The MIT report (PDF) on the Aaron Swartz case is out. I am going to take some time to study it and understand it more fully. I’m away with my family and won’t be commenting on the report now, beyond the following:
The report says that MIT never told the prosecutor that Aaron’s access was “unauthorized.” They indicated that his machine was not supposed to be plugged into the ethernet jack it was plugged into, but there is no law against abusing an ethernet jack. The law regulates authorized access to a network. The whole predicate to the government’s case was that Aaron’s access to the network was “unauthorized,” yet apparently in the many many months during which the government was prosecuting, they were too busy to determine whether indeed, access to the network was “authorized.”
Here’s the section from the report (§11b):
The superseding indictment abandoned the theory of “exceeding authorized access,” and counts 9 and 12 (applicable to MIT) relied instead on “unauthorized access.” The allegations in the indictment focus on numerous means whereby Aaron Swartz obtained access to the computer through unauthorized means, such as repeatedly taking steps to change his computer’s apparent identities and to conceal his computer’s real identity. Clearly, these are means whereby Aaron Swartz obtained access to the computer in order to engage in unauthorized conduct, that is, to do something that MIT did not want him to do through its network: engage in massive downloading of JSTOR articles.
The question posed by this charge in the indictment is, however, different: it is whether— given MIT’s guest policy—Aaron Swartz accessed the MIT network without authorization. Put differently, it is whether Aaron Swartz was authorized to access the network, regardless of whether he used improper means to do so. To illustrate this distinction, the Review Panel has asked itself the following question: had Swartz, intending to engage in the conduct for which he was indicted, walked into an MIT library, shown his personal identification to the desk, and asked to log on to the MIT system as a guest—would he then have been given access? If the answer to this question is “yes,” then it seems possible that Aaron Swartz’s access to the MIT network was authorized, notwithstanding his inappropriate means of implementing access, or of then abusing such access (which may themselves have been violations of different criminal or civil prohibitions).
The Cambridge Detective involved in the prosecution explained to the Review panel that he repeatedly asked, in various ways, whether the laptop was authorized to be in closet; whether the cable from the laptop to the network switch was authorized to be there; whether the manner of downloading the articles was authorized; and, overall, whether the method of accessing and using MIT’s network in this manner was authorized. He was told “no,” and told that MIT had tried to prevent the downloading by disconnecting the computer of the (then) unknown suspect.
The Review Panel questioned five employees of MIT’s IS&T who were involved in the identification and monitoring of Aaron Swartz’s laptop found in the network closet of Building 16 and who provided information to the prosecution during its preparation of the criminal case. According to them, and also according to OGC and MIT’s outside counsel, at no time, either before or after the arrest of Aaron Swartz, did anyone from the prosecution inquire as to whether Aaron Swartz had authorized access to the MIT network. Given MIT’s open guest policy, it might be argued that Aaron Swartz accessed the MIT network with authorization. Put differently, there is apparently an issue as to whether Aaron Swartz was authorized to access the network, regardless of the considerations that (1) he might have used improper means to implement such access; and (2) once he was on the network, he might have used such access for an improper purpose.
The relevance of this distinction can be seen in the Department of Justice’s computer crime manual, Prosecuting Computer Crime (2nd ed.), published by the Office of Legal Education, Executive Office for United States Attorneys: “A more difficult question is whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded.”
As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p137-39)
If indeed Aaron’s access was not “unauthorized” — as Aaron’s team said from the start, and now MIT seems to acknowledge — then the tragedy of this prosecution has only increased.