Legislation of Privacy, the CFAA, and the Death of Aaron Swartz

 The quick version is this: Aaron Swartz was a digital crusader who helped create Really Simple Syndication (RSS), was among the founders of Reddit, and was considered a friend and compatriot by the likes of Larry Lessig. He snuck into MIT and used their JSTOR account to download a bunch of documents, which he allegedly intended to release for free. Before he did so, things went pear-shaped and he returned the documents to JSTOR, which elected not to press charges. But the U.S. Attorney for Massachusetts wanted to make an example of Swartz, and indicted him under the Computer Fraud and Abuse Act for a variety of different federal felonies. On January 11, 2013, eighteen months after his indictment, and facing the possibility of a decades-long stay in federal prison, Swartz committed suicide by hanging himself. Before his death, the New York Times called Swartz an “Internet folk hero.” Since his death he has certainly become a martyr.

There’s a lot to talk about here. Perhaps of most immediate importance is prosecutorial discretion, and a lot is being said about it: just last Monday, January 28, the chair and the ranking member of the House Committee on Oversight and Government Reform published a letter to Eric Holder seeking information on the propriety of the U.S. Attorney’s Office’s conduct. But at least as important in the long-run, and for the purposes of this blog, are the implications vis-à-vis computer privacy law writ large.

The CFAA was an early attempt to fill gaps in the common law of theft, broadly understood, to cope with the perceived threat posed by black-hat hackers and other cyber-criminals. But it also is properly understood as a computer privacy law, forbidding unauthorized access to protected computers. It was passed in 1984, and although it has been revised a number of times, by today’s standards its provisions are clunky and poorly defined. The prosecutorial overreach which has been the focus of most of the commentary to address Swartz’s death was only possible because of the well documented ambiguities of the statutory language.

There is an important lesson for us here. As more and more of our society is comprised of digital natives, norms are developing about what data “should” be private—and pressure is mounting to match those norms to legislative action. At the same time, traditional business and legal models are crumbling under the onslaught of technology, and norms are emerging about intellectual property and other information (one thinks of government transparency through agency procedures as well as FOIA) and the degree to which it “should” be public. These two trends are headed for a nasty collision on the floor of Congress and the state legislatures. As attorneys, the death of Aaron Swartz should serve to remind us of the potential consequences inadequate legislation, and the distinct professional, moral, and political interests in clear laws with proportionate remedies or punishments.

The CFAA is an excellent example of what happens when laws are passed by people who don’t understand what they are regulating. Until the advance of computer technology slows, there is every reason to assume a similar disconnect between any legislative body and the circumstances in which its laws will be applied. As we consider whether and what role statutory law has in a world of increasing technological saturation, and how privacy should be protected within our society, we must keep in mind the dangers of overzealous or underdeveloped efforts to protect privacy by regulating conduct that cannot yet be fully understood, because it does not yet exist. 

Edit: Formatting.