by

The Hacks and the Hackers

The late Aaron Swartz was a “hacker” according to many newspaper accounts. But what does that mean? Few terms are as sloppily used in contemporary journalism as the verb hack and the noun hacker. A claim of “hacking” gives scarcely a clue about what the accused person might have done.

The core of the concept seems to involve obtaining information, or accomplishing remote actions, by means of computer programming, or information systems more generally, and especially through nefarious use of devices or gadgets: personal computers, bank machines, burglar alarms, card readers, keypads, garage-door openers, network routers, phones, remote controls—just about anything that controls more than a toaster oven.

Swartz, an open-access activist, disapproved of JSTOR’s policy of paying fees to wealthy publishers of academic papers while authors get nothing. His campaign against JSTOR began with downloading about 4.8 million articles which he apparently planned to release through file-sharing sites.

The Department of Justice charged him with 13 counts of serious crimes like wire fraud, computer fraud, and “recklessly damaging a protected computer.” He faced 30 years’ jail and a million-dollar fine. A guilty plea to all charges would still get him six months’ jail time. He was 26 and subject to depression. On January 11 he hanged himself.

His defenders characterize him as an innocent idealist hounded to death by federal prosecutors, claiming that morally he did nothing worse than taking out too many books from a free library. But as Stuart Shieber noted in an interesting post back in 2011, that’s a bit disingenuous.

The indictment document notes that Swartz did not access JSTOR from Harvard, where he had legitimate access as a Fellow at the Center for Ethics. He went down to MIT, where he had no affiliation, and broke into a wiring closet. There he hard-wired a concealed laptop and extra hard drive into a network switch, opened a guest account under a fake name, and started running a Python script called keepgrabbing.py to suck papers off JSTOR at such a rate that service slowed to a crawl and eventually JSTOR servers crashed.

MIT staff spotted the huge surge of activity on the network and tried to curtail it, because it was disrupting other people’s access, but Swartz used his technical skills to defeat them. They canceled his IP address, but he re-registered his laptop to get it assigned a new one. They barred his machine from getting IP addresses altogether, so he used MAC address spoofing to get it to misreport its identity. Eventually JSTOR simply cut off its service, denying all MIT researchers access for several days.

So it won’t do to pretend that Swartz did nothing illegal or harmful.

However, information-access offenses differ wildly in their degree of malignity and harmfulness. We are ill-served by the newspapers’ practice of deploying the “hacking” label in a way that conflates them all.

The extremes of malice and harmfulness are seen in activities like planting malware, releasing viruses, online identity theft, destroying records, deliberate overloading (“denial of service”), hijacking systems for use as robot spam-senders, robbing banks by tampering with financial systems, or reprogramming control systems at an Iranian nuclear plant in order to wreck centrifuges.

At the other end of the “hacking” spectrum lie activities like reading files, making unauthorized personal copies, unlocking archived information to give the public free access, or simply establishing an unauthorized login to a system and looking around to see what files there are.

Some activities described as “hacking” amount to little more than eavesdropping. A huge kerfuffle in Britain last year forced Rupert Murdoch to shut down an entire tabloid newspaper, The News of the World, over something called “mobile-phone hacking” by reporters. What is that, exactly? Apparently nothing more than dialing a cellphone number and trying out factory-set default voicemail access codes (e.g. 000) to see if you can listen to the phone messages. That’s illegal in Britain, as well as reprehensible, but it’s not a tech-savvy feat; it involves about as much technical sophistication as hiding behind someone’s seat on the bus to eavesdrop on their conversation.

Last week I read in a free British newspaper (Metro, January 15, 2013, Page 6) an allegation that teachers who “let children use Web images” for their school projects “are helping to produce a generation of hackers.” Get a grip! Use of images from the Web for personal projects in a nonprofit or educational context doesn’t even violate copyright provisions.

Whatever view we take about where particular activities sit in the spectrum of information-access crimes, we deserve better than this sort of linguistic sloppiness in newspaper discussions. Journalists need to explain clearly what alleged miscreants have done. Vague and lazy talk about “hacking” is not good enough.

Return to Top