http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2001/10/03/ED75949.DTL

Jennifer S. Granick
Wednesday, October 3, 2001

WHEN TERRORISM hit home on Sept. 11, there was nothing "cyberterrorist" about it. Yet, the House is now considering a bill that would reclassify computer hacking as a terrorist offense if it is done to influence government action by intimidation or coercion, or to retaliate against government conduct.

The proposal, the PATRIOT (Provide Appropriate Tools Required to Intercept and Obstruct Terrorism) Act of 2001, increases the statute of limitations for hacking from five to 15 years. Those convicted could be sentenced to life in prison, and the federal system does not have parole. Another amendment would make those who give "expert advice" into terrorists themselves if they advised knowing that it may be used in the preparation or commission of computer hacking.

The spirit of national unity and the aching fear of terrorism foretell that some form of this bill or the Senate version will pass into law. The House is expected to vote on its version tomorrow. With that vote, I could become a terrorist, depending on how judges interpret the prohibition against giving "expert advice" to hackers.

I am a criminal defense lawyer who represents people charged with computer-hacking offenses. I also teach at Stanford Law School, examining how laws affect computer security, freedom of speech, privacy and scientific progress.

Legally speaking, hacking offenses are defined like trespass or burglary, an instance where the perpetrator illegally enters someone else's computer and intentionally causes damage. Technologically, there may be no walls, no passwords, no definitions, no clear boundaries.

Disgruntled ex-employees have been found guilty of computer trespass for sending unwanted e-mails complaining about the boss to their former co-workers, and companies have been held liable for using a software program to scan a public Web site for online auction prices. Before these rulings, many people would not have thought these things were crimes.

The proposed anti-terrorism law adds another layer of uncertainty to the already vague definition of criminal hacking. The bill singles out hacking "calculated to influence the conduct of government by intimidation or coercion, or to retaliate against government conduct."

I agree that coercing government action through fear is a terrible crime that subverts the very essence of democracy. But there have been hackers who have defaced Web pages to protest Indonesia's occupation of East Timor, or altered the New York Times Web site to protest a government decision to prosecute Kevin Mitnick. The public Web sites of the Department of Justice, the FBI and the CIA have all been hacked and vandalized in the name of online protest, in varying degrees of eloquence.

No important government functions were threatened, but the new terrorism law and its penalties would apply, since these acts were in retaliation to government policy. Whether you view "hacktivism" as criminal behavior or political protest, these offenders are, at most, digital vandals.

By focusing solely on the motivation of the hacker, and not on the capability of the hack to threaten health, safety or welfare and thereby to create fear, the proposed law fails to strike at the heart of terrorism, which is to cause terror.

And once hacking is terrorism, one who harbors or provides expert advice or material assistance to these people is also a terrorist. Since most computer-security tools can be used to both safeguard and crack a system, vendors should beware -- as should lawyers.

Hard as it is to believe that a lawyer could be investigated for providing advice to hackers, I believe it is possible. Before one presentation I gave a few years ago at a hacker conference in Las Vegas, the San Francisco FBI called me to warn me not to advise the attendees how to escape capture or to encourage them to break the law. And that was then. . .

I've been very critical of the current law against computer hacking because it doesn't distinguish between digital vandalism and something more serious, like breaking into the 911 system or taking over nuclear power plant computers. The new law compounds the problem.

Americans, myself included, fear future terrorist attacks. But if we make terrorists out of Web vandals, "hacktivists" or security-tool vendors, we will not be safer. In fact, security will suffer, and we will find the lesser criminals among us treated with an unearned harshness. There is no bargain here. We all would lose.

Jennifer S. Granick is the director of the Stanford Law School's Law and Technology Clinic.