Blog Ipsa Loquitur

The Awl has a piece on the Aaron Swartz saga that I genuinely like, but has a few paragraphs that deserve some clarification.

It’s been widely asserted that Swartz intended to distribute the material he downloaded from JSTOR to the public, e.g. by posting the lot onto a file-sharing site like The Pirate Bay. And it’s no wonder that people are saying this, because the government’s indictment alleges it directly, but the indictment provides not a single shred of evidence to support these claims.

An explanation of criminal procedure would be helpful here. A grand jury only indicts someone for a crime after hearing evidence of the defendant’s guilt. The contents of the indictment do not represent the sum total of the evidence against the defendant; it represents the suspicions of the grand jury after having heard evidence against the defendant. The indictment’s allowed to be sparse.

I agree entirely with the ridicule of the U.S. Attorney Ortiz’s platitudes on stealing. Swartz wasn’t stealing, no matter how you slice it. Heck, he’s not even being charged with copyright infringement, which is usually what folks conflate with stealing. Neither hacking nor copying is stealing.

on pressing charges

The Awl article muses about why Swartz is still in hot water, as JSTOR doesn’t want to press charges. Pressing charges is something that happens on TV; that JSTOR and Swartz have kissed and made up already does not make Swartz a free man. In real life, when you’re a victim of a crime, you call the police. The police take your statement, write a report of their investigation, and ask you to sign a complaint – this is usually what folks mean by “pressing charges.” Obviously, the police can turn their report over to the local District Attorney’s office regardless of whether the victim signs a complaint. How else would anyone ever get charged for murder?

For federal crimes, it’s a little different. But take that last paragraph, replace “police” with “FBI/DEA/etc” and District Attorney with U.S. Attorney, and you have a reasonably accurate description of how federal crimes get prosecuted. The FBI doesn’t really go around asking if you’d like to press charges, generally because there are no low-stakes federal crimes.

Again, JSTOR doesn’t want to press charges, but they’re not involved in the trial. Criminal cases are between the government and the defendant. On the other hand, civil cases are between two private parties who are encouraged to settle out of court.

That being said, The Awl is absolutely correct about why the government is so interested in this relatively middling case; one of the reasons Swartz is being charged for this (even though the parties involved don’t seem to really care all that much) is that Swartz has been an agitator for years. I’m personally a fan of his work in liberating the PACER library, but he didn’t exactly endear himself to federal authorities with his quixotic work.

However, It should go without saying that prosecuting for X because you’re mad that you couldn’t prosecute for Y is not a terribly sound strategy.

on free

I sincerely love this next quote from The Awl:

But the worst misapprehension in Maxwell’s remarks is his total misunderstanding of what public domain really means. Shakespeare is “part of the shared heritage of all mankind,” too, but does that mean you can march into a Barnes & Noble and take any copy of Shakespeare that you want out of there for free? No! You have to pay Barnes & Noble and Penguin Classics or whomever for making it available to you in a form you can use, in this case a book. To fail to appreciate this point is to weaken the argument for open access by depriving it of clarity and focus.

For context, one of Swartz’s fans by the name of Maxwell uploaded 33GB of public domain documents to a file-sharing site, in the name of giving the “shared heritage of all mankind” back to its rightful owners (us) for the right price (free). This of course confuses the price you pay for the public domain content with the price you pay for accessing the public domain content.

Sure, the information is like totally free, man; but the computers that host 33GB of scanned PDFs isn’t free; the internet connection for a frillion Gb of bandwidth a month isn’t free; the electricity that keeps all those computers computing and routers routing isn’t free; the salaries of the IT folks that keep all those computers computing aren’t free.

Maxwell’s almost certainly aware of this. His response, I imagine, is something like the following. Great news for JSTOR – we can save them tons of money every month. If the public mirrors the public domain files and makes them available on peer to peer networks, we can eliminate the need for servers, industrial levels of bandwidth, and so on. Of course, the computing power required to search 33GB of non-OCR’d PDFs is nothing to sneeze at.

The Awl makes the point that the various efforts to collate, compile, and make searchable all the public domain documents are the services for which the price is charged, not the public domain documents themselves. If Maxwell had transcribed these 33GB of public domain documents himself, well, he’d have invented Project Gutenberg.

on crimes

This one is less good:

Swartz is being charged with hacker crimes, not copyright-infringement crimes, because he didn’t actually distribute any documents, plus JSTOR didn’t even want him prosecuted.

Really? For the record, you don’t have to distribute an illegal copy of something to be guilty of copyright infringement. Again, what JSTOR wants doesn’t really enter into this picture. Swartz is being charged with hacker crimes because he did things to MIT’s and JSTOR’s networks that he wasn’t supposed to do. The Philadelphia trial lawyer has a lot more experience in the legal field than I do, but I don’t think that’s why his logic is beyond me. He writes:

JSTOR already settled their claims with him. What more needs to be done here? The “criminal violation” here arises not from any social duty — like, you know, our society’s communal prohibition on murder — but rather from Swartz “exceeding the authorization” imposed by JSTOR on its servers.

I’m not sure how to take that. Only crimes as serious as murder deserve prosecution? Only crimes forbidden in ancient times deserve prosecution today? Computer crimes are silly and there ought not to be any laws governing hacking? I must presume that if the Ten Commandments had forbidden computer hacking, I wouldn’t having written this sarcastic paragraph. There’s no serious doubt that hacking is less serious than murder, but again, you don’t get off the hook for federal crimes because you managed to get a pardon from your victim.

not for sale

On the other hand, the bit about wire-defrauding JSTOR by agreeing to the terms while intending to defy them is spot on. Again, like the MySpace case, common sense seems to require we don’t make a federal crime out of clicking “I Agree” to a EULA when we don’t actually agree. I like the bit about the pecuniary gain – while I think I can imagine cases where it’s possible to commit fraud without pecuniary gain, for the purposes of EULA-based wire fraud, I’m more comfortable with a pecuniary requirement. Not that Congress or the federal judiciary consults me, but it seems like the right result.

The latter half of the article veers off into discussing the wire fraud charge, and dissecting whether or not Swartz intended to make money off his JSTOR downloads. This is a good excuse for the warm and fuzzy bits about how Swartz is a nice guy. I believe he is; he spoke at my law school and talked about his career as an activist – the photo of him and Lessig is just icing on the gravy, as far as I’m concerned. Swartz has the pedigree. I’m sure he wasn’t trying to make money.

But really, the wire fraud charge is one of the weakest ones in the indictment. It’s the hacking charges that I think he’s really screwed on. All that sneaking around MIT and breaking into their server closets puts him in a rough spot, which I’ve gone on about at length before.

Filed on under Legal Theory

The FOSS Patents blog has a great post on the newest development continuing litigation between Oracle and Google. Google’s Android operating system allegedly includes code from Oracle’s Java platform, and Oracle has sued Google for copyright infringement. Google says that they really only copied Java’s APIs, and functional processes aren’t copyrightable; just the idiosyncratic code you wrote that accomplishes that function.

I don’t want to cover the entire course of the litigation here, just an email from one of Google’s engineers, Tim Lindholm in 2010:

“What we’ve actually been asked to do (by Larry and Sergey) is to investigate what technical alternatives exist to Java for Android and Chrome. We’ve been over a bunch of these, and think they all suck. We conclude that we need to negotiate a license for Java under the terms we need.”

While I’ve seen this quote making the rounds as more or less definitive proof of Google’s guilt, I think it’s a bad idea to read too much into this. First, this is an engineer, not a lawyer, talking about the feasibility of dropping Java from Android after five years of development. In his engineer opinion, he thinks Android should still use Java. He uses the phrase “negotiate a license” because he’s presumably not stupid enough to use “infringe the copyrights” instead. (Faint praise, indeed.)

Second, this Lindholm email doesn’t actually prove any copying one way or another; this statement is really meant for a jury trial. Specifically, this email lets a jury find that Google ignored basic IP rights and took what they wanted; I’m certain Oracle’s lawyers will wave this email about to show a jury that Google knew they were infringing and they were trying to bail out of the trouble schooner S.S. Java on the eve of trial. So Google and Oracle are going to do some furious lawyering back and forth over this, not to prove the case, but to increase the size of a potential judgment.

but wait there’s more

FOSS Patents very astutely points out that it’s even worse for Google than just one incriminating-ish email. Back in 2005, when Android was still in development, (and before dropping Java from Android would have undone five years of work,) one of the founders of Android wrote an email similar in tone:

In that one, [Android founder Andy] Rubin outlined two options, the second one of which was apparently chosen: it amounted to going ahead with Java on an unlicensed basis, despite being fully aware of the risk of blowback at a later point in time (“Do Java anyway and defend our decision, perhaps making enemies along the way”).

You can read the second email in its entirety here. Again, this doesn’t demonstrate copying. It does show that they were aware they didn’t have licenses, but there are lots of reasons to not have licenses – probably the best one is that you didn’t take any copyrighted code. Again, this is really meant to increase the stakes for Google: Oracle isn’t proving infringement here, they’re just proving willfulness.

because i can’t resist

As for the merits of the copyright claim, Oracle is in a silly spot. To gloss over many of the important technical details, the Android OS doesn’t run Java; it runs special Java-compatible programs in a special Android-only way (called “Dalvik”). Oracle tells everyone how to write Java programs – it would be the world’s least successful programming language if it were secret and no one was allowed to use it. Oracle lets anyone make use of the Java APIs, but when Google starts shipping millions of Android devices running computer programs written to use some Java APIs, they start to wonder if it ought to be allowed on Dalvik at all.

If Oracle had only made Java a little less friendly for developers (if you write Java programs, you run them with Java, not with Dalvik! Now buy a license for that, thanks!), they could be rich. Or, more likely, Android would have been built from the ground up to use a more developer-friendly language.

So Oracle has an army of next-generation programmers learning to write in Java for Android and Dalvik, and their solution isn’t to court these young enthusiasts, but rather to try to extort the guys that make the phones? That strikes me as immensely short-sighted.

Filed on under Legal Theory

During a ten-minute phone call to an audience gathered in the parking lot of a Pizza Ranch restaurant in Newton, IA, Republican presidential hopeful Michele Bachmann vowed to vote against the debt deal, NBC’s Jamie Novogrod says. A crowd of about 25 people stood under a tent in noon heat. Bachmann apologized for not being there in person. She urged her audience to drink water, and explained she had returned to Washington for the vote.

“Let me ask you this question. Raise your hand. Do you want me to vote ‘no’ on raising the debt ceiling?” she said. After a pause, several people raised their hands. “I can’t see the results,” Bachmann said, “but if the show of hands is anything like the rest of the country,” Bachmann said, “it is a very strong ‘no.

This literally happened; I get the impression Bill Maher’s going to have fun with that one.

Filed on under The News

Noted internet activist Aaron Swartz has been indicted on a number of federal crimes, and I thought it would be fun to run through the accusations against him, to preview what the trial looks like. In a subsequent post, I’ll discuss the actual charges and how screwed Swartz is. MIT has a copy of the indictment in PDF form, which is probably ironic, but prolonged exposure to Brooklyn has rendered me incapable of detecting irony anymore.

Very briefly, a non-profit called JSTOR has spent a lot of money buying tons of academic journals every month. They charge universities (and by extension, the students of said universities) as much as $50,000 a year for Netflix-style access to the JSTOR library. JSTOR also allow purchase of individual articles, at the publishers’ option.

Aaron Swartz has been accused by a federal grand jury of writing a computer program to download millions of JSTOR’s articles, and tampering with MIT’s network to do it. He’s been charged with a number of federal anti-hacking crimes, which I’ll cover in a separate post. Today, I just want to go over the indictment.

One last thing: as a nerd reading this indictment, I can’t help but notice areas where MIT is awfully inept. I’ll be keeping a scorecard through this post: sketchy things Swartz did, and inept things MIT did. These aren’t legal standards (doing something “sketchy” is definitely not a federal crime), but keeping score in these terms will be helpful in piecing together the overall narrative of the indictment; “Swartz deliberately crossed the line over and over again.”

Federal Anti-Hacking Law

Paragraph 8 mentions that “MIT also allowed guests of the Institute to have the same access as its students, faculty, and employees for short periods of time while they were on campus.” This is important, because Swartz plugged a computer into the MIT network for days at a time, and one of the key elements to most of the charges is “unauthorized access” – that Swartz exceeded his authority in accessing MIT’s network, and through it, JSTOR’s.

This is because the crimes he’s charged with forbid unauthorized access of a computer [when x happens after y and z, etc]. Over and over, the indictment makes the case that ‘Swartz understood that MIT and JSTOR wanted him to knock off the downloading; he used his technical expertise to access the networks against the wishes of MIT and JSTOR.’

In that same vein, paragraph 9 reads:

JSTOR’s computers were located outside the Commonwealth of Massachusetts, and thus any communications between JSTOR’s computers and MIT’s computers in Massachusetts crossed state boundaries. JSTOR’s computers were also used in and affected interstate and foreign commerce.

This tracks the language of the Computer Fraud & Abuse Act’s definition of Protected Computer in 18 U.S.C. 1030 (e)(2). Virtually every computer (and most cell phones) fits this definition by now, but it’s one of those things that still has to be recited. Don’t read too much into the “commerce” bit; when the CFAA was passed into law in 1986, the Internet wasn’t quite as ubiquotous as it is 25 years on. Most anything connected to the internet is used in interstate commerce these days.

I think this is a silly paragraph with which to take exception with the indictment. The New Yorker, however, thinks this is the part of the CFAA that courts have struggled to define. Longtime readers of Barely Legally will recall that it’s not “interstate commerce” that has been expansively defined, it’s “unauthorized access” – a good example is my first post on the Lori Drew case. Again, the narrative is ‘Swartz knew he was supposed to stop, but he kept pushing,’ not ‘MIT’s network is used in interstate commerce.’

Anyway, on to the good stuff.

Trapped in the Closet

Right off the bat, Paragraph 11a accuses Swartz of “breaking into a restricted computer wiring closet at MIT,” and 11b says he plugged directly into an internal network switch [instead of into one of the plugs in the library]. I’m struck by the bit about the closet; the indictment drops that accusation quickly, and moves along. If Swartz had actually picked a lock or something, it would certainly would have been mentioned. As it is, it seems like MIT forgot to lock their expensive network bits up.

For those that aren't giant nerds like me, a network switch is kind of like a power strip, but for networks. So if you have a lot of things to plug in all over a campus, you can plug switches into switches, kind of like how [Uncle Clark]( plugs power strips into power strips every Christmas to wire the entire house with festive lights.

As I said, this indictment is full of things that Swartz did that seem pretty sketchy, and things that MIT did that seem pretty inept. Do note that regardless of whether or not MIT locked the closet with its expensive network bits, “breaking into” opening and walking through a door without permission. This one ends up a push. 

Swartz: 1, MIT: 1.

With Intent To Harvest

Paragraph 13 accuses Swartz of buying an Acer laptop “with the intent of using it to automatically and systematically harvest JSTOR’s archive of digitized journal articles.” Swartz plugged the laptop in the closet and registered it under the name “Gary Host” - Swartz/Mr. Host combined his first initial with his last name to designate the laptop “Ghost Laptop.” Swartz/Mr. G. Host also provided a fake email address. I don’t think it’s a stretch to think that he’s trying to hide something already. 

Swartz: 2, MIT: 1.

Swartz then ran a program from his laptop within MIT that automated the process of downloading as many articles from JSTOR as possible; the indictment says this program was “designed to sidestep or confuse JSTOR’s efforts to prevent this behavior.” This phrase comes up a few times, but the indictment never explains exactly how this program sidestepped or confused anyone.

Beginning with paragraph 18, the indictment explains the game of cat and mouse that Swartz, MIT, and JSTOR played to keep the former’s laptop(s) off the latter’s network(s).

September 2010:

  • September 24, Swartz installs an Acer laptop in the MIT storage closet.
  • September 25, Swartz downloads “an extraordinary volume of articles from JSTOR.”
  • September 25, JSTOR blocks the Acer laptop’s IP address.
  • September 26, Swartz obtains a new IP address from the MIT network.
  • September 26, JSTOR blocks the Acer laptop’s new IP address.
  • September 26, JSTOR also blocks the entire octet of IP addresses of 18.55.6.*, which knocks 255 legitimate MIT users off JSTOR. This ban lasts for three days.
  • September 27, JSTOR notifies MIT that someone is downloading tons of articles using MIT’s network. MIT blocks the Acer laptop’s MAC address. (Despite what the indictment says, a laptop’s MAC address is absurdly easy to change.)

This is a lot to unpack so far. Crawling the JSTOR web site and downloading everything you find is quite specifically forbidden in the JSTOR Terms and Conditions of Use, under 2.2(f). That raises our scorecard of sketchy things to Swartz: 3, MIT: 1. When JSTOR blocks the Acer laptop’s IP address, Swartz just requests a new IP address from MIT and carries on. 

Swartz: 4, MIT: 1.

MIT apparently only figures out there’s a problem when JSTOR bans Swartz’s laptop along with 255 others at MIT. Then, MIT bans the Acer laptop’s MAC address. (An IP address indicates a computer’s location on a network. The MAC address is like a serial number that uniquely identifies a device.) I don’t think it’s fair to say that’s as inept as leaving server closets unlocked, because it’s not necessarily a knock against MIT that they don’t police JSTOR’s network for them.

October 2010:

  • October 2, Swartz changes the Acer laptop’s MAC address and gets a new IP address.
  • October 8, Swartz connects an Apple laptop to MIT’s network under the name Grace Host, calling it “ghost macbook” with another fake email.
  • October 9, Swartz uses both laptops in concert to download so many articles that some of JSTOR’s servers go down.
  • October 9, JSTOR blocks the entire MIT network from access to JSTOR’s network, “for several days.”

After Swartz changes the MAC address on his Acer laptop, adds a second laptop to MIT’s network, and accidentally brings down parts of JSTOR’s network, I have it as Swartz: 5, MIT: 1. I’d like to think that at some point in all this, MIT would have been more aggressive in kicking Gary and Grace Host off the network. I don’t know what MIT’s network looks like, but if they really have no filtering other than by MAC address, all their server closets might as well be unlocked.

Swartz: 5, MIT: 2.

Download 2: Electric Boogaloo

During November and December of 2010, Swartz uses his two laptops to download more than two million articles from JSTOR. The indictment notes that this is more than one hundred times the number of downloads by all legitimate MIT JSTOR users** combined**. Swartz is familiar enough with the network architecture at MIT by this point that he assigns his laptops their own IP addresses.

This means he gets to skip the Guest Registration process entirely, because his computers tell the MIT network that they’re supposed to be online at 18.55.6.whatever, and MIT’s network is perfectly okay with this. He goes from “Hi, I’m Gary Host, using Ghost Laptop, and I’d like an IP address, please” to “I’ll be using, thanks. Hold all my calls.”

Now, my network at home is set to allow self-assigned IP addresses. But I also keep my front door locked, and my wi-fi behind a password. MIT just leaves the server closet door unlocked. The mind boggles. Either lock up your network switches, or don’t configure them to let every Tom, Dick, and Gary [Host] self-assign an IP address. Swartz: 6, MIT: 3.

According to Paragraph 26 of the indictment, Swartz also hid his laptop (and its many external hard drives that hold the JSTOR articles) under a box in the closet, which is probably no sketchier than self-assigning an IP address and plugging into a server closet, but it’s yet another step he took to maintain his access to MIT’s network, and through that, JSTOR’s. Swartz: 7, MIT: 3.

In January, Swartz removed his computer equipment from the server closet, entering the basement while holding his bike helmet over his face like a mask. Swartz is pretty clearly aware that he’s crossing a line here: I don’t imagine most MIT students walk around campus like that. Later that day, he connected the Acer laptop to the MIT network in a different building, with a new MAC address. This time, he went through the guest authorization process, again with a fake name, though probably not from a server closet. Swartz: 8, MIT: 3.

The Loose Ends

Altogether, Swartz downloaded approximately 4.8 million articles, of which 1.7 million were available for sale. The indictment says he “stole” 4.8 million, but stealing is the act of taking something away from something else. Really, he accessed a network and made copies he didn’t have permission to make.

The grand jury also found that Swartz intended to distribute these files, but this doesn’t have anything to do with the unauthorized access charges, or his purported “stealing.” I think this is meant to add to the parade of sketchy things the jury is supposed to consider, but frankly, it’s not relevant to any of the charges.

In my next post, I’ll review what crimes Swartz is charged with, as well as my two cents about the merits. Spoiler: the first one’s a laugher!

Filed on under The News

The New York Criminal Law and Procedure blog tries to answer what is the “interest of justice”? Courts in New York are authorized by the Criminal Procedure Law to disregard certain rules only in the interest of justice, but it’s undefined and (I think) rather vague.

Larry Cunningham took a stab at it in an article about the appeals process. It’s a good read, and you really don’t want to be outside on the East Coast right now, anyway.

Filed on under Legal Theory

Yesterday, on Father’s Day, Google automatically added a reminder for users to call their fathers via the Gmail web site. We pick up the resulting scandal from Tech Crunch:

Albeit micro, ‘Reminder: Call dad’ is just one more example of Google not entirely grasping social niceties. It should be obvious that putting up a status message that’s offensive to some users especially users whose fathers have passed away, or were abusive, et al., in a place that most people consider private, might not go over well.  But it wasn’t.

Notwithstanding the bit about folks’ fathers who have just passed away, because that is inarguably sad; I’m going to post a link to Louis C.K.’s sketch about White People Problems and make one smartass comment myself.

The giant international corporation that indexes a startling approximation of the sum total of human knowledge and makes it available for free on a global information network does not entirely grasp social niceties. Everything is ruined forever.

Filed on under Irreverently Irrelevant