Examining The Outrageous Aaron Swartz Indictment For Computer Fraud
[Update: January 12, 2013. RIP, Aaron Swartz. He was 26. His family has released a statement describing his death as "the product of a criminal justice system rife with intimidation and prosecutorial overreach." Eulogies from Cory Doctorow and Rick Perlstein.
I wrote the post below back in July 2011, when the indictment was filed (then updated it once in September 2012). I thought from the onset the prosecution was dubious; after Swartz's death, the expert who was going to testify on his behalf posted his conclusions, conclusions that to me are damning to the U.S. Attorney's office. MIT's network was extraordinarily open by design:
Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
In light of the expert's disclosures — which suggest that Swartz did have "authorization" to obtain the articles, due to the structure of MIT's network and the various JSTOR agreements — it seems that the prosecution was even weaker than it appeared on the surface. An AP article notes that JSTOR's attorney, Mary Jo White, the former top federal prosecutor in Manhattan, had called Stephen Heymann, the lead Assistant U.S. Attorney on the case, to ask him to drop the prosecution; instead, the U.S. Attorney's office continued to demand Swartz plead guilty to all charges.
I think the circumstances demand an explanation from U.S. Attorney Carmen Ortiz about what she sought to accomplish with this prosecution (and what transpired between her and Heymann), as well as a statement from the White House as to whether they will continue these "exceeding authorization" prosecutions in the future. Arguably breaching a Terms of Service should not even arguably be a crime. For further reading on the abuse of prosecutorial discretion in light of the consequences here, see Lessig's "prosecutor as bully." Dan Gillmor has thoughts about how to remember him by continuing his work.
Update: January 14, 2013. Back in late 2011, Aaron wrote to me about this post. My recollection here.]
Aaron Swartz, a 24-year-old programmer and online political activist, has been indicted in Boston on charges that he stole more than four million documents from the Massachusetts Institute of Technology and JSTOR, an archive of scientific journals and academic papers. (Read the full indictment below.)
Mr. Swartz was indicted last Thursday by the United States Attorney for the District of Massachusetts, Carmen M. Ortiz, and the indictment was unsealed Tuesday. The charges could result in up to 35 years in prison and a $1 million fine.
JSTOR’s press statement is here. One of Swartz’s companies, Infogami, was funded by Y Combinator and acquired by reddit, so this is big news in the tech world. Demand Progress, a non-profit Swartz founded, is understandably upset:
Cambridge, MA – Moments ago, Aaron Swartz, former executive director and founder of Demand Progress, was indicted by the US government. As best as we can tell, he is being charged with allegedly downloading too many scholarly journal articles from the Web. The government contends that downloading said articles is actually felony computer hacking and should be punished with time in prison.
“This makes no sense,” said Demand Progress Executive Director David Segal; “it’s like trying to put someone in jail for allegedly checking too many books out of the library.”
“It’s even more strange because JSTOR has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute,” Segal added.
Good thing he didn’t rape or murder someone or he’d be facing 15 years.
* * *
Hell, if he was a Wall Street CEO they’d just give him a bonus.
Indeed. Let’s look at the indictment. He’s charged with:
- 18 U.S.C. § 1343 (Wire Fraud)
- 18 U.S.C. § 1030(a)(4) (Computer Fraud)
- 18 U.S.C. § 1030(a)(2), (c)(2)(B)(iii) (Unlawfully Obtaining Information from a Protected Computer)
- 18 U.S.C. § 1030(a)(5)(B), (c)(4)(A)(i)(I), (VI) (Recklessly Damaging a Protected Computer)
- 18 U.S.C. § 2 (Aiding and Abetting)
- 18 U.S.C. § 981(a)(1)(C), 28 U.S.C. § 2461(c), and 18 U.S.C. § 982(a)(2)(B) (Criminal Forfeiture)
18 U.S.C. § 1030 is better known as the Computer Fraud and Abuse Act, which I’ve written a little bit about here. As I wrote there, “If the Circuit Courts and the Supreme Court interpret the CFAA the same way they’ve interpreted the RICO Act, we’ll see a lot more of these claims in the future,” and it sure seems that way, given how the Swartz indictment is primarily based on CFAA violations.
[Update: September 12, 2012. Seth Finkelstein notes that a superseding indictment was entered. As far as I can tell, the charges aren't really different, there's just more factual detail supplied. Wired explains. As I mentioned in my original post, even if we assume the prosecutor can prove every word of the indictment, it is by no means clear that Swartz has actually violated the Computer Fraud and Abuse Act.]
But there are a few problems, one democratic (little “d”) problem and a couple legal problems.
“The prosecutor has more control over life, liberty, and reputation than any other person in America”
On the democratic point, back when I criticized the iPhone prototype arrest, I quoted “The Federal Prosecutor,” a speech by Robert Jackson, who was a former Attorney General, a Supreme Court Justice, and the Chief Nuremberg Prosecutor:
The prosecutor has more control over life, liberty, and reputation than any other person in America. His discretion is tremendous. He can have citizens investigated and, if he is that kind of person, he can have this done to the tune of public statements and veiled or unveiled intimations. Or the prosecutor may choose a more subtle course and simply have a citizen’s friends interviewed. The prosecutor can order arrests, present cases to the grand jury in secret session, and on the basis of his one-sided presentation of the facts, can cause the citizen to be indicted and held for trial. He may dismiss the case before trial, in which case the defense never has a chance to be heard. Or he may go on with a public trial. If he obtains a conviction, the prosecutor can still make recommendations as to sentence, as to whether the prisoner should get probation or a suspended sentence, and after he is put away, as to whether he is a fit subject for parole. While the prosecutor at his best is one of the most beneficent forces in our society, when he acts from malice or other base motives, he is one of the worst.
I don’t see what societal interest Carmen Ortiz thinks she’s vindicating with the Swartz indictment. According to Demand Progress, JSTOR already settled their claims with him. What more needs to be done here? The “criminal violation” here arises not from any social duty — like, you know, our society’s communal prohibition on murder — but rather from Swartz “exceeding the authorization” imposed by JSTOR on its servers. Prosecuting Swartz criminally makes less sense than prosecuting telecommunications companies for violating their consumer agreements, and we all know that’s not going to happen any time soon.
Did Aaron Swartz Really Commit Any Crimes?
Then there are the legal problems, which might turn out to be a lot more important here. A good place to find some background is the Congressional Research Service’s Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws.
Put aside the aiding and abetting and the criminal forfeiture claims; those require some other crime be proven before they can be applied. Stop thinking about him opening up a closet at MIT; breaking into a closet is a crime, but it’s a state law trespass, not a federal computer fraud.
I’m not going to take the wire fraud claim under 18 U.S.C. § 1343 seriously. They’re going to have a lot of trouble proving Swartz “devised or intending to devise any scheme or artifice to defraud” by evading the IP restrictions imposed by JSTOR. As the Department of Justice’s Attorney Manual (USAM) notes, most courts interpret “defraud” as meaning “a scheme to defraud another out of money.” More from the USAM about the “specific intent” to defraud here.
The 18 U.S.C. § 1030(a)(4) claim requires the prosecutor show Swartz “knowingly and with intent to defraud, accesse[d] a protected computer without authorization, or exceed[ed] authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The indictment claims the papers were “things of value,” but they’ve got the same problem: no intent to defraud. Bear in mind we’re talking about a computer hacking statute; the statutes don’t all just create liability for improper access, they create liability for specific “hacking” scenarios. Section (a)(4) was meant to prosecute individuals who stole information for the purpose of fraud. Swartz, a long-time information activist, certainly didn’t download millions of research papers from JSTOR with the intent of defrauding people about Group Theory. That claim is likely going to lose.
The 18 U.S.C. § 1030(a)(5)(B) claim requires the prosecutor show Swartz “recklessly cause[d] damage.” The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). Given the ways in which computer systems function, the meaning of “any impairment” in § 1030(e)(8) is ambiguous. As a conceptual matter, all transmissions to a computer cause the “impairment” of the computer’s function by utilizing memory, storage, or processing cycles. If interpreted that way, the CFAA would create strict liability for “the receipt of any unwanted electronic communication under any circumstance.” Czech v. Wall Street On Demand, Inc., 674 F. Supp. 2d 1102, 1116 (D. Minn. 2009) (discussed by Eric Goldman here). In light of the ramifications of such an interpretation, some District Courts have imposed an “actual impairment” requirement, reasoning that Congress did not intend to create liability except where the “damage” to the system was concrete and verifiable. Id. at 1116–1117. The problem for the prosecutor is if Demand Progress is correct that JSTOR “explained they’ve suffered no loss or damage.” If so, then this claim is likely dead, too.
The 18 U.S.C. § 1030(a)(2) claim is probably their best bet. That just requires that Swartz “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” Most every computer on the internet is a “protected computer,” so they might have something there.
Except that “exceeds authorized access” isn’t necessarily the same thing as “more than JSTOR wanted.” Consider US Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1192 (D. Kan. 2009) (collecting cases, noting “under these provisions of the CFAA, access to a protected computer occurs ‘without authorization’ only when initial access is not permitted, and a violation for ‘exceeding authorized access’ occurs only when initial access to the computer is permitted but the access of certain information is not permitted.”). The indictment says that Swartz used throw-away email addresses, automated download scripts, IP spoofing, and MAC-address spoofing. Big deal: there’s no dispute that Swartz was permitted to access the information in question. Downloading too many files isn’t the same thing as downloading passwords or credit card numbers.
[Update, January 2013: Soon after this post went up in July 2011, Lawrence Lessig posted a brief comment on the case taking a similar view, including "Even if the facts the government alleges are true, I am not sure they constitute a crime. There is considerable uncertainty in this area of the law. Many wonder about the quick conversion of terms-of-service into criminal prosecution. But that’s a question the courts will ultimately have to resolve."
As of September 2012 (when I last updated the legal research here), the Fourth Circuit had joined the Ninth Circuit in holding that violating terms of service does not constitute a crime under the CFAA. In contrast, the Fifth, Seventh and Eleventh Circuits have held that it can be a crime. As I wrote back in September 2012: "Swartz' case is in the First Circuit. (See this post for more, courtesy of Circuit Splits.) This is the classic sort of Circuit Split that prompts Supreme Court review; if Swartz sticks to his guns, he just might be the case. Trial is currently scheduled for February 2013."
Given the disclosures by Swartz's expert, Alex Stamos, which are linked at the beginning of this post, it seems that Swartz had a strong argument that he did indeed have "authorization." As Stamos says, at the time of Swartz's downloads, "the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network" and "Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing 'Save As' from your favorite browser."
Thus, all Swartz did was write a script to find and download the files. As a factual matter, that may have been "authorization," rendering it lawful everywhere. Even if the script was "exceeding authorization," if the First Circuit had adopted the same rule as the Fourth Circuit and the Ninth Circuit, then Swartz would likely have been not guilty as a matter of law. All of which further shows why this prosecution should not have been brought in the first place; the prosecutor is supposed to exercise their judgment to do justice.]
Don’t U.S. Attorneys Have More Important Things To Do?
The whole case looks like the iPhone prototype saga again: a civil claim that some overly aggressive prosecutor is trying to dress up as a federal crime. JSTOR has more than adequate civil remedies for whatever transpired here.
Worse, there’s more at stake here than the possibility that Swartz might go to jail and the certainty that he’ll have one of the most stressful and expensive experiences of his life. Recall the scene in The Social Network when a jilted Mark Zuckerberg first starts building Facebook by writing scripts to pull pictures from the Harvard houses’ online directories. That’s not much different in sum and substance from what Swartz did: he was permitted to obtain the information, but he did so in excessive volume. Under the Massachusetts U.S. Attorney’s theories against Swartz, Zuckerberg committed several felonies.
Zuckerberg, though, has ample funds and protection against a suit like that. What about the next Zuckerberg? This prosecution will give every “hacker” — and I use that term in a complimentary fashion, like the UNIX hackers of old, the people who built the Internet and its tools through creativity and determination — pause before they do anything outside of a bona fide API. The chilling effects will make us all worse off.