Examining The Outrageous Aaron Swartz Indictment For Computer Fraud

[Update: January 12, 2013. RIP, Aaron Swartz. He was 26. His family has released a statement describing his death as "the product of a criminal justice system rife with intimidation and prosecutorial overreach." Eulogies from Cory Doctorow and Rick Perlstein

I wrote the post below back in July 2011, when the indictment was filed (then updated it once in Sepetember 2012). I thought from the onset the prosecution was dubious; after Swartz's death, the expert who was going to testify on his behalf posted his conclusions, conclusions that to me are damning to the U.S. Attorney's office. MIT's network was extraordinarily open by design:

Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.

In light of the expert's disclosures — which suggest that Swartz did have "authorization" to obtain the articles, due to the structure of MIT's network and the various JSTOR agreements — it seems that the prosecution was even weaker than it appeared on the surface. An AP article notes that JSTOR's attorney, Mary Jo White, the former top federal prosecutor in Manhattan, had called Stephen Heymann, the lead Assistant U.S. Attorney on the case, to ask him to drop the prosecution; instead, the U.S. Attorney's office continued to demand Swartz plead guilty to all charges. 

I think the circumstances demand an explanation from U.S. Attorney Carmen Ortiz about what she sought to accomplish with this prosecution (and what transpired between her and Heymann), as well as a statement from the White House as to whether they will continue these "exceeding authorization" prosecutions in the future. Arguably breaching a Terms of Service should not even arguably be a crime. For further reading on the abuse of prosecutorial discretion in light of the consequences here, see Lessig's "prosecutor as bully." Dan Gillmor has thoughts about how to remember him by continuing his work

Update: January 14, 2013. Back in late 2011, Aaron wrote to me about this post. My recollection here.]

 

The New York Times reports:

Aaron Swartz, a 24-year-old programmer and online political activist, has been indicted in Boston on charges that he stole more than four million documents from the Massachusetts Institute of Technology and JSTOR, an archive of scientific journals and academic papers. (Read the full indictment below.)

Mr. Swartz was indicted last Thursday by the United States Attorney for the District of Massachusetts, Carmen M. Ortiz, and the indictment was unsealed Tuesday. The charges could result in up to 35 years in prison and a $1 million fine.

JSTOR’s press statement is here. One of Swartz’s companies, Infogami, was funded by Y Combinator and acquired by reddit, so this is big news in the tech world. Demand Progress, a non-profit Swartz founded, is understandably upset:

Cambridge, MA –  Moments ago, Aaron Swartz, former executive director and founder of Demand Progress, was indicted by the US government. As best as we can tell, he is being charged with allegedly downloading too many scholarly journal articles from the Web. The government contends that downloading said articles is actually felony computer hacking and should be punished with time in prison.

“This makes no sense,” said Demand Progress Executive Director David Segal; “it’s like trying to put someone in jail for allegedly checking too many books out of the library.”

“It’s even more strange because JSTOR has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute,” Segal added.

There’s an interesting discussion (mostly about JSTOR) at Y Combinator. The commentators at reddit aren’t impressed either:

Good thing he didn’t rape or murder someone or he’d be facing 15 years.

* * *

Hell, if he was a Wall Street CEO they’d just give him a bonus.

Indeed. Let’s look at the indictment. He’s charged with:

  • 18 U.S.C. § 1343 (Wire Fraud)
  • 18 U.S.C. § 1030(a)(4) (Computer Fraud)
  • 18 U.S.C. § 1030(a)(2), (c)(2)(B)(iii)(Unlawfully Obtaining Information from a Protected Computer)
  • 18 U.S.C. § 1030(a)(5)(B), (c)(4)(A)(i)(I),(VI)(Recklessly Damaging a Protected Computer)
  • 18 U.S.C. § 2 (Aiding and Abetting)
  • 18 U.S.C. § 981(a)(1)(C), 28 U.S.C. § 2461(c),and 18 U.S.C. §982(a)(2)(B) (Criminal Forfeiture)

18 U.S.C. § 1030 is better known as the Computer Fraud and Abuse Act, which I’ve written a little bit about here. As I wrote there, “If the Circuit Courts and the Supreme Court interpret the CFAA the same way they’ve interpreted the RICO Act, we’ll see a lot more of these claims in the future,” and it sure seems like given how the Swartz indictment is primarily based on CFAA violations.

[Update: September 12, 2012. Seth Finkelstein notes that a superseding indictment was entered. As far as I can tell, the charges aren't really different, there's just more factual detail supplied. Wired explains. As I mentioned in my original post, even if we assume the prosecutor can prove every word of the indictment, it is by no means clear that Swartz has actually violated the Computer Fraud and Abuse Act.]

But there are a few problems, one democratic (little “d”) problem and a couple legal problems.

“The prosecutor has more control over life, liberty, and reputation than any other person in America”


On the democratic point, back when I criticized the iPhone prototype arrest, I quoted “The Federal Prosecutor,” a speech by Robert Jackson, who was a former Attorney General, a Supreme Court Justice, and the Chief Nuremberg Prosecutor:

The prosecutor has more control over life, liberty, and reputation than any other person in America. His discretion is tremendous. He can have citizens investigated and, if he is that kind of person, he can have this done to the tune of public statements and veiled or unveiled intimations. Or the prosecutor may choose a more subtle course and simply have a citizen’s friends interviewed. The prosecutor can order arrests, present cases to the grand jury in secret session, and on the basis of his one-sided presentation of the facts, can cause the citizen to be indicted and held for trial. He may dismiss the case before trial, in which case the defense never has a chance to be heard. Or he may go on with a public trial. If he obtains a conviction, the prosecutor can still make recommendations as to sentence, as to whether the prisoner should get probation or a suspended sentence, and after he is put away, as to whether he is a fit subject for parole. While the prosecutor at his best is one of the most beneficent forces in our society, when he acts from malice or other base motives, he is one of the worst.

I don’t see what societal interest Carmen Ortiz think she’s vindicating with the Swartz indictment. According to Demand Progress, JSTOR already settled their claims with him. What more needs to be done here? The “criminal violation” here arises not from any social duty — like, you know, our society’s communal prohibition on murder — but rather from Swartz “exceeding the authorization” imposed by JSTOR on its servers. Prosecuting Swartz criminally makes less sense than prosecuting telecommunications companies for violating their consumer agreements, and we all know that’s not going to happen any time soon.

 

Did Aaron Swartz Really Commit Any Crimes?


Then there’s the legal problems which might turn out to be a lot more important here. A good place to find some background is the Congressional Research Service’s Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws.

 

Put aside the aiding and abetting and the criminal forfeiture claims; those require some other crime be proven before they can be applied. Stop thinking about him opening up a closet at MIT; breaking into a closet is a crime, but it’s a state law trespass, not a federal computer fraud.

 

I’m not going to take the wire fraud claim under 18 U.S.C. § 1343 seriously. They’re going to have a lot of trouble proving Swartz “devised or intending to devise any scheme or artifice to defraud” by evading the IP restrictions imposed by JSTOR. As the Department of Justice’s Attorney Manual (USAM) notes, most courts interpret “defraud” as meaning “a scheme to defraud another out of money.” More from the USAM about the “specific intent” to defraud here.

 

The 18 U.S.C. § 1030(a)(4) claim requires the prosecutor show Swartz “knowingly and with intent to defraud, accesse[d] a protected computer without authorization, or exceed[ed] authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The indictment claims the papers were “things of value,” but they’ve got the same problem: no intent to defraud. Bear in mind we’re talking about a computer hacking statute; the statutes don’t all just create liability for improper access, they create liability for specific “hacking” scenarios. Section (a)(4) was meant to prosecute individuals who stole information for the purpose of fraud. Swartz, a long-time information activist, certainly didn’t download millions of research papers from JSTOR with the intent of defrauding people about Group Theory. That claim is likely going to lose.

 

The 18 U.S.C. § 1030(a)(5)(B) claim requires the prosecutor show Swartz “recklessly cause[d] damage.” The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information” 18 U.S.C. §§ 1030(e)(8). Given the ways in which computer systems function, the meaning of “any impairment” in § 1030(e)(8) is ambiguous. As a conceptual matter, all transmissions to a computer cause the “impairment” of the computer’s function by utilizing memory, storage, or processing cycles. If interpreted that way, the CFAA would create strict liability for “the receipt of any unwanted electronic communication under any circumstance.” Czech v. Wall Street On Demand, Inc., 674 F. Supp. 2d 1102, 1116 (D. Minn. 2009)(discussed by Eric Goldman here). In light of the ramifications of such an interpretation, some District Courts have imposed an “actual impairment” requirement, reasoning that Congress did not intend to create liability except where the “damage” to the system was concrete and verifiable. Id. at 1116–1117. The problem for the prosecutor is if Demand Progress is correct that JSTOR “explained they’ve suffered no loss or damage.” If so, then this claim is likely dead, too.

 

The 18 U.S.C. § 1030(a)(2) claim is probably their best bet. That just requires that Swartz “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” Most every computer on the internet is a “protected computer,” so they might have something there.

 

Except that “exceeds authorized access” isn’t necessarily the same thing as “more than JSTOR wanted.” Consider US Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1192 (D. Kan. 2009)(collecting cases, noting “under these provisions of the CFAA, access to a protected computer occurs ‘without authorization’ only when initial access is not permitted, and a violation for ‘exceeding authorized access’ occurs only when initial access to the computer is permitted but the access of certain information is not permitted.”). The indictment says the Swartz used throw-away email addresses, automated download scripts, IP spoofing, and MAC-address spoofing. Big deal: there’s no dispute that Swartz was permitted to access the information in question. Downloading too many files isn’t the same thing as downloading passwords or credit card numbers.

 

[Update, January 2013Soon after this post went up in July 2011, Lawrence Lessig posted a brief comment on the case taking a similar view, including "Even if the facts the government alleges are true, I am not sure they constitute a crime. There is considerable uncertainty in this area of the law. Many wonder about the quick conversion of terms-of-service into criminal prosecution. But that’s a question the courts will ultimately have to resolve."

 

As of September 2012 (when I last updated the legal research here), the Fourth Circuit had joined the Ninth Circuit in holding that violating terms of service does not constitute a crime under the CFAA. In contrast, the Fifth, Seventh and Eleventh Circuits have held that it can be a crime. As I wrote back in September 2012: "Swartz' case is in the First Circuit. (See this post for more, courtesy of Circuit Splits.) This is the classic sort of Circuit Split that prompts Supreme Court review; if Swartz sticks to his guns, he just might be the case. Trial is currently scheduled for February 2013."

 

Given the disclosures by Swartz's expert, Alex Stamos, which are linked at the beginning of this post, it seems that Swartz had a strong argument that he did indeed have "authorization." As Stamos says, at the time of Swartz's downloads, "the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network" and "Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing 'Save As' from your favorite browser."

 

Thus, all Swartz did was write a script to find and download the files. As a factual matter, that may have been "authorization," rendering it lawful everywhere. Even if the script was "exceeding authorization," if the First Circuit had adopted the same rule as the Fourth Circuit and the Ninth Circuit, then Swartz would likely have been not guilty as a matter of law. All of which further shows why this prosecution should not have been brought in the first place; the prosecutor is supposed to exercise their judgment to do justice.]

 

Don’t U.S. Attorneys Have More Important Things To Do?


The whole case looks like the iPhone prototype saga again: a civil claim that some overly aggressive prosecutor is trying to dress up as a federal crime. JSTOR has more than adequate civil remedies for whatever transpired here.

Worse, there’s more at stake here than the possibility that Swartz might go to jail and the certainty that he’ll have one of the most stressful and expensive experiences of his life. Recall the scene in The Social Network when a jilted Mark Zuckerberg first starts building Facebook by writing scripts to pull pictures from the Harvard houses’ online directories. That’s not much different in sum and substance from what Swartz did: he was permitted to obtain the information, but he did so in excessive volume. Under the Massachusetts’ U.S. Attorney’s theories against Swartz, Zuckerberg committed several felonies.

Zuckerberg, though, has ample funds and protection against a suit like that. What about the next Zuckerberg? This prosecution will give every “hacker” — and I use that term in a complimentary fashion, like the UNIX hackers of old, the people who built the Internet and its tools through creativity and determination — pause before they do anything outside of a bona fide API. The chilling effects will make us all worse off.

Tweet Like Email LinkedIn
  • Pingback: Linked Data Influencer Under Indictment For Data Theft - semanticweb.com

  • Anonymous

    Hello Sir,

    Have you read:

    http://ist.mit.edu/services/athena/olh/rules#mitnet
    http://www.jstor.org/page/info/about/policies/terms.jsp

    What is missed in much of the current discussion is that this “misappropriation” of JSTOR’s resources via MITnet caused a hard denial of service for the entire MIT community of varying durations. If it was as simple as Mr. Swartz making a massive download from Harvard, he would have maybe been slapped on the wrist. But he, by entering into specific covenants, and through subterfuge, both physical and computationally, misused MIT resources, an organization with which he had NO affiliation. That is not trivial. If he had stayed at Harvard, they may have just revoked his network access. When he decided to abuse the resources at MIT, he overstepped a very clear line.

    • Anonymous

      The physical intrusion is a trespass, a state crime. If the local prosecutor is interested in pressing charges, that’s one thing. If MIT is interested in suing for trespass, that’s one thing.

      But that’s not what happened. The US Attorney filed an indictment for violations of the Computer Fraud and Abuse Act alleging crimes arising primarily from the improper access to JSTOR. It is those charges that raise the concerns I mention above.

      • Anonymous

        Part of the allegations in Count 1 refer to Mr. Swartz’s “material false and fraudulent pretenses, representations, and promises” by which he gained access to JSTOR, i.e., his MITnet usage, and the attendant MITnet usage agreement to which all guest users of the MIT networks must abide. Thus, it is not simply the physical trespass that is at question, but the network trespass and misuse as well. Though it would be inaccurate to call his access to the network as trespass: he was a valid guest. His primary offense here would be his failure to abide by the terms of network usage.

        I concede though, this seems a very heavy handed action to considering he has already settled with JSTOR. MIT, likewise, as you say, could have taken separate actions. I do not know what happened that escalated this matter to a federal matter.

        Thank you for your analysis and comments.

        • kpw

          I’ve been told by people I assume to be familiar with the investigation that this became a federal matter thanks to the Cambridge police department. They were called in to investigate the initial trespass and in-turn called the Secret Service (apparently due to involvement network equipment). Once the Secret Service was involved the criminal investigation took on a life of its own outside of MIT.

      • Paul Pancette

        To put it slightly differently than Shimown and shg (and perhaps less contentiously), the 1030(a)(5) count, for “recklessly damaging” a protected computer, may have a stronger basis than the facts you highlight would suggest. As Shimown points out, the massive downloading resulted in what might be characterized as a mini denial of service attack, or at least that’s essentially what the government describes. The indictment alleges that as a result of Swartz’s automated downloading on such a large scale, some users or servers were taken offline for a time. Even if JSTOR concedes that they did not suffer “damage,” there may still be “damage” for purposes of the statute. For example, if MIT users had their access to JSTOR cut off for a time, that’s an “impairment” of the type 1030 addresses. (And frankly, even if JSTOR has made peace with Swartz, their press statement doesn’t claim there was no “damage,” but rather, that they are satisfied with Swartz’s reassurances about what he did or will do with the data.)

        Of course, the question of whether Swartz can be shown to have “exceeded authorized access” or engaged in unauthorized access (as required under several of the charges) is a separate one, and as you write (and contra shg) not a “slam dunk.” You focus on the un- or extra- authorized access to JSTOR, but another basis for the charge is access to MIT’s network. If the indictment is to be believed, Swartz engaged in a variety of tactics to avoid limits MIT attempted to impose on guest users, so it’s not just a matter of violating some terms of service no one ever reads. Swartz is said to have not only worked some minor deception (spoofing MAC addresses, manually switching IPs), but also to have gained physical unauthorized access to a wiring closet. The relevance of that “break in” may not be that it’s a state crime versus a federal one, but that it’s a clear indication that he wasn’t authorized (by MIT) to be doing what he was doing to their network.

        • Anonymous

          All fair points. The case isn’t wholly frivolous, but it’s so weak, and so far from the purposes of the CFAA, that it raises serious questions about the purpose of the prosecution in the first place. The CFAA’s civil provisions don’t track the criminal ones exactly because the civil provisions require showing certain types of “loss” and “damage.” If, as you describe above, the access recklessly cause significant impairment to MIT’s system, that’s a violation, but not the type of malicious evil sought to be remedied by the CFAA.

          Consider by analogy a surgeon committing malpractice and operating on the wrong site. The patient consented to adequate care, not malpractice, and so the surgeon technically committed criminal battery. Would anyone prosecute that? Of course not. The societal ill there, malpractice, is adequately covered by the available civil remedy.

          Same goes Swartz. I don’t doubt he should have “gotten in trouble,” so to speak, and that JSTOR and MIT should have seriously considered bringing appropriate litigation. But a criminal prosecution is another matter entirely. Here, the claims are so tenuous that it’s hard to accept any viable argument for bringing them.

        • http://twitter.com/solirvine Sol Irvine

          Talk about losing the forest for the trees!

          What public interest is there in maintaining high availability for these systems? I can understand if an intruder’s actions bring a system aimed at the general public down for most or all users for a significant amount of time. JSTOR was neither public, nor was brought down.

          But here you are arguing that loss of redundancies and small-scale denial of access to some users (even that is a big maybe) rises to the level of a criminal public interest. Between picking through the statute and wagging your finger, you (and Shimdown and shg) might want to reflect on why we have these laws, and how they ought to be enforced.

        • http://www.litigationandtrial.com/ Max Kennerly

          If Swartz’s expert is to be believed, there wasn’t any actual damage at all, and the “impairment” to the system was nothing more than MIT & JSTOR turning it off briefly — all of which was the natural result of their decision to put JSTOR on MIT’s unrestricted network.

  • shg

    The CFAA count is a slam dunk, Max. This is as close to a “classic” violation of 1030 as there is. I realize you’re not a criminal lawyer and, obviously, have no clue about federal fraud prosecutions, but this is a reason not to opine rather than write something that is obviously wrong.

    • Anonymous

      There is no “CFAA count.” There are several counts, alleging independent violations; which one is the “slam dunk?”

      There are two “classic” CFAA violations: using forged credentials to access and to retrieve private data (e.g., stealing SSNs), or intentionally/recklessly causing damage to a system (e.g., DDoS). Here, the credentials weren’t forged, the data wasn’t private, and it seems the system wasn’t really impaired by his use; instead, he used unauthorized scripts to access a higher volume of available data than they liked.

      Feel free to put forth a substantive analysis. Have you ever litigated CFAA issues? There’s more civil than criminal litigation over the CFAA.

  • Pingback: The Economics of JSTOR | Anterotesis

  • http://newstechnica.com David Gerard

    The most plausible hypothesis I’ve heard as to the rationale for the Swartz charges is that they are retaliation for his good work in helping kill S.978 (the bill to make streaming copyright material, e.g. putting a song on YouTube, a felony), a bill the copyright industry was particularly keen on. Hence the frankly weird claim that Swartz was going to torrent the lot.

    I suppose that’s largely irrelevant to the litigation of the actual case, though …

  • Pingback: Examining The Outrageous Aaron Swartz Indictment For Computer Fraud | Complex Litigation, Special Comment, Trademark & Copyright Infringement | The P2P Daily | Scoop.it

  • Pingback: SJ’s Longest Now » Blog Archive » Aaron Swartz v. United States

  • Pingback: The case against Aaron Swartz | WEBLOGSKY: Jon Lebkowsky's Blog

  • Anonymous

    Don’t we pay for this academic research? Why then do we have to pay again to read its results? What benefit do these journals provide? They lock up information that would be of great use to the public, even after the copyright protection has expired.

  • Henry Minsky

    Is there anything to be done now? Swartz was a friend of mine. I’d like to see some sort of justice with regards to this vindictive prosecution.

    • http://www.litigationandtrial.com/ Max Kennerly

      Aaron called me about this post; he was friendly, polite, modest, curious, and brilliant.

      Tell Obama to stop these dubious CFAA prosecutions for terms of service violations.

  • Shane Harris

    This is not a criticism: I eagerly await the day that injustice receives this much energy BEFORE the damage is done. RETRACTED: I now see the date this was published. Apologies.

    • http://www.litigationandtrial.com/ Max Kennerly

      Accepted. I barely knew him — we talked exactly once — but I feel guilty nonetheless, wondering if there’s something more I could have done beyond this post that would have made a difference.

  • http://www.facebook.com/wendy.sticht Wendy Sticht

    He couldn’t afford to prove he was innocent of the charges. We are guilty unless we can afford to prove our innocence. Great justice system!