by Charles C. Mann Boston Magazine, vol. 88, no. 4, April 1996, pp. 32-36.
"Why care?" asks the document on the World Wide Web that summarizes the strange story of Randal Schwartz. One reason is that Schwartz is the first bona fide computer expert ever convicted of stealing computer data--all the other possibly criminal hackers have been teenagers, wannabe techies, or Kevin Mitnick. Schwartz, by contrast, is the author of two widely used textbooks on the computer language Perl, a consultant for some of this country's biggest corporations, and a well-known presence on the loose collection of computer discussion groups known as the Usenet.
Nonetheless, Schwartz was convicted last year in Portland, Ore., on three counts of computer crime; he was sentenced to 480 hours of community service, five years of probation, 90 days in jail (deferred until 1998), and $68,471.45 in restitution. According to Schwartz, his legal fees have risen to about $170,000. Although his books and consulting have left him relatively well-off and he seems likely to avoid actual jail time, his entanglement in the criminal-justice system pushed him into what he calls a "suicidal" state. Now he has recovered, he says, "but I'm still feeling what anybody would feel if they'd had $250,000 ripped out of the prime of their career. I've lost 15 to 20 percent of my clients and I'm being a slave to catch up financially."
Still, why care? The most important reason is because the offenses of which Schwartz have been convicted are so nebulous as to strain the ordinary definition of the word "crime." Indeed, the Schwartz case highlights the difficulties posed by computer networks--and the culture that has grown up around them--to our institutions of law and government. Even the computer-crime laws in Massachusetts, which have been hailed by the digerati as exemplars of intelligence and moderation, are not immune to these difficulties.
By all accounts, Schwartz started out as a classic computer nerd, spending as much time as possible before the screen--"trading my childhood for my career," as he puts it now. By the 1980s, Schwartz had become a "hacker", which in those days meant a particularly clever and enterprising programmer. A devotee of Perl, he became a sort of one-man proselytizing squad for the language, preaching its beauty, power, and simplicity to all who would listen. Not only did he write textbooks, he spent much time dispensing free advice via e-mail to people with Perl problems.
In good hacker style, Schwartz would often append a short, elegantly mysterious program to his messages. Written in Perl, the program would look like a snippet of gibberish, even to computer wizards. But when executed it would cause the recipient's computer to print out "Just Another Perl Hacker" in an unexpected way; once, in fact, Schwartz managed to make Perl print in Morse code. Within the acronym-crazy geek community, the programs became known as JAPHs, and were passed around freely.
At the time, the Internet was a small, cozy place. Based mainly in universities and research facilities, it developed an active culture with a strong libertarian strain. No one could order anyone else about; in this spirit, the standards of the Internet are set by documents called Requests for Comment. Like everyone else in this culture, Schwartz was accustomed to moving freely from system to system, doing more or less whatever he thought necessary; as long as nobody else was bothered, everything was permitted. To outsiders, this behavior might seem arrogant and presumptuous, but it was the norm in cyberspace.
Schwartz's troubles began in 1993, when he was consulting for Intel, the chip outfit, which has a big campus west of Portland called Hawthorn Farms. (The location should not be surprising; so many high-tech companies have moved to western Oregon in recent years that the area is often called the Silicon Forest.) Contracted as a "system administrator," Schwartz was one of the ubiquitous but near-invisible caste of computer wizards who keep big networks operational. In orthodox Internet fashion, sysadmins, as they are called, run from machine to machine, doing whatever seems necessary--an independent course that eventually undid Schwartz.
Hawthorn Farms is a security-conscious place; on a recent visit there, I saw all the paraphenalia of corporate paranoia: magnetically coded badges, suspicious gatekeepers, card-locked doors, metal detectors. Hearing of a security incident at another computer system, Schwartz wondered whether Intel's networks were as safe as the campus, a reasonable worry given that they contained everything worth stealing. On his own, he spent 15 minutes setting up the latest version of Crack, a program that checks users' passwords to see if they can be easily guessed. Six days later, Crack had found 48 weak passwords, one of which belonged to an Intel vice president whose psychologically revealing choice was "pre$ident".
"I was pitching in on my own initiative, which I thought is what you're supposed to do," Schwartz says. "I truly believe that I was helping Intel. It was the kind of thing I've always been rewarded for before." He wanted to present the bad passwords to his bosses as partial proof of his utility--a move that he hoped would help get him get a better contract when his present one expired.
As it turned out, Intel did not want the assistance. When another sysadmin discovered Crack running on an internal computer network, the company called the cops. Schwartz's home was searched and his computers confiscated; in the subsequent interrogation, he declined to call a lawyer and promptly dug himself in deeper. Have you ever thought of breaking into computers? he was asked, more or less in those words. Of course, Schwartz said. All good sysadmins think about security, and the best way to do that is imagine how somebody would try to break into your computer. Has long contemplated breaking into computers, the police concluded.
Nothing incriminating was found in the search, because Schwartz had removed nothing--not even a computer file--from Hawthorn Farms. He had not used any of the weak passwords, shown them to anyone else, or looked at other people's files; nor had he made a penny from his Crackery. Nevertheless, he was indicted in March 1994 for "accessing a computer with intent to commit theft" and "altering" computer networks "without authorization." Was there any proof that Schwartz was an inveterate criminal hacker? The prosecution examined his JAPHs. "See!" the prosecution in effect said. "He called _himself_ a hacker!" The jury convicted Schwartz last July; he was sentenced in September. An appeal is under way.
The spectacle of a billion-dollar corporation pushing for the criminal prosecution of a nerd for failing to ask permission to run Crack raises obvious questions. Why would Intel go to such lengths? And what kind of law would let them prosecute? Schwartz himself guesses that the answer to the first question is that Intel had "an entrenchment problem. They freaked out and started to press the case before they knew I hadn't done anything to harm them. Then, if they backed down, there was always the potential for me to sue them. So it was risky for them to drop the charges--not that they ever asked me if I would sue, which I wouldn't." As for the state's willingness to prosecute, it may be worth noting that Intel is Oregon's single largest employer.
The second question is harder. Oregon law is directed against any one who "knowingly and without authorization use[s], access[es], or attempt[s] to access any computer" or those "executing any scheme... to defraud" on a computer. In theory, someone who borrow a friend's credit cards to get a shot of cash from an ATM might be subject to the statute, because such behavior is in technical violation of the authorizations on the credit-card agreement and because using the ATM involves accessing a computer. Worse, such laws are by no means exceptional. Since 1978, all fifty states and the federal government have passed computer-crime statutes, and most of them make the computer-literate sigh in exasperation.
Massachusetts is an exception, partly because Governor William Weld, in a move hailed by the geek community, sought the advice of Mitch Kapor, founder of Lotus and cofounder of the Electronic Frontier Foundation, a civil-liberties watchdog that guards privacy and freedom of expression in the electronic world. With the help of Kapor, Massachusetts passed the Computer Crime Bill of 1994, which has been widely cited as a model of good sense. It is considerably less broad than the Oregon statute, but it is far from perfect.
On pain of up to three days in jail or a thousand-dollar fine, the law makes it illegal for computer users to gain "unauthorized electronic access" to a computer if they "know that such access is unauthorized" or discover afterward "after gaining such access that such access is authorized" and don't stop. More serious, it also bars anyone "with intent to defraud" from "attempt[ing] to obtain" access to a "commercial computer service" by any means. Here the punishment goes up to two and a half years in jail or $3,000. "Commercial computer service," by the way, means "any use of computers... offered by the proprietor or operator of the computer[s]... to others... for monetary consideration."
Intel argued that Schwartz must have known his access was unauthorized because it was not explicitly authorized--an argument that was successful, and would presumably be enough to convict him of the same specious crime in this state. Schwartz might have run into similar trouble on the second part of the statute, too, if circumstances had been different. Many companies rely on computer-service specialists to handle their information system. If Schwartz had been hired by one of these specialists, his use of Crack could have been treated as an "attempt to gain access" to a "commercial computer service"--an indictable offense in our fair commonwealth.
The point is not that Big Brother is lurking, although the Schwartz case has its Orwellian flavor. Rather, our society is having trouble with the legal implications of the omnipresent beige boxes in our lives. More and more of our daily actions involve gaining access to computer systems; we do it every time we visit a bank ATM, encounter a voice-mail system, or look at an unborn child on a sonogram. Because of the potential for misuse, society naturally has an interest in ensuring that access is controlled. But because of the very ubiquity of computers, laws concerning their use spill over into the most unexpected aspects of life.
Conceivably, broad interpretations of computer-crime laws could lead to the criminalization of much ordinary behavior. Schwartz's cruise through Intel's password file may have been foolish and was obviously annoying to his superiors, but it hardly seems criminal; an appropriate response might have been a reprimand or a summary firing, but not a jail cell. Similarly, many people in the non-geek world do their nine-to-five at companies with computerized telephone systems. Often these firms have policies that prohibit the personal use of office phones. Surely annoyed employers should not be allowed to use computer-crime statutes to prosecute employees who call home on a PBX system, thus gaining "unauthorized access to a computer."
Yet such actions are increasingly possible, even plausible. As the Schwartz case shows, one can never be sure of what crazy things may be permitted by the law--even, perhaps, in a state held up as a model of sanity.