Alex Stamos talking:
Aaron was accused of, as been discussed a couple times, downloading too many files, or checking too many books out of the library. He found a loophole that he, that was a convenient way for him to get access to a lot of the JSTOR documents. And that loophole is the fact that MIT made two interesting decisions. First, MIT decided to license the JSTOR database in a way where access was provided to the entire MIT network without asking for any kind of individual authentication. That's often not true with JSTOR databases. At a lot of universities, and actually today at MIT, if you want to access JSTOR and you have that affiliation, you have to say, "I'm Bob Smith. I'm a student. I'm..." and the university authenticates that you are, and so now you have an identity with JSTOR where they can monitor what you're doing and see how many downloads you have. MIT didn't have that setup. They wanted a setup that was completely open for people just to go to the JSTOR website, be able to click on a document and read it. And that's the deal they made with JSTOR.
The other decision that MIT made was that they decided to run an extremely open, unmonitored network, and in a method that allowed people to jump on from wireless or wired access points all over the campus and take on the identity of somebody affiliated with MIT. This is an intentional decision. They allow visitors, they allow people who just happen to be on campus this access. And they do so with very little need to authenticate or say who you are. And so, those things combined, Aaron realized, would allow him to go onto campus and to download articles from a variety of locations.
You know, I can't actually condone everything Aaron did. I think, as I have written online, I think what he did was perhaps, you know, discourteous or inconsiderate of taking advantage of the, you know, library privileges that he was basically granted. But at no time did he actually do any actions that I would consider hacking. What Aaron did is he went to MIT, and he started downloading documents. And JSTOR, at some point, noticed a lot of documents were being downloaded from one address at MIT, and so they would cut off that address. Aaron would notice and then just ask the MIT network to give him a new one. That's a pretty common thing. That's something that people do, you know, all day at university and corporate or even like on a Starbucks Wi-Fi network. And it's that action, though, of going and requesting a new identity that the government seems to consider wire fraud or computer fraud.
And probably one of the things that he did that brought it to a head was, in the end, Aaron, I believe this was his motivation, wanted to find a place that he could leave his laptop for several days to continue downloading without him having to be there, and so he opened up and went into an unlocked wiring closet and plugged his computer into a switch. That, MIT was calling trespassing. And that's kind of the activity that allowed them to catch him, and seems to be where they believe he massively overstepped the line. But at no time even during that would he do anything that I would consider hacking.
One of the key problems here is the definitions in the Computer Fraud and Abuse Act. And there's this one word that is very difficult for even those of us who work professionally in this area to understand, and that word is "authorized." Multiple counts in the indictment against Aaron existed because they said that he had exceeded what he was authorized to do either on the MIT network or the JSTOR network. And the term "authorized" in an Internet context, it makes a lot less sense than it does in the real world. You know, for example, I'm sure there are thousands of people right now going to democracynow.org watching the live stream. Did you authorize any of those people to do that, to interact with your computer, to take on the cost that you are taking of streaming that video to them? No, you didn't. And of course they're allowed to, and you want them to, but how you express that authorization to them is a very difficult thing.
And at what point does somebody doing something that is allowed become in excess of authorization? What Aaron was doing was exactly the same activity that thousands of people do at MIT every year: He was going and looking at documents. Now, he was doing it at a much wider scale. He did it more than they seemed to want. But at what point does he exceed authorization? And by having these incredibly broad definitions and a word that doesn't really mean anything, like "authorized," we end up in a situation where if a prosecutor doesn't like you or doesn't like what you did, if it happened to use a computer, they can find a way to call it "hacking" and an abuse of that system.
Source: democracynow.org
Alex Stamos, chief technology officer of Artemis Internet. He is a computer security and forensics expert who had planned to testify on Aaron Swartz's behalf during his upcoming trial.