Aaron Swartz, RIP

I mentioned this in the comments on Alex’s post on the David Gregory thing, but it’s worth a post on its own. Aaron Swartz, who helped invent the RSS at age 14, founded Reddit and played a key role in the COICA/SOPA/PIPA fight, committed suicide this weekend:

He was a Harvard University fellow studying ethics when he was charged in 2011 with stealing nearly 5 million articles from a computer archive at the Massachusetts Institute of Technology.

He faced 13 felony charges, including wire fraud, computer fraud and unlawfully obtaining information from a protected computer. Prosecutors said he intended to distribute the articles on file-sharing websites.

Swartz pleaded not guilty, and his trial in federal court was scheduled to begin next month. If convicted, he could have faced decades in prison and steep fines.

So what were these crimes? The first was that he accessed the PACER online court records system, downloaded about 20% of it and posted it online. The FBI investigated but didn’t charge him. That in itself was ridiculous. Swartz didn’t “hack” anything. He created a program to download public records. Universities and law firms pay a fee to access PACER but that fee is is of dubious legality for access to public records that are, in no way, private. But by bypassing the system, he annoyed some people.

The current prosecution was for accessing JSTOR, which stores academic journals, using a laptop connected to MIT’s network. He was charged with all kind of hacking-related charges, but the reality is a a little different says an expert witness:

I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.

The facts:

MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.

In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.

At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.

Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.

Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.

The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.

JSTOR — you remember them? the victims? — declined to pursue charges. The professors whose articles were on JSTOR are now posting the articles online as a protest. Even the journals can’t care since they only bought one-time rights. MIT declined to press charges on trespassing (possibly the only crime committed) but was unclear on other charges. That was just the opening the federal prosecutor needed to go after someone who’d pissed off the wrong people. Greenwald:

Swartz never distributed any of these downloaded articles. He never intended to profit even a single penny from anything he did, and never did profit in any way. He had every right to download the articles as an authorized JSTOR user; at worst, he intended to violate the company’s “terms of service” by making the articles available to the public. Once arrested, he returned all copies of everything he downloaded and vowed not to use them. JSTOR told federal prosecutors that it had no intent to see him prosecuted, though MIT remained ambiguous about its wishes.

But federal prosecutors ignored the wishes of the alleged “victims”. Led by a federal prosecutor in Boston notorious for her overzealous prosecutions, the DOJ threw the book at him, charging Swartz with multiple felonies which carried a total sentence of several decades in prison and $1 million in fines.

Lessig:

From the beginning, the government worked as hard as it could to characterize what Aaron did in the most extreme and absurd way. The “property” Aaron had “stolen,” we were told, was worth “millions of dollars” — with the hint, and then the suggestion, that his aim must have been to profit from his crime. But anyone who says that there is money to be made in a stash of ACADEMIC ARTICLES is either an idiot or a liar. It was clear what this was not, yet our government continued to push as if it had caught the 9/11 terrorists red-handed.

The result of this “theft” was an 18-month prosecution, decades in potential federal prison time and relentless financial pressure. They made sure they drained whatever financial resources he had and forbad him for getting money from elsewhere. These things did not “cause” Aaron’s suicide, per se. He clearly had other issues. But they certainly didn’t help.

Lessig’s penultimate paragraph is also worth savoring:

That person is gone today, driven to the edge by what a decent society would only call bullying. I get wrong. But I also get proportionality. And if you don’t get both, you don’t deserve to have the power of the United States government behind you.

For remember, we live in a world where the architects of the financial crisis regularly dine at the White House — and where even those brought to “justice” never even have to admit any wrongdoing, let alone be labeled “felons.”

And that’s the point. We have given the federal government far too much power to harass, intimidate and bankrupt anyone they’ve decided they don’t like. Swartz’ case was not unusual; it’s standard operating procedure. Silvergate’s excellent book Three Felonies a Day catalogues case after case where this sort of thing has happened. One of the favored tactics is to cut people off from real legal help. Businesses are allowed to escape prosecution if they cut some token targets lose. Forfeitures laws are used to prevent assets from being used to procure competent legal help. Even legal defense funds are attacked.

I’m not a conspiracy-minded person. I don’t think they singled out Swartz because of his activism, per se. But I’m sure it didn’t help. I’m sure that when an overzealous ambitious prosecutor saw a chance to take down someone prominent who was annoying the government … well she had the tools to do it.

Read the links above. Read Patterico. And realize that this could be any of us.