Jan 212013

The 13-count superseding indictment (now dismissed) against Aaron Swartz basically boiled down to two major complaints: he accessed a computer system, and then downloaded files, without permission to do either.

It was not completely unprecedented in the pre-digital age to penalize acts that at their essence were about doing something without permission. Trespass, for instance, can be criminally prosecuted if someone has entered another’s real property without their permission. But (per the Model Penal Code § 221.2) it is typically prosecuted as a petty misdemeanor, commensurate with the negligible resulting harm. In instances where more serious harm resulted, a harm that could be properly measured in real word dimensions, such as the deprivation or destruction of real or immovable property, then a separate crime could be charged, such as theft – one targeted to address that violent sort of outcome. But even in those cases the crime and its commensurate penalty would hinge on the resulting harm, not the underlying lack of permission (see, e.g., Model Penal Code explanatory note §§ Sections 220.1-220.3). On its own, merely doing something without permission has not been something US law has sought to punish with serious charges carrying lengthy prison sentences.

In Aaron Swartz’s case, however, while his actions, even if true as alleged, resulted in no more measureable harm than an ordinary trespass would have, he was nonetheless charged with multiple felonies.

Each felony charge comprised part of a vicious cycle, with each being predicated on the existence of the last. But at the heart of the indictment is a fundamental misunderstanding of the purported wrongfulness connected with the file downloading.  The undisputed facts in this respect are basically thus: The JSTOR archive is a repository of academic articles. Notably Aaron actually had permission to access and download them, although it may be true that in granting that access JSTOR had not contemplated on them having been downloaded in bulk. On the other hand, it does not appear that such permission had been explicitly withheld. Furthermore, Aaron’s downloading of the files in no way deprived JSTOR of anything. The files didn’t disappear from their machine as they were copied onto Aaron’s; they remained exactly where they always were.

Thus the prosecutor’s insistence that this downloading was somehow “theft” (see paragraph 30 of the indictment) fails in both physical and legal terms. In the non-digital world theft involves depriving someone of their property. However no such deprivation of property existed here, thereby rendering it legally incorrect to punish the act as if it were one that would cause it, and then to compound it by using that perceived wrongfulness as a basis for collateral charges.

Of course, no deprivation of property is required for the real world crime of burglary. Like trespass, burglary punishes an unauthorized access, but only one made for the purpose of committing some other crime that would result in its own measurable harm. (See Model Penal Code § 221.1. Note also that the nomenclature and particular requirements for these various crimes may vary from jurisdiction to jurisdiction, but the MPC is being cited here because of how it serves to encapsulate how crime is generally thought of in American law.) It’s not the unauthorized access itself that conditions the seriousness of the charge; it’s the intent to cause the measurable harm that is. Having laws like burglary on the books provides a way to prosecute an attempted crime that would have had real, measurable effects had it ever reached fruition; they aren’t about punishing a permission-less access for its own sake. Which, unfortunately, the Computer Fraud and Abuse Act currently does.

Ostensibly the CFAA, a recent statute ill-fitting the realities of modern computing, sometimes predicates its punishment on the consequences of the purportedly wrongful access of a computer system, but unlike burglary it is largely divorced from any actual criminal accounting of those consequences and at times (see 18 U.S.C. § 1030(a)(2)(c)) requires no destructive harm at all. For purposes of the CFAA the access alone is what’s wrongful.

And it punishes this permission-less access vastly more severely than its consequences could possibly warrant. In Aaron’s case the only demonstrable harm the prosecutor managed to allege in the indictment was that his actions had caused MIT, whose network Aaron is alleged to have accessed without permission (although there is significant dispute about whether such network access truly was impermissible), inconvenience. And so, for allegedly causing MIT some hassle, Aaron faced decades in prison and bankrupting expense, consequences greater than if he had simply outright stolen any of MIT’s actual computers (a real-world state-governed crime that would have put him beyond the reach of federal prosecutors entirely).

In the wake of Aaron’s death, which his friends and family see as a direct result of the DOJ’s overzealous prosecution, there have been many calls for reform. Some of the reform needed is in the CFAA itself, given how it currently conceptualizes unauthorized access of computers in a way that would ensnare nearly every Internet user acting quite reasonably and in a way that resulted in no measurable harm.

But reform is also needed with respect to the underlying wrong the prosecution originally perceived Aaron to be guilty of when he downloaded those articles. The prosecution reacted as though it were a violent destruction of person or property, when it clearly was not. At most he would have been liable for copyright infringement, an act that can be fully redressed through private civil suits without the need – or indeed, the right– for the state to weigh in, especially in such a disproportionate way. It is in this regard, criminalizing access to information beyond one’s permission to have it, that the most reform is needed.

  2 Responses to “A crime of permission”

Comments (2)
  1. I disagree with a couple of points in your article.

    1. “On the other hand, it does not appear that such permission had been explicitly withheld.” JSTOR and MIT actually banned Swartz’ IP address 3 separate times. (See Par. 17 of the indictment) On September 25, they banned his IP. On September 26, they banned any IP from MIT that started 18.55.6 (a ban on more than 250 nodes at MIT and kept that ban in place until Sept. 29) MIT banned Swartz’ MAC address, preventing his computer from logging onto their network. Swartz’ spoofed his MAC address and started the process over again. At this point, JSTOR banned all of MIT from accessing their database. (Par. 22)

    2. “Thus the prosecutor’s insistence that this downloading was somehow “theft” … fails in both physical and legal terms.” It doesn’t fail in legal terms because theft includes intangible property. It also doesn’t fail linguistically, because we commonly talk about people thieving things that don’t actually deprive someone of their use. Stealing secrets – if a spy photographs classified documents, he’s not deprived the government of those documents. The Pope’s butler was convicted recently of “stealing the pontiff’s private documents and leaking them to a journalist…” His attorney attempted to argue that photocopying the documents didn’t deprive the Pope of their possession (obviously unsuccessfully).

    But, Swartz wasn’t charged with theft, so whether his crime fit the elements of theft is irrelevant. He was charged with wire and computer fraud.

    But to a larger point, one should recognize that all litigations are about two (or more) competing narratives. You’ve told one of those narratives – that no one was hurt, that nothing of value was taken, that the information Swartz took was of little value and he didn’t really do anything wrong.

    We should recognize, however, that there is another narrative, that might be equally compelling. In this narrative, Swartz wrote a manifesto about how information should be free, that we should be liberating information from behind paywalls. He then proceeded to attempt to “liberate” PACER, an action that brought the FBI to his door. He then set his sights on JSTOR, an organization that, whether you agree with them or not, provides scholarly articles to libraries and institutions across the country for a fee. Swartz had access to JSTOR from Harvard, but he didn’t want to perpetrate his exploit at Harvard. He went across the street to MIT. He was blocked three separate times and took actions to avoid those blocks, including spoofing his MAC address. Finally, he hard-wired his computer into MIT’s network, putting it into a storage closet, covering it with a box and hiding his face from security cameras when he entered the closet to check his computer and replace the external hard drive. When caught, he fled from MIT security.

    He did all this with the purpose of destroying the JSTOR business model – freeing their information from behind the JSTOR paywall. If that’s true, then his actions were intended to deprive JSTOR of something – a meaningful way of making money with their business model! In this narrative, Swartz’ actions were not harmless, they were part of an attempt to wreak financial havoc on JSTOR that were interrupted. The proportionality of the prosecutors’ actions should be weighed against this competing narrative as well as against the one you’d like to believe. If they convinced a jury of their narrative, Swartz would be sentenced against that narrative, not the one where he did nothing of much consequence which had no potential to harm JSTOR.

  2. You make a valid point about the strength of the narrative – clearly Ortiz, once deciding Aaron was a bad actor could not get past that view, no matter how undeserved it was. The point still stands that there is nothing alleged that makes him a bad actor worthy of this prosecution. The illusory “harm” you describe is not a kind of harm US criminal law has ever been designed to punish. At most he would have been liable for some torts, and JSTOR was perfectly capable of seeking its own redress for them.

    In fact, note that JSTOR did reach some sort of accord with Aaron and asked the DOJ not to prosecute. It was MIT that egged on the DOJ, even though it, too, could have sought civil redress for any injury it alleged. Or simply unplugged the computer. Or even just locked the door to the closet – which a homeless person was also using for personal storage. MIT had plenty of options to heal its claimed injury other than seeking a lengthy imprisonment for Aaron. Remember also that even if you think downloading the archive was an egregious wrong deserving punishment, it was JSTOR that suffered it, not MIT.

    And, no, it’s still not theft. Yes, theft can be of something intangible, but it still would involve depriving someone of their title in something. JSTOR wasn’t deprived of its title at all. As I wrote, this prosecution is based on a mistaken view of how copyright law functions, but I will elaborate further on how that it so another day.

Sorry, the comment form is closed at this time.