“The Cyber” Part II: Cybersecurity Research and the Role of the Enforcer
Written by Chris Calabrese
(This blog is part of a continuing series on the legal and policy issues surrounding security research. For an overview of all the issues please see our recent paper, titled “The Cyber: Hard Questions in the World of Computer Security Research.” For previous posts in this series, click here.)
Before commenting on the role that prosecutorial discretion plays in limiting a chill on computer security research, it’s important to note that actual prosecutions of security researchers for conduct undertaken as security research are extremely infrequent. The high-profile “Weev” case in 2011 is probably the most notable exception.
That said, there are no reliable statistics on the number of inquiries or investigations opened by the FBI (the proverbial “knock on the door”). Further, as can be seen in the Aaron Swartz case, two aspects of the Computer Fraud and Abuse Act (“CFAA”) – vagueness in the trigger for criminal liability in the law and potential for very severe penalties under multiple charges arising from the same course of conduct – suggest that the concerns many security researchers have expressed about potential liability under the CFAA remain reasonable.
It’s now more than four years since Swartz’s tragic suicide, following the refusal of the U.S. attorney’s office in Massachusetts to agree to a plea deal without any jail time. Swartz, a programmer and activist, had been accused of a series of computer crimes in trying to download academic articles en masse from the JSTOR repository using MIT’s systems.
The facts of the case have been exhaustively detailed, most notably in a formal report commissioned by MIT’s president to look into the school’s handling of the case (which was highly critical of the current state of the CFAA). But, basically, Swartz was accused of plugging a laptop into a server in an MIT closet, covering it with a box, and leaving it to automatically download articles from JSTOR’s databases.
The government alleged that Swartz had done so with the intent of releasing the articles publicly, though the MIT report includes reports that Swartz liked to collect large datasets for various reasons. Some suggested, as he had done previously with Westlaw, that he wanted to run a program on the dataset to determine how much of the research in JSTOR’s proprietary database had been funded through public money.
In any event, a couple of points about the Swartz case are relevant when looking at prosecutorial discretion in the CFAA context. One, JSTOR declined to press a civil suit against Swartz after he returned the articles he had downloaded. Two, despite JSTOR (who had actually had servers taken offline by the automated downloading) wanting to let the matter drop, the U.S. attorney in Massachusetts persisted with a multi-count case against Swartz.
Indeed, as detailed in the MIT report, the U.S. attorney sought a superseding indictment 14 months after the initial complaint, expanding the initial four count indictment to 13 felony counts: two counts of wire fraud and 11 counts of violating the CFAA, all based on the same course of conduct (plugging the laptop into the server in the closet and running a download script). Although unlikely to have been handed down, the maximum sentence faced by Swartz rose to almost 100 years in prison and $3 million in fines.
Prosecutors have extensive discretion in designing an indictment. They could have chosen to collapse the charges into only a few, or, as they did, to expand them accordion-like to charge multiple discrete elements of the offense separately. This is generally the case with numerous statutes, though the CFAA is particularly susceptible to such “stacking” because multiple provisions can cover the same underlying alleged crime.
The practical effect in the Swartz case, however, was to dramatically ratchet up the pressure on Swartz. Prosecutors also refused to entertain a plea without jail time, or to permit Swartz to plead to a misdemeanor. According to Swartz’s attorney, during these plea discussions he warned prosecutors that Swartz was a suicide risk – in large part because of the prosecution – to which the prosecutor responded “that the office could have him locked up,” presumably under suicide watch. (See page 40 of the MIT president’s report.) Swartz hanged himself on Jan. 11, 2013, two years after his arrest. Aaron was a colleague and mentor to a number of us at CDT, and part of what drives us to seek solutions here is precisely that we do not want to lose young, promising researchers.
Interestingly, a year later, then-Attorney General Eric Holder issued an intake and charging policy for computer crime matters (which was released publicly in 2016). The memorandum acknowledges that “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes,” but states that the CFAA remains an important tool for prosecutors. Helpfully, it also acknowledges the importance of consistent enforcement and of the public understanding how the law is enforced.
To that end, it lays out a non-exhaustive list of factors to be considered by prosecutors in determining whether to bring charges. Many of these factors are vague, such as “the sensitivity of the affected computer system,” the “impact on the victim or other third parties,” or the “deterrent value of a prosecution.”
The memorandum, however, does have two important instructions for U.S. attorneys.
One, it clarifies that a prosecutor must be prepared to prove that, for an “exceeds access authorization” violation of the CFAA (also a significant source of confusion), the defendant accessed information that she was not entitled to access, in contrast to merely misusing information that was fair game to access.
Two, and more importantly, the charging attorney for the government is required to consult with authorities in Washington before seeking an indictment. Attorneys in the computer crime section at the Justice Department are likely to have the technical expertise and practical experience to better prevent overcharging (though this is by no means a panacea).
In CDT’s white paper, we look at whether there are other steps the Department of Justice, in particular, could take to improve the consistency and fairness of CFAA prosecution and avoid any repeat of something like the Swartz case. For instance, we ask whether the DOJ could release more detailed guidance (similar to, for instance, regulations governing foreign investment review at the Treasury Department) with illustrative examples of cases where security research will not prompt investigation or prosecution. Such guidance could, for instance, carve out activity like internet scanning or the collection of publicly available information on the internet (similar to the Weev case).
The recent rise in cybercrime vividly calls for law enforcement intervention. The Aaron Swartz case, however, shows that, just because the prosecution involves computers, technology, and “the cyber,” the consequences are real and human. Prosecution must be consistent and fair, and punishment humane and just. Partnership with federal law enforcement is a crucial element of meeting this challenge while also properly preventing and punishing cybercrimes.
For more on this and other hard questions in security research, see CDT’s recent white paper here.