PFIR - People For Internet Responsibility
PFIR Statement on Hacking

March 5, 2000

Greetings. A common characteristic of many cultures is to largely ignore problems so long as the mainstream population doesn't seem to be inconvenienced or otherwise impacted. But often there are sudden and dramatic, knee-jerk reactions when such troubles eventually spread to the population at large, or especially if they affect its more powerful interest groups. In the rush to "do something" that follows, common-sense views of proportionality, balance, and fairness are often left far behind.

This phenomenon is becoming increasingly apparent in the trend of recent legislation and calls for increasingly harsh penalties for all forms of computer trespass or interference, often seemingly without a clear understanding or delineation of the various forms of such abuse and their varying goals and impacts. The word "hacking" has now come into general use as the term describing all such computer-related offenses, although years ago "hacking" was a completely benign description of dedicated computer programming work, without any negative connotations.

Unfortunately, the criminal justice systems in some countries, particularly in the U.S., have become increasingly less willing to distinguish between various classes of offenders, preferring simpler "one size fits all" approaches in many situations. This is also viewed (often incorrectly) as a cheaper alternative than dealing with such problems on a more individualized basis.

This is exemplified in the extreme by the trend to treat ever younger persons (that is, children) as adult criminals, subject to long periods of incarceration and even the death penalty. Many earlier generations would likely have found such an attitude perplexing, since they usually viewed most criminal offenses on the part of children to ultimately be a failure of their parents or other responsible adults. This of course is now an unpopular notion in many venues, in an era where "three-strikes" laws have resulted in life prison sentences for stealing a piece of pizza.

So it was to be expected that we'd see similar "get tough" policies being proposed for hacking, even for very youthful offenders. The problem is that all hacking is not created equal. A teenager who defaces a Web site with slogans (one of the most common forms of hacking) is the functional equivalent of a kid spraying graffiti on private property. Both actions are highly undesirable, obnoxious, and indeed criminal. But hacking of this sort does not rate the same degree of punishment as someone using the Internet to steal credit numbers, commit fraud, and generally enhance their own financial and material wealth at the expense of others. Denial of service attacks, where attempts are made to interfere with other persons' access to systems, would seem to fall somewhere between these two extremes in many cases.

Often a financial argument is used to elevate "defacement" hacking to the level of extreme felonies. It's suggested that vast sums were spent fixing the hacked sites (often installing basic security measures that should have been present in the first place) or that losses due to public embarrassment and theoretical "lost sales" are the equivalent of armed robbery. It would be wise to view many such comparisons with significant skepticism.

Let's be clear about this. Nobody is suggesting that deliberate interference with computer systems should be ignored or forgiven without suitable punishment. The fact that so many sites have inanely weak security, and that other sites may arguably glamorize defacement hacking by providing a permanent mirror of defaced pages, does not excuse the acts. But society needs to maintain a sense of proportionality that understands Internet defacement, denial of service attacks, and fraud to be three separate kinds of acts, each with varying goals and deserving of different sorts of sanctions depending upon the specific circumstances.

The Internet is massively increasing the ability of individuals, sitting alone in quiet rooms, to purposely or "unthinkingly" perform activities that they probably never would have become involved in without the pseudo-isolation that the net seems to offer. Some persons who never would have become involved with such despicable activities as child pornography or fanciful physical threats in the "real world" have engaged in such actions in cyberspace, and have found themselves subject to real-world punishments. This is certainly an area worthy of considerable discussion and study.

Adults need to take more personal responsibility for both themselves and the children in their charge, both at home and at school. Plopping a kid down in front of a computer for hours at a stretch without guidance, or depending upon arbitrary, unreliable, and counterproductive filtering programs in a vain attempt to somehow automate the supervisory process, is the height of irresponsibility. It's little better than handing a young child a running chainsaw and then bemoaning the resulting damage and injuries. Internet access can be a powerful tool for both good and ill. To use it responsibly and ethically requires education. As adults, it's our job, and our responsibility, to see that this learning process takes place.

Regardless of whether we're dealing with children or adults, we need to reestablish proportion and balance in how we deal with Internet hacking. The truly serious Internet-related crimes must be treated as such. But the ones that, when realistically appraised, are really more minor need to be treated differently--especially when dealing with youngsters. It is morally wrong to put such children in the same felony categories, and in some cases the same chains and cells, as violent criminals and persons who have personally enriched themselves through serious crimes. To do so is to destroy lives that could likely be easily redeemed, and to foster a tremendous waste for society at large.

Lauren Weinstein
Co-Founder, PFIR - People For Internet Responsibility
Moderator, PRIVACY Forum
Member, ACM Committee on Computers and Public Policy