On the overzealous prosecution of Aaron Swartz
Many of us who view the Web as a second home have been in collective mourning over the suicide of Aaron Swartz, a 26-year-old Internet prodigy whose contributions include early standards for the RSS protocol, the website framework web.py, the architecture for the Open Library, and Reddit, through its merger with his startup Infogami. Swartz was a freedom of information absolutist who believed information should be spread, not imprisoned behind paywalls. He regularly used his computer savvy to promote these views, which led to run-ins with the law.
Much of the blame for Swartz’s tragic and unnecessary death has been laid at the feet of federal prosecutors, who went after Swartz for covertly downloading millions of public-domain academic journal archives on the MIT campus from non-profit university research portal JSTOR. In a statement Swartz’s family claimed “Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach.” Harvard professor and legal scholar Lawrence Lessig called the prosecutor a “bully [who was waging] war against the ‘criminal’ who we who loved him knew as Aaron.” Notorious hacker group Anonymous wrote, “The government’s prosecution of Swartz was a grotesque miscarriage of justice, a distorted and perverse shadow of the justice that Aaron died fighting for."
It’s not clear whether Swartz broke any laws, and in his mind he wasn’t stealing but rather “liberating” the database. JSTOR was not typically free to individuals – it cost $0.10 per page to access – but the MIT library was providing free access to anybody on campus, including to visitors with no affiliation to the university. (Swartz was a Harvard fellow.) Initially he made several relatively tame attempts to download mass quantities of archived documents over Wi-Fi, but was rebuffed by system administrators once the scale of his intentions became clear. Swartz then escalated his efforts by hiding a laptop in an “unlocked wiring closet” in the library’s basement, plugging into a main building switch and assigning himself an unblockable IP address. It took university officials three months to find the hidden computer and determine who owned it.
This was not the first time Swartz’s information liberation tendencies ran him afoul of the law. Before the MIT and JSTOR incident, the hacktivist was previously investigated by the FBI for downloading millions of legal documents from a similar archive system called PACER during a brief 2008 free trial period. Though he escaped charges related to the PACER stunt, he was indicted in the MIT incident for wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer – charges which carried a maximum penalty of up to 35 years in prison and a $1 million fine. When Swartz’s lawyer attempted to reach a plea bargain, the prosecutors said that Swartz would first have to plead guilty to every count and serve prision time. Many close to Swartz have said the stress of the ongoing legal battle had taken a heavy toll.
There remains doubt that his actions were anything more than “inconsiderate.” Both MIT and JSTOR deliberately took steps to enable mass downloads of journal archives, according to defense expert witness and partner at security firm iSEC Partners Alex Stamos:
Even Congress agreed with Swartz that public information should be accessible to all. Legislators passed the E-Government Act of 2002, which made it so that the court's price for accessing information within the PACER legal database – a government database comparable to JSTOR – must be limited to the cost of providing that information. In 2010, research by a Princeton professor revealed that the cost of supporting PACER was $25 million per year while users paid $90 million in fees to access the system – $65 million more than “the cost of providing that information.” While similar income and expense data is not available for the JSTOR database, both systems charge $0.10 per page. JSTOR is not subject to the E-Government Act, which applies only to government databases, but as a purveyor of public information, its pricing practices would seem to violate the spirit of the congressional act nonetheless.
MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. ... In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much to us...
At the time of Aaron's actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT's huge 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior...
Aaron did not ‘hack’ the JSTOR website ... Aaron did nothing to cover his tracks or hide his activity ... The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT...
For what it's worth, law professor, writer, and scholar Orin Kerr, disagrees with Stamos, writing:
I think the charges against Swartz were based on a fair reading of the law. None of the charges involved aggressive readings of the law or any apparent prosecutorial overreach. All of the charges were based on established caselaw...
My conclusion, at least based on what we know so far, is that the legal charges against Swartz were pretty much legit. Three of them are pretty strong; one is plausible but we would need to know more facts to be sure...
Of course, there may have been reasons not to charge Swartz even though he had violated these statutes or to offer him a lenient plea. ...But to the extent we’re focused on just what the law is, I think that what Swartz was alleged to have done fits pretty well with the charges that were brought. JSTOR eventually dropped its civil claims against Swartz, as did MIT, however the university encouraged a criminal prosecution by the US Attorney for Massachusetts. In a public letter following Swartz’s death, MIT President L. Rafael Reif wrote:
It’s hard to reconcile the actions of federal prosecution with Swartz’s crimes – if you want to call them that. Despite the contention of the prosecution, who state in their indictment that the defendant “intentionally accessed a protected computer without authorization, and as a result of such reckless conduct caused damage to MIT and JSTOR,” Swartz’s crime was one of excess more than anything. No one was hurt. No one lost access to the articles. (System administrators did briefly shut down the network out of confusion over what was occurring.)
I want to express very clearly that I and all of us at MIT are extremely saddened by the death of this promising young man who touched the lives of so many. It pains me to think that MIT played any role in a series of events that have ended in tragedy...
Now is a time for everyone involved to reflect on their actions, and that includes all of us at MIT. I have asked Professor Hal Abelson to lead a thorough analysis of MIT's involvement from the time that we first perceived unusual activity on our network in fall 2010 up to the present.
Despite this, prosecutors treated him as if he were an armed bank robber who had taken hostages. The fact the case was a federal matter was based on a trivial technicality: the JSTOR servers were located across Massachusetts state lines. Yes Swartz avoided JSTOR and university attempts to block him from the network, but he didn’t destroy data or sell anything he copied. Yet, he faced 35 years in jail, while the average sentence for manslaughter in the US is less than half that.
The wire fraud and computer fraud laws under which Swartz was being prosecuted are not wholly useable in today’s world of cloud databases, peer-to-peer networks, and a Web-dominated society. The government tends to be very hard on “computer criminals,” far more so than they are with white collar criminals. Sadly, the application of old statutes incompatible with new Web behavior is as much to blame in this situation as any individual involved in the case.
The charges against Aaron Swartz were overzealous, perhaps reckless. That this case resulted in an unnecessary loss of life is tragic. That it could have been avoided is too much for words. None of this Monday morning quarterbacking can turn back the events of last Friday, nor those of the last several years.
Hopefully, though, a frank and honest look at what transpired might somehow prevent future tragedies.
Update: Shortly after publishing this piece, PandoDaily learned that the U.S. District Court in Massachusetts has officially dismissed the case against Swartz. "In support of this dismissal, the government states that Mr. Swartz died on January 11, 2013," wrote Carmen Ortiz, US attorney.