Letter to Carmen Ortiz about Aaron Swartz

Stepping off my usual entrepreneurship topics, here’s a letter I sent to Carmen Ortiz, Stephen Heymann, and Scott Garland (the prosecutors in the Aaron Swartz case) earlier this week.

I’m expecting precisely zero effect on anything here, but it captures my analysis of what happened.  Apart from the sadness and tragedy, I think we all need to be very mindful of the growing gaps between technology and our laws.


January 28, 2013

The Honorable Carmen M. Ortiz
United States Attorney for Massachusetts
John Joseph Moakley
United State Federal Courthouse
1 Courthouse Way, Suite 9200
Boston, MA  02210

Dear Mrs. Ortiz:

I’m writing you (and Mr. Heymann), as many have, regarding Aaron Swartz.  I know emotions are high, and I’m sorry the criticism has been so unfair and uninformed.  I’m sharing constructive comments I hope will be helpful as you consider this matter.  I’ve reviewed the public court documents and several relevant legal opinions.  I am a pioneer of the Internet economy, and a technology and business method expert in the subjects of this case.

It is clear Swartz did something wrong and should have been punished.  However, I have come to agree the prosecutorial stance did not match the severity of Swartz’s deeds.

I believe that you and Mr. Heymann were doing “what any good prosecutor would do”, and as you’ve noted, prosecutors don’t make the laws and penalties.  However, the CFAA is unusually broad and ambiguous, by design, to address a major policy issue.  Technology is advancing much faster than our laws, and the Justice Department has argued for legal flexibility with this Act (e.g. Richard Downing’s House Judiciary Subcommittee testimony in Nov, 2011).  That flexibility requires discretion in application, perhaps more than any other statute you prosecute.

This case is a nearly perfect test of that discretion, because it’s missing most of the typical criminal elements.  Swartz was not pursuing financial gain.  He wasn’t trafficking in credit cards, passwords, national secrets, or confidential/proprietary information.  He didn’t destroy data or access personal records.  He didn’t access something he wasn’t supposed to; he accessed more than he should have.

Swartz, like any MIT guest, was allowed to download JSTOR articles.  He enjoyed no greater access than any normal user would, but he violated JSTOR’s Terms of Service (ToS) by automating his download process.  His violation of MIT’s guest ToS is less clear:  MIT is famously and widely known for an open campus and network, and there’s a reasonable argument MIT’s effective ToS is much more permissive.  (Also, MAC address manipulation is not analogous to VIN tampering; if it were, it would criminalize the “Change MAC Address” feature available in nearly every consumer router.)

Regarding damages, JSTOR’s articles are freely available at 7,000 institutions worldwide, and many documents are public domain.   MIT’s $50,000 annual subscription amounts to $136/day, a starting point for calculating damages.  However, subscription fees have limited use in determining damages, because they mix the access costs with document value.  For example, PACER’s public documents “cost” $0.10/page, but their value is zero.  JSTOR’s quick civil settlement, their public stance in this case, and their subsequent public release of millions of articles are all extremely telling.

Swartz did not destroy or damage data or infrastructure.  There’s no (public) evidence his actions caused more than minor service outages and investigation costs at MIT and JSTOR.  Swartz’s actions were “minimally criminal”, and justice should have been sought on those terms.  (In addition, if your case had prevailed on the basis of ToS violations, there’s a solid appeal to void this interpretation for vagueness.  It’s nearly impossible to pass the “average citizen” test for defining criminal behavior with CFAA+ToS.)

At this point, you will likely say Swartz would have had every opportunity to make these arguments.  That’s true of course, but I’d respectfully say it’s disingenuous.  From the moment you indict and issue a press release, you frame the case.  The use of Secret Service resources, the home search warrant, the discovery refusal to provide raw hard drive images, the superseding indictment, and the reported plea negotiations & constraints; these all signal that Swartz’s acts were extremely serious, worthy of government resources.  Furthermore, Mr. Heymann is a seasoned prosecutor and computer crime expert;  the judges, jury, MIT, and JSTOR take cues from his stance.

Again, the unique ambiguity in the CFAA demands a prosecutorial duty of discretion above and beyond normal.  Our goal is to seek justice, and to that end, I share several suggestions.  First, I strongly recommend you proactively and immediately release all non-exempt case documents, and consider selectively waiving FOIA exemptions for other material.  The content may be unflattering, but transparency would be a very powerful leadership act on your part.  The people have a right to know how their attorneys conduct business, and the full record will help us enact the best policies.

Second, I would encourage you to support sensible CFAA revisions.  For critics, this case is a poster example of why the statute needs to be less vague.  Congress looks to Justice for advice, and you now have the best perspective of any prosecutor on finding a balance between (a) a flexible law, (b) a clear definition of criminal behavior, and (c) the prosecutor’s duty of discretion.

Third, I suggest you consider future CFAA cases more carefully, especially cases missing the obvious criminal elements.  The computer fraud case volume is relatively thin, making each case a bounds test almost by definition.

I pray you find these thoughts helpful in this sad and tragic story, and I hope they constructively capture the broader criticism about proportionality.

Finally, if an informal discussion regarding this matter (or fraud policy in general) would ever be useful, I would welcome that opportunity.

My email is <andy [at] payne [D O T] org>.


Andrew C. Payne

Cc:       Stephen P. Heymann, Assistant U.S. Attorney
Scott L. Garland, Assistant U.S. Attorney

Built-in QR/Barcode Scanning?

I wish Apple (and Android) would build QR code/barcode scanning into all phones, either in the camera app or as a dedicated scanning app.qrcode.10740790

QR codes are so helpful for connecting the physical and digital worlds:  imagine scanning the bottom of a product to see the current owner’s manual, or to get reorder information.  Or scanning codes at a museum or park to get more information about an exhibit.  Or scanning the “missed delivery” door tag that FedEx left, to figure out your delivery options.

It’s not a new idea, but for the first time we’ve all got scanners in our pocket.  However, QR codes are still a little geeky:  you need to know what they are, and install an scanning app.  It’s a chicken-and-egg problem, and including scanning as a built-in phone feature would go a long way to seeding things.

Paul Graham on Hardware

I think Paul Graham’s recent essay on The Hardware Renaissance was very interesting:

 …one of the most conspicuous trends in the last batch was the large number of hardware startups. Out of 84 companies, 7 were making hardware. On the whole they’ve done better than the companies that weren’t.

After doing software for nearly 20 years, I’ve now been spending most of my time on hardware, and especially, hardware projects that have a large software component.  (See my post last year on the Coming Bits and Atoms Disruption.)

As the essay points out:  it’s getting cheaper & easier to design and build hardware projects.  I think we’re going to see a lot of interesting products over the next few years.

3D Printing: Hype and Opportunity

If you haven’t seen a 3D printer yet, you’re missing something amazing. The technology has been around for a while, but recent efforts by the “maker” community have driven printer prices down.  It’s revolutionizing rapid prototyping: you can go from CAD model to holding something in your hand in a few hours.

However, there’s also a lot of hype surrounding 3D printing:  some imagine a “printer in every home” or replacing traditional manufacturing methods.

I’m skeptical.  3D printing has some very serious limitations: printers are slow, with no economies of scale. One-hundred parts takes almost exactly 100x as long and 100x the cost of one part. Even at low quantities, traditional manufacturing methods (e.g. injection molded plastic) are often more attractive.

Also, printer technologies vary widely, with a range of materials (plastic, metal, ceramic), durability, fidelity and color options. It’s not like paper printing, where anything that puts colored bits on paper gets you in the game – different 3D printing technologies have very different applications.

Hype aside, I think 3D printing will be disruptive in a few application areas:

  • 100% custom “quantity one” parts (e.g. anything that touches the human body)
  • Low-quantity parts. Examples: the long-tail of repair parts no longer manufactured, or “parametric parts”, where the design is a function of several parameters, and it’s not possible or practical to stock all combinations.
  • Parts that can’t be manufactured any other way. What’s most interesting:  3D printers control every bit of the part volume, including the “insides”.  Most “solid” parts aren’t solid at all; they usually have a honeycomb-like interior structure to save material, but that structure could be anything.  Now, you can build parts that have interior structure that you can’t build with traditional methods.

This last category is especially exciting, and I’m hoping to see interesting designs as 3D printers get more widely deployed.

My New Favorite UI Book

When I’m giving software product feedback, my most common rant is “you’re making the user work too hard!”  Software UIs are often non-obvious, visually cluttered, and/or fail to follow established conventions.  As software has transitioned from packaged installations to the Web, poor design is an acute problem:  with a bad UI, users will just……go away.

Last week, I got a copy of Steve Krug’s book, Don’t Make Me Think.  It’s a fabulous book on Web UI design, and I’m wondering why I didn’t find it sooner.  It’s short (216 pages, less than 1/2″ thick) and very tightly written.  You can speed read it in one sitting, and you’ll want to buy copies for the rest of your team.

Highly recommended.

Startup Pitch Practice

The fundraising process is usually very stressful for entrepreneurs.  It’s often the first time their “baby” is judged.  Also, investors frequently pass with a vague “no”, without sharing the underlying reason(s).  As a result, entrepreneurs spin their wheels because they’re not getting direct feedback.

As a modestly active angel investor and an LP in several venture funds, I hear many, many startup pitches.  I think I’ve a good sense of pitches that work (and why), and I’m good at giving specific feedback (on both the idea, and the way it’s presented).  AND, I’ll give very direct feedback, even if it’s something the entrepreneur doesn’t want to hear (not assuming I know all the answers, of course).

So, I’m trying a little experiment:   a “pitch practice” session.  If you’re interested, please email an overview of your company by Oct 3.

I’ll do a half-day with four 1hr slots, one per company (privately), each with 30 min for presenting and 30 min for feedback.  I’ll choose four (if anyone’s interested!) and schedule a half-day block for sometime in the next ~2 weeks.

Please note:

  • My background is in technology, specifically software and hardware with a significant software component.  I won’t be that helpful for projects outside of those areas.
  • In your overview, please include bios for the company principals and specifics on your idea.  “We’re building a revolutionary new ad network” is not specific enough.
  • Please explain what funding stage you’re at (e.g. seed, A, B, etc.)
  • I strongly prefer to meet in-person, but will consider Skype/Webex sessions for entrepreneurs outside of New England.
  • This is just for pitch and company feedback, and not for:  networking, investment, board seats, advisor relationships, customer leads, partnerships, and/or investor introductions.

Let me know!

I’m Not Sure Facebook’s IPO Was a “Dud”

Was Facebook’s IPO a dud?  It didn’t double on the first day like other high-profile IPOs, and it’s currently down about 10% from the IPO price of $38.

How much does a super-strong opening really matter, in the long term?  If their stock had closed at $60 (as I had predicted), that would have meant it was underpriced, leaving money on the table for the underwriters and their clients.

Some argue that a big IPO pop is important to the continued momentum of a company, but I’m not so sure.  Most of my friends don’t know (or care) they went public.  The initial price gyrations aren’t about long-term value;  they’re about underwriters and traders jockeying their positions (e.g. propping up at $38 on Friday, and likely selling today to minimize exposure).  Apart from NASDAQ’s problems handling the trading volume, I bet this IPO will be a distant memory in a few quarters.

I think Facebook actually played it pretty well.  Maybe it was priced slightly high, but most of the proceeds went to the company (and inside sellers), not aftermarket traders, which is how it should be.  The underwriters are certainly earned their fees by providing float for the stock on Friday.

I like owning companies that play it well.

Disclosure:  I’m long FB.

Concentration of Returns

I thought it was very interesting that 9 (!) of the 100 people on the 2012 Forbes Midas List of top tech investors had Facebook as their “big deal”.  The venture funds that had early Facebook investments will show very, very good performance relative to their peers (to the point where it’s not even fair to compare).  Early angel investors will get a nearly 10,000X return on their money.  That pays for a lot of writeoffs.

This shows how skewed and concentrated technology returns have gotten.  In the old days, a venture investor might have hoped for one home run in 10 for the investment math to work.  Now, it’s more like 1:100, or even worse.  How many groups went through Y Combinator before Dropbox and Airbnb?

For many Internet software and mobile investments, I think this is a symptom of the “gorilla ecosystem” that I’ve written about.   Many startups end up paying a tax, in some form, to Amazon, Google, Apple, and/or Facebook, causing a significant fraction of startup value creation to flow to the gorillas.

Net, net:  instead of a nice stream of $1b exits for the last 5-10 yrs, we’re going to have one gigantic $100b exit.

Gmail UI Design Flaws: Stars

Gmail has finally forced the new design on me, and there appears to be no way to revert back.  It’s tricky to separate style changes (highly subjective) from usability tweaks, but I really feel that the new design is a huge step backward in usability.

One case in point:  stars (flags) for messages.  They’ve been moved to the right side, so they now appear like this:

This is a less important place on the page — we read left to right, scanning the sender and subject first.  The star’s function is to mark the most important messages, so it should be in an important place (on the left).  Even worse, they’re not even aligned anymore because of the “reply” button, creating more visual work to locate the stars.  Why is this an improvement?

Also, the left rail has now been replaced with a person-info icon that you can hover over and click to expand messages, completely redundant with clicking or hovering over the sender’s name.  Why?

Worse, they show the person-info hover dialog for my own emails.  Why?


“I Have an Idea….”

I see a steady stream of entrepreneurs contacting me with various software ideas:  a Web site, a mobile app, etc.   All are looking for funding and developer help to implement the idea, and most won’t end up with either, even though some of the ideas are really interesting.

Why not?

The software business has changed profoundly over the past decade.  Software development has become extremely capital efficient:  dev tools are free, the software stack is free, and virtual servers are free to start (and then pay-as-you-go).  There are still large projects that need teams, but more and more, the only things needed for the next great Web site or iPhone app are:  time, talent, and a MacBook.

Programming languages are now first-class expressive mediums:  the brilliant designer/developer is as talented as any world-renowned author, but just writes in a different language.

As a result, the best designer/developer talent can now work for themselves.  “Bare ideas” are cheap; the real value is a good idea combined with talent to realize the vision.  That’s what investors want to invest in.  In analogous terms:  finding investors for a “bare” software idea is like finding investors for a fiction-novel idea — it’s really hard.

My advice:  find a willing co-author, or learn to write!