Aaron Swartz was no criminal
Dan Purcell, one of Swartz’ lawyers, writes about the spiteful and unreasonable charges that led to his suicide—and MIT’s gutless support of his prosecutors.
Reprinted from boingboing.net, Nov. 18, 2014.
I am a lawyer in San Francisco with a firm called Keker & Van Nest. I was one of Aaron’s lawyers in his criminal case, in 2012 and early 2013.
I didn’t know Aaron that well, and our interactions were always colored by the fact that he didn’t really want to be talking to me. I was a criminal defense lawyer after all, and the only reason we knew each other was because he was facing a federal criminal indictment under the CFAA (Computer Fraud and Abuse Act) for computer fraud.
Those of you who knew Aaron don’t need me to tell you what kind of person he was. Brian Knappenberger’s excellent movie, “The Internet’s Own Boy,” will tell you more about Aaron than I could. But one thing Aaron was not was a criminal, and I’m here to clear up a few misconceptions you may have about what he did and what he was charged with.
One thing that drives me crazy is when people refer to his criminal case as a case about “hacking.” And they do it in sort of a pejorative, scary way. And it’s just nonsense. Aaron was, of course, a hacker in the broad sense of the term: he was an innovative thinker, looking for creative ways around problems. But in the criminal sense of the word, as somebody who breaks into a secure computer system for nefarious purposes, Aaron was no hacker, and he didn’t do anything like that.
One thing that Aaron strongly believed was that the advances, the discoveries and the secrets we’ve collectively unlocked over the past millennia, about how the world works, belong to all of us. Aaron greatly resented people or entities who try to lock up scientific knowledge and keep it away from general use, so they might monetize it for personal gain.
You might be surprised at how much money is being made in this world by entities that follow just that business model. They take things that are in the public domain, and take them out of the public domain, and then charge for access to them. One field where this happens a lot is academic publishing. Obviously, there is so much information in so many books that it’s not practical to just have physical copies of them all. Digitizing all that data is an easy solution, and indeed there are many places to look up scholarly content online. But when you go to try to do that, you’ll generally find that there’s a subscription fee, or you can’t access them unless you are affiliated with a certain institution. They’re in the public domain—meaning that everyone is entitled to read it—but they’re not actually public or available for public use.
This bothered Aaron. It bothered him a lot. And he had fought against this problem throughout his life. He wanted to teach the system a lesson. So, he went to MIT, a university that had, and still has, one of the most permissive computer networks in the world—certainly for an institution of that size. At the time he did what he did, in 2010-2011, anyone in the world could walk onto MIT’s campus. With or without a student ID. With or without any affiliation with MIT at all. They could log on to MIT’s system as a guest. They didn’t have to use their real name. And then they could do whatever they wanted on MIT’s system.
One thing that MIT made available to its users was access to JSTOR, an online database of scholarly materials. So anybody in the world could go to MITs campus, they could get on to JSTOR, and they could download articles from JSTOR Anyone.
That’s what Aaron did.
He went to the MIT campus, like anyone could have done. He logged onto the system, like anyone could have done. He went on to JSTOR, like anyone could have done. And he downloaded articles.
That is not hacking. That is walking through a door that MIT, the owner of the door, deliberately left open for anyone to walk through.
Of course, the story’s not exactly that simple, because Aaron didn’t want to take the time to manually download thousands of articles, which would have been impractical. He wrote what experts have confirmed was a fairly simple computer program to automate the downloading. So he left his laptop behind, and he went on his way. He downloaded the files, but he didn’t steal anything; he used the access freely given at MIT. All the articles that he downloaded stayed in the JSTOR database. They were still available to anybody with access to JSTOR. If you have a JSTOR subscription, and you go to the database, they are still there today. He didn’t deprive anybody of access to that material.
After a while, JSTOR noticed the downloading activity and JSTOR shut down access to their database from MIT’s network. For a few days, nobody could get onto JSTOR using the MIT network. That was an inconvenience, for sure, but it was temporary, and MIT’s access to JSTOR was soon restored.
What Aaron did, whether you call it a prank or a consciousness-raising exercise, was not a crime. He downloaded a bunch of articles he was permitted to access using an automated program that made it easier. The idea that anybody could think that was a crime was insane to me. Was it inconsiderate? Possibly. Many acts of civil disobedience and conscious-raising are, and I think Aaron probably would have pleaded guilty to that.
JSTOR was the ostensible victim here, but JSTOR made it clear from the start that they didn’t see this as a Federal case. They didn’t want Aaron to be prosecuted; they just basically wanted it to be over.
So, why all the fuss? Why did this terrible thing happen?
The first reason is prosecutorial discretion. The prosecutor was Steve Heymann, the head of the Computer Crimes division of the United States Attorney’s office in Boston. You’ll hear a little from him, and a little about him, in Brian’s movie, but I have nothing good to say about him. You might ask, like I did, what Aaron’s actions had to do with “computer crimes.” Aaron hadn’t broken into a secure network and stolen credit card numbers. He hadn’t stolen anyone’s healthcare data. He hadn’t violated anyone’s privacy. He hadn’t caused anybody to lose any money. There are things that are “computer crimes” that we all recognize are invasive and dangerous, and this was not one of them.
But Steve Heymann did what bureaucrats and functionaries often choose to do. He wanted make a big case to justify his existence and justify his budget. The casualties be damned.
Unfortunately, he had a lot of weapons on his side, in addition to having the power of the Federal Government. He had the Computer Fraud and Abuse Act, which is an over broad federal statute that has been made more broad by federal prosecutors trying to stretch its terms. But under the indictment in Aaron’s case, the government still had to prove that Aaron had gained unauthorized access to a computer system. Our defense was really pretty simple. There were going to be other nuances, and we were going to talk a lot about Aaron’s motivations and the type of person Aaron was, but our bottom line was going to be that Aaron had done only what MIT permitted him to do. He hadn’t gained unauthorized access to anything. He had gained access to JSTOR with full authorization from MIT. Just like anyone in the jury pool, anyone reading Boing Boing, or anyone in the country could have done.
We hoped that the jury would understand that and would acquit Aaron, and it quickly became obvious to us that there really wasn’t going to be opportunity to resolve the case short of trial because Steve Heymann was unreasonable.
Of course, after Aaron’s passing, it’s really easy for them to say “35 years. That was a bluff. It was never gonna happen.” That was not what they were telling us. Heymann always insisted on a sentence of hard time in Federal Prison. We said, “this is really a very trivial thing. Can’t we resolve it with probation or some other thing that made a little more sense and would make it possible for Aaron to go on with his life?”
He said “no.” He insisted that Aaron plead to a felony and serve prison time. And of course, what he said, as prosecutors often do, is that if we go to trial, it won’t be so easy, and if we lose, well, this is a tough judge, and the prosecution is going to recommend a very difficult sentence. Aaron may end up having a term of years.
These after-the-fact statements they’re making in the media, to try to make them seem more reasonable? That’s all they are.
It really goes to show you how much power prosecutors wield in our Federal system. They dictate the charges that are brought. They dictate how serious the sentence will be, because the sentence depends on how the crime is charged, and there are sentencing guidelines that limit the judge’s discretion. And if a prosecutor has bad judgment, as Steve Heymann did—blowing out of all proporition a harmless effort to point out a problem with how public-domain information is being locked up—there isn’t a lot you can do about that other than fight, and the consequences can be terrible.
The second reason for this terrible outcome is MIT.
As a defense attorney, I never expect the prosecutors to do the right thing, but I did expect MIT to do the right thing. JSTOR, as I said, came out and said “We don’t want to see Aaron prosecuted. We consider the matter closed.” MIT never did that. MIT carries a lot of water in Boston. I don’t know if they could have stopped Heymann from prosecuting Aaron, but they could have done a lot more than they did.
MIT is an institution that was known for creativity, for hacking, for pranks, for pushing the boundaries—and for showing the good can come out of it. In this case, they responded like a typical corporation. They were entirely gutless. They were supplicants to the government, and they did whatever they could to help the government’s case. They were not cooperative with us. A lot of people in the MIT community are furious with MIT, and I think they have good reason to be.
There’s no question that Aaron paid a price because of who he was, because he was in the habit of sticking his thumb in the eye of the government, of challenging things, and of challenging certain things that were happening that weren’t fair. He was an activist, and he wasn’t afraid to ruffle a few feathers.
We’ll see what the FOIA requests come to. I don’t think there were orders from on high to hurt Aaron, and that Steven Heymann was just the arm of the law. But there’s no question in our society, those that go along, get along better, and Aaron wasn’t willing to go along, much to his credit.
In the end, the whole thing makes me very sad. It is sad for all of us that Aaron is no longer with us. Sad for his family and friends, most of all. I’m sad I didn’t have the chance to try to help him, and walk him out of the courtroom a free man. We could have done that, and it was certainly what he deserved. But I’m glad to honor Aaron’s memory, and to think about what we can do for our own sakes, and our country’s sake.
About the Author
Dan Purcell is a trial lawyer at Keker & Van Nest LLP in San Francisco and a graduate of UC-Berkeley School of Law. In 2012 and 2013, he defended Aaron Swartz against allegations of computer fraud.