Almost a week ago, 26-year-old Internet activist Aaron Swartz hanged himself. Aaron was facing a range of felony charges and prison time for using the Massachusetts Institute of Technology’s computer network to download nearly five million academic journal articles from a database that charged for access. Aaron then planned to make the downloaded articles available to the public.
The computer hacking began as a usual “breaking and entering” report and escalated into a federal prosecution for computer crimes. But when Aaron was indicted in July 2001 for computer fraud, wire fraud and several other offenses that could have put him in prison for 35 years and exposed him to fines of up to $1 million, the hacking case became far from the usual. The government had indicated to Aaron’s lawyer that it might seek only seven years at trial and would be willing to bargain that down to 6 to 8 months in exchange for a guilty plea. Aaron’s case was rare in that he sought no financial gain, and his alleged stunt was not disruptive in nature in the way other hacking incidents in the news recently have been.
Prosecutors have broad discretion when it comes to the type of cases that can be brought when computer crimes have taken place. Prosecutors typically rely on the 1986 Computer Fraud and Abuse Act, an anti-hacking statute that makes unauthorized computer use a crime. The Computer Fraud and Abuse Act was written broadly to keep in step with the rapid pace of technological change. Primarily, the statute prohibits accessing a computer “without authorization” or in a way that “exceeds authorized access.”
Federal prosecutors have ramped up efforts to pursue hackers after a number of high-profile intrusions into government and corporate computer systems. The primary targets are hackers employed by foreign governments and organized criminals who threaten national security and break into computers for financial gain. The longest prison sentence handed down in a U.S. hacking case was 20 years, to Albert Gonzalez, for his role in the 2010 theft and sale of millions of credit and debit cards.
Did the punishment fit the crime in Aaron’s case? With no prospect of financial gain or direct harm to an individual, does 7 to 11 years in prison seem just? Aaron’s case is certainly a sad one given its ending and the impact it had on his family and community. No one wanted to see a life end as a result of this hacking. Regardless of his motives, the time he faced in prison for the alleged crime is outrageous. Computer hacking is not a matter that should be taken lightly, but the punishment needs to fit the crime committed. Certainly a 10-year sentence for stealing millions of credit card numbers and data and then selling them to the highest bidder is adequate. However, a 7- to 10-year sentence for hacking into an educational database is outrageous. Hardened criminals rarely serve more than 3 to 5 years for the heinous crimes they commit, which often involve the safety and well-being of innocent people.
What are your thoughts on the 1986 Computer Fraud and Abuse Act? Is it time to start thinking that maybe the act is too broad and not fitting to every circumstance? Perhaps we owe it to ourselves as a nation to take a different look at this Act and how we handle and prosecute certain hacking crimes. As with many things, this is not a one-size-fits-all situation. We must assess the malicious intent of the crime committed when deciding an appropriate sentence.