So apparently this bright yet misguided ‘information activist’ decided to download as many academic documents as he could from JSTOR with a plan to upload them to a P2P network. The catch here is that JSTOR provides free access to academic networks (Schools, Colleges, etc…) but someone who wants to read this content and doesn’t have access to an academic network has to pay.
Personally – I don’t see the big deal here as far as offering free access to educational institutions and pay access to everyone else. It’s a valid business model that I’ve seen used over the years in schools and libraries alike. It encourages folks like myself to visit the library if we want to access the data without paying. Now of course, JSTOR had a ‘terms of service’ which this gent clearly used as a replacement for his ivy-league two ply.
He went as far as downloading as many as possible until the college blocked his IP. He then changed his MAC address (FYI www.google.com is a DOMAIN, 126.96.36.199 is an IP address, and the MAC address looks like 00:12:34:56:AB) which is the unique set of numbers/letters that identified his laptop on the college network so that he could regain access and download more. Lastly he just walked in to a network closet at the college (where all the black boxes with blinking lights that make the internet work exist) plugged in his laptop, and left it for a bit to download on its own. He knew what he was doing, and he knew what he was doing could get him in trouble since he hid his face from security cameras when placing/retrieving his laptop.
Eventually JSTOR blocked all access to its service for several days from the campus until they could figure out a way to keep him out, and according to an indictment his laptop was seized before he could upload the files. While I personally believe that information SHOULD be free, for the time being – if you want certain flavors of information for free, you have to play by the rules or pony up the cash. By Massachusetts (where he physically committed the crime) law, he committed an electronic trespass which carries with it a $100 fine and 30 days in jail if convicted. The folks at ARS are viewing this as a victimless crime and more of an indictment of the Federal Government for misusing an anti-hacking law passed in 1986 as well as of the market for academic documents.
Here’s the problem as I see it… First, while his goal may appear altruistic – he used some black hat (bad guy hacker) methods to accomplish it. Second, his actions caused an entire college campus to lose access to JSTOR for a period of time (which kept ordinary students from being able to use it). Lofty goals aside, if I had a paper due which required information from JSTOR, and I couldn’t access it because some idealistic twit wanted to prove a point – I don’t care about his goals or intentions – he just fucked me like when that Frosh tripped over the main power cable while an entire classroom was working on their theses in PCU…
As far as the Federal Government getting involved, there have been cases of them using the Computer Fraud and Abuse Act (CFAA) to prosecute people who have violated the terms of service of a website before… that I think is a stretch. The ‘terms of service’ in the simplest sense is a written agreement between a service provider and the people who use the service. Violating it gives service provider the right to terminate your ability to use the service. The Fed is saying that by accessing a service in violation of their terms, you’re also violating the CFAA which could land you in prison for decades. That’s a stretch to say the least, and in my opinion the best thing they could possibly do at this point is drop it and allow the state to prosecute the case. JSTOR didn’t involve the Feds, neither did MIT. They apparently did it all on their own, and in the wake of Wikileaks as well as the constant stream of national security leaks from the current administration, they’re probably feeling like the receiving end of prison sex.
From the point of view of someone who works in the IT industry, I think the biggest questions that should be asked are:
- How did a student get direct access to a network closet at a major university?
- Why doesn’t JSTOR have anything in place to limit the rate at which a user can download content?
I’ve seen both sides of the spectrum as far as securing physical resources is concerned… Some places simply don’t restrict access to sensitive equipment, which is completely retarded, and by proxy – MIT *should* be held accountable for its role in not preventing the access to its network hardware. Whether the guy will face any repercussions from that tresspass beyond the confines of Massachusetts law, I don’t know… but if i was in charge of their IT, heads would roll.
JSTOR could have easily implemented controls to limit access to its resources, again if I was in charge of IT there – heads would roll.
Beyond the possibility of an interstate crime being committed, the Fed really has no place in this equation… but they’re going to do their best to make an example out of this guy and in the process prove just how outdated their policies are as well as reinforce the pattern of stomping on the states to achieve its goals by any means necessary.