[ISN] Computer hacker -- vandal or terrorist?

From: InfoSec News (isnat_private)
Date: Thu Oct 04 2001 - 01:05:28 PDT

  • Next message: InfoSec News: "[ISN] Three Minutes with Rain Forest Puppy"

    Jennifer S. Granick 
    Wednesday, October 3, 2001 
    WHEN TERRORISM hit home on Sept. 11, there was nothing
    "cyberterrorist" about it. Yet, the House is now considering a bill
    that would reclassify computer hacking as a terrorist offense if it is
    done to influence government action by intimidation or coercion, or to
    retaliate against government conduct.
    The proposal, the PATRIOT (Provide Appropriate Tools Required to
    Intercept and Obstruct Terrorism) Act of 2001, increases the statute
    of limitations for hacking from five to 15 years. Those convicted
    could be sentenced to life in prison, and the federal system does not
    have parole. Another amendment would make those who give "expert
    advice" into terrorists themselves if they advised knowing that it may
    be used in the preparation or commission of computer hacking.
    The spirit of national unity and the aching fear of terrorism foretell
    that some form of this bill or the Senate version will pass into law.
    The House is expected to vote on its version tomorrow.
    With that vote, I could become a terrorist, depending on how judges
    interpret the prohibition against giving "expert advice" to hackers. I
    am a criminal defense lawyer who represents people charged with
    computer-hacking offenses. I also teach at Stanford Law School,
    examining how laws affect computer security, freedom of speech,
    privacy and scientific progress.
    Legally speaking, hacking offenses are defined like trespass or
    burglary, an instance where the perpetrator illegally enters someone
    else's computer and intentionally causes damage. Technologically,
    there may be no walls, no passwords, no definitions, no clear
    boundaries. Disgruntled ex-employees have been found guilty of
    computer trespass for sending unwanted e-mails complaining about the
    boss to their former co-workers, and companies have been held liable
    for using a software program to scan a public Web site for online
    auction prices. Before these rulings, many people would not have
    thought these things were crimes.
    The proposed anti-terrorism law adds another layer of uncertainty to
    the already vague definition of criminal hacking. The bill singles out
    hacking "calculated to influence the conduct of government by
    intimidation or coercion, or to retaliate against government conduct."
    I agree that coercing government action through fear is a terrible
    crime that subverts the very essence of democracy.
    But there have been hackers who have defaced Web pages to protest
    Indonesia's occupation of East Timor, or altered the New York Times
    Web site to protest a government decision to prosecute Kevin Mitnick.
    The public Web sites of the Department of Justice, the FBI and the CIA
    have all been hacked and vandalized in the name of online protest, in
    varying degrees of eloquence. No important government functions were
    threatened, but the new terrorism law and its penalties would apply,
    since these acts were in retaliation to government policy. Whether you
    view "hacktivism" as criminal behavior or political protest, these
    offenders are, at most, digital vandals.
    By focusing solely on the motivation of the hacker, and not on the
    capability of the hack to threaten health, safety or welfare and
    thereby to create fear, the proposed law fails to strike at the heart
    of terrorism, which is to cause terror.
    And once hacking is terrorism, one who harbors or provides expert
    advice or material assistance to these people is also a terrorist.
    Since most computer- security tools can be used to both safeguard and
    crack a system, vendors should beware -- as should lawyers.
    Hard as it is to believe that a lawyer could be investigated for
    providing advice to hackers, I believe it is possible. Before one
    presentation I gave a few years ago at a hacker conference in Las
    Vegas, the San Francisco FBI called me to warn me not to advise the
    attendees how to escape capture or to encourage them to break the law.
    And that was then. . .
    I've been very critical of the current law against computer hacking
    because it doesn't distinguish between digital vandalism and something
    more serious, like breaking into the 911 system or taking over nuclear
    power plant computers.
    The new law compounds the problem.
    Americans, myself included, fear future terrorist attacks. But if we
    make terrorists out of Web vandals, "hacktivists" or security-tool
    vendors, we will not be safer. In fact, security will suffer, and we
    will find the lesser criminals among us treated with an unearned
    harshness. There is no bargain here. We all would lose.
    Jennifer S. Granick is the director of the Stanford Law School's Law
    and Technology Clinic.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 03:01:20 PDT