Bunny Bytes: Hacktivism & the CFAA

What is Hacktivism?

Hacktivism is exactly what it sounds like: Activism via Computer Hacking. Hacktivists express their disdain for social or political issues in a number of ways, some more harmful than others. One of the most well known hacktivist groups of the twenty-first century is Anonymous; a self-identified legion of faceless hackers who band together through online networks to launch various cyber attacks, with no specific centralized political or social goal. Another popular hacktivist of the moment is Alexandra Elbakyan, a graduate student and scientific researcher from Kazakhstan. Alexandra has made more than 50 million stolen scientific research articles available on her website, Sci-Hub. Despite reoccurring injunctions against the website, Alexandra has found ways to keep the project going. Her hacktivist goal is “to remove all barriers in the way of science” by “provid[ing] mass & public access to research papers.” Alexandra’s efforts sound hauntingly familiar to another hacktivist whose name is frequently associated with the CFAA: Aaron Swartz.

Who is was Aaron Swartz?

Aaron Swartz was a gifted computer programmer who made several contributions to the

modern Internet experience, including his work to help create RSS and the popular website Reddit. Aaron was also an outspoken activist, openly rallying against political issues such as the proposed Stop Online Piracy Act (SOPA), and was passionate about open access to all scholarship. Unfortunately, Aaron committed suicide on January 11, 2013, at the age of 26. Although no suicide note was found, his death occurred amidst felony charges from the U.S. Attorney after Swartz had downloaded 4.8 million articles from JSTOR, the academic online journal database, utilizing the MIT network.

United States v. Aaron Swartz

While Aaron was a research fellow at Harvard’s Safra Research Lab on Institutional Corruption, he made numerous trips to the MIT campus and used the university’s JSTOR subscription to download mass amounts of journal articles. Over the span of five months, Aaron managed to download approximately 4.8 million articles, accounting for 80% of JSTOR’s total catalog. It is important to note that JSTOR is not a free service, and access to the database requires an extremely expensive annual subscription fee that academic institutions pay for the benefit of their students and faculty.

It did not take long for both MIT and JSTOR to notice the unusual activity and take measures to block the overwhelming amounts of downloads. From the beginning, Aaron used fake names and disposable email accounts when he engaged in the JSTOR downloading scheme to shield his identity. The large amount of files being siphoned from JSTOR’s servers was not only a red flag of nefarious behavior, but the overwhelming activity frequently caused the JSTOR servers to crash. Both MIT and JSTOR repeatedly blocked Aaron’s MAC address, so Aaron programmed his laptop to repeatedly spoof its own MAC address. In simpler terms, Aaron’s computer would identify itself by a false identification number, and when that number was flagged and blocked by the servers, his computer would generate a new false identification number to continue accessing the servers.

At one point, Aaron had connected two different laptops directly to MIT’s servers, which were located inside closets on the campus, and left them there with additional external hard drives to continuously download the articles from JSTOR. Apparently the hack had become so unwieldy that the FBI had been brought in to investigate. Eventually, MIT was able to track down the location of one of the laptops and installed a camera in the closet to catch the perpetrator upon his return. A couple of days after Aaron was caught on tape, he was arrested by MIT’s campus police and a U.S. Secret Service agent.

Ultimately, both MIT and JSTOR settled out of court with Aaron in exchange for return of the pilfered documents. The U.S. Government, however, pursued felony criminal charges against him, with 11 violations of the CFAA, carrying a maximum penalty of $1 million and 35 years imprisonment.

Were the CFAA charges against Aaron Swartz justified?

There is little dispute that Aaron Swartz violated the CFAA. He knowingly and intentionally downloaded information from JSTOR’s servers despite repeated attempts to block his activity and deny him access. Although there is no absolute proof, it is widely speculated that Aaron intended to distribute these articles to the public in conjunction with his other open source projects. Even legal scholar and cyber-crime expert Orin Kerr concedes: “I think it’s pretty clear that Swartz exceeded his authorized access here.

Three years prior to his hack on JSTOR’s servers, Aaron performed a similar hack on the Public Access to Court Electronic Records (PACER) website, downloading 20% of the website’s total content of court documents within a single month that Aaron was granted a free trial subscription. The government ran website did not detect Aaron’s activity until he had downloaded 2.7 million documents. Aaron then gave the files to Carl Malamud, founder of Public.Resource.org—a non-profit that intends to make all government records available to the public. After the FBI investigated the PACER incident for two months, no charges were brought against Aaron.

As previously stated, both JSTOR and MIT dropped their civil charges against Aaron and settled out of court. In their own words, “the harm to JSTOR was limited.” However, the Justice Department still felt compelled to prosecute Aaron. He declined a plea deal of four months imprisonment, hoping to avoid being labeled as a felon for the rest of his days. The alternative was to fight the validity of the charges in court, and the potential of 35 years of prison hung over Aaron’s head. Orin Kerr points out that “such a [lengthy] sentence was never a realistic possibility.” Thirty-five years emphasizes the potential maximum punishment prescribed by the accumulative charges that Aaron faced under the CFAA, but realistically a judge would have had the ultimate discretion. Kerr speculates that “Swartz could have faced anything from probation to a few years in jail depending on the valuation question and what punishment the judge thought was appropriate.

If your reaction to this assessment causes you to think that Aaron Swartz should have sucked it up and taken the few months in prison, I suggest that you put yourself in his shoes for a moment and realize that Aaron faced the most serious classification of criminal offenses. A felony conviction carries not only an array of restrictions on civil liberties, but also a significant social stigma that often lasts a lifetime. In my mind, the real question regarding Hacktivists and the CFAA is not whether the punishment fits the crime, but a deeper inquiry that we should make as a society into the legitimacy of felony convictions for non-violent crimes.




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s