http://www.bostonglobe.com/metro/2014/03/29/the-inside-story-mit-and-aaron-s... The inside story of MIT and Aaron Swartz More than a year after Swartz killed himself rather than face prosecution, questions about MIT's handling of the hacking case persist By Marcella Bombardieri | Globe Staff March 30, 2014 CAMBRIDGE -- The mysterious visitor called himself Gary Host at first, then Grace Host, which he shortened for his made-up e-mail address to "ghost," a joke apparently, perhaps signaling mischievousness -- or menace. The intruder was lurking somewhere on the MIT campus, downloading academic journal articles by the hundreds of thousands. The interloper was eventually traced to a laptop under a box in a basement wiring closet. He was Aaron Swartz, a brilliant young programmer and political activist. The cascade of events that followed would culminate in tragedy: a Secret Service investigation, a federal prosecution, and ultimately Swartz's suicide. But in the fall of 2010, Swartz was still a stranger in the shadows, and the university faced a hard question: How big a threat was the "ghost" downloader? And a harder one: What should be done about him? Answering those questions would prove a particularly knotty puzzle for the Massachusetts Institute of Technology, a place long supportive of the free flow of information and so famously friendly to pranks, known in MIT lingo as hacks, that a book published by the MIT Museum in the 1990s offered pranksters such tips as "always have two ways to run." And yet, MIT is a cradle of world-class scientific research with unpublished data and unpatented inventions on its network, and its leaders felt vulnerable to the rising tide of high-tech espionage. "There is some speculation that this might have been an MIT student experimenting with a robot," one MIT employee noted in an e-mail after a second breach by Swartz was discovered. But another pointed out that "sinister foreigners'' may have stolen credentials or compromised a computer. MIT's efforts to track down Swartz, while under intense pressure from JSTOR, the not-for-profit that ran the journal database, eventually would lead to felony computer crimes charges that might have brought years in jail. Swartz, 26, was under indictment when he committed suicide in January 2013. Critics, both on campus and around the world, have accused MIT of abandoning its values celebrating inventive risk-taking by helping to doom a young man whose project -- likely an act of civil disobedience to make information freely available -- didn't in the end cause serious harm. MIT has insisted it maintained an appropriate, even compassionate, neutrality toward a determined hacker who stole 4.8 million articles and eluded numerous efforts to stop him before the college sought help from police. But MIT's brand of neutrality proved one with notable limits, according to a Globe review of more than 7,000 pages of discovery documents -- many of them e-mails -- from Swartz's court case. In the wake of his death, both MIT and JSTOR posted online documents that they had turned over to authorities, a trove that drew little if any notice at the time. The Globe also obtained a number of e-mails related to the case not available publicly. Only with a patient review of the complete record does the full picture of the dilemma MIT faced become clear. The aftershocks of the choices the institution made in the wake of the "ghost" continue to reverberate, on campus and off, more than a year after Swartz's death. Most vividly, the e-mails underscore the dissonant instincts the university grappled with. There was the eagerness of some MIT employees to help investigators and prosecutors with the case, and then there was, by contrast, the glacial pace of the institution's early reaction to the intruder's provocation. MIT, for example, knew for 2 1/2 months which campus building the downloader had operated out of before anyone searched it for him or his laptop -- even as the university told JSTOR they had no way to identify the interloper. And once Swartz was unmasked, the ambivalence continued. MIT never encouraged Swartz's prosecution, and once told his prosecutor they had no interest in jail time. However, e-mails illustrate how MIT energetically assisted authorities in capturing him and gathering evidence -- even prodding JSTOR to get answers for prosecutors more quickly -- before a subpoena had been issued. In a handful of e-mails, individual MIT employees involved in the case aired sentiments that were far from neutral. One, for example, gushed to prosecutor Stephen P. Heymann about the quality of the indictment of Swartz. "Nicely done Steve and kudos! All points . . . are as accurate as I've ever seen," wrote the information technology employee. "(I only say that because every time I've ever given an interview, details are always slightly to horribly munged; not that I ever expected any less, it's just a true relief and very refreshing to see your accuracy and precision)." Yet if MIT eventually adopted a relatively hard line on Swartz, the university had also helped to make his misdeeds possible, the Globe review found. Numerous e-mails make it clear that the unusually easy access to the campus computer network, which Swartz took advantage of, had long been a concern to some of the university's information technology staff. Some at MIT believed that officials had failed to pay serious attention to what one person called "poor, limited, or outdated security protections" on resources like the JSTOR database. The documents also put JSTOR's role in the case in a new light. In contrast to MIT, the journal archive organization has been widely hailed for publicly distancing itself from Swartz's prosecution, declaring that once Swartz returned the documents, it "had no interest in this becoming an ongoing legal matter." But a number of JSTOR's internal e-mails show a much angrier face in the months that Swartz eluded capture, with employees sharing frustration about MIT's "rather tepid level of concern." JSTOR officials repeatedly raised the prospect, among themselves, of going to the police, e-mails show. "What's wrong with us . . . alerting the cyber-crimes division of law enforcement and initiating an investigation, having a cop search a dorm room and try to retrieve any hard drive that contains our content?" asked one JSTOR official, whose name -- like most -- was redacted in the released documents. In the end, JSTOR neither called the police nor asked MIT to do so, according to its president. Eric Grimson, who recently stepped down as chancellor of MIT, defended the university's handling of the case as a judicious effort to protect the community without seeking retribution. MIT's first steps, he said, were simply to deny the downloader access to the network. They didn't search for the laptop for many weeks because they thought he had been thwarted. When Swartz proved undeterred, he said, MIT had to do more. "We were confronted with a situation of an unknown user accessing our network," he said in an interview, "using it to download massive amounts of material . . . for a three-month period, and evading our efforts to try and stop it." MIT was harmed in the process, Grimson said, with 10,000 researchers denied an important resource for several days as JSTOR sought to cut off the mass downloading. Helping investigators pursue the campus intruder was the only reasonable course, he said. "I think we should as a matter of principle cooperate with law enforcement in an investigation of an alleged crime being committed on our campus," he said. "That's protecting our community." After Swartz's arrest, Grimson said, the university went out of its way to be fair to the defense, voluntarily making staff members available to answer questions from Swartz's attorneys. "I would like to suggest we took a path to try to balance being empathetic to Aaron's situation while acknowledging that there was a legal process involved," he said. Allure of openness Swartz was an Internet prodigy. By age 19, he had helped to build RSS, a service that allowed users to create personalized news feeds; to develop the social news website Reddit; and to establish Creative Commons, an alternative to traditional copyright more friendly to sharing. In his 20s, the restless Stanford dropout turned his energies to political activism. He helped launch several progressive political groups and was a major force behind a national wave of protest against the Stop Online Piracy Act, which targeted unauthorized sharing of videos and music, but which Swartz and others saw as an attack on free speech. While Swartz's motive for downloading the JSTOR archive remains unknown, there is one simple and plausible possibility: to make academic research freely available to the public. In 2008, he published a "Guerrilla Open Access Manifesto" in which he avowed a "moral imperative" to share scholarship locked behind exorbitant subscription walls. "It's time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture," he wrote. But why use MIT as his gateway -- or, to some eyes, his victim? He had a fellowship at Harvard at the time, which gave him access to JSTOR, but apparently worried about getting himself or his colleagues in hot water, since bulk downloading is forbidden by JSTOR. Since MIT had been known for generations for its idealistic devotion to the spirit of openness, venturing a couple of miles down Massachusetts Avenue may have seemed irresistible to Swartz. He had no formal tie to the university but had friends there and had been involved in campus activities. A blog entry Swartz wrote in 2009, titled "Honest Theft," neatly details his view of the school as a haven for rebelliousness. He described friends who he said secretly lived for free on campus, sleeping on couches in common rooms and stealing food from the cafeterias -- and using the money they saved "to promote the public good." "MIT has a notoriously relaxed security policy," he wrote, so his friends "likely wouldn't get in too much trouble." Indeed, MIT's own 180-page internal report on the Swartz case, released in July by a panel led by professor Hal Abelson, described a "culture of creative disobedience where students are encouraged to explore secret corners of the campus, commit good-spirited acts of vandalism . . . and resist restrictions that seem arbitrary or capricious." Student "hacks" have included putting a faux firetruck on the MIT Great Dome and turning a high-rise facade into a working Tetris game. They are meant to be public and harmless, but often involve trespassing and "borrowing" materials without permission, like a 3-ton cannon brazenly snatched from Caltech. The ethic of openness extends to MIT's computer network, where anyone on campus can get onto the wired network for 14 days by logging on as a guest, an extremely unusual perk for visitors to a university campus. As an MIT manager of network security noted in an e-mail reviewing the downloading case as it unfolded in October 2010, misuse of the MIT network was made possible by the fact that there was "no authentication of visitors" and "no identity verification." The open-door policy meant Swartz could easily sign in, as he did, as an anonymous guest with fake names and disposable e-mail addresses. Between 5 p.m. on Sept. 25, 2010, and 4 a.m. the next morning, the code Swartz wrote, which he called "keepgrabbing," downloaded 450,000 JSTOR articles. It was the opening salvo in a cat-and-mouse game that would extend over three months. JSTOR would cut off the Internet protocol address Swartz was using; he would switch to another. MIT detected and shut down the registration for his computer; he altered his computer's identifying information. Officials would conclude the ghost downloader had moved on, then he'd reappear weeks later. The maddening pursuit prompted some MIT technology personnel to say, essentially, I told you so. Databases like JSTOR's, some said, should have been kept behind a virtual gate -- though this would inconvenience legitimate users. "I frankly don't know why it's not used more," an employee wrote about such a security measure. Another employee in network security lamented that only the Swartz case prompted MIT to smarten up. "I hope it helps enlighten them to the need to really think long and hard about these issues. Kind of silly that it took a JSTOR crawling issue to get everyone a little frenzied." MIT and JSTOR did agree to a security upgrade after Swartz's second round of downloading was discovered in October 2010, requiring those seeking access to have MIT credentials. But it took JSTOR weeks to prepare for the change, the e-mails show. That delay would prove fateful. Aaron Swartz had only gotten started. Drawing concern at JSTOR Given the institution's global stature, MIT inevitably drew most of the public focus. But what Swartz did was more of a threat to JSTOR, a small organization in a precarious position. Its business is selling access to journal articles, but it doesn't own those articles. If it can't protect them, the journals could yank their material out of the library and threaten JSTOR's survival. Swartz ultimately downloaded 80 percent of JSTOR's archive, 4.8 million articles. At one point his downloading was so rapid, JSTOR e-mails said it created "a monstrous amount" of traffic that was "threatening the website." The stakes for MIT were murkier. The university's contract with JSTOR promised that it would guard against misuse, so there was some risk of losing an important library resource. And a rogue stranger poking around MIT's network could be truly dangerous. The discovery shortly before Swartz's arrest that his computer was being contacted from China raised passing fears of a foreign cyberattack, e-mails show, although such probing from overseas is quite routine. Yet MIT was used to seeing excessive downloading -- albeit on a much smaller scale -- and some staff downplayed the threat. "There will always be one person a semester who, regardless of intent, will write a script to crawl through some catalog," an MIT employee wrote when JSTOR first cut off the portion of campus where Swartz was operating. The MIT worker called JSTOR's move "draconian" and "knee-jerk." The result of their differing vulnerabilities, e-mails indicate, was that JSTOR was far more bellicose toward the interloper than was MIT -- at least until the days right before Swartz's arrest. JSTOR pressed again and again for MIT to find the downloader. Some of the archive's employees said MIT was being cooperative, but other staff members were irate at the university. "I am sure that if they had lost an equivalent number of books from their library overnight (what 25,000-30,000 books) they would not be so nonchalant," someone at JSTOR wrote in an e-mail. "This is an astronomical number of articles -- again, real theft," another wrote. "Does the university contact law enforcement? Would they be willing to do so in this instance?" When Swartz popped up again in late December after weeks of quiet, the tension was even plainer. "I might just be irked because I am up dealing with [the downloader] on a Sunday night," a JSTOR employee wrote, "but I am starting to feel like [MIT needs] to get a hold of this situation and right away or we need to offer to send them some help (read FBI)." These were "heat of the moment" reactions by officials anxious about an unknown threat, said Kevin M. Guthrie, president of ITHAKA, JSTOR's parent organization. "You get a report that 100,000 articles have been downloaded on a Saturday, you're trying to figure out what to do," he said in an interview. As for JSTOR's internal comments about calling the police, he said, "We talked about it, but we made a decision -- no, this wouldn't be appropriate; it's not our role to indicate that law enforcement should be called." When it came to Swartz's prosecution, JSTOR was notably reticent. It insisted on being served with a subpoena before it would provide information to the government and then, according to Abelson's report, tried to limit its answers. Guthrie told the Globe that the not-for-profit was simply trying to be careful. As for its decision to publicly oppose prosecution, he said, once Swartz returned the files, the journal provider was no longer interested in the matter. JSTOR was "trying to balance our obligation both to be good stewards of the content for the content owners and publishers, for our own viability, for broad access to information, and then the personal situation, the human situation," Guthrie said. JSTOR's very existence, he said, is all about broadening access to scholarly journals. Its fees go to support the archive, and it provides free access in developing countries. E-mails from before Swartz was captured suggest that JSTOR might also have been worried about its public image. The archive is already viewed in some quarters as a greedygatekeeper constricting the pursuit of knowledge. One JSTOR employee, in an e-mail addressing the possibility of bringing in law enforcement, noted several technical obstacles after opening with, "aside from the considerations about the PR of it all . . . " A sudden shift If MIT was initially slow to react to the "ghost," even tepid about the whole thing as some at JSTOR surmised, that changed drastically after the university learned of another breach in December 2010. After the laptop Swartz was accused of setting up to download JSTOR articles was found in a wiring closet at MIT, investigators left the computer up and running and installed a hidden camera. On the night after Christmas, JSTOR discovered a new round of downloading. It had actually started some 10 weeks earlier, but Swartz had slowed the process enough to avoid tripping alarms. Out on a furlough, MIT staff did not get the urgent messages from JSTOR until Jan. 3, 2011. "This is a heck of a way to start the new year," one person at MIT wrote. "We need to escalate the seriousness of our response. This looks like grand theft." And escalate MIT did. The academic building where the activity seemed to emanate from had been pinpointed in mid-October. But only on the morning of Jan. 4 did a network engineer began searching Building 16. He quickly discovered a laptop, hidden under a cardboard box, connected to the network from a wiring closet in the basement. MIT police decided they needed more help, and called a Cambridge police detective who belonged to a regional electronic crimes task force. He showed up with another task force member, a Secret Service agent named Michael S. Pickett. Seeking not only to find the downloader but to collect as much evidence as possible, they set up a hidden camera in the wiring closet. And instead of shutting down the laptop, the authorities decided to "leave it up and running for a couple of days while the investigation continues," a library employee wrote in an e-mail. "Now a federal case," the library staffer wrote in separate notes she took on a conversation with an MIT security analyst. "We [MIT] are considered the victim. All we provide is by choice -- not subpoenaed." That cooperation with law enforcement also extended to a senior MIT network engineer who monitored traffic to and from Swartz's laptop and appeared to be looking to Pickett for instructions. On Jan. 5, having collected 70 gigabytes of network traffic, he e-mailed the agent, "I was just wondering what the next step is." Swartz's lawyers argued that MIT, by monitoring Swartz and turning over materials to law enforcement without a court order, violated his Fourth Amendment rights. Abelson, who wrote MIT's own review, disagreed, and legal experts interviewed by the Globe differed on whether those arguments had merit. They were never ruled on by the judge in the case. Grimson, the former university chancellor, acknowledged in an interview that it would have been "cleaner" to ask prosecutors to seek a court order sooner. Turning over evidence without a subpoena raised, in some eyes, painful questions about MIT's avowed neutrality. Swartz was identified by the hidden camera and arrested on Jan. 6 after allegedly trying to flee police on Massachusetts Avenue in Cambridge. The startling discovery that the "ghost" downloader was a well-known activist prompted a few MIT employees to share their opinions with Pickett, the Secret Service agent, or their colleagues. "Looks like he is a big hacker, i googled him," one wrote to Pickett at midnight the morning after Swartz's arrest. That afternoon, someone from the IT security department wrote to Pickett, deeming Swartz a "really intelligent kid that just got buried under an avalanche of dumb." A few days later, Swartz took to Twitter to ask his followers if they knew anyone at JSTOR, presumably hoping he could defuse the situation. One person at MIT responded by circulating among colleagues a made-up message purporting to be what Swartz wanted to say to JSTOR. "hi, jstor, I'm still a few million pdf's shy of grabbing your whole db; really had high hopes on collecting the whole set by 1/1/11," it read. "could you tell me what number I left off at, because I don't currently have access to my lappy that was keeping track. k thnx bye." The MIT employee's commentary on his or her own fictional tweet: "LOL." The documents say little about what MIT was thinking and doing once the case morphed from an investigation into an active prosecution. But MIT's own report on the case raises serious questions about the wisdom of MIT's neutrality stance. The report noted that some within MIT believe "there has been a change in the institutional climate over recent years, where decisions have become driven more by a concern for minimizing risk than by strong affirmation of MIT values." The Computer Fraud and Abuse Act has been widely condemned as extreme in both its sweeping scope and its grave punishments. Sentencing guidelines suggest Swartz faced up to seven years in prison. To his supporters, MIT bears some responsibility for that fact. MIT officials privately told the prosecutor that the university had no interest in jail time, but refused to oppose his prosecution publicly or privately, despite repeated entreaties from Swartz's father, his lawyers, and a couple of faculty members, who argued MIT had the institutional heft to influence the US attorney's office. MIT may have also missed an opportunity to point out a potentially serious flaw in the case against Swartz. The Computer Fraud and Abuse Act charges centered on the claim that Swartz had unauthorized access to MIT and JSTOR's networks. But even if he was doing something improper, Swartz was logged on at MIT as a guest, leading Abelson and some legal observers to conclude that his access could be construed as authorized. It was hardly a clear-cut case, and the judge may not have agreed. But either way, MIT -- resolute about not getting drawn into a criminal case to which it was not a named party -- "paid little attention to the details of the charges," Abelson found. The institute simply did not consider whether Swartz may have been an authorized user under the terms of the law, according to the report. The defense didn't raise it, either, until close to Swartz's death. MIT was helping the prosecution "understand how to prosecute, what information is necessary to prosecute, but not taking steps to help them understand the limits to their prosecution," said Lawrence Lessig, a Harvard Law School professor who was close to Swartz. "Nobody would call that neutral. That's aiding and abetting the prosecution.'' Grimson defended MIT's decision to leave it up to the justice system to decide Swartz's fate, given that MIT leaders believe he harmed the school. And he disagreed that MIT is less driven by its ideals than it once was. He pointed to the Abelson report as an example of MIT's willingness to soul-search and learn from a tragedy. Still, he said, MIT will be second-guessing itself for a long time, and the university is still considering some policy changes in light of what happened to Swartz. Its first concrete move, last month, was to set up a presidential committee that will create an online data privacy policy. A famously sensitive person, Swartz had some history with depression. Yet loved ones insist that he was not clinically depressed before he hanged himself in his Brooklyn apartment on Jan. 11, 2013, but overwhelmed by the threat of years injail and the toll of fighting the charges. His father, Bob Swartz, believes that MIT's lack of compassion helped destroy his son's life. "We can't bring Aaron back, he can no longer be the tireless worker for good," he said at a memorial service for his son held at MIT last spring. "What we can do is change things for the better. We can work to change MIT so that it . . . once again becomes a place where risk and coloring outside the lines is encouraged, a space where the cruelties of the world are pushed back and our most creative flourish rather than being crushed."