Computer hacker -- vandal or terrorist?

[InfoSec News <isn () c4i org>]

http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2001/10/03/ED75949.DTL

Jennifer S. Granick 
Wednesday, October 3, 2001 

WHEN TERRORISM hit home on Sept. 11, there was nothing
"cyberterrorist" about it. Yet, the House is now considering a bill
that would reclassify computer hacking as a terrorist offense if it is
done to influence government action by intimidation or coercion, or to
retaliate against government conduct.

The proposal, the PATRIOT (Provide Appropriate Tools Required to
Intercept and Obstruct Terrorism) Act of 2001, increases the statute
of limitations for hacking from five to 15 years. Those convicted
could be sentenced to life in prison, and the federal system does not
have parole. Another amendment would make those who give "expert
advice" into terrorists themselves if they advised knowing that it may
be used in the preparation or commission of computer hacking.

The spirit of national unity and the aching fear of terrorism foretell
that some form of this bill or the Senate version will pass into law.
The House is expected to vote on its version tomorrow.

With that vote, I could become a terrorist, depending on how judges
interpret the prohibition against giving "expert advice" to hackers. I
am a criminal defense lawyer who represents people charged with
computer-hacking offenses. I also teach at Stanford Law School,
examining how laws affect computer security, freedom of speech,
privacy and scientific progress.

Legally speaking, hacking offenses are defined like trespass or
burglary, an instance where the perpetrator illegally enters someone
else's computer and intentionally causes damage. Technologically,
there may be no walls, no passwords, no definitions, no clear
boundaries. Disgruntled ex-employees have been found guilty of
computer trespass for sending unwanted e-mails complaining about the
boss to their former co-workers, and companies have been held liable
for using a software program to scan a public Web site for online
auction prices. Before these rulings, many people would not have
thought these things were crimes.

The proposed anti-terrorism law adds another layer of uncertainty to
the already vague definition of criminal hacking. The bill singles out
hacking "calculated to influence the conduct of government by
intimidation or coercion, or to retaliate against government conduct."
I agree that coercing government action through fear is a terrible
crime that subverts the very essence of democracy.

But there have been hackers who have defaced Web pages to protest
Indonesia's occupation of East Timor, or altered the New York Times
Web site to protest a government decision to prosecute Kevin Mitnick.
The public Web sites of the Department of Justice, the FBI and the CIA
have all been hacked and vandalized in the name of online protest, in
varying degrees of eloquence. No important government functions were
threatened, but the new terrorism law and its penalties would apply,
since these acts were in retaliation to government policy. Whether you
view "hacktivism" as criminal behavior or political protest, these
offenders are, at most, digital vandals.

By focusing solely on the motivation of the hacker, and not on the
capability of the hack to threaten health, safety or welfare and
thereby to create fear, the proposed law fails to strike at the heart
of terrorism, which is to cause terror.

And once hacking is terrorism, one who harbors or provides expert
advice or material assistance to these people is also a terrorist.
Since most computer- security tools can be used to both safeguard and
crack a system, vendors should beware -- as should lawyers.

Hard as it is to believe that a lawyer could be investigated for
providing advice to hackers, I believe it is possible. Before one
presentation I gave a few years ago at a hacker conference in Las
Vegas, the San Francisco FBI called me to warn me not to advise the
attendees how to escape capture or to encourage them to break the law.
And that was then. . .

I've been very critical of the current law against computer hacking
because it doesn't distinguish between digital vandalism and something
more serious, like breaking into the 911 system or taking over nuclear
power plant computers.

The new law compounds the problem.

Americans, myself included, fear future terrorist attacks. But if we
make terrorists out of Web vandals, "hacktivists" or security-tool
vendors, we will not be safer. In fact, security will suffer, and we
will find the lesser criminals among us treated with an unearned
harshness. There is no bargain here. We all would lose.

Jennifer S. Granick is the director of the Stanford Law School's Law
and Technology Clinic.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.