US DOJ’s Absurd Sanctions On Iranian $3.4 Billion Hacking Scheme


There’s no doubt that what was being done here by or on behalf of Iran’s Revolutionary Guard was and is illegal. Sure, it’s straight up theft. But it’s also absurd to the point of crazed lunacy to call it a $3.4 billion cyber theft scheme. For what was actually being done was hacking into academic email systems in order to gain free access to the university libraries. Yes, sure, naughty naughty and people shouldn’t do that at all. But the value of what was stolen ain’t, not possibly, $3.4 billion; the Department of Justice is playing with numbers to get to that. And rather than insisting upon the heinous nature of the crime we might more profitably consider why the crime was committed. What does this tell us about access to that public good of the knowledge of the world?

Nine Iranians charged in $3.4 billion cyber theft campaign targeting universities, Justice says

No, that $3.4 billion claim is drivel, sorry, but it is. That’s the total cost to American universities of having accumulated, sorted, stored and bought access to that knowledge. The actual loss to US universities as a result of this heist is, close enough and give or take a few dollars here and there, $0.

Yup, that’s right, nothing. Because we’re not actually talking about someone stealing the blueprints for a hypersonic ramjet and the like. We’re talking about the theft of access through the paywall to published academic papers. The universities pay the publishers a flat fee for such access through the university library system. Thus the loss, if any there is at all, is to the publishers whose paywalls were broken. Even there it’s rather moot, as the Iranians weren’t going to pay market price, not that $30 to $50 for one look at one paper that’s normal these days. So revenue lost is likely closer to $0 than any other number, and most certainly closer to $0 than to $3.4 billion.

No, I’m not making this up, this is the DOJ’s own description of what happened:

The Mabna Institute, through the activities of the defendants, targeted more than 100,000 accounts of professors around the world. They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom. The campaign started in approximately 2013, continued through at least December 2017, and broadly targeted all types of academic data and intellectual property from the systems of compromised universities. Through the course of the conspiracy, U.S.-based universities spent more than approximately $3.4 billion to procure and access such data and intellectual property.

The members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor accounts, which they used to steal research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books. The defendants targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields. The defendants stole at least approximately 31.5 terabytes of academic data and intellectual property, which they exfiltrated to servers outside the United States that were under the control of members of the conspiracy.

Essentially, they stole free access to Elsevier and similar academic publishing platforms by hacking into professors’ accounts and stealing their passwords. Sure, this is a crime, but it’s most certainly not a $3.4 billion one. That’s what the universities paid to gain access to the data themselves, not what they lost from other people accessing the data. That loss, the actual direct loss, to the universities, is $0.

My own reading of this – idiosyncratic I know – is that this is a shot across the bows of Sci-Hub and similar.

In cramped quarters at Russia’s Higher School of Economics, shared by four students and a cat, sat a server with 13 hard drives. The server hosted Sci-Hub, a website with over 64 million academic papers available for free to anybody in the world. It was the reason that, one day in June 2015, Alexandra Elbakyan, the student and programmer with a futurist streak and a love for neuroscience blogs, opened her email to a message from the world’s largest publisher: “YOU HAVE BEEN SUED.”

It wasn’t long before an administrator at Library Genesis, another pirate repository named in the lawsuit, emailed her about the announcement. “I remember when the administrator at LibGen sent me this news and said something like ‘Well, that’s… that’s a real problem.’ There’s no literal translation,” Elbakyan tells me in Russian. “It’s basically ‘That’s an ass.’ But it doesn’t translate perfectly into English. It’s more like ‘That’s f**ked up. We’re f**ked.’”

The publisher Elsevier owns over 2,500 journals covering every conceivable facet of scientific inquiry to its name, and it wasn’t happy about either of the sites. Elsevier charges readers an average of $31.50 per paper for access; Sci-Hub and LibGen offered them for free. But even after receiving the “YOU HAVE BEEN SUED” email, Elbakyan was surprisingly relaxed. She went back to work. She was in Kazakhstan. The lawsuit was in America. She had more pressing matters to attend to, like filing assignments for her religious studies program; writing acerbic blog-style posts on the Russian clone of Facebook, called vKontakte; participating in various feminist groups online; and attempting to launch a sciencey-print T-shirt business.

That 2015 lawsuit would, however, place a spotlight on Elbakyan and her homegrown operation. The publicity made Sci-Hub bigger, transforming it into the largest Open Access academic resource in the world. In just six years of existence, Sci-Hub had become a juggernaut: the 64.5 million papers it hosted represented two-thirds of all published research, and it was available to anyone.

So, why the Iranians? Because we all know that the Iranians are the bad boys today, don’t we? (Disclosure: I write a column for an Iranian magazine and no, it’s not run by the Revolutionary Guard, yes I obey the sanctions regulations.) The Revolutionary Guard are the bad boys of the bad boys. We can thus throw a criminal case at them, demand sanctions and the forfeit of property, without anyone enquiring too closely into what is really happening.

Once the principle is established then others who violate Elsevier’s copyright in this manner can also be gone after.

Yeah, sure, I’m paranoid but then so, as Slartibartfast pointed out, are all living things and rightly so in this universe.

Even if my theorising is wrong this still, absolutely, isn’t a $3.4 billion anything. That’s just DoJ making up some number to make them look good. The direct losses in this scheme almost certainly amount to zero, bupkiss, nada. Universities certainly haven’t lost anything – the data was copied, not taken. The publishers might have lost a bit, but even then it would only be the revenue they would have got from papers that would have been bought if they hadn’t been copied. A useful estimate of the size of that loss still being zero, bupkiss, nada.

A much, much more interesting question would be why don’t Iranian – and any other – academic institutions have access to these papers at a price they could afford? Knowledge is, after all, the great public good. Even the pharmaceutical companies these days buy the argument that sure, charge full price to people in the rich countries but charge the poor what they can afford. It is extra marginal revenue after all. Why is it that the scientific publishers haven’t caught up with this entirely sensible idea as yet?

No, seriously, with the American universities paying that $3.4 billion a year and thus paying all of the costs of everything, why isn’t a poorer country like Iran being charged $100,000 a year for access to everything? Say, just to provide a number. Answering that question properly could well make the world a richer and better place. Instead of lying about numbers in order to big up how special the DoJ is.

But then it was the DoJ announcing this, wasn’t it? So what would we expect them to be saying? What’s that, press releases from bureaucracies always show how well the bureaucracy is working, how essential it is that we keep the budget flowing?

You don’t say. Although C. Northcote Parkinson did as I recall….