It's a bad time to be a hacker in the United States

By Adrian Lamo , written on January 17, 2013

From The News Desk

To many, a hacker is anyone who does something with a computer that is not trivially understood. To law-enforcement and the criminal justice system, a hacker is someone who commits a computer-involved crime. But in the eyes of the Hacker Ethic, a kind of best practices guide for hackers, Aaron Swartz was a hacker's hacker. If he committed any intrusion – and it's not clear he did – it was for old-fashioned hacker values like freedom and decentralization of information, open access to learning, and the belief that technology and computers can change the world and the people in it for the better.

Yet in the view of US Attorney Carmen M. Ortiz, whose office handled his case, Swartz's vision of open access was tantamount to theft. "Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data, or dollars," Ortiz once said, demonstrating the willful subjugation of logic to policy with which the Department of Justice approaches computer-involved cases.

Of course, despite this statement, Ortiz could not have failed to realize that when Swartz walked out of MIT with his hard drive, not one thing of value had been lost to anyone.

I think we can agree that a download is not armed robbery, a point the DOJ appears to concede, but in the most unfortunate way. Under federal sentencing guidelines a person who procures nuclear material for a designated terrorist organization faces a 20-year maximum sentence. A bank robber who uses force or intimidation likewise faces a maximum of 20 years in prison, and the penalty rises only to 25 years if the robber assaults or threatens the life of an innocent party. Meanwhile, Swartz faced a maximum of 35 years.

And while no charges were brought in one of Swartz's previous efforts at information liberation -- in that case, downloading free legal opinions from federal systems through a law library, which earned him the ire of the FBI -- a casual observer might be forgiven for thinking his charges might have been crafted with a mind towards punishing both courses of conduct.

To put this into some kind of perspective, if Swartz had committed violent battery of a Supreme Court justice or a member of Congress he would have faced, at most, a year locked up in the pen -- as long as he didn't use a deadly weapon. Obviously Ortiz's comparison of code and crowbar doesn’t hold up. The law seems to have a distinctive pro-crowbar bias where instrumentalities of theft are concerned.

I speak from personal experience. In my previous life, I was an itinerant computer hacker, breaking into corporate networks, and offering to fix their vulnerabilities free of charge. In 2004, I was convicted of breaking into the computers of Microsoft, LexisNexis, and the New York Times, and was sentenced to six months house arrest, two years probation and ordered to pay restitution of $65,000.

The key difference is, I accepted responsibility for my actions, because I wished to take responsibility for what I had done. In my view, Swartz had no crime to take responsibility for. I've also worked the other side of the fence, working with law enforcement and the US Government on computer-involved national security issues, most notably in the apprehension of Bradley Manning for leaking military and diplomatic secrets to Wikileaks. I doubt anyone would step forward to claim I'm soft on the subject of serious computer-involved crime at this point in my life.

With regards to my network intrusions (I avoid using the word "hacking" or "hacker" for myself due to the controversial definitions), by today's standards, I got off lucky. Over the years, prison sentences for hacking-related crimes have gotten more draconian.

In the mid-80s, Robert Tappan Morris received three years of probation for coding a computer worm that bogged down the entire then-nascent Internet. In the early 90s, Kevin Poulsen served 51 months. Later that decade Kevin Mitnick, whose case many consider a defining example of hacker overprosecution, served 68-months in prison. By 2004, Lowes hacker Brian Salcedo was sentenced to 108 months and in 2010 and 2012, hackers Max Vision and Albert Gonzalez were sentenced to 13 and 20 years, respectively. This showed no signs of being the high-water mark.

In light of this trend, by 2013, it may not have been unreasonable for Aaron Swartz to fear for his future. Hacking is a much different proposition in today's United States than it was 10 years ago. But these more severe criminal penalties have done nothing to deter computer crime, which is more problematic than ever. What they have done is squelch legitimate researchers who are forced to consult attorneys, lest they accidentally run afoul of the law.

And while Swartz had been offered a plea agreement, to say that he should have taken it and served a putative minimal sentence is a deceptively simply analysis. Yes, six months might seem like a good deal compared to 35 years. All it would have taken on Swartz's part was the repudiation of the beliefs that defined his life, the assertion that his efforts to propagate information and evangelize open access were not only not beneficial, but in fact criminal and wrong, and an apology for how he lived his life. Facing that kind of personal compromise, it would be simplistic to believe that there were any easy choices.

It’s a bad time to be a hacker in the United States, even as the United States needs hackers more than ever. It even threatens our national security. As a nation we face global hacking threats from China, Russia, former Eastern Bloc nations, and Iran, yet our laws discourage those who could help protect us -- and our critical computing infrastructure.

This is not the position of someone who wants to give hackers free rein on private networks. It is the position of someone who believes that when an act no more harmful than putting a computer in a closet and downloading free articles can result in a dozen felony charges, the law is no longer something that is written for all, but which is tailored according to the whims of prosecutors to fit their view of the intended culprit, not to fit the crime.

This is not the time to fall further behind in the hacker arms race, any more than the 1950s would have been a practical time to high-handedly dismiss the prospect of aerospace superiority because of a grudge against Wernher von Braun and the other former German rocket scientists who made it possible. Our laws must be able to discern between crimes of malice and the transgressive but well-intentioned curiosity of the sort Aaron Swartz exhibited, so that future issues which might have been resolved with a trespassing citation don't snowball into disproportionate vendettas by out-of-control prosecutors who seem more interested in “winning” a high-profile case than in furthering the interests of justice.

Swartz’s death has the makings of a turning point, and while such moments often come in ways least desired, they are most badly needed. A law becomes unjust when a person of ordinary -- or even extraordinary -- intelligence cannot readily predict what charges might arise from a given activity. By all appearances, such was the law for Aaron Swartz.

[Disclosure: The writer is a convicted computer hacker.]

[Image courtesy Vectorportal]