Towards learning from losing Aaron Swartz

When I learned that Aaron Swartz had taken his own life, I cried. I am still desperately sad, for him, his family, for the close friends who loved him, and for our community. We lost a rare and special person, one who did so much in his short life to make the world a better place. Any do-gooder, including myself, could be proud were we to accomplish as much. We don’t know what else he would have acheived were he to have lived. But I admit that I also cried for myself, because I felt guilty that I didn’t do more to help Aaron in his criminal case. This article is about part of that challenge, the challenge to improve computer crime laws, and the criminal justice system more generally. Hopefully in the end, there’ll be something that I, and you, can do about it.  

I was a criminal defence attorney for nine years, before I started working full time on internet law issues in 2001. I represented people charged with all kinds of crimes, including computer crimes, in federal and state court. I left that work for a lot of reasons, but in part, I found it gruelling and insufficiently rewarding. Once, at a federal defender conference, someone was giving a speech addressing attrition in the field. He said that there were three kinds of people who got into criminal defence. First, there are those who care about people, especially the underprivileged, and want to help them through the system. Those don’t last long. Second, there are those who believe in the Constitution, and want to curb the awesome power the government can otherwise wield over the individual. Those do better, but they don’t last long either. And then there are the third kind, those who just want to screw with a screwed up system. The crowd roared its approval. I turn out to be Type 2. And so eventually, I left for a field where, in 2001, I felt the law was more wide open, and thus more amenable to positive change.  

A short history of the CFAA

As a former criminal defence lawyer, the Computer Fraud and Abuse Act (CFAA), the law under which Aaron was charged, is one of my biggest concerns. The statute basically outlaws accessing a computer without authorisation, or in excess of authorisation. In a networked environment, the boundaries between machines are porous and appropriate uses are cultural, subtle, subject to interpretation. In the law, the boundaries are bright, and the CFAA polices them under penalty of law. Since every communication with a computer is access, the distinguishing line between legal and prison is the ephemeral concept of “authorisation”. “Authorisation” is in the eye of the beholder. Desired uses of systems can be expressed in terms of service, clickthrough notices, (sometimes competing) cultural expectations, technological protection measures, employment contracts, or cease and desist letters. Yet outside of the computer context, disregarding any of these things is generally not a crime. It may not even be a civil offence. “Authorisation” gives great power to the computer system owner. That entity may unilaterally decide what is right and wrong on their system, and the CFAA brings the full force of federal law behind it. Yet outside of the computer context, crimes punish social wrongs, not merely offences to personal or business preferences.

Another way of looking at the CFAA, is that it protects the box, regardless of other social values or laws regarding the information residing there. Our laws try to balance the protection of information with other social goods, including freedom of expression and the public’s right to know. So copyright is conditioned by fair use. Trade secrets are specifically defined and only protected against misappropriation. Classified information must be marked, and there is a cultural and legal history that enables news organisations and journalists who report on such issues to continue to operate. The CFAA doesn’t care about any of that nuance. There’s a bright line protecting the box, and even otherwise public data stored on the box is thereby subject to the system owner’s control.

That concept of punishing access in excess of authorisation lead to some relatively early civil cases that were potentially very dangerous to innovation and consumer interests, including lawsuits against companies that aggregated pricing data (American Airlines v Farechase, eBay v Bidder’s Edge), used Whois to generate business leads (Register.com v Verio), or identifying metatags on a site in order to better market a competing service to the same set of potential customers (Oyster Software v Forms Processing). These cases were not brought under the CFAA, but under a resurrected version of the tort of trespass to chattels. Of course, the tort doesn’t carry criminal penalties. Nevertheless, it fell out of favour with potential plaintiffs in 2003, when the California Supreme Court ruled in Intel v Hamidi that the tort required a showing of damage or impairment to the targeted computer system.

The CFAA specifically allows civil suits for violations of some of its provisions, and Plaintiffs have increasingly used the CFAA and its state corrollaries, rather than trespass to chattels, to stop data aggregation for similar anti-competitive purposes (Facebook v Power Ventures) and also in employment disputes to inhibit employees planning to leave from taking advantage of their computer rights to position themselves for competitors. These uses have been embraced by courts. For example, in International Airport Centers, LLC v Citrin, the Seventh Circuit held that an employee who uses a company computer disloyally, ie contrary to the employer’s interest, violates the CFAA. Take that, all you people who look for a new job while you are at your old job.

In 2001, early in this history, I was on KQED’s Forum programme with Chris Painter, who I believe was then at the Computer Crime and Intellectual Property Section (CCIPS) in the US Department of Justice. During the debate, I complained about the breadth of the computer crime laws and I remember Painter saying that even though civil plaintiffs were urging an expansive interpretation of the CFAA and courts were embracing those arguments where monetary harm was at stake, that the Department of Justice would not exercise its discretion to use the CFAA to put people in prison for such borderline kinds of activities. At the time, I could not point to a contrary example.

Chris Painter doesn’t work at CCIPS anymore. And today, I have many such examples of borderline prosecutions involving broad interpretations of the statute, including Aaron’s case, and the successful Auernheimer prosecution for conspiracy to violate the CFAA. Most notably from a legal precident perspective, the Ninth Circuit relatively recently rejected CFAA prosecutions in United States v Lori Drew and in United States v Nosal.

In Drew the government argued that the defendant’s use of MySpace was without authorisation because she violated the social network’s terms of service in setting up a pseudonymous account. The account was used to harass a girl who subsequently committed suicide, but the harassment did not rise to criminal levels under state law, which is why the prosecutors wanted to bring the federal case.

[It’s interesting now to reread the prosecutor’s statements in the Drew case, blaming the defendant there for the child’s suicide, next to the apologia we are now seeing online from some current and former DOJ employess who I suppose are simply inured to miscarriages of justice such as those we see in Aaron’s case. Guys, guess what? We don’t have to prove that your prosecution was the but for cause of Aaron’s suicide in order for some critical thinking about the justice of the case to be in order here.]

In Nosal, the government prosecuted a man who went to work for a competitor and got some of his old colleagues to send him source lists, client data, and contact information from his former employer. The DOJ argued that violating a workplace computer use policy “exceeded authorisation” and amounted to a crime. The Ninth Circuit disagreed.  

Efforts to improve the CFAA

There is a circuit split, with the Fifth, Seventh, and Eleventh circuits adopting a broad interpretation of the statute, finding that an individual accesses a computer “without authorisation” or in excess of his authority when the employee acquires an interest adverse to his employer or breaches a duty of loyalty, and the Fourth and Ninth Circuits (in Drew and Nosal, for example) reading the statute to exclude such cases. One area for advocacy could be in the Supreme Court, should the issue ever get there. If it does, you can be sure that the facts will be very ugly, as the government will get to decide which case it uses as the vehicle to see such review.  

Alternatively, there could be a statutory fix. Through various vehicles, Senator Patrick Leahy – a Democrat from Vermont – has been pushing an amendment to the CFAA that would make clear that Terms of Service (TOS) violations and employee misconduct are not CFAA crimes. The Justice Department opposes that change and the cause is currently moribund. Statutory amendment along this line could fix what has come to be known as the “Lori Drew problem”. Another area for advocacy would be to come up with good language for this amendment and to explain to policy makers why it is important.  

How should a principled line between lawful and criminal access to computers be defined? Certainly TOS violations and disloyalty are beyond the pale. Scholars and others have proposed looking to whether the alleged attacker merely used the target computer, or somehow circumvented a technological security measure put in the place to control system access. The most complete expression of this proposal is Orin Kerr’s article “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes”, accessible from SSRN. Without question, this would be better than what we have now.

However, even requiring circumvention of a code based restriction on computer access or use puts too much power in the hands of the computer owner to define social good, with the force of criminal law behind it. Such a rule probably would not have protected Aaron from prosecution. This is an additonal area for advocacy. We need more scholarly work in this area.  

Prosecutorial discretion

Prosecutorial discretion is both a blessing and a curse. It’s a blessing when, for example, someone breaks the law but does so because they are hungry, or young, or addicted and they need another chance. It’s a curse when, for example, laws are written to encompass all kinds of every day behaviour, and the government can pick and choose its defendants based on whether they are political rivals, activists, assholes or some other anti-social but lawful behaviour.

In 2003, I appealed the conviction of security researcher Bret McDanel, who pointed out a flaw in his former employer’s messaging service in 2001. He emailed the customers directing them to a webpage explaining how the flaw worked and how the privacy of their messages could be compromised. The government successfully argued at trial that McDanel accessed the system unlawfully by emailing customers via the service, and impaired the integrity of that messaging system by informing customers about the security flaw. Outsiders could potentially access the system, and current customers were upset. The company therefore had to correct the flaw that McDanel revealed. Because fixing that preexisting problem cost money, the government argued that McDanel caused loss to his former employer. It was a bench trial, and the judge agreed.

There were other chilling aspects to Bret’s case. First, Bret spent a good portion of the pendancy of his case in custody. I did not represent him then, and I can’t remember the details now, but I believe he had violated the conditions of his release in some way and had bail set, bail he could not meet. When I took on the case, he was imprisoned while he waited for sentencing (16 months), while we waited for the transcript to be prepared, while I wrote the appeal, and while we gave the DOJ some time to consult internally. Bret served his entire sentence, even though he was innocent.  

Relatedly, the government used all its resources to try to force Bret to plead guilty. While he was in custody on the Central District case, the government indicted him in New Jersey for a much earlier incident involving a different employer that the FBI had investigated and taken no action on. I don’t remember how explicit the threat was, again because I didn’t represent him in the trial court. But he was “arrested” for the New Jersey case a few weeks before his California trial began, and the indictment was filed after his conviction while his motion for acquittal was pending and after he made clear that he was going to appeal. I know the government wanted him to plead in the California case and I know that resolution of the New Jersey charges were part of the deal. Bret did not plead. We are still friends and I hope he’s honoured when I say it was because he’s a stubborn son of a bitch and he knew he was right. Of course, we won the California case, and the government gave him probation in the outrageous New Jersey case. But not everyone is as tough as Bret.  

I must also add that the government argued at trial that Bret had criminal intent because he was a hacker and we know he was a hacker because he was wearing a Defcon tee shirt when he was arrested.

To my mind, the government’s case in McDanel was not plausable. It should have been obvious that the conviction was improper. Either prosecutors were misinterpreting the CFAA, or the CFAA violated the First Amendment. The DOJ admitted as much on appeal when it declined to oppose my application to vacate the conviction. But educated prosecutors brought the case and a federal court judge bought it. Nothing in the statute was an obstacle to McDanel’s conviction.

Cybercrime is a serious problem. National security and economic interests, not to mention privacy and fraud prevention, are at stake. But those very real problems, the rhetoric associated with them, and the financial resources that follow, have been used to justify a legal regime which as often than not is used against whistleblowers, disloyal employees, and activists. Moreover, prosecutorial discretion is structured by various incentives. These include office culture, office policies, training, internal and external oversight, public oversight via data collection and information sharing, defining metrics for office and individual performance evaluation. Governments are putting increasing resources into establishing cybercrime divisions and training investigators and prosecutors. If money, prestige and jobs are going to go to the offices that get the most cybercrime convictions, we aren’t going to get what we are paying for. We need more data and scholorship here. We need to figure out why US Attorney’s Offices, and Massachusetts, New Jersey and the Central District of California in particular, are pursuing so many troubling cases.  

Criminal justice more broadly

The CFAA is not the only broad statute that lends itself to prosecutorial overreaching. Our drug laws are notoriously broad, if only because they prohibit activities most of us have participated in at one point or another in our lives (marijuana smoking, anyone?). Those harse laws have incentivised young people to work off their potentially devestating sentences as undercover operatives in law enforcement efforts to catch bigger fish in the drug dealing food chain, sometimes with tragic consequences. They have also been instrumental in incarcerating historic numbers of African-Americans.

Harvey Silverglate, a renowned criminal defence attorney who works in the District of Massachusetts, where Aaron was being prosecuted, can plausably claim in his book Three Felonies A Day that “citizens from all walks of life – doctors, accountants, businessmen, political activists, and others – have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong.” Silverglate identifies particular statutes succeptable to such overreaching, but his book also shows via war stories the ways that the progress of criminal cases can push even innocent defendants towards prison, bankruptcy, career ending guilty pleas, or emotional ruin. A short list includes pretrial incarceration, indicting or involving family members or friends in the case, the risk of draconian sentences, and superceding indictments in response to refusals to plead. Some of these tools were used in Aaron’s prosecution. Perhaps his case is a window through which this digital community can understand better how broadly broken the criminal justice system is.  

Aaron’s case

I met Aaron when he was a teenager; he was working with my boss Larry Lessig on Creative Commons. I didn’t know him very well, though I couldn’t but love him. He was a kid, a fascinating, fascinated kid whose heros were people like Ted Nelson (pioneer of computer networking) and Doug Engelbart (inventor of the computer mouse). We knew each other, but were not friends. When he was indicted for the JSTOR downloads, we talked and I recommended defence lawyers to him. A few months ago, we talked again. Aaron wanted to know if I would help his lawyers with the case. I said I didn’t know what I could offer, but that I would talk to his attorney, and see what I could do. I had one conversation with his second lawyer, Marty Weinberg about the CFAA, and I sent an email to his last lawyer, Elliot Peters, to check in, but that was the extent of my contribution.

Why didn’t I do more? I believed then and now that prosecuting Aaron was wrong, and that what he did, while ill-advised, was not a crime. Aaron was allowed to download JSTOR articles for free, both from the MIT network and from his home institution. To my mind, a successful prosecution requires drawing a line between downloading and downloading really, really fast.  

The government was aided in making that specious argument by two things. First was atmospherics. Like Bret McDanel’s tee shirt, Aaron did something that made him seem guilty to the prosecutor, he hid his computer in a closet and covered his face when he went to retrieve the machine. He also named the computer he was trying to hide Gary Host, or ghost, the mystery machine. Regardless of the the merits of the case, the government could argue that Aaron acted guilty because he was guilty. Evading surveillance is not evidence of guilt, of course, but countering that argument was something that was going to take good old criminal defence advocacy, something that I haven’t done for years. Each of the attorneys Aaron selected were well respected. I had nothing to offer there.  

The second obstacle was the CFAA itself. Even if the Massachussets court adopted the narrower view propounded by the Ninth Circuit that TOS violations are not crimes, MIT did more than that. According to the indictment, MIT blocked Aaron’s laptop’s MAC address from the network to stop it from downloading the JSTOR articles. Aaron then spoofed the MAC address to get the machine back on the network, and connected to JSTOR. Even under the superior formulation of the CFAA offered by Orin Kerr, this might be circumvention of a code based restriction on access, enough to bring the case outside of Drew territory and into the statutory prohibitions.  

I’m not arguing that changing a MAC address should be a CFAA violation. Aaron was still allowed to use the MIT network, and he was still allowed to access JSTOR. The statute doesn’t regulate the means of computer access, nor does it prohibit certain uses of information one is otherwise authorised to obtain. But the government would use these facts to say that Aaron was unauthorised and he knew it. Aaron’s lawyers knew all of this already. I didn’t want to be presumptuous. I made myself available, I didn’t want to second guess, or interfere.  

Criminal defence

I’ve been mulling over something Danah Boyd wrote in her blog post about Aaron, addressing the question of why she hadn’t spoken up about Aaron’s case before. She said, in part, “I was too scared to speak publicly for fear of how my words might be used against him.”  

Certainly, talking about a friend’s case publicly is dangerous. First, you could be called as a witness. That is an awful thing, for your friends and relatives to be called to testify against you. I advised my clients never to talk to anyone about the case, and certainly not to witnesses. That gives the prosecution an avenue into the defendant’s state of mind, defence posture, etc. It is completely alienating and depressing when friends are called before a grand jury to testify against you. The reports say that at least two of Aaron’s friends were subpoened to testify against him at the trial. 

Second, as a defence attorney, I would always ask supporters not to talk publicly about the case. There are so many ways a defence can be derailed and in the typical case you need to control every variable within your abilities. I did not let my client talk to the press, and I did not want friends or witnesses innocently doling out information that could be twisted or misused against my client. Remembering things differently from your friends, contradicting yourself after forgetting or remembering facts over the course of an investigation can all form the basis for obstruction of justice allegations. This is what, for example, Martha Stewart was convicted of when the government failed to prove insider trading.  

The second thing Danah said was also deeply sad:

And I was too scared to get embroiled in the witch hunt that I’ve watched happen over the last three years. Because it hasn’t been about justice or national security. It’s been about power. And it’s at the heart and soul of why the Obama administration has been a soul crushing disappointment to me. I’ve gotten into a ridiculous number of fights over the last couple of years with folks in the administration over the treatment of geeks and the misunderstanding of hackers, but I could never figure how to make a difference on that front.

Overcharging

Many people feel that Aaron’s prosecution was disproportionate to the offense, if any, committed. The government filed multiple, duplicative charges, hung 35 years, then 50, over Aaron’s head and insisted that Aaron plead to multiple felonies and be incarcerated.  

Certainly, most federal cases I defended went much the same way: The government overcharges the case. There are so many ways to lose and only one way – total acquittal – to win. The maximum potential sentence is terrifying. While any first-time defendant is unlikely to get the maximum – because defendants are sentenced based not just on the conduct proven at trial, but also on unproven “related conduct” – the actual sentence can be quite high. In this atmosphere of terror, the prosecutor offers a deal, usually before dispositive motions are heard, or before trial. If my client waives her right to trial and appeal and admits felonious conduct, the government will suggest to the court a greatly reduced sentence. If she refuses to do so, the prosecutor will return to the grand jury and add more charges to the case, thereby racheting up the opportunities to lose and the maximum lawful sentence.

This reality is discomfiting enough when your client has been caught red-handed with a car full of cocaine. But when the facts are unclear, or the case arises under a vague and overbroad law, it becomes terrifying.

Voluminous, overlapping charges may be typical, but they can give unfair advantage to the prosecution. At trial, each charge is a chance for the prosecution to win. Convict on one count, and you can likely punish the defendant for all of his conduct, because related conduct, even aquitted conduct, is part of the sentencing calculation. In contrast, the defendant has only one way to win: He must be acquitted on all counts. The more counts, the more chances for the government to win. Furthermore, having a lot of counts bolsters the government’s case in front of a lay jury. Jurors tend to infer that the defendant must have done something very wrong if the indictment is substantial and voluminous. When just the disposition of the case requires jurors to understand technology, politics, economics, philosophy and physics likely outside of common experience, this tactic is all the more coercive.

Sentencing

Aaron was in danger of doing real time behind bars, and that is terrifying. To really understand the pressure that federal defendants face, you have to understand something about the way that federal sentencing works.  

In federal court, sentences are almost entirely determined by the federal sentencing guidelines. The guidelines were initially adopted to constrain judges’ arbitrary sentencing practices, so similarly situated convicts would be sentenced similarly. In practice, the guidelines set draconian sentences that would always rachet upwards, but almost never downwards. Because one of the only ways to lower your sentence was to plead guilty and testify against someone else, the federal court system is replete with prosecutions based on snitches and liars. When I was practicing, judges had to sentence according to the guidelines. Today, the guidelines are highly influential but technically discretionary, giving us the worst of both worlds – arbitrary sentences informed by a strict and draconian regime.  

To calculate the sentence, you look at the defendant’s past record and at the offence characteristics. The factors are plotted along the X- and Y-axis on a sentencing table. Cross-referencing these factors on the table gives the judge a range of months she should impose. Along the X-axis, Aaron was criminal history category I, he had no prior convictions.

Along the Y-axis, you look at the sentencing guideline for the particular case. CFAA sentences are governed by §2B1.1, which provides for a base offence level of 6, and adds to that for loss and other characteristics of the offence. 

Sentencing under the CFAA is both harsher and less predictable than sentencing even in other fraud cases. Loss, and not the statutory maximum, determines the sentence in computer crime cases. But, as I wrote in 2006 [PDF], in computer crime cases, the sentence is almost wholly dependent on a “reasonable estimate” of loss and the loss calculation is extremely malleable. The CFAA defines loss as “any reasonable cost to any victim, including the cost of responding to an offence, conducting a damage assessment, and restoring the data, programme, system, or information to its condition prior to the offence, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”.

Nor do the guidelines limit loss in computer crime cases to foreseeable damages. While the definition of loss for other white collar fraud crimes punished under the same guideline includes only reasonably foreseeable monetary harm, a special rule for computer crime cases requires the court to include any reasonable cost to any victim, regardless of whether the harm was reasonably foreseeable or not. Also, the guidelines establish a lower burden of proof for loss calculations in sentencing. Generally, sentencing is by a preponderance of the evidence. However, the guidelines only require the judge to make a “reasonable estimate” of the loss. In other words, the government only needs to show by a preponderance of the evidence that the sentencing court made a reasonable estimate of loss, and that estimate is a factual finding entitled to great deference on appeal.

I don’t know what the government claimed was the loss in Aaron’s case. Allegedly, he downloaded 4.8 million articles and the cost to download each individual article was $19. At that rate, Aaron arguably caused $91M in loss to JSTOR. The government’s opposition to the suppression motion alleged the information was “valued in the tens of thousands of dollars at the time”. Another, or additional, claim of loss could be based on the amount of time MIT and JSTOR spent trying to stop Aaron from downloading. Given the low burden of proof, and the fact that such damage need not be foreseeable, loss numbers are very much in the control of the alleged victims. 

For Aaron, with such a fungible numbers in hand and such a low burden of proof, the government could have argued for almost any sentence it wanted. Using just the base level of 6 and $70K in loss, Aaron would not be eligible to serve any of his sentence in a halfway house or on home confinement. He would be looking at 15 to 21 months of incarceration. That number could get higher quickly. Section 2B1.1 increases the base offense level to 12 if the conduct involved use of an “authentication feature” or “unauthorised access device”. Alternatively, upwards adjustments may be warranted if the defendant used a special skill, abused a position of trust, or tried to obstruct justice. True, 35 years wasn’t in the cards, despite the fact that’s the sentence the government publicly waived over Aaron’s head. Neither was a maximum of 50 years, which was what the government arrived at after its perplexing choice to get a superceding indictment. But Aaron could easily have come out to over a year in his guideline calculation.   

Plea bargaining

Reportedly, prosecutors offered Aaron three options: He could plead guilty to all 13 felony charges and the government would argue for a six-month prison term while Swartz’s lawyers argued for less time; he could plead guilty to all 13 felonies and accept a sentence of four months; or Aaron could go to trial and if he lost, the government would argue for seven years.

Some have blithely said Aaron should just have taken a deal. This is callous. There was great practical risk to Aaron from pleading to any felony. Felons have trouble getting jobs, aren’t allowed to vote (though that right may be restored) and cannot own firearms (though Aaron wasn’t the type for that, anyway). More particularly, the court is not constrained to sentence as the government suggests. Rather, the probation department drafts an advisory sentencing report recommending a sentence based on the guidelines. The judge tends to rely heavily on that “neutral” report in sentencing. If Aaron pleaded to a misdemeanor, his potential sentence would be capped at one year, regardless of his guidelines calculation. However, if he plead guilty to a felony, he could have been sentenced to as many as 5 years, despite the government’s agreement not to argue for more. Each additional conviction would increase the cap by 5 years, though the guidelines calculation would remain the same. No wonder he didn’t want to plead to 13 felonies. Also, Aaron would have had to swear under oath that he committed a crime, something he did not actually believe.

There’s a more systemic problem here. Plea bargaining in the face of potentially heavy sentences incentivises guilty pleas even (or especially) where the case is weak, or the defendant is factually innocent. People plead guilty all the time to things they did not do, because they couldn’t afford the right lawyer, because they are scared, because they think no one will believe them, because they are simply playing the odds. Especially when you have a case involving network policies, academic culture, technological infrastructure, and information of questionable economic value, asking a jury to decide what’s “authorised” at the risk of prison is scary.

Lest we mistake plea bargaining for justice, ask yourself, why is a seven-year sentence just for a person who goes to trial, while one who pleads guilty should only be incarcerated for six months? Why should Aaron have received two additional months of incarceration in order to argue to the judge that his sentence should be lower? This is not justice, this is horse trading. It is typical, it happens every day, but it is also wrong.
 
The criminal process is byzantine and treacherous. We rely on knowledgeable lawyers to shepherd our loved ones safely through the system, even though we know that the system is broken. We ourselves are afraid to be called as witnesses, to be inculpated. We have no clear avenue through which we can say “Stop!” Perhaps now is an opportunity.  

Thoughts on current activism

I’ve seen two petitions to the White House circulating, one for reforming the CFAA and one for removing the prosecutors from office.  

Real reform of the CFAA requires two steps: (1) a comprehensive rethinking of the statute, especially since solving the Lori Drew problem would not have saved Aaron and (2) engaging not with the White House, but with Senators Leahy and Franken, the policymakers most likely to understand and support these efforts. Nevertheless, I’m going to sign this petition. The White House can know what I think.  

As for removing the prosecutors, yes, I am angry. But, I am the kind of person who tends to blame the system rather than the individual, and I believe systematic change is more likely to make a difference than a campaign against these particular officials. I want to know how and why the decision to charge was made in Aaron’s case. I want to know why they were pushing for felonies and incarceration. I want to know what JSTOR and MIT’s role was. I want to better understand funding, incentives, evaluation metrics, bonuses and other perks prosecutors receive, for cybercrime and for other cases. I want to insulate future prosecutors from the incentives to build their careers on conviction rates rather than crime prevention, to train them so that they don’t get myopic, so that in their bones they know that behind their conviction rates are the hearts, minds and bodies of real people and their families. I want to change the conditions so that a newly-minted bully won’t just take these prosecutors’ places.

It is also true that in my criminal law career, I found the US Attorney’s office in the District of Massachusetts particularly immoral. In one case, I was told that if my client failed to enter a plea that day, the prosecutor would obtain a superseding indictment and add embarrassing pornography charges to my client’s computer crime case based on materials allegedly found on his hard drive but never disclosed to me in discovery. Similarly, that office sought to imprison a man for collecting user emails to compile a list of best-selling books, despite the fact that the email collection would have uncontrovertably have been lawful had it occurred a nanosecond later (US v Councilman).

Towards learning

I admire this community’s anger and energy. We are not alone. There are great organisations out there fighting to improve the criminal justice system in specific ways that would have helped Aaron. Every day there are people getting chewed up by the criminal justice system, rightly or wrongly, and these people tend to be poor, people of colour, non-English speakers, the mentally ill, the addicted. The pressure the government regularly brings to bear on the least powerful of us, when combined with vague laws like the CFAA, can wreak devastation on innocent people from all walks of life. My hope is that this community will productively cross-pollinate with criminal justice advocates and that together we are strong enough not only to change the CFAA but also the normalisation of disproportionately harsh prosecutorial tactics.  

To Aaron’s friends and family: I’m sorry. In the aftermath of this great loss, all I know how to do is make a To-Do list. I am going to try to make changes that will reduce the chances that something like this happens again, but it will not bring our Aaron back.

Jennifer Granick is the Director of Civil Liberties at the Stanford Center for Internet and Society.

A version of this article first appeared on the Center for Internet and Society blog.