The 13-count superseding indictment (now dismissed) against Aaron Swartz basically boiled down to two major complaints: he accessed a computer system, and then downloaded files, without permission to do either.
It was not completely unprecedented in the pre-digital age to penalize acts that at their essence were about doing something without permission. Trespass, for instance, can be criminally prosecuted if someone has entered another’s real property without their permission. But (per the Model Penal Code § 221.2) it is typically prosecuted as a petty misdemeanor, commensurate with the negligible resulting harm. In instances where more serious harm resulted, a harm that could be properly measured in real word dimensions, such as the deprivation or destruction of real or immovable property, then a separate crime could be charged, such as theft – one targeted to address that violent sort of outcome. But even in those cases the crime and its commensurate penalty would hinge on the resulting harm, not the underlying lack of permission (see, e.g., Model Penal Code explanatory note §§ Sections 220.1-220.3). On its own, merely doing something without permission has not been something US law has sought to punish with serious charges carrying lengthy prison sentences.
In Aaron Swartz’s case, however, while his actions, even if true as alleged, resulted in no more measureable harm than an ordinary trespass would have, he was nonetheless charged with multiple felonies.
Each felony charge comprised part of a vicious cycle, with each being predicated on the existence of the last. But at the heart of the indictment is a fundamental misunderstanding of the purported wrongfulness connected with the file downloading. The undisputed facts in this respect are basically thus: The JSTOR archive is a repository of academic articles. Notably Aaron actually had permission to access and download them, although it may be true that in granting that access JSTOR had not contemplated on them having been downloaded in bulk. On the other hand, it does not appear that such permission had been explicitly withheld. Furthermore, Aaron’s downloading of the files in no way deprived JSTOR of anything. The files didn’t disappear from their machine as they were copied onto Aaron’s; they remained exactly where they always were.
Thus the prosecutor’s insistence that this downloading was somehow “theft” (see paragraph 30 of the indictment) fails in both physical and legal terms. In the non-digital world theft involves depriving someone of their property. However no such deprivation of property existed here, thereby rendering it legally incorrect to punish the act as if it were one that would cause it, and then to compound it by using that perceived wrongfulness as a basis for collateral charges.
Of course, no deprivation of property is required for the real world crime of burglary. Like trespass, burglary punishes an unauthorized access, but only one made for the purpose of committing some other crime that would result in its own measurable harm. (See Model Penal Code § 221.1. Note also that the nomenclature and particular requirements for these various crimes may vary from jurisdiction to jurisdiction, but the MPC is being cited here because of how it serves to encapsulate how crime is generally thought of in American law.) It’s not the unauthorized access itself that conditions the seriousness of the charge; it’s the intent to cause the measurable harm that is. Having laws like burglary on the books provides a way to prosecute an attempted crime that would have had real, measurable effects had it ever reached fruition; they aren’t about punishing a permission-less access for its own sake. Which, unfortunately, the Computer Fraud and Abuse Act currently does.
Ostensibly the CFAA, a recent statute ill-fitting the realities of modern computing, sometimes predicates its punishment on the consequences of the purportedly wrongful access of a computer system, but unlike burglary it is largely divorced from any actual criminal accounting of those consequences and at times (see 18 U.S.C. § 1030(a)(2)(c)) requires no destructive harm at all. For purposes of the CFAA the access alone is what’s wrongful.
And it punishes this permission-less access vastly more severely than its consequences could possibly warrant. In Aaron’s case the only demonstrable harm the prosecutor managed to allege in the indictment was that his actions had caused MIT, whose network Aaron is alleged to have accessed without permission (although there is significant dispute about whether such network access truly was impermissible), inconvenience. And so, for allegedly causing MIT some hassle, Aaron faced decades in prison and bankrupting expense, consequences greater than if he had simply outright stolen any of MIT’s actual computers (a real-world state-governed crime that would have put him beyond the reach of federal prosecutors entirely).
In the wake of Aaron’s death, which his friends and family see as a direct result of the DOJ’s overzealous prosecution, there have been many calls for reform. Some of the reform needed is in the CFAA itself, given how it currently conceptualizes unauthorized access of computers in a way that would ensnare nearly every Internet user acting quite reasonably and in a way that resulted in no measurable harm.
But reform is also needed with respect to the underlying wrong the prosecution originally perceived Aaron to be guilty of when he downloaded those articles. The prosecution reacted as though it were a violent destruction of person or property, when it clearly was not. At most he would have been liable for copyright infringement, an act that can be fully redressed through private civil suits without the need – or indeed, the right– for the state to weigh in, especially in such a disproportionate way. It is in this regard, criminalizing access to information beyond one’s permission to have it, that the most reform is needed.