I spent many years at MIT and continue to support the Institute today, financially and with my time. What makes MIT special - for me - is the way that the administration (at least while I was there) embraces the hacker culture and understands that the type of brilliant, creative young people they recruit will break a lot of rules to test the system before they find their place in it. They continually shielded us from the outside world and maintained a bubble in which we could experiment and push the boundaries. If it went too far, you were suspended for awhile, but I can't remember anyone referred to criminal prosecution.
If that type of community spirit is lost, it's a loss for everyone because somewhere special like that deserves to exist.
It's worth pointing out that he wasn't a student or employee of MIT. Yes, he was a member of the hacker elite, but I would imagine any institution would be less likely to protect someone it can't internally discipline.
This case tells us that that spirit has in fact been lost to some degree. Any defense is an attempt at protecting what remains, but students and concerned members of the public now know that they have to second-guess their instincts contrary to the spirit you describe. The prosecution already occurred, there's no changing that.
As a member of the MIT community, I honestly do not feel very bad about how MIT (Administration) handled this situation. MIT's tradition of careful and thoughtful rule breaking clearly recognizes that rules will be enforced and that the police may be involved in criminal matters.
MIT does not and should not decide prosecution strategy. This was not a civil case, but a criminal prosecution in the American tradition of criminal justice. The victim is not the one prosecuting the crime but rather the government prosecutes on behalf of all people, not on behalf of the victim exclusively.
MIT involved the feds in the first place. That was a decision made by authorities on campus, one which was not inevitable. So yes, they do decide prosecution strategy, by deciding when there should be prosecution at all.
Yes, involving the USSS was the first seriously questionable decision MIT made. I hope Prof Abelson's report includes who made that decision, when, on what evidence, and why.
I'd be fine with invoking the USSS if there were serious crime going on -- someone using MIT to host cp, or compromising research integrity, or planning violence or financial crime, etc.
If it's someone using your network resources in excess of terms of service, to download another freely available resource in excess of service.
I'd give a technically lesser party (say, a small business, or an individual, or a local government office) a pass if they called the USSS in on something, since they might not be competent to figure out what is going on. However, MIT is clearly in a position to know exactly what was happening.
I'd be inclined to wait for Abelson's report, but from what I've seen so far, MIT Libraries, MIT IS&T, MIT Police, and the MIT Office of General Counsel are all to blame to some extent.
The lion's share of the blame falls on USA Carmen M. Ortiz, AUSA Stephen P. Heymann, and AUSA Scott L. Garland, however, and on Congress for passing unreasonable computer crime and copyright laws with such absurdly excessive criminal penalties.
> Yes, involving the USSS was the first seriously questionable decision MIT made.
The unknown intruder evaded several attempts to cut him off. The volume of downloads was so high that it was causing problems for JSTOR's servers, and JSTOR finally blocked ALL of MIT for several days.
MIT was suffering serious harm. Calling in the Feds for help doesn't seem all that questionable to me under the circumstances.
Ah, thanks (I didn't read it that closely). Having your entire netblock blocked from an important service definitely is more justification to bring in the SS, since it's actual ongoing harm to you.
Let me get this straight: You blame MIT for notifying the Federal Government that federal laws may have been broken by someone using MIT's computer network?
Yes. They had no duty to report in general or for these specific crimes. The specific crime was "gaining access to MIT's ethernet network in violation of policy" -- if your neighbor cracks your wireless password to get free Internet, it's reasonable to ask him to stop, rather than calling the SS. If your neighbor is using your hacked wireless to host child porn, you call the SS.
In the ideal world, the SS/USAO would be trusted to have some level of discretion in prosecution, but they don't, so as soon as you involve the feds, you've exercised the nuclear option.
I'm personally waiting on the Abelson report before going much deeper into assigning specific blame. For now, Ortiz, Heymann, and Garland are the enemy to be addressed.
Note that Swartz was trying to evade MIT as much as possible: they couldn't communicate with him because he was running from them. At that point, they didn't know who they were dealing with. All they know was that their systems had been infiltrated by someone who had managed for months to evade all their efforts to block his access or identify him. I'm not sure you can fault them for bringing in the big guns at that point....Were they supposed to just shrug it off?
I'm not sure if involving USSS helps in apprehending someone if you can't identify him. They have legal powers (although, MIT once it started acting as agents of the federal government lost some of their ability to act on their own private infrastructure...), and can do wiretaps on other networks, subpoenas, search warrants, etc., but if the crime is going on in your own facility, and you own the network, you are probably in a better position to observe what is going on than the USSS is.
Once you identify a person, USSS is certainly more capable of investigating him and apprehending, but at the sage of network cat and mouse, I'd put a decent sysadmin above the SS.
I think it can be very helpful. MIT had no idea they were dealing with a single individual or if they were dealing with an entity who was only targeting them. Pooling information from other potential victims through law enforcement seems like an obvious win.
Moreover, once they discovered the hardware Swartz had left, law enforcement could be extremely helpful by running fingerprints; MIT does not have access to the FBI's fingerprint database.
I agree it could help at that stage, and if this had been a sensitive private network, I'd err on the side of overkill. A university network, especially one as historically open as MIT, is different. Nothing he did was that out of the range of normal user behavior -- changing your dhcp reg, manually assigning an IP in the right range, etc. are all things people do when airport/hotel/etc. networks don't work. Leaving a hidden laptop plugged in is actually something I did a couple times (as a student) to download linux ISOs, mailing list archives, etc. (since we only had a T1 at the house, and the on-campus network was faster).
Which authorities? That does not seem to be clear. From what I've seen so far, that decision could have been made at a pretty low level. Also, when that decision was made, it seems clear that MIT had no idea what was actually going on; it wasn't until much later that the reason behind the anomalous network traffic was known, after the feds were already involved and it was too late to un-involve them.
It matters how you say things. I disagree with the statement that this is "quite clearly" saying that the penalties are too much:
> But the penalties in this case, and the sources of those penalties, are really remarkable. These penalties really go against MIT’s culture of breaking down barriers.
Using the phrase "really remarkable" sidesteps saying that they're wrong. It's classic weaseling.
If that type of community spirit is lost, it's a loss for everyone because somewhere special like that deserves to exist.