By Christie Thompson, ProPublica, Jan. 18, 2013
When Reddit co-founder and internet freedom activist Aaron Swartz committed suicide last Friday, he was facing up to 13 felony counts, 50 years in prison, and millions of dollars in fines. His alleged crime? Pulling millions of academic articles from the digital archive JSTOR.
Prosecutors allege that Swartz downloaded the articles because he intended to distribute them for free online, though Swartz was arrested before any articles were made public. He had often spoken publicly about the importance of making academic research freely available.
Other online activists have increasingly turned to computer networks and other technology as a means of political protest, deploying a range of tactics — from temporarily shutting down servers to disclosing personal and corporate information.
Most of these acts, including Swartz's downloads, are criminalized under the federal Computer Fraud and Abuse Act (CFAA), an act that was designed to prosecute hackers. But as Swartz's and other "hacktivist" cases demonstrate, you don't necessarily have to be a hacker to be viewed as one under federal law. Are activists like Swartz committing civil disobedience, or online crimes? We break down a few strategies of "hacktivism" to see what is considered criminal under the CFAA.
Accessing and downloading documents from private servers or behind paywalls with the intent of making them publicly available.
Swartz gained access to JSTOR through MIT's network and downloaded millions of files, in violation of JSTOR's terms of service (though JSTOR declined to prosecute the case). Swartz had not released any of the downloaded files at the time his legal troubles began.
The most famous case of publishing private documents online may be the ongoing trial of Bradley Manning. While working as an intelligence analyst in Iraq, Manning passed thousands of classified intelligence reports and diplomatic cables to Wikileaks, to be posted on their website.
"I want people to see the truth… regardless of who they are… because without information, you cannot make informed decisions as a public," Manning wrote in an online chat with ex-hacker Adrian Lamo, who eventually turned Manning in to the Department of Defense.
Both Swartz and Manning were charged under a section of the CFAA that covers anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer…"
The charges hinge on an interpretation of this section that says anyone in violation of a website's terms of service is an unauthorized user. Because they're unauthorized, all of their activity on that website could therefore be considered illegal. Both were charged with felonies under the CFAA, on top of other allegations.
The Ninth and Fourth Circuit Courts of Appeals have ruled that such an interpretation of the CFAA casts too wide a net. With the circuit courts divided over whether a broad definition of "unauthorized" is constitutional, it may fall on the Supreme Court to ultimately decide.
Assistant U.S. Attorney Steve Heymann of Massachusetts was the lead prosecutor in Swartz's case. (He was known for winning a 2010 case that landed hacker Albert Gonzalez 20 years in prison.) Heymann offered Swartz a plea bargain of six months in prison but Swartz's defense team rejected the deal, saying a felony and any time behind bars was too harsh a sentence. Swartz's family blamed his death in part on "intimidation and prosecutorial overreach."
As a result of Swartz's suicide, some lawmakers are now calling for a review of the CFAA. On Tuesday, Rep. Zoe Lofgren (D-Calif.) proposed a piece of legislation called "Aaron's Law," which would amend the law to explicitly state that merely violating a site's terms of service cannot fall under the federal CFAA.
Distributed Denial of Service
A Distributed Denial of Service, or DDoS attack, floods a web site's server with traffic from a network of sometimes thousands of individual computers, making it incapable of serving legitimate traffic.