Last weekend, Aaron Swartz, 26, hanged himself in his apartment in Brooklyn, New York. If his name is not familiar to you, let me fill in the pieces: Swartz was a programming prodigy. At the age of 14, he was a contributor to the RSS 1.0 standard. He later founded a company, Infogami, that was merged with several others to become Reddit, one of the most visited websites on the Web, and one of the favorite destinations of developers today. By all accounts, Swartz was a kind, thoughtful fellow, who was well liked by colleagues. His writings demonstrate a remarkable maturity lacking in the braggadocio, snarkiness, or animus often associated with young, very talented programmers. Instead, Swartz was inclined to give back: He founded the Open Library project, which helped make books more widely available, especially to disabled readers. And he also wrote web.py, one of the most popular Python Web frameworks.
In addition to these activities, Swartz was heavily involved in various campaigns to make information more freely available. One target of particular concern to him is one that resonates with many researchers; namely, the high cost of access to articles whose research was paid for by taxpayers. I'm not here talking about the ACM or the IEEE, which charge for access but make that access comparatively inexpensive at $199 per year; but rather, organizations like the one that Swartz focused on, JSTOR, which charges thousands of dollars per year for access to articles within a single discipline. In 2009, Swartz walked into a network closet at MIT, hooked his laptop to the network, and had it run a variety of scripts that downloaded hundreds of thousands of articles from JSTOR via the university's access. He was arrested shortly after retrieving his laptop.
Swartz's initial goal was to make the downloaded articles freely available on the Web. But he never got to put this dissemination into action, and JSTOR's content remained safely behind its paywall. Over the next two years, JSTOR and Swartz came to resolution and JSTOR removed itself from any role in prosecution or claims against him. MIT, however, was not quite so ready to forgive the stunt. The university's hesitation is all the office of the U.S. Attorney in Massachusetts, one widely known for its tough stance on cybercrime, needed. The office filed charges against Swartz that carried a maximum sentence of 35 years in jail and a $1 million fine. Although Swartz left no suicide note, comments from both friends and family were unequivocal that the Attorney General's aggressive pursuit of the case was a frequent source of deep concern to him and almost certainly the key motivation in his suicide.
It is tempting, perhaps, to recite the old line, "if you can't do the time, don't do the crime." But such a viewpoint overlooks a gross inadequacy in this particular situation: the extraordinary disproportion between the offense and the punishment. Assault in Massachusetts garners a maximum sentence of 2½ years; non-statutory rape of a child garners a minimum of 15 years. So by what stretch of the imagination can it be that Swartz's crime should trigger such excess punishment?
The answer is that our laws against cybercrime give prosecutors very wide leeway in the penalties they can seek. In their maximum term, the laws are nothing but draconian. Alas, this phenomenon occurs at a predictable point in the cycle of punishment for new kinds of crimes. The lifecycle consists of initial tolerance and mild punishment, followed by a protracted period of seeing a grave threat, which is answered with stern, ham-fisted measures. Finally, there is recognition of the true, more nuanced nature of the threat and the punishments are pulled back to be proportional to the crime.
To wit, the 1988 worm by Robert Morris that brought down much of the then-nascent Internet was met with three years' probation, community service, and a $10,000 fine. Today, we're at the summit of disproportion (at least, one hopes) with the charges filed in Massachusetts against Swartz. And sometime soon, perhaps, we'll see a more measured and balanced code that recognizes the differences between various activities and mandates proportional punishments.
I should note that such a cycle played out with recreational drugs, which were legal in the U.S. in many forms at the beginning of the century. Drugs were later viewed as being the source of much inner-city crime and, as such, were gravely punished. The height came with the Rockefeller laws of 1973, which specified 15 years to life for possession of two ounces of marijuana. Today, however, marijuana is fast heading towards decriminalization.
In the meantime, victims of excessive legal penalties, whether small-time dope dealers locked up for decades or activists like Swartz who were broken by the threat of such punishment, bear the terrible price as we await brighter, fairer minds to prevail.