New Charges Against Aaron Swartz

by Henry on September 19, 2012

Detailed here at Wired.

Federal prosectors added nine new felony counts against well-known coder and activist Aaron Swartz, who was charged last year for allegedly breaching hacking laws by downloading millions of academic articles from a subscription database via an open connection at MIT. … Like last year’s original grand jury indictment on four felony counts, (.pdf) the superseding indictment (.pdf) unveiled Thursday accuses Swartz of evading MIT’s attempts to kick his laptop off the network while downloading millions of documents from JSTOR, a not-for-profit company that provides searchable, digitized copies of academic journals that are normally inaccessible to the public. n essence, many of the charges stem from Swartz allegedly breaching the terms of service agreement for those using the research service.

“JSTOR authorizes users to download a limited number of journal articles at a time,” according to the latest indictment. “Before being given access to JSTOR’s digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR’s computer servers with automated programs such as web robots, spiders, and scrapers. JSTOR also uses computerized measures to prevent users from downloading an unauthorized number of articles using automated techniques.”

MIT authorizes guests to use the service, which was the case with Swartz, who at the time was a fellow at Harvard’s Safra Center for Ethics. The case tests the reach of the Computer Fraud and Abuse Act, which was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company’s computer usage policy, a position a federal appeals court in April said means “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” The 9th U.S. Circuit Court of Appeals, in limiting reach of the CFAA, said that violations of employee contract agreements and websites’ terms of service were better left to civil lawsuits. The rulings by the 9th Circuit cover the West, and not Massachusetts, meaning they are not binding in Swartz’ prosecution. The Obama administration has declined to appeal the ruling to the Supreme Court.

Notorious lefty rabble-rouser Orin Kerr wrote an op-ed last year about the crazy ways in which federal prosecutors were interpreting the CFAA.

The problem is that a lot of routine computer use can exceed “authorized access.” Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include “terms of use” violations and breaches of workplace computer-use policies. Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like. Imagine the Democratic Party setting up a public website and announcing that no Republicans can visit. Every Republican who checked out the site could be a criminal for exceeding authorized access.

If that sounds far-fetched, consider a few recent cases. In 2009, the Justice Department prosecuted a woman for violating the “terms of service” of the social networking site MySpace.com. The woman had been part of a group that set up a MySpace profile using a fake picture. The feds charged her with conspiracy to violate the Computer Fraud and Abuse Act. Prosecutors say the woman exceeded authorized access because MySpace required all profile information to be truthful. But people routinely misstate the truth in online profiles, about everything from their age to their name. What happens when each instance is a felony?

I’d be startled if there is a single US-based Crooked Timber reader out there who hasn’t committed this ‘felony’ at some point. Aaron is a friend of Crooked Timber, and a personal friend of mine (if there is some fundraising for his defense, I will very possibly be involved). He is also someone who has given freely to a wide variety of good things and useful causes (not only lefty ones - I’m writing this post in Markdown, a markup language that Aaron helped create; anyone who has ever used an RSS feed also owes him a debt). This means that I feel particularly strongly about this travesty of abuse of prosecutorial discretion. But even those who don’t know Aaron should recognize that this is an outrageous assault on basic civil liberties, and the ability to use the Internet as you want to, not as corporate entities dictate. Those who agree, and who have access to some kind of public platform, or otherwise can exert influence should do what they can to push back against this.

Update: those who want to donate should do so at http://free.aaronsw.com.

{ 74 comments }

1

Guan Yang 09.19.12 at 3:37 pm

There is such an effort!

2

Navin Kumar 09.19.12 at 3:45 pm

So… everyone violates the terms and conditions, but they only get invoked when someone downloads millions of documents. Am I the only one who looks at this and thinks ‘these institutions work better than I expected’?

3

rea 09.19.12 at 4:09 pm

” In 2009, the Justice Department prosecuted a woman for violating the “terms of service” of the social networking site MySpace.com. The woman had been part of a group that set up a MySpace profile using a fake picture. The feds charged her with conspiracy to violate the Computer Fraud and Abuse Act. “

Orrin Kerr should have said a bit more about the facts of this case, which involved a couple of adults pretending to be a teenage boy in order to bully a 13-year old girl, who eventually committed suicide. The jury convicted, but the judge threw the conviction out after trial.

The point is, the statute is very badly drafted, and catches a bunch of conduct that shouldn’t be criminal. Nevertheless, there is a core of conduct here that I have little doubt is appropriately made criminal.

As for Aaron Swartz (who I have encountered online and who seems like a decent guy) it seems to me that downloading a few million articles from a subscription-only database is something that could properly be criminalized in a sensibly-drafted statute.

4

Warren Terra 09.19.12 at 4:48 pm

I’m with #2. Mr. Swartz seems to have noble motivations, to be a genuine idealist and a very interesting person. As you note, he has made significant contributions to society. I have no legal knowledge, nor can I weigh in on the precise prosecutorial tactics used to pursue him. But it is just completely beyond clear that he misused MIT resources in order to violate JSTOR’s terms of service and obtain vast quantities of copyrighted material, whose copyrights he had unilaterally decided should be nullified. As someone who appreciates the ability to use JSTOR, I do not appreciate the threat to JSTOR posed by people who would deliberately misuse it.

I don’t know what punishment he faces, nor do I have any real idea what punishment is appropriate. It is quite possible that when I hear more about this question I will be shocked and be more sympathetic to Mr. Swartz. But until that day, I find these special pleadings on his behalf, which ignore what he actually did, to be obnoxious.

I would happily donate to a legal mitigation fund for Mr. Swartz, seeking to minimize his punishment. But so long as he refuses to portray his actions as being consciously illegal acts of civil disobedience and continues to pretend to actual innocence, I don’t understand how people can take his side and back a legal defense fund.

5

Sebastian H 09.19.12 at 4:52 pm

Rea, I agree that both cases have a core of conduct that could be made appropriately criminal, but using ‘violation of terms of service’ as the hook to do so is about as over broad as could be possible without skipping straight to ‘if you are breathing’.

TOS violations run an incredible range. The system is way out of balance if the question of whether or not obscuring your identity on facebook counts as a felony charge (with length of prison time available based on terrorism rhetoric in the legislature) based only on whether a prosecutor wants to threaten you or not. If we give up this tool to discrectionary enforcement, it seems much more dangerous to average citizens than RICO for example.

6

Fr. 09.19.12 at 5:06 pm

I resent law that proceeds with no criminal intent. I cannot figure out what Aaron Swartz was doing (any details on that part?), but my bet is on scraping for academic research, in which case he is not undermining JSTOR’s mission but bringing it to life.

7

Henry 09.19.12 at 5:07 pm

Warren – I am not going to get into what he did, or what he did not do, because (a) I do not have any specific knowledge of it (I have, for the obvious reasons, not discussed the facts of the case at any point with him), and (b) because I have reasonable grounds to fear that statements suggesting that he did do _x_ or _y_, whether to condone, explain, condemn or whatever, could be used in unpredictable ways. Not addressing the facts of the case is not a form of special pleading. It is a necessary corollary of a criminal justice system in which prosecutors have every incentive to use statements (including, very possibly, statements from people only tangentially involved such as myself) in extremely unpleasant ways, in order to try to secure convictions that will likely result in decades of time spent in prison (which answers your question about ‘what punishment’ I think). I think your interpretation is really quite mistaken here, and I suspect, if you think things through, you’ll see why.

8

Chris Bertram 09.19.12 at 5:57 pm

Do US prosecutors not have to determine that a prosecution meets a public interest test, as British ones do?

9

Peter Hovde 09.19.12 at 6:20 pm

Chris-Bertram-no they do not.
Navin Kumar # 2-Precisely! Let them criminalize vast swaths of conduct (and not just with fines-we’re talking potentially serious prison time here) and then choose which people to actually prosecute. I know I trust the authorities-it’s not like they would use the Espionage Act to punish whistleblowers or anything.

10

L2P 09.19.12 at 6:20 pm

“Do US prosecutors not have to determine that a prosecution meets a public interest test, as British ones do?”

Not really. Prosecutors have an ethical duty:

(1) As all attorneys, to zealously advocate their client’s position (in this case, the United States; generally, the People in general), while at the same time

(2) Maintaining their duty to “do justice” by appropriately exercising prosecutorial discretion, as attorneys representing not just the “prosecution” but “the People/the United States.”

Good prosecutors can run into some difficulties balancing these duties, and there’s a lot of interesting scholarly articles ethical debates (and probably a scholarly article) over what we should do in different and interesting situations. Bad prosecutors just go for the win.

11

Phil 09.19.12 at 6:49 pm

The tone of this post rubs me up the wrong way, I have to say. My first impression, which the passage of time hasn’t changed, was that what he did was (a) wrong and (b) orders of magnitude larger in scale than your average TOS-violation.

On the other hand, it also sounds to me as if a criminal prosecution of any sort is overkill (let JSTOR sue), and the prospect of Aaron facing years of jail time is monstrous. So I think the OP’s correct tactically if nothing else – defence is the first priority.

I remember protests in the 1970s against abusive counter-terrorist policing and defence funds being raised for the people who got busted. We knew (or surmised) that some of those people almost certainly did some of what the police thought they did, but that wasn’t the point – if we sat back while the police kicked their door in on suspicion of terrorism, next time it might be your door they kicked in on suspicion of something else. Same principle here, more or less.

12

JW Mason 09.19.12 at 6:52 pm

If I’m correctly understanding Navin Kumar, rea, Warren Terra, etc., they like the idea of making anyone who uses a computer formally a felon, and trusting the prosecutors to decide who should actually go to jail. Judge Dredd, in other words. Now, me, I kind of prefer the rule of law. No accounting for taste, I guess.

13

Omega Centauri 09.19.12 at 6:55 pm

I can’t but think that “intent” should be very important here. If he was downloading ton’s of papers in order to distribute them, thats one thing. If he was using some sort of bot to implement a meta-study that actually needs to scan large numbers of papers, that ought to be a legitimate (if unanticipated) use.

14

Warren Terra 09.19.12 at 7:00 pm

@#12 JW Mason
You ask yourself whether you have understood correctly. I think that you have answered your own question. In general, if your theory is predicted on the premise that your interlocutors are cartoonishly evil and incomprehensibly stupid, you might want to rethink your premise. Or, heck, call people names instead.

15

piglet 09.19.12 at 7:44 pm

[comment from banned commenter deleted]

16

JW Mason 09.19.12 at 7:49 pm

But Warren, I know something about prosecutors. I’ve spoken with a couple, and I see how they talk in public. From their point of view, they never have enough discretion. A lot of them really do want to be Judge Dredd. So in general, I’m quite sure the attitude I’m describing is held by real people. On rereading your comment, though, I probably should not have lumped you in with them. Sorry.

17

Salient 09.19.12 at 8:00 pm

The “www dot” part at the beginning of that donation page link should be deleted, it misdirects you to one of those creepily incoherent placeholder sites. I put the correct link in as my name link for this comment, since maybe the in-comment HTML was adding the www or something like that.

18

ogmb 09.19.12 at 8:47 pm

Maybe the WIRED article is not factually accurate for the case at hand, but if a hypothetical individual engaged in the conduct described in the article I’d have a hard time seeing that as a mere violation of JSTOR’s terms of service. Not many people inadvertently spoof MAC addresses dynamically and accidentally access networks from which they got booted previously.

19

leederick 09.19.12 at 9:37 pm

I don’t think federal prosecutors are interpreting the CFAA in a crazy way. “Unauthorized access” is a concept deliberately designed to criminalize activities which go against the whims of employers and computer owners. It is, essentially, backing up internal control policies with the force of criminal law. If employers thought they could get away with putting through a law criminalizing people for looking at things they weren’t supposed to in filing cabinets, they would.

20

L2P 09.19.12 at 10:33 pm

“However, giving false information on such a form is a crime regardless of intentionality and regardless of whether any harm was caused or not.”

Generally, forms are signed under penalty of perjury and so the only criminal liability results from knowingly providing a false statement. If the declarant doesn’t know that the statement is false, then the statement isn’t perjured – it’s just wrong.

There is also a materiality requirement. If the statement wasn’t material, it’s not perjured. For example, if in a police report I ask you a bunch of stuff and one of them is where did you go to elementary school, and you knowingly say “Yale,” but it doesn’t matter, and you then sign that your statement is given under penalty of perjury, it’s probably not a criminal issue.

However, some forms can be infracted based on no knowledge of their falsity. I don’t know for sure for immigration, but I’d be shocked if they were. I think they’re signed under penalty of perjury. AFAIK, the usual “punishment” is that a false statement will prohibit immigration status.

21

Salient 09.20.12 at 12:18 am

Isn’t the governing issue here about whether certain kinds of (mis)behavior are more properly the domain of criminal law or civil law? We can be agnostic about whether ‘offences were committed’ and still feel strongly that this ought not be a matter for criminal law. And that feeling’s not without its judicial allies–

The 9th U.S. Circuit Court of Appeals, in limiting reach of the CFAA, said that violations of employee contract agreements and websites’ terms of service were better left to civil lawsuits.

I dunno, it makes sense to me. Is anybody saying that opinion is unreasonable, or that it shouldn’t apply to the charges we know about, or…?

22

ogmb 09.20.12 at 6:01 am

@Salient, I think what various commenters here saying is that absent an idea of what actually happened it is impossible to determine whether the only misbehavior is a violation of the TOS, or if there is more to it. If I buy a ticket to the Louvre and walk out with the Mona Lisa under my arm I’m “violating the TOS” of the Louvre, but I understand if there is also a public interest to prosecute me.

From what I was able to piece together, it SEEMS that Jstor has a bundle of articles which lapsed into the PD, but which, as of 2011, it kept behind their paywall. Swartz, while at Harvard, used his courtesy account at MIT to “liberate” those. Jstor got wind of this and complained to MIT, which in turn kicked Swartz of its network. So far we’re still roughly within the realm of National Portrait Gallery v Coetzee, minus the international component. Now it seems as if Swartz did not let it rest but used a variety of subterfuges (vulgo: “hacking”) to get back onto the MIT network. This got the prosecutors on the plan, even if MIT and Jstor don’t seem to have an interest in pursuing the matter in civil court.

So there seem to be two issues at stake here, and neither in my book look very favorable for Swartz, but they give different answers regarding the prosecutor’s actions.

One is Jstor vs Swartz. It might be assholey of Jstor to charge for PD material, but it is perfectly legitimate. They put effort into scanning those articles using their special software and they want to be compensated for it. If you don’t like this, climb down into the stacks and make your own copy. But they cannot rely on copyright law to enforce this, so they create a contractual arrangement to prevent their documents from leaking, and Swartz (as we all) agreed to that contract when he started downloading articles from Jstor. Now this arrangement goes quite a bit beyond the website TOS the NPG invoked against Coetzee, but I can follow arguments which say this should be handled in civil court.

The other one is MIT vs Swartz. I’m sure there is a stipulation that makes violating Jstor’s TOS also a violation of MIT’s TOS, and I’m also very sure that MIT has all kinds of provisions against hacking into their network, but what exactly Swartz’s contractual relationship with MIT is isn’t quite clear here.

So there might be all kinds of circumstances that speak in Swartz’s favor (his actions were of “activist” nature, Jstor followed suit in making some of their PD material freely available, MIT and Jstor don’t seem to be interested in pursuing this, etc.), but what I don’t see here is how the prosecutors use an overly broad CFAA to hassle Swartz for something entirely different, or even that all Swartz did was simply ignore a website TOS. But then again finding a factual account that isn’t clouded by advocacy isn’t easy, so the actual story might be very different.

23

rea 09.20.12 at 10:56 am

<i"If I’m correctly understanding Navin Kumar, rea, Warren Terra, etc., they like the idea of making anyone who uses a computer formally a felon, and trusting the prosecutors to decide who should actually go to jail"

JWMason, you have manged to read my comment exctly contrary to what it actually means. Congratulations.

24

derrida derider 09.20.12 at 12:38 pm

True, rea, you argued for a “properly drafted statute” to criminalise Swartz’ behaviour rather than leave it to entrepreneurial prosecutors under a catchall statute. JW pinged Navar correctly though.

But I really don’t agree with you anyway – this seems to me a classic civil tort. Let JSTOR get some recompense for the damage done to them. Hell, even add some exemplary damages if you must. But the People, as distinct from JSTOR, has not much of a dog in this fight.

25

Pipie314 09.20.12 at 1:05 pm

Aren’t badly written laws that over–criminalise behaviour a feature not a bug for the politically well connected, because only certain people/crimes get prosecuted?

26

L2P 09.20.12 at 5:19 pm

“But I really don’t agree with you anyway – this seems to me a classic civil tort. Let JSTOR get some recompense for the damage done to them. Hell, even add some exemplary damages if you must. But the People, as distinct from JSTOR, has not much of a dog in this fight.”

“Aren’t badly written laws that over–criminalise behaviour a feature not a bug for the politically well connected, because only certain people/crimes get prosecuted?”

I can’t follow the chain of thought in these two comments are in the context of criminal justice theory. The reason we want The People, and not individuals, in charge of enforcing this behavior is that regardless of your beliefs about the corruption of the criminal justice system by the politically and monetarily powerful and the other evils inherent in the system, at least it’s a “system.”

A rich entity can ALWAYS enforce a law through civil enforcement; it’s the poors that need The People to help them out. Absent some criminal enforcement, it’s you and me that can’t protect our computers, not Bank of America. Patent enforcement is a good example; there’s criminal laws, but the RIAA would rather just drop $500,000 judgments on teenagers. Because they can – they’ve got tons of money, and then they don’t have to listen to prosecutor to say, “Really? You want me to file a 1,000 count indictment against a cheerleader?”

Also, I’m not sure where all the angst about section 1030 is coming from. Prof. Kerr knows that the law doesn’t apply the way he claims it does – he LITIGATED the Drew case, after all. The Court specifically held that a “conscious violation of a website’s terms of service” [b]is not a crime[/b] under section 1030. You literally are not liable for going to Match.com and saying you’re 30 instead of 45 – that’s literally the holding of the court; that isn’t “intentional unauthorized access.” It’s all in the case. And in Nosal. Clarity Systems too. It’s not like ANY cases disagree here, because they don’t; I can’t think of a single case where there’s been liability until after a provider has sent specific notice of termination of use. I can understand being against 1030, but not because of people being scooped into criminal liability for errors in accessing websites.

Swartz is potentially liable because he did MORE than that. He accessed the computers, was booted, accessed it again, was booted again, accessed it [b]again[/b] was booted again, then broke into a closet to access the computers [b]again.[/b] This potentially shows “intentional unauthorized access.” The Government has a case; this law is not a tragic misapplication of justice.

I’m sympathetic to anyone who has a friend accused of a crime, and of course the facts need to be litigated and the scope of the law is in dispute. But to argue that We Are All Swartz seems like hyperbole. It’s simply not true that “every reader of Crooked Timber” is a felon because we might have misstated something in a website application. That’s literally not the law.

27

piglet 09.20.12 at 8:46 pm

[comment from banned commenter deleted]

28

Stuart 09.20.12 at 10:27 pm

#22: If I buy a ticket to the Louvre and walk out with the Mona Lisa under my arm I’m “violating the TOS” of the Louvre, but I understand if there is also a public interest to prosecute me.

Theft is a crime, so punishing you for violating the TOS instead of using the actual exist laws that covers the crime you committed would seem bizarre. The same should be the case here – if he has committed actual crimes, charge him with them as appropriate, if not JSTOR can sue him for using too much bandwidth or messing with their system or whatever.

Computers are tools, like say a car – if someone deliberately drives into a pedestrian we charge them with murder, not improper use of a steering wheel. Equally there should basically be no computer crimes, instead already existing crimes should be prosecuted as normal whether the way they were committed happened to involve a computer or not.

29

Substance McGravitas 09.20.12 at 10:35 pm

Equally there should basically be no computer crimes, instead already existing crimes should be prosecuted as normal whether the way they were committed happened to involve a computer or not.

If I throw a brick through a window at a bank it’s vandalism, but if I can take down their computer system it feels like something different and larger. There are new things to deal with: what existing law covered making my computer a zombie to make it send spam, or to sell the rights to its zombiehood?

Not that I’m sympathetic to prosecution in this case.

30

Odm 09.21.12 at 5:13 am

Computers are tools, like say a car – if someone deliberately drives into a pedestrian we charge them with murder, not improper use of a steering wheel. Equally there should basically be no computer crimes, instead already existing crimes should be prosecuted as normal whether the way they were committed happened to involve a computer or not.

There are actually a whole bunch of laws specifically concerning driving.

31

engels 09.21.12 at 6:22 am

Computers are tools, like say a car – if someone deliberately drives into a pedestrian we charge them with murder, not improper use of a steering wheel. Equally there should basically be no computer crimes, instead already existing crimes should be prosecuted as normal

Oh dear.

32

Katherine 09.21.12 at 8:39 am

Okay, I’m not even clear what Schwarz was trying to protest here. The law criminalising extreme actions vis a vis terms of service (and from what I can read above, the case law is applying the statute that way, and in a common law system, case law is law just as much as the statute is)? JSTOR? MIT? Why JSTOR particularly? A combination of JSTOR and the law?

If sympathy and support is being asked for, then a break down of what one is supposed to be supporting and sympathising with would be useful.

33

L2P 09.21.12 at 4:11 pm

“Computers are tools, like say a car – if someone deliberately drives into a pedestrian we charge them with murder, not improper use of a steering wheel. Equally there should basically be no computer crimes, instead already existing crimes should be prosecuted as normal whether the way they were committed happened to involve a computer or not.”

Here’s a short list of just the common law crimes relating to theft:

1. Theft. A felony.

2. Fraud. A felony, but involves thievery through deception.

3. Armed Robbery. A felony, but involves thievery through force.

4. Burglary. A felony. Not necessary involving theft, but let’s assume it does here, and involves theivery after breaking into a building.

You see the point? We don’t just say “Well, the crime here is theft. Just charge the criminal with theft.” There’s LOTS of different types of theft. In my opinion, theft using a computer is different than shoplifting. Reasonable minds can differ.

34

Sebastian H 09.21.12 at 4:16 pm

This kind of case is exactly why so many people thought that Chris’s anti-rule-of-law-fetishists “http://crookedtimber.org/2012/08/02/badminton-taxes-regulation-and-the-peoples-justice/”>post was so troubling. Overcharging to apply inappropriate pressure for plea bargaining is routine. Overcharging to make an example is common. Overcharging just because the prosecutor can is normal. Stretching laws that seem balanced in one area into a crazy quilt of scary patchwork in another area just so you can ‘get’ somebody happens all the time, and then gets used as precedent to slap down normal people.

Something is wrong with the criminal system if we elevate ‘violation of terms of service’ to a federal felony crime. Trusting the discretion of prosecutors to use it in only appropriate cases, where they are really getting a bad guy, is uncharmingly naive.

In this particular case I suspect 3 factors:
1) legislators have no idea that violating terms of service means ANYTHING in that wall of text everyone clicks when installing or using any computer program or service.
2) prosecutors will seek more personal power at every turn
3) Swartz acted in a shady manner, doing something that lots of people will feel intuitively is not right, so of course some prosecutor is going to think he should pervert whatever tool necessary to punish him.

The weird thing about this case is NOT that it shows an odd level of prosecutorial overreach. The weird thing is that it is being used to punish an affluent white male.

35

Substance McGravitas 09.21.12 at 4:35 pm

Why JSTOR particularly?

Oodles of information here.

36

JW Mason 09.21.12 at 5:20 pm

JWMason, you have manged to read my comment exctly contrary to what it actually means.

On rereading, I see you are correct. I blame the bourbon.

But in my defense, I do think the thought it seems to me that downloading a few million articles from a subscription-only database is something that could properly be criminalized in a sensibly-drafted statute can plausibly be understood to continue “… so it’s ok to go over him with whatever tools are at hand,” as opposed to what I realize now you intended, “… so there’s no need to rely on prosecutorial discretion.”

37

Salient 09.21.12 at 5:32 pm

Swartz acted in a shady manner, doing something that lots of people will feel intuitively is not right, so of course some prosecutor is going to think he should pervert whatever tool necessary to punish him.

You know, it would be nice if people would at least acknowledge the fact that JSTOR and MIT consider the issue to have been resolved already. I realize it’s not the primary issue under discussion, but it’s starting to feel like people are insinuating that MIT and/or JSTOR are supportive of the prosecution allegedly being conducted on their behalf. They are not, to wit:

“The charges are made all the more senseless by the fact that the alleged victim has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute.”

Now ok, I comprehend the argument that just because the victim refuses to press charges, doesn’t mean that charges should be withheld. Ok. There’s a public interest in enforcing law — so, for example, if you steal a TV from someone’s house and they tell police they don’t want to press charges, you should still be arrested and prosecuted and jailed for the theft, because hypothetically you might otherwise feel encouraged to go steal from someone who would mind and would want charges pressed. I comprehend this perspective.

It just feels super awkward when we’re enforcing a terms of service violation under criminal law, even though the allegedly injured parties feel the violation has been resolved and don’t want to press charges. Say what you will about the problems with assigning this category of conduct to civil law — piglet’s got a good point — at least in civil court if the offended party feels they’ve received adequate recompense prior to going to court, the case doesn’t proceed regardless.

Is this criminal prosecution really in the public interest? Is it essential to society that prosecutors retain the right to prosecute these types of offenses, even when the injured parties do not wish to?

38

L2P 09.21.12 at 5:34 pm

“In this particular case I suspect 3 factors:
1) legislators have no idea that violating terms of service means ANYTHING in that wall of text everyone clicks when installing or using any computer program or service.”

Well, maybe the legislators think that violating terms of service isn’t a crime because it’s not a crime?

The Courts have repeatedly – repeatedly – ruled that it takes more than simply violating the terms of service to be an intentional unauthorized access under 1030(a)(2). The Courts repeatedly – repeatedly ruled that was the intent of congress. It would be an abuse of prosecutorial discretion to go after somebody for saying they’re Joe when they’re name is Billy, or downloading a document against the rules. It’s not a crime under 1030 – it doesn’t show intentional misconduct under the statute.

What does it take?

It takes something like violating terms of service to download unauthorized documents, getting kicked off a system for violating those terms of service, then accessing the system AGAIN for downloading unauthorized documents, then getting kicked of the system AGAIN for violating the terms of service, then accessing the system AGAIN to download unauthorized documents, then BREAKING INTO A CLOSET to ACCESS THE SYSTEM AGAIN to download unauthorized documents- ALSO IN VIOLATION OF THE TERMS OF SERVICE.

Now, here, you have something that looks a lot like unauthorized access.

So are you planning on doing something like that? My guess is no. But if you do, why do you think Congress didn’t have somebody like you squarely in their sights when they criminalized “unauthorized access?”

39

Salient 09.21.12 at 8:21 pm

@L2P
Did our comments cross paths, or are you arguing that “unauthorized access” to a place should be prosecuted in cases even if the place that was unauthoritarily accessed does not wish to press charges?

If a friend breaks my window to get into my apartment, and I come home and call the cops saying “someone broke into my house!” but after I learn it was my friend I tell the cops hey look it’s ok and the matter is settled and there’s no reason to press charges, I understand that the cops are supposed to arrest that friend of mine anyway, because hypothetically I could have wanted to press charges, and as agents of the state they’re not responsible to me personally, but to every hypothetical victim of the action. The prosecutor might decide that my willingness to testify on the friend’s behalf indicates that B&E charges should be dropped–but they might also decide it’s in the public interest to press the case and make a point. That’s criminal law for you: an agent of the state decides whether or not the matter is settled, not the victim. It’s actually a good thing, broadly speaking, especially in assault cases where a victim might feel too intimidated to press charges or testify.

I can’t tell if you really feel that BREAKING INTO A CLOSET is one kind of thing that a prosecutor should pursue even when the closet’s own owner protests that they don’t want to see the person prosecuted. It’s a coherent perspective to me, even if it isn’t yours. But I should ask instead of presuming. You have a sense in your mind of what Aaron did, as a crime. Do you feel this is a crime not adequately addressed by existing laws against physical intrution into a space?

That physicality seems to be getting overplayed, IMO. In its absence, I may [..tries to remember statute of limitations info..] I may or may not have actually done something similar, dodging Internet use restrictions. Created “guest” account hithereimmaguest001, created a server entity, got booted. [The three-digit number was, in retrospect, unduly ambitious.] Created account hithereimmaguest002, created a server entity, soon enough, computer got booted. I was all the way to account hithereimmaguest017 when my computer 403’d and ceased to receive information from the outside world. Packed up computer, went to the next hotspot. Created account immadifferentguest001, set up a server… In my defense, I was a stupid kid. My “My money helped pay for this internet access so you damn well ought to let me use it” excuse was waxpaper-thin, given that in order to access the ‘net I had to agree to a block of text that told me, no hosting servers via our service! So what happened? I received what I presume was some form of C&D letter, threatening that “they” “were aware” of what I was doing, and if I didn’t stop trying to get around their user policy… they would eliminate my Internet access altogether. And I could face some vague unspecified academic penalty, .

This was aggravating!, insulting!, uncalled-for! unbelievable! …and was completely entirely exactly the way that this kind of end-user contract should be enforced.

Was I a pest? Yes. For good reasons? Nah. Quake is not a good reason to do anything. But did I cost the internet service provider any significant expense of time or money? …not really, no. Would they have been in the right to threaten to cut off the Internet line to me, or to so do? Absolutely. Would it make sense for a law to criminalize my (mis)conduct, so that I could face jail time for what I did? I’d say no…

40

L2P 09.21.12 at 8:41 pm

“Did our comments cross paths, or are you arguing that “unauthorized access” to a place should be prosecuted in cases even if the place that was unauthoritarily accessed does not wish to press charges?”

Yes.

“Would it make sense for a law to criminalize my (mis)conduct, so that I could face jail time for what I did?”

I’d think you’d probably agree it wouldn’t be cool for your neighbors to break the code to your wifi and steal your bandwidth (let’s say the boost all of it, because we’re making stuff up). I’m thinking you’d put up with it once or twice, but after Three Solid Months of lost service, you’d probably be annoyed. I bet you’d probably also feel like you don’t think you should be forced handle that by repeatedly kicking them off your server and threatening them with academic penalties.

I figure you probably think that, if that happened enough, you might. Just maybe. Perhaps. Call the police. And maybe it’d be nice if instead of them saying, “What? Bandwidth? Nobody’s hitting you or anything? OK, we’ll be out there in . . . 2015,” let’s say there actually are specific criminal statutes that somebody is violating, so they actually, specifically care.

But maybe not. Maybe you’d just go downtown, pick up a summons and complaint, and file a nuisance action against your neighbor, and six months later get to use the internet again.

Reasonably minds can differ.

41

bay of arizona 09.22.12 at 12:02 am

“I’d think you’d probably agree it wouldn’t be cool for your neighbors to break the code to your wifi and steal your bandwidth (let’s say the boost all of it, because we’re making stuff up). I’m thinking you’d put up with it once or twice, but after Three Solid Months of lost service, you’d probably be annoyed. I bet you’d probably also feel like you don’t think you should be forced handle that by repeatedly kicking them off your server and threatening them with academic penalties.

I figure you probably think that, if that happened enough, you might. Just maybe. Perhaps. Call the police. And maybe it’d be nice if instead of them saying, “What? Bandwidth? Nobody’s hitting you or anything? OK, we’ll be out there in . . . 2015,” let’s say there actually are specific criminal statutes that somebody is violating, so they actually, specifically care.

But maybe not. Maybe you’d just go downtown, pick up a summons and complaint, and file a nuisance action against your neighbor, and six months later get to use the internet again.

Reasonably minds can differ.”

I guess you didn’t read the part where JSTOR and MIT don’t support this?

42

Salient 09.22.12 at 12:32 am

L2P, I honestly cannot figure out how to read your comment. I will mention that you’re not describing anything like what Aaron did when you say “break the code to your wifi” in the hypothetical. What do you mean by this? I haven’t argued against a statute outlawing hacking, and Aaron has not been accused of hacking anything. Now, if you’re saying my hypothetical wifi router is an open public unsecured network, or that I did voluntarily give those neighbors my WEP2 password and permission to use it, then we’re in a comparable case, but you’re describing it weirdly.

Also. Is the police call part of the “we’re making stuff up” hypothesis that I am supposed to accept? Is the idea some kind of ad hominem, like, declaring that I’m the kind of person who would actually make that call? I feel like whatever it’s supposed to mean, you’re not acknowledging how absurd and incoherent that would be. Am I misreading? Not picking up on sarcasm?

I suppose next we’ll have to write a statute that assigns a year of jail to those dastardly kids who go and sit in my gazebo without my permission! They should just stay off my lawn!! It’s criminal trespass! C’mon, police, c’mon hurry up, drive here quick and arrest them before they run off! This is the fourth time they’ve sat in the gazebo in my backyard this month! What’s wrong with kids these days!!

…huh?

And maybe it’d be nice if instead of them saying, “What? Bandwidth? Nobody’s hitting you or anything? OK, we’ll be out there in . . . 2015,” let’s say there actually are specific criminal statutes that somebody is violating, so they actually, specifically care

I can’t figure out what you mean. It would be nice? That hypothetical sounds terrifying and awful. Am I actually supposed to like it? Are you saying that, given the comments I’ve made so far, I must be the kind of person who would support that kind of statute? Or is this some kind of sarcasm that’s going over my head? Or is the idea that I should like it, because sending my neighbors to jail for years is actually a coherent, rational, and proportional response to boosted wifi?

It sounds like the nonsense I hear from anti-abortion activists who don’t have a clue in their head what the criminal penalty for aborting one’s own pregnancy should be, and who aren’t willing to commit to a statement that concretely associates the act with a consequence they deem proportional.

Are you willing to commit to the following sentence? “Arrest, criminal prosecution, and years of incarceration is a proportional social response to someone who repeatedly boosts wifi off their neighbor’s public unsecured network, changing their computer’s name to dodge a blacklist.” And, given that you’re not willing to commit to that, why the fuck are we wasting time discussing weird hypotheticals in which I would?

43

Salient 09.22.12 at 12:40 am

I guess you didn’t read the part where JSTOR and MIT don’t support this?

No, that’s not it, notice I asked about whether the support of JSTOR and MIT mattered, and L2P responded that it didn’t. (That’s what the Yes. meant: yes, the state should prosecute unauthorized access even in cases where the accessed party doesn’t want to pursue the matter. I think. I think? But maybe I didn’t get what that was supposed to mean either. L2P is generally kind and thoughtful and this is probably just a case of something important going over my head.)

44

Phil 09.22.12 at 11:02 am

Salient: I’m very much in the “let JSTOR and/or MIT sue” school of thought on this one, and if it’s true that neither of them is particularly bothered (I can’t find a statement to that effect, but your google fu may be better) then a criminal indictment really is outrageous.

But I still don’t agree with the OP:

even those who don’t know Aaron should recognize that this is an outrageous assault on basic civil liberties, and the ability to use the Internet as you want to, not as corporate entities dictate

I’ll let ‘basic civil liberties’ go – I think it is fairly fundamental to the rule of law that a civil cause of action that’s been dropped shouldn’t get recycled as a criminal charge. But I can’t see any political case for doing what Aaron allegedly did, or for defending it – other than the (real and important) principle of defending one’s comrades, whatever crazy stunt they’ve got busted for.

45

Chaz 09.22.12 at 7:15 pm

Phil,

Maybe I’m misreading you, but he was certainly making a political argument. The argument is that scientific research (or perhaps all information) should be freely and publicly available, rather than kept behind copyright and paywalls.

I believe that statement was the whole point of the stunt, although I hadn’t heard the public domain angle before (I originally thought these were copyrighted works).

46

Chaz 09.22.12 at 7:50 pm

I agree that any damage to JSTOR should be a civil matter. I understand the argument, “But look how the civil courts have screwed up filesharing cases!” but it doesn’t really apply. The law on copyrights specifies super-excessive penalties and/or some doctrine is giving absurdly high estimates of harm caused. That just means we should fix that law and doctrine, not switch over to criminal law. Criminal law is capable of handing out excessive sentences as well, and there are plenty of prosecutors who would go after filesharers.

As for MIT, if MIT had formally told him he was no longer allowed to access their network (not just booted his computer by a technical means–I mean actually talked to him or sent him a letter; I don’t know if they did or not) and he wouldn’t stop, then they would be entitled to ask for police assistance. If MIT didn’t order him to stop or they did but they worked it out with him afterward then there’s no reason for police involvement.

I would say that some crimes should be prosecuted whether the victim wants to press charges, but only in certain cases: such as where there’s substantial danger of intimidation or if the crime harms the public generally. Misuse of a network is exactly the opposite–let the parties work it out unless one asks for help.

47

Phil 09.22.12 at 9:49 pm

he was certainly making a political argument

According to the indictment, what he was doing was knowingly taking large amounts of information past a corporate gatekeeper. He had a political argument to justify what he was doing, but it doesn’t seem like a political action.

For me it’s partly a matter of scale and partly one of tactics. In terms of scale, lots of people doing something illegal often (although not always) leads to the discovery that that thing should have been legal all along; one person doing something illegal hardly ever does, whatever justification they can cite. In terms of tactics, what’s likely to follow from an attack on JSTOR, of all people? Unintended consequences aren’t unknown in this area – in the UK we’ve recently seen how calls for open access could turn into advocacy of pay-to-publish schemes, which could have a serious chilling effect on new research. It just seems like an opportunistic, voluntaristic hack.

Aaron needs to be got off this charge and freed if it’s humanly possible. He also needs to rethink his tactics.

48

Chaz 09.22.12 at 10:31 pm

Someone above said that after Swartz’s action, JSTOR changed their policy and made many of the articles in question public. And of course even if they hadn’t, a humungous quantity of articles is now available through BitTorrent because Swartz put it there. So his action accomplished his goal both directly and through persuasion.

I don’t understand your distinction between a political argument and a political action. What Swartz did is very similar to an illegal protest march or a sit in. What would you call those?

49

Chaz 09.22.12 at 10:50 pm

Also I am prepared to defend (although not to participate in) well-intentioned acts of protest even if they are incompetently performed or tactically unsound. Most protests are not effective.

50

Phil 09.23.12 at 8:37 am

What Swartz did is very similar to an illegal protest march or a sit in. What would you call those?

If it was carried out by one person, I’d call it an ill-thought-out, voluntaristic stunt.

51

Matt 09.23.12 at 8:55 am

It seems plausible that Swartz is being pursued in this case as payback for his PACER liberation work: http://www.wired.com/threatlevel/2009/10/swartz-fbi/ That would explain why the government is so eager to prosecute despite a lack of will from JSTOR or MIT.

I have a more elaborate theory too, though little direct evidence for it. This could be another front in the war to enclose the digital commons.

In the US, digitizing public domain material doesn’t give you proprietary rights over those digital copies. Scanning an old public domain book and slapping on some OCR isn’t sufficiently transformative to birth a new copyright. Corporations seeking to profit by scanning and aggregating public domain works online, like Google does with Google Books, use other means to maintain their rents on material that should be shared freely.

Google couldn’t do Books without the cooperation of libraries. Participating libraries get copies of all the scan data from Google, and they have come together to form the HathiTrust as a permanent academic archive. The HathiTrust provides institutional members and the public with access to the public domain books that came from their shelves and were subsequently scanned by Google. They are also better about copyright clearance: they often check Library of Congress copyright renewal records to see if American works published between 1923 and 1963 are still under US copyright, rather than assuming that they all are, as Google does on the main Books site. But the public access is limited by contract: the agreement between Google and libraries requires that libraries not provide the public with any easy way to download entire volumes, and indeed take proactive measures to prevent systematic mirroring/aggregation. A private agreement like this that goes well beyond statutory copyright, enforced on the public through Terms of Service, exposes an outsider to federal prosecution if she tries to build another digital library from public domain works scanned by Google. Oddly, Google Books itself often allows the public full-volume PDF downloads of public domain works, but partner libraries are prevented from doing the same; perhaps it’s to entice visitors to keep coming to Google Books instead of alternatives from the partners.

Google isn’t the only company trying to extract ongoing rents from the public domain. Elsevier, Springer-Verlag, and even the professional societies who now make a lot of revenue from publications (e.g. the American Chemical Society) all sell scanned back catalog material that is in the public domain in the United States. They all have an interest in setting up barriers to duplication; they don’t want a student at a subscribing school harvesting all their older public domain articles and rehosting them alongside ads, or even just putting them on the Internet Archive. There’s nothing in copyright law that would let them fence off the old material that way, but they can put much greater restrictions in their Terms of Service. And if violating Terms of Service provisions is a federal crime, they have leverage almost as good as if the material were still under formal copyright. Anyone who wants to build a parallel archive of digitized public domain journal articles will need to track down paper copies and scan them again.

Finally, there seems to be some further collusion that is either tacit or at least not in public agreements when it comes to protecting older, more valuable documents from access by the public. The American Chemical Society’s Chemical Abstracts Service is the single most profitable part of ACS operations. The ACS started operating the service in 1907 and it operated until 1994 on purely volunteer labor. It consists of indexed English abstracts and excerpts of chemical publications and data from academic and industrial chemical literature across many languages and countries. It is now available as a very expensive and popular electronic subscription service called SciFinder. The paper CAS volumes from 1907 through 1949 are all in the public domain; CAS didn’t start renew copyrights with the Library of Congress for volumes before 1950. But despite the HathiTrust’s generally aggressive copyright clearance work, this extremely popular series is only visible to the public through 1922 on the HathiTrust. The ACS’s flagship Journal of the American Chemical Society also cuts off at 1922 even though the first volume renewed was from 1955. The Journal of Organic Chemistry started in 1936 and all volumes until 1951 are public domain, but the HathiTrust doesn’t allow the public to read any of them. The same pattern repeats for all ACS journals that have post-1922 volumes in the public domain. It happens again with the American Physical Society: Reviews of Modern Physics is public domain up through 1956, but none of them are visible to the public on the HathiTrust. I haven’t had time to review every American journal that falls into the renewal window but it looks like a trend to me. This is not low-impact, obscure material that has been overlooked. It appears to be the exact opposite: material so popular that publishers see significant rents 70+ years later. And it appears that HathiTrust will not step on powerful institutions’ toes by opening up the journal volumes that didn’t get copyright renewals, even though it would be perfectly legal and consistent with their academic mission.

Getting a felony conviction on TOS violations in a particularly extreme case like this sets precedent for strong digital fences enclosing all the public domain stuff that publishers would like to privately profit from. A final paranoid thought: it may be that financially interested parties (authors’ guilds, publishers, academic societies who’ve developed a sweet tooth for royalties) are egging on the federal prosecution through back channels rather than doing anything in public. Playing Goliath in public attracts public outrage, while an apparently independent federal prosecution advances their private interests without any supporting entity risking boycotts or protests in response.

52

PeterC 09.23.12 at 12:53 pm

What is happening to him is obviously tragic, obviously disproportionate and obviously absurd. The sadist aspect is that this trinity is happening with increasing frequency to new victims so one cannot assert, obviously unusual.

53

leroy hacker 09.23.12 at 1:41 pm

A question: was public domain material the focus of Swartz’s downloading? I have seen much talk of the public domain in commentary on this case, but nothing I’ve seen in any reporting on the facts of the case mentions the public domain. All talk I’ve seen about this being an effort to liberate public domain materials seems to be just speculation based on the earlier PACER incident. Has anyone connected with the case claimed or stated that the articles downloaded were all or mostly in the public domain, or that liberation of public domain materials was the intent? If someone can point me to a story I’ve missed I’d appreciate it.

54

PeterC 09.23.12 at 10:02 pm

On the issue there seems confusion. Protectors of property like to talk of theft. But there is no theft. There is simply the evading of revenue raising. This is not the same thing.

If someone, for example, deprives me of my wifi broadband by using it up that clearly is a theft. If someone steals my car, that is a theft. If someone makes a replica of my car, that might be a wrongful evading of a legitimate payment to whoever owns the design rights to the car but the only deprivation is of revenue or of the right to raise revenue from use of the design. (Revenue may not even have been deprived, because at the price asked, the copier may have simply gone without.) Hence, the two (theft and copying) ought not be conflated. Although the design owners do want the act to be considered, hysterically, as theft, theft it is not.

55

hannah 09.23.12 at 10:08 pm

Call it plagiarism.

56

PeterC 09.24.12 at 12:03 am

It isn’t plagiarism either. If it was, those plagiarists who paid a toll would cease being plagarists. Anyway, plagiarism is a crime against the original creator by passing off the creation as your own work. The original creator need not and may never have owned the rights anyway, and clearly attempting to pass the work off as ones own doesn’t come into it.

57

Keith M Ellis 09.24.12 at 4:14 am

I am sympathetic to Swartz in every respect excepting the one which is salient: if his access to the network was officially revoked, then his further access was intentional unauthorized access and a violation of the law under which he’s being charged. There is no requirement that access be technologically protected such that there must be “hacking” done to circumvent it.

Similarly, I don’t need to lock the door of my house as a prerequisite to my refusing someone entry such that their subsequent unauthorized entry is a crime — especially if I’ve explicitly told a specific individual they’re not allowed in my house and they immediately enter it over my objections.

I don’t want to belabor the comparison, because these things aren’t perfectly comparable. My aim is merely to point out that the intuition that Swartz would have needed to “hack in” to the network in order to have run afoul of the law is mistaken. He merely need have been told that his usage is no longer allowed.

Well, okay, another imperfect comparison: embezzlement statutes are written in such a way that they often include anything that can be construed as depriving the employer of its rightful use of its property for any length of time. Thus, you can have a situation where an employees drives a vehicle that they’ve been allowed to drive in the past, but have been told they no longer can use, is charged with embezzlement for driving it, anyway. Not to steal it, and not doing something that they didn’t previously do with authorization, and not by picking the lock or anything. Only violating the verbal removal of authorization.

Again, an imperfect comparison, but one that demonstrates a couple of things: first, that it’s whether something is authorized, or not, that often matters. Not the technology which protects it and how/whether that protection was circumvented. And that makes sense, really — we don’t want laws against burglary that define burglary according to whether a specific kind of lock was picked, or not. Second — and this goes to some discussion at the beginning of the thread, and related to the earlier post by Bertram that was mentioned — in actual practice, it’s most often the case that laws are written more broadly than they’re intended to be enforced and there’s considerable prosecutorial discretion. This is pretty much the case for all criminal law. And it’s a good thing, not a bad thing, in general, because the just enforcement of law requires judgment and not just formal reasoning.

The down-side is when you have unjust prosecutions that are possible because of prosecutorial discretion. There has to be separate remedies for that.

This does sound like an unjust prosecution (disproportionate, I think). But then, the problem is that it’s pretty standard wherever there’s concern that some law that’s been technically underenforced in some respect might be on the verge of (or already) having that underenforcement taken advantage of such that a wide violation of this type is actually a serious problem … so they pick an opportune case and make an example of the offender. This happens with all sorts of stuff. I’m not saying this is a just example of this, just that throwing the book at select offenders happens every day.

If what we were talking about here was only what is presented by Henry in this post — that this is all about nothing more than Swartz downloading a huge number of JSTOR articles in violation of the TOS — then I’d be sympathetic to this call for support. But that’s not what this is about. As soon as Swartz reconnected and continued his downloading after having been caught and told to desist, instead of walking away, he made it something very different. He was being stupid, took a stupid risk, and I’m pretty much exactly as sympathetic to him as someone who made an error in judgment that got him into serious legal trouble as I am with anyone who makes an error in judgment and gets into serious legal trouble. Which is to say, quite sympathetic, really. But 99% of those people are not well-educated, well-off members of the privileged class with access to many people who will make public appeals for help in their defense. That part sort of bugs me.

58

PeterC 09.24.12 at 4:58 am

The criticism that some network privately created law was violated (even if that law us backed up by some friendly overarching law) or that the ‘culprit’s is a member if some elite seems a wee bit contrived and not greatly relevant.

Not clear that anyone ought to be necessarily bound by terms of service, or that they ought to be backed by force of law. Don’t believe in even reading them, personally.

As one of the assembled women said when Moses came down from the Mont and explained that God said that they were to do all the house work, and otherwise pamper and toil for the benefit of their menfolk… “He’s just making it up.”  So with terms of service.

And like other commands from on high, if not resisted they become set in stone.

59

GiT 09.24.12 at 5:11 am

But it’s not plagiarism. One is not saying the work is one’s own. It’s copyright infringement. Not all cases of plagiarism infringe copyrights, and not all infringements of copyright are plagiarism.

60

Keith M Ellis 09.24.12 at 6:05 am

Not clear that anyone ought to be necessarily bound by terms of service, or that they ought to be backed by force of law. Don’t believe in even reading them, personally.

I agree completely. But this whole discussion about the ToS and what Swartz was doing with JSTOR is a red herring. It’s just not relevant. Here’s the important part from the Wired article, which Henry quoted in this post:

…the superseding indictment (.pdf) unveiled Thursday accuses Swartz of evading MIT’s attempts to kick his laptop off the network…

In actively connecting to the network (or that particular network resource) after having been told that he was no longer authorized to do so (not implicitly merely because he violated the ToC, but explicitly was his authorization revoked and yet he reconnected and pursued evasive strategies to his actively being prohibited) he was violating a law specifically written to criminalize people who connect to computer networks and access resources who are not authorized to do so. Such violations can be trivial, and almost always unenforced, or they can be more serious, and strongly enforced. Either way, it’s a perfectly sensible law.

The ToS stuff is, at this point, a red herring intended to confuse the issue by people with a vested interest in defending Swartz. And, well, I am absolutely 100% in agreement with regard to the stupidity of ToSs and criminalization that relies upon them, as well as in agreement about the wrongness of JSTOR locking up public domain papers. Not to mention that Swartz seems like a great guy who has done many, many things which have been good for lots of people. But none of that is a defense against what he’s been charged with.

61

Theobald Smith 09.24.12 at 7:04 am

@Salient, 42:

I will mention that you’re not describing anything like what Aaron did when you say “break the code to your wifi” in the hypothetical. What do you mean by this?

I can’t speak for L2P, but perhaps he means something along the lines of, say, “run t packet sniffer, spoof your laptop’s MAC address and then seed fifty million torrents”.

Which, while we’re on the topic of dynamically spoofing MAC addresses…

62

Phil 09.24.12 at 7:18 am

As soon as Swartz reconnected and continued his downloading after having been caught and told to desist, instead of walking away, he made it something very different. He was being stupid, took a stupid risk, and I’m pretty much exactly as sympathetic to him as someone who made an error in judgment that got him into serious legal trouble as I am with anyone who makes an error in judgment and gets into serious legal trouble. Which is to say, quite sympathetic, really.

What he said. I think three discussions are getting mixed up in a lot of this thread (including the OP): “should Aaron be prosecuted?”, “should we endorse Aaron’s [supposed] actions on political grounds?” and “did Aaron [supposedly] do anything he knew he was legally prohibited from doing?” The OP answers No, Yes and No Comment; I’d say No to the second (mainly on tactical grounds) and a reluctant Yes to the third. He shouldn’t be prosecuted, though.

63

PeterC 09.24.12 at 8:19 am

I guess we’ll have to agree to disagree on that one, as to me the ‘crime’ against MIT is the red herring. If I were a decision maker at MIT, I might find it necessary to try to boot him off the network so MIT was not implicated in what he was doing. Representing MIT I might also find it necessary to join the lynch party just to keep in good with other members of the party. Who knows if pressure was,or was not, put on MIT to join the posse?

64

Keith M Ellis 09.24.12 at 2:35 pm

As I understand it, different laws in different jurisdictions are written differently such that some are of the “victim pressing charges” variety, and others are effectively the state pressing charges — it’s not just, per discussion above, that sometimes victims might be pressured against pressing charges, or fearful, but that the primary interest being protected is perceived as being the state’s, not the victim’s.

That’s a clumsy way to put it. But, for example, back twenty years ago when I was working in rape crisis, it was explained to me by a prosecutor that in that jurisdiction, rape was understood as an offense against the general peace, against the state, and therefore not legally dependent upon the victim “pressing charges”. However, the prosecutor generally wouldn’t prosecute with an uncooperative victim, so it was still effectively a choice of the victim’s. But not necessarily.

IANAL, and when I looked some of this up later, I saw that it’s more complicated. Even so, I think that it’s sort of a ubiquitous misunderstanding that all criminal prosecutions rely upon the victim “pressing charges”. They don’t, it’s not unusual for a prosecutor to pursue a case against the wishes of a victim, and you can’t assume that when a case is prosecuted it’s at the impetus of the victim. Given that JSTOR and MIT have both said that they’d rather drop the matter, it seems that this is the case here.

Perhaps some are objecting to MIT’s initial involvement with the police. But I don’t see how we could draw any meaningful conclusions from this. I don’t know what exactly happened, but it’s entirely possible that a) Swartz crossed some line that explicitly called for informing the authorities, and b) it well may have been something like getting into that closet and accessing the network there.

People connecting to networks and computers they’ve explicitly been told they are not authorized to access is no small thing. It’s a violation that should be criminalized and it’s a violation that is central to a whole bunch of really bad things that are done all the time. Why Swartz was doing this, and what was doing when he did it, may be things we’re entirely sympathetic to, but he broke a non-trivial law to do so and he broke it in such a way that is as far from innocent or inadvertent as is imaginable.

65

Henry 09.24.12 at 3:58 pm

Keith M. Ellis – the indictment is here. The “revocation of access” that you think is dispositive appears to have been nothing more than the blocking of particular IP addresses and a bit of MAC spoofing. At CT, we’ve occasionally had persistent trolls in comments sections deliberately logging in from different IP addresses, as well as changing identities etc, and have taken the obvious steps necessary to stop this. Trust me, when I say that this is a pain in the arse, and has involved a lot of wasted time on my part. Trust me also when I say that this in itself should not be a criminal activity, even though we make it quite clear that this behavior goes against CT policies, and continue to reserve the right to take all necessary and appropriate measures etc. Should poor old Seth Edenbaum be hauled away to prison then for repeatedly trying to post under bogus pseudonyms? I’ve also spoofed MAC addresses in the past, as, I suspect, have many others with a minimum of technical knowledge.

And as for the “ToS is a red herring” claim – come off it. Are you denying that several of the charges rest, effectively, on the claim that defying ToS is a criminal activity? Are you suggesting that there aren’t hefty prison sentences associated with these charges? Some fucking red herring.

66

Keith M Ellis 09.24.12 at 5:55 pm

Henry:

Okay, reading the new indictment, I find that in some respects it’s more ambiguous than I thought, and in other respects less ambiguous.

On your side of the argument, and contrary to my misunderstanding, MIT never directly communicated with Swartz and told him that he was no longer allowed to access the network.

However, that’s because they didn’t know who it was who was doing this. They couldn’t have contacted him directly because he had taken elaborate steps to disguise his identity. But, even so, they’d taken numerous and increasingly specific efforts to prevent his access, without knowing his specific identity. They could hardly have made it more clear that they didn’t want him doing what he was doing, or that because he was doing what he was doing they didn’t want him connecting to their network. And by his own actions he hardly could have made it more clear that he was entirely aware that they didn’t want him doing what he was doing, or that they didn’t want him connecting to the network. He went to great lengths to circumvent their efforts to prevent his access. In that context, and given that by the very nature of this kind of crime the specific identity of the intruder is unknown, that they didn’t explicitly contact him personally and revoke his access formally is not any sort of defense. He hid his identity specifically to prevent that, clearly.

Should poor old Seth Edenbaum be hauled away to prison then for repeatedly trying to post under bogus pseudonyms?

Yes, if he visited the facilities where this server is located and did as Swartz did:

Rather than let MIT assign his computer an IP address automatically, Swartz instead simply hard-wired into the network and assigned himself two IP addresses. He did so by entering a restricted network interface closet in the basement of MIT’s Building 16, plugging the computer directly into the network, and operating the computer to assign itself two IP addresses. To further cloak his activities, Swartz also hid the Acer laptop and a succession of external storage drives under a box in the closet, so that they would not arouse the suspicions of anyone who might enter the closet.

and

On January 6, 2011, Swartz returned to the wiring closet to remove his computer equipment. This time he attempted to evade identification at the entrance to the restricted area. Apparently aware of or suspicious of a video camera, as Swartz entered the wiring closet, he held his bicycle helmet like a mask to shield his face, looking through ventilation holes in the helmet. Swartz then removed his computer equipment from the closet, put it in his backpack, and left, again masking his face with the bicycle helmet before peering through a crack in the double
doors and cautiously stepping out.

It should also be made clear that when all this began, initially JSTOR tried to simply block the IP address that Swartz was using. He got another. JSTOR contacted MIT and together they became more aggressive, blocking a range of addresses and then his MAC address. Swartz circumvented all this. And so, reasonably, JSTOR suspended all of MIT’s access for several days, probably both as a solution they knew would be sufficient from their end, and also to put some pressure on MIT to resolve this themselves. The result, though, was that Swartz’s actions caused all of MIT to lose JSTOR access for several days. This isn’t trivial.

Are you denying that several of the charges rest, effectively, on the claim that defying ToS is a criminal activity?

Yes, actually. Read the indictment. The mention of JSTOR’s ToS and MIT’s policies for guest usage are all simply to help establish that Swartz was knowingly using the network in ways he knew he should not have been and which would, were he caught, result in an explicit, direct denial of his access. This is relevant in explaining why he made such obvious effort to disguise his identity and to access the network with such obvious covert and illicit means. It’s all part of establishing his intent to commit a crime; that is to say, access a computer network that he has strong reason to know he is not authorized to access. But the fundamental issue is that he accessed the network intentionally in a way that circumvented attempts to prevent his access. The MIT admins could have revoked his access for any reason and his subsequent behavior would be no less criminal.

Specifically, while arguably prior to JSTOR’s, and especially MITs, attempts to block him is his behavior only criminal insofar as he knew he was violating the ToS, subsequent to their attempts to prevent his access the ToS just doesn’t matter with regard to the criminality. I think your comparison to CT and a banned commenter is very badly flawed, but a similar distinction in your comparison would be between a user who posts a comment that violates your policy (knowing he’ll be banned or whatever) and a user who continues to try to post after he’s been banned. The case against him before you’ve banned him is nonexistent. Your case against him after you’ve banned him is much, much stronger. Especially if he breaks into your network closet to make a connection you can’t prohibit normally.

So, yeah, this argument that this is all about criminalizing activity on the basis of violating a ToS is not only a red herring, but in reading the indictment, it strikes me as being dishonest. I think very highly of you and I have enormous difficulty believing that you would make such an argument in bad faith. Nevertheless, there’s no way to analysis this that honestly and rationally makes it something that is essentially about a ToS violation. Rather, what it is, essentially, is someone who accessed a computer network (repeatedly, with numerous and increasingly aggressive methods of hiding his identity and circumventing attempts to prohibiting him) not only without authorization, but with unambiguous evidence that his access was specifically prohibited and he knew it to be so.

Contrary to yours and others’ possibly mistaken impressions, I’m not happy about this at all, about my judgment. I find that I am in complete sympathy with Swartz in every respect with the sole exception of his … hacking into a computer network where he wasn’t authorized. I am sympathetic to what he was doing, and why. I am sympathetic to the argument against criminalizing ToSs (and here I’m thinking in terms of past attempts to connect ToSs with DMCA such as in MDY v. Blizzard). I am sympathetic to the argument against the prosecutors throwing the book at Swartz. And I’m especially sympathetic to the point of view that Swartz is a good person who’s done a bunch of good things. I’m also sympathetic to the fact that a number of people I regularly read and admire are friends of his and actively defending him. But, even so, I think he did something he knew to be criminal and, given all those things I just mentioned, I’d be more sympathetic to his defense (at least in the public sphere) if it were built around the argument that he violated the law for good reasons, not that he didn’t violate the law and this is some absurd, twisted legal reasoning.

67

Henry 09.24.12 at 6:34 pm

Keith – my ability to argue about this is greatly limited by my unwillingness to say anything which might imply knowledge of, or direct judgment of the facts at hand. I don’t know anything about them, but would prefer, all in all, not to be hauled in front of a grand jury to explain how I don’t know anything about them, or to elaborate on theories of what happened that might be used in a prejudicial manner. But a couple of points on the general appropriateness of the charges which don’t stray in those directions.

(1) The alleged activities with the bike helmet etc are not actually, as best as I understand it, the subject of criminal charges. This despite the existence of statutes on physical trespass etc. If this is your concern, you might want to ask why it is that charges with decades of jail time are being preferred instead.

(2) I won’t take personal offense at your suggestion that I, and others, are being dishonest in saying that the ToS issues are key, since I’m pretty sure that you’re making this suggestion in all sincerity, and without any desire to offend. I will say that you need to read more about this, and read through the grand jury indictment to understand why I and others are saying this. As I understand it, the claims about use “without authorization,” “unauthorized” use etc rely on the prior argument that AS violated the relevant terms of service, since there is no claim in the indictment that AS e.g. sought to root the system, login under a stolen administrator’s password or engaged in any of the activities that might be seen as a direct breach under a narrower interpretation of the statute. That’s the issue here. As I read the indictment, (IANAL and I may be wrong – if there are any practitioners with experience in this area, they should feel free to comment) this suggests that counts 3-13 of the indictment basically rest on a breach of ToS argument. For a detailed discussion of the use of breach of ToS claims under the relevant statute, see this longer article by Orin Kerr, especially section IIC, and the judge’s opinion excerpted therein. NB that this opinion was in a different circuit, so it is not controlling, although it may plausibly be influential should this case come to trial.

(3) More generally, I would suggest that before you leap into the claim that people are being dishonest, you do a bit of background research to make sure that there isn’t some argument there that you simply aren’t getting, because you’re not fully acquainted with the facts, because there is a complicated prior debate etc. As I say, I’m not taking any particular offense, but a less accusatory inquiry, along the lines of ‘reading this, I am not seeing how the ToS is relevant here – can you explain why you disagree?” would have been more appropriate to the circumstances.

68

Keith M Ellis 09.24.12 at 7:00 pm

Okay, well, honestly, I would prefer to be proven mistaken about all this. And maybe I’m being more aggressive in countering the majority opinion here than I ought to be; but with regard to both this and the other (elsewhere) blog post I read, I was honestly shocked to later learn that Swartz didn’t merely, as both these posts strongly imply, download a bunch of JSTOR articles. ” Shocked”, because what he did actually do was entirely beyond the pale of merely violating ToS. Yes, I can see the argument that it all rests upon that violation — but eliding from the discussion everything beyond the ToS is, in my opinion, very misleading.

But with regard to your main argument, I’m not comfortable with defending him on the basis of a technical test of a certain behavior (“sought to root the system, login under a stolen administrator’s password”). If a reading of the statute sees those things as being dispositive, presumably because those things clearly signal intentional unauthorized access and, well, just a kind of general bad intent, then while reconnecting after being knocked off and spoofing a MAC address is pretty weak tea for establishing the same sort of unambiguity, getting into a network closet to connect to the network as a means of circumventing an effort to prohibit connection and hiding a laptop there with a couple of external drives seems to me to easily meet that test.

69

Henry 09.24.12 at 7:18 pm

getting into a network closet to connect to the network as a means of circumventing an effort to prohibit connection and hiding a laptop there with a couple of external drives seems to me to easily meet that test.

Again, without commenting on the specific allegations against AS (all of what I know about these is what I have read in the indictments), I have anecdotal evidence at least that this is not actually unexceptional behavior. I’ve witnessed one conversation among techies along the lines of ‘who hasn’t got a computer that is stuffed away somewhere hidden hooked up to the network of their old undergraduate/M.Sc. institution, scraping stuff off the Internet.’ Can’t say how universally this generalizes, but given MIT students’ technical proclivities and notoriously pragmatic attitude towards the rules of their home institution, I’d be startled if this was the only such instance in MIT, and not even slightly surprised to find that it was quite common.

70

Salient 09.24.12 at 7:19 pm

This seems like a good place to point out that, in cases without a clear victim whose interests we also have to defend, conjecturing and speculating about a person’s innocence is not nearly so dangerous and pernicious as conjecturing and speculating about a person’s guilt.

(In cases with a clear victim whose interests we have to defend, that’s usually reversed, so I hope it’s not completely trivial for me to point this out…)

71

Keith M Ellis 09.24.12 at 7:35 pm

Well, in any case, I do want to say that I object to the fraud counts (which are the ones, I believe, that have the steepest penalties) as they rely upon conjecture about what Swartz intended to do with the articles, not to mention the other (IMO) related, dubious IP claims.

Also, if Swartz didn’t actually do the things he’s being accused of doing, then of course I object, too. While Henry and the other blogger I read are people who personally know Swartz and are therefore constrained about what they might say in his defense, it’s not the case that other defenders are so constrained and, in that context, it’s more relevant that he’s not being defending by that group on the basis that the claims about his actions are false, but that his actions weren’t actually illegal.

72

piglet 09.24.12 at 9:22 pm

deleted comment by banned commenter

73

PeterC 09.25.12 at 5:41 pm

Seems we are well into agree to disagree territory. I have to agree with Henry.

The whole thing is shockingly heavy handed. And is in the context of private companies locking up access to research in journals, that often, the public through government and philanthropy has well and truly paid for. And locking access up, not for the public good in any direct or indirect way as may be argued for IP, but rather for ruthless commercial reasons to extract monopoly rents.

74

PeterC 09.25.12 at 6:04 pm

A very good point is made by Henry about AS having engaged in something quite common but rarely punished. There has to be concern when government chooses to punish someone for doing something that many have and do do. The question needs to be asked is the government prosecuting this individual as some random offender because they have decided to tighten up enforcement in this unenforced area? If so,the penalty should not be draconian but should simply signal that an enforcement change is underway. Or,as might be in this case, are authorities just abusing their powers (delegated powers in a democracy) for personal, political, or some other low reason? Using the mighty power and authority of the state to victimized an individual is something every rational individual should be against, regardless of personal dislike of that individual, because protecting him or her is just protecting yourself. “Ask not for whom the bell tolls..”

Comments on this entry are closed.