
The CFAA and Aaron’s Law

THE COMPUTER FRAUD AND ABUSE ACT, & ‘AARON’S LAW’

INTRODUCTION

To understand the significance of the Computer Fraud and Abuse Act, we must consider its history; the use, scope, and function of the Internet at the time of the Act’s inception; and the recurring way in which Congress has amended the Act to keep up with advances in computers and computer-based communications.

We must also consider the evolution of precedent over the course of its history with respect to charges under the Act.

Further, we must address the root cause of the contentious nature of this Act as written, and look to other industry models that can assist in amending the Act to reflect contemporary use of computers and the modern Internet.

THE COMPUTER FRAUD AND ABUSE ACT OF 1984

History of the CFAA

The Computer Fraud and Abuse Act of 1984 was originally born as the Counterfeit Access Device and Computer Fraud and Abuse Act (Counterfeit Access Device Act) in 1984. The law was prompted by an increase in computer crime, notably hacking and fraud, which led Congress to address the problem under a single federal statute. Keep in mind that the “Internet” of this period was not yet public, and was available only to certain Defense and other federal agencies, select universities, and government contractors.

The Counterfeit Access Device Act was extraordinarily narrow in its scope of applicability because it only addressed “federal interest computers” - generally those owned or operated by the federal government or financial institutions. However, because the Counterfeit Access Device Act only applied to select types of confidential information, it immediately fell subject to harsh criticism from legislators, industry leaders, and law enforcement officials. Additionally, the law was deemed too vague and difficult to use. In fact, only one person was ever indicted under the 1984 Counterfeit Access Device Act. (Galbraith, 2004)

The following sections review and outline how this law has morphed since its inception and, where appropriate, describe the resulting harms that concern many. The last sections outline the current criminal offenses in this continuously expanding law, and address the constitutional problems that arise when a law expands to such breadth as a result of its vagueness.

Thomas Jones: Syracuse University School of Information Studies, Spring 2013


Computer Fraud and Abuse Act of 1986

In response to these shortcomings, Congress amended the law in 1986 and renamed it the Computer Fraud and Abuse Act (CFAA, or the Act). The amendment attempted to cure the vagueness by adding definitions, yet those definitions even today still cloud the applicability and enforcement of the Act. The amendment broadened the scope of applicability and added three additional types of computer crimes:

1. a computer fraud offense patterned after the federal mail and wire fraud statutes;
2. an offense for the alteration, damage, or destruction of information contained in a federal interest computer; and
3. an offense for the trafficking of unauthorized computer passwords in certain circumstances. (Galbraith, 2004)

Specifically, the 1986 amendment defined “Federal interest computers” as:

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution’s operation or the Government’s operation of such computer; or

(B) which is one of two or more computers used in committing the offense, not all of which are located in the same State. (Kerr, 2009)

The Violent Crime Control and Law Enforcement Act of 1994

To close loopholes exposed by unexpected ‘hacker’ activity as the Internet, or its equivalent at that time, grew in popularity, Congress again amended the Act through a more comprehensive omnibus crime bill entitled The Violent Crime Control and Law Enforcement Act of 1994. This amendment extended the Act to cover the transmission of worms and viruses. (Galbraith, 2004) Further, the amendment, specifically known as the Computer Abuse Amendments Act of 1994, expanded the computer damage statute to apply to computer damage incurred accidentally, even without negligence. The statute also added a civil provision allowing victims of § 1030(a)(5) crimes to recover damages from wrongdoers. (Kerr, 2009)

Economic Espionage Act of 1996

Two years later, in 1996, the Act was amended once more, specifically by Title II of the Economic Espionage Act of 1996, named the National Information Infrastructure Protection Act of 1996. This expanded the Act’s reach to all computers used in interstate commerce, effectively every computer that touches the Internet. Consider this point carefully, and note that this period is generally considered the birth of the commercial Internet.


This came as a result of growing concerns about financial loss due to computer security breaches. The amendment is notable in that it acknowledged that computer crime had substantive and adverse economic impacts. Its intent, consistent with the legislative history of the Act to that point, was to further protect the confidentiality of computer data and the systems on which the data resided. It was also designed to safeguard the privacy of information, which the amendment’s sponsors hoped would help ensure the public’s faith in the security of computer networks. (Galbraith, 2004)

To grasp how dramatic this amendment’s expansion of the Act was, Orin S. Kerr, Professor of Law at George Washington University School of Law and pro bono counsel to Lori Drew, outlines the expansion in three ways:

The first change vastly expanded the scope of § 1030(a)(2), which was originally limited to unauthorized access that obtained financial records from financial institutions, card issuers, or consumer reporting agencies. The 1996 amendments expanded the prohibition dramatically to prohibit unauthorized access that obtained any information of any kind so long as the conduct involved an interstate or foreign communication.

Second, the 1996 amendments added new provisions to the computer damage prohibition, added a new felony enhancement to § 1030(a)(2), and added a computer extortion statute at § 1030(a)(7). The new computer damage section expanded the list of harm that counted as damage: beyond monetary damage (raised to $5,000 from $1,000) and impairing a medical diagnosis or treatment, the law added causing “physical injury to any person” or “threaten[ing] public health or safety” to the list. The felony enhancements to § 1030(a)(2) turned a misdemeanor violation into a felony if the offense was conducted in furtherance of any crime or tortious act, if it was conducted for purposes of financial gain, or if the value of the information obtained exceeded $5,000.

Finally, the 1996 amendments expanded the statute dramatically by replacing the decade-old category of “Federal interest” computers with the new category of “protected computer.” As enacted in 1996, a protected computer was defined as a computer:

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication.


... The critical difference between a “Federal interest” computer and a “protected computer” was that the former required computers in two or more states, while the latter merely required a machine “used” in interstate commerce.

However, the change in the definition changed the scope of the statute dramatically. Because every computer connected to the Internet is used in interstate commerce or communication, it seems that every computer connected to the Internet is a “protected computer” covered by 18 U.S.C. § 1030. (Kerr, 2009)

The USA Patriot Act of 2001

The amendment appears in section 814 of the Patriot Act, labeled “Deterrence and Prevention of Cyberterrorism.” According to Kerr, the Patriot Act amended the Act in two major ways:

The most significant amendment to the scope of § 1030 in the Patriot Act was the expanded definition of “protected computer” to include computers located outside the United States. Specifically, the amendment added those computers “located outside the United States that [are] used in a manner that affects interstate or foreign commerce or communication of the United States.” The amendment effectively extended the CFAA to as many foreign computers as the Commerce Clause allows.

... The Act added damage to any computer “used by or for a government entity in furtherance of the administration of justice, national defense, or national security” to the list of harms that, if caused, trigger the felony computer damage provisions of § 1030(a)(5). (Kerr, 2009)

Identity Theft Enforcement and Restitution Act of 2008

Enacted as Title II of the Former Vice President Protection Act of 2008, this amendment made more subtle changes, but changes that have been described as having a “surprisingly large impact.” (Kerr, 2009)

Professor Kerr outlines the three most notable of these subtle changes:

First, the statute once again expanded the scope of § 1030(a)(2) by removing the requirement of an interstate communication. Under the new § 1030(a)(2)(C), any unauthorized access to any protected computer that retrieves any information of any kind, interstate or intrastate, is punishable by the statute.


The statute also once again expanded the reach of § 1030(a)(5), creating misdemeanor liability for harms under $5,000 and adding once again to the list of felony triggers—this time, harming ten or more computers, designed to cover cases of botnets.

The third significant expansion is the most subtle but the most far-reaching. The 2008 amendments once again expanded the definition of “protected computer.”

Therefore, the present definition includes any computer that is:

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

It is easy to miss the change. Congress added “or affecting” in the first phrase of § 1030(e)(2)(B), replacing the definition that included computers “used in interstate or foreign commerce or communication” with computers “used in or affecting interstate or foreign commerce or communication.”

To summarize, this in effect merges the reach of the Act with the jurisdiction of the Commerce Clause. It also shows how broad the term “protected computer” has become: it now applies to any computer that the federal government has the power to regulate. This alarms many computer and Internet users, and rightly so: would not any use of the modern Internet inherently be “interstate commerce”? Professor Kerr asserts that, given this expansion, a “protected computer” may now simply be any computer, or “a computer.”

Void for Vagueness Doctrine

Under constitutional law, a statute is “void for vagueness,” and therefore unenforceable, if it is so vague that an ordinary person cannot understand what it prohibits. The doctrine encourages clearly defined provisions so that a person can know what is regulated, what is prohibited, and what punishment results from violating the statute. Currently, courts exercise wide discretion over what “access,” “authorization,” or exceeding either actually means. Professor Kerr argues that this breadth forces the courts to adopt a narrower interpretation of those terms. He goes on to state:


The basic argument has two stages. First, courts must adopt a clear theory of what makes access unauthorized to provide sufficient notice as to what is prohibited. The interpretation must make clear to potential wrongdoers what is prohibited so they can do more than merely guess at the meaning of the statute. Second, courts must adopt a narrow theory to avoid encouraging discriminatory enforcement. The remarkable breadth of this statute requires courts to adopt a clear and narrow interpretation of unauthorized access to provide fair warning to individuals and to limit government discretion.

Otherwise the public has no certainty about what conduct constitutes “unauthorized access,” for example. And if the courts themselves cannot agree on what is or is not illegal, the statute fails to give fair notice, and is consequently open to being held unconstitutional and unenforceable.

Current Criminal offenses under the Act

Cornell University’s Legal Information Institute lists the current criminal offenses under the CFAA as follows:

(a) Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;


(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

(A) threat to cause damage to a protected computer;

(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

shall be punished as provided in subsection (c) of this section.


(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section. (Legal Information Institute, n.d.)

ENTERPRISE ARCHITECTURE

The Enterprise Architecture (EA3) Cube model is a framework that establishes a relationship between strategy, business, and technology. It does so across five areas of the architecture (Goals and Initiatives, Products and Services, Data and Information, Systems and Applications, and Networks and Infrastructure), each layer dependent on the one that precedes it. For example, a corporation has an overall strategy for how it fits into a given market; this defines its goals and initiatives, which then dictate its products and services, which further shape how data and information are used, which leads to the systems and applications suited to enterprise use, which in turn define the requirements for the underlying network and infrastructure the enterprise needs to operate successfully. This approach is taken across each line of business a corporation has, depending on its portfolio diversification. However, this model addresses what tools are used to provide the functions the company needs to achieve its business plan. It does not necessarily consider how to secure the tools that have been identified for use. That is the purpose of the Enterprise Information Security Architecture (EISA) model, which aligns well with the EA3 model.

As applied in practice, as typically seen in enterprise or corporate IT departments, we must strive to understand the posture of the IT systems and services which the Act is intended to protect. We must further strive to understand how a corporate entity qualifies and quantifies its network posture, security measures, and policies, both to protect itself under the law and to be able to assert its rights under the Act. The five EISA layers corresponding to the EA3 model are IS Governance, Operations and Personnel Security, Dataflow and Application Development Security, Systems Security, and Infrastructure and Physical Security.

Aligned with the business context of the EA3 model described above, the EISA model applies an information security context to the business structure of the corporate entity. Information system governance (business drivers) dictates operations and personnel security (products and services), which feeds into dataflow and application development security (data and information), which defines parameters for systems security (systems and applications), which in turn defines requirements for infrastructure and physical security (networks and infrastructure). This provides a comprehensive and contextual model for enterprise information security which, when combined with the EA3 approach, is contextually relevant to the corporation’s business purpose.

ENTERPRISE INFORMATION SECURITY ARCHITECTURE


Enterprise Information Security Architecture is a framework composed of five layers: Information Security Governance, Operations and Personnel Security, Dataflow and Application Development Security, Systems Security, and Infrastructure and Physical Security. As in Enterprise Architecture, each layer builds on the one before it, providing an increasingly specific framework that can address any company’s security posture in any given market. To understand how the framework does so, we must look briefly at each layer as explained by Dr. Scott Bernard of Syracuse University’s School of Information Studies.

Information Security Governance defines security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint. This results in various outputs such as policy statements, access policies, information practices, security lifecycle charts, etc. - obviously not an all-inclusive list but one that provides general direction, and enables lower layers of the framework to add further specificity. It is this layer where we see policy formation and evaluation, assurance standards, law and legislation, among other common organizational policies. This is arguably one of the major components of the Act commonly brought under question. It is also one of the more frequently contested due to the vagueness Congress has either willingly, or negligently structured into the language of the Act. This issue is discussed further in this paper under Agency-based and Contract-based interpretations of the Act.

The next layer in the framework is Operations and Personnel Security. The purpose of the Operations Security component is to define or dictate the behavioral and operational requirements as they relate to access to the company’s IT data, systems, and services. Outputs of this layer consider and include Risk Assessment, Authorization Models, Access Control User Requirements, Business Impact Analysis, and Disaster Recovery & Business Resumption Planning.

The Personnel Security component extends these requirements beyond the protection of the company’s data, systems, and services to the protection of its leadership and employees, thereby further protecting the company. More specifically, the purpose of Personnel Security is to ensure that the enterprise’s personnel access and use its information and technology services safely, securely, and in accordance with the predefined roles and responsibilities of their job functions, through proper access control plans and detection of anomalous employee behavior. The outputs of this component share similarities with Operations Security but focus further on components such as authentication, role-based access control, awareness training, desktop security policies, and procedural training. Operations and Personnel Security are major pillars of the Act, which revolves around whether a person, employee or not, accessed a computer “without authorization” or “exceeded authorized access.” As discussed later in this paper, this layer of EISA correlates most strongly with the Code-based interpretation, which some prominent legal scholars argue should be the default interpretation, sometimes combined with an employment law context.

The Information and Dataflow Security layer focuses not on data or access to it, but on information, the meaning of data. More explicitly, the purpose here is to identify and classify information and data as it moves through the enterprise in order to justify adequate security controls. The data needs to be valued quantitatively and qualitatively and classified into levels depending on the risks of and to data loss, repudiation, competition, and availability. This layer is where we begin to see outputs or processes dedicated to the design of dataflow, the categorical treatment or segregation of information, and the logical and associative access controls to it. In some of the case studies below, we see this layer used in Agency, Contract, and Code-based interpretations.
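The Operations and Personnel Security layer and the Information and Dataflow Security layer described above both reduce, in practice, to a single access decision: does the principal hold a valid account, does its role permit the requested action, and is the classification of the resource within that role’s clearance? The following Python sketch is an added example, not code from this paper or from the EA3/EISA frameworks, and the role names, clearance levels, user accounts, resource labels, and access events in it are all constructed for illustration. It records each decision with a reason code that keeps two failure modes apart: a request with no valid principal at all (labelled here without_authorization) versus a valid principal acting outside what its role permits (labelled exceeds_authorized_access). These labels are the system’s own technical classification of a denied request, not a legal conclusion under § 1030. A final pass flags any principal whose volume of allowed accesses exceeds a threshold, the kind of anomaly detection the Personnel Security layer calls for.

```python
"""Added example: role-based authorization with classification labels and an
audit trail that separates "no valid principal" from "valid principal, out of
scope". Every role, user, resource and event below is constructed for the
example; none of it comes from the paper."""

from collections import Counter
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Classification(IntEnum):
    """Ordered data classification levels (assumed labelling scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed role model: a clearance ceiling plus the actions the role may perform.
ROLES = {
    "analyst":  {"clearance": Classification.CONFIDENTIAL, "actions": {"read"}},
    "engineer": {"clearance": Classification.INTERNAL,     "actions": {"read", "write"}},
    "admin":    {"clearance": Classification.RESTRICTED,   "actions": {"read", "write", "delete"}},
}

# Assumed user directory: a principal is valid only while its account is active.
USERS = {
    "alice": {"role": "analyst",  "active": True},
    "bob":   {"role": "engineer", "active": True},
    "carol": {"role": "admin",    "active": False},  # disabled after departure
}

# Assumed resource catalogue carrying the labels produced by the dataflow layer.
RESOURCES = {
    "/reports/q1.pdf":   Classification.INTERNAL,
    "/hr/salaries.csv":  Classification.CONFIDENTIAL,
    "/keys/ca-root.pem": Classification.RESTRICTED,
}


@dataclass
class Decision:
    allowed: bool
    # One of: "ok", "without_authorization", "exceeds_authorized_access", "unknown_resource"
    reason: str


def authorize(user: Optional[str], action: str, resource: str) -> Decision:
    """Evaluate one access request against the role and classification model."""
    if resource not in RESOURCES:
        return Decision(False, "unknown_resource")
    account = USERS.get(user) if user else None
    if account is None or not account["active"]:
        # No valid principal: anonymous, unknown, or disabled account.
        return Decision(False, "without_authorization")
    role = ROLES[account["role"]]
    if action not in role["actions"] or RESOURCES[resource] > role["clearance"]:
        # Valid principal, but the action or the data label is outside the role.
        return Decision(False, "exceeds_authorized_access")
    return Decision(True, "ok")


def audit(events: List[Tuple[Optional[str], str, str]]):
    """Run a batch of (user, action, resource) events; return audit rows and a tally."""
    rows = []
    tally: Counter = Counter()
    for user, action, resource in events:
        d = authorize(user, action, resource)
        rows.append((user, action, resource, d.reason))
        tally[d.reason] += 1
    return rows, tally


def flag_bulk_access(rows, threshold: int) -> Dict[str, int]:
    """Flag principals whose count of *allowed* accesses exceeds the threshold.
    A crude volume check; a real detector would use per-role baselines."""
    per_user: Counter = Counter(u for (u, _, _, reason) in rows if reason == "ok")
    return {u: n for u, n in per_user.items() if n > threshold}


if __name__ == "__main__":
    # Constructed event stream: one anonymous request, two out-of-scope
    # requests, one request from a disabled account, and a burst of reads.
    events = [
        (None,    "read",   "/reports/q1.pdf"),
        ("alice", "read",   "/hr/salaries.csv"),
        ("alice", "write",  "/reports/q1.pdf"),
        ("bob",   "read",   "/hr/salaries.csv"),
        ("carol", "delete", "/keys/ca-root.pem"),
    ] + [("alice", "read", "/reports/q1.pdf")] * 40
    rows, tally = audit(events)
    print(dict(tally))
    print(flag_bulk_access(rows, threshold=25))
```

Run as a script, the block prints the tally of reason codes for the constructed events and the principals flagged for volume. The reason code is what makes the audit trail useful under a Code-based reading: it records what the access control itself permitted or refused, independent of why the employee made the request.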

The Application Development Security layer addresses, in more specific and technical detail, how the Information and Dataflow Security layer is to be implemented and safeguarded. More specifically, its purpose is to architect the authentication, authorization, and accounting (AAA) components into the applications used in the enterprise, to enforce the application process flow throughout the enterprise, and to ingrain security in the systems development lifecycle. Typical outputs include, but are not limited to, design and development, application development security (such as sandboxing), application gateways, and application security placement. This layer aligns strongly with Code-based interpretations of the Act.

The next layer is Systems Security. This layer protects or safeguards sensitive applications, sometimes as a result of the preceding Application Development Security layer. More concisely, the purpose of this layer is to protect sensitive applications running on the systems and to provide granular access controls over sensitive resources. Examples of outputs from this layer include, but are not limited to, user account management and privileges, certificate request management, password stores and management, remote access, authorization models, file system hardening procedures, patching, and security repositories. This layer aligns strongly with Code-based interpretations of the Act, central to the intended meaning of “authorization” to access a computer.

These layers rest upon the final EISA layer, Infrastructure Security. The infrastructure is the physical medium, consisting of (network) appliances, which all the preceding layers traverse. This layer must meet and facilitate the totality of security requirements from all preceding layers and provide safeguards against current and future attacks. Outputs typically seen from this layer include, but are not limited to, network segregation or partitioning, VLANs, firewalls, intrusion prevention and detection, load balancers, PKI architectures, network, cellular, and telecommunication circuits, VPNs, and a variety of SSL methods or implementations. This layer is intriguing because it is the culmination of requirements from all the layers above it. It also has a unique place in the Aaron Swartz case and the spirit of MIT’s open network. It aligns most strongly with a Code-based interpretation, and as seen below, ultimately code is law.

APPLYING THE CFAA: CASE STUDIES


The application of the CFAA in the courts today has revolved around three distinct approaches. These approaches result from the Act’s vague language about what “authorization” means, and more specifically what it means to access a computer “without authorization” or to “exceed authorized access.” This is especially problematic when employers bring rogue employees into court, arguing under the rather vague, general language of the CFAA that the employee was without authorization, or exceeded his authorization, to access the company computer system when he did so to obtain proprietary company information for devious non-business purposes. (Field, 2009)

This has led courts to adopt one or more of the following interpretations: an agency-based interpretation, a contract-based interpretation, and a code-based interpretation.

Agency-Based Interpretation

In an agency-based interpretation, authorization is based on common-law principles. The employee-employer relationship imposes “special duties on the part of both the employer and the employee which are not present in the performance of other types of contracts”. In short the employee owes a duty to his employer, which requires him to act solely for the benefit of the employer or company. Moreover, the employee’s authority to act on behalf of the employer terminates when he obtains an interest adverse to the employer - for example if he begins to work for a competitor. Thus applying the aforementioned under the CFAA, an employee’s authorization is implicitly revoked when he accesses a computer for the purposes that do not further his employer’s interests. (Field, 2009)

One notable example of this approach is found in International Airport Centers v. Citrin:

In 2006, the Seventh Circuit was the first appellate court to wade into the “without authorization” debate that had been ongoing among the district courts for more than five years. In International Airport Centers, L.L.C. v. Citrin, the defendant was employed by the plaintiff to look for and help acquire real estate. Citrin decided to quit working for International Airport Centers (IAC) and start his own business. Prior to leaving IAC, Citrin erased all the data on a laptop computer provided by IAC, some of which would have shown he had engaged in improper conduct and none of which IAC had any additional copies. Citrin installed and used a secure-erase program to do this, which meant that the data were truly unrecoverable. IAC sued under the CFAA's civil provision, § 1030(g), claiming Citrin had violated § 1030(a)(5)(A)(i), which provides that such violation occurs when one “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”

The court, citing congressional intent that the CFAA should reach internal as well as external actors, readily settled on a broad definition of what constitutes a transmission. While not quite holding that pressing the delete key constitutes a transmission, the court nevertheless determined that installing the secure-erase program—whether installed remotely or by an actor with direct physical access—constituted a transmission in accordance with the CFAA.

The court next turned to the authorization element of § 1030(a)(5). Here, the court applied principles of agency law and determined that Citrin's authorization to access the laptop computer ended at the moment he violated his employment contract by deciding to act contrary to IAC's interests, i.e., before he erased the data on the computer's hard drive. That authorization, the court said, was granted through the agency relationship Citrin had with his employer and implicitly ended when he violated his duty of loyalty to that employer.

However, a recent opinion from the Ninth Circuit in LVRC Holdings, L.L.C. v. Brekka rejected the Seventh Circuit’s approach and held that authorization is granted by the employer and, therefore, that authorization ends when the employer rescinds it. This split in authority raises questions about how broadly or narrowly the CFAA should be applied—or whether it should be applied at all—in the context of an employee’s disloyal computer use. (Pollaro, 2010)

Contract-Based Interpretation

This interpretation is much more straightforward than an agency-based approach, but not as concrete as a code-based approach.

This interpretation requires the computer user to violate a contract before that user’s access can be found to be unauthorized. This then requires the existence of an explicit or implicit contract that defines the authorization of a particular user. As such this interpretation is often used in cases involving internet or website providers where there is a contract or terms of service (TOS) agreement between the two parties, or in an employment dispute where a case arises between former employers and employees where there is an employment contract (non-disclosures for example) or handbook. (Field, 2009)

The Lori Drew case is one of the most notable cases in which the CFAA was applied under a contract-based interpretation. The Aaron Swartz case is another, though the charges filed there also rested on a code-based interpretation. Aaron committed suicide before his court date, which prevented these issues from being addressed once more by the courts.

Lori Drew, the Missouri woman accused of creating a fake MySpace profile in order to “cyberbully” her daughter’s former friend, who subsequently committed suicide, was charged with felony crimes under the CFAA. The facts of the case are laid out by Drew co-counsel Nicholas Johnson as follows:

In 2005, Megan Meier, then a 13-year-old seventh-grader from Dardenne Prairie, Missouri, established an on-again, off-again friendship with Lori Drew’s daughter. Tina Meier, Megan’s mother, described Megan’s transition into seventh grade as “a mess,” and noted that her daughter was sensitive about her weight and “[tried] desperately to fit in.” Megan and Lori Drew’s daughter would go on “jags of companionship,” but eventually ended their friendship. In September 2006, Megan’s parents allowed her to sign up for a MySpace account, despite the fact that, at age 13, she was technically too young to have one. And shortly thereafter, Megan received a friendship request from “Josh Evans,” a muscular, attractive 16 year old boy with blue eyes and wavy brown hair.

What Megan did not know when she readily accepted Josh’s friend request was that he was a fictional character. Nonetheless, the pair was soon communicating back and forth. Drew’s pre-trial motions go out of their way to note that the profile of Josh Evans was open for only 29 days, and for 28 of those 29 days “nothing negative was communicated.” The government’s indictment reveals some PG language of the sort one might expect flirtatious eighth-graders to talk about: Josh allegedly sent a message telling Megan that she was “sexi” [sic], as well as a separate invitation to touch his “snake.”

However, the relationship between Megan and Josh deteriorated rapidly on October 16, 2005, when an “insult war” broke out between the two. The conversation ended “in substance, that the world would be a better place without [Megan] in it.” Shortly after that argument, Megan committed suicide. The government alleged in its indictment that Lori Drew learned of Megan Meier’s suicide that same day, immediately deleted the Josh Evans account, and told one of her alleged co-conspirators to “keep her mouth shut” about it. (Johnson, 2009)

Drew was charged with three felony counts of “accessing protected computers without authorization to obtain information” under 18 U.S.C. § 1030(a)(2)(C) and § 1030(c)(B)(ii) of the Computer Fraud and Abuse Act. (Johnson, 2009)

Counts two through four – accessing a protected computer without authorization under the CFAA – constitute the root of the prosecution’s theory of Drew’s liability. Section 1030(a)(2)(C) prohibits obtaining information from a “protected computer” by means of intentional, unauthorized access. Use of the MySpace website is governed by its Terms of Use, which constitute a contract between MySpace and its users. Those Terms of Use require that users, inter alia, “provide truthful and accurate registration information” and “refrain from using any information obtained from MySpace services to harass, abuse, or harm other people.” (Johnson, 2009)

Because Lori Drew’s conduct was in express violation of MySpace’s user contract, Drew therefore acted either without authorization or in excess of authorized access when she communicated with Megan Meier through MySpace’s protected servers. (Johnson, 2009) Professor Kerr adds that the defense argued two main points: TOS does not govern authorization, and that committing unauthorized access by violating TOS would render the statute void for vagueness, thus the Act had to be interpreted more narrowly to exclude TOS violations. (Kerr, 2009)

The defense also pointed out that even the cofounder of MySpace, Tom Anderson, violated the TOS in creating his profile. In late 2007, it was revealed that Anderson’s profile misrepresented his age in an apparent effort to seem younger. Professor Kerr opines that the larger point is that no one really treats TOS as if they govern access rights. He states that because they are written so broadly, most Internet users violate them regularly. Violating the TOS is the norm, complying with them the exception. Few people bother to read them, much less follow them. Internet users routinely click through such agreements on the assumption that they are legal mumbo jumbo that don’t impact what users are allowed to do. As a result, criminalizing TOS violations would for the most part give the government the ability to arrest anyone who regularly uses the Internet. Agents could set up a webpage, dontvisithere.gov, announce that no one could visit the webpage, and then swoop in and arrest anyone who did. (Kerr, 2009)

Judge Wu, presiding over the Drew case, partly agreed with the defense, stating that:

It is unclear that every intentional breach of a website’s terms of service would be or should be held to be equivalent to an intent to access the site without authorization or in excess of authorization. This is especially the case with MySpace and similar Internet venues which are publicly available for access and use. However, if every such breach does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. Given the “standardless sweep” that results, federal law enforcement entities would be improperly free “to pursue their personal predilections.” (Kerr, 2009)

Johnson goes on to elaborate on the disparity between MySpace being regulated by code and by contract. To summarize, the MySpace website is a public website regulated by contract, not a private website regulated by code: you must affirmatively agree to the TOS before being allowed to access and use the site. Johnson goes on to explain that the username and password requirement may appear to be a code-based protection, but it is not. It is merely a method of access, because the username and password system places no physical controls on access to the site. In the registration process Drew entered a name and a valid email address and then she, not MySpace, chose her own username and password for the site before clicking the “I agree” button for access. Johnson provides the analogy that this is like a bank allowing customers to mint their own key to the safe when they sign up for a checking account.

Code-based Interpretation

The code-based interpretation of the Act is fundamentally predicated on the functional operation of a computer. Access is unauthorized if the code-based protections, designed to limit a person’s use of the computer itself, were bypassed. This can occur through password crackers, injection attacks, exploits of software or computer protocols, and a host of other tactics, techniques, and procedures that grant a user access to a computer system to which he would otherwise not be privy.

The code-based interpretation can be traced back to the earliest CFAA cases involving authorization questions. For example, United States v. Morris invoked a close analogue to the code-based interpretation with its "intended function" test. In Morris, the Second Circuit held that a graduate student violated the CFAA by accessing computers without authorization because he used email and other programs in a manner not related to their intended function; his use instead located holes in the programs, giving him a special and unauthorized access route into other computers. Thus, the intended function test asks whether a user violated the intended function of a network or program to gain access not intended by the programmer or network administrator. The test is similar to a code-based interpretation of authorization because violation of the intended function is often done through technical means, such as by finding holes in programs, or bypassing passwords or other protection systems. (Field, 2009)

Enter the case of Internet prodigy Aaron Swartz, one of the most prominent Internet activists of modern times. Much of the discussion of the Swartz case resulted from Aaron’s suicide. Many argue that his suicide was a result of prosecutorial overreach, itself a result of the very vague wording not only of the law, but of the criminal triggers which allow one to be charged under the law. Swartz was facing more than thirty-five years in jail at trial, or six months in jail under a plea bargain. This alone raised eyebrows in the legal community.

There is much to this story about who Aaron was, his intentions and involvement in the Open Access movement, and his famous “Guerilla Open Access Manifesto”. Aaron had arguably done more by the age of 26 than many IT professionals, Internet activists, hackers, or others will do in their entire lifetimes. If we fast forward through Aaron’s life, from being a co-creator of RSS and one of the co-creators of Reddit, to helping start Creative Commons, Open Library, Watchdog.net, and the Progressive Change Campaign Committee, to founding Demand Progress, which successfully stopped two Internet censorship bills, SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act), we arrive at a point in time where Aaron was chiefly concerned with access to information, the central theme of the Open Access movement. Aaron’s “Guerilla Open Access Manifesto” sets the tone for the actions that led to his arrest and indictment under the Act. It reads in full:

Information is power. But like all power, there are those who want to keep it for themselves. The world’s entire scientific and cultural heritage, published over centuries in books and journals, is increasingly being digitized and locked up by a handful of private corporations. Want to read the papers featuring the most famous results of the sciences? You’ll need to send enormous amounts to publishers like Reed Elsevier.

There are those struggling to change this. The Open Access Movement has fought valiantly to ensure that scientists do not sign their copyrights away but instead ensure their work is published on the Internet, under terms that allow anyone to access it. But even under the best scenarios, their work will only apply to things published in the future. Everything up until now will have been lost.

That is too high a price to pay. Forcing academics to pay money to read the work of their colleagues? Scanning entire libraries but only allowing the folks at Google to read them? Providing scientific articles to those at elite universities in the First World, but not to children in the Global South? It’s outrageous and unacceptable.

“I agree,” many say, “but what can we do? The companies hold the copyrights, they make enormous amounts of money by charging for access, and it’s perfectly legal — there’s nothing we can do to stop them.” But there is something we can, something that’s already being done: we can fight back.

Those with access to these resources — students, librarians, scientists — you have been given a privilege. You get to feed at this banquet of knowledge while the rest of the world is locked out. But you need not — indeed, morally, you cannot — keep this privilege for yourselves. You have a duty to share it with the world. And you have: trading passwords with colleagues, filling download requests for friends.

Meanwhile, those who have been locked out are not standing idly by. You have been sneaking through holes and climbing over fences, liberating the information locked up by the publishers and sharing them with your friends.

But all of this action goes on in the dark, hidden underground. It’s called stealing or piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a ship and murdering its crew. But sharing isn’t immoral — it’s a moral imperative. Only those blinded by greed would refuse to let a friend make a copy.

Large corporations, of course, are blinded by greed. The laws under which they operate require it — their shareholders would revolt at anything less. And the politicians they have bought off back them, passing laws giving them the exclusive power to decide who can make copies.

There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.

We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. We need to fight for Guerrilla Open Access.

With enough of us, around the world, we’ll not just send a strong message opposing the privatization of knowledge — we’ll make it a thing of the past. Will you join us?

This, ultimately, led to an incident in Building 16 on MIT’s campus. As described in a press release from the U.S. Attorney’s Office for the District of Massachusetts, Aaron Swartz:

was charged in an indictment with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer.

The indictment alleges that between September 24, 2010, and January 6, 2011, Swartz contrived to break into a restricted computer wiring closet in a basement at MIT and to access MIT’s network without authorization from a computer switch within that closet. He is charged with doing this in order to download a major portion of JSTOR’s archive of digitized academic journal articles onto his computers and hard drives. JSTOR is a not-for-profit organization that has invested heavily in providing an online system for archiving, accessing, and searching digitized copies of over 1,000 academic journals. It is alleged that Swartz avoided MIT’s and JSTOR’s security efforts in order to distribute a significant proportion of JSTOR’s archive through one or more file-sharing sites.

The indictment alleges that Swartz’s repeated automatic downloads impaired JSTOR’s computers, brought down some of its servers, and deprived various computers at MIT from accessing JSTOR’s research. Even after JSTOR and MIT worked to block Swartz’s computers, Swartz allegedly returned with new methods for accessing JSTOR and downloading articles.

The indictment alleges that Swartz exploited MIT’s computer system to steal over four million articles from JSTOR, even though Swartz was not affiliated with MIT as a student, faculty member, or employee. In fact, during these events, Swartz was allegedly a fellow at a Boston-area university, through which he could have accessed JSTOR’s services and archive for legitimate research.

The press release goes on to quote United States Attorney Carmen M. Ortiz, who said (in defense of her actions), “Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.” Professor Lessig quips that this is insulting to both computers and crowbars, since this particular attorney is unable to tell the two apart. With respect to the harm done by each, Lessig opines, and rightly so, that computers are sometimes harmful whereas crowbars are always harmful. This is the essence of the digital divide.

Most pertinent to the Enterprise Information Security Architecture model, a review of the technical facts is not just warranted but necessary. Keep in mind that even though Aaron’s actions were arguably and convincingly part of an effort to free information, he was not charged with copyright crimes with respect to that information, but rather under the Act, which asks whether one accessed a computer or system without authorization or exceeded authorized access to a computer system.

Alex Stamos, a highly regarded security professional and expert witness for the defense of Aaron Swartz, conducted a neutral investigation. He reported his findings in a blog post titled “The Truth about Aaron Swartz’s ‘Crime.’” His findings on the technical facts underlying the charges on which Aaron was indicted under the Act read:

1. MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captive portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.

2. In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.

3. MIT also chooses not to prompt users of their wireless network with terms of use or a definition of abusive practices.

4. At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.

5. Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.

6. Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captive portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.

7. The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.

8. I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.

Stamos concludes that:

In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery. If I had taken the stand as planned and had been asked by the prosecutor whether Aaron’s actions were “wrong”, I would probably have replied that what Aaron did would better be described as “inconsiderate”. In the same way it is inconsiderate to write a check at the supermarket while a dozen people queue up behind you or to check out every book at the library needed for a History 101 paper. It is inconsiderate to download lots of files on shared wifi or to spider Wikipedia too quickly, but none of these actions should lead to a young person being hounded for years and haunted by the possibility of a 35 year sentence.
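The controls Stamos lists as missing in finding 4 (warning a repeat downloader, triggering a CAPTCHA on multiple downloads, requiring an account for bulk downloads) can be modelled as simple detection logic run over a web application’s access log. The following is an added example written for this page, not code from the paper, from Stamos, or from JSTOR; the log format, client addresses, user agents and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format (a constructed assumption about what the application logs):
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


class DownloadMonitor:
    """Sliding-window counter of successful PDF downloads per client.

    Escalation mirrors the controls Stamos describes as missing: warn the repeat
    downloader, then challenge with a CAPTCHA, then require an account for bulk
    downloads. The thresholds are constructed for this example.
    """

    ACTIONS = ("allow", "warn", "challenge", "require_account")

    def __init__(self, window_seconds=60, warn_at=10, challenge_at=25, account_at=40):
        self.window = timedelta(seconds=window_seconds)
        self.warn_at, self.challenge_at, self.account_at = warn_at, challenge_at, account_at
        self.history = defaultdict(deque)  # client key -> timestamps of recent PDF hits

    @staticmethod
    def client_key(rec):
        # Key on source IP and User-Agent: both are visible to the application,
        # unlike a MAC address, which only the local network layer can see.
        return (rec["ip"], rec["ua"])

    def observe(self, rec):
        """Record one request and return the action the application should take."""
        is_pdf = rec["method"] == "GET" and rec["path"].lower().endswith(".pdf")
        if not is_pdf or rec["status"] != "200":
            return "allow"
        hits = self.history[self.client_key(rec)]
        hits.append(rec["time"])
        while hits and rec["time"] - hits[0] > self.window:  # drop hits outside the window
            hits.popleft()
        count = len(hits)
        if count >= self.account_at:
            return "require_account"
        if count >= self.challenge_at:
            return "challenge"
        if count >= self.warn_at:
            return "warn"
        return "allow"


def worst_action_per_client(lines):
    """Run the monitor over log lines and return each client's most severe action."""
    rank = {a: i for i, a in enumerate(DownloadMonitor.ACTIONS)}
    monitor = DownloadMonitor()
    worst = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        key = monitor.client_key(rec)
        action = monitor.observe(rec)
        worst[key] = max(worst.get(key, "allow"), action, key=rank.__getitem__)
    return worst


def constructed_log():
    """Constructed sample: a scripted client fetching 45 PDFs in 45 seconds,
    and a browser user fetching three articles over six minutes."""
    base = datetime(2010, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(45):
        t = (base + timedelta(seconds=i)).strftime(TIME_FMT)
        lines.append(f'192.0.2.7 - - [{t}] "GET /stable/pdf/{1000 + i}.pdf HTTP/1.1" '
                     f'200 51200 "-" "curl/7.21.0"')
    for i in range(3):
        t = (base + timedelta(minutes=3 * i)).strftime(TIME_FMT)
        lines.append(f'192.0.2.9 - - [{t}] "GET /stable/pdf/{2000 + i}.pdf HTTP/1.1" '
                     f'200 51200 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for client, action in worst_action_per_client(constructed_log()).items():
        print(client, "->", action)
```

Run stand-alone, the scripted client escalates to "require_account" while the browser user stays at "allow", which is the application-layer control the finding says was absent.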

Lawrence Lessig also offers a unique perspective in a talk at Harvard Law School titled “‘Aaron’s Laws’ - Law and Justice in a Digital Age”. Regarding Aaron’s case, Lessig observes that there are two different sources of restriction on access and authorization: code and law. With the former you break code restrictions through “hacking”; with the latter you break contract restrictions through terms of service violations. US v. Nosal clarified that “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.

As Lessig articulates this disparity in his “Cyberlaw geek mode”: suppose a website owner publishes on a webpage (in HTML code) <H1>By using this site, you agree not to use the print screen command</H1>, and you then go and use the print screen command. You will not have committed a felony; you will merely have violated the terms of service, which, as the court pointed out in US v. Nosal, a website owner reserves the right to change at any time for any reason. Treating such violations as crimes would make everyday, common Internet usage subject to felony indictment at virtually any time.

However, if the webmaster uses a script, automated code to prevent or disable such a print screen command, such as this example provided by Lessig:

<script>
function blockError() { window.location.reload(true); return true; }
</script>
</head>
<body onload="setClipBoardData();">
YOU TRY TO COPY AND PASTE THIS SCREEN AND ALL THE ACTIVE SCREENS
</body>
</html>

and you then hack around this code so that you can use the print screen command, you have committed a felony.

The Nosal case led the prosecutors in Aaron’s case to drop the claim of “exceeded authorized access” in a superseding indictment. This left the question of whether Aaron had “unauthorized access” to the computer system or to MIT’s network. In this instance, as Lessig rightly points out, there is no case of traditional hacking here, a point also reinforced by Alex Stamos.

The short story of this saga is that when JSTOR implemented code restrictions to block the MAC address of Aaron’s computer, and Aaron subsequently spoofed his MAC address (presented a different MAC address in place of the one built into his computer’s network card), which is actually a common computer security practice for protecting computer systems, he was then alleged to have broken the law in violation of the Act. Unfortunately this precedent was never settled in court due to the suicide of Aaron Swartz. Aaron’s actions in this case were not obviously legal, but they were also not obviously illegal, according to Lessig. These are the two critical questions which needed to be addressed, and the inherent vagueness of the Act, built in by Congress, is not advantageous to resolving either.

This case raises many contemporary issues regarding the laws of cyberspace, the nature of cyberspace, and the intent behind a company’s network: whether its security posture is, at the very least, complicit in allowing access to resources that its policy may intend to restrict but its code does not.

Can one ever have unauthorized access, physically or digitally, to a network that is by its very design intended to be open to the public, even to the point of wiring closet doors not being locked? What about the ambiguous nature of “harm” in cyberspace? Is the effect of “hacking” kinetic or non-kinetic? Does it have a measurable, physical impact or detriment? What would that even mean? What kind of harm is done, and what of the circumstance where there is no harm? Does liberating information cause harm, especially in the absence of copyright violations?

Lessig concludes, in striking similarity to the progressive elaboration structure found in both the EA and EISA models, that “The harm in this case is ambiguous, leading the statute to be ambiguous, meaning the prosecutors have to tie the prosecution to the intent” (of Aaron’s alleged illegal actions under the Act).

This is the exact structure the EA and EISA models are built around, and in fact are designed to address. Recall that the EA and EISA are designed to provide a single framework to address requirements for each line of business in a corporation. Applying this approach to the Act, or to any law, the EA and EISA models would address these contextual issues across each subsection, provision, or charge. To a limited extent the basic EA structure is already in place, with Congress providing the strategy, the courts establishing precedent and thereby declaring the “business objectives”, and the prosecutors and defenders creating new ways to charge or clear people of crimes (technical solutions to company problems) according to judicial precedent (or within the scope of business goals). This ecosystem of course changes when Congress amends the law, as it has done several times with the Act, and after a careful reading of the detailed history of the Act, this has been done with striking similarity to an ITIL lifecycle, which is considered a micro-process within the EISA model itself.

AARON’S LAW

The larger frustration with this entire ordeal in Aaron’s prosecution was the obliviousness of the prosecutors: their obliviousness to the difference between actions in cyberspace, which sometimes cause harm, and actions in the real world, which always cause harm. What is needed are prosecutors who can tell the difference between the two and discern the ambiguity of what harm means in that environment. Aaron’s Law attempts to address just this issue.

Aaron’s Law, proposed by Representative Zoe Lofgren, would remove terms of service violations from the Act and from the Wire Fraud statute. Indeed, TOS violations have been a major point of contention and confusion throughout the history of the Act. The distinction is between what I tell you that you cannot do, and what I prevent you from doing through code or system security mechanisms. This is an issue the EA and EISA model, if applied, could help address tremendously.

The Electronic Frontier Foundation (EFF) even argues that, while it endorses Aaron’s Law, the bill does not go far enough. The EFF proposes reform in three “crucial elements”, quoted below:

1. Computer users must not face criminal liability for violating private agreements, policies, or duties.

Put simply, there should be no criminal penalties for violating the fine print written by a website or service. Users may face civil liability for violating those terms, or even criminal liability if they go on to do worse things like destroy data. But it is dangerous for a private one-sided contract to be enforceable upon punishment of severe criminal penalties at a prosecutor's whim.

2. If a computer user is allowed to access information, simply doing it in an innovative way must not be a crime.

As the CFAA is written today, users can expose themselves to criminal liability if they are authorized to access data, but do so while engaging in commonplace "circumvention" techniques like changing IP addresses, MAC addresses, or browser User Agent headers. But these "circumvention" activities can have great benefits: they can help protect privacy, ensure anonymity, and aid in testing security. Furthermore, technical barriers are sometimes put into place not to protect data or computers from intrusion at all. Quite often they are an accidental result of misconfigured servers or network equipment.

Apart from these accidents, technological barriers increasingly serve purposes far removed from preventing computer intrusion, such as giving people in one location a better price than people in another and blocking competitors from seeing information otherwise available to the general public. EFF's proposal would clarify that if access to data is already authorized, gaining that access in a novel or automated way is not a crime.

3. Penalties need to be proportionate to computer crime offenses.

As a general principle, minor violations of the CFAA should be punishable with minor penalties. As the law is currently written, first-time offenses can be too easily charged as felonies instead of misdemeanors. Our proposal would fix that.

Furthermore, several sections of the CFAA are redundant with other parts of the law, which lets prosecutors "double dip" to pursue multiple offenses based on the same behavior. And the stiff penalties for "repeat" offenses can be used to dole out harsher punishment for multiple convictions based on the same conduct. Our proposal would ensure that prosecutors can't count the same actions more than once to ratchet up the pressure for a plea bargain by threatening a defendant with decades of jail time.
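The distinction drawn above between what a site says you may not do and what it actually prevents you from doing, and the EFF’s point about changing a browser User-Agent header, can be made concrete. The following is an added example written for this page; it is not code from the paper, the EFF, or any real site. It simulates two request handlers: one that “gates” content on the client-supplied User-Agent string, and one that requires a server-verifiable credential. The handler names, the TOS text, the header names (X-User, X-Token) and the shared secret are all constructed for illustration. Only the User-Agent case from the EFF list is shown, but the same logic applies to any header the client itself writes (Referer, X-Forwarded-For, cookies the server never issued): such a check records what the client asserts, not a control the server enforces.

```python
"""Code vs. contract: a User-Agent gate versus a real access check.

Added example for this page (not the paper's or the EFF's code).
Everything here is constructed: the 'site', its TOS text, the header
names and the shared secret.
"""
import hashlib
import hmac

# Constructed: the secret shared only between the server and authorized clients.
_SERVER_SECRET = b"constructed-demo-secret"

# Constructed TOS text: a private, one-sided rule, enforced by nothing in code.
TOS_TEXT = "By using this site you agree not to access it with automated tools."


def sign_token(secret: bytes, user: str) -> str:
    """Server-issued credential: an HMAC-SHA256 over the user id (constructed scheme)."""
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()


def ua_gated_handler(headers: dict) -> tuple[int, str]:
    """A 'barrier' that only inspects the client-supplied User-Agent string.

    The client chooses this header, so the server enforces nothing here;
    the check merely restates the TOS in code the client can satisfy at will.
    """
    ua = headers.get("User-Agent", "")
    if "Mozilla" not in ua:
        return 403, "Browsers only (see TOS)"
    return 200, "public dataset"


def token_gated_handler(headers: dict) -> tuple[int, str]:
    """A real access control: the request must carry a credential the server
    can verify, regardless of what the client claims to be."""
    user = headers.get("X-User", "")
    presented = headers.get("X-Token", "")
    expected = sign_token(_SERVER_SECRET, user)
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not user or not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, "credential required"
    return 200, f"private data for {user}"


def demo() -> dict:
    """Run both handlers against a plain script, a script with a spoofed
    browser User-Agent, and a client holding a valid credential."""
    script = {"User-Agent": "python-requests/2.28"}                 # constructed
    spoofed = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}    # constructed
    bad_cred = {**spoofed, "X-User": "alice", "X-Token": "00" * 32}
    good_cred = {"X-User": "alice", "X-Token": sign_token(_SERVER_SECRET, "alice")}
    return {
        "ua_gate_script": ua_gated_handler(script)[0],        # 403: blocked by the string
        "ua_gate_spoofed": ua_gated_handler(spoofed)[0],      # 200: one header edit 'circumvents' it
        "token_gate_spoofed": token_gated_handler(spoofed)[0],  # 401: the UA is irrelevant here
        "token_gate_bad": token_gated_handler(bad_cred)[0],     # 401: wrong credential
        "token_gate_good": token_gated_handler(good_cred)[0],   # 200: server-verified access
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The point for the legal argument is visible in the status codes: the User-Agent gate is defeated by editing a string the client already controls, so treating that edit as “exceeding authorization” criminalizes a choice of header value, whereas the credential check fails regardless of how the client identifies itself and succeeds only with something the server issued. Security engineers draw the same line for a different reason: a check on client-asserted data is not an access control and should never be the thing standing between a user and sensitive data.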

Whatever balance is struck, if any, between Representative Lofgren’s proposal and the EFF community’s efforts, both must work toward a much narrower interpretation of the law, shift the balance of computer-crime enforcement away from corporations and overzealous prosecutors, and address the obliviousness plaguing the entire legal system. It could not be clearer or more warranted that more context is needed in the Act or its subsequent amendments. Further research into the effect of the EA and EISA models on effective cyber-lawmaking appears to be a viable approach deserving genuine consideration and careful analysis.

REFERENCES

Field, K. M. (2009). Agency, Code, or Contract: Determining Employees’ Authorization Under the Computer Fraud and Abuse Act. Michigan Law Review.

Galbraith, C. (2004). Access Denied: Improper Use of the Computer Fraud and Abuse Act to Control Information on Publicly Accessible Internet Websites. Maryland Law Review.

Johnson, N. R. (2009). “I Agree” to Criminal Liability: Lori Drew’s Prosecution under § 1030(a)(2)(C) of the Computer Fraud and Abuse Act, and Why Every Internet User Should Care.

Kerr, O. S. (2009). Vagueness Challenges to the Computer Fraud and Abuse Act. Minnesota Law Review.

Legal Information Institute. (n.d.). 18 USC § 1030 - Fraud and related activity in connection with computers. law.cornell.edu. Retrieved April 30, 2013, from http://www.law.cornell.edu/uscode/text/18/1030

Pollaro, G. (2010). Disloyal Computer Use and the Computer Fraud and Abuse Act: Narrowing the Scope. Duke Law & Technology Review.
