appropriate reading of the law. (20) But Kerr recognized that the CFAA, in its current form, lead to undesired outcomes: "The problem raised by the Swartz case is... [that] felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly..." (21) The back and forth correspondence, publicized through blogs and online editorials (22) differed in sympathy expressed towards Swartz, but agreed in principal that the CFAA no longer worked well as a viable, well-balanced, computer crime statute.

Originally, the CFAA created three federal crimes limited to federal interest computers. Those crimes were: accessing national security information, private financial information, or a computer owned by the US Government without authorization. (23) A federal interest computer was any computer on which national security or private financial information was found. (24)

The CFAA's scope has been expanded through revisions. Today, the CFAA is over-inclusive of criminal activity, creating over-criminalization that is only checked by prosecutorial discretion. There are two reasons for this. First, Congress never defined "authorization." This creates vagueness and has resulted in a Circuit split between the Seventh and Ninth Circuit. Second, the CFAA is a bright line rule with no exceptions. (25)

This Note shall explain both problems and offer a possible solution to each. Section I discusses the history of computer crime law. Section II presents the circuit split and offers a solution. Section III discusses consequences of the CFAA's bright line approach. Section IV proposes an amendment to the CFAA that creates an exception for types of uses that, although unauthorized, should not merit criminal prosecution. Swartz' case is revisited, and the discussion from the previous sections is applied.

1. HISTORY OF COMPUTER CRIME LAW

   1. Pre-CFAA

      Computer misuse prosecution can be traced back to 1972. (26) Defendants were charged with computer crimes under existing laws such as trespass, burglary, and theft, because no specific computer crime statute existed. (27) Conceptually, the cyber world and physical world were different, and courts struggled to find a satisfactory approach to prosecuting computer crime.

      Prosecution under a theft statute might have required a property interest in the computer and a showing that the defendant's misuse of the computer deprived the owner of their property interest. (28) In United States v. Seidlitz, (29) a former employee of a military contractor used a stolen password, logged onto the company's network, downloaded, and made a copy of software. Identifying a property interest was easy: the company owned the software and it was protected by password. Showing how, by making a copy of the software, defendant depraved the company of the software was difficult. The original copy remained in the company's possession, but it was clear the defendant's action impacted the company's financial interests. (30)

      Because of such trivialities, courts took a case-by-case, results-oriented approach. If computer misuse caused harm, then property was taken and defendants were liable. (31) If misuse did not cause appreciable harm, then property was not taken and defendants had not committed a crime. (32) In Seidlitz, the defendant intended to use the software for his own business. (33) This would have caused the company that owned the software financial harm by depriving it of a competitive advantage, and the Fourth Circuit found him guilty of wire fraud. (34)

      The pre-CFAA approach premised liability on an actual showing of harm, evaluated case-by-case. If computer misuse passed a certain threshold of harm, it was considered theft, and, prosecuted. (35) If the Government did not demonstrate that defendant's conduct met the burden of harm, the case was dismissed. (36)

   2. 1984: First Computer Crime Legislation

      The CFAA was codified as part of the Comprehensive Crime Control Act of 1984 and named the "Crime Fraud and Abuse Act" in 1986. (37) In the last 30 years, the CFAA has been amended five times. With each amendment, the scope of the CFAA has been enlarged. In 1984, the CFAA was a narrow and specific piece of legislation, limited to unauthorized access of a "federal interest" computer, defined as a computer that held national security or financial information, or was property of the Government. (38)

      The first offense, codified at [section] 1030(a)(1), prohibited unauthorized access to a computer for the purpose of obtaining national security information with intent, or reason to believe, the information would be used against the USA's interests. (39) The second offense, codified at [section] 1030(a)(2), prohibited unauthorized access to a computer to obtain financial information from an institution or consumer reporting agency. (40) The third offense, codified at [section] 1030(a)(3) prohibited a person from unauthorized access to a Government computer if doing so affected the computer's operation. (41) The purpose of all three statutes was to protect three specific Government interests. (42)

      The next two amendments, in 1986 and 1994, brought additional liabilities and a civil remedy, but the scope of the CFAA remained limited to "federal interest computers". (43)

   3. 1996: Significant Expansion

      Congress expanded the CFAA in three significant ways in 1996. Congress' intent was "addressing in a single statute the problem of computer crime". (44) First, a new felony enhancement section for crime and extortion was added. The two other changes created more significant legal consequences. The scope of "unauthorized access" in 1030(a)(2) was expanded beyond only financial information. And, the limitation to "federal interest computer" was expanded to "protected computer." (45)

      The scope of 1030(a)(2), prohibiting unauthorized access to financial information, was expanded to include unauthorized access to obtain any information of any kind if the conduct involved an interstate or foreign communication. (46) Finally, and most significantly, Congress expanded the CFAA's limitation to "federal interest computers" was expanded to "protected computers." (47) A "protected computer" was defined to include any computer "used in interstate or foreign commerce or communication." (48) This gave the Government jurisdiction over virtually any business's computer that was connected to the Internet. (49)

   4. Post 9-11

      In response to the September 11, 2001 terrorist attacks, Congress expanded the meaning of "protected computer" to include computers outside the United States "used in a matter that affects...