Stepping off my usual entrepreneurship topics, here’s a letter I sent to Carmen Ortiz, Stephen Heymann, and Scott Garland (the prosecutors in the Aaron Swartz case) earlier this week.

I’m expecting precisely zero effect on anything here, but it captures my analysis of what happened.  Apart from the sadness and tragedy, I think we all need to be very mindful of the growing gaps between technology and our laws.

January 28, 2013

The Honorable Carmen M. Ortiz
United States Attorney for Massachusetts
John Joseph Moakley
United State Federal Courthouse
1 Courthouse Way, Suite 9200
Boston, MA  02210

Dear Mrs. Ortiz:

I’m writing you (and Mr. Heymann), as many have, regarding Aaron Swartz.  I know emotions are high, and I’m sorry the criticism has been so unfair and uninformed.  I’m sharing constructive comments I hope will be helpful as you consider this matter.  I’ve reviewed the public court documents and several relevant legal opinions.  I am a pioneer of the Internet economy, and a technology and business method expert in the subjects of this case.

It is clear Swartz did something wrong and should have been punished.  However, I have come to agree the prosecutorial stance did not match the severity of Swartz’s deeds.

I believe that you and Mr. Heymann were doing “what any good prosecutor would do”, and as you’ve noted, prosecutors don’t make the laws and penalties.  However, the CFAA is unusually broad and ambiguous, by design, to address a major policy issue.  Technology is advancing much faster than our laws, and the Justice Department has argued for legal flexibility with this Act (e.g. Richard Downing’s House Judiciary Subcommittee testimony in Nov, 2011).  That flexibility requires discretion in application, perhaps more than any other statute you prosecute.

This case is a nearly perfect test of that discretion, because it’s missing most of the typical criminal elements.  Swartz was not pursuing financial gain.  He wasn’t trafficking in credit cards, passwords, national secrets, or confidential/proprietary information.  He didn’t destroy data or access personal records.  He didn’t access something he wasn’t supposed to; he accessed more than he should have.

Swartz, like any MIT guest, was allowed to download JSTOR articles.  He enjoyed no greater access than any normal user would, but he violated JSTOR’s Terms of Service (ToS) by automating his download process.  His violation of MIT’s guest ToS is less clear:  MIT is famously and widely known for an open campus and network, and there’s a reasonable argument MIT’s effective ToS is much more permissive.  (Also, MAC address manipulation is not analogous to VIN tampering; if it were, it would criminalize the “Change MAC Address” feature available in nearly every consumer router.)

Regarding damages, JSTOR’s articles are freely available at 7,000 institutions worldwide, and many documents are public domain.   MIT’s $50,000 annual subscription amounts to $136/day, a starting point for calculating damages.  However, subscription fees have limited use in determining damages, because they mix the access costs with document value.  For example, PACER’s public documents “cost” $0.10/page, but their value is zero.  JSTOR’s quick civil settlement, their public stance in this case, and their subsequent public release of millions of articles are all extremely telling.

Swartz did not destroy or damage data or infrastructure.  There’s no (public) evidence his actions caused more than minor service outages and investigation costs at MIT and JSTOR.  Swartz’s actions were “minimally criminal”, and justice should have been sought on those terms.  (In addition, if your case had prevailed on the basis of ToS violations, there’s a solid appeal to void this interpretation for vagueness.  It’s nearly impossible to pass the “average citizen” test for defining criminal behavior with CFAA+ToS.)

At this point, you will likely say Swartz would have had every opportunity to make these arguments.  That’s true of course, but I’d respectfully say it’s disingenuous.  From the moment you indict and issue a press release, you frame the case.  The use of Secret Service resources, the home search warrant, the discovery refusal to provide raw hard drive images, the superseding indictment, and the reported plea negotiations & constraints; these all signal that Swartz’s acts were extremely serious, worthy of government resources.  Furthermore, Mr. Heymann is a seasoned prosecutor and computer crime expert;  the judges, jury, MIT, and JSTOR take cues from his stance.

Again, the unique ambiguity in the CFAA demands a prosecutorial duty of discretion above and beyond normal.  Our goal is to seek justice, and to that end, I share several suggestions.  First, I strongly recommend you proactively and immediately release all non-exempt case documents, and consider selectively waiving FOIA exemptions for other material.  The content may be unflattering, but transparency would be a very powerful leadership act on your part.  The people have a right to know how their attorneys conduct business, and the full record will help us enact the best policies.

Second, I would encourage you to support sensible CFAA revisions.  For critics, this case is a poster example of why the statute needs to be less vague.  Congress looks to Justice for advice, and you now have the best perspective of any prosecutor on finding a balance between (a) a flexible law, (b) a clear definition of criminal behavior, and (c) the prosecutor’s duty of discretion.

Third, I suggest you consider future CFAA cases more carefully, especially cases missing the obvious criminal elements.  The computer fraud case volume is relatively thin, making each case a bounds test almost by definition.

I pray you find these thoughts helpful in this sad and tragic story, and I hope they constructively capture the broader criticism about proportionality.

Finally, if an informal discussion regarding this matter (or fraud policy in general) would ever be useful, I would welcome that opportunity.

My email is <andy [at] payne [D O T] org>.

Sincerely,

Andrew C. Payne

Cc:       Stephen P. Heymann, Assistant U.S. Attorney
Scott L. Garland, Assistant U.S. Attorney