Posted By: Tammy Thibodeau
In Aaron Swartz’s superseding indictment the government alleged Swartz, accessed JSTOR and the MIT network “without authorization.” (United States v. Aaron Swartz, Crim. No. 11-CR-10260-NMG, 3, Sept. 12, 2012). Swartz had accessed the MIT network (and computers) four times “without authorization” after being blocked in three separate incidents. (Id.). Further, JSTOR’s software configuration enables computerized measures to block automated downloads of large amounts of articles. (Id. at 2). All of Swartz’s conduct violated the Computer Fraud and Abuse Act (CFAA) under both definitions of access; “exceeds authorized access” and “without authorization.” (18 U.S.C. § 1030(e)(6) (2008)).
Swartz had the ability to access JSTOR legitimately through Harvard, but that access came with restrictions. (Id.). Swartz went to MIT and accessed its network through guest network access set up. (Id.). But a condition to using the MIT guest network a user had to identify himself with an email address. (Id.).
Swartz first circumvented JSTOR’s database by downloading beyond the limits allowable by JSTOR. (Id. at 5). Once JSTOR and MIT knew of the breach, they blocked Swartz’s individual computer by banning his computer assigned IP address. (Id.). Swartz’s second attempt to circumvent, he changed the assigned IP address, and again started to download large amounts of data which was again blocked. (Id. at 7). Once JSTOR recognized the same problem, they contacted MIT and MIT canceled the new account and banned Swartz’s computer MAC address. As Swartz tried for the third time to circumvent the blocks at MIT, he purchased a new laptop and spoofed the old computers MAC address, using both computers to pull data. (Id.). During this connection, Swartz managed to download a sizeable amount of data, in which JSTORE responded by blocking access for several days to the entire MIT campus. (Id. (emphasis added)).
After the first three restrictions continued to cut-off access, all three were done wirelessly, Swartz physically accessed an unlocked restricted network closet within an MIT building and proceeded to connect his computers directly into MIT’s non-public network. (Id. at 8 (emphasis added)). Then Swartz manually assigned two IP addresses for the two laptop computers. In other words, he bypassed permission from the MIT network by never asking for a new IP address and thus, MIT could never deny the computer requests coming from his laptops. (Id. (emphasis added)). Because Swartz hard wired the laptops into the network and manually assigning the IP numbers neither MIT nor JSTOR could cut-off access as easily in the first three attempts. To isolate and disconnect the rogue computer, MIT would first need to physically find the port which Swartz connected to and disable that port. It took MIT roughly two months to find the rogue computer on the network, which meant MIT had to isolate and locate one computer among many hundreds of computers. MIT accomplished this by tracing the large volume of data requested to individual switches from building to building, from floor to floor in order to isolate the offending (or Swartz’s) computer. Even though the superseding indictment does not state that during this fourth attempt Swartz changed the laptops MAC addresses, it is highly likely because the third attempt to retrieve data would have recorded the MAC address and thus, that MAC address would have been blocked in this fourth attempt.
Swartz’s last and final attempt to circumvent happened after Swartz removed the computer from the unlocked restricted network closet.(Id). Swartz connected to the MIT network from a different building by once again spoofing the MAC address of the computer, which gave the laptop a new IP address. (Id. at 9 (emphasis added)). However, on this occurrence Swartz did not download any data from JSTOR.
Did Swartz access the MIT network without authorization or exceed his authorized access within the scope of the CFAA? Congress’s defined “exceeds authorized access” in Section 1030(e)(6), some courts have held to the broader interpretation of the CFAA, such as the purpose for which a computer or information is accessed is relevant to the inquiry of whether the accused exceeded his authorized access. (Orrin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1641-42 (2003)). Congress’s primary purpose for the CFAA “was to create a cause of action against computer hackers (e.g., electronic trespassers).” (Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d. 479, 495 (D. Md. 2005) (quoting Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, 820 (E.D. Mich. 2000)). As the House Report explained, the bill was aimed largely at hackers who “trespass into” computers: “[T]he conduct prohibited is analogous to that of ‘breaking and entering’ rather than using a computer (similar to the use of a gun) in committing the offense.” (H.R. Rep. No. 98-894, 20, 1984 U.S.C.C.A.N. 3689, 3705). Thus, the legislative history of the definition of “exceeds authorized access” under the CFAA, intended only to criminalize those who strayed beyond the technical authorization given. It did not intend to criminalize those who used a computer for an improper purpose, even if that use amounted to a criminal offense.
Since Congress did not define the phrase “without authorization,” perhaps assuming that the words speak for themselves; but that definition “has proven to be elusive.” (EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n. 10 (1st Cir. 2007)). One of the first criminal decisions under the CFAA was in Morris, the defendant a programmer at Cornell released a worm from a computer at MIT, to prove the internet had serious security holes. (United States v. Morris, 928 F. 2d 504, 506-507 (2d Cir. 1991)). Morris used a computer which he had been given authority to access; however, he used it to send out a damaging “worm” that spread and infected computers throughout the US. Morris’ access was without authorization because (1) “he found holes in . . . [the] programs that permitted him a special and unauthorized access route into other computers;” (2) he lacked authorization to other computers; and (3) his gaining access was unauthorized. (Id. at 507-10). The Courts rational was Morris misused the functions available to him in an unintended way. For purposes of access without authorization, a person may have authorization to access certain networks or computers but not others, in which he will be treated as an outsider. (Id. at 507-10).
A more narrow approach in Aleynikov, the defendant, a Goldman Sachs computer programmer copied, encrypted and transferred hundreds of lines of Goldman Sachs’ source code, which he later gave to his new employer. (United States v. Aleynikov, 737 F. Supp. 2d 173, 174-75 (S.D.N.Y. 2010)). The defendant was authorized to access the Goldman computer he accessed and to access the source code he accessed, though Goldman Sachs required each computer programmer to sign a confidentiality agreement and limited access to its source code to those employees who have reason to access it. (Id. at 190-91). The defendant was indicted for unauthorized access and exceeding authorized access. (Id.). The defendant moved to dismiss the CFAA count of the indictment, arguing that the CFAA “does not encompass an employee’s misuse or misappropriation of information that the employee has authority to access.” (Id. at 191). The court granted the motion to dismiss the CFAA count of the indictment and held that “a person who ‘exceeds authorized access’ has permission to access the computer, but not the particular information on the computer that is at issue.” (Id. at 191-92). The court explained, “[w]hat use an individual makes of the accessed information is utterly distinct from whether the access was authorized in the first place.” (Id.) Even though, “the individual uses information on a computer in a manner contrary to the information owner’s interest would therefore require a departure from the plain meaning of the statutory text.” (Id. at 192) The court further explained that the interpretation of the CFAA was consistent with statutory text, the overall purpose and the legislative history of the section. (Id. at 192-93 & n. 23).
A similar result in LVRC Holdings L.L.C. v. Brekka. (LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009). Even though, Brekka is a civil case the Court notes, it interpretation “is equally applicable in the criminal context.” Id. at 1134). An employer brought an action against a former employee under the CFAA, alleging that the former employee exceeded authorized access when he emailed documents to himself and his wife “to further his own personal interests, rather than the interests of [his employer].” (Id. at 1132). The Ninth Circuit determined that an employee does not exceed authorized access to a computer by accessing information unless the employee has no authority to access the information under any circumstances. The Court interpreted the CFAA “which gives effect to both the phrase ‘without authorization’ and the phrase “exceeds authorized access”: a person who intentionally accesses a computer without authorization, accesses a computer without any permission at all, while a person who “‘exceeds authorized access,’ has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” (Id.)
The newest decision in Nosal, interprets the distinction between access and use. In Nosal, a former employee used current employee’s accounts, to access the employer’s computer system to obtain trade secrets and other proprietary information. (United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)). The employer placed several limitations on its employees’ access of its system, including a restriction on the use or disclosure of all information available on that system, except for legitimate company business. (Id. & n. 1). The en banc Ninth Circuit affirmed the district court’s dismissal of the CFAA counts against the defendant. (Id. at 858). The court held that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” (Id.) The Ninth Circuit further stated, “that the phrase ‘exceed authorized access’ in the CFAA does not extend to violations of use restrictions,” but rather to “hacking-the circumvention of technological access barriers.” (Id.). The Court also noted that the interpretation of “exceeds authorized access” to be most consistent with the statutory text and structure of the CFAA, as well as the legislative history of the statute. (Id.). The Court stated that “[t]he [prosecution’s] interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute” and thus, “makes every violation of a private computer use policy a federal crime.” (Id. at 855-56) And therefore, the Court in Nosal declined to follow an expansive reading of the CFAA statute.
Similar to Morris, Swartz worked at another academic institution and used the MIT network and computers to facilitate his actions. Like Morris, Swartz had authorization to access the MIT computer system, which he misused. Unlike Morris, Swartz only had guest access to the MIT network solely based upon the condition he gave his real identity upon registration,but he falsely provided a different identity to gain access. Similarly Swartz misused the network, but not to the same degree as Morris, Swartz downloaded four million articles from the JSTOR database. Here, Swartz had initial authorization to access the MIT network but he did not have authorization to misuse the functions of JSTOR. Thus, Swartz would be treated as an outsider and without authorization and criminally culpable.
According to the Ninth Circuit in Nosal, a person or an employee who has authorization to access information but abuses that access is not culpable under the CFAA. Rather, the Nosal court interpreted “without authorization . . . [to] apply to outside hackers (individuals who have no authorized access to the computer at all)and “exceeds authorized access” would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).” (Id. at 858). Here, under Nosal, Swartz would still be viewed as an outside hacker because he initially had authorization to use the network, but his access was revoked, and therefore his further access to the MIT network exceeded his authorized access. Hence, under Nosal, Swartz exceed his authorized access and, again, might be seen as criminally culpable.
Along with Swartz’s technological access restrictions, Swartz physically accessed an unlocked non-public network closet and hard wired directly into the MIT network. The physical access can be argued as either an inside or outside hacker. On one hand, Swartz’s conduct against the non-public MIT network closet may be classified as an outside hacker because he had neither authorized access to the network closet nor the permission from MIT for use of the non-public network. Thus, Swartz had no authorized access to the computer servers at MIT or JSTOR and his actions were without authorization and criminally culpable. On the other hand, it is arguable since the CFAA only restricts access and not use, and since Swartz’s physical access was not restricted by the definition of the CFAA, the network closet was unlocked. Then by extension of Nosal, Swartz’s conduct could be labeled as an inside hacker who exceeded his authorized access and not criminally culpable. However, just because the door was unlocked, the act of wiring was a trespass and not an authorized method to obtain access to the network and thus, he exceeded his authorized use. Thus, Swartz is still criminally culpable.
Based on these court decisions Swartz was “without authorization” and exceeded his authorized access on the condition he gave his identity upon registration, in which he falsely provided to gain access and he circumvented a technological barrier both on MIT’s network and within JSTOR’s software. For example, MIT and JSTOR used several technological measures to restrict access by Swartz’s computer access to the MIT network and JSTOR’s computerized measures. Swartz’s purposefully changed his IP address and altered the computers MAC address to conceal its identity and work around those measures. However, the CFAA does not create a criminal count based on bypassing a technological barrier; nor does it define what constitutes a “technological barrier.” On that basis, blocking an IP address should not be covered as “without authorization” under the CFAA. Further, changing an IP address is a relatively easy effort, and does not require the malicious intent implied by “hacking.” Nonetheless, even if Swartz’s intentions were benign, this conduct created possible criminal culpability under the CFAA. The government’s theory in the Aaron Swartz case therefore did not rely solely on exceeding the Terms of Service for the JSTOR database or the MIT network, as popularly thought.