Wow, there's a lot to read here.

I just read through Part V, Questions for the MIT Community (pages 89--100), and it is a particularly thoughtful and nuanced read. Recommended, especially if (like me) you don't really want to dive into the specific details of the case.
posted by RedOrGreen at 8:48 AM on July 30, 2013

It's an astoundingly comprehensive piece of work, considering the small size of the panel and the speed at which they researched these events. It's almost a primer on computer networks, campus security, law enforcement, and criminal prosecution. In the context of MIT's responsibility, though, it's only the first half. The second half, outside the scope of this report, is clarifying the Institute's response to unauthorized network-accessing activities by students and non-students when they intersect with the "information wants to be free" community and the "we will make a prosecution example out of you" community. Is it best to stay neutral, as MIT did here? I think so.

I was happy to see in Appendix 9 support of Star Simpson, who was, you'll recall, the MIT student arrested at gunpoint at Logan for wearing homemade electronic jewelry. The backlash that followed when MIT hung her out to dry is absolutely one of the reasons for their current policy of neutrality.
posted by Mapes at 9:54 AM on July 30, 2013 [2 favorites]

TarenSK: MIT report is a whitewash. My statement in response.
posted by homunculus at 10:17 AM on July 30, 2013 [2 favorites]

Lawrence Lessig: The MIT Report on #aaronsw
posted by homunculus at 10:17 AM on July 30, 2013 [2 favorites]

It's almost a primer on computer networks, campus security, law enforcement, and criminal prosecution.

If anyone was going to be consulted on that, Hal Abelson seems like a good start.
posted by maryr at 10:21 AM on July 30, 2013

MIT Moves to Intervene in Release of Aaron Swartz’s Secret Service File

I am the plaintiff in this lawsuit. In February, the Secret Service denied in full my request for any files it held on Swartz, citing a FOIA exemption that covers sensitive law enforcement records that are part of an ongoing proceeding. Other requestors reported receiving the same response.

When the agency ignored my administrative appeal, I enlisted David Sobel, a top DC-based FOIA litigator, and we filed suit. Two weeks ago U.S. District Judge Colleen Kollar-Kotelly ordered the government to “promptly” begin releasing Swartz’ records. The government told my lawyer that it would release the first batch tomorrow. But minutes ago, Kollar-Kotelly suspended that order at MIT’s urging, to give the university time to make an argument against the release of some of the material...

I have never, in fifteen years of reporting, seen a non-governmental party argue for the right to interfere in a Freedom of Information Act release of government documents. My lawyer has been litigating FOIA for decades, and he’s never encountered it either. It’s saddening to see an academic institution set this precedent.
posted by Blazecock Pileon at 10:33 AM on July 30, 2013 [7 favorites]

I think MIT's argument is guarding the privacy of people named in the report. Many of these names are already on the record somewhere, but I guess they're trying to not call further attention to it?

Here's what the report says, in footnote from a letter by the authors:

The Review Panel realizes that there has been significant controversy surrounding the events described in this report. We appreciate that many of the people involved have legitimate concerns about their privacy and their security, and we know that some have even been personally threatened. Consequently, our report generally does not identify individuals by name. Many of these individuals have already been identified in court filings and other public documents, and we are fully aware that their names are readily discoverable on the Internet. Even so, we see no need to further erode their personal privacy.

posted by maryr at 10:44 AM on July 30, 2013

Yes, because it's horrible of MIT to protect their personnel.
posted by NoxAeternum at 10:45 AM on July 30, 2013

Lessig's post, linked above, is on whether or not Swartz's activities constituted unauthorized access to the MIT computing network. On p136 of the report (Appendix 11, on the criminal charges and the issue of authorization), I think the panel gives Swartz quite too much credit in not taking him to task concerning MIT network Rule 6 ("Don’t restrict or deny access to the network by legitimate users."). The report says that "Aaron Swartz did not himself deny or intend to deny the system to other users."

But JSTOR, upon realizing Swartz was downloading huge amounts of content, blocked his IP address. He moved to another one. They shut down a block of addresses. He next attempt, which involved repeatedly deleting the JSTOR cookie, disconnecting, reconnecting, and requesting a new article, crashed multiple JSTOR servers. JSTOR then shut down access from all MIT addresses for three days.

This escalation of techniques in order to circumvent larger and larger restrictions by JSTOR shows a willfulness to deny access to others to further the goal of collecting JSTOR articles and seems to me like a clear violation of Rule 6, representing unauthorized access.
posted by Mapes at 10:48 AM on July 30, 2013

If your standard for "Don’t restrict or deny access to the network by legitimate users" is "Don't do anything that could conceivably cause a third-party outside the network to restrict or deny access to legitimate users," then you've opened the door to virtually anything. Publishing material critical of the Chinese Government might get your network blocked by the Great Firewall too. Certainly, Aaron could have seen that he was not using the service in the manner it was intended to be used, but extending Rule 6 to chains of causality would leave the rule uselessly vague.
posted by zachlipton at 11:04 AM on July 30, 2013 [3 favorites]

Except that JSTOR was a third party that MIT contracted with to provide a service to the university - a service threatened by Swartz's conduct.
posted by NoxAeternum at 11:16 AM on July 30, 2013

JSTOR terms of use specifically say that institutional access is contingent on not using automated programs to download content. There's no vague chain of causality here.
posted by Mapes at 11:17 AM on July 30, 2013

Publishing material critical of the Chinese Government might get your network blocked by the Great Firewall too.

Yes, but that's a bit different from writing a script that repeatedly agrees to follow certain guidelines in violation of those same guidelines. In addition, as Mapes noted, when Swartz overloaded the JSTOR servers they shut off access to his IP - so he switched to a new IP. Then they shut off access to all of 18.55.6.* - so he switched to a new new IP. That is not a good faith act toward other users of the network.
posted by maryr at 11:19 AM on July 30, 2013

Definitely have not had time to read the entire report, but I thought this passage on page 14 was noteworthy:

Among the factors not considered [by MIT] were that the defendant was an accomplished and well-known contributor to Internet technology; that the Computer Fraud and Abuse Act is a poorly drafted and questionable criminal law as applied to modern computing, one that affects the Internet community as a whole and is widely criticized; and that the United States government was pursuing an overtly aggressive prosecution. MIT’s position may have been prudent, but it did not duly take into account the wider background of information policy against which the prosecution played out and in which MIT people have traditionally been passionate leaders.

posted by compartment at 11:20 AM on July 30, 2013 [4 favorites]

From studying this review of MIT's role, I am confident that MIT's decisions were reasonable, appropriate and made in good faith. The report confirms my trust in the members of the MIT community involved in the Swartz events. Throughout, they have acted with integrity and heart, and served MIT with outstanding professionalism. I know the last seven months have been hard on them and their families, and they have my deepest respect and gratitude.

It's like when the CIA was tasked to investigate its own behavior in the 1980s, finding nothing wrong. This report helps MIT wash Swartz's blood off their hands, and the FOIA intervention is just the cherry on top.

MIT: A slimy place run by slimy people, doing slimy things slimily.
posted by Blazecock Pileon at 11:25 AM on July 30, 2013 [1 favorite]

Maybe I'm just paranoid but this "we did nothing wrong" report makes me think MIT may be a bigger culprit in this than previously thought...
posted by Pyrogenesis at 11:32 AM on July 30, 2013

MIT’s position may have been prudent, but it did not duly take into account the wider background of information policy against which the prosecution played out and in which MIT people have traditionally been passionate leaders.

I, too, think that's an insightful passage, compartment. But the report as a whole relies hugely on absolving MIT of blame because MIT's action in this or that regard was necessary in order to maintain neutrality. As if "neutrality" to what happens to a member of their community, whether just or unjust, is a virtue. Since I reject that premise, I can't do other than to largely dismiss this report.
posted by tyllwin at 11:34 AM on July 30, 2013 [3 favorites]

If your standard for "Don’t restrict or deny access to the network by legitimate users" is "Don't do anything that could conceivably cause a third-party outside the network to restrict or deny access to legitimate users,"

No, it;s "don't do anything that has ALREADY caused a third party outside the network to restrict or deny access to legitimate users."

Aaron was playing cat&mouse with MIT in full anticipation of getting slammed with disciplinary action. Unfortunately for him, disciplinary action requires some kind of relationship with MIT that MIT can threaten to sever, and that did not exist for him.
posted by ocschwar at 11:38 AM on July 30, 2013

As if "neutrality" to what happens to a member of their community

(Not a member of their community, in fact, but a non-affiliate who came in off the street, went to the basement of an academic building, and broke into a network room or relied on a broken lock to enter and connect and leave computer equipment.)
posted by Mapes at 11:41 AM on July 30, 2013

MIT is a bit different regarding locks and access to "forbidden" areas than almost anywhere else. Don't know if that context affects the analysis, but that context is a deep part of MIT institutional culture.
posted by zippy at 11:52 AM on July 30, 2013 [1 favorite]

Not a member of their community, in fact, but a non-affiliate who came in off the street

I see. As the report puts it:

Aaron Swartz was neither a member of the MIT staff, nor an enrolled student nor alumnus, nor a member of the faculty. He was a regular visitor to the MIT campus and interacted with MIT people and groups both on campus and off. His web publishing startup was developed with the help of an entrepreneurship accelerator company “boot camp” that arranged for him to be housed on the MIT campus for the summer of 2005. After a short period in San Francisco, he returned to Cambridge in 2006 and lived in an apartment on Massachusetts Avenue in Central Square, between Harvard and MIT. He was a member of MIT’s Free Culture Group, a regular visitor at MIT’s Student Information Processing Board (SIPB), and an active participant in the annual MIT International Puzzle Mystery Hunt Competition. Aaron Swartz’s father, Robert Swartz, was (and is) a consultant at the MIT Media Lab. Aaron frequently visited his father there, and his two younger brothers had been Media Lab interns.

Indeed, a virtual stranger.

And if I set in motion a chain of actions which will destroy him, I need only stay neutral and look only to the law and never to the consequences in human terms.
posted by tyllwin at 11:52 AM on July 30, 2013 [1 favorite]

Without wading into another debate about the ethics of Schwartz' behaviour, I thought this question presented in part V of the report was really thoughtful:

MIT’s first interest flows from the CFAA’s “exceeds authorized access” clause. Under
this clause, accessing MIT’s computer network beyond the bounds set by MIT for such
access can be a felony. However, MIT is not a legislature: it does not hold open debates
about how its Terms of Service (TOS)should be crafted, defined, provided with “safe
harbors,” and otherwise applied; and it cannot foresee how rapid advances in technology
and social uses of technology may make its TOS obsolete, unclear, or a dangerous and
unintended trap for the unwary. Does MIT want to be in the position of determining what
is and is not a felony?

I expect to see a lot more organized opposition to the Computer Fraud and Abuse Act (CFAA) from MIT following this report. There are a lot of other thoughtful questions in Section V as well, and the whole report is very thorough and even. I'm pretty impressed.
posted by Popular Ethics at 11:59 AM on July 30, 2013

compartment: That was one part of the report that I found troublesome - the idea that his fame should have been a get out of jail card.
posted by NoxAeternum at 12:01 PM on July 30, 2013

And if I set in motion a chain of actions which will destroy him,

If I start a police report over someone coming onto my property and doing something sketchy, and the cops catch him, from that moment on the matter is in the hands of people who do not answer to me.

Does this mean I should never ask the police for help in a situation like that?
posted by ocschwar at 12:06 PM on July 30, 2013

Does this mean I should never ask the police for help in a situation like that?

No. But if you're the "victim," you're powerful and influential, and a successful prosecution depends on you and your cooperation, you're not ethically entitled to just wash your hands of it. Legally, of course you can.
posted by tyllwin at 12:14 PM on July 30, 2013 [1 favorite]

MIT is a bit different regarding locks and access to "forbidden" areas than almost anywhere else. Don't know if that context affects the analysis, but that context is a deep part of MIT institutional culture.

Yes, MIT is a bit different regarding locks and such. It's an extremely open campus with the Infinite Corridor (and buildings attached to it) discretely but publicly accessible 24 hours a day. There's general encouragement to follow curiousity, to not be afraid to open unlocked (and sometimes locked) doors. That's without getting into hacks. But feeling the need to hide your laptop in a closet under a cardboard box does imply that you are doing something you know to be against the rules. (Especially if he had friends at SIPB, since that's where the laptop was ultimately found? Why didn't he leave it laptop there in the first place? Why hide it in a network closet in 16, home to a computer cluster and a bunch of bioengineering labs?) Besides which, this case is borderline on hacking ethics. No one was physically hurt, some folks were likely inconvenienced when trying to access journals, but you're not really supposed to take things either and it feels like an abuse of MIT's permissive culture toward open campus and internet access.
posted by maryr at 12:28 PM on July 30, 2013

Wow, the trial of Aaron Swartz continues to be prosecuted by volunteer hall monitors. Rest in Peace.
posted by mattbucher at 12:47 PM on July 30, 2013 [3 favorites]

compartment: That was one part of the report that I found troublesome - the idea that his fame should have been a get out of jail card.

I'm still reading and digesting, but I don't see it that way. The point is that Aaron was not, say, a crack addict off the streets who was trying to burglarize dorm rooms. Rather, he was a Harvard fellow (an institution that is certainly independent of MIT, but one with close ties beyond geography, including liberal cross-registration policies for students and reciprocal library privileges). It's not that actions should not have consequences, but rather that, after the investigation uncovered the outline of what was going on, it should have been clear to everyone at MIT that this was a member of their academic community who may have crossed lines in his use of network resources as part of his research, rather than a severe threat to the well-being of the campus community.

In general, it certainly feels like President Reif's letter paints a much more exculpatory brush than the report itself does: emphasizing how properly everyone behaved when the report asks more important questions about how they should have behaved.
posted by zachlipton at 12:51 PM on July 30, 2013 [3 favorites]

zachlipton: Yeah, I have a serious problem with that attitude. You're basically saying that the rules should be different because he's "one of us".
posted by NoxAeternum at 1:13 PM on July 30, 2013 [1 favorite]

zachlipton: Yeah, I have a serious problem with that attitude. You're basically saying that the rules should be different because he's "one of us".

The rules ARE different if you're one of us. If you're one of us, the admins use the threat of casting you into the world of mundanes to correct your behavior. No call to law enforcement at all.
posted by ocschwar at 1:47 PM on July 30, 2013 [1 favorite]

Open letters are intrinsically political in tone; the president shows the requisite sorrow and institutional blamelessness, whereas the actual report's concluding lines pointedly include: “Looking back on the Aaron Swartz case, the world didn’t see leadership. As one person involved in the decisions put it: “MIT didn’t do anything wrong; but we didn’t do ourselves proud.”
posted by polymodus at 2:25 PM on July 30, 2013 [2 favorites]

it should have been clear to everyone at MIT that this was a member of their academic community who may have crossed lines in his use of network resources as part of his research

Where "member of their academic community" equals "guy who hung around a lot", "crossed lines" equals "deliberately abused the network facilities and evaded counter-measures" and "his research" equals "ill-conceived political stunt".

MIT doesn't come up smelling of roses, but there's definite whiff of hagiography hanging around Swartz - too cool for rules and don't you dare try and apply them to him.
posted by outlier at 4:04 PM on July 30, 2013 [1 favorite]

Popular Ethics: That's another questionable bit for me as well. MIT is no more deciding what is and isn't a felony than I am when I take title to a plot of land. Of course, my solution to the CFAA issue is simple - replace it with laws defining unauthorized access of a computer network as a form of trespassing.
posted by NoxAeternum at 6:08 PM on July 30, 2013

"his research" equals "ill-conceived political stunt"

What's the opposite of hagiography? Because this is it.
posted by zippy at 6:23 PM on July 30, 2013 [1 favorite]

Popular Ethics: That's another questionable bit for me as well. MIT is no more deciding what is and isn't a felony than I am when I take title to a plot of land.

But that's exactly what happens under the CFAA: MIT sets the terms of authorised access, and the CFAA gives those terms the force of law by making any access outside them into a felony.

The equivalent result for property would be a law that means that if you put a sign up next to your front path saying "no entry" anyone who walks to your front door without prior permission is a felon (although from what I understand about how the CFAA works you might not even need a sign; it might be enough to write it down on a piece of paper you keep in a drawer, or maybe just think it).

Anyway, it's entirely reasonable to think that Swartz was being naughty and might reasonably have faced some kind of consequences for the JSTOR thing while also thinking that the CFAA is profoundly wrong, and that MIT should have taken a stand and done everything they could to stop such an obviously bad law being invoked against him.
posted by A Thousand Baited Hooks at 7:09 PM on July 30, 2013 [1 favorite]

A Thousand Baited Hooks: And that's how it works with criminal trespass, though some levels are misdemeanors. I can set the terms of how my property can be accessed, and people who go beyond that are in violation of the law. I don't see why that should be fundamentally different because we're talking about a computer network, not a piece of land.
posted by NoxAeternum at 7:22 PM on July 30, 2013

Is it really a felony to ignore a "no entry" sign and knock on someone's door? I guess this is the US we're talking about here.

Actually a better example would be a piece of land open to the public subject to conditions set by the owner (like a university). It's one thing to say that the owner should be able to get anyone who breaks the conditions to leave, another to say that just by breaking a condition while you're on the land you automatically commit a criminal offence, and quite another to say that the offence should be a felony.

Some more on the CFAA:

What are terms of service? Remember the last time you signed up for a Web site and clicked through several pages of fine print? Yep, that was it. Chances are, you didn’t read it, and didn’t think that it might be a federal felony to violate the provisions that it contained. The Justice Department has repeatedly taken the position that such violations are felonies. In the prominent cyberbullying case United States v. Drew, a federal prosecutor asserted that violating MySpace’s terms of service would be a federal felony. Similarly, the indictment threatening Aaron Swartz with thirty-five years in prison depended, in part, on a terms-of-service violation: when Swartz tried to download thousands of academic articles, he did so as an authorized guest user of the M.I.T. network. He didn’t actually “hack” or “break” into the network; he violated the terms of service for guests by downloading too much stuff.

posted by A Thousand Baited Hooks at 7:53 PM on July 30, 2013

No, he violated JSTOR's TOS, which explicitly prohibits automation of downloads, by using a script to sequentially grab files. Furthermore, not only did Swartz violate the MIT network TOS, when the network administrators blocked his MAC address (and thus indicating that he was no longer welcome on the MIT guest network), he repeatedly switched it in order to remain on the MIT guest network, showing willful disregard to the wishes of the administrators. Furthermore, he then broke into a wiring cabinet and directly installed his laptop to the network there, concealing it after doing so.

That is in no way equivalent to just ignoring a sign, and it would be nice if the false equivalence would stop.

(The same point stands for Lori Drew as well - it's not just that she broke the MySpace TOS, but did so in order to viciously prey on a young teenage girl, culminating in that girl's suicide. Mens rea is a key point in the law for a reason.)
posted by NoxAeternum at 8:54 PM on July 30, 2013 [2 favorites]

Wait, I thought we were talking about whether MIT is deciding what is and what isn't a felony. Obviously what Swartz did was more than just ignore a sign. But if all he had done was ignore a sign (or the equivalent) he would have been a criminal under the CFAA anyway.

That's the problem the "Does MIT want to be in the position of determining what is and is not a felony?" bit of the report is getting at.

(The same point stands for Lori Drew as well - it's not just that she broke the MySpace TOS, but did so in order to viciously prey on a young teenage girl, culminating in that girl's suicide. Mens rea is a key point in the law for a reason.)

That sounds more like motive than mens rea to me, but then I'm not a US lawyer and I don't really know how things work over there.
posted by A Thousand Baited Hooks at 10:06 PM on July 30, 2013

No, he violated JSTOR's TOS, which explicitly prohibits automation of downloads,

Do you have an historical time line of how JSTOR changed their TOS? Pretty sure that they changed their terms of service a couple of times in the midst of all this. Also, it should've been a boring legal argument between lawyers about how to define the terms against Swartz's actions. Instead, federal prosecutors looking for fame were only talking jail time. The legal arguments are not near as cut and dry as many commenters here seem to believe. And is anyone considering what would've happened if Swartz had gotten away with this? Would MIT or JSTOR have been seriously hurt? Would their revenue streams dry up? Please. Did MIT suffer any harm or cause of action at all? I have zero sympathy for multi-billion dollar institutions and err on the side of protecting individuals, open-access, and freedom of information.
posted by mattbucher at 8:22 AM on July 31, 2013 [2 favorites]

Do you have an historical time line of how JSTOR changed their TOS?

We have the time line of Aaron repeatedly playing cat & mouse with the MIT network admins. He was going against the terms of use of both institutions.

Now when you're a student, staffer, or faculty at MIT, you can play this kind of thing and MIT will use the threat of severing that relationship to put you back in line. Aaron had no such relationship with MIT. That makes MIT's first recourse putting a campus persona non grata, and that's immediately a police matter. Big mistake there.

Now, the Commonwealth deals with MIT campus hangers on as a matter of course, including those who wind up PNG, arresting them if need be and prosecuting them if need be, and they don't pull the kind of shit the Feds do. In fact, the Commonwealth's response to Aaron's actions was perfectly proportionate: a plea deal that suspends the entire prosecution if he stays out of trouble.
posted by ocschwar at 9:22 AM on July 31, 2013

The MIT report indicated the the prohibition against automated download predated the initial incident.

And yes, MIT and JSTOR would have been harmed if he had succeeded. One of JSTOR's key worries was that if the articles got into the wild, it would make the journals that they contract with unwilling to work with them. For MIT, developing a reputation as a perfect place to launch attacks against other entities would be very problematic for them.
posted by NoxAeternum at 9:24 AM on July 31, 2013

One of JSTOR's key worries was that if the articles got into the wild, it would make the journals that they contract with unwilling to work with them.

In fact, a percentage of the content they charge for access to is out of copyright or is government-funded research without copyright. Swartz faced fines up to $1M even though JSTOR, a non-profit btw, said they didn't want to press charges. No publishers threatened to stop working with JSTOR because of a security breach--however, several institutions did write scathing critiques of JSTOR changing their interface in 2010 so that search results showed journals not in their collections. The real threat to JSTOR and journals publishers is that one day they won't be able to charge libraries exorbitant prices.
posted by mattbucher at 10:14 AM on July 31, 2013

*facepalm*

JSTOR's service isn't just to be a gatekeeper controlling access to these articles. It's to be the archive of record. We could just let every journal post everything on the Web and let Google Scholar index everything. But then we would be in an Orwellian world.

"He who controls the present, controls the past."

Picture what happens if an organization serving these articles is bought up by the Koch brothers. What would happen to the climatology papers? A bit outlandish, to be sure, but when it comes to the responsibility for preventing that scenario on the Web (where it's far more feasible than in the good old days of paper publishing), you have to bear in mind that Google only indexes this stuff. They take no responsibility for archiving and preserving it. That's where bodies like JSTOR come in. And these archives have bills to pay.

There is not yet a funding model in place for organizations like JSTOR. All of that is still being negotiated between JSTOR and academia and other entities. Aaron's activities were interfering with the deal MIT had with JSTOR, and were thus a violation of MIT's autonomy.
posted by ocschwar at 11:10 AM on July 31, 2013 [1 favorite]

Has anyone found a good summary of the report yet? I was expecting some tech journalist to do a short article based on the report, but I haven't seen one.
posted by Nelson at 3:11 PM on July 31, 2013

Gosh, the crown jewels we're entrusting JSTOR to maintain must be hugely expensive to store and index! How big is their collection?

Wikipedia: JSTOR ... provides full-text searches of almost 2,000 journals

Wait. It's some sort of funding chore to store and index 2000 journals? I know servers aren't free, and someone has to do the backups, but 2,000 journals is the extent? Let's say there are on average 100 issues per journal, or 200,000 unique documents.

The Internet Archive over 2 million scanned books and texts, along with billions of web pages. That anyone can access. For free.

And they've been around for about as long as JSTOR.

What is it JSTOR does that another non-profit couldn't do for free?
posted by zippy at 7:25 PM on July 31, 2013 [1 favorite]

The Internet Archive over 2 million scanned books and texts, along with billions of web pages. That anyone can access. For free.


And how secure is their financing? And how good an idea would it be to have this done by just one entity rather than multiples?

There are questions that remain unanswered. JSTOR is part of the answer.

Free is the final intent for JSTOR. How they want to fund themselves in the meantime is a matter between them and their subscribers. JSTOR had one subscription with MIT. Aaron was wrong to interfere with it.
posted by ocschwar at 7:42 PM on July 31, 2013

If MIT had not responded they would have lost access to JSTOR, at least temporarily. I loathe and despise JSTOR, but it's absolutely necessary for academic research in many fields and even one day's loss would be burdensome. If MIT said that they wouldn't regulate Aaron Swartz's actions then I presume JSTOR would have cut MIT loose: he was directly attacking JSTOR's business model and it's better to lose one customer than your entire customer base.

Swartz's prosecution was inexcusably cruel, but that wasn't MIT's fault: they had repeatedly signalled that his actions were unwelcome and at some point the escalation would inevitably have involved calling the police, as it did. From that point on MIT's die was cast: they could no longer be on Aaron Swartz's side.
posted by Joe in Australia at 11:00 PM on July 31, 2013

EFF: MIT in Aaron Swartz Case: Not Neutral, Not Leading, Not Standing Up for Technologists
posted by homunculus at 11:37 AM on August 1, 2013 [3 favorites]

The problem I have with the EFF article is that doing nothing was not an option. Yes, the JSTOR articles were largely created with public money. Yes, the marginal costs are small. Yes, it's arguable that he wasn't a total outsider. But MIT had to stop Aaron Swartz, which meant it was on the side of the prosecution.

I hate the fact that Internet and database access is so tightly locked down on most university campuses. It wasn't always like this: it's because of abuse by Swartz and other people like him. MIT had a loose policy of allowing internet connections and access to JSTOR but it could not and should not have allowed unlimited access to someone trying to disrupt a third party's business model. Aaron Swartz's actions represent the tragedy of the commons and I'd have more respect for the EFF in this case if they acknowledged that public and semi-public goods disappear when they are abused. Have they nothing to say about this? If we want our society to be generous and light-handed then we have to have some mechanism for restraining resource hogs.

Once the prosecution commenced then I suppose MIT might have stepped up to say that it was heavy-handed and so forth. But the fundamental point is that Swartz's actions were both wrong and and disruptive to other people. By minimising his culpability the EFF is endorsing the bad hacker ethos that ability equals authority, and that things that take place online should not have real-world consequences. Freedom, electronic or otherwise, can only flourish in communities which respect other people's rights and boundaries.
posted by Joe in Australia at 3:51 PM on August 1, 2013

Aaron Swartz's actions represent the tragedy of the commons

No, this is a logically flimsy categorization. It's not like MIT planted a nice apple tree and some community member eats too many apples. To apply tragedy of commons, the work of mapping out the agents and relationships has to be done. I will leave that as an exercise, but it doesn't take much to realize that this situation does not readily correspond to the typical examples given in Wikipedia.

But the fundamental point is that Swartz's actions were both wrong and and disruptive to other people.

The fundamental point is that copyright in the information age is understood, by world experts, to be a controversial issue. "Right" and "wrong" are no longer clear-cut; the MIT report is far more nuanced, its concluding section implying as much when it calls broadly for more research in this problem area. Fundamental points rely neither on individualist-fallacy-type moralisms, nor on any relativistic notion of "disruption", obviously because both of these would are subjectives, not fundamentals.
posted by polymodus at 9:01 PM on August 2, 2013 [1 favorite]

The problem I have with the EFF article is that doing nothing was not an option. Yes, the JSTOR articles were largely created with public money. Yes, the marginal costs are small. Yes, it's arguable that he wasn't a total outsider. But MIT had to stop Aaron Swartz, which meant it was on the side of the prosecution.

I fully grant that MIT was perfectly reasonable in seeking to identify the source of traffic on its network, shutting it down, and identifying the person responsible. At that point, after finding Aaron and discussing the situation, and certainly after he settled the matter with JSTOR, MIT didn't have to stop Aaron Swartz because there was nothing to stop anymore. Discuss banning him from campus if you want, maybe report his actions to his employers at Harvard if you believe that would be useful, but that could have well been the end of it. I'm not arguing, and I don't think most people are, that MIT should have said "oh well; not our problem; maybe he'll start sending out millions of emails for cheap Viagra next" when they first discovered the situation.

But to put it in perspective, MIT does have a standard mechanism for "restraining resource hogs," as you put it. I'm not an MIT person, but as I understand it, the StopIt system has been around since 1992 to provide a simple and effective path outside of the Institute's discipline system to address incidents of computer misuse and simple harassment. While community members who feel that they are in danger are directed to the Campus Police for immediate attention, incidents that are merely annoying, unwanted, or involve the abuse of shared or restricted resources can be reported to StopIt, which is part of Information Systems, and they'll basically send an email asking the alleged perpetrator to, well, stop it. According to the (admitting rather old) link above "recipients virtually never repeat the offending behavior." Indeed: "even though recipients concede no guilt, and receive no punishment, they stop."

Now Aaron wasn't an MIT affiliate, and nobody knew who the network activity was coming from, so this procedure was never going to exactly apply. But there's a huge difference in responses from a standard course of action being "hey, please stop it" to "you're facing federal charges for a host of felonies and the prosecutor is insistent on jail time. By the way, you probably won't be able to touch a computer for a few years after you get out of prison." A portion of the latter response was not in MIT's direct control, sure, but they were the direct result of MIT's actions and snowballed as a clear result of MIT's failure to act despite knowledge of the situation at the highest levels of the administration. MIT failed to act in late 2012, a point where failing to intervene was equivalent to providing its approval.

And after chewing on this for a few days, that failure is what leads me to my biggest criticism of Professor Abelson's report: the avoidance of any individual or even systemic responsibility. The team made the decision not to report the names of virtually any MIT personnel, citing concerns for their privacy and safety. I don't want to debate that decision, and I think those concerns bear a certain degree of merit worthy of precaution, but the implications in the text are striking.

Normally, when, let's say, the GAO writes a report on some federal procurement going totally off the rails, it identifies everyone by name (except for the limited use of anonymous sources), but publicly releases a redacted copy where most of the names, usually excepting senior leadership and non-government employees, are replaced with identifiers: IRS Agent #1, EPA Analyst #3, Cleaning Technician #2, etc... Prof. Abelson didn't follow this practice here, instead opting to typically attribute actions and communications to the offices from which they originated: "OGC sent a short response to the Director," "The Libraries told JSTOR," etc... Many statements and beliefs are attributed only to "OGC" [Office of the General Counsel] or, incredibly, to "MIT" in general.

The problem is that offices and departments don't write emails, make phone calls, or decide anything: actual individual people do. By glossing over the actions of individuals and presenting every decision point as one blandly made "by MIT," any real sense of how these decisions came to be made is lost. What organizational characteristics and human factors, outside of Aaron Swartz's own fight with depression certainly, created this outcome? What ideas were considered and rejected? What information wasn't communicated and who was relying too much on someone else's views?

The report's conclusion, which takes a strikingly different tone to the rest of the report and especially to President Reif's letter, tells us that "It has not been the Panel’s charge for this review to make judgments, rather only to learn and help others learn. In doing so, let us all recognize that, by responding as we did, MIT missed an opportunity to demonstrate the leadership that we pride ourselves on." I recognize that its all too tempting to want a cartoonish villain to blame this all on, and the reality is far more complex than that. But the failure here was one of leadership and decision-making, the kind of collective organizational inertia you get into when your community stops being a collective of intelligent and intellectually curious individuals and becomes a hierarchy of important-sounding offices and titles.

And in that light, the decision to avoid names and eschew even anonymous identifiers is particularly striking as a symptom of this ongoing lack of leadership. The report rarely deviates from the raw documents and the timeline to ask the individuals installed about their thoughts and feelings. How can one reflect on the leadership and organizational decision-making practices displayed by these individuals if we just consider them as the mechanical black boxes of "OGC," "Chancellor," and "IS&T." Take this snippet, for instance, describing Robert Swartz' (Aaron's father and a consultant at MIT) meeting with MIT's Chancellor in fall 2011:

"The meeting was extremely disappointing to Robert Swartz. It seemed to him that MIT was not only denying his request, it was denying the very basis of the help he was seeking, in a manner that seemed to afford no way forward. Given his background at MIT, this seemed to him a shocking failure of compassion. At one point in the meeting, he reportedly asked, “Why are you destroying my son?” The Chancellor replied that this was not MIT’s intention or desire." (p. 63)

So what did the Chancellor believe to be MIT's "intention or desire" at the time? Who formed this intention and who did they discuss it with? What outcome, whether achieving that outcome was within the Institute's control, did he believe would best serve MIT's mission, values, and culture? What did this man, Chancellor Eric Grimson, feel when a father asked why he was "destroying [his] son," and was there any connection to the circumstances of this situation on a fundamental human level? Some of these questions may well be unanswerable, and truthful answers to some of them might well make us uncomfortable, but they are the questions ignored by the report's authors, who were the ones in a position to ask the Chancellor to reflect on these events, to probe for elements of humanity in this cold and disheartening narrative.

And I really do hope there is some of that humanity out there. I just also hoped we'd see a little bit of it in this report too. Aaron certainly didn't see any from MIT.
posted by zachlipton at 10:47 PM on August 3, 2013 [1 favorite]

Zachlipton, I'm can't the point of bringing up the StopIt system. Swartz might have been warned by IT staff if he had used a real email address, but as it was they had no way of identifying or contacting him. This is a recurring theme: he repeatedly evaded mechanisms that would have warned him or would have prevented his actions. If Swartz had used a real email address; if he had taken the hint upon being locked out the first time; or the second time; or after JSTOR access to MIT had been stopped altogether; or if he hadn't made an illicit network connection look criminal then the police would probably not have been called and the prosecution would not have taken place.

For a smart guy he was incredibly stupid: couldn't he have used a real email address? Couldn't he have taken a hint? Did he think that this was all a game in which he was battling wits with IT administrators, and may the best hacker win? What, did he think MIT should let people break into their closets and attach illicit network equipment? Of course the police would be called at some stage. And I think every hacker knows that prosecutors are censorious, captious, vindictive, and relentless.

This is where I think the EFF has fallen down. Aaron Swartz was stupid. Aaron Swartz was wasteful. Aaron Swartz hurt the whole of MIT and its guests by his arrogant, thoughtless behaviour. Not only was research using JSTOR interrupted at MIT (and other places served by the same machines) but JSTOR imposed a new policy on MIT: guests could no longer access JSTOR except at MIT libraries. Gee, thanks Aaron. Way to strike a blow for academic freedom.

Yes, it's arguable that MIT could have favorably influenced Swartz's prosecution. I suppose it's also arguable that they should have tried to do that - not because his prosecution was intrinsically unjust, but because it was excessively heavy-handed. Even granted all of that, the fundamental issue here is that MIT had generous, loose policies that Aaron Swartz abused; and those policies were made more restrictive as a consequence of his actions. It's fine that EFF stepped forward to protest the draconian laws used to punish hackers, but they might also have found some time to acknowledge that Swartz hurt the cause of electronic freedom.
posted by Joe in Australia at 12:30 AM on August 4, 2013

Aaron Swartz was stupid. Aaron Swartz was wasteful. Aaron Swartz hurt the whole of MIT and its guests by his arrogant, thoughtless behaviour.... Gee, thanks Aaron. Way to strike a blow for academic freedom.

Well now he's dead so I guess... your side wins? I think most people who paid attention to the case as it was unfolding would admit that Aaron could have gone about this whole plan in a different way, but I think people were also mindful of the fact that his was, actually, a plan. Sort of a civil disobedience thing which, yes, was inconvenient for some folks. And all the concern trolling about how bad it could have been ignore the fact that the at-the-time reported badness was virtually nothing. People got by. And the report from MIT outlines what the actual impact was. And you can definitely say "Well yeah but if everyone did it then the system would collapse..." or something, but that's true about all rule-bending actions that many of us take every day.

JSTOR has been slowly opening up access to a lot of its content in various ways but at the time that this incident occurred, they were still charging people for access to public domain materials (that stuff is now free and open to the public now, incidentally) and as much as I agree generally that they serve some public good, they also are a big corporation and ever their response to this whole thing was to minimize it and not go after Aaron, a decision MIT could have and did not make for the reasons they outlined.

I think this is a situation on which reasonable people can and do disagree, but this discussion does not require the name calling of our dead friend and it would be nice if you could find ways to discuss this that avoided some of that.
posted by jessamyn at 7:11 PM on August 4, 2013 [6 favorites]

I don't think anyone takes Aaron's death as a win.
posted by maryr at 8:11 PM on August 4, 2013

No, and I can't imagine any "side" of this I could possibly be on.

Jessamyn, if you're speaking personally then I'm sorry for hurting your feelings. None the less, this isn't a eulogy; it's a report on MIT's response to Aaron Swartz's actions. MIT justified their initial response with reference to consequences they had experienced and the ones they anticipated or feared. You may not think those consequences were severe but I suggest that this is relative to the life of a young man and in the light of hindsight. At the time they were sufficiently severe to disrupt an entire university and they continue to affect thousands or tens of thousands of people.(*)

In that context I think it's wholly appropriate to consider whether Aaron Swartz knew or should have known of those consequences, and whether his actions were reasonable. MIT lost access to JSTOR initially after he sucked down twice as many articles in one evening as the entire university downloaded over the course of a year. He went on to download a great deal more but after being shut down (twice) he must have known there was no possibility that he could continue. I believe that it was unreasonable to shut down a university's access to JSTOR in pursuit of a quest to free public-domain data; it was particularly unreasonable when it wasn't even something he could do.

I am very sorry that such a gifted young man despaired of his life. He didn't deserve the penalties that he had been threatened with; I can unhesitatingly say that these laws are false and unequal; that the prosecution was capricious; that the justice system in this regard seemed vindictive. None the less, looking at his actions, do I regret my characterisation of them? No.

(*) MIT reports that its use of JSTOR fell by nearly half from 2010 to 2012, which they ascribe to "more stringent access controls" imposed "in reaction to Aaron Swartz's downloading activities".
posted by Joe in Australia at 10:55 PM on August 4, 2013