MIT's Role as Described in Aaron Swartz's October Motion to Suppress ~pj Updated 4 Xs
Wednesday, January 16 2013 @ 05:49 AM EST

The Huffington Post provides a link to Aaron Swartz's October motion to suppress, which provides some eye-opening details:
After contacting law enforcement, MIT helped federal authorities gather evidence to build their case against Swartz, his attorneys said in court filing. MIT officials, for example, installed video surveillance to catch Swartz returning for his laptop, according to filings.

MIT employees also captured network traffic from Swartz's laptop and turned that data over to the Secret Service without requiring a warrant or subpoena. MIT disclosed that data to law enforcement with permission from the university's general counsel’s office, Swartz's attorney wrote in an October court filing.

The filing describes conditions and policies at MIT and what Swartz's expectations were, and while it's only part of the story, I think it will both surprise you and answer quite a few questions for you. It did me.

It portrays MIT as the core problem in this tragedy. In fact, there are claims that it was actually MIT who was breaking computer laws. Because not only did Aaron Swartz have JSTOR guest visitor privileges on MIT's completely open network, it claims, but once MIT discovered Aaron's laptop, all it had to do was disconnect it from the network and hold it, according to the filing. If Aaron showed up to claim it, they could tell him that they felt he was excessively downloading and to cut it out. And that could have been all there was to it. Instead, MIT contacted the police and the rest is the tragedy that ensued.

I mention this because MIT is doing an investigation and some soul searching, and when it issues its report, this will give you some context and a way to measure what it concludes.

Keep in mind that as with all court filings, just because a lawyer says it's so, that alone doesn't prove it. For contrast and fairness, Orin Kerr at Volokh Conspiracy provides the indictment [PDF], and if you read only that, you'd get a very different impression. In fact, he did. His view is that the law supports the charges against Aaron, going by the facts in the indictment:

This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions. I don’t see how that is particularly different from using someone else’s password, which is the quintessential access without authorization.
Keep in mind that Mr. Kerr is the wonderful lawyer who stood with Lori Drew and helped her defend against the same law that was used against Aaron. I have a great deal of respect for him. But according to the motion, there was no written policy prohibiting what Aaron did. Nor were there identification restrictions.

Yet, according to the indictment, JSTOR "authorized" downloading only a certain number of documents at a time and prohibited bots and scrapers, making users agree not to use them. And it claims MIT has policies, rules, and requirements that totally contradict what Swartz's motion to suppress describes. It's all very Rashomon.

Jennifer Granick responds to Kerr's article at Cyberlaw:

Moreover, the fundamental question is why the U.S. Attorney decided to charge this case. Since that decision was a mistake, treating the rest of the case as a serious crime was disproportionate and wrong. The CFAA is shockingly broad. Prosecutors shouldn't file CFAA cases just because they can under existing case law. To the contrary, this is why the CFAA should be amended and narrowed. Treating technically illegal but practically innocuous conduct (JSTOR wasn't interested in pressing charges) as if it were a serious crime is also wrong. It is those combined decisions that Lessig, I and so many others decry, and for which we still have no justification....

However, I disagree that all such circumventions ought to trigger CFAA liability, or that Aaron's conduct was like using someone else's password. Using another person's password gets you access to their files. Circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download.

The Swartz motion describes MIT as pretty much allowing whatever folks wanted to do, without handholding, prescreening, or any real checking. I mean you could just walk in off the street and plug into their network:
MIT has a liberal guest access policy, which was described by Tim McGovern, MIT Manager of Network Security & Support Services, as follows:
No authentication of visitors. Visitor network access is provided as an on-demand self-service process for anyone who walks onto campus, plugs in, or elects to use our wireless network, and declares themselves a visitor, and they get 14 days of network privileges.

No identity verification. Visitors are asked to provide an email address. The email address is not used to verify that a bona fide identity exists . . . .

No authentication of users accessing JSTOR.org. By agreement, JSTOR.org allows any computer with a net 18 IP address [an MIT IP address] to access their resources without further identification or authentication.

Exhibit 3. In fact, in internal emails, JSTOR described MIT as “unique” in having an open campus. Exhibit 4. Unlike other institutions which require passwords to access their servers and require additional layers of authentication to access digital libraries such as JSTOR, MIT required neither a password, a formal affiliation with the school, or any form of identification for any visitor to become an authorized guest enjoying access to the MIT electronic communication service which was the equal of that afforded to MIT students and professors.
A footnote points out you can plug into MIT's wireless without even entering their buildings. If that description of MIT's setup is accurate, or even mostly accurate, how, I ended up asking, do you arrive at even one day in jail? At an insistence that this young man plead guilty to multiple *felonies*? I mean, if he had legitimate access and was allowed to download articles, how do you get threatened with 35 years in jail or even six months? For downloading excessively? You can go to jail for life for that? Seriously? If that's the case, someone needs to change the law, don't you think? Wouldn't it be wise to write the law so it catches the real bad guys?

You know what I think about? Young people in Russia and China and Iran don't have a Computer Fraud & Abuse Act to hold them back. They are free to learn as much as they wish about computers, how they work, what they can do. They can research without fear of jail. How can that not create an imbalance in skills between US geeks and their counterparts elsewhere? If the US throws their brightest geeks in jail, or drives them to suicide, who will defend us when state-sponsored cyberattacks come our way? Surely there is a balance to be struck between property concerns and national security. I am a copyright holder, and I believe in copyright protection. But if it's between my copyrights and national security, there is no question what I would consider more important.

When I think of all that Aaron accomplished in his short life, I can only imagine what else he might have created for us. That is the nation's loss. The world's. You don't find genius coders under every bush, you know. Tim Berners-Lee spoke at the funeral, as did Larry Lessig, ars technica reports:

Swartz was eulogized by his partner, Taren Stinebrickner-Kauffman, his defense attorney Elliot Peters, and a couple of his friends, as well as tech luminaries Tim Berners-Lee and Lawrence Lessig. Berners-Lee recalled Swartz's precociousness, sharing his surprise at finding out that one of his conversation partners in a standards-setting group was just 14 years old. "We've lost an elder… a fighter," Berners-Lee remarked.

Struggling at times to compose himself, Lessig described his decade-long friendship with Swartz. "Aaron was the mentor and I the mentee," Lessig explained. He inveighed against the prosecution of the case, arguing that the prosecutor was incapable of recognizing the distinction between "stealing with a computer" and "stealing with a crowbar."

Swartz's lead defense attorney, Elliot Peters, also had harsh words for the US attorney managing the case. He mourned the fact that he would never be able to invoke Boston Harbor and the American Revolution during his closing arguments.

Since his death, the Swartz family has laid blame for his demise at the feet of overzealous federal prosecutors. Indeed, the prosecutors arguably lost all sense of perspective with this case, insisting during plea negotiations that Swartz admit guilt to all charges and serve a stint in prison.

During a heart-wrenching eulogy, Swartz's father Robert accused MIT of betraying "all of its basic principles" by pursuing the case. "Aaron was pushed to his death by his government and the most prominent technical institution in the world," he mourned.

Granick has some suggestions on the Computer Fraud & Abuse Act and how to improve computer laws. Isn't that the most practical response to this event, to ensure it can't ever happen again? There is a We the People petition asking for that, a petition that law professor Eric Goldman says he has signed. And Representative Zoe Lofgren has introduced in the House of Representatives a bill [PDF] she would like to call Aaron's Law to remove criminal liability under the CFAA for violating terms of use. It's being discussed right now on Reddit.

I freely confess I have very little experience with criminal law, so I can't provide guidance or answers. And as you see, lawyers don't agree, so what can *I* tell you? I can't explain what I don't understand myself. Both Kerr and Granick will be writing more on this topic, and I'd encourage you to follow both, and then you will be better equipped to form your own opinion. All I can provide are the documents that can help you to understand what happened. Unfortunately, the case is closed, so we'll never get a full resolution, but this is a big enough tragedy that we need to understand what we can. And I thought you'd want to know that Internet Archive has set up an Aaron Swartz Collection, an archive of his writings.

Please remember that this is Groklaw. We don't allow mean, ad hominem comments, not to or about anyone. Be respectful, please. This is a human tragedy, involving imperfect humans like you and me, and I'm sure everyone involved in it is feeling very shaken and deeply distressed. So I'd ask you also to be kind. If as so many have said there was a lack of humanity shown, let it end. I don't want Groklaw to behave like that.

I've done the document as text for you, and then there is the update, the indictment as text:

UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

________________________

UNITED STATES

v.

AARON SWARTZ

________________________

No. 11-10260-NMG

MOTION TO SUPPRESS ALL FRUITS OF INTERCEPTIONS AND DISCLOSURES OF
ELECTRONIC COMMUNICATIONS AND OTHER INFORMATION BY MIT
PERSONNEL IN VIOLATION OF THE FOURTH AMENDMENT AND THE STORED
COMMUNICATIONS ACT AND INCORPORATED MEMORANDUM OF LAW
(MOTION TO SUPPRESS NO. 1)

Now comes the defendant Aaron Swartz and respectfully moves that this Honorable Court suppress as evidence at the trial of this case (1) the network flow data and DHCP logs collected by MIT personnel and disclosed to the government without a warrant or court order or subpoena, as well as all evidence derived therefrom, and (2) all evidence from the packet capture instituted by MIT personnel on the morning of January 4, 2011, and continuing, at the request of the government that MIT personnel continue to intercept electronic communications, through January 6, 2011, and subsequently turned over to the Secret Service, as well as all evidence derived therefrom.1

As reason therefor, defendant states:

1. He had a reasonable expectation of privacy in the electronic communications flowing to and from his ACER netbook.2

2. The interception of network flow data to the netbook and the packet capture constituted interceptions of electronic communications within the meaning of Title III.

3. The interceptions conducted by MIT and its disclosure of the information gathered to the Secret Service violated 18 U.S.C. §2511(1), as no exceptions to the requirements of Title III apply to MIT’s conduct. The evidence, along with all derivative fruits thereof, must, therefore, be suppressed as violative of the Fourth Amendment.

4. The disclosure of DHCP logs by MIT personnel in the absence of a warrant issued upon a showing of probable cause or a court order pursuant to 18 U.S.C. §2703(d) violated the Fourth Amendment and/or the Stored Communications Act.

5. MIT’s disclosure to the Secret Service of DHCP logs, network flow data, and packet capture information in the absence of a subpoena or search warrant violated 18 U.S.C. §§2702, 2703, as well as Swartz’s rights under the Fourth Amendment such that suppression of the evidence, as well as all derivative fruits, is required.

THE DEFENDANT REQUESTS A HEARING ON THE WITHIN MOTION.

LOCAL RULE 7.1(A)(2) STATEMENT

The undersigned counsel has conferred with AUSA Stephen Heymann. The government opposes the suppression remedies sought and will respond to defendant’s request for a hearing in its response to the motion.

MEMORANDUM OF LAW

I. FACTUAL BACKGROUND.

On September 26, 2010, MIT received an email from Brian Larsen at JSTOR, an online archive of scholarly journal articles, informing it that there had been, that morning, an excessive downloading of journals. By the next day, the IP addresses from which the journals were being downloaded had been located (largely, if not exclusively, by JSTOR) and the user information for the guest registration of the computer being used had been identified; JSTOR then blocked access to these IP addresses. Timeline of events related to JSTOR downloading incident: 9/26/10 - 1/6/11, Exhibit 1 (“Timeline”) at 1. On October 9, 2010, JSTOR again notified MIT that its access was being blocked because of excessive downloading. Timeline at 2. JSTOR quickly identified the IP address being used for the downloads, and MIT personnel thereafter discovered that access was being accomplished in Building 16 by a computer registered through its visitor guest registration process by the same guest whose computer was linked to the September incident.3 Timeline at 2-3.

MIT and JSTOR conferred regarding methods to prevent excessive downloading. Timeline at 3-4. On December 26, 2010, there was another episode of excessive downloading, which MIT personnel did not learn of until on or about January 3, 2011. On the morning of January 4, 2011, at approximately 8:00 am, MIT personnel located the netbook being used for the downloads and decided to leave it in place and institute a packet capture of the network traffic to and from the netbook.4 Timeline at 6. This was accomplished using the laptop of Dave Newman, MIT Senior
Network Engineer, which was connected to the netbook and intercepted the communications coming to and from it. Id. Later that day, beginning at 11:00 am, the Secret Service assumed control of the investigation.5 Later on January 4, 2011, Mike Halsall, MIT Senior Network & Information Security Analyst, turned over to Secret Service S/A Michael Pickett “historical network flow data concerning 18.55.6.240 & 7.240 [the IP addresses associated with the earlier JSTOR downloads]6 dating from 12/14 until present and relevant DHCP log information7 from prior occurrences of ghost-macbook and ghost-laptop [the two guest registrations at issue] JSTOR downloading incidents (from Sept. and Oct.).” Timeline at 7. The disclosure took place only after the MIT General Counsel’s Office approved the disclosure of the information to law enforcement authorities even in the absence of a warrant or court order or subpoena – and at a time when MIT personnel were acting as government agents – and in contravention of MIT policy that such information, which exceeded that found in bank records or telephone toll records, would be disclosed only upon the receipt of lawful court orders or subpoenas, i.e., process complying with the Stored Communications Act, 18 U.S.C. §2701 et seq. See Section IV, infra. In a separate email from Halsall to S/A Pickett on January 8, 2011, Halsall told Pickett that he “hop[ed] to have the pcap/flows/videos/logs all in by to me Monday,
possibly sooner – if you don’t already have a copy of the video or pcap [packet capture], I’ll make sure you get one.” Exhibit 2. No warrant or court order has been provided to counsel which would evidence the government’s having, even post-interception, acquired the contents of the warrantless interceptions by seeking judicial authorization as required.

II. MIT’S ACTIONS VIOLATED TITLE III.

A. Swartz Had a Reasonable Expectation of Privacy in his Electronic
Communications to and from his Netbook.8

Swartz had a subjective expectation of privacy in electronic communications to and from his netbook, and that expectation is one which society should recognize as objectively reasonable. The netbook was connected to the MIT network, but “the mere act of accessing a network does not in itself extinguish privacy expectations.” United States v. Heckenkamp, 482 F.3d 1142, 1146 (9th Cir. 2007). MIT has a liberal guest access policy, which was described by Tim McGovern, MIT Manager of Network Security & Support Services, as follows:
No authentication of visitors. Visitor network access is provided as an on-demand self-service process for anyone who walks onto campus, plugs in, or elects to use our wireless network, and declares themselves a visitor, and they get 14 days of network privileges.

No identity verification. Visitors are asked to provide an email address. The email address is not used to verify that a bona fide identity exists . . . .

No authentication of users accessing JSTOR.org. By agreement, JSTOR.org allows any computer with a net 18 IP address [an MIT IP address] to access their resources without further identification or authentication.

Exhibit 3. In fact, in internal emails, JSTOR described MIT as “unique” in having an open campus. Exhibit 4. Unlike other institutions which require passwords to access their servers and require additional layers of authentication to access digital libraries such as JSTOR, MIT required neither
a password, a formal affiliation with the school, or any form of identification for any visitor to become an authorized guest enjoying access to the MIT electronic communication service which was the equal of that afforded to MIT students and professors.

Swartz was validly signed on to the MIT network as a guest, as the MIT guest policy permitted him to be, as verified by an October 14, 2010, email from Ellen Duranceau, MIT Program Manager of Scholarly Publishing and Licensing, to Brian Larsen at JSTOR, informing him that “[o]ur investigations here point to the same guest that was involved in the 9/27 incident. We don’t have enough information to follow the trail completely, but the signs suggest that the same guest user was responsible for this latest activity. . . . all of this excessive use was caused by a guest visitor at MIT,” Exhibit 5 (emphasis added), and then by an October 18, 2010, email from Ms. Duranceau to Tim McGovern, MIT Manager of Network Security & Support Services:

Tim and Mike:
Would it be accurate for me to answer [JSTOR’s] query this way:

We offer guests access to the MIT network, and this practice will continue. However, once we [in the future] institute our additional authorization layer for JSTOR, this route will be closed to guests. So we will have closed the pathway used.”

****

Mike, I will be asking JSTOR about your mod_rewrite idea once I check in with Rich Wenger in the Libraries and once JSTOR has shifted more clearly into implementing the new method rather than still working on resolving the excessive use issue.

Exhibit 6 (emphasis added). Thus, MIT had an open-access network that permitted anyone to access it by signing in as a visitor/guest, and anyone signed in to the MIT network was permitted to access JSTOR without further identification or authorization. The name and email address used to sign in as a visitor were fundamentally irrelevant to MIT, as it did not use it in any way to identify the visitor or even to ascertain whether it was a “bona fide identity,” nor did guests to the MIT network receive notice that they were prohibited from using static IP addresses, changing IP addresses, or changing MAC addresses when accessing the MIT network on successive occasions. Neither MIT nor JSTOR
initiated the additional authorization protocol prior to the seizure of the netbook and Swartz’s arrest on January 6, 2011.

That MIT regarded Swartz as a guest user is also confirmed by several other MIT communications during the fall of 2010. On September 29, 2010, Ellen Duranceau informed Brian Larsen at JSTOR that “the origin of the activity was a guest visiting MIT.” Exhibit 7 (emphasis added). JSTOR is available to “[u]sers [who] come to MIT to establish a guest account on the network, and “do not have to have MIT affiliation to use the content.” Summary of Key Points by Ellen Duranceau, Exhibit 8. See Email from Ellen Duranceau to Ann Wolpert, October 15, 2010, Exhibit 9 (“we cannot identify the guest involved in these incidents” (emphasis added)); Email from Ellen Duranceau to Brian Larsen, October 15, 2010, Exhibit 10 (“[o]ur records and logs . . . do not allow us to definitively identify the guest” (emphasis added); Email from Ellen Duranceau to Rich Wenger, October 18, 2010, Exhibit 11 (“it appears that the individual used MIT’s wireless network guest account process”).

In addition, MIT’s written policy on DHCP logs created a reasonable expectation of privacy in that information, providing that they would be deleted after 30 days, IS&T Policies:DHCP Usage Logs Policy, available at http://ist.mit.edu/about/policies/dhcp-usage-logs (last visited September 24, 2012), and that they would be disclosed only in response to a court order or subpoena:

When any network device, e.g., a computer, connects to MITnet and is assigned a dynamic IP address, MIT's DHCP server adds a record to its log containing the following information:
  • The date and time of the request
  • The MAC address of the requesting device or computer
  • The IP address provided
  • The specific DHCP command that was issued
  • Other technical information related to the request

In the event of a request relating to a potential legal proceeding, IS&T staff may create a case in Request Tracker and store subsets of a log pertinent to the case at hand in the case record.

The DHCP server is in a secure location and complies with secure data storage best practices.

IS&T's Network Services Infrastructure team acts as the data custodian for DHCP logs, and ensures that the logs are stored securely and are deleted when they expire.

****

MIT is required to comply with a court order or valid subpoena that requests the disclosure of information contained in DHCP logs. Failure to comply could have serious consequences for the individuals, IS&T, and the Institute. MIT's Office of the General Counsel is qualified and authorized to confirm that a request for information contained in logs is legitimate and not an improper attempt to gain access to confidential information.

Id. (emphasis added).

Moreover, on many occasions, the MIT RADIUS log server provided further evidence documenting MIT’s authorization of Swartz’s access to the MIT network:

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. . . . Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. . . . The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server. RADIUS serves three functions:
  • to authenticate users or devices before granting them access to a network,
  • to authorize those users or devices for certain network services and
  • to account for usage of those services.
http://en.wikipedia.org/wiki/RADIUS (last visited September 23, 2012)(emphasis added). Swartz, accordingly, maintained a reasonable expectation of privacy in the communications to and from his netbook and that expectation was objectively reasonable.

B. MIT’s Actions in Intercepting Communications to and from Swartz’s Netbook
and Disclosure of the Intercepted Communications Violated Title III.

18 U.S.C. §2511(1) prohibits:
(a) intentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

****

(c) intentionally disclos[ing], or endeavor[ing] to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the
information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;

(d) intentionally us[ing], or endeavor[ing] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection . . . .

18 U.S.C. §2510(12) defines “electronic communication” as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce . . . .” Section 2510(4) defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” “Contents” is in turn defined as “any information concerning the substance, purport or meaning” of the communication. §2510(8)(emphasis added).

The packet capture, which targeted the content of data being sent to or from the netbook that was discovered in Building 16's data room, revealed the contents of electronic communications of all electronic communications intercepted. See Email from Dave Newman, MIT Senior Network Engineer, to S/A Pickett, January 5, 2011, Exhibit 12 (“I have collected about 70G of network traffic so far with about 98% of which is the JSTOR journal downloads”). Use of the packet capture constituted the interception of electronic communications of the defendant and others, including, but not limited to, those with whom he was communicating within the meaning of Title III, see, e.g., United States v. Councilman, 418 F.3d 67 (1st Cir. 2005)( en banc )(diverting incoming communications constitutes interception within the meaning of Title III), which was unlawful in the absence of a valid Title III order authorizing the interceptions of the electronic communications, of which none were sought or issued here.

The DHCP logs also captured content as they captured the message sent from the sending computer requesting an IP address, which is the “substance, purport, or meaning” of the communication.9 The network flow data showed that a communication took place between one computer and another and the amount of information transmitted. These, too, constitute “contents.”10

In In re Application of United States, 396 F.Supp.2d 45, 48-49 (D.Mass. 2005), the Court recognized that “dialing, routing, addressing and signaling information” may disclose “content” and mandated that the order include instructions to the provider that “[t]he disclosure of the ‘contents’ of communications is prohibited pursuant to this Order even if what is disclosed is also dialing, routing, addressing and signaling information’” and that “the term ‘contents’ of communications includes subject lines, application commands, search queries, requested file names, and file paths.” See, e.g., United States v. Forrester, 512 F.3d 500, 510 n.6 (9th Cir. 2008)(suggesting that a technique which reveals the URL visited would be “constitutionally problematic”).

Therefore, the interceptions were unlawful unless they fell within an exception to the prohibitions of §2511. The “provider exception” to Title III, §2511(2)(a)(i) provides:

It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights and property of the provider of that service . . . .

(emphasis added).11 “The statute’s use of the word necessary, its proviso restricting random monitoring and Congress’ intent to maximize the protection of privacy . . . suggests that this authorization should be limited in scope.” United States v. Freeman, 524 F.2d 337, 341 (7th Cir. 1975). See, e.g., United States v. Cornfeld, 563 F.2d 967, 970 (9th Cir. 1977)(“the authority to intercept and disclose . . . communications is not unlimited”); United States v. Harvey, 540 F.2d 1345, 1350 (8th Cir. 1976)(authority granted by §2511(2)(a)(i) “may be exercised only to the extent necessary for ‘the protection of the rights and property of the carrier’”); United States v. McLaren, 957 F.Supp. 215, 218 (M.D.Fla. 1997)(“the court must consider whether the provider of electronic communication service had reasonable cause to suspect that its property rights were being abused by a particular subscriber”(emphasis added)).

Here, the circumstances demonstrate that MIT personnel did not intercept the communications at issue to protect MIT’s rights or property as a provider of electronic communication service. Instead, its concern was initially with the protection of the rights and property of JSTOR and thereafter with assisting law enforcement with discovering the motive and intent of the owner of the netbook and in acquiring evidence that would further the criminal investigation of the individual responsible for the JSTOR downloading. Once the netbook was physically discovered, MIT personnel, aware that its owner would return to retrieve the external hard drive that was attached to the netbook and receiving the downloaded data, installed video surveillance to identify the owner and help in his apprehension. The investigation commenced with a notification from JSTOR regarding excessive downloads of journal articles, and thereafter MIT

11

personnel worked with JSTOR to develop and institute a plan which would prevent MIT guest users from accessing JSTOR without an additional level of authorization and permission. There was no need for further investigation on MIT’s part, as its electronic communication system was never in the slightest danger of injury or other detrimental impact. Once the netbook was located, MIT advised JSTOR of the discovery and asked it to block the particular IP address it was using. See Exhibit 13. MIT also had the option, which it did not choose to exercise, to simply take the netbook offline. Instead, it kept the connection alive only to assist law enforcement and to further a criminal investigation, objectives well outside the narrow parameters of the provider exception to the general prohibition of warrantless interceptions of wireless communications in transit.

Even at the outset of the investigation which began again on January 3, 2011, the objective was to placate JSTOR, which had deemed MIT’s prior efforts to identify the person responsible for the downloads “tepid,” Exhibit 14, and ensure continued MIT access to JSTOR, as witness the central role played in the investigation by Ellen Duranceau, MIT Program Manager of Scholarly Publishing and Licensing, and not a “necessary incident” to the “protection of the rights and property” of MIT as electronic communications service provider. As of the next morning, January 4, 2011, MIT personnel were acting as agents of law enforcement, and their purpose was not to protect MIT’s electronic communications system but instead to further the criminal investigation.12

Section 2511(2)(a)(i) does not extend to the protection of institutional interests in general but instead only to the protection of the electronic communication system itself.13 Once the ACER was located

12

on the morning of January 4, 2011, MIT’s problem with JSTOR could have been ended by disconnecting that computer from the MIT network. Instead, it elected to intercept communications, not to protect the MIT system, but to gather information for law enforcement purposes, such as the motive and intent of the person responsible for the downloads, and to determine whether any of the downloaded information had been transmitted to others by the netbook, a purpose which was protective of JSTOR and in furtherance of law enforcement’s acquisition of proof of the possible commission of various federal offenses, but not protective of MIT’s electronic communication services, as required by the statutory exception.

Moreover, even if the Court were to conclude that MIT, as electronic communications service provider, was acting to protect its own interest qua service provider as it searched for the “offending” computer, “the federal courts . . . have construed [§2511(2)(a)(i)] to impose a standard of reasonableness upon the investigating communication carrier.” United States v. Harvey, 540 F.2d 1345, 1351 (8th Cir. 1976). See, e.g., United States v. Hudson, 2011 WL 4727811 at *7 -*8 (E.D.La. Oct. 5, 2011)(“The Fifth Circuit has held that this provision imposes a reasonableness requirement on carriers,” citing United States v. Clegg, 509 F.2d 605, 613-14 (5th Cir. 1975)); United States v. McLaren, 957 F.Supp. 215, 218 (M.D.Fla. 1997)(court “must consider whether the interception activities were reasonable”). The interceptions at issue here went far beyond anything that was necessary to the protection of MIT’s rights and property; prior to the January 4, 2011, interceptions and the warrantless disclosures of protected information, the ACER laptop had been discovered, its connection to the MIT network had been identified, video surveillance had been instituted to identify the owner, and a narrow shutdown of service to that computer would have accomplished any legitimate goal of protecting MIT’s electronic communication service.

13

Similarly, an electronic communications system provider may disclose to law enforcement only those intercepted communications which are a “necessary incident” to the protection of the provider’s property rights. See, e.g., Clegg, 509 F.2d at 612-13. See, e.g., United States v. Auler, 539 F.2d 642, 646 n.10 (7th Cir. 1976)(“Evidence which is obtained through an unreasonably broad surveillance cannot be legally disclosed to the government, regardless of whether it is offered at trial”). Only those communications of which §2511(2)(a)(i) reasonably permits the interception may be disclosed and admitted as evidence at the trial of a criminal case; “evidence obtained through surveillance beyond the authorization of §2511(2)(a)(i) . . . must be suppressed.” Id. at 646. None of the disclosures on January 4, 2011, was justified by this narrow exception to an MIT guest’s entitlement to the protections of the Fourth Amendment and Title III. As such, consistent with Councilman, the network data capture constituted unlawful interceptions of electronic communications in violation of the Fourth Amendment, requiring suppression of the captured information and all evidence derived therefrom.

III. THE GOVERNMENT COULD NOT OBTAIN DHCP LOG INFORMATION IN THE
ABSENCE OF A WARRANT OR, AT MINIMUM, A §2703(D) ORDER.

The DHCP log records and stores a variety of data. See page 7, supra. For present purposes, the critical fact about DHCP addresses is that their recording and storage allows the tracking of an individual through the location of his computer. Where laptops and other portable devices are concerned, that data is comparable to cell site data in that it permits the government to determine an individual’s location and to track his movements as he moves his laptop from place to place. Two types of DHCP data are at issue here: the historical data which the government sought from MIT, and with which MIT provided the government, and the ongoing real-time DHCP data which law enforcement obtained on an ongoing basis after they assumed control of the investigation on January

14

4, 2011, all of which was sought, and obtained, by the government without a warrant or a court order issued pursuant to §2703(d).

Individuals have a reasonable expectation of privacy in their movements. See, e.g., In re Application of United States, 849 F.Supp.2d 526, 538-43 (D.Md. 2011). Moreover, an individual retains a reasonable expectation of privacy in DHCP log information because, as the Third Circuit held in the cell site location context, “a . . . customer has not ‘voluntarily’ shared his information with [a third party] in any meaningful way.” In re Application of United States, 620 F.3d 304, 317 (3d Cir. 2010). As Justice Sotomayor explained in her concurring opinion in United States v. Jones, 132 S.Ct. 945 (2012):

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith [v. Maryland], 442 U.S. [735,] 742 [(1979)] . . .; United States v. Miller, 425 U.S. 435, 443 . . . (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice ALITO notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” . . . and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. See Smith, 442 U.S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz [v. United States], 389 U.S. [347,] 351-352 [(1967)](“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected”).
Id. at 957.

15

As to both historical and “real time” cell site data, courts have been divided regarding whether the government must demonstrate probable cause as required by the Fourth Amendment or whether the lesser showing required under §2703(d) will suffice. Compare In re Application of the United States, 2012 WL 3260215 at *1-*2 (S.D.Tex. July 30, 2012); In re Application of the United States, 809 F.Supp.2d 113, 118-20 (E.D.N.Y.2011); In re United States, 747 F.Supp.2d. 827, 837-40 (S.D.Tex.2010); In re Application of United States, 736 F.Supp.2d 578, 579 (E.D.N.Y.2010)(requiring showing of probable cause), with In re Application of United States, 620 F.3d at 313; In re Application of United States, 849 F.Supp.2d 177, 179 (D.Mass. 2012); United States v. Graham, 846 F.Supp.2d 384, 396 (D.Md. 2012); United States v. Benford, 2010 WL 1266507, at *2-*3 (N.D.Ind. March 26, 2010); In re Applications of United States, 509 F.Supp.2d 76, 80-81 (D.Mass. 2007); In re Application of United States, 396 F.Supp.2d 294, 327 (E.D.N.Y. 2005)(§2703(d) order suffices).

Courts are likewise split with respect to the government’s burden to obtain real time cell site data. Compare In re Application of the United States, 849 F.Supp.2d 526 (D.Md. 2011); In re Application of the United States, 2009 WL 159187 (S.D.N.Y. Jan.13, 2009); In re Application of the United States, 497 F.Supp.2d 301 (D.P.R.2007); In re Application of the United States, 2006 WL 2871743 (E.D.Wis. Oct. 6, 2006); In re Application, 439 F.Supp.2d 456 (D.Md.2006); In re United States, 441 F.Supp.2d 816 (S.D.Tex.2006); In re United States, 2006 WL 1876847 (N.D.Ind. July 5, 2006); In re Application of the United States, 2006 WL 468300 (S.D.N.Y. Feb. 28, 2006); In re United States, 416 F.Supp.2d 390 (D.Md.2006); In re United States, 415 F.Supp.2d 211 (W.D.N.Y.2006); In re United States, 412 F.Supp.2d 947 (E.D.Wis.2006), aff’d 2006 WL 2871743 (E.D.Wis. Oct. 6, 2006); In re United States, 407 F.Supp.2d 134 (D.D.C.2006)(requiring a showing of probable cause), with In re Application of the United States, 2008 WL 5255815 (E.D.N.Y.

16

Dec.16, 2008); In re United States, 2008 WL 5082506 (E.D.N.Y. Nov. 26, 2008); In re Application of the United States, 460 F.Supp.2d 448 (S.D.N.Y.2006); In re United States, 433 F.Supp.2d 804 (S.D.Tex.2006); In re Application of the United States, 415 F.Supp.2d 663 (S.D.W.Va.2006); In re Application of the United States, 411 F.Supp.2d 678 (W.D.La.2006)(probable cause not required).

The cases requiring a showing of probable cause for both historical cell site data and real time cell site data are the better reasoned and more consonant with the requirements of the Fourth Amendment and its historical role in protecting citizens from serious invasions of personal privacy. The same analysis is applicable to both historical DHCP data and real time DHCP data, and the government’s acquisition of this information in the absence of a warrant based on probable cause violated the Fourth Amendment. The invasion of this information also has serious First Amendment implications in that it traces an individual’s communicational associations. See In re Application of United States, 849 F.Supp.2d at 538 n.5. At a minimum, a §2703(d) order was required. Accordingly, the DHCP log information, and all information derived therefrom, including the laptop and hard drive seized from the MIT Student Center which were discovered as an unattenuated result of the “real time” inspection of DHCP logs on January 6, 2011, must be suppressed.

IV. MIT’S ACTIONS VIOLATED THE STORED COMMUNICATIONS ACT (“SCA”).

18 U.S.C. §2702(a)(1) prohibits any person or entity “providing an electronic communication service to the public” from “knowingly divul[ging] to any person or entity the contents of a communication while in electronic storage by that service.”14 Section 2702(a)(3) prohibits “a provider of . . . electronic communication service to the public” from “divulg[ing] a record or other

17

information pertaining to a subscriber or a customer of such service . . . .” MIT was a provider of electronic communication service to the public because it freely allowed guests with no affiliation to MIT to access the MIT network and because it provided wireless service which was readily accessible to anyone within reach of its signal, which extended to areas outside the bounds of the MIT campus.15 As a guest, Swartz was a customer or subscriber of MIT’s electronic communication service. The SCA contains a provider exception similar to that of Title III: the provider of electronic communication service may disclose the content of communications or information pertaining to a subscriber or customer “as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service.” §§2702(b)(5), (c)(3). This exception does not apply for the same reasons previously addressed in conjunction with the provider exception of Title III.

Moreover, here, MIT did not voluntarily disclose the information on its own initiative. Indeed, disclosure of the information was contrary to MIT policy, which provided its users, including guests, with a reasonable expectation of privacy in the DHCP logs and other information collected by MIT. See pages 7-8, supra. MIT disclosed the information only after its General Counsel’s office authorized the disclosure, which had been requested by the government after it had assumed control of the investigation and after MIT had deferred to the government’s control over the investigation. Thus, at the time of the disclosures, MIT personnel were acting as government agents. In short, MIT personnel, by the late morning of January 4, 2011, were acting as agents of federal and state law enforcement.

Congress passed the Stored Communications Act in 1986 as part of the Electronic Communications Privacy Act. “The SCA was enacted because the advent of the Internet

18

presented a host of potential privacy breaches that the Fourth Amendment does not address.” Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Cir.2008)[, rev’d on other grounds sub nom. City of Ontario v. Quon, 130 S.Ct 1531 (2010)] (citing Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1209–13 (2004)). The SCA prevents “providers” of communication services from divulging private communications to certain entities and individuals. Kerr, supra, at 1213. It “creates a set of Fourth Amendment-like privacy protections by statute, regulating the relationship between government investigators and service providers in possession of users' private information.” Id. at 1212. First, the statute limits the government's right to compel providers to disclose information in their possession about their customers and subscribers. 18 U.S.C. § 2703. . . . Second, the statute limits the right of an Internet Service Provider (“ISP”) to disclose information about customers and subscribers to the government voluntarily. 18 U.S.C. § 2702.

Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965, 971-72 (C.D. Cal. 2010).

As addressed in the previous section, MIT could not voluntarily disclose the information without violating the SCA. Under §2703, the government could not lawfully request or obtain access to the content of electronic communications in the absence of a warrant issued in accordance with the Rules of Criminal Procedure. 18 U.S.C. §2703(a).

In passing the Electronic Communications Privacy Act in 1986, Congress expressed the need to expand the protections of the Fourth Amendment to new forms of communication and data storage. 132 Cong. Rec. H4039-01 (1986); S.Rep. No. 99-541, at 1-2 (1986), as reprinted in 1986 U.S.C.C.A.N. 3555, 3555-56. The legislative history indicates that Congress wished to encourage the development and use of these new methods of communication by ensuring that they were protected and private. S.Rep. No. 99-541, at 5. Congress recognized that courts had struggled with the application of the Fourth Amendment to the seizure of intangibles, like telephone conversations. Id. at 2. They therefore sought to strike a balance between the competing interests addressed by the Fourth Amendment in the world of electronic communications by “protect[ing] privacy interests in personal and proprietary information, while protecting the Government's legitimate law enforcement needs.” Id. at 3.

It is clear that Congress wished to apply the protections associated with search warrants to searches authorized under § 2703(a).

In re United States, 665 F.Supp.2d 1210, 1220 (D.Or. 2009). The government could not lawfully obtain “record[s] or other information pertaining to a subscriber or customer” of MIT’s electronic communications system in the absence of a warrant or a court order issued pursuant to §2703(d). 18 U.S.C. §2703(c)(1). Under §2703(c)(2), the government may obtain the name and address of a

19

customer or subscriber, records of session times and duration, length of services and types of service used, and “other subscriber number or identity, including any temporarily assigned network address” only through an administrative, grand jury, or trial subpoena. The information at issue here went beyond this narrow description, but, in any event, the government did not seek the information pursuant to subpoena. The DHCP logs, the network flow data, and the packet capture all either contained “content” of the electronic communications to and from the netbook, in which Swartz had a reasonable expectation of privacy or “record[s] or other information” pertaining to Swartz’s use of MIT’s electronic communications system, in which he also had a reasonable expectation of privacy. Indeed, MIT’s DHCP log policy created an objectively reasonable expectation that those logs would remain confidential unless they were required to be disclosed pursuant to a lawful order or subpoena, of which there was none here. The government’s conduct, in seeking the production of this material without a warrant and without a §2703(d) order violated the Fourth Amendment. See, e.g., United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010). The material at issue must, accordingly, be suppressed, along with all derivative fruits thereof.

Respectfully submitted,

By his attorney,
/s/ Martin G. Weinberg
Martin G. Weinberg
[address, phone, fax, email]

20

CERTIFICATE OF SERVICE

I, Martin G. Weinberg, hereby certify that on this 5th day of October, 2012, a copy of the foregoing document has been served via the Court’s ECF system on all registered participants, including Stephen P. Heymann, AUSA. One copy of the exhibits to the motion was served on the government by hand this same date.

/s/ Martin G. Weinberg
Martin G. Weinberg

______
1 In a separate motion to suppress, Swartz contends that after law enforcement agents arrived on the scene on January 4, 2011, and recommended that MIT personnel continue the packet capture they had begun earlier that morning and began to direct the investigation, MIT personnel were acting as government agents, and their actions were therefore subject to the requirements of the Fourth Amendment. See Motion to Suppress All Fruits of Warrantless Searches Conducted from January 4, 2011, to January 6, 2011, And Incorporated Memorandum of Law. This motion is directed in part at the interceptions conducted by MIT personnel before they began acting as government agents, as well as MIT’s turning over to the government material in which Swartz had a reasonable expectation of privacy, in the complete absence of judicial process compelling MIT to produce such evidence to the government at a time when law enforcement agents were directing MIT employees regarding how to further their criminal investigation of the defendant.

2 All averments herein regarding Swartz’s ownership and possession of the ACER netbook and the attached hard drive, and the communications flowing to and from them, are made pursuant to the protections provided by Simmons v. United States, 390 U.S. 377, 392-94 (1968).

3 MIT personnel first received notice of the October 9, 2010, incident when they returned following the Columbus Day holiday on October 12, 2010. Timeline at 2.

4 A packet capture captures the entire communication, including subject matter and content, and to the extent it was diverting and copying communications in transit to and from the netbook, this constituted a classic interception of electronic communications in violation of United States v. Councilman, 418 F.3d 67 (1st Cir. 2005)(en banc). See page 9, infra.

5 See Motion to Suppress All Fruits of Warrantless Searches Conducted from January 4, 2011, to January 6, 2011, And Incorporated Memorandum of Law.

6 Network flow data shows connections made between computers and the amount of information transmitted. It shows the start and stop time of a connection, the source IP address, the IP address of the website contacted, source and destination port numbers, and the number of bytes of information transmitted.

7 “DHCP” stands for Dynamic Host Configuration Protocol. DHCP assists with the assignment of IP addresses to computers on networks. When a computer joins a network, the computer issues a DHCP request on the network, which asks a DHCP server on the network to provide an IP address to the requesting computer. Part of the information contained in this request is the MAC (Media Access Control) address which is a unique identifier of the network card contained in the computer requesting an IP address. It also includes the commands made by the computer in question. See page 7, infra.

8 Swartz incorporates by reference the discussion in Section II of his Motion to Suppress All Fruits of Warrantless Searches Conducted from January 4, 2011, to January 6, 2011, And Incorporated Memorandum of Law.

9 Another issue specific to the DHCP logs is addressed in Section III, infra.

10 Such information is not analogous to a pen register, which has been held not to reveal content, because a pen register does not even show whether a communication even took place, see United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). Even a pen register requires a court order based upon a “certification by the applicant that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency.” 18 U.S.C. §3122(b)(2).

11 18 U.S.C. §2510(15) defines “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communications.”

12 See Motion to Suppress All Fruits of Warrantless Searches Conducted from January 4, 2011, to January 6, 2011, And Incorporated Memorandum of Law.

13 The interceptions also did not fall within the “trespasser exception,” §2511(2)(i), because Swartz was not a trespasser, see Motion to Suppress All Fruits of Warrantless Searches Conducted from January 4, 2011, to January 6, 2011, And Incorporated Memorandum of Law at 16-19, and, most importantly for present purposes, MIT personnel were not, until law enforcement agents encouraged and adopted the ongoing packet capture, acting “under color of law.”

14 “Electronic storage” includes “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof” and “any storage of such communication by an electronic service communication provider for purposes of backup protection of such communication.” 18 U.S.C. §2510(17).

15 MIT’s wireless network signal is available outside of the campus, for example, at the Kendall Hotel and on the streets and sidewalks that border the campus.

21

Update: Here's the superseding indictment, the final one with all the counts added to it to make Aaron's actions look as dastardly as possible, as text. Somehow doing it as text -- or actually just cleaning it up a little, as a volunteer helped us by doing it for us, Peter -- I see several descriptions of "proof" of awareness on Aaron's part that he knew he was not supposed to be doing what he was doing, but because they didn't understand the tech, they are sadly wrong or at least it's not proof of anything except that he knew what he was doing technically. Not to me, anyway. If he actually wanted to hide, some of his actions, even by their account, are inexplicable.

For example, they note that he registered as "Gary Host" when on their wireless network, and when he was blocked, he plugged into the wired network, and again he registered as Gary Host. See what I mean? And he allegedly changed his IP address from 18.55.6.215 to 18.55.6.216. And later they acknowledge he used two computers, not one. And when he changed his MAC address, all he changed was the final digit. I mean, it's like he was trying to evade some technical issue rather than trying to evade detection by humans. If you wanted to elude humans, this wouldn't do that. Only computers are stupid enough to say, "Oh, OK. Now you are new." And it's not illegal that I know of to alter your MAC address. So, ipso facto, it's not proof of evil intent to do it, is it? On what basis? I'd like to see that law.
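Two points made on this page can be seen in a small log analysis: the motion's claim that stored DHCP records let a device be followed from place to place, and the observation above that a block keyed on the MAC address treats a changed final digit as a new client even though the same records link the two. This is an added example, not taken from the motion, the indictment or Groklaw; the log layout, addresses, guest names, times and relay labels are all constructed assumptions.

```python
"""Added example: what DHCP lease records reveal about one device."""
import re
from datetime import datetime

# Constructed sample in a made-up layout; not MIT's log format or data.
# All addresses, names, times and relay (location) labels are invented.
SAMPLE_LOG = """\
2024-03-01T09:02:11 02:00:5e:10:20:31 192.0.2.215 relay=library-wifi name="Guest One"
2024-03-01T13:40:02 02:00:5e:10:20:31 192.0.2.215 relay=cafe-wifi name="Guest One"
2024-03-01T17:05:30 02:00:5e:10:20:31 192.0.2.215 relay=cafe-wifi name="Guest One"
2024-03-02T10:15:45 02:00:5e:10:20:31 192.0.2.216 relay=lab-wired name="Guest One"
this line is truncated and must be skipped
2024-03-05T08:31:07 02:00:5e:10:20:32 192.0.2.240 relay=lab-wired name="guest one"
2024-03-05T08:45:19 02:00:5e:77:01:9c 192.0.2.12 relay=library-wifi name="Visitor A"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) relay=(?P<relay>\S+) name="(?P<name>[^"]*)"$'
)


def parse_log(text):
    """Return lease records sorted by time; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except ValueError:
            continue
        rec["mac"] = rec["mac"].lower()
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def movement_timeline(records, mac):
    """Collapse one MAC's leases into (first_seen, relay) location changes."""
    timeline = []
    for rec in records:
        if rec["mac"] == mac.lower() and (not timeline or timeline[-1][1] != rec["relay"]):
            timeline.append((rec["ts"], rec["relay"]))
    return timeline


def same_prefix(mac_a, mac_b):
    """True when two distinct MACs differ only in the final octet."""
    return mac_a != mac_b and mac_a[:14] == mac_b[:14]


def reregistrations(records, blocked_macs):
    """Find leases that a MAC-keyed block misses but the log itself links.

    A lease is reported when its MAC is not blocked, yet it carries a guest
    name that also appears on a blocked MAC. The prefix match is reported only
    as corroboration: adjacent MACs also occur on unrelated same-vendor cards.
    """
    blocked = {m.lower() for m in blocked_macs}
    name_to_blocked = {}
    for rec in records:
        if rec["mac"] in blocked:
            name_to_blocked.setdefault(rec["name"].casefold(), rec["mac"])
    hits = []
    for rec in records:
        prior = name_to_blocked.get(rec["name"].casefold())
        if prior and rec["mac"] not in blocked:
            hits.append({"mac": rec["mac"], "ip": rec["ip"], "linked_to": prior,
                         "adjacent_mac": same_prefix(rec["mac"], prior)})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for when, where in movement_timeline(recs, "02:00:5e:10:20:31"):
        print(when.isoformat(), where)
    print(reregistrations(recs, ["02:00:5e:10:20:31"]))
```

The timeline is the privacy concern the motion raises about retained DHCP data; the re-registration report shows that the same retained fields are what tie a "new" client back to an earlier one.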

And as for the false email address, it was a Mailinator account, which a lot of people might use for any temporary use when they are going to do a one-time job, particularly on a network anyone on the street was allowed by MIT to use. It is used as proof of bad intentions, but actually it's a smart thing a lot of geeks would do to avoid identity theft and spam and a lot of annoying things nongeeks accept as just inevitable when they blithely and foolishly provide their usual email address. It's not false if it's yours.

And then they point out that he used MIT guest access, instead of Harvard's as himself. Ditto as to motive though. I mean, he surely knew that MIT's open access policies were unique and therefore uniquely helpful.

The closet he allegedly broke into? Groklaw has a comment that there's a video showing the closet was and is unlocked, and it has no sign saying Keep Out. That is confirmed by the expert witness for the defense, Alex Stamos, the CTO of Artemis Internet, who wrote that it was unlocked:

I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.

The facts:

  • MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.

  • In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.

  • MIT also chooses not to prompt users of their wireless network with terms of use or a definition of abusive practices.

  • At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.

  • Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.

  • Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.

  • The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.

  • I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.

In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.

OMG. "At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network." Unlimited downloads? Then he did absolutely nothing criminal to JSTOR? I catch Orin Kerr's point that if his intent was to distribute the documents, one could argue that some punishment was appropriate, in the sense that he was caught in the middle of the plan. I personally would hate it if someone took my work and just did whatever they wanted with it, without even asking me. So I get that part. But felonies? Prison time? No distribution ever happened.

Jennifer Granick's Part 2 is also now online:

The CFAA is incredibly broad and covers swaths of online conduct that should not merit prison time. To point out that under the CFAA, Aaron's defense was hard is not to say that I believe Aaron was guilty. Aaron was authorized to access JSTOR as a result of being on MIT's campus. The CFAA may protect the box from unauthorized access, but it does not regulate the means or the speed of access. If you are allowed to download, and Aaron was, then it is not a crime to download really, really fast. Even if the server owner would prefer you took your time.

Exactly because the CFAA arguably applies to Aaron's alleged actions, it should be amended. It's also why prosecutors must be extremely careful and measured when bringing these cases. Unfortunately, from Drew, to Nosal, to McDanel, to Auernheimer to Swartz, they are not. When so many thoughtful people, including former prosecutors, disagree with United States Attorney's conduct in these cases, we need to stop.

Now I am angry, specifically at MIT. But excuse me if I'm naive and inexperienced in such things, but why would it be acceptable for prosecutors to lie in an indictment? Is it like on TV, where they do lie and break laws, supposedly for the greater good or to speed things up and make sure they prevail? I hate those shows, but sometimes others make you sit and watch with them. Did they not check the closet? I mean, that's verifiable. It's either locked or it's not. It can't be both. So somebody did lie or at a minimum charge him with something totally untrue, if the closet was actually unlocked, which the grand jury swallowed whole. If you are ever on such a grand jury, remember this. Did the prosecutors not check the MIT and JSTOR policies before they wrote this indictment? How could they not have, given the date? Do you just write up indictments out of thin air, like a novel? Granick writes: "It is also true that in my criminal law career, I found the U.S. Attorney's office in the District of Massachusetts particularly immoral."

If what Mr. Kerr writes is true that things like this happen every day, something needs to change. Because this is terrifying. Innocent people can be incarcerated for years for things that don't add up to a hill of beans? (By innocent, I mean innocent of the exact charges, not that Aaron didn't do anything the law might want to deter or punish.) And prosecutors can act like this and nothing happens to them? There's no recourse? Nothing happens to MIT either? I wonder if the family has a claim, or his estate.

And JSTOR just opened their documents to the public for free, although they set a limit of reading three articles every two weeks. 40% of the documents are still paywalled. If they were really worth millions of dollars....

I can't read minds, but to me these things listed are not proof of anything but tech smarts. I mean, if he'd done the downloading ten documents a day (or whatever they allege was the limit, something the tech expert for the defense denies) for a year or two instead of all at once, he would not have violated anything. That to me means that he might have realized they wouldn't have understood wget -R or whatever he used (curl), but he could have thought the downloading itself was perfectly legitimate. Getting blocked when you try to connect via wireless -- without any notice of why -- could appear to just be a software bug, to be easily fixed by changing a last digit. I mean, to me it's plausible.

It's infuriating and tragic at the same time to read this. I guess there were no techies on the grand jury either. It's really an issue in courtrooms when nobody but the defendant knows even basic tech. But my question is, if his lawyers explained all this and more to the prosecutors, why didn't anyone listen?

And finally, here's part 2 of Orin Kerr's analysis of the criminal charges and the question of prosecutorial discretion -- did they overdo it?:

On the second question, I think the proper level of punishment in this case would be based primarily on the principle of what lawyers call “special deterrence.” In plain English, here’s the key question: What punishment was the minimum necessary to deter Swartz from continuing to try to use unlawful means to achieve his reform goals? I don’t think I know the answer to that question, but that’s the question I would answer to determine the proper level of punishment. The prosecution’s plea offer of 6 months in jail and a felony conviction may have been much more than was needed to persuade Swartz not to engage in unlawful and anti-democratic means to pursue his policy goals in the future. If so, then I think it was too severe. But it depends on how much punishment was necessary to deter Swartz from using unlawful means to pursue his policy goals. In my view, that’s the question that we need to answer in order to say what punishment was appropriate in Swartz’s case.
Since he'd returned everything to JSTOR and apologized, more than a year before this superseding indictment was signed, I think the answer is not a mystery. Mr. Kerr has some suggestions for those who feel angry and would like to do something:
On the fourth issue, yes, the Swartz case does point to a serious problem with the Computer Fraud and Abuse Act. But that problem is not the definition of “unauthorized access,” as some people seem to believe. (That definition is a problem, but with the Nosal case from the Ninth Circuit and likely Supreme Court review in the next year or so, I think the Courts are likely to take care of it.) Rather, the problem raised by the Swartz case is one I’ve been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly. I would recommend two changes. First, the felony enhancements for 1030(a)(2) are much too broad. I would significantly narrow them. Second, I would repeal 1030(a)(4), which is redundant as it is only a combination of 1030(a)(2) and the wire fraud statute, 18 U.S.C. 1343. It therefore only leads to extra and redundant charges to confuse juries, and is better off repealed.
Mr. Kerr elaborates on one of his suggestions for change, but remember it if it doesn't happen and you are called to sit on a grand jury:
Another change I would make would be to repeal 18 U.S.C. 1030(a)(4), the Computer Fraud statute. That statute shouldn’t exist because it is almost entirely redundant: It is just a blend of 1030(a)(2) and the Wire Fraud statute, Section 1343. It is almost never charged alone. Instead, 1030(a)(2), 1030(a)(4), and 1343 are usually charged together to cover the same basic conduct. Once you get to the sentencing stage, the fact of convictions under many crimes ends up making no difference; the Guidelines treat them as the same as a conviction under just one of those offenses. But the multiple overlapping crimes gives prosecutors an unfair advantage at trial that in turn pressures defendants unfairly to take a guilty plea. That’s the case because the jury is easily misled. When the jury sees a multi-count indictment involving many different crimes, the jurors have two natural reactions. First, they think they can “split the difference” and convict on some but not all. This is just wrong, as it turns out; at sentencing, a conviction as to only one crime is treated just as severely as a conviction as to all crimes. But the jury doesn’t know that, giving the prosecution an advantage. And relatedly, the jury likely thinks that the defendant’s conduct is extra serious if it is charged under lots of criminal offenses instead of one. The existence of multiple overlapping crimes therefore gives the prosecutors an unfair advantage; the answer is to narrow that advantage by eliminating entirely duplicative crimes like 18 U.S.C. 1030(a)(4).

These two changes, and others like them, would be truly in the spirit of an “Aaron’s Law.” They would limit the computer crime laws by more carefully limiting what constitutes a felony — making sure that only truly serious crimes have the felony label that both draws prosecutorial interest and was so offensive to Aaron Swartz.

Granick explains why plea deals, even if he'd have accepted one of the offers, are dangerous:
Some have blithely said Aaron should just have taken a deal. This is callous. There was great practical risk to Aaron from pleading to any felony. Felons have trouble getting jobs, aren't allowed to vote (though that right may be restored) and cannot own firearms (though Aaron wasn't the type for that, anyway). More particularly, the court is not constrained to sentence as the government suggests. Rather, the probation department drafts an advisory sentencing report recommending a sentence based on the guidelines. The judge tends to rely heavily on that "neutral" report in sentencing. If Aaron pleaded to a misdemeanor, his potential sentence would be capped at one year, regardless of his guidelines calculation. However, if he plead guilty to a felony, he could have been sentenced to as many as 5 years, despite the government's agreement not to argue for more. Each additional conviction would increase the cap by 5 years, though the guidelines calculation would remain the same. No wonder he didn't want to plead to 13 felonies. Also, Aaron would have had to swear under oath that he committed a crime, something he did not actually believe.

There's a more systemic problem here. Plea bargaining in the face of potentially heavy sentences incentivizes guilty pleas even (or especially) where the case is weak, or the defendant is factually innocent. People plead guilty all the time to things they did not do, because they couldn't afford the right lawyer, because they are scared, because they think no one will believe them, because they are simply playing the odds. Especially when you have a case involving network policies, academic culture, technological infrastructure, and information of questionable economic value, asking a jury to decide what's "authorized" at the risk of prison is scary.

Lest we mistake plea bargaining for justice, ask yourself, why is a seven-year sentence just for a person who goes to trial, while one who pleads guilty should only be incarcerated for six months? Why should Aaron have received two additional months of incarceration in order to argue to the judge that his sentence should be lower? This is not justice, this is horse trading. It is typical, it happens every day, but it is also wrong.

I am gobsmacked. It happens every day?

Update 2: The US Attorney has now issued a statement:

STATEMENT OF UNITED STATES ATTORNEY CARMEN M. ORTIZ
REGARDING THE DEATH OF AARON SWARTZ

As a parent and a sister, I can only imagine the pain felt by the family and friends of Aaron Swartz, and I want to extend my heartfelt sympathy to everyone who knew and loved this young man. I know that there is little I can say to abate the anger felt by those who believe that this office’s prosecution of Mr. Swartz was unwarranted and somehow led to the tragic result of him taking his own life.

I must, however, make clear that this office’s conduct was appropriate in bringing and handling this case. The career prosecutors handling this matter took on the difficult task of enforcing a law they had taken an oath to uphold, and did so reasonably. The prosecutors recognized that there was no evidence against Mr. Swartz indicating that he committed his acts for personal financial gain, and they recognized that his conduct – while a violation of the law – did not warrant the severe punishments authorized by Congress and called for by the Sentencing Guidelines in appropriate cases. That is why in the discussions with his counsel about a resolution of the case this office sought an appropriate sentence that matched the alleged conduct – a sentence that we would recommend to the judge of six months in a low security setting. While at the same time, his defense counsel would have been free to recommend a sentence of probation. Ultimately, any sentence imposed would have been up to the judge. At no time did this office ever seek – or ever tell Mr. Swartz’s attorneys that it intended to seek – maximum penalties under the law.

As federal prosecutors, our mission includes protecting the use of computers and the Internet by enforcing the law as fairly and responsibly as possible. We strive to do our best to fulfill this mission every day.

Update 3: She would do it all again, then.

So what Mr. Kerr and Ms. Granick write, that the problem is the system, not individuals, is correct. Perhaps it's both. But what is now clear is that prosecutors can't be left with such power to decide, if they can't see a problem in what happened here. A man is dead. And she would do it all again.

Here is an article where a retired federal judge, Nancy Gertner, who served right there in Boston, comments on prosecutorial discretion:

“Just because you can charge someone with a crime, just because a technical crime has been committed, doesn’t mean you should,” Gertner said.

“At the time of the indictment, [Ortiz] said, ‘Stealing is stealing.’ I saw that all the time when I was on the bench,” she said. “This is a classic line. Stealing an apple if you’re hungry is different than Bernie Madoff. It is obviously different.”...

“And in the world of punishment, the prosecutor has enormous power and he has the enormous power to make you plead guilty and give up your rights,” Gertner said.

This is where the judgment of prosecutors, and specifically the judgment of Ortiz, becomes a major issue, Gertner says. She learned on the bench that the power of prosecutors has increased because federal sentencing guidelines have decreased the powers of judges to exercise discretion.

“So the prosecutor determines the charges and the punishment,” Gertner explained. “Again, once they start the process, once the indictment is brought, the potential for enormous punishment is there and although a judge has some discretion in sentencing, often what the prosecutor wants is what the person gets.

“When that happens the prosecutor has enormous power and has to exercise that with some degree of fairness and judgment at that end,” she added.

And this is what Gertner says Ortiz lacked in the case of Aaron Swartz.

We may not yet have all the details of what happened, but I think we do know now where the centerpiece of this tragedy is and what needs changing if we don't want it to ever happen again. - End Update 3.]

Update 4: James Boyle has answered Mr. Kerr on The Public Domain, and let's zero in on his response to Kerr's "special deterrence" theory of punishment:

The Theory of Punishment:

Orin says this “On the second question, I think the proper level of punishment in this case would be based primarily on the principle of what lawyers call “special deterrence.” In plain English, here’s the key question: What punishment was the minimum necessary to deter Swartz from continuing to try to use unlawful means to achieve his reform goals? I don’t think I know the answer to that question, but that’s the question I would answer to determine the proper level of punishment.”

He argues that Aaron’s announced ideals would lead him to violate the law again and that therefore the prosecutor would be right to ask for a sentence sufficient to stop that hypothetical continued criminal conduct.

Now maybe this is right. But I think it is a lot more revolutionary than Orin gives it credit for and a lot more contentious than his post suggests. I return to the Martin Luther King or Rosa Parks examples.... Legislatures had enacted segregation laws. If Dr. King trespasses and violates state rules mandating segregation, and announces that he considers these laws wrong and that he will encourage others to do the same in the future, do we really believe that the prosecutor should ramp up the penalty until it would amount to special deterrence? What would that take? Death? Life imprisonment? Is that then “not disproportionate”?

He also notes that the PACER download was during a *legal* free trial period:
PACER is a system that charges a fee for court documents. Carl Malamud of Public Resource argued – completely correctly in my view – that the courts should not be charging a fee – at least in the case of Federally-produced documents that are in the public domain under section 105 of the Copyright Act. During a government authorized free trial of the PACER system, Aaron downloaded approximately 20% of the court documents and donated them to Malamud’s organization. Did the people who set up the free trial expect someone to download 20% of the court documents? I do not think so. Did Aaron break the law by doing so? Well, as Orin notes, the FBI investigated but did not prosecute. I do not think so. Again, we can argue about whether that is true – Aaron did install a PERL script on a computer — but Orin just seems to assume that he did. I would respectfully argue that one cannot responsibly do that. So can a prosecutor use what Aaron did with PACER as part of the decision to come up with a harsher sentence, because “this kind of behavior needs to be deterred in the future”? What if what he did with PACER was legal and socially beneficial? Then using that “evidence” to shore up Orin’s theory of punishment is really troubling. Aaron’s manifesto calls for civil disobedience, but it also calls for freeing public domain works – sharing those might be a violation of a term of service, and it might be a violation of a code based restriction. But it is not a copyright violation, and it could be an example of doing something that was legal, even if it irritated the powerful. A reader of Orin’s post would likely miss those complexities. Again, the tie does not go to the accused. That’s unfortunate. And the combination of Orin’s questionable theory of punishment of those who profess civil disobedience, and his willingness to include protest behavior in the past that may well have been legal as evidence of future propensity of lawlessness is really disturbing. 
“Technically, last time you were demonstrating legally on public land. But that means that this time, if you actually trespass on private land, we can throw the book at you because we know you are a trouble maker. And as you are a trouble maker, we are going to have to throw that book pretty hard to deter you.”
Do you know how much it has cost Groklaw for PACER documents in the last six months, mostly to cover the Apple v. Samsung and Microsoft v. Motorola trials and the aftermath? Note we haven't even obtained every single document filed, just the ones we had to in order to follow the cases (plus appeals). Around $4,000. We are noncommercial, but we don't qualify for the cheaper PACER rates, because we are media. How is that arguably justifiable? These documents are supposedly in the public domain. The public is deeply interested in these cases, but the court makes it prohibitively expensive to follow them unless you have money. Why? It's all digital. We couldn't do it without your contributions, obviously. Equally obviously, there is profit in the picture at PACER's end. Profit on public domain documents. You don't see a problem? Well, then-Senator Joe Lieberman did, as did a number of other non-revolutionary types, like the American Association of Law Libraries, which represents 5,000 law librarians nationwide. Here's an article by Aaron Greenspan, the CEO of Think Computer Corporation and a CodeX Fellow at Stanford Law School, arguing that it's actually PACER that is behaving illegally by gouging the public for more than it needs to run the system. Maybe someone needs to figure out a "special deterrence" remedy. Do you think anyone will bother? - End Update.]

Here it is as text, the superseding indictment, so you can judge for yourself:

UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS


UNITED STATES OF AMERICA

v.

AARON SWARTZ,

Defendant


_____________

Crim. No. 11-CR-10260-NMG

VIOLATIONS:

18 U.S.C. § 1343 (Wire Fraud)
18 U.S.C. § 1030(a)(4),(b) (Computer Fraud)
18 U.S.C. § 1030(a)(2), (b), (c)(2)(B)(iii)
(Unlawfully Obtaining Information from a Protected Computer)

18 U.S.C. § 1030(a)(5)(B), (c)(4)(A)(i)(I),(VI)
(Recklessly Damaging a Protected Computer)

18 U.S.C. § 2 (Aiding and Abetting)

18 U.S.C. § 981(a)(1)(C), 28 U.S.C. § 2461(c),
18 U.S.C. § 982(a)(2)(B), and 18 U.S.C. §
1030(i) (Criminal Forfeiture)

____________________

SUPERSEDING INDICTMENT


The Grand Jury charges that at all relevant times:

PARTIES

JSTOR

1. JSTOR, founded in 1995, was and continued to be a United States-based, not-for-profit organization that provides an online system for archiving and providing access to academic journals and journal articles. It provides searchable digitized copies of articles from over 1,000 academic journals, dating back for lengthy periods of time.

2. JSTOR's service is important to research institutions and universities because it can be extraordinarily expensive, in terms of both cost and space, for a research or university library to maintain a comprehensive collection of academic journals. By digitizing extensive, historical collections of journals, JSTOR enables libraries to outsource the journals' storage, ensures their preservation, and enables authorized users to conduct full-text, cross-disciplinary searches of them. JSTOR has invested millions of dollars in obtaining and digitizing the journal articles that it makes available as part of its service.

3. JSTOR generally charges libraries, universities, and publishers a subscription fee for access to JSTOR's digitized journals. For a large research university, this annual subscription fee for JSTOR's various collections of content can cost more than $50,000. Portions of the subscription fees are shared with the journal publishers who hold the original copyrights. In addition, JSTOR makes some articles available for individual purchase.

4. JSTOR authorizes users to download a limited number of journal articles at a time. Before being given access to JSTOR's digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR's computer servers with automated computer programs such as web robots, spiders, and scrapers. JSTOR also uses computerized measures to prevent users from downloading an unauthorized number of articles using automated techniques.

MIT

5. The Massachusetts Institute of Technology ("MIT") was and continued to be a leading research and teaching university located in Cambridge, Massachusetts.

6. JSTOR provided MIT with its services and content for a fee.

7. MIT made JSTOR's services and content available to its students, faculty, and employees. MIT also allowed guests of the Institute to have the same access to JSTOR, but required guests to register on the MIT network. MIT authorized guests to use its network for no more than fourteen days per year, and required all users to use the network to support MIT's research, education, and administrative activities, or at least to not interfere with these activities; to maintain the system's security and conform to applicable laws, including copyright laws; and to conform with rules imposed by any networks to which users connected through MIT's system. These rules explicitly notified users that violations could lead to state or federal prosecution. Guest users of the MIT network agreed to be bound by the same rules that applied to students, faculty, and employees.

8. JSTOR's computers were located outside the Commonwealth of Massachusetts, and thus any communications between JSTOR's computers and MIT's computers crossed state boundaries. JSTOR's and MIT's computers were also used in and affected interstate and foreign commerce.

Aaron Swartz

9. Aaron Swartz lived in the District of Massachusetts and was a fellow at Harvard University's Safra Center for Ethics. Swartz was not affiliated with MIT as a student, faculty member, or employee or in any other manner. Although Harvard provided Swartz access to JSTOR's services and archive as needed for his research, Swartz used MIT's computer networks to steal millions of articles from JSTOR.

OVERVIEW OF THE OFFENSES

10. Between September 24, 2010, and January 6, 2011, Swartz contrived to:

a. break into a restricted-access computer wiring closet at MIT;

b. access MIT's network without authorization from a switch within that closet;

c. access JSTOR's archive of digitized journal articles through MIT's computer network;

d. use this access to download a substantial portion of JSTOR's total archive onto his computers and computer hard drives;

e. avoid MIT's and JSTOR's efforts to prevent this massive copying, efforts that were directed at users generally and at Swartz's illicit conduct specifically; and

f. elude detection and identification.


MEANS OF COMMITTING THE OFFENSES

11. Swartz alone, or in knowing concert with others unknown to the Grand Jury, (hereafter simply "Swartz" in this section) committed these offenses through the means described below.

September 24 through 27, 2010

12. On September 24, 2010, Swartz purchased an Acer laptop computer from a local computer store.

13. Later that day, Swartz connected the Acer laptop to MIT's computer network from a location in Building 16 at MIT and registered with MIT's computer network as a guest.

14. When Swartz registered on the network, he took measures to hide his identity as the computer's owner and user:

a. Swartz registered the computer under the fictitious guest name "Gary Host."

b. Swartz specified the computer's client name as "ghost laptop." (A computer's client name helps to identify it on a network and can be chosen by its user.) In this case, the "ghost" client name abridged the pseudonym "Gary Host" by combining the first initial "g" with the last name "host."

c. Swartz identified the fictitious "Gary Host's" e-mail address as "ghost@mailinator.com", a temporary e-mail address. Mailinator advertised itself as a free e-mail service that allows a user to create a new temporary-mail address as needed. Mailinator advertised that it would accept mail for any e-mail address directed to the mailinator.com domain without need for a prior registration or account. Mailinator also advertised that all mail sent to mailinator.com would automatically be deleted after several hours, whether read or not, and that the company kept no logs of e-mail access.

15. On September 25, 2010, Swartz used the Acer laptop to systematically access and rapidly download an extraordinary volume of articles from JSTOR by submitting download requests faster than a human could type, and in a manner designed to sidestep or confuse JSTOR's computerized efforts to restrict the volume of individual users' downloads.

16. The effect of these rapid and massive downloads and download requests was to impair computers used by JSTOR to provide articles to client research institutions.

17. As JSTOR, and then MIT, became aware of these events, each took steps to block communications to and from Swartz's computer. Swartz, in turn, altered the apparent source of his automated demands to sidestep or circumvent JSTOR's and MIT's blocks against his computer, as described below:

a. On the evening of September 25, 2010, JSTOR terminated Swartz's computer's network access by refusing communications from the computer's assigned IP address.
i. An IP (short for "Internet Protocol") address is a unique numeric address assigned to each computer connected to the Internet so that the computer's incoming and outgoing Internet traffic is directed to the proper destination. Most Internet service providers control a range of IP addresses. MIT controls all IP addresses that begin with the number 18.

ii. Swartz's computer had been assigned an IP address of 18.55.6.215.

iii. On September 25, 2010, JSTOR blocked communications from that IP address, thus preventing Swartz from requesting and receiving any more JSTOR articles.

b. On September 26, 2010, Swartz established a new IP address for his computer on the MIT network - 18.55.6.216 - which sidestepped the IP address block and allowed the laptop to resume downloading an extraordinary volume of articles from JSTOR. Accesses from this address continued until the middle of the day, when JSTOR spotted the access and blocked communications from this new IP address as well.

c. Because the downloads on September 25 and 26 originated from shifting MIT IP addresses beginning with 18.55.6, and because JSTOR's computers used to provide articles to research institutions had been impaired and significant portions of its archive was at risk of misappropriation, on September 26, 2010, JSTOR began blocking a broader range of IP addresses. The block prevented a researcher assigned any one of over 250 other IP addresses available at MIT from being able to access JSTOR's archive until September 29, 2010.

d. After JSTOR notified MIT what was happening, MIT sought to block Swartz in particular. It did so by prohibiting Swartz's laptop from being assigned any IP address on MIT's network. MIT did so by blocking communications with any computer bearing the laptop's MAC address.

i. A MAC address is a unique identifier assigned to each computer's network interface, in this case, Swartz's Acer laptop's network interface card.

ii. When a user plugs his computer into MIT's wired network on campus, the network reads the computer's MAC address to determine whether the computer is authorized to use the network. As part of the registration process, "Gary Host's" computer, i.e., Swartz's Acer laptop, had identified its network interface's MAC address as 00:23:5a:73:5f:fb.

iii. Consequently, on September 27, 2010, MIT terminated the laptop's guest registration and barred any network interface with that MAC address from obtaining a new IP address.

October 2 through 9, 2010

18. On October 2, 2010, just over a week after JSTOR and MIT had blocked Swartz's Acer laptop from communicating with JSTOR's and MIT's networks, Swartz sought and obtained another guest connection on MIT's network for his Acer laptop.

19. Once again, Swartz registered the Acer laptop on the network using identifiers chosen to avoid identifying Swartz as the computer's owner and user:

a. Swartz once again registered the computer under the fictitious name "Gary Host" and the client name "ghost laptop."

b. To evade the MAC address block, Swartz "spoofed" the Acer laptop's computer's MAC address. A MAC address is usually assigned to a network interface card by the card's manufacturer, and therefore generally remains constant. But a user with the right knowledge can change the MAC address, an action referred to as "MAC address spoofing." Swartz spoofed the Acer laptop's MAC address by changing it from 00:23:5a:73:5f:fb to 00:23:5a:73:5f:fc (that is, the final 'b' became a 'c').

c. By re-registering the laptop, the laptop received a new IP address, which disassociated Swartz's Acer laptop from the IP addresses that JSTOR had blocked when Swartz had used them in September.

20. On October 8, 2010, Swartz connected a second computer to MIT's network and registered as a guest, using similar naming conventions: Swartz registered the computer under the name "Grace Host," the computer client name "ghost macbook," and the temporary e-mail address "ghost42@mailinator.com."

21. On October 9, 2010, Swartz used both the "ghost laptop" and the "ghost macbook" to, again, systematically and rapidly access and download articles from JSTOR. The pace of Swartz's automated downloads was so fast and voluminous that it significantly impaired the operation of some computers at JSTOR.

22. In response, beginning on or about October 9, 2010, JSTOR blocked MIT's entire computer network from accessing JSTOR. The block lasted several days, again depriving legitimate users at MIT from accessing JSTOR's services.

November and December, 2010

23. During November and December, 2010, Swartz again used the "ghost laptop" (i.e., the Acer laptop) at MIT to download over two million documents from JSTOR, more than one hundred times the number of downloads during the same period by all legitimate MIT JSTOR users combined.

24. During this period, when Swartz connected to MIT's computer network, he circumvented MIT's guest registration process altogether. Rather than let MIT assign his computer an IP address automatically, Swartz instead simply hard-wired into the network and assigned himself two IP addresses. He did so by entering a restricted network interface closet in the basement of MIT's Building 16, plugging the computer directly into the network, and operating the computer to assign itself two IP addresses. To further cloak his activities, Swartz also hid the Acer laptop and a succession of external storage drives under a box in the closet, so that they would not arouse the suspicions of anyone who might enter the closet.

January 4 through 6, 2011

25. On January 4, 2011, Swartz entered the restricted basement network wiring closet and replaced an external hard drive attached to the laptop.

26. On January 6, 2011, Swartz returned to the wiring closet to remove his computer equipment. This time he attempted to evade identification at the entrance to the restricted area. Apparently aware of or suspicious of a video camera, as Swartz entered the wiring closet, he held his bicycle helmet like a mask to shield his face, looking through ventilation holes in the helmet. Swartz then removed his computer equipment from the closet, put it in his backpack, and left, again masking his face with the bicycle helmet before peering through a crack in the double doors and cautiously stepping out.

27. Later that day, Swartz connected his Acer laptop to MIT's network in a different building - the student center - again registering on the network using identifiers chosen to avoid identifying Swartz as the computer's owner and user:

a. Swartz registered the computer under the fictitious name "Grace Host" and the client name "ghost laptop."

b. By re-registering the laptop, the laptop again received a new IP address, which disassociated Swartz's Acer laptop from the IP addresses Swartz had used up to that point.

c. To again evade the MAC address block, Swartz had spoofed the Acer laptop's MAC address a second time, changing it from the blocked 00:23:5a:73:5f:fb (or from the later-spoofed 00:23:5a:73:5f:fc) to 00:4c:e5:a0:c7:56.

28. Swartz's Acer laptop contained a software program named "keepgrabbing.py," which was designed to download .pdf files (the format used by JSTOR) from JSTOR and sidestep or confuse JSTOR's computerized efforts to prevent repeated and voluminous downloads.

29. When MIT Police spotted Swartz on the afternoon of January 6, 2011 and attempted to question him, Swartz fled with a USB drive that contained the program "keepgrabbing2.py," which was similar to "keepgrabbing.py."

30. In all, Swartz stole a major portion of the total archive in which JSTOR had invested.

31. Swartz intended to distribute these articles through one or more file-sharing sites.

COUNTS 1 and 2
Wire Fraud
18 U.S.C. §§ 1343 & 2

32. The Grand Jury realleges and incorporates by reference the allegations in paragraphs 1-31 of this Indictment.

33. Aaron Swartz devised a scheme to defraud JSTOR of a substantial number of journal articles which they had invested in collecting, obtaining the rights to distribute, and digitizing.

34. He sought to defraud MIT and JSTOR of rights and property by:

a. Deceptively making it appear to JSTOR that he was affiliated with MIT by downloading JSTOR's articles through MIT's computer network and from MIT IP addresses, even though he was not affiliated at the time with MIT, and even though for legitimate research he could have accessed JSTOR through Harvard University, where he worked;

b. Repeatedly taking steps to change his and his computer's apparent identities and to conceal his and his computer's true identities;

c. Using a rapid, automated collection software tool designed to make it appear as if he were multiple people making single requests rather than a single person making multiple requests, in order to bypass safeguards designed to limit the number of articles any one person could download;

d. Attempting to conceal from MIT the physical location of the Acer laptop's connection to MIT's network, by placing it in a utility closet, covering it with cardboard, and, at one point, moving it from one MIT building to another; and

e. Using wire communications between a MIT computer in Massachusetts and JSTOR's computer out-of-state to effectuate his scheme.

35. The Grand Jury charges that repeatedly from on or about September 24, 2010 through January 6, 2011, or thereabout, in the District of Massachusetts and elsewhere, the defendant,

AARON SWARTZ,

having devised and intended to devise a scheme and artifice to defraud and for obtaining property - journal articles digitized and distributed by JSTOR, and copies of them - by means of material false and fraudulent pretenses and representations, transmitted and caused to be transmitted by means of wire communication in interstate commerce writings, signs, and signals - that is, communications to and from JSTOR's computer servers - for the purpose of executing the scheme, and aiding and abetting it, including on or about the dates specified below:

COUNT    DATES
1        October 9, 2010
2        January 4-6, 2011

All in violation of Title 18, United States Code, Sections 1343 and 2.

COUNTS 3-7
Computer Fraud
18 U.S.C. §§ 1030(a)(4), (b) & 2

36. The Grand Jury realleges and incorporates by reference the allegations in paragraphs 1-31 and 33-34 of this Indictment and charges that:

37. Repeatedly between on or about September 26, 2010 and January 6, 2011, including on or about the dates specified below, in the District of Massachusetts and elsewhere, the defendant,

AARON SWARTZ,

knowingly and with intent to defraud, accessed protected computers belonging to MIT and JSTOR without authorization, and by means of such conduct furthered the intended fraud and obtained things of value - namely, digitized journal articles from JSTOR's archive - and aided and abetted the same and attempted to do the same:

COUNT    DATES                                    PROTECTED COMPUTERS
3        September 26, 2010                       JSTOR
4        October 2-9, 2010                        MIT
5        November 29, 2010 - December 26, 2010    JSTOR
6        December 27, 2010 - January 4, 2011      JSTOR
7        January 4-6, 2011                        MIT

All in violation of Title 18, United States Code, Sections 1030(a)(4) and 2.

COUNTS 8-12
Unlawfully Obtaining Information from a Protected Computer
18 U.S.C. §§ 1030(a)(2), (b), (c)(2)(B)(iii) & 2

38. The Grand Jury realleges and incorporates by reference the allegations in paragraphs 1-31 and 33-34 of this Indictment and charges that:

39. Repeatedly between September 26, 2010 and January 6, 2011, including on or about the dates specified below, in the District of Massachusetts and elsewhere, the defendant,

AARON SWARTZ,

intentionally accessed computers belonging to MIT and JSTOR without authorization, and thereby obtained from protected computers information whose value exceeded $5,000 -- namely, digitized journal articles from JSTOR's archive - and aided and abetted the same and attempted to do the same.

COUNT    DATES                                    PROTECTED COMPUTERS
8        September 26, 2010                       JSTOR
9        October 2-9, 2010                        MIT
10       November 29, 2010 - December 26, 2010    JSTOR
11       December 27, 2010 - January 4, 2011      JSTOR
12       January 4-6, 2011                        MIT

All in violation of 18 U.S.C. §§ 1030(a)(2), (c)(2)(B)(iii) and 2.

COUNT 13
Recklessly Damaging a Protected Computer
18 U.S.C. §§ 1030(a)(5)(B), (c)(4)(A)(i)(I),(VI) & 2

40. The Grand Jury realleges and incorporates by reference the allegations in paragraphs 1-31 and 33-34 of this Indictment.

41. Aaron Swartz's repeated accessing of JSTOR's and MIT's computer systems without authorization constituted a related course of conduct lasting from on or about September 26, 2010 through January 6, 2011. His unauthorized access of the systems on or about days such as September 26 and October 9, 2010 resulted in reckless damage to both. The pace and volume of his automated requests impaired computers JSTOR used to provide service to researchers and research institutions and caused JSTOR to cut off legitimate MIT researchers for days at a time.

42. Both MIT and JSTOR were required to expend significant resources to respond to Swartz's unlawful access to their systems and high speed automated downloads of substantial portions of JSTOR's digital archives.

43. The Grand Jury charges that on or about October 9, 2010 in the District of Massachusetts and elsewhere, the defendant,

AARON SWARTZ,

intentionally accessed a protected computer without authorization, and as a result of such conduct recklessly caused damage to MIT and JSTOR, that is impairment to the availability of information, data, and a system, which, during a one year period:

(A) caused loss, that is, reasonable costs of responding to the offense, conducting a damage assessment, and restoring the information, data, and system to its condition prior to the offense, aggregating at least $5,000 in value from a related course of conduct affecting at least one other protected computer, and

(B) damage affecting at least 10 protected computers.

All in violation of Title 18, United States Code, Section 1030(a)(5)(B), (c)(4)(A)(i)(I),(VI) & 2.

FORFEITURE ALLEGATIONS
(18 U.S.C. § 981(a)(1)(C), 28 U.S.C. § 2461(c), 18 U.S.C. § 982(a)(2)(B), and 18 U.S.C. § 1030(i))

44. Upon conviction of one or more of the offenses alleged in Counts One and Two of the Indictment, the defendant,

AARON SWARTZ,

shall forfeit to the United States, pursuant to 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C. § 2461(c), any property, real or personal, that constitutes, or is derived from, proceeds traceable to the commission of the offense.

45. Upon conviction of one or more of the offenses alleged in Counts Three through Thirteen of the Indictment, the defendant,

AARON SWARTZ,

shall forfeit to the United States, pursuant to 18 U.S.C. § 982(a)(2)(B) and 18 U.S.C. § 1030(i) any property constituting, or derived from, proceeds obtained directly or indirectly as a result of the commission of the offenses, and pursuant to 18 U.S.C. § 1030(i) any personal property that was used or intended to be used to commit or facilitate the commission of such violations.

46. If any of the property described in paragraphs 44 and 45 hereof as being forfeitable pursuant to 18 U.S.C. § 981(a)(1)(C), 28 U.S.C. § 2461(c), 18 U.S.C. § 982(a)(2)(B), and 18 U.S.C. § 1030(i) as a result of any act or omission of the defendant --

a. cannot be located upon the exercise of due diligence;

b. has been transferred to, sold to, or deposited with a third party;

c. has been placed beyond the jurisdiction of this Court;

d. has been substantially diminished in value; or

e. has been commingled with other property which cannot be divided without difficulty;

it is the intention of the United States, pursuant to 21 U.S.C. § 853(p), as incorporated by 28 U.S.C. § 2461(c), 18 U.S.C. § 982(b)(1), and 18 U.S.C. § 1030(i)(2), to seek forfeiture of all other property of the defendant up to the value of the property described in paragraphs 44 and 45 above.

All pursuant to Title 18, United States Code, Sections 981(a)(1)(C), 982(a)(2)(B), and 1030(i), and Title 28, United States Code, Section 2461(c).

A TRUE BILL

[signature]
Foreperson of the Grand Jury



[signature]
Assistant United States Attorney

Date: 9-12-12


DISTRICT OF MASSACHUSETTS

September 12, 2012

Returned into the District Court by the Grand Jurors and filed.

[signature]
Deputy Clerk
12:45
9/12/12

[Criminal Cover Sheet forms - see PDF]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )