It's been eight years since @aaronsw took his own life. Aaron had been charged with 13 felonies under the Computer Fraud and Abuse Act (#CFAA) for violating the terms of service on the @JSTOR database of scholarly articles.


Prosecutors Stephen Heymann and Carmen Ortiz didn't dispute that Aaron was allowed to access the articles he retrieved. Rather, they said that the WAY he accessed them (using a script instead of clicking on links) was a terms-of-service violation and hence a crime.

In other words: any business could conjure a felony out of thin air by making you click through an unreadable garbage-novella of legalese proscribing the use of a service they granted you access to. Violate any of those terms and you face a prison sentence.

This isn't law as we know it, it's Felony Contempt of Business Model, and the most alarming thing was that this interpretation of the CFAA wasn't completely ridiculous, given how badly drafted that law is.

Ronald Reagan signed CFAA into law. Fed prosecutors had been seeking broad authority to punish "hacking" and had drawn up an absurdly broad definition of cybercrime that would give them latitude to go after anyone they didn't like.

They wanted to define hacking as "exceeding your authorization" on a computer that didn't belong to you. Even in the mid-1980s, legal and technical scholars recognized the potential dangers of a definition this broad, but not Ronald Reagan.

Then Reagan got spooked by the movie Wargames - yes, the one with Matthew Broderick - and urged the dimbulbs in the Congress and Senate to send the CFAA to his desk. They obliged, he signed it, and CFAA became law in 1986.

In the decades since, CFAA has become a major source of cybersecurity mischief. Security researchers who audit systems and warn their users about defects in them are silenced with CFAA threats, giving companies a veto over who can criticize them and how.

Monopolistic online businesses threaten their competitors with CFAA liability. Companies like Facebook have managed to prevail in court, interpreting CFAA the same way Aaron's prosecutors did, making terms-of-service violations into violations of the law.

But cracks have appeared in this dangerous interpretation of CFAA. The @ACLU and a group of journalists have been litigating to overturn portions of the law since 2016:

And in 2019, the Ninth Circuit Court of Appeals produced a remarkably good ruling on CFAA in Hiq v Linkedin, splitting with its own (terrible) precedents in Power Ventures and Nosal II.

But the main event for CFAA-fighters has been at the Supreme Court this year, where the Van Buren case promised to make or break the worst elements of the CFAA for good.

The truism "hard cases make bad law" was especially true in Van Buren. Nathan Van Buren was a crooked Georgia cop who took a bribe to look up a sex-worker's personal information in the state law-enforcement database in a FBI sting.

Van Buren thought he was helping a criminal determine whether the sex-worker was an undercover cop.

Van Buren is a bad man and a bad cop.

But he isn't a hacker.

Nevertheless, prosecutors charged him under the CFAA, saying that while he was allowed to access the database, doing so for an improper purpose was a hacking crime, because he "exceeded his authorization."

This may sound sensible - or just expedient - to you. But if the prosecutors were right - if accessing a computer you were authorized to use, but in an unauthorized way - is a felony, then almost everyone is a felon.

The DoJ's theory of the CFAA would make most terms-of-service violations into potential jailable offenses (think "sharing Netflix passwords"). If federal prosecutors gain the power to threaten prison for anyone - everyone - this won't be used to rid the world of dirty cops.

Rather, it will be used against people who already bear the brunt of prosecutorial overreach, creating leverage over the victims of dirty cops.

Thankfully, the Supremes agreed. Yesterday, they handed down a good - if not great - ruling in Van Buren.

The best analysis - as ever - comes from my @EFF colleagues @kurtopsahl and @aaron_d_mackey.

As they point out, the heart of the ruling is a ban on breaking into computer systems - not criminalizing entering the wrong command into a computer you're allowed to use.

This correct interpretation (far narrower than the DoJ's) safeguards security researchers, competitors, and other researchers doing things like gathering data from a housing site to investigate racial bias in rental ads.

As the court pointed out, the DoJ's interpretation was so broad that it could criminalize "embellishing an online-dating profile to using a pseudonym on Facebook."

The ruling was good, but not perfect. A single footnote explains that the court isn't ruling on whether the CFAA only applies when someone bypasses a technical measure, which leaves the door open to turning policy and contract violations into crimes.

SCOTUS got it (mostly) right here. They vindicated Aaron Swartz and all the other victims who were bullied, silenced and terrorized by the CFAA. They took a huge step towards undoing one of Ronald Reagan's many idiocies.

Van Buren should be punished for corruption - under anti-corruption law, not under a definition of hacking so broad that it captures normal activities we all engage in several times, every day.

Sage Ross


ETA - If you'd like an unrolled version of this thread to read or share, here's a link to it on, my surveillance-free, ad-free, tracker-free blog:

More from Cory Doctorow

Happy Birthday to the queen of the scream queens, Barbara Steele!

Happy Birthday to the queen of the scream queens, Barbara Steele!

Happy Birthday to the queen of the scream queens, Barbara Steele!

Happy Birthday to the queen of the scream queens, Barbara Steele!

Happy Birthday to the queen of the scream queens, Barbara Steele!
Today's Twitter threads (a Twitter thread).

Inside: Criti-Hype; Right to Repair is back for 2021; The free market and rent-seeking; and more!

Archived at:



Criti-Hype: Tech bros will settle for "evil genius."


Right to Repair is back for 2021: Will Apple sabotage this one too?


The free market and rent-seeking: Unauthorized bread and poor doors.


#10yrsago Diane Duane’s crowdfunded publishing experiment finally concludes

#10yrsago Inside Sukey, the anti-kettling mobile app

Today's Twitter threads (a Twitter thread).

Inside: Thinking through Mitch McConnell's plea for comity; Further, on Mitch McConnell and comity; Understanding the aftermath of r/wallstreetbets; and more!

Archived at:



Thinking through Mitch McConnell's plea for comity: A thoughtful analysis.


Further, on Mitch McConnell and comity: I thought about it some more.


Understanding the aftermath of r/wallstreetbets: Even if there's no angels, there's still a path to glory.


#10yrsago Morrow’s Diviner’s Tale is a tight, literary ghost story

#10yrsago ATM skimmer that doesn’t require any modifications to the ATM

More from All

You May Also Like

1/ I wanted to show you some sneak peek this week, but instead we DEPLOYED TO PRODUCTION 🔥😄

If you’re a creator, get an invite here 👉

Week 2 highlights: our first ever podcast 🎙, meeting @Jason 🦄, shipping @BREWdotcom alpha 🚢 & laptop stickers!

2/ First off, thanks for the mind-blowing response last week (120k+ views 😲 omgwtfasdasd!)… absolutely pushed us to get the product out there.

also, there’s something magical about watching people try a buggy product and fixing it on the go 🤓

3/ Thanks @JasonDemant for inviting us to grab some behind the scenes at @LAUNCH.

As a huge fan and avid listener of the @TWistartups show🎙, it was great watching @Jason do his thing live!

4/ 🎙@domainnamewire invited us to chat about acquiring domain and that was officially our first podcast ever. Check it out here:

You nailed it your first time, Maddy! 🍻 Thanks for having us on the show, Andrew.

5/ Great news: Brew partnered with @Tipalti to enable payouts for creators everywhere (unlike @kickstarter which only support 26 countries).

Platforms like Twitch use Tipalti to payout instantly and via multiple methods like Check, PayPal, local bank transfer, etc.
I think a plausible explanation is that whatever Corbyn says or does, his critics will denounce - no matter how much hypocrisy it necessitates.

Corbyn opposes the exploitation of foreign sweatshop-workers - Labour MPs complain he's like Nigel

He speaks up in defence of migrants - Labour MPs whinge that he's not listening to the public's very real concerns about immigration:

He's wrong to prioritise Labour Party members over the public:

He's wrong to prioritise the public over Labour Party