Abelson Report to MIT on Aaron Swartz Released ~pj Updated

Tuesday, July 30 2013 @ 12:26 PM EDT

Contributed by: PJ

Harold Abelson report [PDF] to MIT about his investigation into the Aaron Swartz affair is now publicly available on MIT's website, along with a letter [PDF] from the President of MIT, L. Rafael Reif. There's a MD5 fingerprint.

It's dated July 26, and the review panel is listed as being made up of  Abelson,   Peter  A.  Diamond,   Andrew  Grosso, and   Douglas  W.  Pfeiffer  (support).

It's not a whitewash. It clearly sets out that MIT could have done more to achieve a different outcome had it cared about Aaron more and acted more harmoniously with traditional MIT culture:

If the Review Panel is forced to highlight just one issue for reflection, we would choose to look to the MIT administration’s maintenance of a “neutral” hands-off attitude that regarded the prosecution as a legal dispute to which it was not a party. This attitude was complemented by the MIT community’s apparent lack of attention to the ruinous collision of hacker ethics, open-source ideals, questionable laws, and aggressive prosecutions that was playing out in its midst. As a case study, this is a textbook example of the very controversies where the world seeks MIT’s insight and leadership.

A friend of Aaron Swartz stressed in one of our interviews that MIT will continue to be at the cutting edge in information technology and, in today’s world, challenges like those presented in Aaron Swartz’s case will arise again and again. With that realization, “Neutrality on these cases is an incoherent stance. It’s not the right choice for a tough leader or a moral leader.” In closing, our review can suggest this lesson: MIT is respected for world-class work in information technology, for promoting open access to online information, and for dealing wisely with the risks of computer abuse. The world looks to MIT to be at the forefront of these areas. Looking back on the Aaron Swartz case, the world didn’t see leadership. As one person involved in the decisions put it: “MIT didn’t do anything wrong; but we didn’t do ourselves proud.”

It has not been the Panel’s charge for this review to make judgments, rather only to learn and help others learn. In doing so, let us all recognize that, by responding as we did, MIT missed an opportunity to demonstrate the leadership that we pride ourselves on. Not meeting, accepting, and embracing the responsibility of leadership can bring disappointment. In the world at large, disappointment can easily progress to disillusionment and even outrage, as the Aaron Swartz tragedy has demonstrated with terrible clarity.

Not everyone reading the report will agree that MIT "didn't do anything wrong" as the report itself is critical of MIT's stance in certain respects. However, it does say that there is no one thing that would have for sure changed the outcome:
In concluding this review, we recognize the desire for a simple take-away, a conclusion that “if MIT had only done this rather than that, things would have turned out OK.” We can’t offer one. There were too many choices, too many might-have-beens, too great an emotional shock, and a public response that has been supercharged by the power of the Internet, the same power that Aaron Swartz epitomized and that he helped to create. Even today, with the benefit of hindsight, we have not found a silver bullet with which MIT could have simply prevented the tragedy.
Here's one. Do something about the Computer Fraud and Abuse Act. There's the silver bullet.

The report does highlight that. For example, beginning on page 87 of the report:

IV.B.6 Becoming  more  informed  about  the  charges

OGC [MIT’s Office of the General Counsel] asked MIT’s outside counsel for background understanding of the details of the indictment (and so of the role of the Computer Fraud and Abuse Act) late in the summer of 2012 and received a brief sketch of issues. Members of the MIT community who have been active in considering the CFAA did not draw the attention of OGC or the administration to issues around CFAA during the prosecution. MIT had the option of exploring the charges earlier and considering the CFAA more broadly as part of formulating its responses to requests about statements. One particularly pertinent moment was in June 2011 when the Media Lab Director informed the administration that Aaron Swartz was charged with “unauthorized access” and suggested that MIT would be in a position to cast doubt on this charge if so desired (see section III.B.1). Other pertinent times were when the two federal indictments were issued, although the Review Panel does not suggest that it was MIT’s role to offer lines of argument for the defense or to point out issues with the indictment. Similarly, members of the MIT community who were following the prosecution could have explored and discussed this issue in more detail.

A charge of “accessing [the MIT network] without authorization or in excess of authorized access” deeply involves MIT, since MIT provides the authorization and sets the rules of authorization. Thus MIT set rules that played a key role in determining what constituted a felony in the Aaron Swartz case. In the 1994 prosecution of David LaMacchia, MIT communicated to the USAO that, as a student, LaMacchia was authorized to access the computer as he had done. There was no reflection on the LaMacchia case during Swartz’s prosecution: institutional memory had been lost. Part V, Question 1, in considering the need for greater expertise at MIT relating to computer crime, also asks about ways to help preserve institutional memory.

IV.B.7 Engaging  more  deeply  with  issues  around  the  Computer  Fraud  and  Abuse  Act

  As we are finishing this report, a bill has been filed in Congress to reform the CFAA, and dubbed “Aaron’s Law.” No doubt there will be extensive discussion before there is any legislation. MIT’s roles, both in having chosen the rules and in interpreting their applicability to Aaron Swartz, make it clear that MIT has a real interest in contributing to the discussion. As MIT is a leading institution concerned with computers and network technology, MIT scholars and MIT institutionally have a role to play in encouraging reform. Thus, beyond the issue of exploring the charges against Aaron Swartz (based on wire fraud as well as access rules) earlier and in more detail, Question 5 in Part V raises the issue of MIT’s general institutional concern with the CFAA.

Part  V: QUESTIONS  FOR  THE  MIT  COMMUNITY

  We have described the events concerning Aaron Swartz and his prosecution and MIT’s involvement in those events. We now reach the portion of President Reif’s charge that is, perhaps, the most important: discussing how we might learn. Here in Part V we pose questions for the MIT community, and offer suggestions for how to address some of them, in the hope that doing so will aid the process of learning from this heartbreaking history. In selecting our questions, we draw on past incidents at MIT as well as the immediate one, and focus on structural issues raised by these experiences. MIT’s response to Aaron Swartz’s arrest and prosecution reflected the MIT community’s overall sentiment—a limited interest, as demonstrated by virtually the entire MIT

Abelson was not asked to make suggestions, but he raises questions for MIT at the end of the report. One example:
Aaron Swartz’s father noted that, in his discussions with some MIT administrators, he was asked if his son was a member of the MIT community. When he explained that his son was not a student or staff member, he felt that these administrators assured themselves that MIT had no responsibilities to Aaron and gave no consideration to the idea that Aaron was part of MIT’s larger community of scholars and scientists.

Do we need to broaden our understanding of what it means to be part of the MIT community? In the words of one faculty member interviewed:

Besides its faculty, students, staff, and employees, MIT has through the course of its history welcomed into its midst many who have only peripheral connections to the Institute and a number who have no affiliation whatsoever. These “guests” come via various informal routes as observers in laboratories, visitors in hallways, auditors in classrooms, readers in libraries, and overnight lodgers. Not all are integral to what goes on here, and some have little more than nuisance value, but many are tolerated because as a group they form part of a rich subculture that makes this community unique in its receptiveness to intellectual content regardless of credentials, points of origin, or other conventional standards. It is a relatively loose, undocumented subculture, but almost everyone here recognizes its prevalence, and values it as part of the fabric of this great institution.
What institutional obligations does MIT have to members of its larger community? What is the nature and scope of those obligations? If Aaron Swartz had been an MIT student, MIT might very well have reacted differently to his prosecution, if only because the Committee on Discipline could be available as an alternative mechanism for handling transgressions and the Dean for Students might have entered, and possibly altered, the trajectory of events. Should MIT develop a formal recognition of “guests,” contributors, and other participants in the academic life of MIT? Should such possible recognition be captured in policy, or should it be left to informal channels and community awareness? While differences will always exist, there remains a basic issue of how MIT should think about responses to members of a wider community—as the underlying mindset will affect actions, whether it is codified or not.
That, of course, relates to what I knew and you did too, that he didn't break into MIT or JSTOR. Anyone could walk in and use the open wireless:
MIT operates a very open network. Anyone can come onto campus and plug their computer into an MIT network port, or connect to the wireless network.36 Connecting to the wired network, and getting connected automatically, requires registering the computer the first time it is plugged in. Connecting to MIT’s wireless network does not require registration. Prior to January 2011, any computer connected to the MIT network could access JSTOR.
Tell the prosecutors. Seriously. MIT has changed that now, locking things down more. That's what they got out of all this.

Here's a question Abelson raises, and it's related:

Question  8:  How  can  MIT  draw  lessons  for  its  hacker  culture  from  this  experience?

  MIT celebrates hacker culture. Our admissions tours and first-year orientation salute a culture of creative disobedience where students are encouraged to explore secret corners of the campus, commit good-spirited acts of vandalism within informal but broadly— although not fully—understood rules, and resist restrictions that seem arbitrary or capricious. We attract students who are driven not just to be creative, but also to explore in ways that test boundaries and challenge positions of power.

There are multiple times in the narrative of our review where one might wonder whether some earlier process of discussion and education might have had a positive impact on actions and decisions. A similar thought comes when considering earlier experiences involving students detailed in Appendix 9. In particular, students, faculty, staff, and administration might all benefit from a discussion of the nature of a desirable hacker culture, recognizing both advantages and risks.

This raises the question of whether the MIT community is sufficiently aware of what the hacker culture is meant to be about, of the risks inherent in crossing lines as part of hacking, and the roles of faculty, staff and administration in responding to what might or might not be a hack. And we note that there has been a persistent undercurrent of concern over the past several years that MIT’s hacking tradition is being vitiated by a perceived increasing tendency to interpret hacking as a criminal activity. Some of the concern stems from incidents in 2006–2008 where students engaging in “unauthorized access” to various areas of campus ended up in Cambridge District Court, charged with breaking and entering with intent to commit a felony (as Swartz initially was).12

Yet in the computer context, unlike as in the physical world, “unauthorized access”—ill defined as it may be—can be grounds for a major federal felony prosecution. For Swartz the end result was calamitous. The entire episode may create a chilling effect for those students contemplating exploits that may push the bounds of their and society’s knowledge, but will also take them to places where conventional rules say they are not supposed to be—“coloring outside the lines” so to speak, punishable by criminal records rather than mere forfeiture of crayons.

How can we prevent a robust hacking tradition from becoming a casualty of the Aaron Swartz tragedy? Is MIT doing enough to help students when their investigations lead them into confrontations with powerful authorities or existing law? Do we distinguish adequately the different sorts of ways students get into trouble and respond appropriately? Are we misleading students and community members by advertising one kind of community and enforcing rules more appropriate to a different kind of community? Are faculty, staff, and administrators on similar wavelengths about the responses that are most appropriate? While an extended discussion will not lead to uniform views, it would be good to expand awareness of the range of views in the community.

More generally, has MIT become overly conservative in its institutional decision-making around these incidents? More than once in our interviews, the Review Panel heard members of the MIT community express a feeling that there has been a change in the institutional climate over recent years, where decisions have become driven more by a concern for minimizing risk than by strong affirmation of MIT values. Several people interpreted the Institute’s response in the Swartz case in that light. And some critics have chided MIT for playing such a passive role when Swartz’s actions were motivated by principles that MIT itself champions. Yet we think it is important to view this tragedy in light of a history that may not conform with a myth of a golden past. For this reason we have referred repeatedly to some prior experiences.

One distinguished alumnus said to us, “MIT seemed to be operating according to the letter of the law, but not according to the letter of the heart,” even while he expressed his enormous respect for the MIT leaders who had to grapple with these decisions. Is his concern on target? MIT aspires to be passionate about its principles, but we must also behave prudently as an institution. Of all the decisions MIT’s leadership must make, those that require negotiating a balance between prudence and passion are some of the most wrenching. How can we make those choices easier to confront?

A possible way to move forward would be to charge a committee, composed of students, faculty, staff, and policy-administrators, to organize a series of campus-wide deliberations around issues raised by this report. These issues might include (but should not be limited to): What is the MIT community, and who is in it? What responsibility does MIT have to advise and, at times, oppose laws and government when it sees implications adverse to MIT’s purpose and scope of leadership? What lines must MIT’s students be made aware that they should not cross, or at least be sternly warned that “there be dragons” beyond? Where does MIT draw the line between risk-avoidance, so as to protect its more parochial interests, and risk-assumption, to promote those things in which it is interested?

__________
12 See “Hacking Tradition Under Fire?,” The Tech, February 5, 2008, http://tech.mit.edu/V127/N66/hacking.html; “Lawyer: Student in NW16 Basement Was ‘Hacking’,” The Tech, July 9, 2008, http://tech.mit.edu/V128/N29/hacking.html; and “DiFava, Pierce Discuss Hacking at EC,” The Tech, November 4, 2008, http://tech.mit.edu/V128/N53/difavapierce.html.

The report addresses what Aaron's motive for the "excessive downloading" as JSTOR called it when reporting it to MIT, which led to all the rest. We know the prosecutors reached the conclusion that somehow he meant to distribute it in the wild, based on a manifesto written some time in the past and by a group of people. But Abelson raises an alternative possibility:
Aaron Swartz also participated in a study of downloaded articles concerning the payment by interested organizations to experts, including law professors, to publish papers in academic journals. He wrote a script that downloaded articles from Westlaw, and a second script that extracted the relevant information about the funding sources from the footnotes of each article.18 This has been cited as support for a different possible motive for his actions: an intention to cross-reference the entire JSTOR database by author, publisher, and funding source, so as to demonstrate the extent to which JSTOR’s service, and thus the fees it charged, was enabled and funded by public money.19 In support of this interpretation is Aaron Swartz’s self-description on the first page of his blog: “He [Aaron Swartz] is a frequent television commentator and the author of numerous articles on a variety of topics, especially the corrupting influence of big money on institutions including nonprofits, the media, politics, and public opinion. From 2010–2011, he researched these topics as a Fellow at the Harvard Ethics Center Lab on Institutional Corruption.”
MIT's president's letter is loathsomely and inaccurately self-serving:
The review panel's careful account provides something we have not had until now: an independent description of the actual events at MIT and of MIT's decisions in the context of what MIT knew as the events unfolded. The report also sets the record straight by dispelling widely circulated myths. For example, it makes clear that MIT did not “target” Aaron Swartz, we did not seek federal prosecution, punishment or jail time, and we did not oppose a plea bargain.
Sigh. Orin Kerr cites the conclusion of the report. (PJ: I earlier thought he was quoting from the letter, not the report. I'm sorry if I confused anyone.) The letter is what the president hopes we'll focus on. In fact the New York Times seems to have done so, incredibly titling its article, "M.I.T. Cleared in Report After Suicide of Activist". Ars technica's title is more accurate: "MIT not to blame for Aaron Swartz prosecution, MIT report says".

But I believe we have have now sufficient facts to reach a solid conclusion as to what was the problem. And what still is, since the letter states with bravado that we will surely understand from the report that "MIT's decisions were reasonable, appropriate and made in good faith." No. I do not so conclude.

I conclude that MIT needs a new president.

And someone seriously needs to do something about US computer laws. They are destroying people. I note a footnote about the charges Aaron faced by the time all the charging on the federal level had been accomplished, and at that point he didn't face 35 years in jail. It was 95. Are these laws crazy or merely vicious?

33 One effect of these charging decisions was to—theoretically—increase the maximum penalties to which Aaron Swartz might be subject from 35 years to 95 years imprisonment; and from $1 million to $3 million in fines. We note that, as a practical matter, the U.S. Sentencing Commission Guidelines take into account the relevant conduct of a person convicted of a crime, giving little regard to the number of counts for which that person is convicted. A judge is not obligated to follow the sentencing guidelines—but must explain on a sentencing form—that is, on the record—why the court has “departed” from the guidelines.

It is legally proper to include (or “bundle”) two or more events as part of a single count in an initial indictment, even where each event is chargeable as a separate crime as defined by a single criminal statute. It is also proper to treat such separate events as separate crimes or counts in such an indictment. Thus, while not legally required, it is appropriate to charge multiple events in one count; similarly, although not legally required, it is appropriate to charge such multiple events in multiple counts.

We also note that the U.S. Attorneys’ Manual (USAM), published by the U.S. Department of Justice and establishing policy for all U.S. Attorneys’ Offices, contains the following comment regarding charging decisions:

Comment: It is important to the fair and efficient administration of justice in the Federal system that the government bring as few charges as are necessary to ensure that justice is done. The bringing of unnecessary charges not only complicates and prolongs trials, it constitutes an excessive—and potentially unfair—exercise of power. To ensure appropriately limited exercises of the charging power, USAM 9-27.320 outlines three general situations in which additional charges may be brought: (1) when necessary adequately to reflect the nature and extent of the criminal conduct involved; (2) when necessary to provide the basis for an appropriate sentence under all the circumstances of the case; and (3) when an additional charge or charges would significantly strengthen the case against the defendant or a codefendant. “Additional Charges,” USAM 9-27.320 B.

See also United States v. Goodwin, 457 U.S. 368 (1982) (discussing appropriateness of seeking additional charges in a superseding indictment prior to trial).

Did the prosecutors pile on? Or did they abide by the comment's urging to bring as few charges as necessary to "ensure justice is done"? Justice was not done. Giving prosecutors so much power and nothing to compel them to be human resulted in a man's death under an "unfair exercise of power", as I view it. He downloaded some scientific papers. In a world of evil that we read about every day, that is the crime you want to charge with a potential of 95 years in jail and $3 million-dollar fines? Who isn't thinking clearly in this picture? When a law is so vaguely written it can be stretched like this, and left to any prosecutor's interpretations, somebody needs to fix the problem. The law shouldn't be that no one knows exactly what is covered or that if a prosecutor doesn't like you or needs some headlines to run for a future political office, you are going to get "got". That's not America to me.

Let me give you one example, so you can reach your own conclusion, some notes on a meeting by telephone between MIT's outside counsel and the lead prosecutor. I believe it will give you the idea:

On August 9, 2012, MIT’s outside counsel had a 45-minute telephone conversation with the lead prosecutor. They covered the following points:39

________
39 This material is taken from a memorandum provided by MIT’s outside counsel to OGC, dated August 10, 2012. Where phrases appear in quotes in this material, the same phrases appear, also in quotes, in the memorandum.

40 The only Internet campaign occurring during this period that has been identified by the Review Panel is the statement and petition drive conducted by Demand Progress, referenced in section II.B.2. As noted there, the statement was co-drafted by the Director of Demand Progress and Quinn Norton. We do not know what the lead prosecutor meant by “institutionalizing” a prosecution, and we do not comment on the implications of doing so based upon a public lobbying effort undertaken by or on behalf of a criminal defendant.

Get the picture? If it was public, he had to be tougher, I gather. But really, why? If you are indicted, you are not allowed to speak? Since when? You get punished more severely if you exercise your rights of free speech? Where is that law? Even if you could point to one, it'd be unconstitutional. And where is it written that institutions can't be humane? What did he mean? Toward whom was he pointing?

Ironically, tomorrow the White House will be honoring what they call technology's "champions of change":

Tomorrow, the White House will honor 11 local heroes who are "Champions of Change for Tech Inclusion." The event will celebrate Americans who are doing extraordinary things to expand technology opportunities for young learners-especially minorities, women and girls, and others from communities historically underserved or underrepresented in tech fields. These champions are inspiring students to become the developers, engineers, and innovators who will create solutions to some of the Nation's toughest challenges.
Aaron Swartz is not on the list. But he should be.

Update: Aaron's father has now released a statement, as has his partner, Taren Stinebrickner-Kauffman, who says the report *is* a whitewash, which you can find in Jon Brodkin's article on ars technica. The father's statement points out some things MIT didn't stress showing that MIT in fact was not neutral:

Swartz's father, Robert, also released a response to the report, saying that "The report makes clear that MIT was not in fact neutral." He continued:
The school helped the prosecutor in many ways that it did not help Aaron:
  • They provided the government information without subpoenas and warrants, a courtesy that was never afforded Aaron’s legal team.

  • MIT gave the prosecutor access to witnesses that they refused to give to us.

  • The University provided the prosecutor with information that they didn’t give to us.
Lawrence Lessig, law professor and founder of Creative Commons, wrote on this blog that MIT should have tried to intervene on Swartz's behalf given that, "under MIT’s open access policies, Aaron’s access was likely not 'unauthorized.'"
Here's more from Lessig:
"Neutrality" is one of those empty words that somehow has achieved sacred and context-free acceptance — like “transparency," but don’t get me started on that again. But there are obviously plenty of contexts in which to be “neutral" is simply to be wrong.

For example, this context: The point the report makes in criticizing the prosecutors is that they were at a minimum negligent in not recognizing that under MIT’s open access policies, Aaron’s access was likely not “unauthorized." As the report states (at 139):

As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p139)
But that criticism goes both ways — if indeed MIT recognized this, and didn’t explicitly say either privately or publicly that Aaron was likely not guilty of the crime charged, then that failure to speak can’t be defended by the concept of “neutrality."

228 comments



http://groklawstatic.ibiblio.org/article.php%3fstory=20130730122632843