He hacked into a server to release a database of paywalled studies to the public. Not only is it not the same but it was the hacking that brought charges upon him.
It's been quite a few years, but AFAIK he didn't hack JSTOR. He downloaded papers en mass using a guest MIT account that had legal access to JSTOR. Maybe he violated their terms, but that is not illegal. He did illegally trespass an unlocked MIT switch closet to do this. They blocked several IPs but his script would rotate to continue. The downloading was over a week or two, enough for security to set up a camera in the closet to catch him retrieving the laptop.
I believe JSTOR sued him to prevent him from releasing the downloaded materials, worried he had offloaded the papers separately from the laptop. The final blow was an outrageous set of charges by the federal government. I also recall several prominent leaders in the open source movement calling it out for what it was, a power trip to make an example of a "digital terrorist". Such a shame.
This just all depends on what circle you're using the word "hacking" in. While technical circles are mostly concerned about the technical details on how someone might exploit a system, legal circles don't really care. They usually avoid using the word "hacking" anyway.
The relevant law here, the CFAA, is often referred to as the US law that criminalizes "hacking", but what it specifically does is criminalize anyone who "intentionally accesses a computer without authorization or exceeds authorized access" which is much more broad than how technical disciplines might use the word.
So yes, stealing a password off a friend's post-it note and Hasselhoffing their instagram might not be considered "hacking" if you're hanging out at Defcon, this would be considered "hacking" in legal or colloquial terms.
> AFAIK he didn't hack JSTOR. He downloaded papers en mass using a guest MIT account that had legal access to JSTOR.
Potato, potahto. Or, like kids these days say it, "corporate wants you to find differences between these two pictures...".
Fact is, from the POV of the legal system, "using a guest account that had legal access to" a system, but to which (the account) you didn't have legal access, would typically be seen as hacking. So is running curl in a loop, if it results in you getting sued for it. So is just guessing the URL (e.g. incrementing a user ID in a GET query param), if it lets you access things you shouldn't be able to.
Yes, it's not aligned with how technology works. But it is aligned with expectations of behavior, which is what the law is really about.
> Fact is, from the POV of the legal system, "using a guest account that had legal access to" a system, but to which (the account) you didn't have legal access
I don't think that is accurate.
He had legal access to the account. The account had legal access to the service.
The argument was that downloading articles en masse was an _abuse_ of the service, which was a violation of the Terms of Service and therefore a CRIMINAL ACT.
