It is alleged that he signed up for guest accounts on their network with different laptops, changed his MAC address and re-registered if the IP he was using was blocked (by JSTOR) or cut off of the network (by MIT), and finally connected a laptop in a basement networking closet.
I guess you could say that is 'hacking' in the unauthorized access sense, but not in any meaningful sense. It isn't breaking and entering if someone repeatedly trespasses somewhere (say, banned from a store) even if they change their clothes to avoid detection.
How long until posting a negative comment to a blog is "unautorized access" to that blog? Gaining access was easy: all you had to do was type a comment and hit submit. But some Powers That Be decided they didn't really want you to post that, so now it's a federal computer crime.
That's currently unsettled, and yes a lot of computer-crime experts (even typically law-and-order-leaning ones) consider it a huge problem--- it might actually be a federal crime to post a comment on a blog in violation of the blog's Terms of Service.
Speaking of "TV drama levels of understanding of criminal justice"... :)
With only a few exceptions, persons accused of crimes are not presumed to have mens rea. Statutory rape, for instance, has "strict liability"; even if you don't know you're committing a crime, you're liable. Most criminal offenses are not like this. The state is required to establish mens rea.
A prosecutor could say that a ToS-infringing blog comment is a criminal violation, but unless that prosecutor can establish that the comment was made in purposeful, knowing, or reckless violation of the ToS, they'd be wasting their time.
You're getting hung up on the "access" part, it's the "authorization" that's important. In your example it would likely be almost impossible for the blog owner to prove that someone intent on posting negative comments was not authorized to do so.
As a side note, I think we all should be more careful with "omg, we're losing our freedoms!" comments. They're usually not as clever as they feel at the time, and have the dangerous property of inuring us to such claims.
This was struck down by the courts by the way. Why? If unauthorized access is a federal offense, and unauthorized access can be determined by (e.g.) a EULA, then it basically allows a business to dictate criminal law. For example:
1. This would allow all of those 'You agree that you are not a law enforcement official' B.S. 'terms of use' on warez servers to actually have teeth.
2. "If you are a {black,hispanic,gay,etc} person, you are not allowed to access my website."
Do any of these sound reasonable? I should hope not.
* How about "You are not allowed to hyperlink to this page?"
* How about that 'MySpace Hacking' case? From Wikipedia:
Judge Wu summed up his opinion by stating that allowing a violation of a
website's Terms of Service to constitute an intentional access of a computer
without authorization or exceeding authorization would "result in
transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment
that would convert a multitude of otherwise innocent Internet users into
misdemeanant criminals." For these reasons, Judge Wu granted Drew's motion
for acquittal. Government eventually decided not to appeal [16].
There are two separate issues as well, whether or not a restriction is valid and the ease with which it is circumvented. Lots of EULA/TOS terms are unreasonably broad. But let's say the TOS says "use of service without a password is unauthorized". Seems reasonable.
Somebody runs a program to guess passwords until they find one that works. "Ah ha," they say, "I have a password, so my usage is now authorized." I don't think a judge or jury will buy that. Even if the password was easy to guess.
I believe that was SpikeGronim's point. Assuming the definition of unauthorized is legit, there's no such "it was too easy" defense. Or "I could do it, therefore I must have been allowed to do it."
It isn't breaking and entering if someone repeatedly trespasses somewhere (say, banned from a store) even if they change their clothes to avoid detection.
It might not be breaking & entering, but it's still trespassing, which is a crime.
I'm not sure what you're appealing to. Real-world analogies don't always transfer readily to digital law. Even in the words of the ageing CFAA, "exceeding authorization" to steal commercial information is most certainly a punishable crime. You don't have to pull out nmap and zero days to be convicted of hacking.
He found ways to get around the (minor) protections put in place using a computer. That fits the colloquial definition of hacking. We don't own the term anymore - if we ever did.
22.
On October 8, 2010, Swartz connected a second computer to MIT’s network and
registered as a guest, using similar naming conventions: the computer was registered under the
name "Grace Host," the computer client name "ghost macbook," and the throw-away e-mail
address “ghost42@mailinator.com."
23.
The next day, October 9, 2010, Swartz used both the “ghost laptop” and the
“ghost macbook” to systematically and rapidly access and download an extraordinary volume of
articles from JSTOR. The pace was so fast that it brought down some of JSTOR’s computer
servers.
Also mentioned is that Swartz used the network closet to take 2 IP addresses. Are we to infer he hooked up both laptops with an IP each? Or is the real scenario that he was using one laptop under 2 identities? (Not that impossible.)
How is this not "unauthorized access" "in any meaningful sense"?
They blocked his IP, they blocked his MAC, and he hid a machine in a wiring closet to get on MIT's network. What would he have to do to make it "meaningful"?
Crack a password. Use SQL injections. Steal a credit card. Spoof someone else's MAC and IP. Steal a cookie. Something like that.
He was accused of using a guest network account on MIT, with a fake name, new MAC and IP, and throw-away email address. From there, he used a script to download lots of JSTOR documents.
This isn't the internet equivalent of "checking out too many library books". It's the internet equivalent of "checking out too many library books whilst wearing a false mustache".
Nah. It should only be illegal if normal people can't do it. Most of what Aaron did is stuff lots of people do.
There's a difference between wearing a dummy badge that says "I am Gary Host", a badge that incorrectly says "I am Bill Gates" (as that would be some kind of identity theft) and forging a passport in "Gary Host"'s name. What aaronsw did was far closer to the first.
Now, you could argue that scripts are power tools, and using them requires a higher standard of behavior. If you are driving a plane, giving dummy credentials over the radio is a lot more serious than a kid with a toy CV radio.
Even then, the dummy credentials didn't really cause any damage. The damage was done by the script itself. Even if he used his real name, the damage would have been done.
I did not say that it was not unauthorized access, just that hacking (in the breaking into computer systems sense) involves actually breaking in.
Changing a MAC address (on a device that you own and control) does not constitute hacking. It is as simple as ifconfig(8) and if you have a consumer router it probably has an option in the web interface to do it.
Anyone on MITNet has access to JSTOR articles free of charge to the user. Similarly the ACM, IEEE, etc. all have agreements like this with major universities.
JSTOR offers packages and any articles not included in those packages can be purchased by individuals. Most choose instead to request it via interlibary loan and you'd have it within 24 hours usually.
Yeah, I was laughing about how an Acer laptop took down their service and did damage to their network. If I was JSTOR, I wouldn't prosecute just because it makes our company look ridiculous.
Because, of course, JSTOR plans for 100x usage spikes and performs neither logging nor accounting, so serving a file is just as simple for them as downloading it is for the client.
> Does anyone think it's odd that an Acer laptop could write these files to disk faster than JSTOR could serve them?
Why would that be odd? SATA = 3 Gbps throughput with minimal overhead, Ethernet = 1 Gbps with lots of overhead (IP headers, Ethernet headers, HTTP headers)
Did it specify that he was writing to local disk? If I did a stunt like this, I'd probably try to write to some cloud storage like Amazon S3. I'd bet that Amazon's servers can drown JSTOR's, particularly if there's a big pipe like MIT's in-between.
It sounds like JSTOR's servers aren't really optimized for high article download rates, to the point that his one laptop accounted for a significant part of normal continental US load. They probably had some bottleneck in the system that they never noticed before — maybe their logging infrastructure was absurdly slow or something.
He is the author of numerous articles on a variety of topics, especially the corrupting influence of big money on institutions including nonprofits, the media, politics, and public opinion. In conjunction with Shireen Barday, he downloaded and analyzed 441,170 law review articles to determine the source of their funding; the results were published in the Stanford Law Review. From 2010-11, he researched these topics as a Fellow at the Harvard Ethics Center Lab on Institutional Corruption.
He has also assisted many other researchers in collecting and analyzing large data sets with theinfo.org. His landmark analysis of Wikipedia, Who Writes Wikipedia?, has been widely cited.
Interestingly, while the Grand Jury Indictment does discuss evidence for many of the other accusations, they do not discuss any evidence for this intent-to-distribute claim.
So he allegedly goes out and buys a laptop just to do this heist...and then he blows his cover by doing a scrape fast enough to apparently bring down some of the MIT servers? Why was he in such a rush?
Most likely the servers crashed for whatever reason, and they looked at the logs and saw lots of recent accesses from a particular computer, and post hoc ergo propter hoc. Sysadmins often blame outlier users for crashes.
The indictment asserts that Mr. Swartz intended to distribute the files downloaded but did not substantiate this claim. I wonder what proof they have of this? (There are, of course, a great many laws dealing with probable intent that need only convince a jury of said intent without demonstrating it's validity.)
Right... the real question seems to be what was he going to do with the files. The indictment doesn't really offer any evidence to this, and I doubt Aaron will be doing much talking until his defense.
That was what he did in that case, but it wasn't what he did with the four hundred thousand law review articles he analyzed for conflicts of interest more recently.
The indictment doesn't have to provide all the evidence presented to the Grand Jury, and the Grand Jury process itself is secret (the actual court case won't be).
I've heard that, in drug law, possession of more than a certain amount is automatically interpreted as intent to distribute. Maybe the prosecutors in this case intend to argue something similar based on the nature or quantity of the documents retrieved.
The man is a heroic martyr, who risked everything to set knowledge free. (Knowledge most of which was produced at the public's expense!)
He may very well die in prison.
Or perhaps he will be forced to publicly recant and merely be forbidden from using computers. I hope that in the latter case he will have the good sense to emigrate.
One day, his tormentors will be harshly punished. Unless, of course, "the future is a boot stamping on a human face — forever."
"Keeping medicines from the bloodstreams of the sick; food from the bellies of the hungry; books from the hands of the uneducated; technology from the underdeveloped; and putting advocates of freedom in prisons. Intellectual property is to the 21st century what the slave trade was to the 16th."
Can we be done with this thread? I know for a fact that I am not the only one who has flagged it. No good can come of this. In a likely worst case given who we're talking about, Aaron will be prodded into commenting publicly on a criminal case.
You are, however, free to believe that I was trolling. I can't stop you.
I invite the moderators to delete my account, if they believe that I am a troll. As things are, I merely refuse to go along with the herd-think on this site.
You seem to have a lot of comments for someone who doesn't even have a TV Drama-level understanding of the criminal justice system. You know that even people accused of murder are often free during their trials, right?
A political prisoner is not usually granted bail. It isn't hard to see why.
Murder is a genuine crime recognized by all nations. One accused of murder will find few people who are automatically sympathetic.
On the other hand, the "crime" Mr. Swartz is accused of would be seen as an entirely moral act by a great many people around the world, myself included. It is quite possible that if he were to board a plane, he could find a place where he would not only be able to continue in his line of work, but would be respected as a hero who flipped the finger at the Evil Empire and its fat rent-seeking parasites.
The prosecutor would be quite foolish to grant bail.
Heading off a message board nerd response: the prosecutor does make influential bail recommendations. But don't you get the impression that this particular commenter would be disappointed if Swartz wasn't imprisoned immediately? That sure would cut down the drama and cost the commenter some opportunities to howl at the moon about political prisoners.
For some of us, memory of how Mitnick was treated (or for a more modern example, Manning), still taints how we expect accused "hackers" to be treated by the criminal justice system.
Physical detainment of someone accused of such crimes is hardly unheard of.
Mitnick's story is absolutely nothing like Aaron's. Mitnick was a fugitive after already having done prison time and had to be tracked down via cell phone triangulation.
Thanks for the reply. I had been thinking of submitting the NYT article but based on your response decided to hold off. Not sure I think that flagging it is the right thing but I don't want to pour gasoline on the flames.
Well, I'm going to guess that the prosecution is putting that in there just in case they can get the jury to agree. They can claim anything they want, the jury has to decide if it's true without a doubt.
Um, I don't know, maybe because he wrote a manifesto to that effect and has circulated various methods for doing so? He was sponsoring a google group for article requests for awhile. Seems to be gone now.
I wonder what they'll push for. He sounds pretty screwed if this evidence pans out. Looks like he could even end up with a few years' time if the prosecutors want.
The repeated use of "stole" in the indictment is interesting, even beyond the usual metaphorical usage to discuss copyright infringement.
In this case, the indictment alleges that the documents were stolen from JSTOR, which does not even own them! In the vast majority of cases JSTOR scanned documents whose copyright is owned by someone else, and acquired or was donated a non-exclusive license to distribute copies via its service. In many cases the documents are even public domain. The indictment continues the theft metaphor by discussing the effort and expense JSTOR incurred in scanning the documents, and the alleged attempt to render this less valuable by redistributing "its" documents, analogizing this to the loss someone suffers in a theft.
But effort expended to build a private repository consisting of copies of things you don't own doesn't give you ownership of the result, any more than Google Books doing the same has given them ownership of the documents that they've scanned. If you scraped Google and "stole" their scans, you would be violating Google's Terms of Service, and Google might indeed feel subjectively like you've taken something of value (their exclusive access to this repository of scans), but I think it would be a stretch to say that you've "stolen" "their" documents.
Yeah, that bothered me too. Especially on page 14, where they demand that he give back the "proceeds obtained." How is that going to be determined in such an unrealistic sense?
They are talking about theft of services, not copyright infringement. In any event these charges are going to be very difficult to beat since they're federal, even though there are some obvious holes in the indictment. It will be almost impossible to get any of the evidence thrown out even if there was an illegal search and seizure. His best bet is probably to get the Harvard legal team to go to bat for him, although it's difficult to say how likely that is.
I wasn't really commenting on the legal sufficiency of the indictment, just the rhetorical dishonesty of accusing someone of "steal[ing] well over 4,000,000 articles from JSTOR" (quote from the indictment) when JSTOR didn't own those articles. They could've just alleged violation of JSTOR's TOS and thereby theft of network services. I suspect JSTOR or people sympathetic to them had a hand in writing the indictment, though; JSTOR has a long history of attempting to spread the misinformation that it somehow "owns" its archive.
He is accused of stealing bandwidth from JSTOR, not the documents. "Theft of services" not theft of property. Theft of bandwidth is almost as absurd as theft via copying. JSTOR apparently isn't interested in free transmission of knowledge
If you read the indictment you'll see that they very much are not interested in free transmission of knowledge.
They charge >$50k/yr for access: " For a large research university, this annual subscription fee for JSTOR’s various collections of content can cost more than $50,000."
That price actually seems pretty reasonable for a large research university.
The real question is how much they charge individuals who want to get an article. My first google search (http://www.jstor.org/pss/27757488) results in $12/article. This is very steep when you're trying to do research and don't even know if the article is what you're looking for.
Well, you wouldn't want any old rabble getting access to valuable knowledge. Far better for that access to be safely controlled by the major research institutions, who can clearly be trusted to pursue knowledge in a responsible manner.
How is that reasonable? Sounds like Mr. Swartz was willing to host them for free! And he would have gotten away with it too if it wasn't for those meddling police.
But seriously, $12/article is ludicrous. That must be way above cost recovery or they're not doing a very efficient job of running JSTOR. Perhaps the co-founder of Reddit would do a better job...
Most public libraries have relationships with JSTOR that allow members to access the articles online. I use the Boston Public Library and look up articles via Google Scholar. All free.
I admit that I don't have statistics [edit: on libraries], but most libraries in the world are not large or in the US, and JSTOR's prices for a "small" library in "the rest of the world" are much, much larger than [edit: wrong — comparable to or perhaps a bit larger than, but not much, much larger than] their entire budget. Check out http://support.jstor.org/csp/PriceCalculator/. This code (for Chrome) gives me a yearly price of $81162.70, although it hangs the browser for a while first:
function mouseEvent() { var event = document.createEvent("MouseEvents"); event.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null); return event; }
function each(list, thunk) { list = Array.prototype.slice.call(list); for (var ii = 0; ii < list.length; ii++) { thunk(list[ii]); } }
each(document.getElementsByClassName('expand'), function(link) { link.dispatchEvent(mouseEvent()) })
each(document.getElementsByClassName('e-only'), function(link) { link.dispatchEvent(mouseEvent()) })
It's sad that you have to write javascript code to do that! (But also cool that you did. :)
"Complete Current Scholarship Collection" for 22751.90 is a duplicate of all the things above it. So I think some of the entries have been double counted.
The real price for most libraries may about 1/2 or less of your estimate (they won't be interested in everything). And 20,000 to 40,000 is (well, shouldn't) be a lot of money for a public library.
That's the salary for a single employee! I would expect a library to have at least 5 employees, plus a budget to buy books.
Also I would expect a small library to have only a subset of the papers, and for serious research you would need to "go into the city".
I think you're thinking very much of US salaries. $40,000 a year shouldn't be a lot of money for a public library in the US, because it's the salary for a single employee (or the total costs for half an employee!), and the wonderful public library system in the US does indeed have multiple libraries. But world GDP per person is about US$10k per year, compared to the US's US$47k — and the bulk of that GDP comes from a few rich countries with only a small fraction of the population. An average country is something like Jamaica, Thailand, or the Dominican Republic, where the per-capita GDP is something like US$8.8k.
So US$40k per year is the salary for almost five employees. Except that within Jamaica or Thailand (or, to a lesser extent, the US) the median salary is much lower. And it's probably not the prime minister's niece who's working the librarian job. So maybe it's more like eight to ten employees.
So, yeah, most libraries — even measured numerically, but especially measured by the number of people who rely on them — are a lot poorer than what you're used to.
I haven't checked yet to see if the National Library here in Buenos Aires has JSTOR access.
I don't know this for sure, but I suspect that if you contacted JSTOR from a low income country they may give a better deal.
BTW, if you really do need JSTOR, it's not hard to find a library card number from a US library and use that for access anywhere. (Well, I don't know JSTOR specifically, but all the other databases I've used from my library are available to me at home after I put in my library card number.)
Their price schedule divides "Public Library – Small" into "US", "Canada", and "Rest of the World". It's possible that someone phoning them up from Senegal or Paraguay would be able to negotiate a lower price, but it's not as if their existing price list doesn't recognize the existence of different countries. (Still, lumping Switzerland and Malawi into the same category might not represent a deep level of consideration of the issues.)
For what it's worth, I was using their web site from my house here in Argentina, which is usually classified as a "middle-income country," but where you can hire a full-time employee illegally for US$4000 per year.
I was rebutting a factual claim ("Most public libraries have relationships with JSTOR that allow members to access the articles online"), not a normative one. An analogous factual claim might be that most Zimbabweans drive Mercedes. Even without having access to Mercedes's sales figures by nation, that ought to appear unlikely to you?
Yes, let's agree on and further reason from the the premise that it is not currently true that most Zimbabweans drive Mercedeses ;)
My point was: your argument seems to be based on refuting the argument that the JSTOR subscription is not expensive for the average library because it is only about one yearly salary of the average rank-and-file employee, by saying that that only holds for the libraries in the US (maybe some parts of Europe, but let's say the US for the sake of this argument), and that in many other countries salaries are lower and therefor the relative cost of a JSTOR subscription higher.
So, my (perhaps naive) interpretation of this is that your ulterior argument is that JSTOR is too expensive for many libraries outside of the US, and that they therefore don't have access to its contents.
I further deduce from that, from the context in which you bring it up, is that you don't find it a problem that people take the content from JSTOR and redistribute it to people who don't have easy access to libraries who do have a subscription. Now I'll grant that this is a fairly big leap to make, and maybe you're not holding that position; but within the given context (of people arguing pro and con the actions of the Reddit guy what's-his-name), I think it's not unreasonable of me to assume so, either.
So, to close the circle, my 'question' was (but of course it is a 'question' that is, in the end, a way of stating my position in the discussion...) if it is reasonable to hold that when something is too expensive for people, it is OK to circumvent the rights holders' restrictions on the use of something. (I'm deliberately being vague on issues like 'moral ought' vs 'legal ought', if JSTOR really has a common-law variation of a database right on their collection, jurisdiction etc. - I don't really think they're important for the question at hand).
There is no non-exclusive copyright. J-STOR is not the copyright owner, period.
They do own the right to the composition of their collection, so someone who got the whole collection would be liable to infringing their right on the composition of the collection; in contrast, a random sample of articles would infringe on the publishers' IP rights rather than J-STOR's.
The subtle point is that J-STOR is absolutely not interested in the original copyright owners having to hunt down abusers, because that would (in all likelihood) appear like an additional, avoidable hassle to the latter and would make them less likely to agree to have J-STOR distribute their content. [edit: apparently it's the US Attorney General more than J-STOR who is pushing this case forward]
In comparison: if someone sneaks into a cinema to see a movie, you would accuse him of cheating them of the entrance fee, and not of "stealing the movie". If someone sneaks into a cinema and uses his camcorder to record the movie, he is cheating the movie theater of the entrance fee and misappropriating the production company's movie (with the suspicion that he might pirate it later), but he did not steal the movie from the theater. That would involve something like walking away with the movie theater's copy of the movie, which would fulfill the criterion that what's stolen is not there afterwards.
Misappropriation of IP is not stealing. It's unauthorized copying - that certainly has the potential to harm the bottomline of the copyright owner, but with an impact that is much harder to quantify than the stealing of an actual physical thing.
IP owners and friends of them who use the word 'stealing' want to frame the situation in such a way that appeal to the nonexistence of monetary loss is excluded - mostly because these same owners are investors in, and not creators of, the IP and do not have any other perspective than squeezing whatever value they can out of their investment.
(The authors of the original articles probably couldn't care less about some punk illegally downloading their texts, because they don't see any money from it anyways).
Excerpt:
In the terminology of the copyright law, a database is a “compilation.” The Copyright Act defines a compilation as “a work formed by the collection and assembling of preexisting materials or of data....” (1) Compilations were protected as “books” as early as the Copyright Act of 1790.
§ 103. Subject matter of copyright: Compilations and derivative works
(a) The subject matter of copyright as specified by section 102 includes compilations and derivative works, but protection for a work employing preexisting material in which copyright subsists does not extend to any part of the work in which such material has been used unlawfully.
(b) The copyright in a compilation or derivative work extends only to the material contributed by the author of such work, as distinguished from the preexisting material employed in the work, and does not imply any exclusive right in the preexisting material. The copyright in such work is independent of, and does not affect or enlarge the scope, duration, ownership, or subsistence of, any copyright protection in the preexisting material.
Your use of the JSTOR archive indicates your acceptance of JSTOR's Terms and Conditions of Use, available at .http://www.jstor.org/page/info/about/policies/terms.jsp. JSTOR's Terms and Conditions of Use provides, in part, that unlessyou have obtained prior permission, you may not download an entire issue of a journal or multiple copies of articles, and you may use content in the JSTOR archive only for your personal, non-commercial use.
Each copy of any part of a JSTOR transmission must contain the same copyright notice that appears on the screen or printed page of such transmission. JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship.
Yeah, fortunately they don't appear to actually enforce that regularly through technical measures. As a researcher with legitimate paid access (via my institution) to JSTOR, it would be absurd if this were enforced. If there is a special issue of a journal exactly in my research area, I pretty much need to read all the articles in it, or at least skim them. To comply with the terms, do I really have to choose an article to avoid reading, so I only download (N-1) of the articles in the issue?
I agree with most of your comment, but there are a couple of points where I wanted to add some commentary.
Compilation copyright only applies to compilations where some creativity is employed in selecting the items to be included. There is no "sweat of the brow" database right under US law. JSTOR almost certainly does not have a compilation copyright on their collection, since any creativity being employed in selection is being employed by the journals they archive, not JSTOR employees.
At any rate, the indictment does not include any charges of copyright infringement.
I hate to quibble over words, but a painting can be stolen "from the Louvre" even if it's there on loan from a private collection, just as you could say, "The necklace was stolen from my jewelry box," without implying that your jewelry box was the legal owner of the necklace.
This is more like taking a photograph of a painting on loan to the Louvre, though--- they're alleging that a copy was made, in violation of their terms of service, of a document that they don't even own (but do host). In that case, I would think that you might be violating the Louvre's camera policy, and you might even be colloquially "stealing" something from the painting's author (e.g. if you go on to publish illicit copies from your photo), but you aren't plausibly stealing anything from the Louvre.
The argument over whether something digital can be stolen at all is a different argument than the one you made in the comment I replied to. The question of taking photographs of artwork (which are not exact copies, but which have their own cultural, educational, and commercial value) is a third question which is interesting in its own right. At this pace, I'm having a hard time keeping track of what we're arguing about.
In any case, my intention was not to signal my support for one of two predefined sides in a battle over the concept of intellectual property, it was just to point out stealing "from" doesn't have to have the meaning you read into it.
Well, if someone stole $100,000 of property from a storage facility, that wouldn't mean the storage facility claimed ownership of the property, just that it was the location of the theft. Maybe you're overthinking this a bit.
Well this is more akin to breaking into the storage facility and making a copy of all the Paintings stored there. The value of the goods being stored has not been reduced.
Not to torture this analogy any further, but would you feel safe storing your stuff at such a facility after something like that? No, you'd probably look elsewhere for your storage needs. Breaking in is still bad and would be the subject of criminal charges. If the US attorneys decide that use of the word 'stole' is somewhat over the top, then guess what? they can amend the indictment - just as the defense can amend their motions.
My point is not that the government is correct or morally justified in bringing this indictment, but that getting hung up on terminology like this obscures the legally problematic issue of having (allegedly) bypassed the security systems to download material he was not supposed to have access to, regardless of who actually owns said material.
But: (1) JSTOR isn't a storage facility in that sense; the copyright holders do not pay JSTOR to store their items, so this is a bad analogy.
(2) If the outrage is supposed to be about bypassing security systems, why is the government hung up on the "theft" terminology? Especially when JSTOR, the party arguably injured (in some way not specified), has asked the government not to prosecute?
No, this is clearly a convenient way to get a politically inconvenient person labeled a felon.
1. The analogy is only to point out that a 3rd party repository can be negatively affected by a break-in event if it doesn't have an ownership interest in the materials it stores.
2. The government is not hung up on the 'theft' terminology. The words 'steal' or 'stole' only appear three times in the 15 page indictment and the actual offenses he is charged with are wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer.
Except that copyright infringement is definitely not theft. The owner doesn't lose his documents. It's fine if your opinion is that copyright infringement is wrong, but let's not call it by inappropriate names.
My point being, i have no idea what service they provide, didn't read the fine article. But if they have an all-you-can-eat plan for like $300 a month per seat. Then the charges should have been "joe doe hacks MIT network and steals $300 worth of replaceable goods".
In the same lines that if someone break into a car-wash and use 5min of their water, he will hardly be convicted of organized crime and causing damages over $300 (because that's what they charge for the premium wash)... why it's so messed up when you put a computer in the middle?
You're precisely incorrect as far as the law is concerned.
If I make a painting, I own the copyright. If you take a picture of said painting, you own the copyright on the picture. If someone makes a collage of your picture they own the copyright on the collage. Both of you are liable for copyright infringement against my rights, but this is independent of your own rights as described above.
This is the most technically competent charging document I've ever read. I guess there must have been some hackers on the grand jury.
Paragraph 35 & 36: which "protected computer" on MIT's network did he access? Certainly they're not trying to claim his laptop was a protected computer? Are they talking about the DHCP server or whatever registration frontend MIT has for the DHCP assignments? I have trouble with the concept that a violation of a computer use agreement (when there are no operative security barriers in place) constitutes a violation of the computer fraud and abuse act. Then again, I've always thought that act was vague and therefore overbroad.
Obviously what he did was bad in some sense (at least from the perspective of JSTOR and MIT), but even if it should be a crime rather than a civil dispute or internal disciplinary action at MIT, I don't like the fact that just about any misbehavior on the internet becomes a federal case because the probability of no interstate resources being used is very low.
Finally, I take issue with the notion that someone who is accessing a service through a public interface is criminally responsible for downtime if too high an access rate causes service degradation or an outage. The claims that JSTOR's servers were overloaded and (one?) even went down at some point are clearly there to set up a later claim of damages. Haven't they heard of rate limiting (in this case, since it was a rogue laptop stashed in a data closet, rate limiting by IP)? That wouldn't work against a concerted denial of service attack, but this was no denial of service attack. JSTOR seems to have been relying on manual intervention to stop article leeching that could lead to a (partial) outage. That's naive, and not a good idea.
But there is an element of permission inherent in DHCP. Your device is actively configuring my device specifically to allow network access. It's not an open door; it's a sign saying "This way please". That said, its obvious this was an attempt to circumvent access controls.
I'm unfamiliar with MIT's guest setup, but I assume they let you get an IP address, but before you can access anything, you have to acknowledge their terms of service / acceptable use policy. If you fail to abide by this, you'd be accessing the network without permission.
You're right that (as alleged), this would be an obvious attempt to circumvent access controls.
Given the way things are worded, I'm guessing that the MIT computer that was improperly accessed was a router or switch. Hell, just plugging into the switch directly could be construed as unapproved access to a computer device. I think the Federal law treats anything with a processor a computer.
Yeah, I think it's a bad argument to personify network protocols or imbue them with intent. Legally speaking, what is more important is the intent of the person using them.
There's an element of permission inherent in a door! I mean, it's a breach in a wall, specifically put there at great additional expense, just to allow people entry! In either case, an enabling technology isn't inherently an invitation. Again, just because you CAN use a technology to do something, doesn't mean you MAY.
And with respect to the comment about "this way please", and the "actively configuring my device", please note that the client initiates the DHCP conversation with a Discovery message.
Discovery: "Can anyone give me DC info so I can set up my H, please?",
Offer: "Yes, I can, here's one configuration option!"
Request: "Yes please, that sounds good, I'll take it"
Ack: "Okay, you got it".
A stranger would probably be allowed to enter the property unless you had posted No Trespassing signs. They'd be required to leave upon request but I'm not sure that simply entering your house via an open door would constitute a crime or tort. An open door could likely be construed as implied consent.
I think 18USC1030 is pretty broad in its definition of a "computer". Back in the MBTA hacking case, MBTA claimed a magnetized piece of paper was a computer under this clause, and the first judge that looked at it bought that (sanity prevailed and that decision was later over-ruled). I wouldn't be surprised if they are considering the MIT network or at least the routers that were configured to prevent his access the protected computer in this case.
* Prosecutor presents evidence to Grand Jury. This may include witnesses or documents.
* Grand Jury votes on if there is enough there to approve indictment
If they've got a computer crimes division, then they're going to have hacker types in the prosecutor's office to do this stuff and get the details right.
The indictment is going to be the most slam dunk part of the evidence that there is, as it's written by the prosecutor and there's no counter to it. If it doesn't look airtight, then it's probably a very weak case.
Though, looking at it here, It's not looking very good for aaronsw. The combination of mac address spoofing and a locked wiring cabinet show physical and electronic security that was bypassed, repeatedly. That's easy to explain to a jury.
A funny omission is that the indictment never actually says that the wiring cabinet was locked, or how Aaron supposedly broke into it. I infer that it wasn't locked.
But, given the rest of the indictment, I'd think that the prosecutor would be sure to throw in "Swartz picked the lock on the restricted wiring closet in order to introduce the Acer computer," since it would incline the grand jury to be more likely to hand down an indictment — unless she knew this was false.
>I take issue with the notion that someone who is accessing a service through a public interface is criminally responsible for downtime if too high an access rate causes service degradation or an outage
Ah... well surely you've heard of people being prosecuted for denial of service attacks? Most recently, members of anon getting raided because they used LOIC? If you use a network in a way that is intended to degrade others' quality of service, even if you are just accessing things via normal protocols at a really high rate, you are breaking the law. In this case, it does not look like they are alleging that he intended to cause a service disruption, but they claim that he repeatedly circumvented measures that JSTOR put in place to halt his unauthorized activities, which caused service disruptions for other legitimate users and therefore denial of service.
I don't like the fact that just about any misbehavior on the internet becomes a federal case because the probability of no interstate resources being used is very low.
So is that why Comcast routes traffic to networks 30 miles away across three states and back?
This all hinges on what he was going to do with the documents. If he was looking to perform some large-scale analysis (such as he has done before) and publish the results academically, then this would fall under the academic mission of MIT, and therefore be legit. But if this were the case, why go through the hassle of hacking the system? Why not just ask JSTOR for cooperation? Or maybe he did, and they rejected it?
There has got to me more to this story, because I just can't for the life of me believe that he would download the documents to "free" them on internet (as is alleged).
“It’s even more strange because the alleged victim has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute,” Segal added.
JSTOR is being very vague about their role in this, so that might unfortunately be wrong about just how settled JSTOR considers things on their side. Their statement feels extremely carefully worded: http://about.jstor.org/news-events/news/jstor-statement-misu...
MIT (and the alleged disruption to other MIT JSTOR users' access) may also be relevant to the decision to charge.
My understanding is that MIT has a freewheeling attitude to information, but also deep organizational and funding links to national security institutions. So their hacker ethos might tell them to brush it off, while their federal relationships require them to take a tougher stance.
In terms of broader implications, I would actually have many fewer problems with MIT pressing straightforward trespassing charges. If he broke into a server room and messed with equipment there without the owner's permission, they could prosecute that under very ordinary state criminal law long predating the computer age.
It's the weird "stealing documents from JSTOR" federal case under the Computer Fraud and Abuse Act that's more worrying, because it's extremely vague what those kinds of charges can cover (in some interpretations, essentially any violation of a ToS).
Why the hell is MIT stashing information in closed systems in first place? I thought the idea (OCW etc.) was to enable more people to learn, participate and benefit from work of academics and researchers. Hell I even donate a few hundred bucks every now and then to OCW.
It is mind boggling how the supposedly smart people are not getting their heads out of their asses so late in a world frighteningly short on distribution of knowledge that can be effectively used to solve the wicked problems that are crippling it for so long.
We really need a global, openly accessible knowledge network and a platform where all eligible can contribute and collaborate to research at least when it comes to areas that impact human society at large - medicines, natural resources etc. It is hard otherwise to see how things like Cancer and Energy shortage can be tackled.
But is it clear that MIT does not also store its research papers in JSTOR instead of making them publicly available? Reading the article I did not get that impression.
While many researchers at MIT publish in journals that sometimes have restrictions on the distribution of their papers (exclusivity, etc.), most MIT publications are issued via:
1) DSpace http://dspace.mit.edu (an open publishing platform for academic material. Most all theses produced by MIT researchers can be accessed by the public here)
2) as an MIT technical report (mostly published via dspace)
Certainly, a huge number of MIT publications do end up being mirrored in JSTOR, but they are usually published via whatever journal or conference proceeding they are accepted to first. If an author cannot find a journal that is willing to publish their paper, then they will probably issue it as an MIT technical report.
Ok, that's actually useful information. I find MIT's approach fairly reasonable - may be all others should follow suit and JSTOR-like walls would not be necessary some day.
I donate to OCW as well (LOVE OCW) but I don't think any of this information is on a closed system. I believe JSTOR allowed all mit ip addresses access (for free) to every article in their system.
Aaron's downloads came from an MIT address to the JSTOR database.
I agree with you that knowledge needs to be more accessible, but this is not the method to achieve it.
323 comments
[ 3.2 ms ] story [ 287 ms ] thread"As Swartz entered the wiring closet, he held his bicycle helmet like a mask to shield his face, looking through ventilation holes in the helmet."
It is alleged that he signed up for guest accounts on their network with different laptops, changed his MAC address and re-registered if the IP he was using was blocked (by JSTOR) or cut off of the network (by MIT), and finally connected a laptop in a basement networking closet.
I guess you could say that is 'hacking' in the unauthorized access sense, but not in any meaningful sense. It isn't breaking and entering if someone repeatedly trespasses somewhere (say, banned from a store) even if they change their clothes to avoid detection.
How long until posting a negative comment to a blog is "unautorized access" to that blog? Gaining access was easy: all you had to do was type a comment and hit submit. But some Powers That Be decided they didn't really want you to post that, so now it's a federal computer crime.
Land of the free.
This case is currently winding its way through the courts, and will hopefully be overturned: http://volokh.com/2011/06/14/petition-for-rehearing-filed-in...
With only a few exceptions, persons accused of crimes are not presumed to have mens rea. Statutory rape, for instance, has "strict liability"; even if you don't know you're committing a crime, you're liable. Most criminal offenses are not like this. The state is required to establish mens rea.
A prosecutor could say that a ToS-infringing blog comment is a criminal violation, but unless that prosecutor can establish that the comment was made in purposeful, knowing, or reckless violation of the ToS, they'd be wasting their time.
As a side note, I think we all should be more careful with "omg, we're losing our freedoms!" comments. They're usually not as clever as they feel at the time, and have the dangerous property of inuring us to such claims.
1. This would allow all of those 'You agree that you are not a law enforcement official' B.S. 'terms of use' on warez servers to actually have teeth.
2. "If you are a {black,hispanic,gay,etc} person, you are not allowed to access my website."
Do any of these sound reasonable? I should hope not.
* How about that 'MySpace Hacking' case? From Wikipedia:
http://en.wikipedia.org/wiki/United_States_v._Lori_DrewSomebody runs a program to guess passwords until they find one that works. "Ah ha," they say, "I have a password, so my usage is now authorized." I don't think a judge or jury will buy that. Even if the password was easy to guess.
I believe that was SpikeGronim's point. Assuming the definition of unauthorized is legit, there's no such "it was too easy" defense. Or "I could do it, therefore I must have been allowed to do it."
It might not be breaking & entering, but it's still trespassing, which is a crime.
Jaywalking is murder! Well, it's still a crime...
23. The next day, October 9, 2010, Swartz used both the “ghost laptop” and the “ghost macbook” to systematically and rapidly access and download an extraordinary volume of articles from JSTOR. The pace was so fast that it brought down some of JSTOR’s computer servers.
Also mentioned is that Swartz used the network closet to take 2 IP addresses. Are we to infer he hooked up both laptops with an IP each? Or is the real scenario that he was using one laptop under 2 identities? (Not that impossible.)
They blocked his IP, they blocked his MAC, and he hid a machine in a wiring closet to get on MIT's network. What would he have to do to make it "meaningful"?
He was accused of using a guest network account on MIT, with a fake name, new MAC and IP, and throw-away email address. From there, he used a script to download lots of JSTOR documents.
This isn't the internet equivalent of "checking out too many library books". It's the internet equivalent of "checking out too many library books whilst wearing a false mustache".
There's a difference between wearing a dummy badge that says "I am Gary Host", a badge that incorrectly says "I am Bill Gates" (as that would be some kind of identity theft) and forging a passport in "Gary Host"'s name. What aaronsw did was far closer to the first.
Now, you could argue that scripts are power tools, and using them requires a higher standard of behavior. If you are driving a plane, giving dummy credentials over the radio is a lot more serious than a kid with a toy CV radio.
Even then, the dummy credentials didn't really cause any damage. The damage was done by the script itself. Even if he used his real name, the damage would have been done.
Changing a MAC address (on a device that you own and control) does not constitute hacking. It is as simple as ifconfig(8) and if you have a consumer router it probably has an option in the web interface to do it.
Also: nice going, Aaron! Drag research access into the 21st century, kicking and screaming!
Does anyone think it's odd that an Acer laptop could write these files to disk faster than JSTOR could serve them?
Nope. I bet the JSTOR servers are serving many concurrent requests. If he had the servers to himself then yes, that would be surprising.
It sounds like he was using the majority of their resources. But maybe those servers serve lots of places, and they only mentioned MIT as an example.
Why would that be odd? SATA = 3 Gbps throughput with minimal overhead, Ethernet = 1 Gbps with lots of overhead (IP headers, Ethernet headers, HTTP headers)
USB HD's top out about 200Mbit/s. JSTOR's RAID arrays should be able to drown his laptop without breaking a sweat.
Also, it's a lot easier to find the owner of a Amazon account (credit card) than a "ghost" laptop under a cardboard box in a closet.
Not at all. Writing to the hard drive is going to take much less time than downloading the articles from a remote server.
He is the author of numerous articles on a variety of topics, especially the corrupting influence of big money on institutions including nonprofits, the media, politics, and public opinion. In conjunction with Shireen Barday, he downloaded and analyzed 441,170 law review articles to determine the source of their funding; the results were published in the Stanford Law Review. From 2010-11, he researched these topics as a Fellow at the Harvard Ethics Center Lab on Institutional Corruption.
He has also assisted many other researchers in collecting and analyzing large data sets with theinfo.org. His landmark analysis of Wikipedia, Who Writes Wikipedia?, has been widely cited.
http://www.wired.com/threatlevel/2009/10/swartz-fbi/
This does not necessarily mean shovelling the articles out to file-sharing sites.
(I understand that you may not have intended to imply it. Just wanted to put that out there.)
So since we don't disagree on that: Do you think what he did is ethical?
edit: also, boston.com says he "is a fellow at Harvard’s University’s Center for Ethics". A quick google says that he was at least as of October 2010:
http://www.google.com/search?hl=en&q=swartz+ethics+fello...
"Do Ethicists Steal More Books?" is particularly tasty.
He may very well die in prison.
Or perhaps he will be forced to publicly recant and merely be forbidden from using computers. I hope that in the latter case he will have the good sense to emigrate.
One day, his tormentors will be harshly punished. Unless, of course, "the future is a boot stamping on a human face — forever."
"Keeping medicines from the bloodstreams of the sick; food from the bellies of the hungry; books from the hands of the uneducated; technology from the underdeveloped; and putting advocates of freedom in prisons. Intellectual property is to the 21st century what the slave trade was to the 16th."
(http://en.wikipedia.org/wiki/User:Lulu_of_the_Lotus-Eaters)
Can we be done with this thread? I know for a fact that I am not the only one who has flagged it. No good can come of this. In a likely worst case given who we're talking about, Aaron will be prodded into commenting publicly on a criminal case.
FLAGGED.
Nacht und Nebel.
What a "favor."
Do you really think that he will be invited to post incriminating comments here from his jail cell?
I will be surprised if he is allowed into an airport.
You are, however, free to believe that I was trolling. I can't stop you.
I invite the moderators to delete my account, if they believe that I am a troll. As things are, I merely refuse to go along with the herd-think on this site.
Murder is a genuine crime recognized by all nations. One accused of murder will find few people who are automatically sympathetic.
On the other hand, the "crime" Mr. Swartz is accused of would be seen as an entirely moral act by a great many people around the world, myself included. It is quite possible that if he were to board a plane, he could find a place where he would not only be able to continue in his line of work, but would be respected as a hero who flipped the finger at the Evil Empire and its fat rent-seeking parasites.
The prosecutor would be quite foolish to grant bail.
This is what I'm saying. The prosecutor does not make bail decisions. That's a decision for a presumably-neutral judge.
Physical detainment of someone accused of such crimes is hardly unheard of.
How do they know this? Has he said something to that effect?
--edited for formatting.
1. Wire fraud maxes out at 20 years outside of a presidentially-declared emergency. No fine cap, it seems. http://uscode.house.gov/download/pls/18C63.txt
2. Computer fraud under 1030(a)(4) caps out at 5 years with no prior offense, no fine cap. http://uscode.house.gov/download/pls/18C47.txt
3. 1030(a)(2), (c)(2)(B)(iii) looks to be another cap of 5 years. Ibid.
4. 1030(a)(5)(B), (c)(4)(A)(i)(I),(VI) looks like another cap of 5 years. Ibid.
IANAL, just trying my best to read the code itself.
In this case, the indictment alleges that the documents were stolen from JSTOR, which does not even own them! In the vast majority of cases JSTOR scanned documents whose copyright is owned by someone else, and acquired or was donated a non-exclusive license to distribute copies via its service. In many cases the documents are even public domain. The indictment continues the theft metaphor by discussing the effort and expense JSTOR incurred in scanning the documents, and the alleged attempt to render this less valuable by redistributing "its" documents, analogizing this to the loss someone suffers in a theft.
But effort expended to build a private repository consisting of copies of things you don't own doesn't give you ownership of the result, any more than Google Books doing the same has given them ownership of the documents that they've scanned. If you scraped Google and "stole" their scans, you would be violating Google's Terms of Service, and Google might indeed feel subjectively like you've taken something of value (their exclusive access to this repository of scans), but I think it would be a stretch to say that you've "stolen" "their" documents.
They charge >$50k/yr for access: " For a large research university, this annual subscription fee for JSTOR’s various collections of content can cost more than $50,000."
The real question is how much they charge individuals who want to get an article. My first google search (http://www.jstor.org/pss/27757488) results in $12/article. This is very steep when you're trying to do research and don't even know if the article is what you're looking for.
But seriously, $12/article is ludicrous. That must be way above cost recovery or they're not doing a very efficient job of running JSTOR. Perhaps the co-founder of Reddit would do a better job...
"Complete Current Scholarship Collection" for 22751.90 is a duplicate of all the things above it. So I think some of the entries have been double counted.
The real price for most libraries may about 1/2 or less of your estimate (they won't be interested in everything). And 20,000 to 40,000 is (well, shouldn't) be a lot of money for a public library.
That's the salary for a single employee! I would expect a library to have at least 5 employees, plus a budget to buy books.
Also I would expect a small library to have only a subset of the papers, and for serious research you would need to "go into the city".
I think you're thinking very much of US salaries. $40,000 a year shouldn't be a lot of money for a public library in the US, because it's the salary for a single employee (or the total costs for half an employee!), and the wonderful public library system in the US does indeed have multiple libraries. But world GDP per person is about US$10k per year, compared to the US's US$47k — and the bulk of that GDP comes from a few rich countries with only a small fraction of the population. An average country is something like Jamaica, Thailand, or the Dominican Republic, where the per-capita GDP is something like US$8.8k.
So US$40k per year is the salary for almost five employees. Except that within Jamaica or Thailand (or, to a lesser extent, the US) the median salary is much lower. And it's probably not the prime minister's niece who's working the librarian job. So maybe it's more like eight to ten employees.
So, yeah, most libraries — even measured numerically, but especially measured by the number of people who rely on them — are a lot poorer than what you're used to.
I haven't checked yet to see if the National Library here in Buenos Aires has JSTOR access.
BTW, if you really do need JSTOR, it's not hard to find a library card number from a US library and use that for access anywhere. (Well, I don't know JSTOR specifically, but all the other databases I've used from my library are available to me at home after I put in my library card number.)
For what it's worth, I was using their web site from my house here in Argentina, which is usually classified as a "middle-income country," but where you can hire a full-time employee illegally for US$4000 per year.
The only thing that seems to change the price is the organization type.
My point was: your argument seems to be based on refuting the argument that the JSTOR subscription is not expensive for the average library because it is only about one yearly salary of the average rank-and-file employee, by saying that that only holds for the libraries in the US (maybe some parts of Europe, but let's say the US for the sake of this argument), and that in many other countries salaries are lower and therefor the relative cost of a JSTOR subscription higher.
So, my (perhaps naive) interpretation of this is that your ulterior argument is that JSTOR is too expensive for many libraries outside of the US, and that they therefore don't have access to its contents.
I further deduce from that, from the context in which you bring it up, is that you don't find it a problem that people take the content from JSTOR and redistribute it to people who don't have easy access to libraries who do have a subscription. Now I'll grant that this is a fairly big leap to make, and maybe you're not holding that position; but within the given context (of people arguing pro and con the actions of the Reddit guy what's-his-name), I think it's not unreasonable of me to assume so, either.
So, to close the circle, my 'question' was (but of course it is a 'question' that is, in the end, a way of stating my position in the discussion...) if it is reasonable to hold that when something is too expensive for people, it is OK to circumvent the rights holders' restrictions on the use of something. (I'm deliberately being vague on issues like 'moral ought' vs 'legal ought', if JSTOR really has a common-law variation of a database right on their collection, jurisdiction etc. - I don't really think they're important for the question at hand).
It does own its archive. They just may not own the exclusive copyright to the contents of the archive... there is a subtle distinction.
They do own the right to the composition of their collection, so someone who got the whole collection would be liable to infringing their right on the composition of the collection; in contrast, a random sample of articles would infringe on the publishers' IP rights rather than J-STOR's.
The subtle point is that J-STOR is absolutely not interested in the original copyright owners having to hunt down abusers, because that would (in all likelihood) appear like an additional, avoidable hassle to the latter and would make them less likely to agree to have J-STOR distribute their content. [edit: apparently it's the US Attorney General more than J-STOR who is pushing this case forward]
In comparison: if someone sneaks into a cinema to see a movie, you would accuse him of cheating them of the entrance fee, and not of "stealing the movie". If someone sneaks into a cinema and uses his camcorder to record the movie, he is cheating the movie theater of the entrance fee and misappropriating the production company's movie (with the suspicion that he might pirate it later), but he did not steal the movie from the theater. That would involve something like walking away with the movie theater's copy of the movie, which would fulfill the criterion that what's stolen is not there afterwards.
Misappropriation of IP is not stealing. It's unauthorized copying - that certainly has the potential to harm the bottomline of the copyright owner, but with an impact that is much harder to quantify than the stealing of an actual physical thing.
IP owners and friends of them who use the word 'stealing' want to frame the situation in such a way that appeal to the nonexistence of monetary loss is excluded - mostly because these same owners are investors in, and not creators of, the IP and do not have any other perspective than squeezing whatever value they can out of their investment.
(The authors of the original articles probably couldn't care less about some punk illegally downloading their texts, because they don't see any money from it anyways).
This was the point I was trying to make.
They own their database, even if they don't own the articles in it. The GP poster was trying to claim that they didn't "own their archive".
Is this a right recognized under US law?
http://www.copyright.gov/docs/regstat092303.html
Excerpt: In the terminology of the copyright law, a database is a “compilation.” The Copyright Act defines a compilation as “a work formed by the collection and assembling of preexisting materials or of data....” (1) Compilations were protected as “books” as early as the Copyright Act of 1790.
(a) The subject matter of copyright as specified by section 102 includes compilations and derivative works, but protection for a work employing preexisting material in which copyright subsists does not extend to any part of the work in which such material has been used unlawfully.
(b) The copyright in a compilation or derivative work extends only to the material contributed by the author of such work, as distinguished from the preexisting material employed in the work, and does not imply any exclusive right in the preexisting material. The copyright in such work is independent of, and does not affect or enlarge the scope, duration, ownership, or subsistence of, any copyright protection in the preexisting material.
http://www.copyright.gov/title17/92chap1.html#103
Your use of the JSTOR archive indicates your acceptance of JSTOR's Terms and Conditions of Use, available at .http://www.jstor.org/page/info/about/policies/terms.jsp. JSTOR's Terms and Conditions of Use provides, in part, that unlessyou have obtained prior permission, you may not download an entire issue of a journal or multiple copies of articles, and you may use content in the JSTOR archive only for your personal, non-commercial use.
Please contact the publisher regarding any further use of this work. Publisher contact information may be obtained at .http://www.jstor.org/action/showPublisher?publisherCode=hyi.
Each copy of any part of a JSTOR transmission must contain the same copyright notice that appears on the screen or printed page of such transmission. JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship.
I didn't know this. It's as if the New York Times told paid subscribers they can only read 90% of any one issue.
Compilation copyright only applies to compilations where some creativity is employed in selecting the items to be included. There is no "sweat of the brow" database right under US law. JSTOR almost certainly does not have a compilation copyright on their collection, since any creativity being employed in selection is being employed by the journals they archive, not JSTOR employees.
At any rate, the indictment does not include any charges of copyright infringement.
In any case, my intention was not to signal my support for one of two predefined sides in a battle over the concept of intellectual property, it was just to point out stealing "from" doesn't have to have the meaning you read into it.
My point is not that the government is correct or morally justified in bringing this indictment, but that getting hung up on terminology like this obscures the legally problematic issue of having (allegedly) bypassed the security systems to download material he was not supposed to have access to, regardless of who actually owns said material.
(2) If the outrage is supposed to be about bypassing security systems, why is the government hung up on the "theft" terminology? Especially when JSTOR, the party arguably injured (in some way not specified), has asked the government not to prosecute?
No, this is clearly a convenient way to get a politically inconvenient person labeled a felon.
2. The government is not hung up on the 'theft' terminology. The words 'steal' or 'stole' only appear three times in the 15 page indictment and the actual offenses he is charged with are wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer.
if it's theft of service why measure it on number of works?
it's like accusing you of using your neighbour wifi to steal over one thousand emails (which you read from your own email account)
In the same lines that if someone break into a car-wash and use 5min of their water, he will hardly be convicted of organized crime and causing damages over $300 (because that's what they charge for the premium wash)... why it's so messed up when you put a computer in the middle?
If I make a painting, I own the copyright. If you take a picture of said painting, you own the copyright on the picture. If someone makes a collage of your picture they own the copyright on the collage. Both of you are liable for copyright infringement against my rights, but this is independent of your own rights as described above.
This is not a legal advice, talk to a lawyer.
What if someone hacked into Netflix and downloaded copies of all of the media that Netflix offered?
Surprisingly, it sometimes does in the EU: http://en.wikipedia.org/wiki/Database_right
http://www.aaronsw.com/weblog/updates
It doesn't seem directly related but still curious.
Paragraph 35 & 36: which "protected computer" on MIT's network did he access? Certainly they're not trying to claim his laptop was a protected computer? Are they talking about the DHCP server or whatever registration frontend MIT has for the DHCP assignments? I have trouble with the concept that a violation of a computer use agreement (when there are no operative security barriers in place) constitutes a violation of the computer fraud and abuse act. Then again, I've always thought that act was vague and therefore overbroad.
Obviously what he did was bad in some sense (at least from the perspective of JSTOR and MIT), but even if it should be a crime rather than a civil dispute or internal disciplinary action at MIT, I don't like the fact that just about any misbehavior on the internet becomes a federal case because the probability of no interstate resources being used is very low.
Finally, I take issue with the notion that someone who is accessing a service through a public interface is criminally responsible for downtime if too high an access rate causes service degradation or an outage. The claims that JSTOR's servers were overloaded and (one?) even went down at some point are clearly there to set up a later claim of damages. Haven't they heard of rate limiting (in this case, since it was a rogue laptop stashed in a data closet, rate limiting by IP)? That wouldn't work against a concerted denial of service attack, but this was no denial of service attack. JSTOR seems to have been relying on manual intervention to stop article leeching that could lead to a (partial) outage. That's naive, and not a good idea.
I don't know... Even if my front door was open, you still aren't allowed to enter my house without my permission.
You're right that (as alleged), this would be an obvious attempt to circumvent access controls.
Given the way things are worded, I'm guessing that the MIT computer that was improperly accessed was a router or switch. Hell, just plugging into the switch directly could be construed as unapproved access to a computer device. I think the Federal law treats anything with a processor a computer.
And with respect to the comment about "this way please", and the "actively configuring my device", please note that the client initiates the DHCP conversation with a Discovery message.
Note that the DHCP DiscoveryI would not advise that you try that in many parts of the US. You'll be risking getting shot, and the homeowner would not have committed a crime.
The procedure as I understand it is:
* Prosecutor assembles evidence, writes indictment.
* Prosecutor presents evidence to Grand Jury. This may include witnesses or documents.
* Grand Jury votes on if there is enough there to approve indictment
If they've got a computer crimes division, then they're going to have hacker types in the prosecutor's office to do this stuff and get the details right.
The indictment is going to be the most slam dunk part of the evidence that there is, as it's written by the prosecutor and there's no counter to it. If it doesn't look airtight, then it's probably a very weak case.
Though, looking at it here, It's not looking very good for aaronsw. The combination of mac address spoofing and a locked wiring cabinet show physical and electronic security that was bypassed, repeatedly. That's easy to explain to a jury.
I'm guessing MIT had a hand in penning it, or at least provided someone who could easily explain the relevant material to the DA/Grand Jury.
Ah... well surely you've heard of people being prosecuted for denial of service attacks? Most recently, members of anon getting raided because they used LOIC? If you use a network in a way that is intended to degrade others' quality of service, even if you are just accessing things via normal protocols at a really high rate, you are breaking the law. In this case, it does not look like they are alleging that he intended to cause a service disruption, but they claim that he repeatedly circumvented measures that JSTOR put in place to halt his unauthorized activities, which caused service disruptions for other legitimate users and therefore denial of service.
So is that why Comcast routes traffic to networks 30 miles away across three states and back?
There has got to me more to this story, because I just can't for the life of me believe that he would download the documents to "free" them on internet (as is alleged).
“It’s even more strange because the alleged victim has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute,” Segal added.
Nowhere do they say he did not do it however.
cached: http://webcache.googleusercontent.com/search?q=cache:http://...
My understanding is that MIT has a freewheeling attitude to information, but also deep organizational and funding links to national security institutions. So their hacker ethos might tell them to brush it off, while their federal relationships require them to take a tougher stance.
It's the weird "stealing documents from JSTOR" federal case under the Computer Fraud and Abuse Act that's more worrying, because it's extremely vague what those kinds of charges can cover (in some interpretations, essentially any violation of a ToS).
http://google.com/search?q=cache%3Ahttp%3A%2F%2Fweb.mit.edu%...
It is mind boggling how the supposedly smart people are not getting their heads out of their asses so late in a world frighteningly short on distribution of knowledge that can be effectively used to solve the wicked problems that are crippling it for so long.
We really need a global, openly accessible knowledge network and a platform where all eligible can contribute and collaborate to research at least when it comes to areas that impact human society at large - medicines, natural resources etc. It is hard otherwise to see how things like Cancer and Energy shortage can be tackled.
1) DSpace http://dspace.mit.edu (an open publishing platform for academic material. Most all theses produced by MIT researchers can be accessed by the public here)
2) as an MIT technical report (mostly published via dspace)
3) as an MIT "Working Paper"
You can find more information here: http://libraries.mit.edu/docs/research-publications.html
Certainly, a huge number of MIT publications do end up being mirrored in JSTOR, but they are usually published via whatever journal or conference proceeding they are accepted to first. If an author cannot find a journal that is willing to publish their paper, then they will probably issue it as an MIT technical report.
Aaron's downloads came from an MIT address to the JSTOR database.
I agree with you that knowledge needs to be more accessible, but this is not the method to achieve it.