When a mysterious intruder using the cheeky name “ghost” hacked into a computer network at MIT in 2010, the security breach might conceivably have been quite damaging. The Globe’s Marcella Bombardieri reported last Sunday that, soon after the institute became aware that someone was mass-downloading academic journal articles from the JSTOR database, employees speculated about student hackers — but also about “sinister foreigners” who might be probing the weaknesses of MIT’s systems to purloin scientific data. If the latter were true, and the perpetrators were caught, the federal Computer Fraud and Abuse Act, originally written in 1986, provides for stiff criminal penalties.

Unfortunately, that same act also allows stiff penalties for acts that seem far less nefarious. The tragic end of the MIT case — in which Internet activist Aaron Swartz committed suicide under the threat of a federal felony conviction — highlights the need for reform of an overly broad law. E-mails recently reviewed by the Globe suggest that, even as the parameters of the case became clearer, some MIT employees and — more fatefully — US Attorney Carmen Ortiz’s office seemed unable to draw a distinction between acts of high-tech espionage and the work of a political activist helping himself to a trove of minimally guarded material.


Swartz, a talented programmer who opposed restrictions on access to academic research, manipulated guest network privileges that were readily available to visitors at MIT to download articles that JSTOR had made available to the MIT community for free. In doing so, Swartz should have been prepared for civil penalties, like those applicable to people who’ve been caught sharing stolen music files. Indeed, some criminal penalties were possible, too — by physically entering a computer wiring closet, Swartz might have violated trespassing laws, for instance. But even though Swartz clearly wasn’t seeking personal gain, federal prosecutors came down hard, filing felony computer-fraud charges that could have landed him in jail for years.

Internet activists aren’t the only ones expressing concern about the breadth of the federal Computer Fraud and Abuse Act. Many legal experts believe the law is written in ways that allow even modest electronic intrusions to be prosecuted as felonies. Under some interpretations, the law may infringe on legitimate news-gathering about electronic security issues. Courts have struggled with how the law defines unauthorized use of a protected computer. A proposal known as “Aaron’s Law” would tweak the existing legislation, but there’s some question about whether the measure would even have helped Swartz. Congress must take a broader, more nuanced look at the issue — which, fortunately, is ripe for bipartisan cooperation.


Swartz’s death made him a cause celebre among Internet freedom activists, in a way that isn’t entirely fair to MIT and JSTOR. The university and the database organization both missed opportunities, the Globe report suggests, to act more nobly. Still, it’s noteworthy that MIT and JSTOR — which have sought to strike a balance on cybersecurity, offering some people relatively free use of their services while restricting access for others — have earned more enmity than institutions that reflexively lock their information as tightly as possible. Network owners, copyright holders, and publicly accessible databases should surely have some recourse against people who break into their systems. But the law must also be written to avoid miscarriages of justice, like the one that occurred in the Swartz case.