Programmer Is Charged With Hacking Into Journal Database

July 19, 2011, 6:25 pm

A 24-year-old online activist was charged Tuesday with sneaking into a computer closet at the Massachusetts Institute of Technology and making unauthorized downloads of more than four million journal articles.

The programmer, Aaron Swartz, was a fellow at Harvard University’s Center for Ethics at the time of the alleged hack, and he is the founder of a lobbying group called Demand Progress, which focuses on technology-policy issues. He pleaded not guilty to all charges and was released on $100,000 bail.

The programmer reportedly broke into a computer-wiring closet at the campus to access the university network and downloaded thousands of files from JSTOR—an online database of scholarly articles and journals. The university pays a subscription fee for use of the database.

The U.S. Attorney’s Office in the U.S. District Court of Massachusetts charged Mr. Swartz with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer.

In a statement, JSTOR confirmed that it had secured the digital content Mr. Swartz allegedly stole and that none of the downloaded information included identifying information about database users.

The publisher of JSTOR attempted to distance itself from the criminal investigation, and noted in a statement that it was subpoenaed by the U.S. Attorney’s Office and was cooperating. “We were interested in making sure it was secure and wasn’t disseminated,” said Heidi McGregor, vice president of marketing and communications at JSTOR, of the recovered information.

According to the indictment, Mr. Swartz’s repeated attempts at downloading large numbers of files from September to January eventually caused JSTOR computers to crash and tipped off university officials of the breach.

MIT officials declined to comment on the case.

Demand Progress set up a petition in support of its founder on its Web site and wrote: “As best as we can tell, he is being charged with allegedly downloading too many journal articles from the Web.”

The group’s executive director, David Segal, was quoted in the same blog post as saying “it’s like trying to put someone in jail for allegedly checking too many books out of the library.” Mr. Segal called the charges bizarre and maintained Mr. Swartz’s commitment to ethics and open government.

The indictment outlined various attempts by Mr. Swartz to mask his identity while downloading the information, including setting up fake university accounts and obtaining new IP addresses after JSTOR and the university blocked access to his laptop computer.

Mr. Swartz faces up to 35 years in prison and up to $1 million in fees if convicted. His trial is set for September.

This entry was posted in Legal Troubles, Security. Bookmark the permalink.

E-mail

electronicmuse

The notion that “information” should be “free” is näive and disengenuous. Näive, because information has value just like other goods and services: human beings create it, and their efforts-and possibilities for remuneration, should not be trampled on by thieves. Disengenuous, because it is all to easy to babble about “freedom” when it’s your ox that is not being gored. Any of us might make a valid philosophical argument that food should be free. But, who then will farm? People really are hungry, Mr. Swartz. Why don’t you “free” some food at your local grocer, and see how that turns out for you? Come off your phony philosophical perch!

In this narrow example, JSTOR personnel spent a lot of time and money to amass those articles and prepare them for online dissemination. It’s a wonderful service for researchers. Who will do this in future if a fast-talking miscreant is allowed to gain unlawful access and give these materials away? Lest we forget, individuals create intellectual property, and if we expect to have such property in future, those who create it-and disseminate it, must have every reasonable expectation to be paid for their labors. Stopping theft of intellectual property dead in its tracks has both moral and practical imperatives, as indicated.

Mr. Swartz: do not pass Go, do not collect $200. Go directly to jail.
http://twitter.com/hpasmit Anja Smit

Interesting to see how ‘stealing’ information will be defined in this case.
electronicmuse

According to the article, “breaking and entering” is not a new concept . . .
nuffsed

Obviously, if the charges are true Harvard’s Center for Ethics is not doing a very good job.
joelpsu

Even crooks can have their ethics.
mbelvadi

This is a bizarre story and I’m suspicious about whether many of the facts are being reported accurately. First it says “4 million articles” then “thousands of files”. In JSTOR, an article is a PDF file, so these two numbers ought not to be off by 3 orders of magnitude. It doesn’t explain why he would break into a network closet to do what he could do openly at a computer in the library (unless MIT does not allow walk-in public users to access their databases or use USB sticks?). And I’m very skeptical of the claim that he actually crashed JSTOR’s servers – I’ve been involved once before with a case of a rogue public member abusing our JSTOR account, and learned that JSTOR has excellent trip-wire functions on their backend to catch this kind of activity long before it could actually crash their servers. I think it’s more likely that he triggered JSTOR’s auto blocking of MIT’s access, and somewhere along the reporting route someone converted that into a “crash” which certainly sounds more dramatic than “JSTOR cut off MIT’s access to the database”.
mbelvadi

I’m a little confused as to what is a civil action and what is a criminal charge in this story. The over-downloading of data from JSTOR strikes me as a civil lawsuit matter, violating the JSTOR contract with MIT regarding appropriate use of the service. But this article presents it as if he faces criminal charges for “theft” even though no actual theft occurred (copyright infringement is NOT theft, legally). Obviously there are some criminal actions described involving the MIT property and network facilities but I don’t see any criminal activity with regards to JSTOR itself and the journal articles, just a cause for civil action (and probably between JSTOR and MIT, the signatories to the contract). Copyright law does allow for criminal charges in cases involving “willfull” violations and maybe that’s what law enforcement is reaching for in this case, but I was under the impression that that clause was intended for situations in which widespread dissemination/sale of the illegally copied materials took place and this story seems to explicitly deny that kind of outcome.
schrameijer

I agree strongly with electronicmuses principle: the creators of information own it and should
be compensated for their efforts, including writing them down. What is left out of this argument, however, is who can lay claim to this authorship in the wider sense of the term. The proceeds of an article – brilliant or mediocre – in which no one else put any investment of any kind, belong to the writer. The writers’ teachers and source material are paid for already and other
contributors such as friends and parents are none of our business. It’s different as soon as tax-money went specifically into the research which informed the article. Then taxpayers have a right to free information about the results of their collective investment. Clear as the matter may be in principle, one would have to agree on a cut-off point: how large should the
public investment be before it should be easily, preferably freely available: 1%, 5%, 51%?
Or should a system be worked out in which the general public has to pay in (reverse) proportion to its investment?

Across a large gray area in which it is unclear to what extent the author should be the sole
recipient of the proceeds of his or her writing, there are problematic privately funded intellectual endeavors as well. On the face of it the public should pay to be informed about them, if it is to be informed at all. But how about the pharmaceutical industry: should it be allowed to suppress unwelcome results of its research, while publicizing widely, such as in advertisments, about economically promising results? I don’t think so. Here of course organizations such as the FDA in the US can impose the obligation not to hold back unfavorable results or devise any number of measures against this practice. In this and similar cases, however, two question marks are in order. One is the extent to which commercially relevant research actually is privately funded – less so then we are led to believe would be
my guess. The other stems from the efficacy of measures against the aforementioned self-interested cherry-picking in the publication of research results. I suspect this efficacy is low enough to advocate an obligation to make all research which underlies decisions that are relevant to the wellbeing of the general public to be easily available at no or minimum cost.

Though I still do agree with electromuses principle, I wouldn’t be surprised if these amendments would in practice lead to the reasonable conclusion that the vast majority of publications should be freely accessible.
elser

Swartz’s actions are illegal of course. But does he deserve to go in jail? A painful fee and a few months on parole should be sufficient to deter him from future hacking.

It is, by the way, worth reading Demand Progress’s statement on the issue. It seems to suggest that Swartz was using the articles for serious research …
lcsarin

Libraries have enough trouble negotiating contracts with vendors which require them to limit access and create security protocols which, though necessary, can create a barrier to access for students who want to use the libraries electronic resources for their intended purpose.

Swartz’s actions have the potential of creating newer and stricter security protocols for databases and online resources-just what libraries and patrons needed…
nyhist

If he was doing legitimate research, why adopt false accounts and IP addresses?
Why break into a computer facility at MIT if he was a fellow at Harvard? Both universities have access to JSTOR. Perhaps his connection with Harvard had ended and so he no longer had access to JSTOR under its contract?
From the statement by Demand Access, it appears he has done very interesting metanalysis of large numbers of published works (from Lexis-Nexis??), and that would certainly be an appropriate use of articles from JSTOR (which I consult frequently). Surely he could have informed JSTOR what he was up to, if it was indeed appropriate, and negotiated with them for extensive access.
But what was going on here? We may have to wait for his trial to find out.
Marie M

So if I took the time to download 4 million articles individually, could I get arrested? This lawsuit is silly. MIT and JSTOR are angry because a 24 year old was able to point out the feebleness of their security.
johnbarnes

I agree. The report seems to have been written or perhaps edited by someone who didn’t quite understand how things worked but was sure there was a story here somewhere. And there probably is, but it’s lost in the tangle of sentences that don’t sound right.
tonysanfilippo

Here’s the actual indictment, if you’d like to see what he’s actually being charged with. It doesn’t look like stealing information is on the list.
http://www.facebook.com/people/Antsy-Kuhnwisse/100002159499682 Antsy Kuhnwisse

Alleged actions, you mean. And I agree that 35 years in prison sounds *wayyy* out of line for what Swartz is alleged to have done. But the actions, as described, do seem callous and selfish and … *large* enough to warrant some jail time.
not4nothin

I must be missing the point. What’s his motive for downloading all that stuff? It has value as academic research reference material. It’s not like he could sell it on the street to students without access to JStor – like he could a JStor login and password. Is he gonna set up a knock-off database – “SwartzStor?” Why do it?
iliad1954

Kleptomaniacs really need a motive? It’s all about the rush, man! Ultimately, that’s probably the motivation here too.
iliad1954

Right. And if an investment of public money results in a new invention or a new drug, those ought to be provided free to everybody too. Like how everybody gets access the internet for free because the government originally built it. Except they don’t. Huh.
dunkertim

Their protective security may have been feeble, but their solution did catch him, so I doubt HE would say it was feeble.
vatican

WOW, I guess I better be careful not to download too many articles for my research.
teachfordamasses

Please understand that “ethics” is not the same thing as “legality” or even “right vs wrong.” It’s a meta-level philosophical construct that can be, and often is, used by some to violate social or legal norms and rules in the interest of what they see as a higher-order virtue. E.g (and I’m not supporting or criticizing these actions, just explaining what ethics means): lying to an oppressive political regime about resistance activities (Nazis/France), releasing lab animals (PETA), stealing a loaf of bread to feed your starving family (Les Miz).

The point I assume this hacker is trying to make is precisely that the hiding-for-profit of information IS an ethical issue (whether or not that position is justifiable and whether or not you or I agree), not merely a legal one. In most schemata of ethical development, focus on legal rules for behavior as the sole factor in making choices in difficult situations is not understood as being very far along the developmental dimension. I am not supporting what he did (I think it was criminal), but trying to explain how folks come to do things like this for what they see as an ultimate benefit to society.
jimislew

4.8 million articles, of which 1.7 were for purchase from JSTOR, is clearly theft.
jimislew

Count 3 is close.
ellenhunt

Oh, for fribble’s sake. This, and the age of the “perp” is on the order of a college prank. There does not appear to be (on its face) any particular rhyme or reason for what he did aside from that he did it. In my mind it goes in the category of placing the automobile on top of the tower at UC Berkeley. (We still don’t know how that was done.)

At absolute worst, this is like staging a sit-in in a library or occupying the offices of the administration in protest. B … F … D.

Jail? What kind of martinet sends a college kid to jail for something that caused no harm to the “victim” was of no financial utility to the “perp” and is as meaningless decorating the Dean’s house with toilet paper.

Dear god. Have SOME sense of proportion.
electronicmuse

Stealing the intellectual property of thousands of people is nothing like a prank. You’ve been taken in by the sheepdip grin of this “perp,” and he is one for certain. Whether there has been harm to the victims, or not, remains to be seen . . . can anybody truly vouchsafe that he hasn’t already disseminated these data? Don’t think they can.

Having some sense of proportion would include thinking about the victims. This is not a “victimless” crime. There are the authors, and all those at JSTOR who labored long and hard to bring this material to actual scholars. What kind of effort do you imagine it takes to create such a database? Then there are the fees paid to JSTOR, that represent a cost to each qualified faculty member, whether they use this service or not. How ya gonna pay all those paychecks?

Short-sheeting at camp is a prank. This is theft. Have you ever actually been in the position of having your intellectual property ripped off? Does your paycheck depend on what you actually produce? That is, is it your ox that is being gored? Right.
electronicmuse

How can you blame a group of people for the misdeeds of one?
electronicmuse

Intelligent comments. My caveat would be this, and I don’t think it’s merely a semantic: “freely accessible” and “free” are not the same thing. Thanks for your perspective.
electronicmuse

You’re dern tootin’. Either that, or he’s the “most prolific” scholar and “fastest speed reader” known to creation!
eajmtp2

I think the critical phrase in this whole article is: “The programmer reportedly broke into a computer-wiring closet at the campus to access the university network.” Would the commentators who approve of his actions feel the same way if he broke into their offices and used their computers to access materials that they had stored on them? The issue here is not one of tapping on amorphous freely flowing “information” as the advocates of information liberation would have it. Even if it were only a matter of remotely tapping into a computer, there is actually a physical theft involved – the theft of electricity – a fact which has been important in Japan, where, Rohas Nagpal notes: “unauthorised access is, also after the criminal law reform of 1987, only punishable with regard to certain consequences of the offence, e.g. as obstruction of business (Article 234-2 Penal Code) or theft of electricity (Article 245, 235 Penal Code).” The heart of the problem here (in Japan) is that plagiarism is largely unacknowledged as a social issue – therefore the unauthorized use of another’s ideas gets short shrift. However academics should realize that the rationale that information should simply be there for the taking is merely another way of saying we should be free to plagiarize whatever, whenever and wherever we want.