Hacking: Rights, Hacktivism, and Counterhacking

Kenneth Einar Himma acknowledges that "hacker" once had a positive connotation, but reserves the term "hacking" to refer to acts in which one person gains unauthorized entry to the computers of another person (191-2).

Himma's views (in some contrast to Wilson's!) are a good deal more skeptical about what, if anything, might morally justify hacking.

The Prima Facie Case

Defined as a species of unauthorized entry, it seems obvious that hacking is prima facie morally wrong: Hacking is analogous to trespass; trespass onto physical property is wrong (whether or not it gives rise to harm) since it violates the owner's property rights; similarly, digital trespass is wrong since it violates the computer owner's right to exclude others from the use of her property.

But the trespass analogy is imperfect:

1. Not all trespass is morally wrong; infringement of property rights can sometimes be justified (e.g., venturing onto private property in order to apprehend a fleeing murderer). So, hacking could be morally justified if it brings about a good that outweighs the evil that it creates.
2. Hacking does not (except trivially, e.g., by consuming electricity, bandwidth, computing cycles) involve the kind of physical intrusion associated with trespass.

So perhaps we can supplement property rights considerations with privacy rights considerations: My computer is not only my (physical) property, it is also a space in which I have a legitimate expectation of privacy: a private space in which I may store sensitive information. Unauthorized access intrudes on this expectation.

But privacy rights too hold only prima facie (e.g., intrusion into a terrorist's computer to prevent an imminent attack).

Benign Hacking: Social Benefits

So infringement of rights can sometimes be justified; the onus presumably then lies with the hacker to show that specific instances of hacking are justified and so morally permissible.

Can benign motivations based on social benefits, such as testing systems for security or drawing attention to security flaws (Wilson's research and security hackers), serve to justify hacking?

Himma: No, since these social benefits could be achieved without infringing property or privacy rights.

More importantly: If privacy and property are genuine moral rights, then we cannot justify their infringement simply on the grounds that doing so would be beneficial: rights trump consequences (Dworkin).

This, I'd say, approaches question-begging. Compare stealing $1B from Bill Gates (in order to do good) with taxing him the same amount (in order to support welfare rights).

Benign Hacking: Preventing Waste

Himma: This is at least the right kind of argument (in that it seeks to identify a principle [i.e., a countervailing right] that could justify infringing property/privacy rights).

But again, according to Himma, the argument fails, essentially on the same grounds as above: A property right is a right to exclude. The fact that I'm not using my bike doesn't justify you borrowing it; ditto when it comes to my computing resources or software.

Benign Hacking: Free Flow of Content

Perhaps a right to freedom of expression is strong/important enough to justify infringement of property/privacy rights (and so to justify hacking)?

Himma: If a right to freedom of expression is held to entail that there can be no legitimate restrictions on the free flow of content, then a) the very idea of privacy rights becomes untenable and b) this would be inconsistent with the idea of moral IPRs (e.g., copyright).

(I'm not sure that even the most rabid defender of an IP anarchist view would make a claim quite that strong.)

Still, Himma's larger point is worth considering: Just because someone has a right (e.g., to freedom of expression), this does not entail that she can do whatever she likes to exercise that right. Assume I have a right to certain information on your computer. This does not justify me breaking into your home to access this information.

This again may verge on question-begging, however: Never? Not if, say, I'm your parent or a professional with whom you have a fiduciary relationship? This would still be an infringement of property rights, but acting to exercise a right to information might still at least be mitigating.

Hacktivism & Civil Disobedience

As we've seen, some benign hacking (e.g., a DoS directed toward a wicked organization) is purported to be justified on political grounds. So perhaps civil disobedience can provide a justification for at least some forms/instances of hacking?

Civil Disobedience (CD)

1. open
2. knowing
3. commission of some nonviolent act
4. that violates law L
5. for the expressive purpose of protesting or calling attention to the injustice of L, some other law, or the legal system as a whole

(195, approximately in keeping with Rawls, 1971)

Himma: CD involves expression but it should not be equated with expression; it is primarily conduct rather than a pure speech act (and so demands a higher standard of moral justification).

In a decent democratic society, justified CD will presumably be relatively rare, since citizens have other means available to express their views (197). Nonetheless, CD is at least sometimes morally justified.

Hacktivism vs. Cyberterrorism

In justifying CD, actors should consider that there are moral limits on the costs one can impose on innocent third parties on the strength of even a laudable motivation (198, emphasis added).

Defacement of a web site will presumably cause only relatively minor harm to third parties; a sustained DoS attack (say, on a private commercial web site) may cause very considerable harm. (Though we might want to ask whether third parties are always necessarily innocent third parties.)

Also: Himma (and others) assert that agents must be willing to accept responsibility for CD as a necessary (but not sufficient) condition for justification. Acting anonymously, clandestinely, shades into cyberterrorism and/or ordinary vandalism. Proper hacktivism should show itself to be ethically motivated.

Accepting responsibility as a group (as terrorists often do), Himma suggests, is not sufficient, since it allows the individual hacktivist to avoid facing the consequences of her action.

Also: the motivating agenda behind electronic CD may be less transparent than in cases of ordinary CD (204). A DDoS against Amazon could mean many things, not all of them appropriately political.

Moreover, even when the motivating agenda is clear, it may be morally inadequate or unacceptable. See his discussion of the Hacker Ethic and Milw0rm (205-6).

So, in sum, hacking-as-CD might be justifiable, but most actual CD hackers fail to offer an adequate justification.

Counterhacking

Is active response, intended either to cause harm to hackers or to identify them, morally justified? Active responses are:

1. Digitally-based (as opposed to, e.g., physical assault)
2. Implemented after intrusion has been detected, for investigative, defensive or punitive purposes
3. Non-cooperative: implemented without the consent of at least one of the parties involved or affected
4. Such that they have causal impacts on remote systems

Nonstarters: Retaliation and Punishment

Retaliation is morally wrong in that it is motivated simply by a desire to even the score, for revenge, and is not responsive to justice or desert.

In a society with a functioning legitimate government it is morally impermissible for private persons to punish; those powers are monopolized by governments. (I.e., Himma is presuming the context of judicial punishment; if, e.g., parents have the moral prerogative to punish their children, this would be an important exception to his assertion.)

The Defense Principle

We generally accept that persons have a moral right to use force in self-defence, provided that the force used is i) proportional, ii) necessary, and iii) directed only toward the immediate source of the threat.

In view of iii), the Defense Principle will not justify force used against an innocent bystander (i.e., third party).

The Necessity Principle

It is also (fairly) commonly accepted that it is morally acceptable to infringe (as opposed to violate) rights in order to bring about a significantly greater good. This will be the case when i) the value of the right being infringed < the value of the good being secured and ii) there is no other way to bring about the good being secured except through infringement of the right.

The Necessity Principle could justify infringement of the rights of innocent bystanders (e.g., shoving a bystander out of the way in order to save a life).

Aggressive (i.e., harm-directing) responses will generally be ruled out by the Defense Principle in that they a) are not necessary and b) will (often) involve harm to third parties (e.g., owners of malware-infected computers used in a DDoS attack).

They will also generally be ruled out by the Necessity Principle in that the unpredictable harms created by an aggressive response may well outweigh the moral good that the response was intended to produce.

Benign responses intended to identify an attacker (e.g., tracebacks) cannot be justified by the Defense Principle (since they do not defend against attacks), but might be justified under the Necessity Principle (e.g., to secure the good of bringing wrongdoers to justice).

But even benign responses can potentially infringe the rights of innocent third parties (e.g., they may identify the wrong party, in the case of a sophisticated, multi-layer attack, and, in any case, involve accessing the third party's computer without her permission).

Inadequacy of Law Enforcement

Perhaps active response can be justified on the grounds that i) digital intrusion is the sort of thing that the state ought to protect us from and ii) the state is doing an inadequate job of it, so iii) private parties are entitled to use active measures to protect themselves.

ii) is likely correct: law-enforcement agencies typically lack sufficient resources for digital crime investigations, which are both highly labour-intensive and may involve jurisdictional complexities.

Himma: Nonetheless, this argument falls short. It assumes that private parties will be able to do for themselves what the state has failed to do, but this is usually just factually incorrect.

Moreover, aggressive countermeasures are not only unlikely to succeed in protecting against attack, they may simply result in escalation.