By CHRIS R. ALBON
On January 11th Internet activist Aaron Swartz took his life after two years of brutal and unnecessary persecution by the Department Of Justice. This tragedy hit home for many for a number of reasons, not the least of which was that Aaron was an author of RSS and an avid activist for digital freedom. But for me, who never knew Swartz, it was because in 2007 I committed the same alleged “crime” that earned him years of aggressive prosecution.
Swartz's was allegedly attempting to download thousands of gated journal articles from JSTOR, a non-profit digital library for academic research normally requiring an expensive subscription to access. But Aaron did not steal the articles—in fact, he accessed them using a legitimate account. His major alleged crime was "excessive" use; more specifically, breaking JSTOR's end-user license agreement (EULA) which dictates how users can and cannot use the service. Despite the fact that JSTOR (to their credit) refused to press charges against Swartz, amongst other things, the young activist faced decades of jail time for violating JSTOR’s EULA, under the Computer Fraud and Abuse Act (CFAA)—a law written in 1984 and well before the Internet came into its own. Since Aaron’s death, a movement has sprung up by activists and members of the Congress to reform the archaic law used as justification for his prosecution. This reform bill is aptly called Aaron's Law.
The bill, proposed by California Congresswoman Zoe Lofgren, is still being debated and revised by digital activists like EFF and Lawrence Lessig. One revision made by EFF focuses specifically on adding clarification of computer crime to "ensure that when a user breaks a private contract like a terms of service or other contractual obligation or duty, the government can't charge them criminally under the CFAA or wire fraud law." This was exactly what happened to Swartz.
My own run-in with JSTOR’s EULA occurred during the first year of my PhD in political science. I was planning on spending the summer backpacking through Europe. Foreseeing months with unreliable Internet access and wanting to continue preparation for my qualifying exams while traveling, I downloaded more than 1,500 political science academic journal articles over the course of a few days. That was it, that was my crime. Soon after, JSTOR contacted my university's head librarian, who contacted the chair of my department, who contacted the program's head administrator, who contacted me.
It was demanded that my department make me "pledge" that I would not again excessively download articles; and that I make sure all the articles had been deleted off any computer or removable memory (which I demonstrated with a screenshot of the files, selected with my cursor, over the delete button). There was an implication that if I did not comply, the whole university's JSTOR access could be affected.
On the whole it was minor—resulting in nothing more than a few sleepless nights. After I complied with both requirements, the matter was dropped. But what has not been lost on me is that in a jurisdiction with a more aggressive federal prosecutor, or with a more infamous name, I could have been prosecuted under the exact same laws that were used to attack Swartz —and, quite likely, so could you.
EULAs are everywhere on the Internet. You know, those blocks of legal text that nine times out of ten you skim over, if even that, all the while hunting for the "I Agree" button. The fact they are almost never read by users has become a meme in itself, with companies pulling such stunts as slipping humorous easter eggs into the text.
EULAs themselves are not generally dangerous: they are merely contracts between the service provide and you, the user. The problem is CFAA. According to Orin S. Kerr of George Washington University's Law School, CFAA was originally designed to cover only a narrow set of "federal interest computer crimes" but has since had it's reach expanded five times to the point that now it is "one of the most far-reaching criminal laws in the United States Code." Here’s where CFAA makes things Kafkaesque: if you violate other contracts—say, for example, your renter's agreement—it is a civil matter governed by contract law. Under CFAA, on the other hand, violating a EULA is a federal offense.
I’d bet everything that anyone who has spent enough time on the Internet has either accidently or intentionally broken a EULA at some point. And more importantly, the vast majority of Internet citizens who have broken EULAs are totally unaware of it.
This is the heart of the problem. CFAA creates a situation where, under the right conditions and in a jurisdiction with the wrong prosecutor, almost anyone could be dragged into federal court.
The CFAA is an outdated and barbaric legal bludgeon. It creates the threat of decades of jail time, for what can constitute an incredibly minor offense. We deserve better than this. Contact your representative and tell them to support Aaron's Law.