Student Innovators Continue to Face Threats from CFAA and State-Level Criminal Hacking Laws
Some of the world’s most recognized companies began on college campuses. Think of Facebook, invented by Mark Zuckerberg while an undergraduate at Harvard, or Microsoft, started by Bill Gates when he was a college sophomore.
Yet universities are not necessarily the most welcoming places for student innovation. Harvard reprimanded Zuckerberg for “breaching security” and hacking into dorm websites to obtain photos of students for an early version of Facebook. Luckily, the university did not involve law enforcement, but they certainly could have.
Likewise, Bill Gates and his Microsoft co-founder Paul Allen innovated at the boundaries of the law before founding Microsoft. The pair had obtained an administrator’s password at the company where they were employed in order to use the timeshared computers for personal projects. Today, these activities are illegal and subject to serious prosecution under existing federal and state level computer crime laws.
Close calls and potential run-ins with the law were part of the patchwork of experimentation in university communities that lead to the creation of some of the world’s largest technology companies. Just as laws are frequently outdated by the accelerated pace of technology, campus policies often lag behind in addressing the potential legal needs of their most innovative students exploring the frontiers of digital invention.
Yet universities don’t have to move at the slothful pace of legal change. Rather as institutions that are home to cutting edge developers of technology, universities have a responsibility to be more responsive to the needs of student innovators and researchers.
Student encounters with criminal hacking laws
Armed with the Computer Fraud and Abuse Act (CFAA) and state-level computer crime laws, prosecutors could have forced Zuckerberg, Allen and Gates to face a threat of serious jail time. Sadly, today overzealous prosecutors are using computer crime laws to endanger innovative students.
Look at what happened to MIT undergraduate Jeremy Rubin who received a subpoena from the New Jersey Attorney General because of an explicitly marked proof-of-concept project he developed with other students for a local hackathon last November. The project is called Tidbit, and it gives users the option to offer up some computer processing power to websites to mine for Bitcoins in exchange for the removal of advertisements. Tidbit won an award at the hackathon for innovation, but it was never actually implemented.
Yet the state of New Jersey is suggesting that the Tidbit developers have violated New Jersey state-level computer crime laws and is demanding that Rubin hand over Tidbit source code and related documents. The attorney general also issued requests for the names and identities of Bitcoin wallets associated with Tidbit and the name of anybody whose computer mined for Bitcoins using Tidbit – despite the fact that Tidbit's code was not configured to mine for Bitcoins.
At first, confused as to what to do after receiving a subpoena, Rubin asked MIT’s legal department for help. MIT claimed it wasn’t able to offer assistance and recommended Rubin contact EFF. We took the case and moved to quash the subpoena in New Jersey state court in January of this year; a hearing date has now been set for September 22nd in New Jersey.
One of the more troublesome kinds of laws that student innovators may run into are criminal hacking laws like the Computer Fraud and Abuse Act and state level computer crime statutes, like the one used to threaten the creators of the Tidbit project. The CFAA makes it a crime to access a computer without “authorization” or in excess of authorized access. The Department of Justice has asserted that the CFAA makes it a federal crime to violate a website’s terms of service, and under the CFAA, first time offenses can be charged as felonies.
Student innovators are particularly susceptible. At the time of this death, Internet activist Aaron Swartz was under indictment for allegedly violating the CFAA when he used MIT's computer network to download millions of academic articles from the online archive JSTOR without "authorization" although he was allowed to access individual articles. Before Swartz, the Massachusetts Bay Transit Authority used the CFAA to sue a group of MIT students, convincing a federal court to order them to cancel their scheduled presentation at DEF CON about vulnerabilities that they found in Boston's transit fare payment system, violating their First Amendment right to discuss their important research. (With EFF’s help, the injunction was later removed, but only after the conference was over.)
After a late start, MIT gets it in the Tidbit case
If universities want to be welcoming, safe places for innovation, students need to know where to go if they run into legal trouble with a new invention or idea. Universities could, for instance, create a place for legal in-take of student questions, write a regularly updated resource on hacking laws, and provide a safe place for students to seek advice without being punished. The point is that universities need to adopt a posture of support.
While the threat of incarceration continues to stifle innovation on and off campus, we’ve seen some welcomed developments in the Tidbit case. Notably, after faculty members and students circulated an open letter, MIT President Rafael Reif announced plans to support the Tidbit innovators and MIT sent a formal letter to New Jersey’s Attorney General, asking it to withdraw the subpoena. The open letter stated that the subpoena from the New Jersey Attorney General will have, “a chilling effect on MIT teaching and research.” Soon after, MIT faculty and MIT students wrote additional letters of support, asking New Jersey to withdraw the subpoena. Over 800 members of the MIT community signed onto these letters.
President Reif appears to get it. In response to the outcry over the Tidbit controversy, Reif announced that MIT plans to create a new legal resource for students threatened by legal challenges as a result of their innovative work and entrepreneurial pursuits. “In the case of someone creating an innovative new product and then getting into legal trouble doing something that was a part of their classwork — then, MIT absolutely does have a legal interest to be involved,” Ethan Zuckerman, director of MIT's Center for Civic Media, told the press.
Computer crime laws like the CFAA or its state-law equivalents are in dire need of reform. And until we start to see more policymakers take a leadership role in driving for these laws to be reformed, universities should pledge to offer support and advice to students working on the frontiers of research and new technologies.
It’s time for reform
But we shouldn’t need to fight this broken, outdated law on a case-by-case basis. Fortunately, lawmakers have been thinking about a way forward. Aaron’s Law—a bill that was proposed last year in memory of Aaron Swartz—is a good starting point for much needed revisions and updates to the Computer Fraud and Abuse Act with common sense reforms. As drafted, the bill does not go far enough and does not—currently—have wide spread support in Congress.
Congress could do a lot, but until it’s ready to act, we need to keep fighting for reform. And you can help by pushing for change locally on campuses and on the state level. We are heartened by MIT’s move to create resources for students who are threatened by criminal hacking laws and look forward to seeing how that project takes shape. Universities that want to protect and encourage student innovation need to act similarly.
Now is the time for students and campus communities that want to vitalize innovation to speak up and demand university support. There are some simple steps that universities can take to foster inventiveness in their campus communities:
- Create a legal intake mechanism or program for students who receive subpoenas and are threatened by computer crime laws. Student innovators need to know where to go to receive help.
- Publish a guide on CFAA and in-state computer crime laws so that students and researchers can better understand the contours of the laws that may be leveraged against them.
- Universities should be pushing for computer crime legal reform and come out with strong institutional support for reform efforts on the federal and state level.
These are only a few of the may ways universities can step up to the plate. Stay tuned: EFF is fighting for reform and to protect the next wave of technological innovators. If you’re a student or a professor and want to get involved, email email@example.com to learn how.