Saturday, March 24, 2007

Hackback as Self-Defense

My cybercrimes students and I are discussing hackback, or strikeback, in which the victim of a cybercrime retaliates directly against her victimizer without going through the police and the legal system.

I found our discussions useful in analyzing the arguments that can be made for and against hackback, so I thought I'd share them with you.

The first question, logically, is why even discuss hackback? The reason it comes up is the actual and perceived inability of law enforcement to track down, arrest and bring to justice all or even most of those who commit cybercrimes.

As I hope everyone knows, even in the real world, police cannot arrest EVERY criminal. Instead, their goal is to arrest ENOUGH criminals to keep crime under control in a society.

Modern legal systems operate on the premise that the best way to keep crime under control is to deter people from committing crimes, and the way they do that is to make enough of us believe we will get caught if we commit a crime. Getting caught is very important. Studies have shown that the perception you will get caught if you commit a crime is much more effective as a deterrent than is raising the severity of the penalty imposed on those who are caught. If, say, I think I have a 5% chance of getting caught if I steal $50 million, I may very well weigh the odds of getting caught against the benefits of committing the crime (large) and the chances of not getting caught (good), and go for it.

The problem is, as I’ve said before, that cybercrime makes the implementation of this crime control strategy incredibly difficult. Aside from anything else, cybercrime often (usually) tends to come from “outside” the jurisdiction where the victim is, and this can pose terrific problems for police trying to investigate the crime and arrest the perpetrator. Another problem is that cybercrime is added to the crime that already exists in the real world, so police have all that extra work to do, which means they often must triage their priorities: If people are being physically harmed in the real world, that necessarily takes priority over what happens in the virtual world because, so far anyway, cybercrime involves little if any risk of direct physical injury or death to the victims.

So, given law enforcement’s increasing inability to apprehend cybercriminals, it only makes sense that hackback – victim self-help – begins to sound appealing. It’s the same phenomenon that generates vigilante activity. (One difference between vigilante activity and hackback is that vigilantes – a la Perverted Justice – tend to affirmatively seek out perpetrators or would-be perpetrators, while hackbackers are retaliating for what was specifically done to them.)

I’ve seen postings and articles that say hackback is permissible under our existing law because it constitutes self-defense. These sources sometimes note that the right of self-defense under U.S. (and most) law can encompass the use of deadly force against an attacker, and point out that since deadly force cannot (so far, anyway) be used online, the use of retaliatory force clearly falls within the doctrine of self-defense.

The first problem I have with these views is that the scenarios involved in hackback (so far, anyway) do not involve the threat of physical injury or death to the perpetrator; they involve the threat of damage to or loss of the victim’s property, which is a very different thing.

U.S. law (and, I believe, most other legal systems) recognizes two different justifications for using force against an attacker. One is self-defense, which means exactly what it says: I can protect my physical self from an attacker who threatens me with physical injury or death.

The Model Penal Code – the set of model laws that are the template for contemporary U.S. criminal law – says, for example, that “the use of force upon . . . another person is justifiable when the actor believes that such force is immediately necessary for the purpose of protecting himself against the use of unlawful force by such other person on the present occasion.” Model Penal Code § 3.04(1). A later section of the MPC defines “unlawful force” as “force . . . that is employed without the consent of the person against whom it is directed and the employment of which constitutes an offense or actionable tort”. Model Penal Code § 3.11(1). So, under these provisions and laws based on them, I can use force to protect myself to the extent I personally believe it is necessary (no other alternative) to protect myself from someone else’s using force to harm me. The MPC limits the use of deadly force to instances in which the would-be victim believes it is necessary to protect herself “against death, serious bodily injury, kidnapping or sexual intercourse compelled by force or threat”. Model Penal Code § 3.04(2)(b).

I do not see how these standards can apply online. The “force” that is used online is directed at things, not people. It is true that online activity can become the vector that is used to set a real-world physical attack in motion: A cyberstalker can use online postings and the manipulation of online information to try to persuade a naïf who likes to play sado-masochistic sexual games to attack the person the stalker is trying to set up, but the attack – and the victim’s use of defensive force, if any – all occur in the real world.

Unless and until we acquire the capacity to directly cause physical injury to one another via cyberspace, hackback is really about a very different problem: defending property. U.S. law (and law in many other countries) lets people use force to defend their property, but only within limits.

Let’s go back to the Model Penal Code. Section 3.06 of the MPC says that you can use force “upon or toward the person of another” when you believe the use of such force “is immediately necessary . . . to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property” belonging to you. Model Penal Code § 3.06(1)(a). Under this provision, you can only use non-deadly force, i.e., force that is not likely to cause death or serious bodily injury. You can only use deadly force to protect property if (i) the attacker is trying to “dispossess” you of your “dwelling” or (ii) the attacker “is attempting to commit . . . arson, burglary, robbery or other felonious theft or property destruction” and has either used or threatened to use deadly force or the use of less than deadly force would expose you to a risk of death or serious bodily harm. The last option, of course, brings in self-defense. Model Penal Code § 3.06(3)(d).

So, how can we apply this to hackback? Would hacking back against someone who had unlawfully accessed your computer/data or infected your system with a virus or launched a DDoS attack on your website be a valid use of force to defend your property?

It doesn’t seem to me that these scenarios or any I can think of at the moment would qualify as “dispossessing” you from your “dwelling” . . . unless and until we decide that the computer system you use is your “dwelling.” I think that would be way too much of a stretch for the drafters of the MPC or for modern legislators, so we’ll give up on that option.

Unauthorized access to a computer system for the purposes of committing a crime (such as destroying or copying data) clearly qualifies as burglary. I can’t think of any online misconduct that would qualify as arson, so we’ll give that a pass. Robbery is using force to steal someone’s property; if we read “force” as “physical force,” this option would not seem to apply online, either. Clearly, though, spreading malware could qualify as the attempted (and consummated) destruction of property, so it falls within the traditional defense of using force to protect one’s property. I think a DDoS attack can also qualify as a destruction/attempted destruction of property if, of course, we broaden our concept of property a bit, to include lost business opportunities and costs incurred in dealing with such an attack.

One problem we do have with applying laws like the MPC provisions described above to hackback is the notion of “property.” If you look back at the MPC defensive use of force to protect property provision I quoted above, it only lets you use force to protect “tangible, movable property.” Data is certainly movable, but we’d have to qualify it as “tangible” property for this provision to apply to online attacks; the drafters of the MPC most certainly were not thinking of intangible property like data when they wrote this provision, but if we could convince legislators to broaden the scope of self-defense statutes, that would not be a problem.

It seems, then, that we can apply the “defense of property” doctrine to hackback, at least in certain instances and with certain modifications to the traditional doctrine. The one condition a hackback-er would have to meet in order to invoke this defense is the issue noted above, i.e., that the use of defensive force was “immediately necessary.” This means the hackback-er had no other alternatives but self-help; and what that generally means is that it would have been futile for the hackback-er to have taken the usual route and contacted law enforcement. The “defense of property” doctrine is really meant to apply to instances in which there is a face-to-face confrontation between a perpetrator and a would-be victim that makes it impossible, or dangerous, for the potential victim to try to call police. The “immediately necessary” element means the victim had to act at that moment or face the loss of her property.

That element might not be a problem for some instances of hackback . . . instances in which the hackback-er interrupted a perpetrator who was in the process of carrying out an attack. That scenario conforms more closely to the scenario the defense of property doctrine was intended to encompass. Applying the doctrine becomes much more difficult if the hackback occurs well after the attack has been completed and the damage has been inflicted. That starts to look a lot more like simple retaliation – hitting back to punish someone who has already hurt you – than the defense of property doctrine. The rules governing the defensive use of force all assume the victim is trying to prevent or minimize the infliction of “harm” in an ongoing, volatile situation. They do not sanction cold-blooded revenge.

There are other problems with applying the laws governing the defensive use of force to hackback, one being the accuracy of the response. That tends to be less of a problem for real-world scenarios than for online attacks because, as I just noted, in real-world attacks the attacker and victim are face-to-face. The victim may err in estimating the need to use force (and the level of force used), but the victim is usually accurate in deciding whom the force should be used against. As I assume we all know, this is not true online; attacks can be vectored through computers in many locations, so if we were to sanction hackback we would either have to incorporate an “accurate identification of the perpetrator” element or limit it to confrontations arising from attacks in progress.

Since this post is already long, I’ll take up that issue and a related issue (automating hackbacks) another time.
