I did not know Aaron Swartz, unless you count having copies of a person's entire digital life on your forensics server as knowing him. I did once meet his father, an intelligent and dedicated man who was clearly pouring his life into defending his son. My deepest condolences go out to him and the rest of Aaron's family during what must be the hardest time of their lives.
If the good that men do is oft interred with their bones, so be it, but in the meantime I feel a responsibility to correct some of the erroneous information being posted as comments to otherwise informative discussions at Reddit, Hacker News and Boing Boing. Apparently some people feel the need to self-aggrandize by opining on the guilt of the recently departed, and I wanted to take this chance to speak on behalf of a man who can no longer defend himself. I had hoped to ask Aaron to discuss these issues on the Defcon stage once he was acquitted, but now that he has passed it is important that his memory not be besmirched by the ignorant and uninformed. I have confirmed with Aaron's attorneys that I am free to discuss these issues now that the criminal case is moot.
I was the expert witness on Aaron's side of US vs Swartz, engaged by his attorneys last year to help prepare a defense for his April trial. Until Keker Van Nest called iSEC Partners I had very little knowledge of Aaron's plight, and although we have spoken at or attended many of the same events we had never once met.
Should you doubt my neutrality, let me establish my bona fides. I have led the investigation of dozens of computer crimes, from Latvian hackers blackmailing a stock brokerage to Chinese government-backed attacks against dozens of American enterprises. I have investigated everything from small violations of corporate policy to the theft of hundreds of thousands of dollars, and have responded to break-ins at social networks, e-tailers and large banks. While we are no stranger to pro bono work, having served as experts on EFF vs Sony BMG and Sony vs Hotz, our reports have also been used in the prosecution of at least a half dozen attackers. In short, I am no long-haired hippy anarchist who believes that anything goes on the Internet. I am much closer to the stereotypical capitalist white-hat sellout that the AntiSec people like to rant about (and steal mail spools from) in the weeks before BlackHat.
I know a criminal hack when I see it, and Aaron's downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.
The government's allegations are laid out in detail in the indictment (included in full at the bottom of this post), and contemporaneous news accounts provide a good summary of the prosecutor's view of events.
Aaron was accused of downloading millions of documents from JSTOR, a non-profit web portal used by university researchers to access the archives of thousands of academic journals. At the time of Aaron's actions, JSTOR access was not free to individuals, and the locking away of this huge store of academic research was extremely controversial and a topic of personal interest to Aaron. In a sad irony, just this week JSTOR announced that millions of articles will now be free to individuals.
Most university libraries license access to the JSTOR database for their researchers, and as of the Fall of 2010 the MIT library was providing access to JSTOR to anybody on campus, including to visitors with no connection to the Institute. This deal proved to be an irresistible attraction to the Harvard-based Aaron, who began to download large numbers of articles from JSTOR from MIT's wireless network in September 2010. These downloads proceeded for a while before being noticed by JSTOR, which then blocked access to Aaron's IP. Thus began a three month cat-and-mouse game, where Aaron would connect to open MIT networks in various ways and obtain new IP addresses, and JSTOR would then block that IP after noticing what they considered too many downloads.
Later that year Aaron took his most controversial step and placed his laptop in an unlocked wiring closet in the basement of MIT's building 16, where he was able to plug into the main building switch and assign himself a working IP address. This last move confounded MIT's network administrators, and it took until January 2011 to track down the physical location of the laptop. As described in the indictment, at this point MIT installed a small webcam to monitor the closet and eventually caught Aaron retrieving his system.
After his arrest and release, Aaron settled civilly with MIT and JSTOR, returning the downloaded files, paying a small fine and promising to not attempt such downloading again. Many observers expected this to be the end of this story, until the US Attorney for Massachusetts filed federal charges against Aaron in July 2011. Aaron has been fighting these charges ever since, and at the time of his death they were:
- Two counts of Wire Fraud (18 U.S.C. §§ 1343 & 2), for "Deceptively making it appear to JSTOR that he was affiliated with MIT" by using the intentionally open MIT network, "Using a rapid, automated collection software tool designed to make it appear as if he were multiple people making single requests rather than a single person making multiple requests", and for using several techniques to change IP addresses. The indictment specifically calls out Aaron's use of a fictitious name, Gary Host, when registering with MIT's visitor portal as one of the aspects of his "scheme" to commit wire fraud.
- Five counts of Computer Fraud (18 U.S.C. §§ 1030(a)(4), (b) & 2) because he "knowingly and with intent to defraud, accessed protected computers belonging to MIT and JSTOR without authorization, and by means of such conduct furthered the intended fraud and obtained things of value."
- Five counts of Unlawfully Obtaining Information from a Protected Computer (18 U.S.C. §§ 1030(a)(2), (b), (c)(2)(B)(iii) & 2) for "intentionally accessed computers belonging to MIT and JSTOR without authorization, and thereby obtained from protected computers information whose value exceeded $5,000."
- One count of Recklessly Damaging a Protected Computer (18 U.S.C. §§ 1030(a)(5)(B), (c)(4)(A)(i)(I),(VI) & 2), since "The pace and volume of his automated requests impaired computers JSTOR used to provide service to researchers and research institutions and caused JSTOR to cut off legitimate MIT researchers for days at a time."
According to the press release touting the indictment of Aaron, these charges carry a penalty of "up to 35 years in prison, to be followed by three years of supervised release, restitution, forfeiture and a fine of up to $1 million."
When we became involved in Aaron's case we were provided with gigabytes of evidence gathered by MIT, the Cambridge PD and US Secret Service. These files included images of several computer systems and external drives, log files from MIT and JSTOR servers, and the government's forensic analysis of Aaron's property. I also had a chance to visit MIT with Aaron's attorneys in December, interviewing witnesses and inspecting MIT's networks directly.
These are the relevant facts:
- MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captive portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.
- In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much to us. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
- MIT also chooses not to prompt users of their wireless network with terms of use or a definition of abusive practices.
- At the time of Aaron's actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT's huge 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.
- Aaron did not "hack" the JSTOR website for all reasonable definitions of "hack". Aaron wrote a handful of basic Python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing "Save As" from your favorite browser.
- Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one's MAC address (which the government inaccurately identified as equivalent to a car's VIN number) or putting a Mailinator email address into a captive portal are not crimes. If they were, you could arrest half of the people who have ever used airport Wi-Fi.
- At the time of Aaron's death we were still waiting to be provided with more detailed logs from MIT's captive portal, to see whether the use of false identities is as popular as it is in cafés, airports or other educational campuses. I suspect that the evidence would have demonstrated that visitors registering as "Mickey Mouse" and "no@spam.com" would have been found at a greater rate than they exist in the general population.
- The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT's JSTOR access due to downloads from a pretty easily identified user agent.
- I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used by a homeless man to store personal effects. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.
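The basic bulk-download controls the list above says JSTOR lacked, as an added example that is not from the original post or from JSTOR's or MIT's systems: a per-client sliding-window counter over constructed log lines that warns a repeat downloader and cuts off bulk access, plus a check for the kind of non-browser user agent the text calls easily identified. The thresholds, addresses, article ids and log format are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not anything JSTOR documented.
WINDOW = timedelta(minutes=1)
WARN_AT = 5     # PDF downloads per window before the client is warned
BLOCK_AT = 10   # PDF downloads per window before bulk access is cut off
RANK = {"ok": 0, "warn": 1, "block": 2}

# Constructed sample log lines: '<iso-timestamp> <ip> "<user-agent>" <path>'.
# Addresses and ids are invented: 18.0.2.10 mimics a scripted bulk client,
# 18.0.2.30 a fast human reader, 18.0.2.20 an ordinary browser session.
SAMPLE_LOG = (
    [f'2010-09-25T03:00:{i:02d} 18.0.2.10 "curl/7.21" /stable/pdf/{100000 + i}' for i in range(12)]
    + [f'2010-09-25T03:00:{i:02d} 18.0.2.30 "Mozilla/5.0" /stable/pdf/{300000 + i}' for i in range(6)]
    + [f'2010-09-25T03:00:{20 * i:02d} 18.0.2.20 "Mozilla/5.0" /stable/pdf/{200000 + i}' for i in range(3)]
    + ['2010-09-25T03:00:30 18.0.2.20 "Mozilla/5.0" /stable/search?q=archive']
)

def parse_line(line):
    """Split one log line into (timestamp, ip, user_agent, path)."""
    ts, ip, rest = line.split(" ", 2)
    ua, path = rest.rsplit(" ", 1)
    return datetime.fromisoformat(ts), ip, ua.strip('"'), path

def evaluate(lines):
    """Sliding-window count of full-text PDF downloads per client IP.

    Returns {ip: "ok" | "warn" | "block"}; a decision only escalates, so a
    client that trips BLOCK_AT stays blocked even after its rate drops.
    """
    windows = defaultdict(deque)
    decisions = {}
    for line in lines:
        ts, ip, _ua, path = parse_line(line)
        if not path.startswith("/stable/pdf/"):
            continue                      # searches and index pages do not count
        window = windows[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:    # drop requests older than the window
            window.popleft()
        n = len(window)
        level = "block" if n >= BLOCK_AT else "warn" if n >= WARN_AT else "ok"
        decisions[ip] = max(decisions.get(ip, "ok"), level, key=RANK.__getitem__)
    return decisions

def scripted_clients(lines):
    """IPs whose user agent is a command-line tool rather than a browser."""
    return {parse_line(l)[1] for l in lines if not parse_line(l)[2].startswith("Mozilla/")}
```

A real deployment would keep the window state in a shared cache and act on the decision (banner, account requirement, throttling) rather than only reporting it.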
In short, Aaron Swartz was not the super hacker breathlessly described in the Government's indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
If I had taken the stand as planned and had been asked by the prosecutor whether Aaron's actions were "wrong", I would probably have replied that what Aaron did would better be described as "inconsiderate", in the same way that it is inconsiderate to write a check at the supermarket while a dozen people queue up behind you or to check out every book at the library needed for a History 101 paper. It is inconsiderate to download lots of files on shared Wi-Fi or to spider Wikipedia too quickly, but none of these actions should lead to a young person being hounded for years and haunted by the possibility of a 35-year sentence. The proper place for this dispute was the civil justice system where MIT and JSTOR settled with Aaron, and at the time charges were filed JSTOR spoke out publicly against them. No equivalent statement was made by MIT.
Professor Lessig writes more eloquently than I can on prosecutorial discretion and responsibility, but I certainly agree that Aaron's death demands a great deal of soul searching by the US Attorney who decided to massively overcharge this young man and the MIT administrators who decided to involve federal law enforcement.
I cannot speak as to all of the problems that contributed to Aaron's death, but I do strongly believe that he did not deserve the treatment he received while he was alive. It is incumbent on all of us to figure out how to create some positive change out of this unnecessary tragedy. I'll write more on that later. First I need to spend some time hugging my kids.
A version of this article originally appeared on Unhandled Exception.