The Aaron Swartz lesson: how undeveloped laws target the vulnerable

A tragedy, with a powerful moral.

On Friday 11 January, Aaron Swartz was found dead at his apartment in New York. He was 26. The following day, Tim Berners-Lee, creator of the World Wide Web, tweeted: “Aaron dead. World wanderers, we have lost a wise elder. Hackers for right, we are one down. Parents all, we have lost a child. Let us weep.”

The response to his death by suicide was overwhelming but unsurprising – Swartz had been an internet legend since his teenage years. At 14, he helped to put together RSS – technology that is part of the backbone of the web. While still in his teens, he played a vital role in creating Reddit, the hugely popular networking news site, and shared the profits when it was later bought by Condé Nast.

Swartz was a hero to activists pushing for open access to content on the internet, working to create a free public library and founding Demand Progress – a pressure group that successfully campaigned against the Stop Online Piracy Act. He was also an inspiration to many.

His friend Lawrence Lessig, a Harvard professor, wrote: “He was brilliant, and funny. A kid genius. A soul, a conscience, the source of a question I have asked myself a million times: What would Aaron think?”

Then there were the stunts. At one point, Swartz made about 20 per cent of US case law available on the web for free. Although it was officially in the “public domain”, the system that categorised it – Pacer – charged a fee to everyone who tried to access it. Activists created Recap, a database that collected what people had already bought and gave it to others for free. Through this – devised at his own expense – Swartz moved a large amount of data on to the web. He was pursued by the FBI but it dropped the charges. The rumour was it bore a grudge.

The big problems started when Swartz crept into the Massachusetts Institute of Technology with a laptop and started downloading millions of academic journal articles from the subscription-only service JSTOR. At the time he was charged, he hadn’t yet distributed them. And he never intended to make money from any of it.

However, US government prosecutors hit him with the harshest possible penalties. Swartz ended up facing more than 30 years in jail, trapped by laws that had been designed to deal with organised criminals, bank robbers and those who steal corporate information for profit.

“Stealing is stealing,” said the federal attorney Carmen Ortiz, speaking for the prosecution at the time, “whether you use a computer command or a crowbar, and whether you take documents, data or dollars.”

Her phrasing echoes the much-mocked anti-piracy ads that begin “You wouldn’t steal a car . . . You wouldn’t steal a handbag” and feature sirens wailing and cops approaching as a schoolchild tries to download a copy of what is probably Mean Girls off Pirate Bay. Those ads are mocked for a reason. Downloading a film (or an article) is self-evidently not the same as stealing one from a shop. For one thing, the precise laws governing online behaviour are ill-defined and badly enforced. And when the laws are enforced, it seems random, unforeseeable and badly out of proportion.

Graham Smith, an IT and copyright lawyer for the international legal firm Bird & Bird, says that the law governing the digital world is very much “in a state of development” and, as a result, “One should be very careful about criminalising things online. Criminal law is a blunt instrument.”

But we have not been careful with these laws – in the UK as well as in the US – and they seem to have hit only the vulnerable. Take Glenn Mangham, a British student who hacked into Facebook just to see if he could. He did nothing with the information. “It was to expose vulnerabilities in the system,” Mangham told the crown court. He was jailed for eight months.

One of the saddest ironies of this story is that Swartz spent his life trying to show everyone just how unreasonable laws can become when they are rigidly applied to the internet. Last year, he identified an ongoing “battle” over copyright law, “a battle to define everything that happens on the internet in terms of traditional things that the law understands”. If the battle was left unresolved, Swartz said, “New technology, instead of bringing us greater freedom, would have snuffed out fundamental rights we’d always taken for granted.”

His suicide was “the product of a criminal justice system rife with intimidation and prosecutorial overreach”, his family said in a statement on 12 January. A tragedy, with a powerful moral.

Aaron Swartz had been an internet legend since his teenage years. Photograph: Getty Images

Martha Gill writes the weekly Irrational Animals column. You can follow her on Twitter here: @Martha_Gill.

This article first appeared in the 21 January 2013 issue of the New Statesman, The A-Z of Israel


Marcus Hutchins: What we know so far about the arrest of the hero hacker

The 23-year-old who stopped the WannaCry malware which attacked the NHS has been arrested in the US.

In May, Marcus Hutchins - who goes by the online name Malware Tech - became a national hero after "accidentally" discovering a way to stop the WannaCry virus that had paralysed parts of the NHS.

Now, the 23-year-old darling of cyber security is facing charges of cyber crime following a bizarre turn of events that has left many baffled. So what do we know about his indictment?

Arrest

Hutchins, from Ilfracombe in Devon, was reportedly arrested by the FBI in Las Vegas on Wednesday before travelling back from cyber security conferences Black Hat and Def Con.

He is now due to appear in court in Las Vegas later today after being accused of involvement with a piece of malware used to access people's bank accounts.

"Marcus Hutchins... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan," said the US Department of Justice.

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."

His court appearance comes after he was arraigned in Las Vegas yesterday. He made no statement beyond a series of one-word answers to basic questions from the judge, the Guardian reports. A public defender said Hutchins had no criminal history and had previously cooperated with federal authorities. 

The malware

Kronos, a so-called Trojan, is a kind of malware that disguises itself as legitimate software while harvesting unsuspecting victims' online banking login details and other financial data.

It emerged in July 2014 on a Russian underground forum, where it was advertised for $7,000 (£5,330), a relatively high figure at the time, according to the BBC.

Shortly after it made the news, a video demonstrating the malware was posted to YouTube allegedly by Hutchins' co-defendant, who has not been named. Hutchins later tweeted: "Anyone got a kronos sample."

His mum, Janet Hutchins, told the Press Association it is "hugely unlikely" he was involved because he spent "enormous amounts of time" fighting attacks.

Research?

Meanwhile Ryan Kalember, a security researcher from Proofpoint, told the Guardian that the actions of researchers investigating malware may sometimes look criminal.

“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure,” said Kalember. “Lots of researchers like to log in to crimeware tools and interfaces and play around.”

The indictment alleges that Hutchins created and sold Kronos on internet forums including the AlphaBay dark web market, which was shut down last month.

“Sometimes you have to at least pretend to be selling something interesting to get people to trust you,” added Kalember. “It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference.”

It's a sentiment echoed by US cyber-attorney Tor Ekeland, who told Radio 4's Today Programme: "I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution."

Hutchins could face 40 years in jail if found guilty, Ekeland said, but he added that no victims had been named.

This article also appears on NS Tech, a new division of the New Statesman focusing on the intersection of technology and politics.

Oscar Williams is editor of the New Statesman's sister site NS Tech.