Late yesterday, Noam Cohen of The New York Times published a nuanced account of the events that led to the arrest of Aaron Swartz in January, 2011 for using MIT’s computer networks to illegally download millions of research articles owned by JSTOR, a non-profit organization that sells subscriptions to academic institutions. Cohen’s piece relied heavily on “internal MIT documents” that, as far as I know, have not been reported elsewhere; these included a “detailed internal timeline” by a senior security analyst employed by the university. It’s is unlikely to change the mind of those already convinced that MIT acted overzealously in investigating the case, but it does fill in some crucial holes in this tragic story.
I think Cohen is correct in locating the key moment in MIT’s involvement in the case in the time between when it discovered its network had been breached and when Swartz was identified as the culprit: “Mr. Swartz’s actions presented M.I.T. with a crucial choice: the university could try to plug the weak spot in its network or it could try to catch the hacker, then unknown.” Cohen also highlights several other factors that came into play at the time: First, that the MIT “tech team detected brief activity from China on the netbook [being used to illegally download the JSTOR articles]— something that occurs all the time but still represents potential trouble.” Second, JSTOR, which notably did not press charges after Swartz was arrested, was less forgiving before his identity was known: According to the account of the MIT employee who was dealing with JSTOR, it viewed the “systematic and careful nature of the abuses…as approaching criminal action.”
Another interesting quote comes from Michael Sussmann, a former federal prosecutor who specializes in Internet and technology law. Once law enforcement was called in to the case — something that occurred before anyone knew Swartz was the perpetrator — MIT’s hands were, Sussmann told Cohen, essentially tied: “After there’s a referral, victims don’t have the opportunity to change their mind.” That was something I’d been wondering about ever since this story broke. Another question I have that has not, as far as I know, been answered: At the time of his arrest, Swartz was a fellow at Harvard’s Safra Center for Ethics — and therefore already had legitimate access to JSTOR. Usage restrictions would have limited his ability to download articles simply using his own login — but why did Swartz use MIT’s network to illegally access JSTOR instead of Harvard’s?