The Legal Quicksand Of Giving Online Stuff Away For Free
Written by Mark Rasch

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
We all love to get stuff for free. Whether it is a coupon, a sample or a trial, if it’s free, it’s good. For retailers, offering a freebie can get customers used to using their products or services, may engender goodwill and may be a smart business decision. But if those retailers fail to adequately define the terms of the free trial, they may be setting themselves up for a disaster. The recent suicide of online activist Aaron Swartz, who was under indictment for breaking into MIT’s computers to “steal” information from an online resource, raises many issues about criminal law, prosecutorial discretion and the open nature of information. But for retailers, it raises questions about the terms and conditions under which they can control the distribution of digital access and digital information.
This holiday season, I was walking through the mall seeking out the See’s Candies ladies with their free samples. I would gladly take a chocolate lollipop or a toffee square, circle the mall and come back for another. The free sample came with no terms or conditions and no obvious limitations on access or use. Could I then argue that, because See’s was giving away chocolate lollipops, these items were “free” and that I was, therefore, lawfully entitled to take six or seven boxes from behind the counter without paying for them? Absurd. But why? Because in the real world, we have loosely formed social conventions and a system of shaming to enforce them. I can have one or two chicken teriyaki samples on a toothpick but can’t make that my dinner for a month. The enforcement tends to be of the type, “Hey, haven’t you been here before?” Although there are some abuses, for the most part, the system does what it is supposed to do.
Online may be different. I say may, because although the normal conventions for what is “acceptable” and what is not may still apply online (or new comparable conventions may exist), the ability to quickly and efficiently thwart such conventions may create new legal and technological problems for anyone with an online presence. To understand this, we must first understand what Aaron Swartz did that got him into legal hot water.
In a nutshell, Swartz—by all accounts a brilliant programmer and online activist—initially obtained a free trial to the U.S. Government’s PACER system of electronic court records by visiting the federal courthouse in Chicago. Virtually all filings in the federal courts, pleadings, motions and court opinions are stored on PACER, which charges a per-document fee for access. Because these are government documents (well, many of them are not, but we’ll put that aside for now), the government does not obtain an enforceable copyright in its works. Swartz then used his free trial and a bit of technology (a PERL script) to attempt to download the entire PACER database, which he was going to make available for free on a cloud server. He downloaded more than 19 million documents, for which PACER would have charged $0.08 each, or a potential “theft” of more than $1.5 million from the federal government. Certainly not what PACER envisioned when it gave Swartz a free trial. But because neither the PACER Terms of Service nor free trial terms appeared to prohibit this, and because the works taken were not obviously subject to copyright (at least those created by the government), the FBI investigated but did not prosecute these actions.
In the second case, Swartz accessed the open networks at MIT and obtained a free wireless MIT account, using it to access the MIT library’s JSTOR access account. JSTOR is a repository of academic and technical journals that charges a fee of up to $50,000 a year to academic institutions for access. These institutions then make access to these journals available to their communities. Ordinary users must obtain a user ID and password from JSTOR and pay for access to individual articles. But Swartz accessed the MIT Wi-Fi network, created a guest account and wrote a program called “keepgrabbing” to get around JSTOR’s limits on downloading. When MIT and JSTOR blocked this access, he changed his IP address, got a different computer and, eventually, just went into an MIT wiring closet and hardwired a computer into the network to keep downloading JSTOR documents. Swartz planned to make the JSTOR documents available on P2P networks. This time, he was indicted for hacking, and those charges may ultimately have led to his suicide.
So what does this mean for retailers?