July 19, 2011: Anonymous Arrests and the Aaron Swartz Indictment
Two major cybercrime stories collided on July 19, 2011, marking one of the most consequential days in hacking-related law enforcement. The U.S. Department of Justice unveiled charges against sixteen suspected members of the hacktivist collectives Anonymous and LulzSec. On that same day, programmer and activist Aaron Swartz found himself facing a federal indictment for mass-downloading academic papers from the JSTOR digital library.
DDoS Charges Against Anonymous and LulzSec Operatives
Among the sixteen charged, several defendants faced prosecution in the Northern District of California for their alleged roles in a coordinated distributed denial-of-service (DDoS) campaign targeting PayPal. The motivation behind the assault was PayPal’s decision to sever its payment processing relationship with WikiLeaks, the transparency organization founded by Julian Assange.
The attackers reportedly used an open-source network stress tool known as LOIC (Low Orbit Ion Cannon), which allowed individual participants to voluntarily contribute their computer’s bandwidth to an overwhelming flood of traffic aimed at PayPal’s servers. The combined assault ultimately succeeded in knocking the payment platform offline.
The indictment itself offered few details about how federal investigators identified the participants. The FBI has long possessed the capability to trace internet traffic originating directly from residential connections, which likely played a role. However, a lingering question remained: could more technically sophisticated Anonymous members have compromised these individuals’ machines and used them as unwitting proxies, effectively framing less experienced sympathizers?
The government also alleged a conspiracy, meaning prosecutors would need to demonstrate that the defendants had agreed with one another or with Anonymous leadership to conduct the attack. The act of downloading LOIC and directing it at PayPal served as partial evidence of coordinated intent, but the deeper question involved whether prosecutors could link these lower-level participants to AnonOps, the loosely defined command structure behind Anonymous operations. If such connections existed, authorities might attempt to secure cooperation agreements in exchange for reduced sentences, turning foot soldiers into witnesses against organizers.
The AT&T Contractor Leak and the InfraGard Website Breach
Two additional cases rounded out the day’s enforcement actions. One involved an AT&T outside contractor who allegedly accessed and leaked internal corporate documents that later surfaced through LulzSec. According to the criminal complaint, AT&T’s internal investigation traced the activity to the contractor’s account, showing it was connected to the corporate network at the exact time confidential files were exfiltrated. Records further showed the same account searching for file-hosting services and uploading materials that day.
The second case concerned a defendant who discovered a configuration vulnerability on the InfraGard Tampa website (InfraGard being an FBI-affiliated public-private cybersecurity partnership) and exploited it to upload unauthorized files. The defendant’s operational security was virtually nonexistent. After the intrusion, he posted about it on Twitter using his personal account. A simple search of the associated username on Wikipedia revealed his real name, personal website (where he also claimed credit), and a photograph. An IP address trace merely confirmed what open-source intelligence had already established.
Interestingly, prosecutors charged this defendant under 18 U.S.C. § 1030(a)(5)(A), which prohibits knowingly transmitting code or commands that intentionally cause damage to a protected computer. The statute defines “damage” as any impairment to data integrity, system availability, or information reliability. However, uploading files to a misconfigured server seemed more accurately characterized as unauthorized access rather than transmission of harmful code. The FBI agent who prepared the supporting affidavit apparently recognized this mismatch, hand-writing an addendum stating that the uploaded files “caused damage to the server by impairing the integrity of the server” — a creative legal theory that would have made for compelling appellate briefing.
Aaron Swartz and the JSTOR Mass Download Prosecution
The most culturally significant case that day involved Aaron Swartz, a 23-year-old programmer who had already made substantial contributions to the internet’s infrastructure, including work on RSS and Creative Commons. According to his indictment, Swartz connected a laptop to the campus network in a network closet at MIT and initiated automated downloads of academic journal articles available through JSTOR, a nonprofit repository that provides free access to affiliated students and researchers.
When MIT administrators noticed the unusual traffic and blocked the computer’s IP address, Swartz allegedly obtained a new one. After MIT escalated by blocking the laptop’s MAC address (a hardware-level identifier meant to be permanent and globally unique), Swartz spoofed that identifier as well. He reportedly took additional steps to conceal his activities, including covering his face with a bicycle helmet when visiting the closet where the laptop was hidden.
The automated downloading allegedly degraded JSTOR’s ability to serve other institutional clients, and the ensuing investigation prompted JSTOR to temporarily suspend all service to MIT for several days. Yet the fundamental question at the heart of the case was deeply uncomfortable: Swartz, as an affiliate of both MIT and Harvard (where he held a fellowship), could have lawfully accessed and downloaded every one of those articles individually. What transformed that lawful activity into alleged criminal conduct was automation and scale.
When Automation Transforms Legal Activity Into Criminal Conduct
The Swartz prosecution crystallized a question that courts across multiple domains were grappling with in 2011: does the mere automation of otherwise permitted activity create criminal liability?
The same principle was being tested in U.S. v. Lowson, where defendants faced prosecution for using automated software to purchase concert tickets — an activity perfectly legal when done manually. In Facebook v. Power Ventures, a company was sued for providing users with automated tools to aggregate their own social media data across platforms. And in the landmark surveillance case U.S. v. Jones, then before the Supreme Court, the government argued that GPS vehicle tracking required no warrant because officers could lawfully follow a suspect on public roads, meaning technological enhancement of that same capability should carry no additional constitutional burden.
These cases collectively asked whether there exists a threshold at which technological amplification of human capability becomes so qualitatively different that the law must intervene. The Swartz case was destined to become a proving ground for that principle, and it was deeply unfortunate that a young man who had contributed so much to the public good in just 23 years was forced to bear the weight of that societal reckoning.
Originally reported by Zwillgen Blog on July 21, 2011. Rewritten for DecryptedMatrix.


