July 31, 2013  ·  Lessig  · Reblogged from  Tumblr

It happens, sometimes,
that things are too much.

Stacks overflow.
Trusses break.

I get that.

What I don’t get is:
how one barrels through.
Where does that strength come from?
How is it fed?

And if it doesn’t appear on command,
how does one hold on, waiting?

Everything is collapsing.
By definition, that means:
nothing remains to be held.

Anon.

(Original post on Tumblr)

July 30, 2013  ·  Lessig  · Reblogged from  Tumblr

One of the most frustrating aspects of this report is the role of “neutrality” — especially in light of the criticism MIT makes of the prosecutors reported in the post below.

“Neutrality” is one of those empty words that somehow has achieved sacred and context-free acceptance — like “transparency,” but don’t get me started on that again. But there are obviously plenty of contexts in which to be “neutral” is simply to be wrong. 

For example, this context: The point the report makes in criticizing the prosecutors is that they were at a minimum negligent in not recognizing that under MIT’s open access policies, Aaron’s access was likely not “unauthorized.” As the report states (at 139): 

As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p139)

But that criticism goes both ways — if indeed MIT recognized this, and didn’t explicitly say either privately or publicly that Aaron was likely not guilty of the crime charged, then that failure to speak can’t be defended by the concept of “neutrality.” 

Indeed, the criticism of MIT could be stronger: At most, the prosecutor was negligent. But MIT was more than negligent: The issue was explicitly flagged for it, by a senior member of the MIT administration. As the report indicates, Joi Ito, in the summer of 2011, explicitly raised the point: 

One particularly pertinent moment was in June 2011 when the Media Lab Director [Joi Ito] informed the administration that Aaron Swartz was charged with “unauthorized access” and suggested that MIT would be in a position to cast doubt on this charge if so desired (see section III.B.1). …

A charge of “accessing [the MIT network] without authorization or in excess of authorized access” deeply involves MIT, since MIT provides the authorization and sets the rules of authorization. Thus MIT set rules that played a key role in determining what constituted a felony in the Aaron Swartz case. In the 1994 prosecution of David LaMacchia, MIT communicated to the USAO that, as a student, LaMacchia was authorized to access the computer as he had done. There was no reflection on the LaMacchia case during Swartz’s prosecution: institutional memory had been lost. Part V, Question 1, in considering the need for greater expertise at MIT relating to computer crime, also asks about ways to help preserve institutional memory.

MIT has justified intervening in the LaMacchia case and defended not intervening in the Swartz case on the basis that LaMacchia was a student and Aaron was not.

But that defense is absurd: If MIT knows that a human is being prosecuted on the basis of a false interpretation of MIT’s rules, what possible difference does it make whether that human is a student or not? If an MIT official sees someone bleeding on the Mass Ave, do they decide whether to call 911 only after checking for a student card? MIT knew something here that at a minimum could have cut short a prosecution, and which, it turns out, could also have saved someone’s life.

“Neutrality” does not justify failing to pick up the phone, and telling the prosecutor, “hey, in fact, his access was authorized.” Maybe it wouldn’t have mattered. Maybe the prosecutor would have stayed the course. But then that would have been (yet another) failure of the prosecution, not MIT’s.


July 30, 2013  ·  Lessig  · Reblogged from  Tumblr

The MIT report (PDF) on the Aaron Swartz case is out. I am going to take some time to study it and understand it more fully. I’m away with my family and won’t be commenting on the report now, beyond the following: 

The report says that MIT never told the prosecutor that Aaron’s access was “unauthorized.” They indicated that his machine was not supposed to be plugged into the ethernet jack it was plugged into, but there is no law against abusing an ethernet jack. The law regulates authorized access to a network. The whole predicate to the government’s case was that Aaron’s access to the network was “unauthorized,” yet apparently in the many many months during which the government was prosecuting, they were too busy to determine whether indeed, access to the network was “authorized.” 

Here’s the section from the report (§11b): 

The superseding indictment abandoned the theory of “exceeding authorized access,” and counts 9 and 12 (applicable to MIT) relied instead on “unauthorized access.” The allegations in the indictment focus on numerous means whereby Aaron Swartz obtained access to the computer through unauthorized means, such as repeatedly taking steps to change his computer’s apparent identities and to conceal his computer’s real identity. Clearly, these are means whereby Aaron Swartz obtained access to the computer in order to engage in unauthorized conduct, that is, to do something that MIT did not want him to do through its network: engage in massive downloading of JSTOR articles.

The question posed by this charge in the indictment is, however, different: it is whether— given MIT’s guest policy—Aaron Swartz accessed the MIT network without authorization. Put differently, it is whether Aaron Swartz was authorized to access the network, regardless of whether he used improper means to do so. To illustrate this distinction, the Review Panel has asked itself the following question: had Swartz, intending to engage in the conduct for which he was indicted, walked into an MIT library, shown his personal identification to the desk, and asked to log on to the MIT system as a guest—would he then have been given access? If the answer to this question is “yes,” then it seems possible that Aaron Swartz’s access to the MIT network was authorized, notwithstanding his inappropriate means of implementing access, or of then abusing such access (which may themselves have been violations of different criminal or civil prohibitions). 

The Cambridge Detective involved in the prosecution explained to the Review panel that he repeatedly asked, in various ways, whether the laptop was authorized to be in closet; whether the cable from the laptop to the network switch was authorized to be there; whether the manner of downloading the articles was authorized; and, overall, whether the method of accessing and using MIT’s network in this manner was authorized. He was told “no,” and told that MIT had tried to prevent the downloading by disconnecting the computer of the (then) unknown suspect. 

The Review Panel questioned five employees of MIT’s IS&T who were involved in the identification and monitoring of Aaron Swartz’s laptop found in the network closet of Building 16 and who provided information to the prosecution during its preparation of the criminal case. According to them, and also according to OGC and MIT’s outside counsel, at no time, either before or after the arrest of Aaron Swartz, did anyone from the prosecution inquire as to whether Aaron Swartz had authorized access to the MIT network. Given MIT’s open guest policy, it might be argued that Aaron Swartz accessed the MIT network with authorization. Put differently, there is apparently an issue as to whether Aaron Swartz was authorized to access the network, regardless of the considerations that (1) he might have used improper means to implement such access; and (2) once he was on the network, he might have used such access for an improper purpose. 

The relevance of this distinction can be seen in the Department of Justice’s computer crime manual, Prosecuting Computer Crime (2nd ed.), published by the Office of Legal Education, Executive Office for United States Attorneys: “A more difficult question is whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded.”

As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p137-39)

If indeed Aaron’s access was not “unauthorized” — as Aaron’s team said from the start, and now MIT seems to acknowledge — then the tragedy of this prosecution has only increased. 


July 29, 2013  ·  Lessig  · Reblogged from  Tumblr

Inspired by the work of Zephyr Teachout and Zach Brugman, and aided by the work of two research assistants, Dennis Courtney and Zach D’Amico, the lawyers at the Constitutional Accountability Center and I have submitted this amicus brief to the Supreme Court for the upcoming McCutcheon v. F.E.C.

The basic question the brief addresses is this: What would the framers of the Constitution have understood the word “corruption” to mean? This question is important since at least 5 justices on the Supreme Court are “originalists,” and the Court has held that the meaning of “corruption” determines how far Congress may go to address the issue of “campaign finance reform.” 

To answer that question, Dennis Courtney and Zach D’Amico gathered every use of the term “corruption” from documents at the founding. They then each coded the uses. The basic questions they asked were first whether the term “corruption” was being predicated of an institution, or an individual; second, whether the use was discussing “quid pro quo” corruption; and third, whether it described “improper dependence” as a kind of corruption.

The results were striking. A significant majority of the times the Framers use the term “corruption,” corruption is predicated of an entity, not an individual (57%). Every instance of “quid pro quo” corruption is describing individual corruption, not entity corruption. And for the significant number of cases in which the Framers are discussing “improper dependence” as a kind of corruption, they are describing entity corruption (67%) not individual corruption (33%).

These numbers make it hard to believe that the Framers of our Constitution would have used the term “corruption” to refer to “quid pro quo” corruption alone. Or put more sharply, these numbers suggest that only a non-originalist could support the idea that “corruption” refers to “quid pro quo” corruption alone. 

You can see the original research at the tumblr blog, oCorruption.tumblr.com


July 8, 2013  ·  Lessig  · Reblogged from  Tumblr

Each year I try to take a chunk of time away with my family, off-the-grid, as an imperfect balance to the 100+ days away that defines the rest of the year. This year, we’re going to be near my parents, who are getting too old to visit, and so who we don’t see enough. They live near Hilton Head, SC, so we got a house on the Island, sort of near the beach.

Last night I rented bikes for the month online from Hilton Head Bicycle Co. My parents had warned me about island prices, but ok, it’s vacation.

This morning, I got an email from the owner: “I don’t feel good about the rate that came up for you,” he or she wrote. So they preemptively lowered the price by 25%.

When I was growing up, my dad (who ran a steel fabricating firm) would always explain behavior like this with a phrase like, “it’s the right thing to do, and it’s good for business.” That always puzzled me because it couldn’t always be both, or else why would we need to call it “right” (as opposed to “wrong”). 

But it strikes me the ether that are the Nets could help the second part a bit, so more did the first bit. So here, Nets, please notice: there was plenty of whuffie earned here. 

(And BTW: please excuse the silence after July 17.)
