On January 11, 2013, young internet prodigy Aaron Swartz hanged himself in his Brooklyn apartment. Swartz may not have the instant name recognition of Steve Jobs or Mark Zuckerburg, but at just twenty-six years old, he had amassed an impressive list of achievements. As a teenager, Swartz worked on RSS, developed new standards to support the semantic web, helped create the news aggregation site Reddit, became a digital activist who founded Watchdog.net and Demand Progress, and actively campaigned against the Stop Online Piracy Act. Many believe, including friends and family, that Aaron’s suicide was caused by an ongoing federal criminal action against him under the Computer Fraud and Abuse Act (CFAA) for “hacking” MIT’s network and downloading millions of academic articles from the scholastic database JSTOR. Swartz allegedly planned to distribute these articles on peer-to-peer networks for free. If convicted, Swartz faced over thirty-five years in federal prison. JSTOR itself did not support the prosecution.
Aaron Swartz’s tragic death has brought popular attention to a movement to reform the CFAA. Activists like the Electronic Frontier Foundation’s Trevor Timm argue that a new generation of tech wunderkinds are being dissuaded from the kinds of fringe activities that allowed industry leaders like Steve Jobs, Bill Gates, and Mark Zuckerberg to get their feet wet before founding companies that changed the world. But what sort of impact could a law that targets hackers really have on the development of technology and new intellectual properties?
Last week, twenty-seven-year-old Andrew “weev” Auernheimer was sentenced to 41 months in prison and over $70,000 in restitution damages for finding a security hole in AT&T’s database systems and releasing over one hundred thousand exposed e-mail addresses of iPad owners to Gawker.com. Granted, Auernheimer is a less sympathetic individual than Swartz, but as critics have pointed out, Auernheimer’s actions ultimately amounted to simply accessing public data, even if that data was intended to be private.
Many laypersons would probably consider this a distinction without a difference. After all, Auernheimer exposed private data that he was never meant to access. However, it is this broad interpretation of the CFAA’s “exceeding authorized access” language that proves Timm’s premise: using the CFAA to prosecute individuals simply for breaching a company’s private terms of service is bad for business. Many who got their start in the tech-world’s hacking gray zone were the creators of some of today’s most iconic tech companies, including Apple’s Steve Jobs, Microsoft’s Bill Gates, Facebook’s Mark Zuckerberg, and Twitter’s Jack Dorsey. They would arguably be felons under this aggressive interpretation of the CFAA. Indeed, such a hard-line approach to hacking exposes even relatively harmless acts to prosecution, and exposure is really all that matters.
Whether or not prosecutors will actually use the CFAA to pursue the next Steve Jobs is beside the point. The growing perception among tech enthusiasts is that if they are not careful, they could end up like Aaron Swartz. This seems to be exactly the reaction federal prosecutors wanted. However, testing boundaries leads to innovation. To punish and vilify pushing those boundaries may curb “hacking,” but it could also stifle creativity and perhaps do unforeseeable harm to the development of new and exciting ideas in technology for years to come.
* Alan Guffy is an associate attorney at Jenny Horne Law Firm, LLC in Summerville, SC. Alan has earned a J.D. from Wake Forest University School of Law and a Bachelor’s in Economics & History from Wofford College. Alan has been admitted to the North Carolina Bar and his South Carolina Bar admission is pending. He is a member of the Intellectual Property Law sections of the North Carolina Bar Association and the American Bar Association. He is currently developing his practice in intellectual property and technology law.