Encouraging Hackers?

In our group discussion, we came upon an issue: the hacking community has greatly contributed to the development of the Internet. Hackers break into systems, do no harm, and report issues to the people who want them fixed. Should this attitude be encouraged? Should it be discouraged? Should the law leave it up to the potential victims to decide whether or not to sue? How can we separate it from the cracker issue? Is this separation even possible?

-- Anonymous, November 22, 1998

Answers

Wow, I had not realized how much had been written here!

To answer Kristina's last point, I don't think we want to make information so public by nature that keeping information private would require a renewal. This would *not* make private entities (like companies) very happy about being on the Internet (i.e. what if you forget to renew?).

Now, on a separate point, in current law, trespass is such that if the owner doesn't sue, nothing happens, right? If I walk onto somebody's land, only the owner of that land can sue me, right? So, I certainly don't think it should be any harsher in cyberspace. The trespasser should only be accused if the owner wants to sue.

So, the question is, in current law, it *remains* illegal for me to just walk onto somebody's land, even if I don't do any damage. I can still get sued. What happens then? What is my sentence? Whatever the answer, I think the same should apply in cyberspace. Entering is enough to get sued, without having to prove damages, but the owner is the one who sues.

Apart from all of this, I agree 100% with Michelle and Lydia. No matter what we do or say, no system will be completely secure. Ever. Hackers will continue to break in, and some will contribute their knowledge to improve the security of a system over time. Lauren, do you still think we should somehow do more than this? I'm not quite sure how...

-- Anonymous, November 25, 1998


I think we can make the assumption that hackers will always exist. No matter how hard-core the security of any system, there are "safe crackers" or "phone phreaks" or whatever. We have to establish security for other reasons. We can only assume that hackers will find their niche.

-- Anonymous, November 22, 1998

From my understanding of our discussion today, the following idea was proposed: It should be illegal to hack into a system, but social norms will dissuade network owners from suing hackers when no damage occurs. The rationale behind this is to utilize hacking as a resource as Ben described above. I think this is a very forward-looking way of approaching the topic. I would like to accept the idea of allowing hacking as a resource, but here are my problems with the suggestion:

1. This system opens the door for hackers to break into a system illegally and then expects system owners to take legal recourse only after they have been victimized and damage has occurred. I would prefer an architecture that prevents this damage from occurring rather than contributing to the vulnerability of the system. To use a bad analogy (that is not an entirely accurate comparison, but shows the point), I would rather avoid an unintended, but nonetheless harmful, car accident than win a multi-million dollar lawsuit for injuries suffered. (Really, I would!)

2. The system being hacked is clearly private space, according to the terms we have been defining, since barriers to entry exist. The hacker should not be in this space unless allowed, either explicitly or implicitly. Beating the system is not one of the accepted signals. This definitely goes against our goal of trying to make it clear who should be where and when.

3. This system encourages, or at least is neutral to, breaking the law. The ideal should not be to have laws and social norms in conflict. Why make a law we do not intend to use?

4. Hackers often like to brag about their accomplishments and share them with the hacking community (look at all the postings by hackers on the Web). This information could be used by people with malicious intentions to break into other systems.

5. It's not just about the security of the network; the security of all information contained within becomes vulnerable. Hackers do not have to damage the network or data to cause harm. They could simply "look around" and use information they find for harmful purposes in the real world (i.e. messing with financial statements). The victimized company may never know that it was a hacker who screwed them!

6. It is difficult to distinguish between hackers and crackers.

An alternate proposal:

1. Keep these systems private, legally and through norms. Make it illegal to hack or crack a system, and enforce this law. Hackers have no right to look around a private system even if they intend no harm (or intend to help).

2. Use markets and devote resources to testing and improving the security of a system. Let the hackers get paid for their services!

3. With current technology, system break-ins are inevitable. But our policy should not encourage unauthorized access of private space. Instead, we should work to deter this behavior.

-- Anonymous, November 23, 1998


Lauren,

You raise several good points, but I still think that the originally proposed regime works best.

>1. This system opens the door for hackers to break into a system illegally and then expects system owners to take legal recourse only after they have been victimized and damage has occurred. I would prefer an architecture that prevents this damage from occurring rather than contributing to the vulnerability of the system.

Here, I think you misstate the regime. It does not "expect system owners to take legal recourse only after they have been victimized." Rather, it expects system owners to do whatever they want. They can sue or they can not sue. Hacking is illegal, and the instant you do it, you create a cause of action that the system owner can choose to pursue, or not pursue, and either is perfectly fine and respected.

>To use a bad analogy (that is not an entirely accurate comparison, but shows the point), I would rather avoid an unintended, but nonetheless harmful, car accident than win a multi-million dollar lawsuit for injuries suffered. (Really, I would!)

What if the unintended, but nonetheless harmful car accident made you realize that there was a design flaw, prompting the car manufacturers to recall already-sold cars and correct the mistake in future cars, thereby avoiding multi-BILLION dollar damages that would have happened otherwise? This is what we are saying. The system owner may decide that whatever damage was caused by the hacker was worth it, because of the valuable information about security holes that he got in return. Obviously, if you (Lauren) were a system owner, you would sue his ass. But if the system owner decides he doesn't want to sue the hacker, and in fact is grateful to him, should he be FORCED to sue? No, because the law can't force victims to sue if they don't want to. And victims won't want to sue if they realize that they got more out of the supposed crime than they lost.

>2. The system being hacked is clearly private space, according to the terms we have been defining, since barriers to entry exist. The hacker should not be in this space unless allowed, either explicitly or implicitly.

Agreed. The law would clearly say "It is illegal to enter a private space." The hacker is breaking the law, yes. This is consistent with the proposed regime.

>Beating the system is not one of the accepted signals. This definitely goes against our goal of trying to make it clear who should be where and when.

I disagree -- in the proposed regime, the hacker WOULD know that he shouldn't go there. But he breaks the law anyway. He expects that the system owner will not sue him, but he knows that there's a chance.

You can lead a horse to water, but you can't make him drink. This applies to both the hacker and to the system owner.

>3. This system encourages, or at least is neutral to, breaking the law. The ideal should not be to have laws and social norms in conflict. Why make a law we do not intend to use?

Every law is discretionary. Sometimes the discretion is built into the actual language of the law; e.g., "the judge in his discretion may adjust the sentence upwards to a maximum of 20 years." Other times, the discretion is in the enforcement. Local prosecutors decide not to pursue at least 80% of the crimes they find out about, sometimes because they lack the resources, but sometimes because it just wouldn't be equitable. "Sure, this woman violated the 'Anti Trash-Digging' statute by rummaging through public trashcans, but she was just trying to help our community by collecting all the recyclable materials. So we're not going to prosecute her." Policemen let speeders go if they hear a compelling story ("I'm sorry, officer, I've been out of town for 6 months and I'm rushing home to see my wife for the first time since June."). It is well settled that if punishing the supposed "crime" would not advance the purpose of the law, then the crime should not be punished, because of (1) the chilling and demoralizing effect such formalistic enforcement has on the general public, (2) the waste of resources, and (3) general loss of respect for the law.

>4. Hackers often like to brag about their accomplishments and share them with the hacking community (look at all the postings by hackers on the Web). This information could be used by people with malicious intentions to break into other systems.

Yes, but then those other malicious people WOULD be prosecuted.

>5. It's not just about the security of the network; the security of all information contained within becomes vulnerable. Hackers do not have to damage the network or data to cause harm. They could simply "look around" and use information they find for harmful purposes in the real world (i.e. messing with financial statements). The victimized company may never know that it was a hacker who screwed them!

This is true, but it is true under both the proposed regime AND under your regime. This problem will always exist, and it is therefore not a fair count against the proposed regime.

>6. It is difficult to distinguish between hackers and crackers.

Yes. And that is exactly why the LAW shouldn't purport to do it, because the law will screw up more than the individual victim in each incident. The individual victim is in the absolute best position to determine whether there has been damage (even if the damage is simply moral outrage).

>An alternate proposal:
>
>1. Keep these systems private, legally and through norms. Make it illegal to hack or crack a system,

So far, so good.

>and enforce this law.

But what do you mean by this? Do you want to force the victim to sue the hacker? Do you want the state to prosecute the hacker, against the wishes of the victim? If so, how do you plan on putting on a case and getting a conviction without the cooperation of the victim? I think it's impossible to mandate enforcement. The proposed regime merely takes this into account.

>Hackers have no right to look around a private system even if they intend no harm (or intend to help).

Agreed. Once a hacker looks around a private system, the owner has a right to sue. This is consistent with the proposed regime.

>2. Use markets and devote resources to testing and improving the security of a system. Let the hackers get paid for their services!

This already happens. But as Lydia said, even with the best R&D teams working on developing system security, there will always be flaws.

>3. With current technology, system break-ins are inevitable. But our policy should not encourage unauthorized access of private space. Instead, we should work to deter this behavior.

Agreed. But the proposed regime suggests that there is an implicit authorization for well-intentioned hackers to access private space if for research purposes only (i.e. to research the system's flaws and report them to the system owner). Such activity, therefore, would not be "unauthorized access."

I think we have spent a lot of time on this issue. If you are still unconvinced, then in the interest of time I propose that we take a quick vote and adopt the majority viewpoint for the main text of our whitepaper. We should then drop a substantial footnote explaining the dissenting view. If people change their minds later, we can modify the paper accordingly. Or does everybody else want to keep debating?

- Michelle.

-- Anonymous, November 23, 1998


To answer Michelle's question about continuing the debate, I give my resounding YES!

I may be missing something, but I don't see how victims of hackers can be compensated for the hacker's unauthorized access if there is *no damage* caused by the hacker's entry. Civil suits by victims require proof of actual damages. There won't be any damages by a hacker who enters, looks around (assuming she doesn't profit from the information she obtains during the hack or facilitate anyone else profiting from this information) and reports the security or code flaw.

Let me explain:

Idea from Sunday discussion: "It should be illegal to hack into a system, but social norms will dissuade network owners from suing hackers when no damage occurs."

If it is illegal to hack -- even when no damage occurs -- then there is a criminal statute which prevents hacking (~ unauthorized access without damage). If there is a criminal statute against hacking, then hackers *who are detected* risk prosecution by the government entity which enacted the criminal statute, regardless of whether the victim decides to sue or not. If the hacker *admits* hacking (and admits having the intent required by the criminal statute), then she will be convicted in most cases, unless the district attorney decides that the case is not worth prosecuting (i.e. the crime is on the books, but the D.A. is just letting violators slide on this one; I think this is unlikely.) So if hacking is illegal, you can't expect it to be used to generate helpful information about problems in security systems or software. The social norms which made hacking illegal *should* encourage victims to sue (civil suit) if they can show damages because conviction under the criminal statute imposes social opprobrium on the hacker for her "bad act." If hacking does occur, you can't expect hackers to admit a criminal violation and risk prosecution by the government. Additionally, if there is no damage caused by the hacker, what damages could the victim receive by suing in civil court? There are no expenses for repair or replacement of property. There are no lost profits or commercial losses associated with the value of the post-hack property. De facto and de jure, the victim's only remedy is a criminal prosecution.

If our position is all unauthorized access is illegal, we should realize that we are essentially foreclosing hacking which causes no damage and does not facilitate (by the hacker or a third party) illegal use of data that can be observed during the hack. As a Texan, I believe strongly in individual autonomy and personal freedom so this regime would work for me. But linking back to our discussion with Lessig and Abelson and my comments then on digital rights architectures for IP ("it is *outrageous* to prevent an owner from strictly limiting access to her copyrighted materials through code"), many of us felt that it was important to allow some access to copyrighted materials in order to make society better off. I realize that a privilege to hack isn't fully comparable to the privilege of fair use (copyrighted materials are those with only commercial value and hackers are infringing on privacy interests as well as commercial interests), but fair use represents society's determination that complete propertization (is this a word?) of rights is a bad thing. If we allow individual determinations of what is private to set the rule for what is accessible, individual determination will trump any benefit to society of allowing hacking which exceeds the costs of this violation to individual rights.

I know we need clear rules for conduct, but we live in a complicated world. The Supreme Court has expressed disdain for "tidy" solutions and bright line rules in many areas of the law. I think we should clearly and carefully balance the interests at stake here. Do we believe that hacking without causing damage produces useful info which benefits society? I agree with the difficulties Lauren points out in her post. But I think an analysis of the interests at stake (commercial transactions which are viable and encouraged; free exchange of ideas on the Internet; preventing over-privatization and too widespread property rules) requires more than a footnote.

A POSSIBLE, PARTIAL SOLUTION: I believe that we should limit the amount of information that one can designate as "private" or create increasing costs to making more and more data private or maintaining a "private" designation over time (e.g. an individual is not able to declare something is private once and for all and forget about this decision thereafter; instead she must periodically reassess the 'private' designation, otherwise, the data becomes public.) I think this approach would encourage free exchange of information over time and make individuals aware of the continuing costs to the Internet as a whole of maintaining a private designation for info. I think this approach also supports a norm of allowing privacy on the Net if one takes specific actions.

Any comments? :-)

-- Anonymous, November 23, 1998



Ben, from my understanding of what Kristina told me yesterday (and please correct me if I am mistaken), the owners of land cannot sue for trespass itself. Trespass is criminally illegal, and the government can prosecute this crime. Owners of land can sue trespassers only when damage has occurred. Proof of damage is necessary in order for the owner of the land to have any claim. So, my question is: when we say we want to make hacking illegal, are we talking about criminally or are we just saying that the owner of the computer system only has a right to take civil action?

My other question is: what expectation of privacy does a group, such as a company, have when it connects to the Internet? Consider the case of a company that has a private network that they intend not to be viewed by the public in any way (I'm not talking about putting up a Web page, but merely having private information stored on computers). However, since the company uses these same computers to connect to the Internet for other purposes, hackers can now use these network connections as avenues to break into this completely private system. Are we saying that just by connecting to the Internet this company has opened itself up to outsiders viewing its private information (not on the Web, but in their private databases)? I think the company has every right to this privacy even if no "damage" occurs. Also, this violates our goals of (1) private space (ownership implies some right to establish privacy) and (2) privacy includes the right of self-determination.

I do not think we are as far apart on this issue as you seem to think. I think that if someone can answer these questions for me, it will be clearer in my mind. Thanks!

-- Anonymous, November 25, 1998


I was wrong in explaining trespass to Lauren. In real space, an owner of land can sue a trespasser for trespass in civil court, even when no damage is caused. This is in addition to criminal trespass statutes.

But the remedy for an owner against a trespasser who causes no damage is only *nominal damages* (i.e. a trivial sum like $.01 or $1). I have read that in special cases, the owner may be able to recover punitive damages from a trespasser where the owner can show that the trespasser knew that his entry was without the owner's consent and such entry was a complete disregard of the possessor's legally protected interest in exclusive possession of his land.

My original concern when I tried to explain trespass to Lauren and in my earlier posting was the limited remedy available to owners when the trespasser causes no damage. If the remedy is inadequate (as in nominal damages), then giving owners a right to exclude others from their property will not deter trespassers who can enter and cause no damages. (Of course the trespasser always risks causing damage and is liable for all actual damages caused (i.e. compensatory damages).) I will have to find and read the cases where punitive damages were awarded against trespassers who caused no damage but knew that their entry was against the owner's rights.

To read more on damages awarded in trespass, see below.

p.s. Lauren mentioned 'expectation of privacy' in her last post. This concept applies to criminal cases where the defendant invokes the 4th Amendment in order to suppress evidence obtained during a search or seizure. I don't think we should get into this much in our paper.

****Trespass***** (from American Jurisprudence) a. Actual and Nominal Damages [§§ 141]

§ 141. GENERALLY

In an action of trespass, the prevailing plaintiff is ordinarily entitled to an amount which will compensate him for actual damages sustained [FN36] as a direct result of the act of trespass, even though the damages were not sustained until some time after the act of trespass was committed. [FN37] Actual damages, sometimes called compensatory damages, are the damages awarded to a person as compensation, indemnity, or restitution for harm sustained by him. [FN38] A prevailing plaintiff in an action for trespass to real property is always entitled at least to nominal damages, [FN39] even in the absence of proof of injury and where the plaintiff is benefited by the trespass. [FN40] In an action seeking the recovery of damages for injuries to realty by innocent trespassers, the underlying purpose of the court is to compensate the owner for the injury received; [FN41] and, even the most innocent of trespassers is liable for nominal damages at a minimum. [FN42]

Definition: Nominal damages are those damages recoverable either where a legal right is to be vindicated against a trespass that has produced no actual present loss of any kind or where, from the nature of the case, some compensable injury has been shown but the amount of the injury has not been proved. For example, nominal damages have been defined as a trivial sum such as one cent or one dollar awarded to a plaintiff whose legal right has been invaded but who has failed to prove any compensatory damages. [FN43]

Distinction: Nominal damages are to be distinguished from compensatory damages on the one hand and from punitive damages on the other, in that they are granted irrespective of harm to the plaintiff or of a bad state of mind on the part of the defendant; they are intended neither to compensate the plaintiff nor to punish the trespasser. [FN44]

One who intentionally enters land in the possession of another is subject to liability even in the absence of harm. [FN45] On the other hand, one who trespasses unintentionally and negligently is not liable in damages, even though the entry causes harm, [FN46] except when engaged in an abnormally dangerous activity. [FN47]

-- Anonymous, November 26, 1998

