Security

The case against Aaron Swartz: Why we should be concerned

Patrick Lambert looks as the charges facing Internet activist Aaron Swartz before his death. Why were the penalties so severe and how easy would it be for others to get in the same kind of legal trouble?

The life of Aaron Swartz was a great, inspiring journey, with a tragic end. When the 26 year old activist died earlier this month, he was facing serious charges in federal court, and many think that this played a key role in why he decided to commit suicide. Aaron was seen by many as a prodigy, a very intelligent person who contributed in many technological projects, including being part of the invention of RSS, something used by millions of websites, before he became a political activist, believing strongly that information ought to be free.

His troubles with the law started with the PACER incident in 2008. This was a system that held all of the US federal court documents, and which charged people for access. Since these were all in the public domain, Aaron decided that they should be available for free. He purchased access and then released for free around 20 percent of the entire database, or 18 million documents. This quickly brought an investigation from the FBI, but after two months, the case was closed, since he never broke any law. But he was not done, and last year he secretly accessed the JSTOR database, which provides research journals for a fee. He downloaded 4 million documents by hooking up a laptop in an MIT closet, and saving them on a removable hard drive.

Changing a MAC address equals fraud?

This time, the prosecutors were all over him, and he faced up to 35 years in jail, although it now appears that they were willing to make a deal for 6 months plus probation. But the key issue here is how they even managed to pile up so many charges on him that could bring such severe consequences? The main issue that prompted this was nothing more than breaking terms of services. Every major website has a link at the bottom of the page that links to a ToS, which specifies what you can and cannot do on that site. As a casual reader of this or any other site, chances are you never looked at them. Terms of services are not laws, but courts have upheld them in some cases. Still, breaking a site's ToS usually results in being banned from the site, not going to jail for decades. So in order to push the case forward, even after JSTOR refused to press charges, prosecutors instead focused on the fact that Aaron had hidden his identity in order to add wire and computer fraud charges. Those are the charges which carry a much heavier penalty.

Let's forget the legal side for now and simply look at the technology behind it. The key concept is that his laptop was using a fake identity. This, by itself, should send a chilling effect to many people in the technical field, whether you work in IT, as a security researcher, or you are simply a geek. Anyone who has dealt with networking before can tell you how trivial it is to change your MAC address. Many adapters offer the option right in their configuration screen, and in Windows you simply have to click a few buttons to access it:

Even if you can't do it through a GUI, you can change a registry setting, or use one of many free tools to do the same thing. The problem here is that a MAC address is not a security issue. If you take a networking course, such as a Cisco or CompTIA certification, one of the very first things you learn in security modules is that filtering MAC addresses is a useless proposition. While those addresses are supposed to be unique for each network adapter, there are many cases where they will not be, including in virtual networks, or if someone changed the address at some point through one of those methods.

The exact same thing is true for IP addresses as well. Whether you're supposed to use a DHCP server or set your own address in a static way, anyone can configure their adapter to use the address they want, and as long as the router accepts to route it, then it will, with no idea of who is using it. So the idea that changing your MAC or IP address equals to computer or wire fraud is very scary, since those are not authentication mechanisms; there is no security behind them. At no point should a network adapter, or any sensibly made login system, ask a user to identify itself through those means. Instead, this is why we use things like user names, passwords, public key cryptography, digital signatures, certificates, and so on.

So the bottom line is that what the prosecutors went after, the fact that changing something like a MAC address to hide the presence of a laptop is a crime, should be looked at very carefully. From the information we have, at no point did the JSTOR system ask Aaron to identify himself, and blocking access based on MAC addresses is misunderstanding what these addresses are. It's not security, and spoofing a MAC address is not hacking -- it's a normal networking process. Even MIT itself does it. For example, if you go on the campus, you can see two publically announced wi-fi hotspots: "00:21:d8:49:98:61" and "00:21:d8:49:98:62" which correspond to "MIT" and "MIT GUEST". However, both of these addresses actually link to the same adapter. So in effect, MIT is spoofing a MAC address. There is a very good reason in this case, and it's to provide two virtual networks to various people, but on the technology side, it's the exact same process.

This is why a case like this is so important, and why it never should have been allowed to go forward for so long. Technology can be complicated, especially for non-technical people. To a layman, spoofing a MAC address may seem like a case of fraud, before you realize that it was never designed that way, and that instead, it is used in many very reasonable cases. This is why authentication does not rely on these technologies, and instead use other concepts which were created for authentication. Technical people have been working on e-commerce systems for a long time, and confronting the problem of selling digital goods while making sure someone can't copy them and then distribute them freely. There are many options, including DRM, but none of them are completely effective. Unfortunately, what it does look like is that in the case of Aaron Swartz, aggressive litigation appears to have been the solution of choice for the prosecutor's office.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

31 comments
SaadHusain
SaadHusain

Aaron filed a Freedom of Information request on the status of Bradley Manning. Gov did not like that.

cybershooters
cybershooters

Six months plus probation isn't that severe - all kinds of laws have maximum penalties that are intimidating. All kinds of laws can be easily broken, you can easily lie on a form and misrepresent who you are - but that can carry a serious penalty. What about check kiting? Any idiot can write a false figure on a check. But you can get months or years in prison for doing it. If you steal documents and place them on the internet, you know what? You might go to prison for it. It's a shame he committed suicide but he did that, no-one else did.

Pete6677
Pete6677

Aaron and a couple of his buddies should have formed a corporation, done the exact same stuff Aaron did on his own, and called it a business. Even if they didn't make any money on it, criminal law is MUCH more forgiving to businesses than to individuals. The worst that would have happened would be to shut the business down, with minimal criminal charges against the business owners. Look at all of the various malware companies that committed all kinds of computer tampering and wire fraud, only to be hit with fines and then allowed to go on their merry ways.

slater
slater

I have been told that in Oak Brook, IL, at the Headquarters of McDonald's, they call it the Big Mac address.

homesjc
homesjc

If these documents are scientific papers published in journals managed by JSTOR should not the copyright be with the authors of said papers? Likewise when a significant proportion have been paid for by public monies, ie R&D funds ex government in one form or another, so consequently the data should be in the public domain. To reduce accessibility to these papers merely slows up innovation and hence cuts back the potential of novel industries/applications including such serious problems as the failure of the pharmaceutical industry to replace our failing antibiotics or deal with human forced climate changes. My Christmas (Perth wa) was far too hot this year. All this copyright protection does is to restrict the opportunities of the (mostly yours and mine) grandchildren of the 99.5%, and protect the 0.5% from some possible future competition, as well as extort monies for other peoples effort.

kenneth.fees
kenneth.fees

So if a person does something for which no specific law stipulates you may not do, and that entity is not harmed, but revenue is potentially effected, then the Justice Department is allowed to charge you with a felony. What he did simply showed that there was a hole in the system, and the response was to criminalize his violation of non-binding terms of use. It is like charging someone with theft for taking 10 free samples at the grocery store. You could call the person a jerk, sure, but not a thief.

Docape
Docape

I am currently being bullied by a prosecutor who has admitted he is hoping to win awards and move up the ladder. When are the American people going to wake up and let our government know that we are fed up with this behavior? Eric Holder said he was going to correct these problems and nothing has changed. In fact, the Obama administration has gone out of its way to continue these miscarriages of justice.

info
info

I found it very interesting to read your comments on the relevance of MAC and IP addresses, which sound perfectly understandable to me. Do you know that in some jurisdictions, responsibility for unlawful acquisition of data is allocated by the courts on the basis of such addresses the claimant researches as the place of violation of protected rights regardless whether the owner of the device was aware of the facts or not? There is no escape to this, unless the respective owner can prove that and who did use this address without permission and that this individual is legally responsible for such action.

Dave Keays
Dave Keays

Earlier this month I thought the Government moves against Aaron Swartz were ridiculous and way out of whack. Now I see that he and anonymous are deciding which rules to abide by and are playing both judge and jury. Thanks to Anonymous, Aaron Swartz looks more like a modern Bonnie and Clyde than a George Washington. While it is true that no "hacker" is similar to Bonnie and Clyde when it came to physical violence, times are changing. Plus they are very similar to each other in the fact that they both claim to be able to proclaim that what [b]they[/b] do is right and everybody around them must abide by the law [b]they[/b] lay down. If he were a true rebel he must be willing to pay the price for the sake of the cause. Anonymous is making him look like a simple coward that was only using the motif of a rebel to justify his lack of integrity and was willing to bail-out once the going got tough.

Janetmwoo
Janetmwoo

Concealment is not a criminal intent. And an Innocuous intent is not criminal. The intent needs to have malice. While Aaron's intent is currently unknown (yes we would have found out at trial) the punishment of having to go to trial just to prove your innocence is the opposite of American Jurisprudence. And the outrage is that the prosecutor was going to ask for no more than six months in jail for potential copyright infringement ???!!, malicious digital access, or just being smarter than everyone else and not having the decency to hide the fact. Something is wrong with the justice system when a public prosecutor abuses her authority, and her superior's and the judges allow this to happen. It is not just one person's doing here, it is a whole system of injustice that needs to be brought to light.

jhardy
jhardy

jiiwill - With regard to the public domain docs, they dropped those charges. The recent prosecution was related to the JSTOR issue--which was definitively NOT public domain. And even though JSTOR decided to not press charges, that decision is not the victim's to make. The prosecutor's office decides these things. Otherwise, a victim could be "bribed" to dismiss. The prosecutors are tasked with pursuing justice, even if a victim "forgives" or otherwise wants the whole thing to go away. The founders wrote trademark and copyright protections into the founding docs for a reason. To extend your metaphor, they did indeed break English law. But equally so they were willing to suffer the consequences if they were not successful; "we pledge our lives, fortunes, and sacred honor." If Aaron Swatz thought them in error, he should have taken his chances in court where a jury of his peers (such as they are) would have determined his fate. But It should be said and maintained that his suicide was indicative of more than fear of a trial. Such things are always indicative of deeper, psychological issues, and were I his attorney (I am not a lawyer) I would have used those in his defense.

jiiwill
jiiwill

jhardy . . . You do have a good point from a legal standpoint but . . . what about the moral point. Aaron was doing what he believed in just like our Founding Fathers. According to the legal aspect all of our Founding Fathers were traitors and should have been hung. They held secret meetings, they hid what they were doing from the legal government, they damaged property, and they killed people. By all legal aspects of the time they were nothing but criminals who were subverting established legal principles, laws, and the intent behind those laws. Yet, they are the heroes of our Revolution doing what must be done to rid our country of tyranny. I believe Aaron was the same caliber of person doing what he believed to be right in an attempt to gain freedom of information. Since copyright laws were not violated and only public domain articles were involved, how can there be a legal leg to stand on? How is it that an organization can charge for the information that can be readily found through public sources? From my experience those "public domain" documents are sold by those organization that sell them at a price far above the means and efforts to provide them as a public service. These organizations also bury the public domain documents in a way which makes it hard for the public to gain access to them. As I see it, Aaron was only trying to break the tyrannical conrol these organizations have over information that should be free to everyone.

Ajax4Hire
Ajax4Hire

Clear case of Cyber-bullying. The US Constitution's 2nd amendment was put in place to protect you from the heavy hand of the government. Today, we may not need a rifle for protection but we as individual private citizens still need protection from the government.

jiiwill
jiiwill

As I see it these ridiculous charges and the outrageous penalties the prosecutors brought against Aaron Swartz have a very sinister aspect to them. First another nitwit bureaucratic prosecutor saw an opportunity to make a "name" for him/her-self and further their career at the expense of a highly talented and innovative person who was actively standing up for what he believed in. But the most sinister aspect is the government once more jumping into areas they have no business getting involved in. This case could have set legal precedents that would have been used to undermine the freedoms we all currently enjoy on the Internet. It has probably already set a certain level of fear within the Information Freedom Community that could give activists like Aaron second thoughts about furthering their ideas . . . which I believe is a violation of the First Amendment rights.

tepell
tepell

It should be in the same category as bullying, such as school bullies or on a social network. They should be held accountable.

jhardy
jhardy

You make a mistake to focus on the technology behind his access. The rules governing simple technological processes and the legal definition of "intent" are very important here. Going to the driver's license bureau and applying for a new license is not a crime--even is you use a different name. My wife has done this a few times, once when we got married to change here last name, and again when she decided that that she no longer wanted to be know by her middle name (as she had done for years) and wanted to start using her legal first name. Her intent was to manage her identity. If, on the other hand, she was accessing new credentials with the "intent" of defrauding, avoiding taxes or other debts, or evading a criminal prosecution, it is an entirely different matter. It was not the act of changing a MAC address, it was the intent of concealment that was the crime in the context of doing something that he knew or reasonably supposed to be "legally wrong" and thus a valid charge. An alternate legal description / argument is "awareness of guilt." I am not saying that I would have filed the charges myself or that they would have ultimately prevailed. i am only saying that it is not the act that is the issue and that the attorney general is not as far out of line as represented in the article. Regards, Jeff

omg.itlead
omg.itlead

The agressive lawyers weren't even trying to protect copy rights. All the info was public domain and yes, it should be freely available to the public.

Andrea Solinas
Andrea Solinas

tsadowski i completely agree with you..... how can some people sleep at night ??

Dr_Zinj
Dr_Zinj

That's the main problem with lawyers. Far too many of them don't care about right or wrong, only about winning. And they don't care how many innocents they destroy or kill on the way up.

tsadowski
tsadowski

These charges were so ridiculous, and the proposed penalties so outrageous, that they were clearly trying to "make an example" of Aaron. They all but handed him a rope and said, "Why don't we make this easy on everyone...". So I ask, very seriously, should the prosecutors in this case be charged in Aaron's death? If your actions, unintentionally, but through recklessness cause the death of someone else, is that NOT manslaughter?!? At the very least they should be blackballed from practicing law ever again. We should tell the justice system that this sort of witch hunt in the name of copyrights will not be tolerated!

jbenton
jbenton

... like taking 10 free samples and giving them away outside the store which charges an admission fee to get the free samples, thus depriving the store of an expected income (could be Right, could be Wrong - depends how you spin it)

techrepublic@
techrepublic@

... (Ministério Público) stated that an IP is NOT enough to identify a person and would not bring charges against anyone based solely on a IP. This statement was made after the ACAPOR (http://acapor.pt/, an organization of audiovisual works creators and distributors) accused 2000 unknowns of copyright infringement with only the IPs as clues of the suspects identities.

Charles Bundy
Charles Bundy

Otherwise "powerless" masses have used these tactics to balance the scales wrt the "powerful" few. Depending on who writes the history they are either heroes or villains. You sir are apparently not a student of history. Lets just say another group of Bostonians did something similar concerning taxes and tea. You enjoy the fruits of such "Bonnie and Clyde" activities but certainly don't seem to appreciate at what cost they were delivered to you.

Charles Bundy
Charles Bundy

throw out a few facts. Charges were never brought wrt PACER, thus nothing to "drop". American justice punishes you at sentencing if you decide to exercise your constitutional right to trial. Last time I dealt with it you got an extra six points added at the federal sentence level. Aaron had legitimate access to JSTOR. If you read the indictment that's why they claim CFAA wrt him violating contract by using a scraper program. BTW most legal scholars decry the facts in this case. And the victim JSTOR along with local law enforcement weren't even going for one felony, much less going from four to thirteen in an effort to intimidate the defendant into a plea agreement to further their careers. That is what happened here, not a "pursuit of justice". Aaron not only thought they were in error (he would not plea), [b]everybody but Carmen Ortiz's office considered the DOJ actions egregious[/b]. Go to Google and search for - "Swartz didn't face prison until feds took over case, report says" "Ham Sandwich Nation: Due process when everything is a crime"

apotheon
apotheon

It's just another attack on anonymity, ultimately leading to attempts to make it illegal to use pseudonyms online at all, I think. Governments hate anonymity because they like to be able to target activists and critics just like they targeted Aaron Swartz.

info
info

Sorry, Jeff, but you are wrong. In any jurisdiction, the intent as such is not a crime, it is a compulsory element to commit a breach of rules, if this breach is declared to be a criminal offense by law. In other words - there is no crime even if there is such a breach without the proven intent of the person having willfully broken the rule to do so. In this regard, intent can be negligence - not caring that the breach may constitute a crime - or some sort of knowledge about the nature of the crime. If a person is self-reponsible of its actions in the face of the law, the law imposes that it is aware of all such rules properly published in the statute boooks regardless of individual knowledge. It is therefore totally irrelevant why Aaron Swartz was trying to hide his identity by changing MAC addresses. The crime is committed when and if such behaviour regardless of the hiding constitutes a breach of rules declared to be a crime by law. Actually, he did not hide his identity, as he made the facts public and some investigator working more or less hard to prove this, thus inciting him to declare himself. From what I have read about the Swartz case so far, I find it very difficult to understand for what he should be punished under criminal law. It may well be that for some reasons, he may have not respected all the ethical rules in place when playing with the elements showing his identity. This is certainly not a crime - we all are faced with this problem on a daily basis and must choose the appropriate solution our conscience will allow us to live with. However, there are some very eager individuals working in certain administrations or public institutions charged with enforcing the law trying to extend criminal protection beyond established principles. The idea is to disenchant others to do from what shall be made criminal by enlarging the scope of existing criminal law protection. Should the courts collaborate, to stop these efforts requires calling on civil liberty movements. In another context, administrative practice as experienced here is usually called mobbing. Tragic enough, this happend to the extent of driving Aaron Swartz to take his own live and therefore deserves proper consideration. The question is, what the movement he initiated will do now to stop this happen again. It was possible to dismantle SOPA and CISPA to a large extent for very good reasons, to stop the forces of evil to destroy the Internet liberties by using the IPU last year - so what is now the movement's answer to such mobbing?

apotheon
apotheon

As I understand it, he was trying to avoid being subjected to a second frivolous, highly stress-inducing investigation based on people trying to persecute him for doing nothing wrong. Are you now telling me that it's a case of fraud to try to avoid drawing the attention of those seeking to persecute you for nothing more than performing perfectly legal actions? The fact the investigators in the first case were FBI agents doesn't absolve them of culpability for pursuing an improper witch hunt investigation -- and the fact such a witch hunt investigation could result from Aaron's perfectly legal actions might have been enough to give him pause, to rethink how he does things so that he might be better protected. He probably figured "Well, this won't protect me from a targeted investigation, as it in no way really conceals the identity of the person doing it, but it might not trigger flags in some piece of software following network access behavior patterns on behalf of the witch hunt division of the FBI this time." Everything before the last comma in that hypothetical quote says "This is not fraud. I am not pretending to be someone else." Everything after that last comma says "I'm afraid of how people will ruin my life for doing something perfectly legal, so I should try to mitigate the likelihood of that." Yes, the technology is relevant, because the person using the technology in this case surely knows how it works and, as a result, surely is not using it to try to accomplish something (fraudulent concealment of identity) that he would know would not work anyway. How do you get form "This totally doesn't work like that, and Aaron Swartz would know it!" to "Aaron Swartz must have been trying to use it like that!" anyway? That makes no sense. It's like trying to prosecute a greenhouse manager for allowing Japanese maples to be grown in his greenhouse because they look like marijuana to the layman. "Marijuana is illegal, and this looks like marijuana, so we should put people in jail for growing this even though it's not actually marijuana or illegal in any way to grow it -- even if he's growing it knowing it's not marijuana because he's an expert horticulturist."

techrepublic@
techrepublic@

Changing MAC address does NOT in any way conceal a system. Someone like Aaron Swartz would know that. The change MAC to conceal system/user accusation is complete nonsense.

sboverie
sboverie

This type of lawyer gives a bad name to the ambulance chasers. The really bad news is that this type of lawyer is ambitious and will use the powerless to jump into an elected position and into congress.

SimonHobson
SimonHobson

Any reasonable person can see, and there is previous evidence for it, that applying too much pressure can drive someone to take their own life - hence I believe you would be correct in that there could be a charge of manslaughter to answer. However, there's not the slightest chance of ever getting that one off the ground. Lawyers attacking their own ? It would be like turkeys voting for Christmas (or insert relevant public holiday for your area).

info
info

The public prosecutor in Portugal is an official body charged with pursuing prospective criminal offenders to court for crimes committed there. Refusals can be scrutinized and overruled by the competent court. Courts and law enforcement have been very generous in helping bodies like ACAPOR to collect income for its members, if the infringement is substantiated. Bodies like ACAPOR always consider to shift respective work to legal enforcement. Without having examined the case, this may be sitting behind the prosecutor's refusal. Based on copyright, upper courts in Europe are very clear in holding a person seen as the owner of a machine using a specific IP address fully responsible for what is allocated to this machine in terms of civil as well as public and criminal law. SPs are obliged to take part in respective investigations on simple request by a claimant. In such regions, SPs expressively advise private customers to be careful with access rights and to control strictly users as well as use extent. This is publicly known and enforced against any traceable holder of the IP address, whose only excuse is to indicate the real offender.