The internet was rocked last Friday by the news of the suicide of Aaron Swartz, co-founder of Reddit and passionate advocate of internet freedom. Swartz had been facing up to 13 felony counts, 50 years in prison, and millions of dollars in fines for allegedly downloading millions of academic articles from the digital archive JSTOR with the intent of making them freely available. Though no articles had been made public before his arrest, Swartz had been vocal about the importance of making academic research accessible to all.
Cyber activists have increasingly been using computer networks and other technology as a form of political protest. Tactics range from temporarily shutting down servers to disclosing personal and corporate information. These acts, including the downloading of data by Aaron Swartz, are criminalized under the federal Computer Fraud and Abuse Act (CFAA). This act was designed to prosecute hackers, but as the cases of Swartz and other “hacktivists” demonstrate, one does not necessarily have to be a hacker to be viewed as one under federal law. This raises the question of whether activists such as Swartz are engaging in civil disobedience or committing online crimes. We examine some of the strategies of “hacktivism” to determine what is considered criminal under the CFAA.
Publishing Documents
The case of Aaron Swartz and Bradley Manning have highlighted the issue of accessing and downloading confidential documents from private servers or behind paywalls with the intent of making them publicly available. In Swartz’s case, he gained access to JSTOR through MIT’s network and downloaded millions of files, in violation of JSTOR’s terms of service (though JSTOR declined to prosecute the case). Manning, while working as an intelligence analyst in Iraq, passed thousands of classified intelligence reports and diplomatic cables to Wikileaks, to be posted on their website. Both were charged under the Computer Fraud and Abuse Act (CFAA) for intentionally causing damage to a protected computer without authorization. Manning stated in an online chat with ex-hacker Adrian Lamo that he wanted people to have access to the truth, regardless of who they are, as without information, people cannot make informed decisions as a public.
Two individuals have been charged with felonies under the Computer Fraud and Abuse Act (CFAA). The charges are based on the interpretation that anyone violating a website’s terms of service is an unauthorized user, and therefore all activities on the website are illegal. The Ninth and Fourth Circuit Court of Appeals have disagreed on the constitutionality of this interpretation, leading to the possibility of the Supreme Court having to make a final ruling.
Assistant U.S. Attorney Steve Heymann of Massachusetts was the lead prosecutor in the case of one of the individuals, Aaron Swartz. Heymann had previously won a case against hacker Albert Gonzalez, resulting in a twenty year prison sentence. Heymann offered Swartz a plea bargain of six months in prison, but this was rejected by the defense team, who argued that a felony and any time in prison was too harsh. Following Swartz’s suicide, some lawmakers are now calling for a review of the CFAA, leading to the introduction of “Aaron’s Law”, which would make it explicitly clear that violating a website’s terms of service cannot be considered a federal offense.
Distributed Denial of Service
In 2010, a group known as Anonymous attempted to overwhelm websites belonging to PayPal, Visa, and Mastercard with web traffic, after the companies refused to process donations to Wikileaks. The group had posted a software program, the ‘Low Orbit Ion Canon’, which allowed roughly 6,000 people to bombard the sites with traffic. This type of attack, known as a Distributed Denial of Service (DDoS), is considered illegal under the Computer Fraud and Abuse Act (CFAA) as it can cause damage to a website and violate its terms of service. Consequently, sixteen alleged members of Anonymous were arrested and charged with conspiracy and “intentional damage to a protected computer” under the CFAA. They could face more than 10 years in prison and $250,000 in fines.
In light of this, some web activists have called for DDoS to be legalized as a form of protest, arguing that disrupting web traffic by occupying a server is not dissimilar to clogging streets when staging a sit-in. A petition started on the White House’s ‘We the People website, shortly before the death of internet activist Aaron Swartz, has since gained more than 5,000 signatures. The petition argues that DDoS is not a form of hacking, but rather “the equivalent of repeatedly hitting the refresh button on a webpage”.
Doxing
Doxing is the practice of finding and publishing a target’s personal or corporate information. In 2011, the hacker groups Anonymous and Lulzsec breached the Stratfor Global Intelligence Service database, releasing the passwords, addresses, and credit card information of the firm’s high-profile clients. They claimed their intention was to use the credit cards to donate $1 million to charity. Recently, Anonymous doxed members of the Westboro Baptist Church after several tweeted their plans to picket funerals for the victims of the Sandy Hook tragedy. The hackers were able to access the Church members’ Twitter accounts and publish their personal information, including phone numbers, emails, and hotel reservation details.
Jeremy Hammond could face life in prison for allegedly leading the Stratfor hack and a separate attack on the Arizona Department of Safety website. Barrett Brown, former Anonymous spokesman, was also indicted for computer fraud in relation to the Stratfor dox, not for hacking into the system, but for linking to the hacked information in a chat room.
The legal consequences for doxing depend on the means by which the information was accessed, as well as the nature of the information published. Generally, publishing publicly available information, such as phone numbers found in a Google search, would not be charged under the Computer Fraud and Abuse Act (CFAA).
Website Defacement
In 1989, Robert Morris became the first person to be prosecuted under the Computer Fraud and Abuse Act (CFAA) after launching the “WANK worm” to protest nuclear armament. The worm targeted NASA, the Department of Energy and other government websites, changing them to read, “Worms Against Nuclear Killers. Your Site has officially been WANKed. You talk of times of peace for all, and then prepare for war.”
Since then, hacktivists have taken over websites to publish their own content or messages. Last November, Anonymous defaced Syrian government websites to protest Bashar al-Assad’s imposed internet blackout, and recently hacked MIT’s website to post an Aaron Swartz tribute message, calling for freedom of information and speaking out against his prosecution.
The CFAA was amended in 1996 to include any unauthorized computer access, and Morris was sentenced to a $10,000 fine and 400 hours of community service. Since then, hacktivism has become an increasingly popular form of protest, with hacktivists using their technical skills to make their voices heard.
