When Reddit co-founder and internet freedom activist Aaron Swartz committed suicide, he was facing up to 13 felony counts, 50 years in prison, and millions of dollars in fines. His alleged crime? Pulling millions of academic articles from the digital archive JSTOR.
Prosecutors allege that Swartz downloaded the articles because he intended to distribute them for free online, though Swartz was arrested before any articles were made public. He had often spoken publicly about the importance of making academic research freely available.
Other online activists have increasingly turned to computer networks and other technology as a means of political protest, deploying a range of tactics — from temporarily shutting down servers to disclosing personal and corporate information.
Most of these acts, including Swartz’s downloads, are criminalized under the federal Computer Fraud and Abuse Act (CFAA), an act was designed to prosecute hackers. But as Swartz’s and other “hacktivist” cases demonstrate, you don’t necessarily have to be a hacker to be viewed as one under federal law. Are activists like Swartz committing civil disobedience, or online crimes? We break down a few strategies of “hacktivism” to see what is considered criminal under the CFAA.
Publishing Documents
Accessing and downloading documents from private servers or behind paywalls with the intent of making them publicly available.
Swartz gained access to JSTOR through MIT’s network and downloaded millions of files, in violation of JSTOR’s terms of service (though JSTOR declined to prosecute the case). Swartz had not released any of the downloaded files at the time his legal troubles began.
The most famous case of publishing private documents online may be the ongoing trial of Bradley Manning. While working as an intelligence analyst in Iraq, Manning passed thousands of classified intelligence reports and diplomatic cables to Wikileaks, to be posted on their website.
“I want people to see the truth… regardless of who they are… because without information, you cannot make informed decisions as a public,” Manning wrote in an online chat with ex-hacker Adrian Lamo, who eventually turned Manning in to the Department of Defense.
Both Swartz and Manning were charged under a section of the CFAA that covers anyone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer…”
The charges hinge on an interpretation of this section that says anyone in violation of a website’s terms of service is an unauthorized user. Because they’re unauthorized, all of their activity on that website could therefore be considered illegal. Both were charged with felonies under the CFAA, on top of other allegations.
The Ninth and Fourth Circuit Court of Appeals have ruled that such an interpretation of the CFAA casts too wide a net. With the circuit courts divided over whether a broad definition of “unauthorized” is constitutional, it may fall on the Supreme Court to ultimately decide.
Assistant U.S. Attorney Steve Heymann of Massachusetts was the lead prosecutor in Swartz’s case. (He was known for winning a 2010 case that landed hacker Albert Gonzalez 20 years in prison.) Heymann offered Swartz a plea bargain of six months in prison but Swartz’s defense team rejected the deal, saying a felony and any time behind bars was too harsh a sentence. Swartz’s family blamed his death in part on “intimidation and prosecutorial overreach.”
As a result of Swartz’s suicide, some lawmakers are now calling for a review of the CFAA. On Tuesday, Rep. Zoe Lofgren (D-Calif.) proposed a piece of legislation called “Aaron’s Law,” which would amend the law to explicitly state that merely violating a site’s terms of service cannot fall under the federal CFAA.
Distributed Denial of Service
A Distributed Denial of Service, or DDoS attack, floods a web site’s server with traffic from a network of sometimes thousands of individual computers, making it incapable of serving legitimate traffic.
In 2010, the group Anonymous attempted to overload websites for PayPal, Visa and Mastercard after the companies refused to process donations to Wikileaks. Anonymous posted their “Low Orbit Ion Canon” software online, allowing roughly 6,000 people who downloaded the program to pummel the sites with traffic.
A DDoS attack can be charged as a crime under the CFAA, as it “causes damage” and can violate a web site’s terms of service. The owner of the site could also file a civil suit citing the CFAA, if they can prove a temporary server overload resulted in monetary losses.
Sixteen alleged members of Anonymous were arrested for their role in the PayPal DDoS, and could face more than 10 years in prison and $250,000 in fines. They were charged with conspiracy and “intentional damage to a protected computer” under the CFAA and the case is ongoing.
Some web activists have pressed for DDoS to be legalized as a form of protest, claiming that disrupting web traffic by occupying a server is the same as clogging streets when staging a sit-in. A petitionstarted on the White House’s “We the People” site a few days before Swartz’s death has garnered more than 5,000 signatures.
“Distributed denial-of-service (DDoS) is not any form of hacking in any way,” the petition reads. “It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any ‘occupy’ protest.”
Doxing
Doxing involves finding and publishing a target’s personal or corporate information.
In 2011, Anonymous and hacker group Lulzsec breached the Stratfor Global Intelligence Service database and published the passwords, addresses and credit card information of the firm’s high-profile clients. The group claimed they planned to use the credit cards to donate $1 million to charity.
Anonymous also recently doxed members of the Westboro Baptist Church after several tweeted their plans to picket funerals for Sandy Hook victims. Hackers were able to access Church members’ twitter accounts and publish their personal information, including phone numbers, emails and hotel reservation details.
Jeremy Hammond could face life in prison for allegedly leading the Stratfor hack and a separate attack on the Arizona Department of Safety website. Former Anonymous spokesman Barrett Brown was also indicted for computer fraud in the Stratfor dox, not for hacking into the system, but for linking to the hacked information in a chat room.
The charges for doxing depend on how the information was accessed, and the nature of published information. Simply publishing publicly available information, such as phone numbers found in a Google search, would probably not be charged under the CFAA. But hacking into private computers, or even spreading the information from a hack, could lead to charges under the CFAA.
Correction: An earlier version of this piece stated that Robert Morris was the creator of the WANK worm. Robert Morris was not behind the WANK worm, but created one of the first known internet worms. He was prosecuted in that case under the CFAA. We have removed the incorrect language.
Clarification: This post originally suggested Swartz participated in hacking such as DDoS or Doxing, when we meant to describe general tactics. We have updated this post accordingly.
We’re not backing down in the face of Trump’s threats.
As Donald Trump is inaugurated a second time, independent media organizations are faced with urgent mandates: Tell the truth more loudly than ever before. Do that work even as our standard modes of distribution (such as social media platforms) are being manipulated and curtailed by forces of fascist repression and ruthless capitalism. Do that work even as journalism and journalists face targeted attacks, including from the government itself. And do that work in community, never forgetting that we’re not shouting into a faceless void – we’re reaching out to real people amid a life-threatening political climate.
Our task is formidable, and it requires us to ground ourselves in our principles, remind ourselves of our utility, dig in and commit.
As a dizzying number of corporate news organizations – either through need or greed – rush to implement new ways to further monetize their content, and others acquiesce to Trump’s wishes, now is a time for movement media-makers to double down on community-first models.
At Truthout, we are reaffirming our commitments on this front: We won’t run ads or have a paywall because we believe that everyone should have access to information, and that access should exist without barriers and free of distractions from craven corporate interests. We recognize the implications for democracy when information-seekers click a link only to find the article trapped behind a paywall or buried on a page with dozens of invasive ads. The laws of capitalism dictate an unending increase in monetization, and much of the media simply follows those laws. Truthout and many of our peers are dedicating ourselves to following other paths – a commitment which feels vital in a moment when corporations are evermore overtly embedded in government.
Over 80 percent of Truthout‘s funding comes from small individual donations from our community of readers, and the remaining 20 percent comes from a handful of social justice-oriented foundations. Over a third of our total budget is supported by recurring monthly donors, many of whom give because they want to help us keep Truthout barrier-free for everyone.
You can help by giving today during our fundraiser. We have 7 days to add 432 new monthly donors. Whether you can make a small monthly donation or a larger gift, Truthout only works with your support.