What would cause an MIT IT executive (and this would have to be an executive decision) to bring in the Secret Service for someone running curl against academic journal website.
I have done precisely that type of thing dozens of times in the last 10 years, and it would have never occurred to me that I was doing anything wrong. And yes, I always had to login first through a browser, figure out how the hell the cookie was stored, export it into a format that curl liked, figure out the URLs for all the docs, etc, etc...
And yes - when I was younger and more energetic, sticking my laptop in unlocked cabinet with an open ethernet port is exactly the sort of thing I would have done, without for a second believing I was doing anything "criminal".
I have to believe that MIT has hundreds (thousands?) of these types of webscraping events occurring all the time.
What made this one different from their perspective?
He wasn't a member of the MIT Community, and was in a wiring closet.
If they'd charged him with trespassing, I would have contributed to his legal defense fund and bought him a drink when he finished his ~30 days of community service or whatever. Minimal harm, minimal foul.
I did way worse stuff from my machines at MIT when I was an undergrad. I actually was called to testify in a federal case over it, but told them to eat a bowl of dicks (well, more politely, and through the awesome attorney Jennifer Granick -- I was out of the country and didn't return until the trial was over, because you NEVER win if you set foot in a federal court, even as a witness).
MIT sold out Drink or Die, too, so fuck them in general.
Secret Service was involved prior to MIT knowing who was web-scraping JSTOR. Does MIT normally call the Secret Service when they find Laptops w/Hard Drives in wiring closets, particularly unlocked wiring closets that Homeless people were known to store their stuff in? This is all very strange.
"On January 4, MIT police officers were notified that a member of the university's technical-security staff had discovered a laptop in the wiring closet. That morning, a team including a Secret Service agent and police officers from Cambridge and Boston visited the site and installed a Webcam....JSTOR never contacted any law-enforcement authorities about the matter. The decision to pursue criminal charges, she says, was not JSTOR's."
MIT undergrads and at least one sysadmin were allegedly involved in the software releasing group DoD (who did some stuff related to DeCSS, as well as commercial scene piracy).
Course 14 (economics) machines got raided during Operation Buccaneer.
Yeah, I remember she was winding down her drunk driving practice when I first talked to her. I kind of miss the 90s -- fighting ITAR was a whole lot less depressing than fighting hollywood-funded congresspeople.
What made this one different from their perspective?
He was downloading millions of articles, well more than the rest of the campus all put together. That caught their attention.
And they kept on stopping him, by locking out his MAC addresses. And he kept on working around the ways they were stopping him.
and it would have never occurred to me that I was doing anything wrong
When you are going into a wiring closet wearing a mask over your face to hide your identity, you pretty much know you are "doing something wrong." Probably not something that necessarily warrants Federal prosecution, of course, but he was under no illusion his actions were approved.
You transposed my text a bit. The "wrong" reference was to me webscraping journals via curl.
I realize that sneaking into Wiring Closets and plugging in a laptop to get onto a privileged vlan isn't something sanctioned by the school. If I was caught, I probably would expect to get my hand slapped if I'm a student, and if I'm not a member of the community maybe even charged with trespass (though, I understand at MIT they dropped those charges)
But if I was a student, I wouldn't (and didn't) consider that behavior to be "criminal."
But what I find astonishing about the MIT case is that they pulled the secret service into the case (A) Just because someone was webscraping from a laptop and (B) Before they knew that the person doing the webscraping wasn't a student.
If it were me in charge of IT - I would have probably just asked campus security to lock the closet moving forward, make sure there are locks on all the wiring closets, and replace the laptop with a sign explaining campus-security had confiscated the laptop, and please go have a conversation with them to pick it up - return of Laptop being subject to (A) Apology for slamming JSTOR, and (B) Return of all the JSTOR IP.
Please read the indictment. It wasn't like he walked in on Monday to do this and they called the police on Tuesday. They were repeatedly trying to keep him out, and he knew it, and he kept on trying to get back in anyway. This went on for months. When they finally had a piece of physical evidence they called the Secret Service because they could get the guy. And he fled when campus police approached him.
I've read through the case - I understand what happened.
It's just that everything that was described was the type of thing that my university had to deal with all of the time. People were always spoofing MAC addresses, trying to get onto privileged VLANs, and the Campus IT was always playing Cat and Mouse with them, and, in a very, very few rare circumstances where the student did something really stupid, brought Campus Police into the conversation.
But Campus police was the absolute escalation - I don't ever recall my university calling in the RCMP (Canadian Federal Police, and municipal as well) to investigate someone doing the equivalent of what Aaron had done.
I absolutely agree with Aaron's parents. MIT and the Prosecutor over-reacted, and, when the truth of the matter surfaced, failed to course correct.
They made a choice to involve the feds. This could very easily have been handled internally, and the result would have been effective from their viewpoint. Catch him using the same methods and give him a stern talking to from campus police, then not press charges. Pretty much what happened to people bending and even openly breaking the rules on campuses around the world for decades, if not centuries.
But someone at MIT wanted to call in the feds. Make case hard and tough and send someone to prison for causing them inconvenience. This was a decision someone there made.
Yes, because someone -- they did not know who, but someone -- kept on breaking into their network. Over and over and over and over.
handled internally
He wasn't a student.
the result would have been effective from their viewpoint
They kept on telling him "no" and he kept on going in anyway. It seems you think the 13th time they told him "no" he would have stopped, when he ignored the first 12 times.
By the time you get to the police chasing someone through the halls, you have passed the point where you can expect to get away with "a stern talking to." (I shouldn't have to say it, but I will anyway: that doesn't mean that a Federal prosecution for decades in prison is the proper response, either.)
Whether or not he was a student has nothing to do with whether or not MIT could choose to handle it internally.
And yes, I do believe that being taken in by campus law enforcement and read the riot act, so to speak, would have been effective. That's much more serious than the previous attempts to tell him no.
I would appreciate it if you would stop misconstruing my position. I said that I had webscraped and didn't think it was wrong. I said as a student I would have stuck a laptop in an unlocked closet on campus with an Ethernet port and not thought that it was criminal. And, at no point, have I tried to characterize Aaron's thought and motives. Honestly - he working for higher principles than I ever have, so I am in no position to comment on his behavior, just mine.
I have done precisely that type of thing dozens of times in the last 10 years, and it would have never occurred to me that I was doing anything wrong. And yes, I always had to login first through a browser, figure out how the hell the cookie was stored, export it into a format that curl liked, figure out the URLs for all the docs, etc, etc...
And yes - when I was younger and more energetic, sticking my laptop in unlocked cabinet with an open ethernet port is exactly the sort of thing I would have done, without for a second believing I was doing anything "criminal".
I have to believe that MIT has hundreds (thousands?) of these types of webscraping events occurring all the time.
What made this one different from their perspective?