from the whether-or-not-it-had-an-impact dept
Larry Lessig's post made some clear points suggesting that the feds and MIT were out of line in pursuing this case, which seems like an understatement:
Here is where we need a better sense of justice, and shame. For the outrageousness in this story is not just Aaron. It is also the absurdity of the prosecutor’s behavior. From the beginning, the government worked as hard as it could to characterize what Aaron did in the most extreme and absurd way. The “property” Aaron had “stolen,” we were told, was worth “millions of dollars” — with the hint, and then the suggestion, that his aim must have been to profit from his crime. But anyone who says that there is money to be made in a stash of ACADEMIC ARTICLES is either an idiot or a liar. It was clear what this was not, yet our government continued to push as if it had caught the 9/11 terrorists red-handed.Lessig made it clear that the feds sought to get Aaron to agree to a plea deal, in which he'd plead guilty to some aspect of the charges against him, in exchange for letting him off on the more serious charges. Aaron did an amazing thing and refused, believing that he had not done anything wrong:
Aaron had literally done nothing in his life “to make money.” He was fortunate Reddit turned out as it did, but from his work building the RSS standard, to his work architecting Creative Commons, to his work liberating public records, to his work building a free public library, to his work supporting Change Congress/FixCongressFirst/Rootstrikers, and then Demand Progress, Aaron was always and only working for (at least his conception of) the public good. He was brilliant, and funny. A kid genius. A soul, a conscience, the source of a question I have asked myself a million times: What would Aaron think? That person is gone today, driven to the edge by what a decent society would only call bullying. I get wrong. But I also get proportionality. And if you don’t get both, you don’t deserve to have the power of the United States government behind you.
In that world, the question this government needs to answer is why it was so necessary that Aaron Swartz be labeled a “felon.” For in the 18 months of negotiations, that was what he was not willing to accept, and so that was the reason he was facing a million dollar trial in April — his wealth bled dry, yet unable to appeal openly to us for the financial help he needed to fund his defense, at least without risking the ire of a district court judge. And so as wrong and misguided and fucking sad as this is, I get how the prospect of this fight, defenseless, made it make sense to this brilliant but troubled boy to end it.And, for those who don't think that pushing back against the feds is an amazing thing, you have no clue how much pressure the federal government can put on you when it wants you to plead guilty. Two years ago I wrote about a documentary called Better This World, which is about an entirely different subject, but really opened my eyes to the way the feds handle some of these cases. It's not about what's right. It is entirely about them winning, getting the press coverage and "making examples" of people. And they'll go to amazing lengths, and create pressure that you and I can only have nightmares about, to get people to accept bogus "plea" deals, just so they can notch up another "win." It's scary, scary stuff. Fighting back may have been the right thing to do, but must have created a level of stress unimaginable to most people.
The WSJ has provided more details about the hard line that federal prosecutors had taken with Aaron, including last week's demand that he plead guilty to all counts and spend time in jail:
Mr. Swartz's lawyer, Elliot Peters, first discussed a possible plea bargain with Assistant U.S. Attorney Stephen Heymann last fall. In an interview Sunday, he said he was told at the time that Mr. Swartz would need to plead guilty to every count, and the government would insist on prison time.In exchange for pleading guilty across the board, Heymann apparently promised that they would ask for a shorter sentence, though that's never a guarantee:
Mr. Peters said he spoke to Mr. Heymann again last Wednesday in another attempt to find a compromise. The prosecutor, he said, didn't budge
The government indicated it might only seek seven years at trial, and was willing to bargain that down to six to eight months in exchange for a guilty plea, a person familiar with the matter said. But Mr. Swartz didn't want to do jail time.The report also notes that his girlfriend was unaware of any depressive episodes until right after Wednesday's decision by Heymann to refuse to budge on jailtime and a guilty plea on all counts.
"I think Aaron was frightened and bewildered that they'd taken this incredibly hard line against him," said Mr. Peters, his lawyer. "He didn't want to go to jail. He didn't want to be a felon."
As for the details of the case itself, they were absurd -- and it is no wonder that Swartz refused to plead guilty. Back in September, we delved into the ridiculous details of the final indictment -- which upped the felony count, all of which was based on the idea that he had done some sort of massive computer hacking for the sake of some criminal conspiracy. And yet... that was clearly never the case. As Tim Lee detailed, at worst, it appeared that Swartz might possibly be guilty of trespassing. Yes, he went into a computer closet at MIT, but he got access to a network which was open for all, and he downloaded documents that were made available freely to all on that network.
Many people have reasonably pointed to a blog post from Alex Stamos, the CTO of Artemis Internet, who had been brought on as an expert witness on Aaron's behalf. After demonstrating that his reports have been used on behalf of prosecutors in attacks, and pointing out that he's no friend of hackers, Stamos highlights in detail just how completely bogus the charges against Swartz were:
That's from someone who clearly had detailed knowledge about the situation. Other legal experts had come to similar conclusions after the original indictment came out. Way back when, we had pointed to an article by Max Kennerly in which he looked closely at the indictment and was left confused as to how it got as far as it did. Kennerly has since updated his post (both after the new indictment and again over the weekend, in which he notes that Stamos' post suggest that his own original analysis didn't even go far enough after discovering the details). Kennerly looked at how the case really revolved around whether or not Swartz's activities violated the terms of service, but given the details of the case, combined with Stamos' comments and the fact that (since Swartz was charged) multiple courts have ruled that a mere terms of service violation is not a violation of the Computer Fraud and Abuse Act (CFAA), this case seemed to have absolutely nothing legitimate.
I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.
- MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any vistor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.
- In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
- At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.
- Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.
- Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.
- The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.
- I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.
In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
Given the disclosures by Swartz's expert, Alex Stamos, which are linked at the beginning of this post, it seems that Swartz had a strong argument that he did indeed have "authorization." As Stamos says, at the time of Swartz's downloads, "the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network" and "Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing 'Save As' from your favorite browser."Separately, it has been pointed out numerous times that the only real party who had any reasonable claim to "harm" was JSTOR, and it had said from early on that it had settled its issue with Swartz when he agreed to turn over his hard drive with everything he'd downloaded. Now, a bit more has come out, as apparently JSTOR itself asked federal prosecutors to drop the case:
Thus, all Swartz did was write a script to find and download the files. As a factual matter, that may have been "authorization," rendering it lawful everywhere. Even if the script was "exceeding authorization," if the First Circuit had adopted the same rule as the Fourth Circuit and the Ninth Circuit, then Swartz would likely have been not guilty as a matter of law. All of which further shows why this prosecution should not have been brought in the first place; the prosecutor is supposed to exercise their judgment to do justice.
Elliot Peters, Swartz's California-based defense attorney and a former federal prosecutor in Manhattan, told The Associated Press on Sunday that the case "was horribly overblown" because Swartz had "the right" to download from JSTOR, a subscription service used by MIT that offers digitized copies of articles from more than 1,000 academic journals.So even the supposedly "harmed" party didn't want the case to go forward. And yet, Stephen Heymann kept pushing.
Peters said even the company took the stand that the computer crimes section of the U.S. Attorney's Office in Boston had overreached in seeking prison time for Swartz and insisting , two days before his suicide , that he plead guilty to all 13 felony counts. Peters said JSTOR's attorney, Mary Jo White , the former top federal prosecutor in Manhattan , had called Stephen Heymann, the lead Boston prosecutor in the case.
"She asked that they not pursue the case," Peters said.
The case is now gone, so we'll never see how a judge rules on it. We can hope that, given everything above, a judge would have clearly seen what a joke the case was, and dismissed it. But, you never know how judges will rule, and especially when they're not very technically savvy, they'll give a ridiculous amount of deference to federal prosecutors, merely because of their position. But the ridiculousness of the case should be pointed out over and over again to remind everyone of the problems we get when the federal government gets too powerful, and knows that it can use that power against someone it doesn't like.
Whether or not the impending trial contributed to Swartz's death, one thing is undeniable: the case itself was a complete farce, and that should not be forgotten. One hopes that, among other things, one of the legacies of Swartz's death may be to fix broken laws that allowed this prosecution to move forward, and to figure out a way to dial back the aggressiveness with which federal prosecutors take on cases these days.