Photo by Daniel J. Sieradski, via Flickr
Aaron Swartz placed a bicycle helmet over his face as he entered a Massachusetts Institute of Technology (MIT) wiring closet on Jan. 6, 2011.
To prosecutors, the attempt to shield his identity while retrieving an Acer computer he had used to download more than four million JSTOR articles was evidence that Swartz was a hacker who was very much aware of the crime he had committed.
Swartz was arrested later that day, and prosecutors pursued felony wire fraud and computer fraud charges that could have led to years in prison. But on January 11, Swartz killed himself in his Brooklyn, NY apartment. He was 26.
In the days since, his case has been the focus of a firestorm over prosecutorial discretion.
Swartz’s supporters argue that the huge cost involved in defending himself in a long and unwarranted court case, along with the threat of a long prison term, drove him over the edge. Prosecutors, however, insisted that they had no intention of seeking maximum penalties.
But for many in the cyberworld, the furor over his death has obscured the real issues surrounding the case against Swartz, already an iconic figure who helped develop RSS, Creative Commons and other groundbreaking Internet services.
He was at the center of a long-running debate among hackers and cyber security professionals about the limits of “ethical hacking.”
And the circumstances of his case—and untimely end—have underscored the importance of that debate, which has gone mostly below the radar screen, but potentially affects millions of Internet users around the world.
When is hacking ethical?
The principal argument is between those who say hacking is unethical the moment it becomes illegal or is done without prior approval, and those who say that hacking can be used for the greater good, even if that means breaking the law—a concept known as “hacktivism.”
Some say Swartz’s actions met the very definition of ethical hacking: a leader in the fight to prevent Congress from passing the “Stop Online Piracy Act,” a bill that would have made it easier for the United States government to shut websites suspected of copyright violations, Swartz used relatively simple computing tricks to download items he felt should never have been stuck behind a paywall.
Swartz had previously defended violating copyright laws to access academic information, most famously in his ‘Guerilla Open Access Manifesto,’ which he published in July 2008.
“… All of this action goes on in the dark, hidden underground. It's called stealing or piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a ship and murdering its crew,” Swartz wrote.
“But sharing isn't immoral — it's a moral imperative. Only those blinded by greed would refuse to let a friend make a copy.”
Copyright laws are at the heart of the ethical hacking debate, according to Douglas Salane, the Director of John Jay College’s Center for Cybercrime Studies.
As the Internet made access to material easier, lawmakers have regularly moved to restrict the amount of information that can enter the public domain—a trend that “there’s a lot of hostility toward,” Salane told The Crime Report.
But Salane said it’s hard to qualify hacking as ethical, even when unpopular copyright restrictions are the target.
“You have a cause that many would verify as very good, but you can’t just unilaterally say, ‘this is a good cause, so this hacking is OK,’” Salane said.
Faisal Kaleem, an adjunct professor at Florida International University who teaches a course called “Ethical Hacking,” agrees.
According to Kaleem, ethical hacking is defined by the pursuit of improved security.
Hackers can help expose vulnerabilities in security systems, he says, through a process called penetration testing — or “pentesting” — in which they are hired by companies and government agencies to break through Internet security.
He argues that a key tenet of ethical hacking is permission.
“The way (Swartz) did it, that he went to the MIT system, that he plugged his network into the system—that he didn’t tell anybody—that was unethical,” Kaleem said in a telephone interview.
But there’s never been consensus in the hacker community that permission, or even the boundaries of law, should be considered a basic ethical tenet.
Julian Assange — the activist made famous for his creation of the WikiLeaks website — summarized the ethical code he and other hackers followed during the late 1980s in Underground, a book he co-authored with reporter Suelette Dreyfus.
“Golden rules of hacking: don't damage computer systems you break into (including crashing them); don't change the information in those systems (except for altering logs to cover your tracks); and share information,” they wrote.
By Assange’s definition, Swartz stayed within ethical boundaries.
Although JSTOR temporarily blocked MIT students from accessing the journal database, in an attempt to cut off Swartz’s downloads, neither JSTOR nor MIT’s systems were damaged or altered.
And by all accounts, Swartz intended to share his downloads on P2P file-sharing sites.
In the days since Swartz’s death, his cause has been championed by Anonymous, the hacker group notorious for a series of politically motivated cyber-attacks against entities including the Pentagon, the Recording Industry Association of America, and an online pedophile community.
In a statement released on January 13, Anonymous pledged to advocate for changes in the way the Department of Justice pursues hackers.
“Some of the brightest men and women in the fields of information technology and security are being targeted by agencies that lack a basic understanding of the so-called crimes they are accusing people of,” the group wrote in the statement.
In the past year, dozens of Anonymous members from around the world have been arrested for their involvement with the hacktivist group. In February 2012, Interpol arrested 25 people suspected of ties to Anonymous.
In March 2012, the Federal Bureau of Investigation admitted to using an informant to penetrate the Anonymous-affiliated group LulzSec.
In December, Anonymous’ de facto former spokesperson, Barrett Brown, was indicted for sharing a link to stolen credit card data.
Last week, The Crime Report reached out to several people claiming to be Anonymous members on the Internet Relay Chat server irc.anonops, a communications forum run by the group.
Anonymous members agreed to discuss ethical hacking with The Crime Report, but asked that not even their usernames be printed.
Editor’s note: the nature of the contact with Anonymous means that The Crime Report was unable to confirm that the members are who they say they are.
They argued that their version of hacking is like the Internet’s version of civil disobedience, “done with good means or intentions,” and far from the nefarious hacks that computer fraud laws were intended to prevent.
“Ethical hackers don't hack to hurt society, we want to make it better, and that’s always been Anonymous’ stance,” one person wrote during the chat.
Noting that Anonymous recently used its hacking skills to reveal discrepancies in a gang rape investigation in Steubenville, OH, the alleged Anonymous member said that the group sometimes breaks laws in pursuit of violent criminals.
“Bribery, distortion, drug trafficking, sex trafficking—all wrong things (that) we will fight,” the member said.
As altruistic as that sounds, Kaleem argues that it’s still wrong.
“When you talk about activism, illegal is illegal, whether you are an activist or an educator,” says Kaleem. “There is always a line between illegal and not illegal.”
In the aftermath of Swartz’s death, where that line is drawn may change.
U.S. Rep. Zoe Lofgren, a Democrat from California, announced on January 15 that she will introduce legislation that would amend federal computer fraud and wire fraud laws to exclude terms of service violations from criminal enforcement.
If passed, her bill would protect many hacktivists from the most severe punishments available to prosecutors.
Graham Kates is Deputy Managing Editor of The Crime Report. He welcomes comments from readers. He can be found on Twitter, @GrahamKates