Expert witness describes Aaron Swartz's "crimes"

Alex Stamos, a computer security and forensics expert, was one of the expert witnesses in US v Swartz, the vindictive case brought against Aaron Swartz for walking into an unlocked computer closet, and downloading a large number of academic articles from JSTOR, using MIT's network. Stamos has very good perspective on the "crimes" for which Aaron was being hounded by the state:

* At the time of Aaron's actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT's 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.

* Aaron did not "hack" the JSTOR website for all reasonable definitions of "hack". Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing "Save As" from your favorite browser.

* Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one's MAC address (which the government inaccurately identified as equivalent to a car's VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.

* The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT's JSTOR access due to downloads from a pretty easily identified user agent.

* I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.

Aaron hanged himself two years, to the day, after his arrest. The DoJ asked for the maximum penalty: 30 years.


The Truth about Aaron Swartz's "Crime"