Feds Charge Aaron Swartz With Felony Hacking… For Downloading A Ton Of Academic Research
from the how-dare-he! dept
Well, the big story making the rounds today has been the charges filed against Aaron Swartz by US prosecutors for violating the Computer Fraud and Abuse Act — a law that is all too often been abused by the feds to attack people they don’t like. Wired News has the most comprehensive coverage as far as I can tell.
If you’re unfamiliar with Aaron, while most of the reports refer to him as a co-founder of Reddit (which is a bit of a stretch as he was actually merged into Reddit as part of an early Ycombinator program) and as the founder of Demand Progress, I remember him from way before that — back when he was a teenager and helped author the RSS 1.0 spec.
As for the specifics of the case, it’s still a little hazy. The full indictment is embedded below, but the story being pushed by the feds is that Aaron maliciously hacked into JSTOR, a non-profit organization that hosts academic journal articles, via a computer room at MIT and then downloaded millions of records, bringing JSTOR’s servers to a screaming halt. Believe it or not, the indictment directly claims that he “stole” these articles, despite them being offered up for download via open access on various university campuses. He didn’t “steal” a damn thing.
Demand Progress paints a very different portrait of what happened, pointing out that he was downloading works that appeared to be authorized and that the complaint seems to really just be that he downloaded too much:
?This makes no sense,? said Demand Progress Executive Director David Segal; ?it?s like trying to put someone in jail for allegedly checking too many books out of the library.?
?It?s even more strange because JSTOR has settled any claims against Aaron, explained they?ve suffered no loss or damage, and asked the government not to prosecute,? Segal added.
James Jacobs, the Government Documents Librarian at Stanford University, also denounced the arrest: ?Aaron?s prosecution undermines academic inquiry and democratic principles,? Jacobs said. ?It?s incredible that the government would try to lock someone up for allegedly looking up articles at a library.?
JSTOR, itself, put out a statement that, at the very least, suggests that after they talked to Aaron and confirmed he wasn’t going to release the data he downloaded, that that was all they cared about:
We stopped this downloading activity, and the individual responsible, Mr. Swartz, was identified. We secured from Mr. Swartz the content that was taken, and received confirmation that the content was not and would not be used, copied, transferred, or distributed.
The criminal investigation and today?s indictment of Mr. Swartz has been directed by the United States Attorney?s Office.
It’s not clear, then, how the Feds became involved in the first place. It’s entirely possible JSTOR alerted them originally, and then the investigation went from there. From the details, it seems more likely that MIT may have reported the situation to the feds.
As far as I can tell, the crux of the argument against Swartz is that he violated the JSTOR terms of service, specifically the part about automated downloading, which in the minds of the feds, makes you a felon who can face up to 35 years in jail and $1 million fines. There’s a lot of fluff around that violation of terms of service, about how he “broke into” an MIT computer writing room and covered his face with a bicycle helmet. But, really, that’s all to set up the claim that he knowingly was getting around the terms of service and certain technological measures that JSTOR had put on its system to avoid such mass downloads.
It doesn’t looked like Swartz actually “hacked” into anything. He went onto MIT’s campus and logged in as a guest, as MIT allows. Now, it does appear that JSTOR and MIT took somewhat weak efforts to block him from mass downloading JSTOR works, and Aaron took rather trivial measures to get around that (change the IP, change the MAC address). The government is using that to suggest malicious intent.
But what was Aaron actually doing this for? I imagine that will come out soon enough. The government claims that he “intended to distribute a significant portion of JSTOR’s archive of digitized journal articles through one or more file-sharing sites.” That may be possible, though JSTOR says that Aaron had already promised the works would not be distributed. It’s important to note that Aaron has a long history of being involved in open access and open records movements, and was investigated by the feds once before for doing something similar. In that case, he set up a program to download legal documents from PACER, which are public documents, to post them on a free internet service. That case went nowhere, of course, because those documents are public. Separately, in the past, Aaron has gone through academic research to help with research papers on potential conflicts of interest in research funding. I have no idea what he was trying to do here, but it seems likely that it had to do with more open records research. Perhaps he was trying to open up works that were funded by federal dollars?
Either way, a felony indictment and threats of 35 years in jail and $1 million in fines seems ridiculously excessive and vindictive when you consider what he actually did here: which was download 4.8 million academic articles via a network that allowed such downloads. Yes, he used automated means barred by the terms of service, and yes, after being barred a few times, he worked out how to get around that. But it’s hard to see how any of that really deserves felony prosecution for computer hacking, with totally bogus claims from the feds about how “stealing is stealing.” He wasn’t “stealing” anything or you would have charged him with theft. Actually, the stealing is stealing comment from US Attorney Carmen M. Ortiz is so chock full of wrong, it deserves special mention:
Stealing is stealing whether you use a computer command or a crowbar and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.
Downloading data made available on a network is not “stealing.” And he made copies of documents. He did not “take” them. JSTOR still had the documents. And, JSTOR doesn’t seem to be acting like a victim of “theft” here. It certainly looks like Aaron did some things that were questionable in how he accessed this data. But does it raise to the level of a federal indictment for criminal hacking? That seems like a huge, huge stretch.