Was Aaron Swartz a Cyber-Criminal or a Martin Luther King, Jr. of the Internet? (Thompson)

Christie Thompson writes at ProPublica:

When Reddit co-founder and internet freedom activist Aaron Swartz committed suicide last Friday, he was facing up to 13 felony counts, 50 years in prison, and millions of dollars in fines. His alleged crime? Pulling millions of academic articles from the digital archive JSTOR.

Prosecutors allege that Swartz downloaded the articles because he intended to distribute them for free online, though Swartz was arrested before any articles were made public. He had often spoken publicly about the importance of making academic research freely available.

Other online activists have increasingly turned to computer networks and other technology as a means of political protest, deploying a range of tactics — from temporarily shutting down servers to disclosing personal and corporate information.

Most of these acts, including Swartz’s downloads, are criminalized under the federal Computer Fraud and Abuse Act (CFAA), an act that was designed to prosecute hackers. But as Swartz’s and other “hacktivist” cases demonstrate, you don’t necessarily have to be a hacker to be viewed as one under federal law. Are activists like Swartz committing civil disobedience, or online crimes? We break down a few strategies of “hacktivism” to see what is considered criminal under the CFAA.

Publishing Documents

Accessing and downloading documents from private servers or behind paywalls with the intent of making them publicly available.

Swartz gained access to JSTOR through MIT’s network and downloaded millions of files, in violation of JSTOR’s terms of service (though JSTOR declined to prosecute the case). Swartz had not released any of the downloaded files at the time his legal troubles began. 

The most famous case of publishing private documents online may be the ongoing trial of Bradley Manning. While working as an intelligence analyst in Iraq, Manning passed thousands of classified intelligence reports and diplomatic cables to Wikileaks, to be posted on their website.

“I want people to see the truth… regardless of who they are… because without information, you cannot make informed decisions as a public,” Manning wrote in an online chat with ex-hacker Adrian Lamo, who eventually turned Manning in to the Department of Defense.

Both Swartz and Manning were charged under a section of the CFAA that covers anyone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer…”

The charges hinge on an interpretation of this section that says anyone in violation of a website’s terms of service is an unauthorized user. Because they’re unauthorized, all of their activity on that website could therefore be considered illegal. Both were charged with felonies under the CFAA, on top of other allegations.

The Ninth and Fourth Circuit Court of Appeals have ruled that such an interpretation of the CFAA casts too wide a net. With the circuit courts divided over whether a broad definition of “unauthorized” is constitutional, it may fall on the Supreme Court to ultimately decide.

Assistant U.S. Attorney Steve Heymann of Massachusetts was the lead prosecutor in Swartz’s case. (He was known for winning a 2010 case that landed hacker Albert Gonzalez 20 years in prison.) Heymann offered Swartz a plea bargain of six months in prison but Swartz’s defense team rejected the deal, saying a felony and any time behind bars was too harsh a sentence. Swartz’s family blamed his death in part on “intimidation and prosecutorial overreach.”

As a result of Swartz’s suicide, some lawmakers are now calling for a review of the CFAA. On Tuesday, Rep. Zoe Lofgren (D-Calif.) proposed a piece of legislation called “Aaron’s Law,” which would amend the law to explicitly state that merely violating a site’s terms of service cannot fall under the federal CFAA.

Distributed Denial of Service

A Distributed Denial of Service, or DDoS attack, floods a web site’s server with traffic from a network of sometimes thousands of individual computers, making it incapable of serving legitimate traffic.

In 2010, the group Anonymous attempted to overload websites for PayPal, Visa and Mastercard after the companies refused to process donations to Wikileaks. Anonymous posted their “Low Orbit Ion Cannon” software online, allowing roughly 6,000 people who downloaded the program to pummel the sites with traffic.

A DDoS attack can be charged as a crime under the CFAA, as it “causes damage” and can violate a web site’s terms of service. The owner of the site could also file a civil suit citing the CFAA, if they can prove a temporary server overload resulted in monetary losses.

Sixteen alleged members of Anonymous were arrested for their role in the PayPal DDoS, and could face more than 10 years in prison and $250,000 in fines. They were charged with conspiracy and “intentional damage to a protected computer” under the CFAA and the case is ongoing.

Some web activists have pressed for DDoS to be legalized as a form of protest, claiming that disrupting web traffic by occupying a server is the same as clogging streets when staging a sit-in. A petition started on the White House’s “We the People” site a few days before Swartz’s death has garnered more than 5,000 signatures.

“Distributed denial-of-service (DDoS) is not any form of hacking in any way,” the petition reads. “It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any ‘occupy’ protest.”

Doxing

Doxing involves finding and publishing a target’s personal or corporate information.

In 2011, Anonymous and hacker group Lulzsec breached the Stratfor Global Intelligence Service database and published the passwords, addresses and credit card information of the firm’s high-profile clients. The group claimed they planned to use the credit cards to donate $1 million to charity. 

Anonymous also recently doxed members of the Westboro Baptist Church after several tweeted their plans to picket funerals for Sandy Hook victims. Hackers were able to access Church members’ Twitter accounts and publish their personal information, including phone numbers, emails and hotel reservation details.

Jeremy Hammond could face life in prison for allegedly leading the Stratfor hack and a separate attack on the Arizona Department of Safety website. Former Anonymous spokesman Barrett Brown was also indicted for computer fraud in the Stratfor dox, not for hacking into the system, but for linking to the hacked information in a chat room.

The charges for doxing depend on how the information was accessed, and the nature of published information. Simply publishing publicly available information, such as phone numbers found in a Google search, would probably not be charged under the CFAA. But hacking into private computers, or even spreading the information from a hack, could lead to charges under the CFAA.

Website Defacement

Hacktivists take over a website to publish their own content or messages.

One of the first known hacking protests was in 1989, when the “WANK worm” targeted NASA, the Department of Energy and other government websites to protest nuclear armament. The sites were changed to read, “Worms Against Nuclear Killers. Your Site has officially been WANKed. You talk of times of peace for all, and then prepare for war.”

In a more recent example, Anonymous defaced Syrian government websites last November to protest Bashar al-Assad’s imposed internet blackout. Anonymous also recently hacked MIT’s website to post an Aaron Swartz tribute message, calling for freedom of information and speaking out against his prosecution.

Robert Morris, the hacker behind the WANK worm, was the first person to be prosecuted under the CFAA. He was sentenced in 1990 to a $10,000 fine and 400 hours of community service. At the time, the law only applied to computers owned by the federal government or large financial institutions, but it was amended in 1996 to include any unauthorized computer access.

Clarification: This post originally suggested Swartz participated in hacking such as DDoS or Doxing, when we meant to describe general tactics. We have updated this post accordingly. 


11 Responses

  1. In the age of information, freedom of information becomes critical. The old way of doing things is becoming obsolete and without freedom of information, human development will be stifled. Swartz was perceptive enough to understand this and courageous enough to pursue it.

  2. Perhaps the notion of “dirty hands” should apply here. Those organizations claiming “we were wronged!” are hardly innocent. The activities that drew these protests should be looked at.

    It is also true that the only weapon available to protesters is something of a scatter gun. The lone person who has access to information exposing wrongdoing rarely has the resources, time or ability to carefully craft the information he releases.

    Bradley Manning could hardly have filtered the enormous quantity of information that he released. To his and Wikileaks’ credit they seem to have done the best possible job given constraints they had. The US government, in its wars in the Middle East, clearly has dirty hands.

    Aaron Swartz in his protest against monetizing publicly funded research results probably had no other way of publicizing the issue. JSTOR does not care about who actually “owns” the information, they just want their profit stream to continue. Dirty hands again.

    When PayPal, Visa, and MasterCard cut off payments to Wikileaks they were engaging in a political act. They are rather hypocritical in complaining about a political DDoS attack. Did they violate their own “terms of service”? Dirty hands? Of course a DDoS attack is a scatter gun attack but what else would have gotten their attention?

    Stratfor is one of those dirty little organizations that the darker parts of the US government seem to find useful. More dirty hands hit by a scatter gun.

    It is time that we take the notion of dirty hands into account before we throw the book at people who protest the handiwork of those with dirty hands.

    • I think the dirty hands concept leads to a very slippery slope. Sure these organizations (I’ll exclude JSTOR) are reprehensible, but who gets to make that call? I bet there are significant numbers of Americans who consider this site “unpatriotic” or not supportive of Israel, or an enemy of fossil fueled interests etc. So if we make an exception for “dirty hand”, we risk setting off cyber-culture and cyber-political wars. I don’t think we want to go there.

  3. “JSTOR does not care about who actually “owns” the information, they just want their profit stream to continue.”

    No.

    JSTOR is a non-profit entity.

    Let me repeat that:

    JSTOR IS A NON-PROFIT ENTITY.

    The money they collect for access (almost all paid by universities and other organizations, who then grant their students/faculty/members access) goes to collecting, indexing, curating, storing, OCRing to make searchable, this research (about 8.5 million articles) – many of which would not be otherwise available electronically.

    JSTOR is not ‘concerned about their profit stream.’ That is, in the true sense of the word, ignorant.

    “Sticking it” to JSTOR — if it eventually meant, say, shutting them down — is not a noble goal, it’s self-defeating. Did you want to research out-of-print journal articles from long-defunct journals from the 1880s? Oh, sorry. Maybe you can find someone with an electronic copy just laying around? Just mass email The Internet and I’m sure someone will get back to you.

    It’s appalling that everyone seems to think that JSTOR is a for-profit monster denying the public access to information. Their mission is to make it available, and they (WHILE NOT TURNING A PROFIT) charge fees to keep their operation up and running.

    Do some god damn research.

    • That is the standard misconception about non-profit corporations; it
      is true that they do not have shareholders expecting a
      good return on their investment. But it is also true that
      they often have handsomely paid executives that are very
      competitive in protecting their domain. In that they
      are no different than regular corporations.

      You might remember the scandals at United Way a few
      years back. Those at the top lived very well. There are
      non-profits that have volunteer staff but I doubt that
      JSTOR is one of them.

      I am hardly surprised that JSTOR vigorously protects
      their slice of their “market”. However, what they
      do can be done by other internet entities. This was
      not true in the past but is certainly true now. They
      may do an admirable job but the business model has
      changed. What they do has been replicated on the
      internet for free in other areas. They are like a library
      but they think that they own the knowledge in the books.

      • Jstor is not corrupt! It is a wonderful service to have scanned all those journal articles and to have made them available via most libraries! Unless you want to nationalize it and pay for it with your tax dollars (not a bad idea), it does need some business model to survive and grow. You can get it via a lot of public libraries and most college and university libraries, so the bar to entry isn’t that high. The point of the article is that Aaron’s spreading around further of something already widely available shouldn’t have been subject to such harsh punishments, worse than those for a lot of violent crimes! – Juan

    • “Do some god damn research.”

      Well said, Saior Arepo. There are too many people who post comments without researching or understanding the real issues. Of course, real research takes time and thought, and it might disturb the preconceived narrative that, for example, ascribes “Dirty Hands” to JSTOR.

    • No, Google books are not available as complete texts if they are in copyright. Only US publications before 1926 or so are fully available. The journal articles are also in copyright, though many journals release that to authors, who often post the piece to the web. Frankly most academic journal articles in the humanities and soft social sciences are probably not worth much money (however valuable they are in insight) after a couple of years.

      • Yes, JSTOR mostly has soft sciences and humanities.

        If someone else was providing this service for free, the JSTOR model wouldn’t work and they’d disappear.

        The point is:

        All over the internet there’s a knee-jerk reaction that somehow this action “was the right thing to do” — hence the MLK comparisons, etc.

        Try this:

        Download all 8.5 million JSTOR articles. Yeah, that’s big, but storage is pretty cheap. Several dozens of terabytes of data should do it.

        Now search it for, say, a keyword. Go to lunch. Come back. Go to New York. Come back. Go to Italy. Come back.

        Search done yet? No? Quelle surprise!

        Okay, even if you put up with that – now make it available for, say, tens of thousands of academics to search. Simultaneously.

        For fear of becoming pedantic – the point is that, yes, JSTOR employees are paid. To curate, index, make available, etc. this content. Much of which wouldn’t be available or searchable at all if not for them.

        I think they expect to have these articles printed out, disseminated, etc. But their mission is to make this information available. Most researchers belong to an institution, the vast majority of which offer free access to JSTOR.

        Now I feel like I’m starting to repeat myself. But the freaking Robin Hood comparisons just aren’t apt.

        (The other model, by the way, is PLoS – Public Library of Science. Access is free (obviously they concentrate on hard sciences), but YOU PAY to have your article(s) reviewed and published.)

    • “similar in scope”

      No. Maybe in ambition. But not close.

      All Google services are “free” – in that they don’t cost currency. But they’re mining data. Call it a quid pro quo.
