Blog Ipsa Loquitur

Published on under Legal Theory

One of my favorite blogs, written by an Emergency Department physician (WhiteCoat), covers a lot of medical issues and medical policy news; I’m always intrigued by perspectives on these topics other than the litany of articles by lawyers and economists. It’s journalism from the trenches, and everyone can appreciate a perspective informed by a career on the front lines. If a doctor says a certain part of the health care system sucks, or a “reform” would actually make things worse, it’s hard to argue.

A few weeks back, a hospital in New Orleans settled a class-action lawsuit for $25 million. The hospital was sued after Hurricane Katrina: the complaint chiefly focused on the allegedly insufficient disaster preparation of the hospital’s owner, Tenet Healthcare Corporation. Such failure to prepare was alleged to have caused injury to hundreds of patients, and led to the death of forty-five of them.

WhiteCoat posted a rather narrow-minded critique of a legal system that allows for this sort of result, titled “Where Are Force Fields When You Need Them?” In the comments of his blog post, I attempted to explain why the settlement wasn’t a miscarriage of justice, and what the legal standard was for a lawsuit like this (hint: it does not involve Force Fields).

If you scroll down to the comments section, you’ll see that I was not what one could safely call “successful.” I may have more success if I’m not constrained to a comment on someone else’s blog. Let’s try that again.

Not All Liability is the Same

Fundamentally, lawsuits like this are about negligence. The hospital was negligent in planning for a disaster, so sick people died. The supermarket was negligent for not cleaning a spill on the floor, so someone slipped and fell. The guy tossing his cigarette in the bushes was negligent, so the lawn caught fire and your whole house burned down. These scenarios all have a lot more in common than “something bad happened, and we will hold someone accountable.”

Note: there is a legal standard where that’s all the plaintiff needs to demonstrate. It’s Strict Liability, and it’s harsh. Way harsh. The plaintiff doesn’t have to show fault, or carelessness, or recklessness, or malfeasance, or anything other than “this guy did this, now where’s my money?” That’s not what the Tenet lawsuit is about, nor should it be: we’re only going to be discussing Negligence now.

We see Strict Liability chiefly in products liability cases. Say you were using a chainsaw when the chain broke and cut your leg; the legal system doesn’t require you to figure out where the design flaw in the chainsaw lay, or whether it was the fault of the steel supplier, the plastic supplier, the assembly robot, the assembly robot installation guy, or any of the five thousand other people remotely related to the production and sale of the chainsaw. That’s silly. It’s almost as simple as ‘show up at the courthouse and bring your receipt.’

Negligence Was the Case they Gave Me

Defined briefly, Negligence is the breach of duty of reasonable care owed to a person who was foreseeably injured by a defendant’s unreasonable act. There’s a lot to unpack here, but the key word is “reasonable.”

This is really where WhiteCoat missed the point. His big gripe is that, for a hurricane as devastating as Katrina, only force fields or nuclear-powered hovercrafts would have saved everyone. He’s probably right. But we’re not looking at the results and saying “Tenet should have done better” here. That’s not how Negligence actions work.

In the best case scenario, maybe there could have been no deaths, maybe there could have been forty deaths, or maybe four hundred deaths, and this case still could have turned out the other way. It’s irrelevant. Negligence isn’t about a failure to have the best possible results, or even the failure to have good results. It’s a failure to act reasonably, thus causing injury to people to whom you owed a duty to act reasonably.

If you don’t act reasonably, yes, it’s likely that you’ll fall short of the ideal outcome, and someone could suffer an injury. The Negligence lawsuit happens when someone is injured, but the defendant is not liable because he could have done better by not injuring anyone. The defendant is liable because he owed a duty to exercise reasonable care, he failed to do it, and someone was injured.

Meet the Tenet Healthcare Corporation

So here’s the deal. Tenet owns lots of hospitals, but they’re not terribly good citizens. They have settled a number of lawsuits over the years with just about everyone they deal with: patients, employees, investors, regulators, labs, etc. They have paid a lot of money to avoid juries over the last decade: $29 million for Medicare fraud in 2002. $17 million for overcharging federal health care programs in 2002. $54 million for medical necessity fraud in 2003. $30 million for overcharging patients in 2005. $395 million for unnecessary open heart surgery in 2005. $900 million for Medicare fraud in 2006. $215 million for misleading its investors in 2006. $85 million for denying employees overtime pay in 2009.

This does not represent every lawsuit Tenet has defended. Not even close. These are the cheaper(!) ways out of some of the closer calls they might have had. You could say that this is symptomatic of a legal system that’s gone out of control, and just doesn’t know when to stop second-guessing hardworking professionals.

Or, you could see a company with a demonstrated history of executive malfeasance. Lying to investors, lying to regulators, lying to patients, mistreating employees, defrauding Medicare; hospitals owned by Tenet have a long history of this kind of behavior. One of the other commenters on WhiteCoat’s blog post used to work at a Tenet facility. She says:

They’re cheap bastards that will compromise patients’, families’ and staff safety for a buck. I live in St. Louis, worked at my hospital for 9 years and NEVER once saw them run through even a basic tornado drill. Most of the nurses I work with don’t know the basics to this.

(For those outside the US, St. Louis is in a state that has seen nearly 2000 tornadoes in the last 60 years; though only a few dozen were within St. Louis, they’ve injured over 600 people. Tornadoes in the Midwest are a serious danger.)

This is not a company that seems to keep a tight leash on what their hospitals are up to. Indeed, if you read the original New York Times article about the Hurricane Katrina Aftermath trial, you get a distinctly different impression.

The class-action suit is expected to highlight desperate e-mail exchanges, not previously made public, between the hospital and its corporate parent.

“Are you telling us we are on our own and you cannot help?” Sandra Cordray, a communications manager at Memorial Medical Center, which sheltered some 1,800 people, wrote to officials at the Tenet Healthcare Corporation’s Dallas headquarters after begging them for supplies and an airlift.

Tenet corporate headquarters did not have an emergency command system in place and established one as the disaster unfolded. Company officials lobbied hard to get federal rescuers to prioritize Memorial, warning that dozens of patients were in danger of dying.

If Plan B was really “lobby federal officials,” I think they must have become used to solving their problems by throwing lots of money around. (See: that paragraph above with all the $$$ for settlements.) Tenet may not have been on the ball. The fact is that they just paid $25 million to keep a judge from asking a jury if they were negligent. That means Tenet thinks at least twelve people might see it that way, too.

Hurricanes and Hospitals: A Primer

Why would a jury see it this way, anyway? Again, Reasonableness is the key word in avoiding liability in a lawsuit like this. What’s a reasonable way to handle this situation? Force fields and hovercrafts are way, way beyond reasonable, though they would probably work. The reasonable way to handle the situation may still result in some fatalities: certainly, in the case of hurricane Katrina, most folks were not completely and omnisciently prepared for how badly that ended up going. And that’s okay.

However, a failure to make reasonable preparations for a hurricane when you’re a hospital in a hurricane-prone town below sea level isn’t okay. What would have been reasonable? That’s a good question. From the New York Times article again:

It has been previously reported that [Tenet’s subsidiary] Memorial did not act on a 2004 recommendation to move components of its electrical system above the ground floor. New documents raise questions about whether design, maintenance or other factors led to the total failure of backup power after the floodwaters rose.

The Times article also mentions that the backup generators might have failed due to improper maintenance, not rising floodwaters. Not keeping your backup generators ready to generate power for more than a few hours might mean you’re not reasonably prepared for a disaster. Deciding to keep sensitive electrical equipment below sea level also might mean you’re not reasonably prepared for a disaster. These are the sorts of issues that would have come out at trial, and Tenet decided to skip the trial and go right to the checkbook.

Really, the point is that Tenet did not need to plan for every contingency, save every life, and magically turn back the waters. The legal system doesn’t hold a hospital to this kind of standard, which is great, because no one could have. I certainly can’t, otherwise I’d have a great line for my cover letter when sending my resume to Tenet Healthcare: “boy, can I save you guys a lot of money in (some of your smaller) settlements!” Tenet needed to be reasonably prepared; that’s all the law requires. No force fields, no hovercrafts, no perfect outcomes, no happy people.

One last bit that really confused me was WhiteCoat’s insistence that it’s never fair to look back on someone’s actions and tell them that they should have acted differently. Virtually all legal actions are retrospective judgments of past behavior. Golly, OJ, you really shouldn’t have stabbed your wife to death. Gee, Kenneth Lay, you shouldn’t have committed all that corporate fraud. Wow, Dominic, you really shouldn’t have written libelous things about Mr. Simpson or Mr. Lay. Lawsuits talk about things that happened in the past because that’s how we evaluate our actions.

Seriously, when else would you sue? Before the negligence or any injury happens? Do you stand around and hope that Tom Cruise can crack the case before the court date? Doctors don’t give you chemo before you get cancer. Lawyers don’t file lawsuits before there’s an injury.

(Yeah, yeah, injunctions are prospective prohibitions on certain actions, but it’s just as unreasonable to expect patients sitting in a hospital to enjoin negligent preparation as it is to Minority Report your way through pre-emptive negligence actions.)

Part of what lawyers and the other risk-management types do is prospectively examine their clients’ potential liability from regulators or plaintiffs. I guarantee that Tenet’s legal department would have had conniptions if they knew the generators weren’t regularly repaired, or that a report suggesting the electrical equipment be moved off the ground was ignored. (Hell, I bet the doctors working in the hospital would have been pretty freaked out, too.) Then again, Tenet’s legal department seems to spend a lot of time negotiating settlements and writing checks to dodge juries, so maybe I’m giving them too much credit.

In that case, I’m for hire, guys.

Published on under Legal Theory

The Awl has a piece on the Aaron Swartz saga that I genuinely like, but has a few paragraphs that deserve some clarification.

It’s been widely asserted that Swartz intended to distribute the material he downloaded from JSTOR to the public, e.g. by posting the lot onto a file-sharing site like The Pirate Bay. And it’s no wonder that people are saying this, because the government’s indictment alleges it directly, but the indictment provides not a single shred of evidence to support these claims.

An explanation of criminal procedure would be helpful here. A grand jury only indicts someone for a crime after hearing evidence of the defendant’s guilt. The contents of the indictment do not represent the sum total of the evidence against the defendant; it represents the suspicions of the grand jury after having heard evidence against the defendant. The indictment’s allowed to be sparse.

I agree entirely with the ridicule of U.S. Attorney Ortiz’s platitudes on stealing. Swartz wasn’t stealing, no matter how you slice it. Heck, he’s not even being charged with copyright infringement, which is usually what folks conflate with stealing. Neither hacking nor copying is stealing.

on pressing charges

The Awl article muses about why Swartz is still in hot water, as JSTOR doesn’t want to press charges. Pressing charges is something that happens on TV; that JSTOR and Swartz have kissed and made up already does not make Swartz a free man. In real life, when you’re a victim of a crime, you call the police. The police take your statement, write a report of their investigation, and ask you to sign a complaint – this is usually what folks mean by “pressing charges.” Obviously, the police can turn their report over to the local District Attorney’s office regardless of whether the victim signs a complaint. How else would anyone ever get charged for murder?

For federal crimes, it’s a little different. But take that last paragraph, replace “police” with “FBI/DEA/etc” and District Attorney with U.S. Attorney, and you have a reasonably accurate description of how federal crimes get prosecuted. The FBI doesn’t really go around asking if you’d like to press charges, generally because there are no low-stakes federal crimes.

Again, JSTOR doesn’t want to press charges, but they’re not involved in the trial. Criminal cases are between the government and the defendant. On the other hand, civil cases are between two private parties who are encouraged to settle out of court.

That being said, The Awl is absolutely correct about why the government is so interested in this relatively middling case; one of the reasons Swartz is being charged for this (even though the parties involved don’t seem to really care all that much) is that Swartz has been an agitator for years. I’m personally a fan of his work in liberating the PACER library, but he didn’t exactly endear himself to federal authorities with his quixotic work.

However, it should go without saying that prosecuting for X because you’re mad that you couldn’t prosecute for Y is not a terribly sound strategy.

on free

I sincerely love this next quote from The Awl:

But the worst misapprehension in Maxwell’s remarks is his total misunderstanding of what public domain really means. Shakespeare is “part of the shared heritage of all mankind,” too, but does that mean you can march into a Barnes & Noble and take any copy of Shakespeare that you want out of there for free? No! You have to pay Barnes & Noble and Penguin Classics or whomever for making it available to you in a form you can use, in this case a book. To fail to appreciate this point is to weaken the argument for open access by depriving it of clarity and focus.

For context, one of Swartz’s fans by the name of Maxwell uploaded 33GB of public domain documents to a file-sharing site, in the name of giving the “shared heritage of all mankind” back to its rightful owners (us) for the right price (free). This of course confuses the price you pay for the public domain content with the price you pay for accessing the public domain content.

Sure, the information is like totally free, man; but the computers that host 33GB of scanned PDFs aren’t free; the internet connection for a frillion Gb of bandwidth a month isn’t free; the electricity that keeps all those computers computing and routers routing isn’t free; the salaries of the IT folks that keep all those computers computing aren’t free.

Maxwell’s almost certainly aware of this. His response, I imagine, is something like the following. Great news for JSTOR – we can save them tons of money every month. If the public mirrors the public domain files and makes them available on peer to peer networks, we can eliminate the need for servers, industrial levels of bandwidth, and so on. Of course, the computing power required to search 33GB of non-OCR’d PDFs is nothing to sneeze at.

The Awl makes the point that the various efforts to collate, compile, and make searchable all the public domain documents are the services for which the price is charged, not the public domain documents themselves. If Maxwell had transcribed these 33GB of public domain documents himself, well, he’d have invented Project Gutenberg.

on crimes

This one is less good:

Swartz is being charged with hacker crimes, not copyright-infringement crimes, because he didn’t actually distribute any documents, plus JSTOR didn’t even want him prosecuted.

Really? For the record, you don’t have to distribute an illegal copy of something to be guilty of copyright infringement. Again, what JSTOR wants doesn’t really enter into this picture. Swartz is being charged with hacker crimes because he did things to MIT’s and JSTOR’s networks that he wasn’t supposed to do. The Philadelphia trial lawyer has a lot more experience in the legal field than I do, but I don’t think that’s why his logic is beyond me. He writes:

JSTOR already settled their claims with him. What more needs to be done here? The “criminal violation” here arises not from any social duty — like, you know, our society’s communal prohibition on murder — but rather from Swartz “exceeding the authorization” imposed by JSTOR on its servers.

I’m not sure how to take that. Only crimes as serious as murder deserve prosecution? Only crimes forbidden in ancient times deserve prosecution today? Computer crimes are silly and there ought not to be any laws governing hacking? I must presume that if the Ten Commandments had forbidden computer hacking, I wouldn’t have written this sarcastic paragraph. There’s no serious doubt that hacking is less serious than murder, but again, you don’t get off the hook for federal crimes because you managed to get a pardon from your victim.

not for sale

On the other hand, the bit about wire-defrauding JSTOR by agreeing to the terms while intending to defy them is spot on. Again, like the MySpace case, common sense seems to require we don’t make a federal crime out of clicking “I Agree” to a EULA when we don’t actually agree. I like the bit about the pecuniary gain – while I think I can imagine cases where it’s possible to commit fraud without pecuniary gain, for the purposes of EULA-based wire fraud, I’m more comfortable with a pecuniary requirement. Not that Congress or the federal judiciary consults me, but it seems like the right result.

The latter half of the article veers off into discussing the wire fraud charge, and dissecting whether or not Swartz intended to make money off his JSTOR downloads. This is a good excuse for the warm and fuzzy bits about how Swartz is a nice guy. I believe he is; he spoke at my law school and talked about his career as an activist – the photo of him and Lessig is just icing on the gravy, as far as I’m concerned. Swartz has the pedigree. I’m sure he wasn’t trying to make money.

But really, the wire fraud charge is one of the weakest ones in the indictment. It’s the hacking charges that I think he’s really screwed on. All that sneaking around MIT and breaking into their server closets puts him in a rough spot, which I’ve gone on about at length before.

Published on under Legal Theory

The FOSS Patents blog has a great post on the newest development in the continuing litigation between Oracle and Google. Google’s Android operating system allegedly includes code from Oracle’s Java platform, and Oracle has sued Google for copyright infringement. Google says that they really only copied Java’s APIs, and that functional processes aren’t copyrightable; only the idiosyncratic code you wrote that accomplishes that function is.

I don’t want to cover the entire course of the litigation here, just an email from one of Google’s engineers, Tim Lindholm in 2010:

“What we’ve actually been asked to do (by Larry and Sergey) is to investigate what technical alternatives exist to Java for Android and Chrome. We’ve been over a bunch of these, and think they all suck. We conclude that we need to negotiate a license for Java under the terms we need.”

While I’ve seen this quote making the rounds as more or less definitive proof of Google’s guilt, I think it’s a bad idea to read too much into this. First, this is an engineer, not a lawyer, talking about the feasibility of dropping Java from Android after five years of development. In his engineer opinion, he thinks Android should still use Java. He uses the phrase “negotiate a license” because he’s presumably not stupid enough to use “infringe the copyrights” instead. (Faint praise, indeed.)

Second, this Lindholm email doesn’t actually prove any copying one way or another; this statement is really meant for a jury trial. Specifically, this email lets a jury find that Google ignored basic IP rights and took what they wanted; I’m certain Oracle’s lawyers will wave this email about to show a jury that Google knew they were infringing and they were trying to bail out of the trouble schooner S.S. Java on the eve of trial. So Google and Oracle are going to do some furious lawyering back and forth over this, not to prove the case, but to increase the size of a potential judgment.

but wait there’s more

FOSS Patents very astutely points out that it’s even worse for Google than just one incriminating-ish email. Back in 2005, when Android was still in development, (and before dropping Java from Android would have undone five years of work,) one of the founders of Android wrote an email similar in tone:

In that one, [Android founder Andy] Rubin outlined two options, the second one of which was apparently chosen: it amounted to going ahead with Java on an unlicensed basis, despite being fully aware of the risk of blowback at a later point in time (“Do Java anyway and defend our decision, perhaps making enemies along the way”).

You can read the second email in its entirety here. Again, this doesn’t demonstrate copying. It does show that they were aware they didn’t have licenses, but there are lots of reasons to not have licenses – probably the best one is that you didn’t take any copyrighted code. Again, this is really meant to increase the stakes for Google: Oracle isn’t proving infringement here, they’re just proving willfulness.

because i can’t resist

As for the merits of the copyright claim, Oracle is in a silly spot. To gloss over many of the important technical details, the Android OS doesn’t run Java; it runs special Java-compatible programs in a special Android-only way (called “Dalvik”). Oracle tells everyone how to write Java programs – it would be the world’s least successful programming language if it were secret and no one was allowed to use it. Oracle lets anyone make use of the Java APIs, but when Google starts shipping millions of Android devices running computer programs written to use some Java APIs, they start to wonder if it ought to be allowed on Dalvik at all.

If Oracle had only made Java a little less friendly for developers (if you write Java programs, you run them with Java, not with Dalvik! Now buy a license for that, thanks!), they could be rich. Or, more likely, Android would have been built from the ground up to use a more developer-friendly language.

So Oracle has an army of next-generation programmers learning to write in Java for Android and Dalvik, and their solution isn’t to court these young enthusiasts, but rather to try to extort the guys that make the phones? That strikes me as immensely short-sighted.

Published on under The News

During a ten-minute phone call to an audience gathered in the parking lot of a Pizza Ranch restaurant in Newton, IA, Republican presidential hopeful Michele Bachmann vowed to vote against the debt deal, NBC’s Jamie Novogrod says. A crowd of about 25 people stood under a tent in noon heat. Bachmann apologized for not being there in person. She urged her audience to drink water, and explained she had returned to Washington for the vote.

“Let me ask you this question. Raise your hand. Do you want me to vote ‘no’ on raising the debt ceiling?” she said. After a pause, several people raised their hands. “I can’t see the results,” Bachmann said, “but if the show of hands is anything like the rest of the country,” Bachmann said, “it is a very strong ‘no.’”

This literally happened; I get the impression Bill Maher’s going to have fun with that one.

Published on under The News

Noted internet activist Aaron Swartz has been indicted on a number of federal crimes, and I thought it would be fun to run through the accusations against him, to preview what the trial looks like. In a subsequent post, I’ll discuss the actual charges and how screwed Swartz is. MIT has a copy of the indictment in PDF form, which is probably ironic, but prolonged exposure to Brooklyn has rendered me incapable of detecting irony anymore.

Very briefly, a non-profit called JSTOR has spent a lot of money buying tons of academic journals every month. They charge universities (and by extension, the students of said universities) as much as $50,000 a year for Netflix-style access to the JSTOR library. JSTOR also allows purchase of individual articles, at the publishers’ option.

Aaron Swartz has been accused by a federal grand jury of writing a computer program to download millions of JSTOR’s articles, and tampering with MIT’s network to do it. He’s been charged with a number of federal anti-hacking crimes, which I’ll cover in a separate post. Today, I just want to go over the indictment.

One last thing: as a nerd reading this indictment, I can’t help but notice areas where MIT is awfully inept. I’ll be keeping a scorecard through this post: sketchy things Swartz did, and inept things MIT did. These aren’t legal standards (doing something “sketchy” is definitely not a federal crime), but keeping score in these terms will be helpful in piecing together the overall narrative of the indictment; “Swartz deliberately crossed the line over and over again.”

Federal Anti-Hacking Law

Paragraph 8 mentions that “MIT also allowed guests of the Institute to have the same access as its students, faculty, and employees for short periods of time while they were on campus.” This is important, because Swartz plugged a computer into the MIT network for days at a time, and one of the key elements to most of the charges is “unauthorized access” – that Swartz exceeded his authority in accessing MIT’s network, and through it, JSTOR’s.

This is because the crimes he’s charged with forbid unauthorized access of a computer [when x happens after y and z, etc]. Over and over, the indictment makes the case that ‘Swartz understood that MIT and JSTOR wanted him to knock off the downloading; he used his technical expertise to access the networks against the wishes of MIT and JSTOR.’

In that same vein, paragraph 9 reads:

JSTOR’s computers were located outside the Commonwealth of Massachusetts, and thus any communications between JSTOR’s computers and MIT’s computers in Massachusetts crossed state boundaries. JSTOR’s computers were also used in and affected interstate and foreign commerce.

This tracks the language of the Computer Fraud & Abuse Act’s definition of Protected Computer in 18 U.S.C. 1030 (e)(2). Virtually every computer (and most cell phones) fits this definition by now, but it’s one of those things that still has to be recited. Don’t read too much into the “commerce” bit; when the CFAA was passed into law in 1986, the Internet wasn’t quite as ubiquitous as it is 25 years on. Most anything connected to the internet is used in interstate commerce these days.

I think this is a silly paragraph with which to take exception with the indictment. The New Yorker, however, thinks this is the part of the CFAA that courts have struggled to define. Longtime readers of Barely Legally will recall that it’s not “interstate commerce” that has been expansively defined, it’s “unauthorized access” – a good example is my first post on the Lori Drew case. Again, the narrative is ‘Swartz knew he was supposed to stop, but he kept pushing,’ not ‘MIT’s network is used in interstate commerce.’

Anyway, on to the good stuff.

Trapped in the Closet

Right off the bat, Paragraph 11a accuses Swartz of “breaking into a restricted computer wiring closet at MIT,” and 11b says he plugged directly into an internal network switch [instead of into one of the plugs in the library]. I’m struck by the bit about the closet; the indictment drops that accusation quickly, and moves along. If Swartz had actually picked a lock or something, it certainly would have been mentioned. As it is, it seems like MIT forgot to lock their expensive network bits up.

For those that aren't giant nerds like me, a network switch is kind of like a power strip, but for networks. So if you have a lot of things to plug in all over a campus, you can plug switches into switches, kind of like how Uncle Clark plugs power strips into power strips every Christmas to wire the entire house with festive lights.

As I said, this indictment is full of things that Swartz did that seem pretty sketchy, and things that MIT did that seem pretty inept. Do note that regardless of whether or not MIT locked the closet with its expensive network bits, “breaking into” includes opening and walking through a door without permission. This one ends up a push.

Swartz: 1, MIT: 1.

With Intent To Harvest

Paragraph 13 accuses Swartz of buying an Acer laptop “with the intent of using it to automatically and systematically harvest JSTOR’s archive of digitized journal articles.” Swartz plugged the laptop in the closet and registered it under the name “Gary Host” - Swartz/Mr. Host combined his first initial with his last name to designate the laptop “Ghost Laptop.” Swartz/Mr. G. Host also provided a fake email address. I don’t think it’s a stretch to think that he’s trying to hide something already. 

Swartz: 2, MIT: 1.

Swartz then ran a program from his laptop within MIT that automated the process of downloading as many articles from JSTOR as possible; the indictment says this program was “designed to sidestep or confuse JSTOR’s efforts to prevent this behavior.” This phrase comes up a few times, but the indictment never explains exactly how this program sidestepped or confused anyone.

Beginning with paragraph 18, the indictment explains the game of cat and mouse that Swartz, MIT, and JSTOR played to keep the former’s laptop(s) off the latter’s network(s).

September 2010:

  • September 24, Swartz installs an Acer laptop in the MIT storage closet.
  • September 25, Swartz downloads “an extraordinary volume of articles from JSTOR.”
  • September 25, JSTOR blocks the Acer laptop’s IP address.
  • September 26, Swartz obtains a new IP address from the MIT network.
  • September 26, JSTOR blocks the Acer laptop’s new IP address.
  • September 26, JSTOR also blocks the entire octet of IP addresses of 18.55.6.*, which knocks 255 legitimate MIT users off JSTOR. This ban lasts for three days.
  • September 27, JSTOR notifies MIT that someone is downloading tons of articles using MIT’s network. MIT blocks the Acer laptop’s MAC address. (Despite what the indictment says, a laptop’s MAC address is absurdly easy to change.)

This is a lot to unpack so far. Crawling the JSTOR web site and downloading everything you find is quite specifically forbidden in the JSTOR Terms and Conditions of Use, under 2.2(f). That raises our scorecard of sketchy things to Swartz: 3, MIT: 1. When JSTOR blocks the Acer laptop’s IP address, Swartz just requests a new IP address from MIT and carries on. 

Swartz: 4, MIT: 1.

MIT apparently only figures out there’s a problem when JSTOR bans Swartz’s laptop along with 255 others at MIT. Then, MIT bans the Acer laptop’s MAC address. (An IP address indicates a computer’s location on a network. The MAC address is like a serial number that uniquely identifies a device.) I don’t think it’s fair to say that’s as inept as leaving server closets unlocked, because it’s not necessarily a knock against MIT that they don’t police JSTOR’s network for them.

October 2010:

  • October 2, Swartz changes the Acer laptop’s MAC address and gets a new IP address.
  • October 8, Swartz connects an Apple laptop to MIT’s network under the name Grace Host, calling it “ghost macbook” with another fake email.
  • October 9, Swartz uses both laptops in concert to download so many articles that some of JSTOR’s servers go down.
  • October 9, JSTOR blocks the entire MIT network from access to JSTOR’s network, “for several days.”

After Swartz changes the MAC address on his Acer laptop, adds a second laptop to MIT’s network, and accidentally brings down parts of JSTOR’s network, I have it as Swartz: 5, MIT: 1. I’d like to think that at some point in all this, MIT would have been more aggressive in kicking Gary and Grace Host off the network. I don’t know what MIT’s network looks like, but if they really have no filtering other than by MAC address, all their server closets might as well be unlocked.

Swartz: 5, MIT: 2.

Download 2: Electric Boogaloo

During November and December of 2010, Swartz uses his two laptops to download more than two million articles from JSTOR. The indictment notes that this is more than one hundred times the number of downloads by all legitimate MIT JSTOR users **combined**. Swartz is familiar enough with the network architecture at MIT by this point that he assigns his laptops their own IP addresses.

This means he gets to skip the Guest Registration process entirely, because his computers tell the MIT network that they’re supposed to be online at 18.55.6.whatever, and MIT’s network is perfectly okay with this. He goes from “Hi, I’m Gary Host, using Ghost Laptop, and I’d like an IP address, please” to “I’ll be using, thanks. Hold all my calls.”

Now, my network at home is set to allow self-assigned IP addresses. But I also keep my front door locked, and my wi-fi behind a password. MIT just leaves the server closet door unlocked. The mind boggles. Either lock up your network switches, or don’t configure them to let every Tom, Dick, and Gary [Host] self-assign an IP address. Swartz: 6, MIT: 3.
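The check that closes this gap is what switch features like DHCP snooping with IP source guard perform: compare what is actually on the wire against what the DHCP server leased. The sketch below is an added example, not anything from the indictment or MIT's configuration; the MACs, host octets and port names are constructed, and only the 18.55.6.* range comes from the page.

```python
import ipaddress
from dataclasses import dataclass

GUEST_NET = ipaddress.ip_network("18.55.6.0/24")  # range named in the indictment

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str

# Constructed sample: leases the DHCP server handed out after registration.
DHCP_LEASES = [
    Binding("00:00:5e:00:53:0a", "18.55.6.20", "sw1/12"),
    Binding("00:00:5e:00:53:0b", "18.55.6.21", "sw1/14"),
]

# Constructed sample: (MAC, IP, port) tuples seen in ARP traffic.
OBSERVED = [
    Binding("00:00:5e:00:53:0a", "18.55.6.20", "sw1/12"),   # matches its lease
    Binding("02:00:5e:00:53:01", "18.55.6.240", "sw3/02"),  # never leased
    Binding("02:00:5e:00:53:02", "18.55.6.21", "sw3/02"),   # leased to another MAC
]

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a software-assigned MAC.
    # A hint only: a changed MAC does not have to set this bit.
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)

def audit(leases, observed, network=GUEST_NET):
    """Return (ip, mac, port, reason, locally_administered) per violation."""
    by_ip = {lease.ip: lease for lease in leases}
    findings = []
    for seen in observed:
        if ipaddress.ip_address(seen.ip) not in network:
            continue
        lease = by_ip.get(seen.ip)
        if lease is None:
            reason = "no-lease"        # self-assigned address
        elif normalize_mac(lease.mac) != normalize_mac(seen.mac):
            reason = "mac-mismatch"    # address leased to a different device
        elif lease.port != seen.port:
            reason = "port-mismatch"   # right device, unexpected switch port
        else:
            continue
        findings.append((seen.ip, seen.mac, seen.port, reason,
                         is_locally_administered(seen.mac)))
    return findings

if __name__ == "__main__":
    for finding in audit(DHCP_LEASES, OBSERVED):
        print(finding)
```

A switch enforcing this drops the offending traffic at the port; run offline against lease and ARP logs, the same comparison only reports it.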

According to Paragraph 26 of the indictment, Swartz also hid his laptop (and its many external hard drives that hold the JSTOR articles) under a box in the closet, which is probably no sketchier than self-assigning an IP address and plugging into a server closet, but it’s yet another step he took to maintain his access to MIT’s network, and through that, JSTOR’s. Swartz: 7, MIT: 3.

In January, Swartz removed his computer equipment from the server closet, entering the basement while holding his bike helmet over his face like a mask. Swartz is pretty clearly aware that he’s crossing a line here: I don’t imagine most MIT students walk around campus like that. Later that day, he connected the Acer laptop to the MIT network in a different building, with a new MAC address. This time, he went through the guest authorization process, again with a fake name, though probably not from a server closet. Swartz: 8, MIT: 3.

The Loose Ends

Altogether, Swartz downloaded approximately 4.8 million articles, of which 1.7 million were available for sale. The indictment says he “stole” 4.8 million, but stealing is the act of taking something away from something else. Really, he accessed a network and made copies he didn’t have permission to make.

The grand jury also found that Swartz intended to distribute these files, but this doesn’t have anything to do with the unauthorized access charges, or his purported “stealing.” I think this is meant to add to the parade of sketchy things the jury is supposed to consider, but frankly, it’s not relevant to any of the charges.

In my next post, I’ll review what crimes Swartz is charged with, as well as my two cents about the merits. Spoiler: the first one’s a laugher!