Calling for a spectrum of intent in prosecuting hackers

Not having a spectrum of intent for prosecuting and even pursuing hackers--that ranges from the innocuous to the most malicious--is like having only one murder charge that doesn't take into account manslaughter or self-defense. Christina Gagnier, a lawyer leading the Intellectual Property, Internet & Technology practice at Gagnier Margossian LLP, says it is time we created such a spectrum.

In a talk hosted by O'Reilly Strata this week called "Sex. Drugs. Rock. And CODE: Hacking Cybersecurity," which was part of O'Reilly's Data Warfare webinar, Gagnier said cyber security is an area of the law with few rules, one driven by social norms rather than good law and policy. And that needs to change.

Gagnier specializes in social media, copyright and information privacy. She is a self-described practitioner of nerd law and is currently working on a book about hacker rights, as well as one on California politics. Although California is home to Silicon Valley, the problem of law for cyber security and hacking goes far beyond the state. It is an international problem in which the law hasn't kept up with technology, largely because legislators and lawyers know so very little about it.

Focusing her talk on the United States, Gagnier said that because technology trends run so far ahead of the law, and because members of Congress and people in most federal agencies don't understand the technology and its different uses, they try too quickly to legislate and solve problems based on insufficient information.

"When it comes to hacking and cyber security, these solutions are very reactionary. I find that scary because we tend to view the law as sacrosanct, something that has been well thought out and deliberated," Gagnier said. When it comes to hacking, in particular, she said thoughtful deliberation is far from reality. She called it irresponsible.

Instances of hacking and compromised systems get splayed out in the media and create a panic, she said. That creates a storm that ends up in legislation that hasn't been thought out. Not all breaches are created equal. Some are innocuous and involve little harm or intent, yet all instances are either prosecuted the same way or at prosecutors' discretion.

Most people's view of hacking hasn't evolved since the 1980s movie "WarGames," Gagnier said. It automatically gets associated with national security and the law responds accordingly, regardless of whether the hacking was done by a high school kid changing attendance records or a criminal stealing money from a financial institution.

"People are always in crisis [mode] when a system gets compromised. Immediately they want to take the most harsh approach in dealing with it," Gagnier said. Her focus is establishing, codifying, then protecting the rights of those who compromise systems.

"It is not a very popular topic because over the last couple of years, several instances of malicious hacking have occurred," Gagnier said.

WikiLeaks may be the most public example, but there was also the case referred to above regarding the innocuous hacking by 50 Berkeley high-school students who hacked into attendance records. "Although it was a joke, the school responded the way I feel the government is responding, which is taking a harsh response. Instead of educating the students on why that was a bad idea or taking a more rehabilitative response, it was suspension and expulsions," Gagnier said.

In the WikiLeaks case, the government response was to create panic by immediately putting it into a national security context, and a context where criminal penalties were being discussed. "By framing the conversation that way, everything that has happened since has had that same element whether it is a civil case where the Department of Justice is prosecuting or it is a criminal case: the harshest penalties are sought and the harshest penalties exacted," she said. "This is scary because if you are going to prosecute, you have to have an appreciation for when the instance is non-controversial or not. But the government associates hacking with WikiLeaks and acts disproportionately."

Rather than having its own laws, hacking is being prosecuted under a variety of laws depending on the institution being compromised. Despite a court ruling that says code is not physical property, people are being prosecuted under legislation such as the Economic Espionage Act or the Computer Fraud and Abuse Act, or a patchwork of state-level regulations.

"You would think with Internet being around so long we would have at least somewhat of a corpus of laws to deal with these issues, but in fact our cyber security legislation and frameworks are paltry," Gagnier said. "When you frame everything as national security the government has to be involved and we are prosecuting in a criminal context versus dealing with things in a civil environment where there are less harsh penalties."

The Computer Fraud and Abuse Act is the federal law under which popular Internet activist Aaron Swartz was being prosecuted before he took his own life. Gagnier said his case was an example of why the spectrum of innocuous versus malicious intent that is recognized by social norms, if not by prosecutors, needs to be matched by the same spectrum embedded in law. "After what happened to Aaron Swartz, if [that spectrum] had been in the law in the first place, perhaps that wouldn't have happened. Right now, intent is not a factor. Even if you are pranking, you will be treated the same as if you hacked into a bank and shared everyone's account information."

For more:
- see O'Reilly Strata Webcast
