Expert witness describes Aaron Swartz's "crimes"

Alex Stamos, a computer security and forensics expert, was one of the expert witnesses in US v Swartz, the vindictive case brought against Aaron Swartz for walking into an unlocked computer closet, and downloading a large number of academic articles from JSTOR, using MIT's network. Stamos has very good perspective on the "crimes" for which Aaron was being hounded by the state:

* At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.

* Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.

* Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.

* The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.

* I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.

Aaron hanged himself two years, to the day, after his arrest. The DoJ asked for the maximum penalty: 30 years.

The Truth about Aaron Swartz’s “Crime”


  1. So basically he was hounded to suicide because he challenged a technologically obsolete bureaucratic apparatus. Obviously some people lived off and still live well because of JSTOR and in their mind a 50 year sentence is a quite an appropriate penalty for jeopardizing their cozy positions.
    What is particularly revolting here is that the said deeply lodged ancient bureaucratic tick didn’t bite from some shadowy government basement or a secret corporate office meeting but from MIT which is supposed to stand for new technologies, open information and whatnot, at least from what I was lead to believe.
    What a sordid affair.
    And before anyone says “oh no that was the evil DoJ,” no it wasn’t. If someone sics an attack dog on you than it is the owner rather than the dog who is responsible for what happens next. DoJ and the whole justice machinery is just that – a machine which follows its rules and cannot be stopped until it performs its function. The people who set that machine into motion are as responsible as those who designed it.

    1. DoJ and the whole justice machinery is just that – a machine which follows its rules and cannot be stopped until it performs its function.

      People blindly performing their function without caring as to the consequences was at the root of Aaron Swartz actions.

  2. 50 years.  Fifty. Fucking. Years.  For whatever this kid did (the legalities are frankly beyond me)…asking for 50 years more than likely caused this young man to kill himself.  From where I’m sitting what he did might be worth 50 days of community service: ‘Don’t trespass into closets with laptops, kids, drugs are bad, pay for your media etc’.  

    Fifty years is a death sentence.  Totally, utterly out of scale with the ‘crime’ committed.

    Department of “Justice”…how pathetic.

    1. Not trying to belittle the entire affair but; it’s 50 hypothetical f*ucking years, isn’t it? As in: that’s not what he was really looking at, that’s what the legal department threw at him hoping that, say, 20% of it might stick.

      And I agree, the entire juridical system has become a f*cking resource-consuming farce where both sides are expected to outdo one another in hyperbole and theatricals, But we still need to remember that charged is not the same thing as convicted.

      1. True, but how would you feel if you were waiting to go on trial for 50 years for something that really wasn’t worth even 1 year. Sure you might HOPE that the jury would understand how silly the entire thing was, but frankly I imagine you’d also spend a lot of time thinking about how awful this country you were living in was to threaten you with this effective life sentence.  I know I’d be thinking about just killing myself.  Could you stand to be locked up for 50 years with real criminals just because you downloaded some academic articles?  

        1. Well, the silver lining to America’s mass incarceration binge is that he wouldn’t have been locked up solely with “real criminals.” The vast majority of his fellow inmates would have been non-violent drug offenders. 

      2. You don’t have to censor swear words here, you know.

        Also, like Edmund Bates says, being threatened with 50 years is gawd-awfully demoralizing, regardless of how likely it was. IMHFO Swartz shouldn’t have spent even a week in prison for that.

    2. “what he did might be worth 50 days of community service”

      Every day of Aaron’s teen and adult life was a day of community service.

  3. on the one hand, the federal government hounded this man to death.

    but on the other hand, they used star wars references in response to a silly petition.

    eh, it’s a toss-up.

    (if you’re going to point out that they were separate branches note two things: 1. that’s the point of propaganda; 2. they aren’t; doj is an executive department and thus at the president’s disposal.)

  4. What did he want the articles for? Just curious why he went to the trouble to write the scripts. Must’ve been some project he was working on, and I’d like to know what, if anyone knows.

    1. If i could sneak my way into all the stuff ive found on google scholar I would. Data and reports get nerds off.

        1. i’ll assume you’re not trolling or being coy.

          he more or less was a true believer that “information should be free,” and probably thought that the paywalls were immoral. he didn’t do it (only) for kicks.
          there was a good video on youtube of lessig talking about the problem of paywalls for scientific knowledge and about how jstor is kind of anachronistic, having represented open access in the early days of the internet but now being somewhat regressive.

          okay, i found it. i forget where it is, but he talks about it somewhere in this video:

          edit: the jstor part starts at 13:30.

          1. “Many years ago the great British explorer George Mallory, who was to die on Mount Everest, was asked why did he want to climb it. He said, ‘Because it is there.’ ”

            JFK – during his speech launching the USA’s effort to put a man on the moon

          2. yes, i’m aware of the quotation and its history. what’s the relevance?

            it doesn’t really make sense for issues of social justice.

          3.  I can’t reply to your comment below. He did it because it was there, a challenge, a puzzle, it meant something to him to beat it. Yes, there are benefits to many people for having this information publically available, perhaps he was stopped before his overall plan was possible to achieve, but perhaps his motivation was simply “I have a cool idea, let’s try it”

    2. He believed, as do I, that you shouldn’t have to buy a document that was produced with tax dollars. For example, you have to pay to read scientific papers that are funded by the NSF. You have to pay to obtain a copy of a judicial order. 

      He was downloading public documents and then republishing them on publicly available web sites. 

      In a world where everything is a crime, who gets prosecuted and who doesn’t get prosecuted is a matter of political connections. He didn’t have the juice to avoid an over-zealous prosecutor coming after him.

      1. Thanks for informing me; that’s fascinating.  I’ve often had the same thought, that everything scientific and publicly funded  should be free. But I also wonder how publishers could make money and keep their doors open if everything is free.  

        PLOS One is an intriguing idea – you pay to have your paper published (unless you are in tier 1 or tier 2 countries).  So any idiot ***with $1350*** can publish his or her paper, assuming it passes basic muster of the PLOS editorial board.

        But the problem is just that… journals are highly specialized.  There is no way PLOS could employ experts in all fields. (They say they have 3000.)  Editorial boards at traditional journals are supposedly composed of members of that particular field of research. 

        So, DO WE BUY THAT PREMISE?  That validity of research publication is ensured by a competent professional review board?  Or do we suspect publication bias, and that professional, paid review boards are an anachronism?  And instead, cast our lot to the larger peer group of humanity?

        Personally, I think there is a world where both paradigms could have their place.  I think what it would take is for a major university to be like PLOS, or to USE PLOS actively as its front line of publication.  When it negotiates with traditional journals for publication on their pages, it also reserves legal right to publish its own papers free-access, either locally or on PLOS.  A lot of places try to make their own publications free to their own research communities, but what if one took the extra step to say, hey, we will post EVERY bit of research we do, free and open access on our university website.

        This would turn the value proposition on its head.  Instead of journals holding the prestige and being the keepers of knowledge and publication rights, the universities retain the rights and the journals are the ones who scramble to find papers to publish and get permission of their authors and institutions.

      2.  He was doing nothing of the sort.

        He /may/ have, in the future. But that’s the most you can say.

        There’s good evidence he might not have published them at all (he did do mass article analysis, and could easily have needed them for that).

        There’s good evidence he may have only decided to release the ones that weren’t under copyright (which was a good portion of them)

        And there’s some evidence he may have released all of them.

        But he didn’t actually do anything. Just had several things he could have done.

        1. I quote Cory’s original post:

          >The post-Reddit era in Aaron’s life was really his coming of age. His stunts were breathtaking. At one point, he singlehandedly liberated 20 percent of US law. PACER, the system that gives Americans access to their own (public domain) case-law, charged a fee for each such access. After activists built RECAP (which allowed its users to put any caselaw they paid for into a free/public repository), Aaron spent a small fortune fetching a titanic amount of data and putting it into the public domain.

          1. I thought you meant here, in this case and situation. Yes, he’d done it before for different document.

  5. We, on the left-ish side of the political spectrum, tend to focus on corporate corruption but academia is as bad, if not worse (not individual academics that just do their jobs but the way the institution of Western academia functions and is structured). From the often shady methods of knowledge production, to the perpetuation of a scheme that limits the access of said knowledge even when it was, more often than not, produced with taxpayers money.

    While I know that MIT dropped the charges, I think it is worth noting that academic institutions help perpetuate the very systems of oppression that Aaron so vehemently fought against. Academia informs policy making and it is undoubtedly part of the way the class, gender and racial categories are maintained. As Lessig rightfully pointed out in his memorial, MIT is complicit in this disgrace.

    1. The Road to Hell may be paved with good intention but the Road to Oblivion is paved with people keeping their heads down and just doing their job, (and paying no attention to the smell from the crematoria.)

      1. What? Why do you make up shit that simply is not there? Where do you infer from that I ignore the role of the government in complicity with corporations? I suggest you read what I wrote rather than comment on what you *think* I wrote. It might lead to more productive comments.

  6. Willie Green, your ad hominem strategy won’t fly here sir. Attack the point Aaron was making, if you can, but attacking his character weakens your argumentation instead of reinforcing it.

  7. The problem is with the over-zealous prosecutor and the concept of plea-bargaining in particular. The prosecutor attempts to coerce the alleged criminal into admitting guilt to avoid trial in return for a moderate punishment, rather than risking a full trial with life-ruining consequences (50 years in jail) if found guilty. That mode of prosecution short-circuits justice.

    JSTOR made it clear that they had no interest in seeing a prosecution take place after they’d recovered the copies of the dataset that Swartz had downloaded, and the alleged trespass on MIT property was a minor state-level matter, since no locks were broken into; MIT apparently haven’t felt the need to pursue that matter either. If any court action ever needed to be brought it should only have been as a civil matter, i.e. JSTOR pursuing Swartz for costs and the return of the dataset, rather than the DoJ deciding to allege federal crimes on it’s own initiative. If both the alleged victims in the case feel it is not worth pursuing the prosecution, and there’s clearly no coercion of MIT or JSTOR by Swartz, then how is the public interest served by the DoJ’s actions?

    It reminds me of the Gary McKinnon case in the UK; in that instance someone with only moderate computing ability actually did “hack” into United States government computers by using default passwords. The UK ultimately declined to surrender McKinnon to the USA for trial; The Home Secretary determined that the punishment on offer was disproportionate and that there was a risk of suicide. I am not sure whether the suicide risk to McKinnon was genuine or not, however UK law prohibits extradition when there is a danger to life. McKinnon could have in principle been prosecuted in the UK, although there are statutory time limits to filing charges that have lapsed.

    The disparity of justice is galling; McKinnon evaded trial and yet arguably acted in a criminal fashion, it’s unclear that Swartz’s alleged actions even constitute commissioning the alleged crimes. It’s quite possible that Swartz would have been acquitted, although at the heavy cost in time and money of mounting a defence.

    In the McKinnon case, the charges for the proposed trial carried 70 years jail time, whereas McKinnon was offered 3 years if he plead guilty, causing the House of Lords in the UK to debate the apparent abuse of process. It can’t be right that the standard practice of the DoJ is to coerce people to wave their legal right to a fair trial by threatening grossly disproportionate sentences.

    1. Every comment and story mentions in the abstract the “overzealous prosecutor” padding their resume by relentlessly pursuing legal action against this poor kid… Do we not know the names of this person/these people? Are state prosecutors protected by anonymity? I wish we had some names, so these people could be rightly and publicly shamed and stigmatized – and their careers and reputation jeopardized, by their irresponsible-yet-effective actions rather than them quietly and anonymously enjoying this macabre ‘victory.’

    1. I’m afraid that day will never come, so long as those ultimately in charge are given unfailing support and accolades despite years of overseeing a system that has destroyed the lives of many innocent people.

  8. As a network admin who used to work at MIT, I find this story horribly distressing. 

    If someone is intruding on my network, he could be a criminal setting out to do horrible things (clean out people’s bank accounts, relay kiddie porn, et cetera). Or he could be a 14 year old thinking with his dong. 

    He could be up to serious crimes that should not be trivialized, or he could be up to things that cannot be trivialized because they are already trivial. 

    I have to trust the authorities to figure out what the case is and prosecute accordingly. Otherwise, look at the situation I’m in:

    I could keep my mouth shut, and deprive teh FBI of a chance to catch and remove a serious malefactor. 


    I could make the call, and cause some young kid’s life to be ruined over chickenshit. 

    What the fuck am I supposed to do now???

    1. And for the record, I feel this case belonged in a middle ground. They should have taken it to civil court, or at worst given this guy a chance to plead guilty toa misdemeanor. 

      1. They did take it to civil court. Aaron settled with MIT and JSTOR; JSTOR repudiated the charges, but MIT didn’t. This left a door open for Ortiz to press criminal charges.

    2. From the article:

      MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.

      More from the article:

      In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.

      Yet even more from the article:

      I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.

      I’ve never been a network administrator, but it seems obvious that MIT (and you) could prevent people from what you consider unauthorized access to your network by implementing policies and controls against said unauthorized access in the first place. And by keeping your utility closets locked.

      In other words, instead of wringing your hands over the possibility of ruining someone’s life, why don’t you do the equivalent of locking the barn door before the horse is gone.

      [Edit] Not to mention, you could also stop to analyse what your “intruder” was doing on your network. Chances are that you can tell the difference between someone downloading copies of documents, vs. someone “cleaning out people’s bank accounts” or “relaying kiddie porn.”

      1. I’m not going to go at length about why it is that MIT keeps the barn door open. There are reasons. It’s not a frivolous thing.

        But I will say that even if I had closed things down further, Mr. Swartz could still have gone in (he had the know how) and I would STILL want to know that that authorities would not use more legal muscle than necessary. 

        “Chances are that you can tell the difference between someone downloading copies of documents, vs. someone “cleaning out people’s bank accounts” or “relaying kiddie porn.””

        Actually, these days no. Not before catching him. 

        1. I’m not criticizing MIT’s decision to keep their network open. Nor am I criticizing the actions of Aaron Swartz (I rather like his “information likes to be free” philosophy, and admire his technical skills and his risk-taking.)

          What I’m saying is that there are steps MIT could have taken if they didn’t want this kind of thing to happen in the first place, and it might be a good idea to take those steps if you, as a network administrator, don’t want to be put in the position of having to decide whether to contact the authorities, prior to it actually happening.

          Once you “turn someone in” to the authorities, you don’t have much, if any, control over how they handle the situation.

  9.  Has anyone started a petition on the white house website to have the various policies which led up to this point reconsidered? Seems like one obvious place to start a lessons-learned process…

    (Some of you are going to object to the following, but it needs saying: Having been around MIT and having some experience with depression myself, I must point out that the causes of suicide are usually a much less clear-cut cause-and-effect chain than the popular myths would have you believe. So I’d be just a bit careful before assuming that Aaron’s suicide was primarily triggered by this specific incident. Fine opportunity to make a set of problems visible, but may not be a good rallying cry — frex, if you’re going to invoke it you have to then ask whether his decision to take this particular set of actions was in any way a cry for help, and the whole thing gets very messy very fast. Reality is fractal, and not always conducive to telling a good story.)

  10. As I understand, it’s a bit more than this. I believe his script overloaded the networks, causing downtime and something similar to a DOS attack. He should have written the script more carefully.

    Appropriate punishment: misdemeanour mischief, sentence to time served, understood to be an act of civil disobedience in cause of a greater good.

    1. Dirtbags tresspass ON MIT’s campus every day, usually to steal electronics. They don’t get nailed for 50 years in prison for it. 

    2. And criminal trespass doesn’t usually involve trying to put someone away from 30+ yrs does it? B&E gets less, theft gets less, hell — friggin’ rapists get less, and murderers have often get less.

      It’s a matter of proportionality, look at the banking crisis, see any of those people (like Lloyd Blankfein of Goldman Sachs) do ANY time? He cost people BILLIONS and threw retirements into a tailspin. The kid stole/dowloaded academic papers, and they hound him for what? So the prosecutors can have high profile cases to advance their careers or get a seat on a bench? 

      1. That Goldman, HSBC and others deserve prosecution does not somehow make this argument work. Just because it was really easy for him to do these illegal things doesn’t mean he shouldn’t be held culpable for them.

        What happened isn’t a tragedy, he isn’t some poor schmuck who can’t afford appropriate counsel who got railroaded. He’s a guy who committed a crime and could afford effective enough representation to delay his prosecution by a couple years without having to be in jail. You’re essentially arguing that one white guy with money should really get as much leniency as other white guys with money, which I find a pretty repugnant argument.

        He committed a crime, he was being prosecuted. That is what is supposed to happen. That the law fails to prosecute some of the guilty doesn’t mean it should prosecute none of them.

        1. You may have been confused by the plot of Les Miz. Javert wasn’t the hero.

          To put matters in perspective, if Swartz had hit someone over the head with a baseball bat, causing permanent brain damage, under Massachusetts law the maximum prison term he could be sentenced to was a small fraction of the 50 years the prosecution wished. Any argument in favor of the Majesty of the Law in this case needs to explain why this result is, in fact, just.

        2. You DO realize the organization he supposedly wronged decided NOT to pursue charges right? The DOJ did even though JSTOR didn’t ask for it. In juast about all cases when the complainant does that the case is dropped.

          “You’re essentially arguing that one white guy with money should really get as much leniency as other white guys with money, which I find a pretty repugnant argument.” What the hell are you smoking? In no way did I say anything remotely like that, please explain how you reached that absurd conclusion.

        3. He was being prosecuted as if he’d committed a much more serious crime than he did commit.  No one is arguing that he wasn’t trespassing, just that he shouldn’t have been prosecuted as if he was doing much, much worse than that.

          And if you think that a suicide by a man in his twenties suffering from depression and being unjustly persecuted by a powerful government agency with a history of unjustly persecuting people, “isn’t a tragedy,” well, talk about repugnant.

  11. He should have moved to Europe! At least in The Netherlands, by law “downloading” is never illegal. 30 years for downloading stuff? Seems the US penal code is protecting the media industry, destroying “irrelevant” human lives in its path, or at least boosting prosecutor careers the “easy way”.

  12. Not denying what the DOJ did was uncalled-for but as someone who has lived through a few suicides I think it’s important to note circumstances hardly ever lead healthy people to kill themselves. Depression is the killer here, not the DOJ. We all want to point fingers here and that’s natural after something this senseless. But think a minute: if persecution were all it took to trigger suicide no one would have survived the Holocaust or Darfur.

    Things start to make a lot more sense once you realize just how senseless this all is. Looking for logic just delays that realization.

    1. Can you tell me where you learned this stuff about suicide?  Because in my admittedly limited experience particular events can absolutely trigger suicides.  I’m thinking about one case in particular where the person in question was in somewhat less legal trouble than Aaron Swartz.

      Are you just saying that not everyone is the sort of person who commits suicide? Because that’s actually not relevant to whether Swartz’ legal troubles drove him to it. Thousands or even millions of depressed people don’t commit suicide, so by your own argument depression can’t be the cause of suicide.

  13. Here’s the thing that gets me, that I don’t see people bringing up:  The supposedly injured parties were perfectly free to pursue Swarz in civil court if they felt they had suffered losses as a result of his actions. Instead he was hounded like Al fucking Capone. Lessig called this one perfectly: the prosecution’s sense of proportion is absolutely missing.

    1. JSTOR (the supposedly injured party) wasn’t even interested in criminal charges.  Looks to me like the government saw a chance to make an example out of someone.

  14. Were he sentenced to 30-50 years in prison, Aaron would have fulfilled his role as the tarred corpse in the gibbet alongside the information superhighway, a grim warning to any potential information superhighwaymen who might have ideas of fucking with intellectual property laws.  Dead, he fulfils the same role.  The DOJ and JSTOR have won, in a way they might not have done so in a courtroom.

    1. No, they haven’t won.  There are plenty more freedom-fighters, where I come from. Aaron Swartz didn’t die in vain.

Comments are closed.