[caption id="attachment_2789" align="alignright" width="300"] Aaron Swartz was working on an open-source, anonymous inbox[/caption]
Posted by Kevin Poulsen New Yorker.
Aaron Swartz was not yet a legend when, almost two years ago, I asked him to build an open-source, anonymous in-box. His achievements were real and varied, but the events that would come to define him to the public were still in his future: his federal criminal indictment; his leadership organizing against the censorious Stop Online Piracy Act; his suicide in a Brooklyn apartment. I knew him as a programmer and an activist, a member of a fairly small tribe with the skills to turn ideas into code—another word for action—and the sensibility to understand instantly what I was looking for: a slightly safer way for journalists and their anonymous sources to communicate.
There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards.
Aaron was attuned to this kind of problem. I’d first met him in 2006, when he and two other coders sold the social-news site Reddit to Condé Nast, the parent company of Wired, where I’m an editor, and of The New Yorker. The three of them moved into a converted conference room in the corner of Wired’s San Francisco headquarters. Aaron stood out from his colleagues—he was moody, quiet, and blogged about how much he disliked working there.
Then, one Monday, he left the office to spend the day at a nearby federal courthouse where oral arguments were unfolding in Kahle v. Gonzales, a Constitutional copyright battle being waged by the law professor Lawrence Lessig. When he got back, he asked me, somewhat shyly, if he could write something for Wired about the proceedings. The resulting seven-hundred-word blog post was crisply written and clearly laid out the issues. I wondered about this young tech-startup founder who put his energy into the debate over corporate-friendly copyright term extensions. That, and his co-creation of an anonymity project called Tor2Web, is what I had in mind when I approached him with the secure-submission notion. He agreed to do it with the understanding that the code would be open-source—licensed to allow anyone to use it freely—when we launched the system.
He started coding immediately, while I set out to get the necessary servers and bandwidth at Condé Nast. The security model required that the system be under the company’s physical control, but with its own, segregated infrastructure. Requisitioning was involved. Executives had questions. Lawyers had more questions.
In October, 2011, Aaron came to the Wired office and we whiteboarded some of the details. In the intervening years, Aaron’s quiet withdrawal had shifted into a tentative confidence, his sullenness replaced by a disarming smile and a gentle generosity. Before he left, I walked him over to the new, much larger Reddit office next door. He stepped inside, looked around, and walked back out without anyone recognizing him.
By then, Aaron had been indicted for bulk downloading four million articles from JSTOR, an academic database, from M.I.T.’s public network, and the case must have been weighing on him. But he wouldn’t talk about it.
He lived in New York then, so my interactions with him from that point on were mostly electronic. The system, which we came to call DeadDrop, was a back-burner project for both of us, and Aaron had a lot of front burners. I learned his protocol: when he had the time to code, I could reach him on the phone or on Skype. We had long exchanges about security and features; Aaron rejected the ones he thought would overcomplicate the system—individual crypto keys for every reporter at a news organization, for example.
In New York, a computer-security expert named James Dolan persuaded a trio of his industry colleagues to meet with Aaron to review the architecture and, later, the code. We wanted to be reasonably confident that the system wouldn’t be compromised, and that sources would be able to submit documents anonymously—so that even the media outlets receiving the materials wouldn’t be able to tell the government where they came from. James wrote an obsessively detailed step-by-step security guide for organizations implementing the code. “He goes a little overboard,” Aaron said in an e-mail, “but maybe that’s not a bad thing.”
By December, 2012, Aaron’s code was stable, and a squishy launch date had been set. Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death. A launch, like so many things, was secondary. His suicide also raised new questions: Who owned the code now? (Answer: he willed all his intellectual property to Sean Palmer, who gives the project his blessing.) Would his closest friends and his family approve of the launch proceeding? (His friend and executor, Alec Resnick, reports that they do.) The New Yorker, which has a long history of strong investigative work, emerged as the right first home for the system. The New Yorker’s version is called Strongbox; it went online this morning.
Nine days after Aaron’s death, his familiar Skype avatar popped up on my computer screen. Somewhere, somebody—probably a family member—had booted up his computer. I fought the irrational urge to click on the icon and resume our conversation. Then he vanished from my screen again.