MIT clears itself of responsibility for Aaron Swartz's prosecution

Father says the university failed its 'moral obligation' to his son


Six months after the suicide of internet activist Aaron Swartz, MIT has released a 182-page report into the university's involvement in his arrest and prosecution, and has determined that it did nothing wrong.

Swartz, who at 14 coauthored the RSS standard, subsequently cofounded Creative Commons and the Reddit online community, and is a recent inductee to the Internet Hall of Fame, was found hanging in his New York apartment in January, weeks before he was due for court hearings on 13 felony charges relating to his use of MIT's network to download 4.8 million papers from the JSTOR academic database.

"MIT did not 'target' Aaron Swartz, we did not seek federal prosecution, punishment or jail time, and we did not oppose a plea bargain," said MIT president Rafael Reif in a statement, although he did add the university would be reviewing its policies.

The report, prepared by MIT computer science professor Hal Abelson, economics professor and Institute professor emeritus Peter Diamond, and Washington attorney Andrew Grosso, has taken so long because it's based on the detailed examination of over 10,000 documents and many personal interviews, the authors said.

They found that the university had maintained a policy of strict neutrality, and did not attempt to influence the prosecution of Swartz by federal authorities. It also notes that "Swartz was neither a member of the MIT staff, nor an enrolled student nor alumnus, nor a member of the faculty."

But the report has angered Swartz's father, himself a member of MIT's Media Lab. In a statement to The Register, he said the report showed that MIT handed over information to the prosecution without subpoena warrant (a courtesy not extended to Swartz's defense team), and withheld information and witness lists that were handed to government investigators.

"Having now read Abelson's report, it is clear that MIT in fact played a central role in Aaron's suicide," Robert Swartz said. "MIT made numerous mistakes that warrant further examination and significant changes. MIT was not neutral in the legal case against Aaron. Whether MIT was neutral or not is a red herring: the university had a moral obligation to advocate on Aaron's behalf."

Who called whom?

The report details how MIT was initially contacted by research archive JSTOR because of a server-crashing number of downloads being requested by MIT's network. The requests appeared to stop after a while, but JSOTR got back in touch when it became apparent that the request frequency had been slowed and 4.8 million articles had been copied.

Trying to trace the source, the university's IT staff found a laptop in a cardboard box in one of their network rooms and called MIT police, who determined they didn't have the skills to handle it. They called the local Cambridge police, and a local detective arrived with a Secret Service and an officer from the Boston Police Department in tow.

The Secret Service agent tried and failed to copy the hard drive, so the laptop was fingerprinted and a camera was installed to monitor it. Just half an hour later someone did come in and swap out the laptop hard drive, but then left before MIT police could arrive.

A second visit was noted two days later, and this time an off-duty MIT police officer was in an unmarked police car that just happened to be near the building. He had a still image of the laptop's visitor, saw a cyclist matching the picture, and stopped him for questioning.

The report says the cyclist was Swartz, who ran away when questioned but was later apprehended by the policeman and a colleague. He refused to answer questions, so the local police were called and he was taken away to be charged. MIT did not ask for charges to be brought, the report states, and JSTOR didn't wish to either. But the US Department of Justice had other ideas.

US attorney Carmen Ortiz and her assistant Stephen Heymann used the provisions of the Computer Fraud and Abuse Act to rack up 13 felony charges against Swartz that would have seen him behind bars for a maximum of 35 years and facing $1m in fines. Swartz, 26, committed suicide shortly before hearings began.

Two charges of misconduct have since been filed against Heymann, but Ortiz has defended her handling of the case, saying that her "office's conduct was appropriate in bringing and handling this case." She said that the prosecution was only planning to ask for six months in prison, and had no intention of asking for a maximum sentence, particularly as it was clear Swartz wasn't harvesting the JSTOR archives for personal gain.

You can't be neutral on a moving train

Harvard law professor Lawrence Lessig, who was a close friend of Swartz, said that MIT's report showed the "emptiness in the concept of 'neutrality'," and in fact shows the extent to which the university's lack of action doomed Swartz to prosecution.

"'Neutrality' is one of those empty words that somehow has achieved sacred and context-free acceptance – like 'transparency', but don't get me started on that again," he writes. "But there are obviously plenty of contexts in which to be 'neutral' is simply to be wrong."

The lynchpin of the government's case against Swartz was that he had unauthorized access to MIT's network. But, he says, the report states that MIT never told police of federal prosecutors if Swartz wasn't authorized to use the network, and apparently didn't even bother to decide this itself.

The report does note that had Swartz asked for access in the usual way he would have been granted it under the terms of MIT's open guest policy for network use and, "it might be argued that Aaron Swartz accessed the MIT network with authorization." The university neglected to mention this to the either prosecution or defense teams, however.

"If indeed MIT recognized this, and didn't explicitly say either privately or publicly that Aaron was likely not guilty of the crime charged, then that failure to speak can't be defended by the concept of 'neutrality'," Lessig concludes. ®

Narrower topics


Other stories you might like

  • Trio accused of selling $88m of pirated Avaya licenses
    Rogue insider generated keys, resold them to blow the cash on gold, crypto, and more, prosecutors say

    Three people accused of selling pirate software licenses worth more than $88 million have been charged with fraud.

    The software in question is built and sold by US-based Avaya, which provides, among other things, a telephone system called IP Office to small and medium-sized businesses. To add phones and enable features such as voicemail, customers buy the necessary software licenses from an Avaya reseller or distributor. These licenses are generated by the vendor, and once installed, the features are activated.

    In charges unsealed on Tuesday, it is alleged Brad Pearce, a 46-year-old long-time Avaya customer service worker, used his system administrator access to generate license keys tens of millions of dollars without permission. Each license could sell for $100 to thousands of dollars.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Feds raid dark web market selling data on 24 million Americans
    SSNDOB sold email addresses, passwords, credit card numbers, SSNs and more

    US law enforcement has shut down another dark web market, seizing and dismantling SSNDOB, a site dealing in stolen personal information.

    Led by the IRS' criminal investigation division, the DOJ, and the FBI, the investigation gained control of four of SSNDOB's domains, hobbling its ability to generate cash. The agents said it raked in more than $19 million since coming online in 2015.

    Continue reading
  • US won’t prosecute ‘good faith’ security researchers under CFAA
    Well, that clears things up? Maybe not

    The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

    Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

    Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

    Continue reading
  • US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
    Citizen allegedly moved $10m-plus in BTC into banned nation

    US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.

    It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.

    Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action. 

    Continue reading
  • Ukrainian crook jailed in US for selling thousands of stolen login credentials
    Touting info on 6,700 compromised systems will get you four years behind bars

    A Ukrainian man has been sentenced to four years in a US federal prison for selling on a dark-web marketplace stolen login credentials for more than 6,700 compromised servers.

    Glib Oleksandr Ivanov-Tolpintsev, 28, was arrested by Polish authorities in Korczowa, Poland, on October 3, 2020, and extradited to America. He pleaded guilty on February 22, and was sentenced on Thursday in a Florida federal district court. The court also ordered Ivanov-Tolpintsev, of Chernivtsi, Ukraine, to forfeit his ill-gotten gains of $82,648 from the credential theft scheme.

    The prosecution's documents [PDF] detail an unnamed, dark-web marketplace on which usernames and passwords along with personal data, including more than 330,000 dates of birth and social security numbers belonging to US residents, were bought and sold illegally.

    Continue reading

Biting the hand that feeds IT © 1998–2022