Monday, August 26, 2013

On the Ethics of Hacking

My favorite definition of "hacker" comes from golf: a determined, persistent, and self-taught amateur; an autodidact.  I have never quite trusted them to "call a stroke" on themselves.

Similarly, I have always been cautious about computer hackers. Too many of them get off on the power.  Hacking is addictive.  Many hackers seem to see the Internet as a playpen where they are engaged in a game of "Gotcha," a game where they score points by exposing or embarrassing others.

I came of age in the fifties, when computers were scarce and dear, when it took a team of us to get them to do anything useful, when one's access was a function of the trust one had earned by contributing to the team.

Last week we had another case of a self-described "ethical hacker" being convicted of a crime.  The man was a member of his country's parliament.  I am sure he thought of himself as a "good guy."  I have met few people in my life, no matter how corrupt, who did not self-identify as good guys.  Most hackers think of themselves as good guys and many good guys think of themselves as hackers. How then to stay out of jail?  I have a few suggestions.

As a judge, here are some of the questions I might ask to distinguish between so called "ethical" and criminal hacking.

Was the hacker engaged in gainful employment?  If no one is willing to pay for an activity,  it is at least questionable.  Professionals do not work without pay. It is unfair competition with other professionals.  It takes food from the mouths of one's children.

Was the activity authorized by the owner of the network, system, application, or data?  Is there a record of this agreement, a letter or a contract?  Does it spell out the content of, and the limits on, the activity?  Such a letter might keep one out of jail.

Was the activity covert?  Is there anyone from whom the hacker might wish to conceal it?  Did it involve fraud or deceit?  If the activity were discovered while it was ongoing, would it surprise, embarrass, or frighten anyone?  Would it trigger alarms?  If one is shamed by one's activity, one has already judged it.

Was the hacker accountable?  Supervised?  Was he acting as part of a team or working with at least one colleague who could act as a check on, or vouch for the legitimacy of, what was done?  Was a record kept?  Was it attested to by two or more parties? Acts authorized by one's employer are not always ethical; we settled that at Nuremberg. All unauthorized acts are not necessarily unethical. However, unilateral activity is always at least questionable.

Was data disclosed to anyone not already authorized to see it? While unauthorized disclosure might not be criminal, it is probably not ethical.

Was anything broken?  Did networks, systems, or applications stop working?  Was there a loss of availability?  Was there a loss of data integrity or confidentiality?  Trust?  Reputation?  Did the target, not to say victim, have to reallocate resources to remediation?  Did the target incur liability to others?

Was there any threat or coercion?  Were the results of the activity used to get someone to do something that they might not otherwise do, or to do something earlier rather than later?  Coercion is rarely ethical and often criminal.

Now, there are special cases.  Almost every hacker claims one or more of these as justification for otherwise anti-social, not to say sociopathic, behavior.   For example, some hackers lie.  Their rationale is that they have an authorization and are being paid to do it, usually by someone else for whom the lie would be unethical.  They claim that they must lie because rogue hackers do "social engineering," and they must test the ability of the target organization to resist it.  As with most ethical dilemmas, one has to decide for oneself.  However, I already know that social engineering works against most organizations.  I do not need to engage in it to satisfy myself on that issue.  

Many rogue hackers excuse their activity as "research."  However, much of it is outside the tradition of science.   Labeling an activity as "science" does not excuse otherwise unethical behavior.  Science is conservative; it does not make things worse.  It does not increase vulnerability, instability, or risk.  While there are destructive experiments, they break things that belong to the scientist, not the property of others.  That the scientist does not own, and cannot buy, a network of his own, does not justify experiments that break the public networks or the private networks of others. 

Another very special case is national security, espionage and sabotage, activity that would fail many of the tests above.  Since few of us are engaged in such activity and fewer still will be called to account for it, can we agree to leave this case for another day? 

Some claim "civil disobedience," appealing to a "higher good," admitting otherwise questionable, even criminal, behavior but claiming that it is justified.  Perhaps.  However, the burden of proof and responsibility is on them.

Professionals are confronted with difficult ethical dilemmas; it goes with the territory.  Even with scrupulous ethical tests, one professional presumes when he undertakes to judge another.  However, it also goes with the territory that we must be scrupulous in our own behavior.  We may not be slipshod in our own behavior or make cheap excuses for ourselves.

It is a mark of the immaturity of our profession that we must deal with so much questionable behavior and so many pretenders.  Physicians have separated themselves from "quacks" and lawyers from "shysters."  Not only have we not separated ourselves from our amateurs, hackers, we may secretly admire them and excuse them.  Indeed, I systematically qualify hacker with "rogue" so that I do not have to listen to my colleagues defend questionable activity.  I look forward to the day when hacker is on the same list as quack, shyster, shrink, and other pretenders.
