United States v. Swartz

United States v. SwartzNo. 11-cr-10260 (D. Mass.)

Swartz’s objective?nothing/tbd | corpus analysis | limited works distribution

limited geography distribution| total distribution | commercial distribution

•Sept. 2010 - Downloading began using Python script•25 Sept. 2010 - JSTOR blocked 18.55.6.215•26 Sept. 2010 - Swartz to 18.55.6.216•26 Sept. 2010 - JSTOR blocked 18.55.*.* (later alleged to have blocked 18.55.6.*)•27 Sept. 2010 - JSTOR contacts MIT, MIT denies MAC address 0:23:5a:73:5f:fb a network connection.•2 Oct. 2010 - Swartz changed MAC address to 0:23:5a:73:5f:fc

•9 Oct. 2010 – JSTOR blocks all of MIT (restored few days later)•Nov. & Dec. 2010 - Swartz hard wires into MIT via closet in Bldg. 16. Hid laptop. Obtains and begins using a second laptop.•4 Jan 2011 – MIT sysadmin traced IP address to network switch in closet of MIT Bldg. 16.

•Cambridge Police, MIT Police, & Secret Service. •External forensics, network monitoring, and video surveillance.

•4 Jan 2011 – Swartz observed entering closet.•6 Jan 2011 – Swartz observed entering closet second time.

•MIT Police ID’d Swartz on street, arrested, seized USB device in backpack.

•Computer later recovered from the student center.•In February, search warrants executed by USSS of apartment, office, laptop, external hard drive, and USB storage device (the latter 3 had been seized at arrest).

•Spring/Summer 2011: Resolved civil claims with JSTOR; returned corpus.•Same time: grand jury investigation•First indictment issued on 14 July 2011

Superseding Indictment (12 Sept. 2012)

•Two counts of wire fraud (18 U.S.C. § 1343)•Fives counts of computer fraud (18 U.S.C. § 1030(a)(4))•Five counts of unlawful access to protected computer (§ 1030(a)(2))•One count of reckless damage to protected computer (§1030(a)(5))

Wire Fraud

18 U.S.C. § 1343 – “Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. […]”

•Scheme to defraud a person out of money or property (can be intangible).•Uses a false pretense.

•Must be material (Neder v. United States (SCOTUS)) •Employs use of a wire communication

Wire Fraud

Four theories:

1. appearing to JSTOR that he was affiliated with MIT.2. changing IP and MAC address to conceal identity.3. using python script to appear as though he was multiple users4. concealing physical location

Wire Fraud

Four theories:

1. appearing to JSTOR that he was affiliated with MIT.2. changing IP and MAC address to conceal identity. (doubtful)3. using python script to appear as though he was multiple users. (maybe)4. concealing physical location

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

- “outsider” required?

Compare LVRC Holdings v. Brekka (9th Cir.); with Int’l Airport Centers v. Citrin (7th Cir.)

1st Cir. has split D. Ct. authority.

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

Code | Contract | Norms

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

- United States v. Drew (C.D. Cal.)Code | Contract | Norms

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

- United States v. Drew (C.D. Cal.)Code | Contract | Norms

- JSTOR’s terms- MIT’s terms- but see United States v. Nosal (9th Cir. en banc)

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

- United States v. Drew (C.D. Cal.)Code | Contract | Norms

- JSTOR’s terms- MIT’s terms- but see United States v. Nosal (9th Cir. en banc)

- JSTOR’s restrictions?- MIT’s restrictions?- “cat-and-mouse”

- with IP- with MAC- through use of script

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

- United States v. Drew (C.D. Cal.)Code | Contract | Norms

- JSTOR’s terms- MIT’s terms- but see United States v. Nosal (9th Cir. en banc)

- JSTOR’s restrictions?- MIT’s restrictions?- “cat-and-mouse”

- with IP- with MAC- through use of script

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

- United States v. Drew (C.D. Cal.)Code | Contract | Norms

- JSTOR’s terms- MIT’s terms- but see United States v. Nosal (9th Cir. en banc)

- JSTOR’s restrictions?- MIT’s restrictions?- “cat-and-mouse”

- with IP- with MAC- through use of script

| Physical?

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

CFAA Claims

§ 1030(a)(4)Computer fraud

§ 1030(a)(2)Unauthorized access of

protected computer

§ 1030(a)(5)(B)Computer damage

“exceeds authorized access”

“without authorization”

- intent to defraud- accessed computer to further- obtained a thing of value

- obtained “information”- felony if value > $5000

- recklessly cause damage- felony if “loss” > $5000

what remains…