"Nicely done Steve and kudos! All points . . . are as accurate as I've ever seen,"

Sun Mar 30 18:23:53 PDT 2014

http://www.bostonglobe.com/metro/2014/03/29/the-inside-story-mit-and-aaron-swartz/YvJZ5P6VHaPJusReuaN7SI/story.html

The inside story of MIT and Aaron Swartz

More than a year after Swartz killed himself rather than face
prosecution, questions about MIT's handling of the hacking case
persist

 By Marcella Bombardieri | Globe Staff   March 30, 2014

CAMBRIDGE -- The mysterious visitor called himself Gary Host at first,
then Grace Host, which he shortened for his made-up e-mail address to
"ghost," a joke apparently, perhaps signaling mischievousness -- or
menace. The intruder was lurking somewhere on the MIT campus,
downloading academic journal articles by the hundreds of thousands.

The interloper was eventually traced to a laptop under a box in a
basement wiring closet. He was Aaron Swartz, a brilliant young
programmer and political activist. The cascade of events that followed
would culminate in tragedy: a Secret Service investigation, a federal
prosecution, and ultimately Swartz's suicide.

But in the fall of 2010, Swartz was still a stranger in the shadows,
and the university faced a hard question: How big a threat was the
"ghost" downloader? And a harder one: What should be done about him?

Answering those questions would prove a particularly knotty puzzle for
the Massachusetts Institute of Technology, a place long supportive of
the free flow of information and so famously friendly to pranks, known
in MIT lingo as hacks, that a book published by the MIT Museum in the
1990s offered pranksters such tips as "always have two ways to run."

And yet, MIT is a cradle of world-class scientific research with
unpublished data and unpatented inventions on its network, and its
leaders felt vulnerable to the rising tide of high-tech espionage.

"There is some speculation that this might have been an MIT student
experimenting with a robot," one MIT employee noted in an e-mail after
a second breach by Swartz was discovered. But another pointed out that
"sinister foreigners'' may have stolen credentials or compromised a
computer.

MIT's efforts to track down Swartz, while under intense pressure from
JSTOR, the not-for-profit that ran the journal database, eventually
would lead to felony computer crimes charges that might have brought
years in jail. Swartz, 26, was under indictment when he committed
suicide in January 2013.

Critics, both on campus and around the world, have accused MIT of
abandoning its values celebrating inventive risk-taking by helping to
doom a young man whose project -- likely an act of civil disobedience
to make information freely available -- didn't in the end cause serious
harm.

MIT has insisted it maintained an appropriate, even compassionate,
neutrality toward a determined hacker who stole 4.8 million articles
and eluded numerous efforts to stop him before the college sought help
from police.

But MIT's brand of neutrality proved one with notable limits,
according to a Globe review of more than 7,000 pages of discovery
documents -- many of them e-mails -- from Swartz's court case. In the
wake of his death, both MIT and JSTOR posted online documents that
they had turned over to authorities, a trove that drew little if any
notice at the time. The Globe also obtained a number of e-mails
related to the case not available publicly.

Only with a patient review of the complete record does the full
picture of the dilemma MIT faced become clear. The aftershocks of the
choices the institution made in the wake of the "ghost" continue to
reverberate, on campus and off, more than a year after Swartz's death.

Most vividly, the e-mails underscore the dissonant instincts the
university grappled with. There was the eagerness of some MIT
employees to help investigators and prosecutors with the case, and
then there was, by contrast, the glacial pace of the institution's
early reaction to the intruder's provocation.

MIT, for example, knew for 2 1/2 months which campus building the
downloader had operated out of before anyone searched it for him or
his laptop -- even as the university told JSTOR they had no way to
identify the interloper.

And once Swartz was unmasked, the ambivalence continued. MIT never
encouraged Swartz's prosecution, and once told his prosecutor they had
no interest in jail time. However, e-mails illustrate how MIT
energetically assisted authorities in capturing him and gathering
evidence -- even prodding JSTOR to get answers for prosecutors more
quickly -- before a subpoena had been issued.

In a handful of e-mails, individual MIT employees involved in the case
aired sentiments that were far from neutral. One, for example, gushed
to prosecutor Stephen P. Heymann about the quality of the indictment
of Swartz.

"Nicely done Steve and kudos! All points . . . are as accurate as I've
ever seen," wrote the information technology employee. "(I only say
that because every time I've ever given an interview, details are
always slightly to horribly munged; not that I ever expected any less,
it's just a true relief and very refreshing to see your accuracy and
precision)."

Yet if MIT eventually adopted a relatively hard line on Swartz, the
university had also helped to make his misdeeds possible, the Globe
review found. Numerous e-mails make it clear that the unusually easy
access to the campus computer network, which Swartz took advantage of,
had long been a concern to some of the university's information
technology staff.

Some at MIT believed that officials had failed to pay serious
attention to what one person called "poor, limited, or outdated
security protections" on resources like the JSTOR database.

The documents also put JSTOR's role in the case in a new light. In
contrast to MIT, the journal archive organization has been widely
hailed for publicly distancing itself from Swartz's prosecution,
declaring that once Swartz returned the documents, it "had no interest
in this becoming an ongoing legal matter."

But a number of JSTOR's internal e-mails show a much angrier face in
the months that Swartz eluded capture, with employees sharing
frustration about MIT's "rather tepid level of concern." JSTOR
officials repeatedly raised the prospect, among themselves, of going
to the police, e-mails show.

"What's wrong with us . . . alerting the cyber-crimes division of law
enforcement and initiating an investigation, having a cop search a
dorm room and try to retrieve any hard drive that contains our
content?" asked one JSTOR official, whose name -- like most -- was
redacted in the released documents.

In the end, JSTOR neither called the police nor asked MIT to do so,
according to its president.

Eric Grimson, who recently stepped down as chancellor of MIT, defended
the university's handling of the case as a judicious effort to protect
the community without seeking retribution. MIT's first steps, he said,
were simply to deny the downloader access to the network. They didn't
search for the laptop for many weeks because they thought he had been
thwarted.

When Swartz proved undeterred, he said, MIT had to do more.

"We were confronted with a situation of an unknown user accessing our
network," he said in an interview, "using it to download massive
amounts of material . . . for a three-month period, and evading our
efforts to try and stop it."

MIT was harmed in the process, Grimson said, with 10,000 researchers
denied an important resource for several days as JSTOR sought to cut
off the mass downloading.

Helping investigators pursue the campus intruder was the only
reasonable course, he said.

"I think we should as a matter of principle cooperate with law
enforcement in an investigation of an alleged crime being committed on
our campus," he said. "That's protecting our community."

After Swartz's arrest, Grimson said, the university went out of its
way to be fair to the defense, voluntarily making staff members
available to answer questions from Swartz's attorneys.

"I would like to suggest we took a path to try to balance being
empathetic to Aaron's situation while acknowledging that there was a
legal process involved," he said.

Allure of openness

Swartz was an Internet prodigy. By age 19, he had helped to build RSS,
a service that allowed users to create personalized news feeds; to
develop the social news website Reddit; and to establish Creative
Commons, an alternative to traditional copyright more friendly to
sharing.

In his 20s, the restless Stanford dropout turned his energies to
political activism. He helped launch several progressive political
groups and was a major force behind a national wave of protest against
the Stop Online Piracy Act, which targeted unauthorized sharing of
videos and music, but which Swartz and others saw as an attack on free
speech.

While Swartz's motive for downloading the JSTOR archive remains
unknown, there is one simple and plausible possibility: to make
academic research freely available to the public. In 2008, he
published a "Guerrilla Open Access Manifesto" in which he avowed a
"moral imperative" to share scholarship locked behind exorbitant
subscription walls.

"It's time to come into the light and, in the grand tradition of civil
disobedience, declare our opposition to this private theft of public
culture," he wrote.

But why use MIT as his gateway -- or, to some eyes, his victim? He had
a fellowship at Harvard at the time, which gave him access to JSTOR,
but apparently worried about getting himself or his colleagues in hot
water, since bulk downloading is forbidden by JSTOR.

Since MIT had been known for generations for its idealistic devotion
to the spirit of openness, venturing a couple of miles down
Massachusetts Avenue may have seemed irresistible to Swartz. He had no
formal tie to the university but had friends there and had been
involved in campus activities.

A blog entry Swartz wrote in 2009, titled "Honest Theft," neatly
details his view of the school as a haven for rebelliousness. He
described friends who he said secretly lived for free on campus,
sleeping on couches in common rooms and stealing food from the
cafeterias -- and using the money they saved "to promote the public
good."

"MIT has a notoriously relaxed security policy," he wrote, so his
friends "likely wouldn't get in too much trouble."

Indeed, MIT's own 180-page internal report on the Swartz case,
released in July by a panel led by professor Hal Abelson, described a
"culture of creative disobedience where students are encouraged to
explore secret corners of the campus, commit good-spirited acts of
vandalism . . . and resist restrictions that seem arbitrary or
capricious."

Student "hacks" have included putting a faux firetruck on the MIT
Great Dome and turning a high-rise facade into a working Tetris game.
They are meant to be public and harmless, but often involve
trespassing and "borrowing" materials without permission, like a 3-ton
cannon brazenly snatched from Caltech.

The ethic of openness extends to MIT's computer network, where anyone
on campus can get onto the wired network for 14 days by logging on as
a guest, an extremely unusual perk for visitors to a university
campus.

As an MIT manager of network security noted in an e-mail reviewing the
downloading case as it unfolded in October 2010, misuse of the MIT
network was made possible by the fact that there was "no
authentication of visitors" and "no identity verification."

The open-door policy meant Swartz could easily sign in, as he did, as
an anonymous guest with fake names and disposable e-mail addresses.

Between 5 p.m. on Sept. 25, 2010, and 4 a.m. the next morning, the
code Swartz wrote, which he called "keepgrabbing," downloaded 450,000
JSTOR articles.

It was the opening salvo in a cat-and-mouse game that would extend
over three months. JSTOR would cut off the Internet protocol address
Swartz was using; he would switch to another. MIT detected and shut
down the registration for his computer; he altered his computer's
identifying information.

Officials would conclude the ghost downloader had moved on, then he'd
reappear weeks later.

The maddening pursuit prompted some MIT technology personnel to say,
essentially, I told you so. Databases like JSTOR's, some said, should
have been kept behind a virtual gate -- though this would inconvenience
legitimate users.

"I frankly don't know why it's not used more," an employee wrote about
such a security measure.

Another employee in network security lamented that only the Swartz
case prompted MIT to smarten up. "I hope it helps enlighten them to
the need to really think long and hard about these issues. Kind of
silly that it took a JSTOR crawling issue to get everyone a little
frenzied."

MIT and JSTOR did agree to a security upgrade after Swartz's second
round of downloading was discovered in October 2010, requiring those
seeking access to have MIT credentials. But it took JSTOR weeks to
prepare for the change, the e-mails show.

That delay would prove fateful. Aaron Swartz had only gotten started.

Drawing concern at JSTOR

Given the institution's global stature, MIT inevitably drew most of
the public focus. But what Swartz did was more of a threat to JSTOR, a
small organization in a precarious position. Its business is selling
access to journal articles, but it doesn't own those articles. If it
can't protect them, the journals could yank their material out of the
library and threaten JSTOR's survival.

Swartz ultimately downloaded 80 percent of JSTOR's archive, 4.8
million articles. At one point his downloading was so rapid, JSTOR
e-mails said it created "a monstrous amount" of traffic that was
"threatening the website."

The stakes for MIT were murkier. The university's contract with JSTOR
promised that it would guard against misuse, so there was some risk of
losing an important library resource. And a rogue stranger poking
around MIT's network could be truly dangerous. The discovery shortly
before Swartz's arrest that his computer was being contacted from
China raised passing fears of a foreign cyberattack, e-mails show,
although such probing from overseas is quite routine.

Yet MIT was used to seeing excessive downloading -- albeit on a much
smaller scale -- and some staff downplayed the threat.

"There will always be one person a semester who, regardless of intent,
will write a script to crawl through some catalog," an MIT employee
wrote when JSTOR first cut off the portion of campus where Swartz was
operating. The MIT worker called JSTOR's move "draconian" and
"knee-jerk."

The result of their differing vulnerabilities, e-mails indicate, was
that JSTOR was far more bellicose toward the interloper than was MIT --
at least until the days right before Swartz's arrest.

JSTOR pressed again and again for MIT to find the downloader. Some of
the archive's employees said MIT was being cooperative, but other
staff members were irate at the university.

"I am sure that if they had lost an equivalent number of books from
their library overnight (what 25,000-30,000 books) they would not be
so nonchalant," someone at JSTOR wrote in an e-mail.

"This is an astronomical number of articles -- again, real theft,"
another wrote. "Does the university contact law enforcement? Would
they be willing to do so in this instance?"

When Swartz popped up again in late December after weeks of quiet, the
tension was even plainer.

"I might just be irked because I am up dealing with [the downloader]
on a Sunday night," a JSTOR employee wrote, "but I am starting to feel
like [MIT needs] to get a hold of this situation and right away or we
need to offer to send them some help (read FBI)."

These were "heat of the moment" reactions by officials anxious about
an unknown threat, said Kevin M. Guthrie, president of ITHAKA, JSTOR's
parent organization.

"You get a report that 100,000 articles have been downloaded on a
Saturday, you're trying to figure out what to do," he said in an
interview.

As for JSTOR's internal comments about calling the police, he said,
"We talked about it, but we made a decision -- no, this wouldn't be
appropriate; it's not our role to indicate that law enforcement should
be called."

When it came to Swartz's prosecution, JSTOR was notably reticent. It
insisted on being served with a subpoena before it would provide
information to the government and then, according to Abelson's report,
tried to limit its answers.

Guthrie told the Globe that the not-for-profit was simply trying to be
careful. As for its decision to publicly oppose prosecution, he said,
once Swartz returned the files, the journal provider was no longer
interested in the matter.

JSTOR was "trying to balance our obligation both to be good stewards
of the content for the content owners and publishers, for our own
viability, for broad access to information, and then the personal
situation, the human situation," Guthrie said.

JSTOR's very existence, he said, is all about broadening access to
scholarly journals. Its fees go to support the archive, and it
provides free access in developing countries.

E-mails from before Swartz was captured suggest that JSTOR might also
have been worried about its public image. The archive is already
viewed in some quarters as a greedygatekeeper constricting the pursuit
of knowledge. One JSTOR employee, in an e-mail addressing the
possibility of bringing in law enforcement, noted several technical
obstacles after opening with, "aside from the considerations about the
PR of it all . . . "

A sudden shift

If MIT was initially slow to react to the "ghost," even tepid about
the whole thing as some at JSTOR surmised, that changed drastically
after the university learned of another breach in December 2010.

After the laptop Swartz was accused of setting up to download JSTOR
articles was found in a wiring closet at MIT, investigators left the
computer up and running and installed a hidden camera.

On the night after Christmas, JSTOR discovered a new round of
downloading. It had actually started some 10 weeks earlier, but Swartz
had slowed the process enough to avoid tripping alarms.

Out on a furlough, MIT staff did not get the urgent messages from
JSTOR until Jan. 3, 2011. "This is a heck of a way to start the new
year," one person at MIT wrote. "We need to escalate the seriousness
of our response. This looks like grand theft."

And escalate MIT did. The academic building where the activity seemed
to emanate from had been pinpointed in mid-October. But only on the
morning of Jan. 4 did a network engineer began searching Building 16.
He quickly discovered a laptop, hidden under a cardboard box,
connected to the network from a wiring closet in the basement.

MIT police decided they needed more help, and called a Cambridge
police detective who belonged to a regional electronic crimes task
force. He showed up with another task force member, a Secret Service
agent named Michael S. Pickett.

Seeking not only to find the downloader but to collect as much
evidence as possible, they set up a hidden camera in the wiring
closet. And instead of shutting down the laptop, the authorities
decided to "leave it up and running for a couple of days while the
investigation continues," a library employee wrote in an e-mail.

"Now a federal case," the library staffer wrote in separate notes she
took on a conversation with an MIT security analyst. "We [MIT] are
considered the victim. All we provide is by choice -- not subpoenaed."

That cooperation with law enforcement also extended to a senior MIT
network engineer who monitored traffic to and from Swartz's laptop and
appeared to be looking to Pickett for instructions. On Jan. 5, having
collected 70 gigabytes of network traffic, he e-mailed the agent, "I
was just wondering what the next step is."

Swartz's lawyers argued that MIT, by monitoring Swartz and turning
over materials to law enforcement without a court order, violated his
Fourth Amendment rights. Abelson, who wrote MIT's own review,
disagreed, and legal experts interviewed by the Globe differed on
whether those arguments had merit. They were never ruled on by the
judge in the case.

Grimson, the former university chancellor, acknowledged in an
interview that it would have been "cleaner" to ask prosecutors to seek
a court order sooner. Turning over evidence without a subpoena raised,
in some eyes, painful questions about MIT's avowed neutrality.

Swartz was identified by the hidden camera and arrested on Jan. 6
after allegedly trying to flee police on Massachusetts Avenue in
Cambridge.

The startling discovery that the "ghost" downloader was a well-known
activist prompted a few MIT employees to share their opinions with
Pickett, the Secret Service agent, or their colleagues.

"Looks like he is a big hacker, i googled him," one wrote to Pickett
at midnight the morning after Swartz's arrest.

That afternoon, someone from the IT security department wrote to
Pickett, deeming Swartz a "really intelligent kid that just got buried
under an avalanche of dumb."

A few days later, Swartz took to Twitter to ask his followers if they
knew anyone at JSTOR, presumably hoping he could defuse the situation.
One person at MIT responded by circulating among colleagues a made-up
message purporting to be what Swartz wanted to say to JSTOR.

"hi, jstor, I'm still a few million pdf's shy of grabbing your whole
db; really had high hopes on collecting the whole set by 1/1/11," it
read. "could you tell me what number I left off at, because I don't
currently have access to my lappy that was keeping track. k thnx bye."

The MIT employee's commentary on his or her own fictional tweet: "LOL."

The documents say little about what MIT was thinking and doing once
the case morphed from an investigation into an active prosecution. But
MIT's own report on the case raises serious questions about the wisdom
of MIT's neutrality stance.

The report noted that some within MIT believe "there has been a change
in the institutional climate over recent years, where decisions have
become driven more by a concern for minimizing risk than by strong
affirmation of MIT values."

The Computer Fraud and Abuse Act has been widely condemned as extreme
in both its sweeping scope and its grave punishments. Sentencing
guidelines suggest Swartz faced up to seven years in prison.

To his supporters, MIT bears some responsibility for that fact. MIT
officials privately told the prosecutor that the university had no
interest in jail time, but refused to oppose his prosecution publicly
or privately, despite repeated entreaties from Swartz's father, his
lawyers, and a couple of faculty members, who argued MIT had the
institutional heft to influence the US attorney's office.

MIT may have also missed an opportunity to point out a potentially
serious flaw in the case against Swartz.

The Computer Fraud and Abuse Act charges centered on the claim that
Swartz had unauthorized access to MIT and JSTOR's networks. But even
if he was doing something improper, Swartz was logged on at MIT as a
guest, leading Abelson and some legal observers to conclude that his
access could be construed as authorized.

It was hardly a clear-cut case, and the judge may not have agreed. But
either way, MIT -- resolute about not getting drawn into a criminal
case to which it was not a named party -- "paid little attention to the
details of the charges," Abelson found. The institute simply did not
consider whether Swartz may have been an authorized user under the
terms of the law, according to the report.

The defense didn't raise it, either, until close to Swartz's death.

MIT was helping the prosecution "understand how to prosecute, what
information is necessary to prosecute, but not taking steps to help
them understand the limits to their prosecution," said Lawrence
Lessig, a Harvard Law School professor who was close to Swartz.
"Nobody would call that neutral. That's aiding and abetting the
prosecution.''

Grimson defended MIT's decision to leave it up to the justice system
to decide Swartz's fate, given that MIT leaders believe he harmed the
school. And he disagreed that MIT is less driven by its ideals than it
once was. He pointed to the Abelson report as an example of MIT's
willingness to soul-search and learn from a tragedy.

Still, he said, MIT will be second-guessing itself for a long time,
and the university is still considering some policy changes in light
of what happened to Swartz. Its first concrete move, last month, was
to set up a presidential committee that will create an online data
privacy policy.

A famously sensitive person, Swartz had some history with depression.
Yet loved ones insist that he was not clinically depressed before he
hanged himself in his Brooklyn apartment on Jan. 11, 2013, but
overwhelmed by the threat of years injail and the toll of fighting the
charges.

His father, Bob Swartz, believes that MIT's lack of compassion helped
destroy his son's life.

"We can't bring Aaron back, he can no longer be the tireless worker
for good," he said at a memorial service for his son held at MIT last
spring. "What we can do is change things for the better. We can work
to change MIT so that it . . . once again becomes a place where risk
and coloring outside the lines is encouraged, a space where the
cruelties of the world are pushed back and our most creative flourish
rather than being crushed."