Should MIT develop additional on-campus expertise for handling potential computer crime incidents, thus giving the Institute more flexibility in formulating its responses?

23 Comments

Absolutely. As technology

Absolutely. As technology evolves, laws become increasingly outdated and uncertainly applicable. With the innovation, intelligence, and experimentation that we have here on MIT's campus, the likelihood of an event that lands in a legal gray area - or that raises issues never before even considered - is exceptionally likely.

Having expertise within the institute to address these issues when they inevitably arise will be invaluable.

MIT should strive to handle

MIT should strive to handle all security issues as internally as possible---not just those involving computer crime---and should craft policies that further this goal. As the report indicates, MIT students have suffered inappropriate prosecution by external law enforcement even in other types of cases, such as those involving physical access to restricted areas.

The broad lesson we must draw from the Aaron Swartz case is that the standards of conduct and justice currently upheld by the U.S. legal system are not fully compatible with those we hold at MIT. As a consequence, for MIT to best serve justice by its own standards, MIT must erect a strong barrier between conduct on its own campus and the outside legal system. MIT should establish an institutional policy to discourage the involvement of outside law enforcement, except in cases of imminent danger to persons or property at MIT that require such assistance.

The critical moment in this case occurred when MIT Police involved the New England Electronic Crimes Task Force, rather than continuing with a strictly internal investigation. Though a reasonable decision on the part of the officers involved, given their own expertise, precaution for the community, and current MIT practices, this decision does not make sense in the context of protecting the community and ensuring the service of justice. To anyone familiar with the conduct observed up to that point, it was clear that no immediate danger to persons or property was evident.

Instead, MIT could easily have continued to pursue the matter internally in the justifiable hope of a far more appropriate resolution.* However, this could only have occurred in practice if an institutional policy existed to discourage outside legal involvement. The officers responding to the case could not be expected to fully understand MIT's capability to pursue the matter on its own. Only in seeking an exception to such a policy would MIT have gathered sufficient perspective to decline outside assistance. Under the existing practice of rapid and close cooperation with outside law enforcement, it took only a cell phone call by an MIT police officer to bring the leviathan U.S. legal system bounding through the doors, bringing with it a wholly different (and apparently irrevocable) context for the investigation.

To best protect members of the MIT community and further the service of justice, MIT must set a high bar for bringing external law enforcement to campus. When no imminent danger exists, MIT police officers should seek approval for such involvement from a higher authority that can adequately consider the probable consequences both of troublesome conduct and of law enforcement to members of our community, and the ability of MIT to find its own remedies.

* The Review Panel notes that MIT had already expended significant resources in the matter at that point, without substantial effect. However, this fact carries little weight, since further steps involving resources of similar scale were readily available. Moreover, these resources pale in comparison to the resources ultimately expended in dealing with the eventual external legal case. Again, the complexity of making this assessment points to the need for a review by higher authority at MIT before involving external law enforcement.

For MIT to seek external

For MIT to seek external assistance with network and computer troubles -- whether or not they be caused by unknown, possibly malicious individuals -- seems ludicrous. You should call up Rob Morris and Ron Rivest before the Secret Service. (And, frankly, before you go calling anyone's cellphones, physically walking the halls of CSAIL saying "Hey, we found a mysterious laptop hidden in a closet... can anyone help us figure out what's going on?" would probably work just fine.)

This is, I think, symptomatic of a general phenomenon of MIT staff's underuse of the tremendous human capital present in the faculty and student body. Perhaps there's some outdated perception that staff are meant to provide services to faculty and students and not the other way around, but seriously, this makes no sense. So I wouldn't address it as narrowly as cybercrime. Rather, I recommend creating a staff-wide expectation that it is okay to call upon faculty and student resources, and to codify institutional procedures as necessary to make that easier than involving external entities. (MIT Police and MIT Medical may need special treatment, due to the highly regulated functions they perform, but the end goal should be the same: to more efficiently utilize MIT's vast human capital in serving MIT's needs.)

Also, I forgot to mention

Also, I forgot to mention SIPB. SIPB already possesses unusual authority for a group within the student body, apparent precedent for institutional recognition of its extreme competence. Formally including SIPB in a standard MIT Police process for computer crime investigations would probably be the best and easiest way to address this question as asked.

I agree with tcoffee's

I agree with tcoffee's statement, "The broad lesson we must draw from the Aaron Swartz case is that the standards of conduct and justice currently upheld by the U.S. legal system are not fully compatible with those we hold at MIT." However, I come to the opposite conclusion. Many members of the MIT community are already privileged in many ways, and the idea that we should not be fully subject to our society's justice system is offensive to me. One of the reasons that our system continues to be incredibly broken is that most Americans, particularly those who are college educated, are so isolated from what happens in it. Our response to the flaws of our justice system should be protest, not ivory tower elitism. If the outcome of the Swartz case and MIT's response is that the Computer Fraud and Abuse Act remains unchanged but no MIT affiliate is ever charged under it again, then we should be ashamed of ourselves. MIT and members of our community must use our privilege to influence policy, change the law, and make our justice system just.

No. MIT should protect all

No. MIT should protect all users of its network from accusations of computer crime, rather than let NSA and FBI people teach us how to "identify criminals". Fuck that. We should not allow the prosecution of any "criminals" who are members of the MIT community until those who enforce such laws are held to the same "criminal" standard.

Which past NSA or FBI agent is currently in jail for blackmailing and corruption? We should not be so naive to assume everyone fingered by authorities as a "criminal" is an actual criminal and agree implicitly, as led to the suicide of Mr. Swartz. If they can build a case without coercing information from MIT, good for them, that's their job. If not, we should not help, because we cannot know the administration at MIT is immune from NSA coercion. What if Susan Hockfield was being personally blackmailed by the director of National Intelligence?

What are the campus procedures to prevent high-level blackmail of officials by government employees? That is the important question, which might have been asked by a better committee, offense intended. That MIT takes no responsibility for its actions in the death of this young man is disgusting.

I support all of the above

I support all of the above comments. I believe having the ability to investigate and address security events internally enables the preservation of the creative innovative culture at MIT. Can you imagine the legal ramifications of MIT hacks in some other location such as the White House, Google's corporate buildings or someone's personal residence (http://hacks.mit.edu/Hacks/by_year/)? No! The ardent support of ingenuity and risk taking for aspiring brilliant young people is what makes MIT one of the most revered places on earth and the cultural norm to push the limits at this level is not homogeneous across the United States.

While I agree with gwprice that the US laws need to change, I see this as a separate initiative. MIT also needs to be proactive in defending the cultural safety for students to thrive.

davidad's first comment

davidad's first comment (20130905 1639) is extraordinarily insightful, accurate, and practical, presuming that the Institute has not changed its spots in the last forty years. The administration should make this a policy forthwith, till something better can be devised. If such a devising is possible.

I strongly agree with tcoffee

I strongly agree with tcoffee's and boneye's statements, which I read as essentially identical; boneye's is stronger, but both distrust the US legal system and federal law enforcement at some level (sensibly). So do others of the eight that were posted when I first read this (davidad, gwprice, cnb, perhaps benreed and jbreen). Is this consensus? Too early to say, I suppose.

An historical note. I and a friend ran afoul of the "law" of the day in my freshman year. The external legal system was never involved, rather a member of our living group informed the dean of men (?--not sure of the exact nomenclature; Ken ? was the dean) of our transgressions. We were called on the carpet, rebuked, disciplined, and required to turn our booty over to the campus police, for anonymous delivery, by them, to the appropriate authorities. What we had done was certainly illegal, possibly felonious if prosecutors then were as rabid as those of these sad times. So far as I know, no whisper of our sin ever escaped the files of the dean's office. I got two security clearances, my friend at least one.

What has happened that something so trivial as what Mr. Swartz did should be handed over to amoral, unethical, brutal, careerist federal persecutors? I thought that the institute was no longer a lap dog of the federal funding organs. Perhaps I am wrong?

On a more positive note, gwprice laudably suggests that, "Our response to the flaws of our justice system should be protest," and that MIT should forego protecting its own in pursuit of "justice." I suggest with cnb that there is no conflict between the two goals, and that 1) first and foremost MIT should protect its own; and 2) all who are so inclined should work to "make our justice system just." With reasonable support from the Institute. In the harsh confines of my realism, I believe that elephants will fly before our justice system (or any other) becomes just, but I applaud and admire those who intend to make it so.

There has always been a small

There has always been a small hacking community seeking personal benefit at MIT going as far back as at least the early 1950's and telephone "blue boxes". What should be considered is the establishment of a culture at MIT resistant to such illegalities, and a set of social norms creating pariahs rather than folk heroes. At the same time, a strong policy study and advocacy center should be established to concentrate focus on needed legal reforms, including patent law reforms, that would contribute to innovation, reward innovators, and address such intellectual property issues as "patent trolls", patenting of elements of nature, and the sequestration of patents to delay or suppress innovations for business reasons.

What is needed is greater

What is needed is greater competence on the part of MIT in responding to this kind of hacking, in order to protect the broad short-term interests of MIT. The broad short-term interests of MIT would have been served by stopping the hack, and by preventing it in the future, not by acting to criminalize it. If one holds something of value in one's house, start by better locking the front door [or in this case the closet,] not by dumping hot oil on the would-be intruder. And MIT should better publicly respond long-term to the hack's implied institutional criticism of paywalling. As users of JSTOR, MIT in practice acted extremely strongly to support paywalling.

@jimad says "If one holds

@jimad says "If one holds something of value in one's house, start by better locking the front door ..." Why should the onus be on the innocent to defend himself against an attacker? For every Aaron Swartz, there are a thousand petty thieves. While I disagree with your reasoning, I nevertheless agree with the conclusion -- MIT should try to handle these types of incidents internally ... if only because MIT is an institution large enough and resourceful enough to withstand and to neutralize an intrusion, and to resolve it in a way consistent with MIT's own values and objectives.

1) I agree with @tcoffee that

1) I agree with @tcoffee that "The broad lesson we must draw from the Aaron Swartz case is that the standards of conduct and justice currently upheld by the U.S. legal system are not fully compatible with those we hold at MIT."

I want to highlight the Review Panel's observation about the Institute's inattention to "ruinous collision of hacker ethics, open-source ideals, questionable laws, and aggressive prosecutions that was playing out in its midst." Elsewhere, the panel called out the CFAA specifically as a poorly drafted piece of legislation.

I do not think that the MIT administrative apparatus - and, to be fair, many members of the academic community - fully appreciate or understand this ruinous collision. Paul Ohm has called it the "Myth of the Superuser" (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=967372); recent graduate Molly Sauter studied it in the case of Kevin Mitnick. The sort of creative disruption / thoughtful rulebreaking which has *allowed MIT to become MIT* is directly opposed by the standards of conduct and justice which define the U.S. legal system, most specifically with regards to computer crime.

I am not a libertarian; I do not think MIT should try to become some kind of extrajudicial Sealand-on-the-Charles. I do think, however, that this case, along with many others, shows conclusively that state and federal computer law is fundamentally broken, and that it is in our institutional interests to develop as much internal capacity as possible so that calls to the outside are at a last, not a first, resort.

None of my words will serve

None of my words will serve more eloquently than those already expressed here. MIT creates new policy for the rest of the world, not the other way around.

I think the situation is well summarized through davidad, tcoffee, and boneye. MIT has a strong moral compass. We should learn to trust it more -- even when it seems to be pointing in a different direction than local, state, and federal regulations.

Yes. MIT should never have

Yes. MIT should never have involved the cops and Feds in Swartz's hack. By doing so, MIT became pawns of prosecutors intent on using the case for political aggrandizement. MIT's reputation and credibility have suffered over this case.

Another point: because of the imbalance of power between the State and Swartz, the MIT Report's contention of neutrality is bogus. By doing nothing, you side with power.

Not in the sense of a police

Not in the sense of a police force or detective agency. The Office of General Counsel should certainly be aware of current law and how it may conflict with MIT's policies. MIT's policies and rules for access should be clear, and MIT's network should never be exploited for criminal activity. MIT should make sure that its rules and policies do not entrap those intent on harmless "hacks" in crime.

@davidad - "underuse of the

@davidad - "underuse of the tremendous human capital".... really?!?!!

It's called opportunity cost.

Unless it's an extraordinary situation (well, we did here for Hal Abelson), what's the value of taking up our professors' and researchers' time when they could be developing new and novel technologies, teaching students and doing what professors and researchers are _supposed_ to do?

Though, I could be out of date on my Course 6 faculty, but I wasn't aware of a cybercrime department last I heard. If there were, then perhaps it _would_ make sense for that faculty and member students to participate in investigating internal computer crime incidents.

Though, I have a separate philosophical question - why should MIT be above the law? Why should we be held to different internal standards if we create an internal security buffer? Or, do we get to make the relative decision that one crime does involve authorities, but our feelings in another case doesn't? Who makes someone at MIT judge and jury of that? This is where I'm totally with @gwprice. The implicit interpretation of the question's "thus giving the Institute more flexibility in formulating its responses": flexibility in skirting laws we don't like.

If the law is broken, don't break it. Fix the law (or in classic MIT style hacking, skirt the law creatively. Just do your legal homework first.)

The death of this talented

The death of this talented individual and MIT’s role—intended or not—was very troubling to me. The loss of such a special, gifted person! Shouldn’t we as a campus and a community do whatever we can to protect people like this?! People like us, who have benefited from loving parents, nurturing teachers, caring and intellectually curious friends. The time and care and resources that have been invested in us!

I support the comments expressed eloquently by tcoffee and davidad that matters like this are best handled first by MIT internally, provided that, like in this case, it can quickly be determined that there is no threat to the community.

I believe the comments expressed supporting the “fix the law” approach—alian, gwprice, etc.—are well intended, but reflect considerable naivety about the United States legal process, and frankly, the world we live in.

The first reality is that MIT is very unlikely to change federal law.

The second reality is that laws are generally designed to govern the many, and fail spectacularly when applied to special cases. For this reason, judgment is highly valued—and recruited for—among law enforcement professionals. Objectively, a place that attracts the people and enables the accomplishments, breakthroughs, discoveries, Nobel prizes, etc. that MIT does is one very big, special case.

I invite those who support the “we are all the same” approach to visit New York City and interact with the NYPD. Then one can decide if this is the respectful, fair for all environment that is best equipped to handle a wayward computer genius with emotional problems.

MIT should balance the needs of maintaining a safe and nurturing environment for its students and the broader community that touches its campus—while recognizing its very important role in protecting and guiding the talented individuals that come there. In cases like this where there is no immediate danger, MIT should go the extra mile for the people we attract, and protect and re-direct them gently when they need it. After it is clear that this approach is failing, then outside resources should be brought in.

Thank you to davidad for

Thank you to davidad for expressing so eloquently the astonishment and dismay many of us felt on learning that someone at MIT called the Cambridge police for technical expertise!! The idea is indeed ludicrous, and the construct of this "Question for the MIT Community" is in itself rather sad. The issue, in my opinion, is not MIT's ability to respond to potential computer crimes, but rather unwillingness on the part of some to deal with a potential issue rather than pass the buck. It is bad enough that someone called the MIT Police when they found a laptop (even in a closet), but for the MIT Police to call in external resources for their "expertise" (and on a personal cell phone at that!) is quite incomprehensible.

I am adding this comment on

I am adding this comment on behalf of an anonymous commenter within the Media Lab who did not want to be identified:

"no. that indicates that what was done was wrong, and preventable."