I didn’t know Aaron Swartz, but I wish I’d followed the out-of-all-proportion charges the Department of Justice brought against him before his death. Swartz, of course, is the Internet prodigy who took his own life over the weekend, a few days after prosecutors insisted, according to his lawyer, that he go to prison for allegedly committing computer fraud by downloading 4.8 million articles from the academic database JSTOR.
The causes of suicide are almost always complex, and Swartz suffered from depression. I’m glad that’s been a clear thread running through the coverage of his death. But Swartz’s mental health history doesn’t change the fact that he was on the receiving end of blatant prosecutorial intimidation—an egregious overcharging of crimes by the U.S. attorney’s office in the name of setting an example. If the prospect of prison and high legal fees contributed to Swartz’s decision to take his life, as his family and his girlfriend say, then that is a tragedy that should lead to some serious soul searching at the Justice Department. Prosecutors wield enormous power over all of us. This case is one terribly sad example of what can happen when they abuse it.
Swartz was accused of going into an unlocked computer-wiring closet at MIT in September 2010, changing an IP address on a university computer, and using it to download the papers from JSTOR, which normally charges per article or per subscription. Why did Swartz monkey around this way with JSTOR? I’m not sure he ever explained this particular act, but it’s not wholly surprising given his record of passionate advocacy for freeing information online. He’s the guy who also figured out a way to download 20 percent of the government’s federal court database, PACER, another giant repository of information that charges user fees.
For this, Swartz was charged with fully 13 counts of violating the Computer Fraud and Abuse Act, which meant he faced millions of dollars in fines and up to 35 years in prison. This law is notoriously capacious. Prosecutors can stretch it to cover misdeeds that would otherwise barely qualify as illegal. To illustrate just how much overreach the act allows, law professor Orin Kerr, who writes at Volokh Conspiracy, once posted a ridiculous new terms of service for the blog and then wrote, “If you post an abusive comment; you are an employee of the U.S. government; your middle name is Ralph; you’re not super nice, as judged by me; or you have visited Alaska, I have kinda bad news for you: You are a criminal, as you have just violated 18 U.S.C. 1030(a)(2)(C) by accessing the Volokh Conspiracy’s service without authorization or in excess of authorization.”
You can argue with Swartz’s tactics—as Harvard law professor Lawrence Lessig, who knew and clearly loved Swartz, writes: “The causes that Aaron fought for are my causes too. But as much as I respect those who disagree with me about this, these means are not mine.” As Lessig emphasizes, however, not every miscreant deserves to have the full weight of the U.S. government come crashing down on him. JSTOR said Swartz did not sell or give away the articles he’d downloaded and declined to take any action against him. (MIT, by contrast, lamely remained silent throughout his prosecution—only now are administrators investigating the university’s involvement in Swartz’s case and promising a public accounting.)
In a detailed and convincing post, Alex Stamos, the expert witness who was planning to testify for Swartz at trial, points out that MIT deliberately operates an “extraordinarily open network” with few controls to prevent abuse. Any visitor can register, and it’s easy to bypass the controls that do exist by assigning yourself an IP address, according to Stamos. There are no terms of use or definition of abusive practices. And when Swartz downloaded the JSTOR articles, “the JSTOR website allowed an unlimited number of downloads by anybody” on MIT’s network. There were no controls for catching bulk downloads. And so, Stamos concludes,
Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack.” Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.
Compare this to the defense of the charges against Swartz by Carmen M. Ortiz, the U.S. attorney for Massachusetts, in 2011: “Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data, or dollars.” Whose characterization of the facts is more convincing? The government’s ratcheting up of charges against Swartz reeks of the worst kind of prosecutorial intimidation. I’m sure no one in the U.S. attorney’s office thought Swartz should actually go to prison for 35 years. But the heavy penalty was leverage to induce him to plead guilty—and, according to his lawyer, ensure that he accepted a plea agreement with some time behind bars.
Why do this to an icon of the hacker movement? In a fierce post that you should read in its entirety, Danah Boyd argues that the government saw Swartz as a way to show the hacker community who is boss. She writes:
When the federal government went after him—and MIT sheepishly played along—they weren’t treating him as a person who may or may not have done something stupid. He was an example. And the reason they threw the book at him wasn’t to teach him a lesson, but to make a point to the entire Cambridge hacker community that they were p0wned. It was a threat that had nothing to do with justice and everything to do with a broader battle over systemic power.
The underlying point Boyd is making, I think, is that the government doesn’t understand hackers and isn’t good at distinguishing between miscreant vigilantes like Swartz who are trying to free information systems and profit-driven or diabolical hackers who are trying to bring down those systems. That’s when an expansive law like the Computer Fraud and Abuse Act becomes dangerous. Prosecutors persuaded of their own righteousness, and woodenly equating downloading a deliberately unprotected database with stealing, lose all sense of proportion and bring in the heavy artillery when what’s in order is a far more mild penalty.
I’d like to tell you that the prosecutorial overreach that took place in Swartz’s case rarely happens. But that’s not true. There are many principled prosecutors who only bring charges they believe they can prove beyond a reasonable doubt. But there are also some who bring any charge they can think of to induce a defendant who may be guilty of a minor crime to plead guilty to a major one. These cases usually are hard to call attention to: They’re not about innocence, easy and pure. They’re about the muddier concept of proportionality. If any good at all can come from Swartz’s unspeakably sorrowful death, maybe it will be how this case makes prosecutors—and the rest of us—think about the space between guilt and innocence.
