Computer crime, Aaron Swartz, and telling your boss no.
In my career as a network administrator, I’ve been asked to break into three e-mail boxes of existing employees (entering into departed employees e-mail is routine and I’ve lost count of how many of those I’ve done). Twice I did so after verifying that it would be legal to do so, the third time, I regretfully told my bosses boss that company policies were so incoherent on the subject of notice that it didn’t meet the legal standard and I wouldn’t break in to find out if an employee was fielding recruiter e-mails. This lack of notice was a real accomplishment on the part of the employee handbook writers for the firm as the standard for notice is absurdly low. You can find cookie cutter notice templates for notice of lack of privacy in company e-mails all over the Internet. I still expected to get fired for that action, but didn’t. No doubt a lawyer was consulted but nothing more was ever said to me. The lesson is this. While an authority may intend something, if it doesn’t actually go through the action of properly saying so, it is an abuse to just go along with the flow.
Aaron Swartz could have been given meaningful notice that what he was doing was in violation of the terms of the JSTOR license using the same technology that Panera and Starbucks use to notify you about doing naughty things with their free wi-fi. MIT chose not to do so. Instead, they treated Aaron Swartz’s computer as if it was technically misbehaving (which it was) and issued a MAC block on the use of their DHCP server. Which, as they knew themselves, was trivial to defeat and was promptly defeated. But a MAC block on DHCP says nothing about JSTOR access. What Swartz did was incredibly rude, a brazen kick between JSTOR’s metaphorical legs begging for attention. That doesn’t mean that it was illegal or that the MAC block provided any sort of legally meaningful notice.
JSTOR could have said that MIT was in violation of its license and pulled JSTOR access until they fixed it or they could have throttled the connections from MIT to reduce the number of downloads to tolerable levels. What the situation wasn’t was wire fraud or computer fraud. It was abusing the special MIT JSTOR license until it sat up and begged.
MIT’s JSTOR license has all the integrity of an Obamacare waiver for a labor union. Mere mortals have to pay for downloads to access publicly financed scientific research papers but people who wander onto the hallowed campus of MIT get to download for free. JSTOR sets up a multi-tier access system, which is their right, but they have to do it carefully otherwise you get leakage to the little people who don’t rate. JSTOR didn’t do it carefully enough and Aaron Swartz exploited their licensing carelessness. It’s not like he didn’t already have access to JSTOR via Harvard as a research fellow at that institution. If all he had wanted to do was to get the articles, he could have smurfed out his requests via the Harvard network to be below detection thresholds and we all would have woken up one day with a giant torrent sitting out there on the Internet, similar to what happened with Climategate. He did his actions at an institution where he did not have special rights on purpose and very likely looked forward to ending up in civil court to hammer home his points and if he lost, perhaps pay a fine.
Instead he ended up charged with multiple felonies and the prospect of losing some of his civil rights for the rest of his life. This was a turn of events that even JSTOR did not want.
However, Attorney General Eric Holder thinks that charging thirteen felony counts for accessing information you have rights to from the wrong network was ok, if the plea deal is sweet enough. “I think what those prosecutors did in offering three, four, zero-to-six [month prison term plea term offers] was consistent with that conduct.” That seems to miss the point. A civil matter was escalated to criminal status. That’s the line that was crossed. Senator Cornyn (R-TX) seems to get it “I’m concerned that average citizens, if you can call them that, like Aaron Swartz, people who don’t have status and power, perhaps, in dealing with the federal government, could be bullied.” Representative Issa (R-CA) is looking into the matter too, seeking to gather evidence of the affair. I don’t think these Republican politicians are just taking up the Swartz case because they don’t like Holder or Obama. There are real issues at stake that should concern americans of all political persuasions but especially conservatives. Overcharging is not a conservative value. Using the machinery of the criminal system to hammer out what should have been a civil matter is not a conservative value. High disparities between plea offerings and sentence at trial are a dubious tactic that may run afoul of ethics rules and, you guessed it, not a conservative value.
But the biggest reason to have a bit of sympathy for Swartz’s cause of openness is that it will, on balance, benefit conservatives. Big government thrives on confusing people and hiding the truth of its venality, idiocy, and incompetence. Automated scripts accessing information need to be kept legal in the widest possible variety of circumstances because downloading information and data mining it to figure out where the hidden truths are is our best tool for keeping serious oversight over the whole complex mess. We are not doing enough of that, and prosecutions like Swartz’s discourage their use.
Update: I’m apparently unable to comment so until that technical snafu is fixed, I’ll just update here:
Dave A – The problem is that Swartz had the right to download the JSTOR documents, every one. As slicksleddog notes, he was doing it too fast. However, the definition of doing it too fast is elastic and there are significant difficulties with the prosecution’s implication that initiating a download prior to the expiration of a non-public timing threshhold that is likely measured in seconds is the same as stealing a document. So far as I know, Swartz was not charged with B&E, though he probably could have been on a state charge but those are irrelevant for the proper analysis of the actual charges in federal court.
If you have a DHCP server on a network, according to the prosecutor’s theory, assigning yourself a static address is computer hacking. This is wrong, dangerous, and criminalizes the normal conduct of many ordinary people, including an awful lot of developers undergoing normal operations for their company and who run static addresses for perfectly valid reasons. This is because DHCP servers are not security devices. According to the prosecution they are. That is just bad for the country if the prosecution’s theory were to be accepted as law. MAC card addresses are also not legally valid identifiers. This is one reason why they are written in a way that they can be changed because sometimes, for perfectly legitimate reasons, you want to spoof them. The prosecution criminalizes this activity too.
slicksleddog – Part of the problem with your position is that you are incorrectly citing the T&C, or at least incompletely citing it. The provision, clause 5(d) of the T&C is pretty clearly aimed at disruptive automation and not automation per se. That makes Swartz a thief, but a thief of computer cycles and bandwidth over time, something that is a great deal cheaper. Since the charges were based on him stealing the documents, the prosecution likely would have failed and would need to have been refiled for the pittance that was actually at issue.
Imagine if every cable TV thief was charged with the value of the programs he stole (by production costs) instead of the value of the subscription access. That mischaracterization of the theft is absolutely wrong and has nothing to do with whether Swartz was a good guy or properly respectful of the property rights. I think that he was badly confused on certain issues and very much not respectful of property rights as he should have been but he was innocent of the charges filed because he had the right to access the documents. What he didn’t have the right to do was tax the computers so hard and should have been charged with that. But tote that value up and you get orders of magnitude lower valuations and very likely a charge sheet that a judge will give no prison time for and question why the court’s time is being wasted for such trivialities.
The computer world is full of timing limits that, if exceeded, essentially say “slow down cowboy”. They are trivial to implement. JSTOR could have, and frankly should have, either accepted his requests within the timeframe he was sending them, or refused them as being too quick on the draw. This should have been a technical fix, not a prosecution. Had JSTOR implemented a 30 second interval between requests, Swartz would have gotten not millions but perhaps tens of thousands of documents, a significant difference.
streiff – Putting out a MAC block is a denial of access to the DHCP server, not a denial of access to the network. Please keep that difference in mind. If you fail to get a DHCP lease, your network connection does not automatically become a felony, much as the prosecution would like everyone to think so. Network admins *can* deny network access but different techniques are used, techniques that MIT did not choose to employ. It is very unlikely that they are ignorant of those techniques. I have little doubt that they invented some of them.
Update 2: It seems like the block on commenting is going to stay up so another round of responses is in order
Sir Aaron – The backstory is that JSTOR contracted to provide access to their content to a university that prides itself on having an insecure network. This does make a difference in normal law enforcement. I don’t have a problem with posting requirements on real property and I suspect that you don’t either. They are a normal, sane part of the law of long standing that is a minor burden on property owners who want to exclude people, or regulate their conduct with regard to hunting, fishing, or trapping. What your beef with extending the principle to electronic interactions that can be much more confusing is a mystery to me. The use of puns and one off names is quite common in that community. There is no regulation of it at present. The problem is that in cyberspace, somebody self-identifying as Aaron Swartz would have to have his identity checked just as thoroughly because anybody could have claimed to be Aaron Swartz. Cyber nom-de-plumes are so common because people have been playing name games for decades on the Internet. Swartz was not out of the mainstream of ordinary practice.
I agree to the fact that he, in the past, had written a political manifesto. That is not illegal. I don’t agree with that manifesto. It’s irrelevant to the problem we are facing here which is that the prosecution took the opportunity to inappropriately charge this guy, thereby establishing precedent that is very bad public policy and contrary to mainstream practice in the technology field. And Attorney General Holder’s assertion that it was all right because the plea deal made the punishment not very burdensome is just diabolic. The charge was wrong and pleading guilty to it would have made the farce an end run around the legislative process. Aaron Swartz committed crimes. He should have been charged with them and found guilty of them. But those weren’t the crimes he was charged with. That should bother conservatives. It bothers this one.
Swartz did not hack the JSTOR system. He asked the system to give him files. That’s not hacking. He asked the system to do it fast. That is a T&C violation in this particular case but should not be a federal crime because the T&C were unconscionably loose as to what constitutes a violation. By all sane networking and computer design principles a couple of laptops should saturate their network connections long before they make an international level institution like JSTOR’s servers do more than blip and thus violate clause 5(c) of the relevant T&C. This is the kind of fuzzy situation where meaningful notice is essential to an orderly functioning of the law. Neither JSTOR nor MIT fulfilled their obligations to make the restriction that they wanted to impose lawful. They chose not to do so.
The defense’s expert witness wrote about what actually went on in an article here. His assertion that the closet was kept unlocked and also happened to be the storage place for a homeless person is worth noting. How does one meaningfully break into an unlocked closet on an open campus? Again, I think that Swartz is guilty of certain crimes, just not the ones he was charged with and that if we’re going to be serious about the rule of law, a prosecutor who improperly charges a criminal in a way that would set precedent and criminalize an awful lot of mainstream activity needs to be condemned, and gotten out of any position of power as soon as possible. This should have been prosecuted as a civil matter.
Aaron Swartz is dead. His account, no matter where you think the balance of his actions are, is paid. The prosecutor is a continuing menace. That is the real situation we are faced with and we need to concentrate action on fixing the continuing menace, not on the jerk with a point who couldn’t stand the heat he’d created and killed himself. This is not holding up Swartz as a hero for this action. He wasn’t. I generally don’t think of suicides as heroes under any circumstance so I think that your characterization is more coming from you than it was from me.
Finally, the idea that we should not invoke people from the other side is just daft. You would be reading figures like Rush Limbaugh and Andrew Breitbart out because both of them have held up Saul Alinsky’s Rules for Radicals as something that we should read and do to the left. That’s a much stronger endorsement than anything I’m attempting here. I just wanted Swartz to be alive and be charged and convicted for the correct crime. That used to be called being in favor of the rule of law. In sane portions of the conservative world it still is.
streiff – Your technical ignorance of what was actually going on makes you dangerous in a three-year-old-with-matches sort of way.
Repair_Man_Jack – Essentially this is a trespass crime. Meaningful notice is the same as posting your property against trespass, trapping, hunting, and fishing. There is no way to know what constitutes excessive use that impairs the function of JSTOR without JSTOR actually saying so.
Dave_A – According to an expert witness, the closet was not locked. Trespass charges were filed and dropped, probably because they couldn’t be made to stick without the closet being locked. Swartz was guilty of enough that we shouldn’t make up stuff that he didn’t actually do.
sudomakeme – If you read into my post that I think Swartz was not guilty of crimes, you did not read me carefully enough. He was guilty, but not of CFAA violations for downloading the articles. He was guilty of excessive use of resources by downloading them so fast and should have been charged for any bandwidth caps that JSTOR busted and excess CPU cycles he burned. That these damages are likely orders of magnitude smaller than what he was charged with is the heart of why a lot of sane people are troubled by how this case was prosecuted.