July 19th was a big day in hacker news. First, the Department of Justice announced the arrests of sixteen individuals thought to be associated with Anonymous and LulzSec, the loosely affiliated hacker groups that have been romping through corporate networks (and consumer data) this summer. Second, Reddit founder Aaron Swartz was arrested and charged with mass download of academic articles from JSTOR, a non-profit that contracts with universities to make such research materials available for free to affiliated students and scholars.
[Disclaimer: I've known Aaron since he was about 16 years old and was helping my former boss Larry Lessig with some projects. He is now 23.]
As for the Anonymous arrests, one of the cases is against multiple individuals and was filed in my home court, the Northern District of California. Anonymous had called for an attack on online payment service PayPal in retaliation for its decision to stop processing donations to the anti-secrecy group Wikileaks. The attacks were ultimately successful in bringing the site down. The indictment is pretty bare bones and doesn’t reveal much about how the FBI identified these individuals as having participated. However, it appears that everyone included in the case was using a program called LOIC to participate in a distributed denial of service attack (DDoS) against the online payment service PayPal. In a DDoS, multiple attackers band together to send so much traffic to a target machine that it can’t handle the load and shuts down. LOIC stands for Low Orbit Ion Cannon and is a network stress testing tool that individuals can also use to add their computer’s power to a DDoS attack. Essentially, these people voluntarily joined their home computers to a botnet attack on PayPal, probably out of some political sympathy with Wikileaks.
Forensics in the case may not be particularly interesting. The FBI has long been able to trace internet traffic sent straight from your home computer. On the other hand, it’s possible that these people may have been made scapegoats by more skilled Anonymous members who compromised their machines and used them in the attack to hide the true attackers’ identities.
The DOJ also alleges a conspiracy, and that means they’ll have to show that these people agreed with each other and/or Anonymous to bring down PayPal. Certainly, the very act of voluntarily downloading LOIC and using it to target PayPal is part of the conspiracy, but it will be interesting to see if the government can develop any other connection between these individuals and AnonOps, the core group of people who allegedly “run” Anonymous, to the extent that Anonymous is a coherent group that anyone operates. (If so, the government may try to flip these lower level participants into cooperating witnesses who give up what they know about the ringleaders for more lenient sentences). It will also be interesting to see whether and how the government uses any statements these people may have made about sympathy for the Wikileaks cause, a political point of view that many share, as evidence of criminal intent.
The other two cases were filed against individuals, one of whom was an AT&T outside contractor who obtained and leaked some of the company’s corporate documents, which were later distributed by LulzSec. The other found a bug in the configuration of InfraGard Tampa’s website which allowed him to upload a couple of files. These indictments show their work, giving an interesting portrait of the FBI’s cybercrime investigative techniques.
The AT&T complaint details an AT&T investigation of their network which showed that the defendant’s contractor account was connected to the corporate network at the time confidential information was taken, that that account was used to search for file storage sites on which such documents could be hosted and that the defendant’s user name accessed the file hosting site on which the document was posted, all on the same day. LulzSec claimed it had access to the document a few months later, but the defendant appears to have no connection to LulzSec.
The Infragard case appears to have been more straightforward. Apparently, after uploading his files, the defendant tweeted about it using his Twitter account, and a search on Wikipedia for that nickname also provided the defendant’s real name, webpage (where he also took credit for the hack) and a photograph. The IP address trace simply confirmed everything.
The charge, however, is under 18 U.S.C. 1030(a)(5)(A) which prohibits:
“knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”
Damage is defined as any impairment to the integrity or availability of data, a program, a system, or information. 18 U.S.C. 1030(e)(8).
I would have thought uploading files more accurately an unauthorized access, not a transmission of harmful code. Apparently on review the FBI agent spotted the same problem because in the affidavit filed in support of the criminal complaint, the FBI agent hand wrote in “The three files uploaded by [the defendant] caused damage to the server by impairing the integrity of the server.” Interesting theory. I’ll be curious to see the briefing on that.
That brings us to the Swartz case. According to the indictment, Aaron hooked his laptop up in a computer closet at MIT and began automated download of journal articles offered to MIT affiliates at no cost. When MIT tried to block the automated downloads by blocking the computer’s IP address, Swartz obtained a new IP address (maybe by shutting it off and turning it on again?). MIT then blocked the hardware device number associated with the laptop (MAC address, which has nothing to do with Apple versus PC), and Swartz then changed that number. For those of you who think that you are entitled to anonymity in connection with your internet use, you’ll be particularly interested in this line from the indictment: “Although a MAC address is intended to be a permanent and globally unique identification, a user with the right knowledge can change the MAC address, an action referred to as MAC address spoofing…”
Allegedly, the automated downloads impaired JSTORs ability to service other client requests, and the investigation into who was making the downloads caused JSTOR to stop serving MIT all together for a couple of days. Swartz allegedly took a number of acts to hide his identity and the existence of the laptop, including covering his face with a bicycle helmet when he visited the closet in which the laptop was secreted. But the sum and substance of the case is that he defrauded JSTOR by accessing the JSTOR archive without authorization and making copies of articles that students at MIT (and at Harvard, where Swartz was a Fellow) could obtain for free.
Swartz could have downloaded the articles one by one without violating the law. Is it a crime, therefore, that he used an automated process to do so? Or does it only become a crime after JSTOR and MIT tried to block him? Or is it because the technique slowed the system down, and if so, wouldn’t the defendant have had to intend that damage under longstanding principles of criminal due process? In multiple contexts, we are confronting the question of whether automating and thereby enhancing human ability converts otherwise lawful conduct into something improper. For example, we have the same issue in cases like U.S. v. Lowson, where the defendants were prosecuted for automating purchases of concert tickets, in Facebook v. Power, where the defendant was sued for providing Facebook users with an automated tool to aggregate their social network content, and in surveillance litigation like U.S. v. Jones, which is currently before the Supreme Court to decide the issue of whether GPS tracking of vehicles violates the Fourth Amendment. In Jones, the government is arguing that it is of no constitutional importance that GPS tracking technology is far more powerful, efficient and revealing than physical surveillance, including that aided by a bumper beeper. Since officers are allowed to follow you on a public street, the thinking goes, they should be allowed to use GPS to remotely track you in those same places.
Courts are struggling to answer the question of whether there is a point at which there is a difference in effectiveness that should require the law regulate the use of a particular technology and Swartz’s case will be one of those occasions. It’s an abject shame that a man who has done so much good in his 23 years is forced to bear the weight of our social struggle to find the right answer.