Prosecutors are warping the law to throw activist hackers like Aaron Swartz behind bars for years.
Peter Ludlow(AP Photo/File)
When Aaron Swartz committed suicide at the age of 26 in January, the online world was stunned. He had been the golden boy of the Internet—a leader in the advocacy of online rights who had also made major programming contributions to some of the most important platforms on the Web.
Why did he kill himself? His friends and family are convinced it was because unrelenting federal prosecutors indicted him on thirteen felony counts, threatening to put him away for up to ninety-five years. There is certainly no disputing that Swartz found himself on the wrong side of prosecutors who were going to do everything in their power to incarcerate him, even though it is now clear that he committed no crime. But apart from the tragedy of his death, the worst thing is that his case is just the tip of a growing iceberg.
In the year since Swartz’s death, a number of other computer hacktivists and whistleblowers have become the targets of the wrath of prosecutors and judges, and they have either gone to jail or are facing decades in prison—in one case 105 years. In each instance, the general theme seems to be the same: these are people who were interested in freeing up knowledge for the social good. In Swartz’s case, the goal was to liberate publicly funded knowledge that had been captured and placed behind a paywall. In other cases, it was to gain and disseminate knowledge about the nefarious dealings between our government and unaccountable private intelligence contractors. And in still other cases, it was to expose the ways corporations and private intelligence firms run psychological operations against Americans.
Taken together, the lesson appears to be that computer hacking for social causes and computer hacking aimed at exposing the secrets of governing elites will not be tolerated. The state will come down on such people as hard as it can. “The same beast bit us both,” jailed hacktivist Jeremy Hammond told The Guardian, referring to himself and Swartz. In both cases, as in many others, the question is why?
The prosecution of Aaron Swartz was based on the premise that he had obtained unauthorized access to the computer network at the Massachusetts Institute of Technology and downloaded millions of pages of academic journal articles from JSTOR, an online library. According to prosecutors, this act amounted to a violation of the 1986 Computer Fraud and Abuse Act, which makes it a felony to use a computer network in an unauthorized manner.
The CFAA was inspired in part by Hollywood fantasy: after political leaders watched the Matthew Broderick movie WarGames, they became concerned that a computer hacker might hack into NORAD via a dial-up modem. (Representative Victor Fazio reported that Ronald Reagan thought the movie was nonfiction.) The law is antiquated to say the least, and it is fair to say that prosecutors use—and abuse—it in ways not intended when it was written in the era before the Internet. For example, the Justice Department has held that a person can violate the CFAA simply by breaching the terms of service on an online user agreement (i.e., by lying in your user profile on Match.com). The result is that just about everyone, at some point, has violated the CFAA, making it an ideal tool for overzealous prosecutors.
Swartz’s actions were undoubtedly intended to make a statement: academic research paid for by the public should not be kept behind a paywall. In Swartz’s view, the system amounted to “the private theft of public culture.” Indeed, it is arguable that the current system of distribution of academic research amounts to an extortion racket in which private companies seize control of publicly funded research and hold it hostage for money. Swartz found this deeply immoral; his way of protesting was to download pages of academic publications via MIT’s computer network.
But did this act of civil disobedience actually break any laws? This past summer, MIT answered the question when it released an internal report on Swartz’s actions and his subsequent prosecution. The report was stunning for several reasons, but one in particular stood out: MIT found no reason to think that Swartz engaged in an unauthorized access of MIT’s computer network; the entire premise of the prosecution was false. Lawrence Lessig, a Harvard law professor and close friend of Swartz, summed up the matter as follows:
The report says that MIT never told the prosecutor that Aaron’s access was “unauthorized.”… The whole predicate to the government’s case was that Aaron’s access to the network was “unauthorized,” yet apparently in the many many months during which the government was prosecuting, they were too busy to determine whether, indeed, access to the network was “authorized.”
Furthermore, MIT’s review panel reported that the prosecutor never even asked if Swartz had violated the MIT access rules, adding, “The Review Panel wonders why.”
Not only did prosecutors file unfounded charges that carried the threat of nearly a century in prison; the MIT report also revealed that prosecutors turned up the heat on Swartz once he showed the audacity to try to defend himself in public. According to Lessig, “The prosecutor said that the straw that broke the camel’s back was that when he indicted the case, and allowed Swartz to come to the courthouse as opposed to being arrested, Swartz used the time to post a ‘wild Internet campaign’ in an effort to drum up support.” By “wild Internet campaign,” the prosecutor apparently was referring to an online petition by Demand Progress, conducted in support of Swartz.
In other words, the prosecution acted in a retaliatory manner because Swartz had dared to exercise his First Amendment rights. But when can it be more important to exercise your First Amendment rights than when you or a friend is being falsely accused of a crime? And what theory of justice says it is appropriate for a prosecutor to retaliate against someone for exercising that constitutional right?
By the end, Swartz was financially and emotionally exhausted. He could not bring himself to plead guilty to a crime he did not commit, but he also could not afford to fight on. Others might have taken a plea, as so many defendants do. After all, 95 percent of felony prosecutions result in plea bargains. Despite our ideals about a fair trial by jury, going to court and defending oneself is just not economically feasible for most except the very richest Americans.
* * *
On November 15, a 28-year-old Chicago hacker named Jeremy Hammond also learned just how impossible it is to defend oneself in today’s hacktivist-hunting climate. Hammond hacked a private intelligence company named Stratfor and released millions of e-mails detailing its role in spying on American citizens and engaging in psychological operations (psyops) against activist groups that were, for example, protesting environmental damage. The e-mails detailed the ways Stratfor’s agents would identify the personality types of the members of activist groups and then “neutralize” them based on those personality types (the playbook: isolate the “radicals,” cultivate the “idealists,” educate them into becoming “realists” and then co-opt the realists).
When Hammond pleaded guilty to the Stratfor hack, he noted that even if he could defend himself against the charges on grounds of civil disobedience, the federal prosecutors had threatened that he would face the same charges in eight different districts and he would be shipped to each of them in succession. He would become a defendant for life. With no financial resources to fight on, Hammond had no choice but to accept a deal by which he would be sentenced to ten years in prison. But as he made the plea, he issued a statement saying, “I did this because I believe people have a right to know what governments and corporations are doing behind closed doors. I did what I believe is right.”
The key element in Hammond’s statement is his concern about finding out what was going on “behind closed doors,” because this, not the hack itself, is arguably the reason the government came down on him so hard. We lionize people like Bill Gates and Steve Jobs, who began their careers as hackers. (Jobs and Steve Wozniak got their start making and selling “blue boxes”—devices whose sole purpose was defrauding the phone company.) And the government itself hires hackers—recruits them—to probe its various systems for weaknesses, protect them from cyber attacks and, yes, perform hacks. As Hammond told the court at his sentencing, the same FBI informant who helped unmask him also directed him to break into the websites of several foreign governments, including those of Iran, Brazil and Turkey.
One gets the impression, then, that Hammond incurred the government’s full prosecutorial wrath not because he hacked, but because of whom and for whom he hacked. His “mistake” was to hack for the people and in particular to hack his way into the shadowy world of private surveillance companies and expose the ways popular movements are spied on and undermined.
This is supported by the case of Barrett Brown, a journalist who established a journalistic project (Project PM) that crowd-sourced the analysis of the Stratfor and other hacks. Brown did not hack anything; he copied a link to the e-mails that Hammond uploaded to the Internet and brought the link to the attention of the editorial board of Project PM. Today, Brown sits in federal custody, facing 105 years in prison. He has been denied bail. The pretext for most of the charges that led to his incarceration is that because there were unencrypted credit card numbers and validation codes in the Stratfor e-mails, when he shared that link with Project PM he was guilty of trafficking in stolen authentication features, access device fraud and aggravated identity theft.
But, of course, what the FBI was more likely interested in was Project PM and what it had learned about Stratfor and other private intelligence firms. In March, the Justice Department served the domain hosting service CloudFlare with a subpoena for all records on the Project PM website, and asked in particular for the IP addresses of everyone who had accessed and contributed to Project PM.
Just as prosecutors had retaliated against Swartz for trying to defend himself on the Internet, prosecutors moved to prevent Brown and his legal team from doing the same. On June 18, I published an article on TheNation.com called “The Strange Case of Barrett Brown.” After it came out, I was interviewed about Brown on Democracy Now! Based on the article, the TV appearance and a handful of similar media mentions of Brown, the prosecution cobbled together a false story claiming that defense attorneys for Brown were orchestrating a PR campaign on his behalf. Prosecutors sought a gag order on Brown and his defense team; now neither he nor his lawyers are allowed to discuss his case in the media.
What could be the justification for this? Prosecutors claimed that the media mentions were making it impossible to empanel a neutral jury in north Texas. But it seems more likely that the prosecution was concerned that media attention would shed more light on the secrets divulged by Project PM as well as the prosecution’s own malfeasance in the matter.
In Brown’s case as in others, prosecutors drew on existing laws and then stretched, warped and mutilated the interpretation of those laws beyond their obvious intent. Laws against credit card fraud were stretched to include sharing a hyperlink to a public database. Likewise, in Swartz’s case, the prosecutors relied on the CFAA and warped it to mean any unauthorized use of a computer system, even when the supposed victim does not consider the use unauthorized. (There is a move in Congress to pass Aaron’s Law, an attempt to reform the CFAA, but clearly this is only part of the problem. Prosecutors will take any law—the CFAA or credit card fraud law or, in the case of Chelsea Manning, the 1917 Espionage Act—and warp it as needed to prosecute their targets.)
The CFAA was also used to prosecute Andrew Auernheimer, who is serving forty-one months in prison. Auernheimer’s case is less well-known than those of Swartz, Hammond and Brown, but they share certain characteristics. Auernheimer and an associate harvested the e-mail addresses of early iPad users from public web pages maintained by AT&T. They did this by building a little web crawler that could go through URLs numerically and extract the data. In other words, they did what Google web crawlers do every second of every day. Auernheimer then gave the results to the website Gawker to illustrate that AT&T was not properly protecting the security of its customers. He might have expected a thank-you note from AT&T, but federal prosecutors decided that instead he should be tried for violating the CFAA. Even though the information was publicly available on the Internet, its availability was a surprise and an embarrassment to AT&T, and hence, according to prosecutors, the access must have been unauthorized.
* * *
Why should we care about the cases of Aaron Swartz, Jeremy Hammond, Barrett Brown and Andrew Auernheimer? Apart from the great injustices done to them, there is the problem that when laws are overextended for cases like these, a precedent is established that can be used to incarcerate any of us.
In a world where everyone is potentially a felon in the eyes of the law, who will go to prison? In the cases of Swartz, Hammond, Brown and Auernheimer, it appears that they became targets because they allowed us to peer behind the veil of power to see how it is maintained by psyops, disinformation, and the illusion of care and competence. And what better way to quash future attempts than high-profile prosecutions? As Hammond has said, “They have made it clear they are trying to send a message to others who come after me.”
The crackdown on hacktivists is therefore not merely part of a war on dissent. It is part of a war on knowledge, which goes beyond hackers to include whistleblowers like Edward Snowden, Manning and Thomas Drake. They incurred the wrath of the state because they insisted on telling the truth, and all of them have suffered and/or been forced into exile, as have some journalists who reported their leaks and discoveries.
Aaron Swartz’s last project was called Strong Box. It was an application, made for The New Yorker, to allow whistleblowers to anonymously and securely submit documents to reporters. Had he not died, he may well have gone on to develop similar applications for other journalistic projects, including WikiLeaks.
Yet Strong Box lives on, and while Jeremy Hammond and Barrett Brown sit in jail, others have begun where they left off, investigating the private intelligence business. The government may be winning individual battles, but perhaps, thanks to the efforts of Swartz, Hammond, Brown and others, the advocates of transparency and knowledge will yet prevail.
The Justice Department has been ruthless in targeting those who bring hidden information into the public realm, writes Chase Madar, in “Government Persecution, From Aaron Swartz to Bradley Manning.”
Peter LudlowPeter Ludlow, a professor of philosophy at Northwestern University, has written on topics related to whistleblowing, hacktivism, private intelligence firms and the surveillance state.