Category Archives: Computer Fraud and Abuse Act

Andrew Auernheimer AKA Weev Gets 41 Months Jail Time For GET Requests

This is a pretty sad case, and one which I’m sure all of us have followed since it first started. Surprisingly it hasn’t gotten a whole lot of media attention, but then this legal precedent sticks it to the man and has some consequences regarding the infosec industry – and who would want to publicize [...] The post Andrew...

Read the full post at darknet.org.uk

Feds Charge Activist with 13 Felonies for Rogue Downloading of Academic Articles

Photo: selfagency/Flickr

Federal prosecutors added nine new felony counts against well-known coder and activist Aaron Swartz, who was charged last year for allegedly breaching hacking laws by downloading millions of academic articles from a subscription database via an open connection at MIT.

Swartz, the 25-year-old executive director of Demand Progress, has a history of downloading massive data sets, both to use in research and to release public domain documents from behind paywalls. He surrendered in July 2011, remains free on bond and faces dozens of years in prison and a $1 million fine if convicted.

Like last year’s original grand jury indictment on four felony counts (.pdf), the superseding indictment (.pdf) unveiled Thursday accuses Swartz of evading MIT’s attempts to kick his laptop off the network while downloading millions of documents from JSTOR, a not-for-profit company that provides searchable, digitized copies of academic journals that are normally inaccessible to the public.

Using a program named keepgrabbing.py, the scraping took place from September 2010 to January 2011 via MIT’s network, and was invasive enough to bring down JSTOR’s servers on several occasions, according to the indictment.

Disclosure: Swartz was part of a small team that sold Reddit to Condé Nast, Wired’s parent company, and has done coding work for Wired.

In essence, many of the charges stem from Swartz allegedly breaching the terms of service agreement for those using the research service.

“JSTOR authorizes users to download a limited number of journal articles at a time,” according to the latest indictment. “Before being given access to JSTOR’s digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR’s computer servers with automated programs such as web robots, spiders, and scrapers. JSTOR also uses computerized measures to prevent users from downloading an unauthorized number of articles using automated techniques.”

MIT authorizes guests to use the service, which was the case with Swartz, who at the time was a fellow at Harvard’s Safra Center for Ethics.

The case tests the reach of the Computer Fraud and Abuse Act, which was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company’s computer usage policy, a position a federal appeals court in April said means “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” The 9th U.S. Circuit Court of Appeals, in limiting reach of the CFAA, said that violations of employee contract agreements and websites’ terms of service were better left to civil lawsuits.

The rulings by the 9th Circuit cover the West, and not Massachusetts, meaning they are not binding in Swartz’ prosecution. The Obama administration has declined to appeal the ruling to the Supreme Court.

The indictment accuses Swartz of repeatedly spoofing the MAC address — an identifier that is usually static — of his computer after MIT blocked his computer based on that number. The grand jury indictment also notes that Swartz didn’t provide a real e-mail address when registering on the network. Swartz also allegedly snuck an Acer laptop bought just for the downloading into a closet at MIT in order to get a persistent connection to the network.

DOJ Won’t Ask Supreme Court to Review Hacking Case

Photo: TheRealDavidFrancis/Flickr

The Justice Department has decided not to ask the Supreme Court to review a controversial federal appeals court decision that said employees may not be prosecuted under a federal anti-hacking statute for simply violating their employer’s computer use policy.

The 9-2 decision in April by the 9th U.S. Circuit Court of Appeals dealt a blow to the Obama administration, which is invoking the same theory to prosecute alleged WikiLeaks leaker Bradley Manning.

The case concerns the Computer Fraud and Abuse Act, which was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

At least, that’s what the San Francisco-based appeals court said was the act’s purpose.

The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company’s computer usage policy, a position the court ruled means “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” The court said that violations of employee contract agreements and websites’ terms of service were better left to civil lawsuits.

“Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as ‘tall, dark and handsome,’ when you are actually short and homely, will earn you a handsome orange jumpsuit,” Judge Alex Kozinski wrote for the majority, adding in a footnote that the government’s interpretation of the law opens employees up to be arrested, not merely fired, for playing Farmville at work.

The act makes it a federal offense if one “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Orin Kerr, a George Washington University Law School scholar and considered one of the leading experts on the topic, suggested the government did not appeal because it “may have been scared off by Judge Kozinski’s opinion.”

“It would have been the first document that the justices read, and it’s a pretty powerful brief against the government’s position,” he said.

The Justice Department did not immediately respond to a request for comment on its decision not to appeal (.pdf).

The case before the appeals court concerned an appeal by defendant David Nosal, who had worked for an executive search firm and was charged with, among other crimes, three CFAA counts for allegedly aiding and abetting his former colleagues to supply him with company data that his co-workers were authorized to access but forbidden to divulge. The decision by the nation’s largest federal appeals court, which covers the western United States, reversed the same circuit’s 2-1 ruling last year that said no hacking was required to be prosecuted as a hacker under the CFAA.

The 9th Circuit covers Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington.

The outcome conflicts with at least three other circuit courts of appeal nationwide. Had the government appealed, the Supreme Court likely would have taken the case to clear up the conflicts. But so far, the Supreme Court remains sidelined on the issue.

Accused WikiLeaks leaker Manning is charged with, among other things, breaching the CFAA by allegedly exceeding his authorized access of a government computer and providing files to secret-spilling site WikiLeaks. The prosecution doesn’t allege, however, that Manning actually broke into any computer system. But Manning is being prosecuted at Ft. Meade in Maryland, outside the reach of the 9th Circuit’s decision.

The statute was used to prosecute Lori Drew, who was charged criminally for participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide. The Los Angeles federal court case against Drew hinged on the government’s argument that violating MySpace’s terms of service was the legal equivalent of computer hacking and a violation of the CFAA. A federal judge who presided over the prosecution tossed the guilty verdicts in July 2009, and the government declined to appeal.

However, the feds used the same theory to get hacking convictions of two New Jersey men who used computer scripts to help them buy, with real money, lots of concert tickets from Ticketmaster.com, which they later scalped.

But the appeals court plainly said breaking company computer-use policies does not amount to hacking.

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.

Kozinski was joined by Judges Harry Pregerson, M. Margaret McKeown, Kim McLane Wardlaw, Ronald M. Gould, Richard A. Paez, Richard R. Clifton, Jay S. Bybee and Mary Murguia.

In dissent, Judge Barry Silverman, joined by Richard C. Tallman, wrote: “In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy. The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does.”

While Nosal, the defendant in the case, escaped the hacking charges, he is also accused of trade secret theft, mail fraud and other charges. Trial is pending in San Francisco federal court.

Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as Hacker

Employees may not be prosecuted under a federal anti-hacking statute for simply violating their employer’s computer use policy, a federal appeals court ruled Tuesday, dealing a blow to the Obama administration’s Justice Department, which is trying to use the same theory to prosecute alleged WikiLeaks leaker Bradley Manning.

The case, decided by the 9th U.S. Circuit Court of Appeals, concerns the Computer Fraud and Abuse Act, which was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

At least, that’s what the court says is the act’s purpose.

The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company’s computer usage policy, a position the court said means “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” The court said that violations of employee contract agreements and websites’ terms of service were better left to civil lawsuits.

“Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as ‘tall, dark and handsome,’ when you are actually short and homely, will earn you a handsome orange jumpsuit,” the court ruled, adding in a footnote that the government’s interpretation of the law opens employees up to be arrested, not merely fired, for playing Farmville at work.

The act makes it a federal offense if one “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Tuesday’s case considered an appeal by defendant David Nosal, who had worked for an executive search firm and was charged with, among other crimes, three CFAA counts for allegedly aiding and abetting his former colleagues to supply him with company data that his co-workers were authorized to access but forbidden to divulge. The decision by the nation’s largest federal appeals court, which covers the western United States, reverses the same circuit’s 2-1 ruling last year that said no hacking was required to be prosecuted as a hacker under the CFAA.

The 9th Circuit covers Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington.

The outcome conflicts with at least three other circuit courts of appeal nationwide, which means the Supreme Court could take up the issue soon. The San Francisco-based appeals court noted the split and urged its sister circuits to reconsider their rulings. (.pdf)

The same legal theory was used to prosecute Lori Drew, who was charged criminally for participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide. The Los Angeles federal court case against Drew hinged on the government’s argument that violating MySpace’s terms of service was the legal equivalent of computer hacking and a violation of the CFAA. A federal judge who presided over the prosecution tossed the guilty verdicts in July 2009, and the government declined to appeal.

The feds used the same theory to get hacking convictions of two New Jersey men who used computer scripts to help them buy, with real money, lots of concert tickets from Ticketmaster.com, which they later scalped.

Accused WikiLeaks leaker Bradley Manning is also accused of, among other things, breaching the CFAA by allegedly exceeding his authorized access of a government computer and providing files to secret-spilling site WikiLeaks. The prosecution doesn’t allege, however, that Manning actually broke into any computer system.

But the appeals court plainly said breaking company computer-use policies does not amount to hacking.

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.

Kozinski was joined by Judges Harry Pregerson, M. Margaret McKeown, Kim McLane Wardlaw, Ronald M. Gould, Richard A. Paez, Richard R. Clifton, Jay S. Bybee and Mary Murguia.

In dissent, Judge Barry Silverman, joined by Richard C. Tallman, wrote: “In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy. The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does.”

While Nosal, the defendant in the case, escaped the hacking charges, he is also accused of trade secret theft, mail fraud and other charges. Trial is pending.

And for now, at least, feel free to keep playing Words with Friends on your employer’s dime and lying about your age on dating sites. The feds can’t touch you — so long as you live in the West.

Photo: TheRealDavidFrancis/Flickr

SSCC 60 – Obama Proposals, Square Enix, Mac threats

Well, it is bound to happen occasionally, and it did last week… I missed a Chet Chat. I was at the Sophos sales conference and did so much speaking and chatting with colleagues that I lost my voice.

I’m back this week though, and I had my friend and co-worker Ben Jupp join me on Chet Chat 60. Ben works in our Global Escalation Support team and deals with all the thorny issues on non-Windows platforms. Ben’s specialty is Mac OS X, and he works closely with product development and SophosLabs on Apple-related issues.

This week we began our discussion with Obama’s recent proposed changes to the Computer Fraud and Abuse Act (CFAA) and Racketeer Influenced and Corrupt Organizations Act (RICO). We talked about the latest data breach at Square Enix and Sony’s most recent stumble.

My primary reason for having Ben as my guest was to explore all the news surrounding the recent fake anti-virus attacks against the Mac platform. In addition to the malware for OS X we also talked a bit about the Apple Mac App Store and keeping applications patched against vulnerabilities.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(19 May 2011, duration 20:27 minutes, size 9.9MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 60 or subscribe to our RSS.
