A new breed of hacker is afoot. Having moved beyond targeting and shutting down websites, this hacker doesn’t do it for glory or money, but for political purposes.
Info-hacktivists like LulzSec, Antisec or the more widely known WikiLeaks and Anonymous are raising new questions about the legal issues applicable to publishing hacked information. Are there limits on the type of information that can be published? How do we balance the tension between freedom of speech and national (or even personal) security? What are the legal tools that can protect individuals and organizations from info-hacktivists?
A panel of experts addressed these issues last month at the USC Gould School of Law during a lunchtime event sponsored by the Cyberspace Law Committee of the California State Bar Association.
“Info-hacktivism is not for glory or money, but rather to make a political point and provide more transparency, with a presumed political end,” said USC Gould professor Jack Lerner, director of the USC Intellectual Property and Technology Law Clinic, which hosted the event. “This raises a lot of issues related to the security of information [and] related to the future of sensitive information.”
Lerner was joined by panelists Doug Thomas, a professor at the USC Annenberg School for Communication & Journalism and author of Hacker Culture (University of Minnesota Press, 2003); Chris Ridder, partner at Ridder, Costa & Johnstone LLP and fellow at Stanford Law School’s Center for Internet and Society; David Sarno, technology reporter for the Los Angeles Times; and Nathan Hochman, partner at Bingham McCutchen LLP and former assistant attorney general for the tax division of the U.S. Department of Justice.
Info-hacktivists delight in embarrassing people who have power, Thomas said, and in showing people in positions of authority that they are unable to keep their own information safe.
“There’s a way in which relating it to social issues gives it a kind of textured importance and depth that may have been missing from the prankster generation of 20 years ago,” he said. “Technology has become such a deep, embedded part of our lives that our reliance on it gives hackers something more meaningful to exploit.”
These hackers are not necessarily more skilled than their predecessors. In fact, some recent high-profile attacks were the result of someone accidentally or unknowingly handing over passwords.
“Another sort of trend that I see developing is attempts to intimidate or dis-incentivize people from stopping the hackers – a sort of self-preserving mechanism,” Ridder said.
This type of attack is seen in Anonymous’ hack of HBGary as the technology security firm prepared to reveal the identity of some of the group’s members.
Anonymous also recently committed a cyberattack on San Francisco’s Bay Area Rapid Transit website and released personal information on its riders and employees, an example that distills part of the discussion, Sarno said. On one side is the debate over when it is OK to suppress information or communication. On the other is the question of the harm caused by distributing information.
“You can see that on both sides of these questions, there are problems with holding back information and problems with disseminating information,” Sarno said.
While info-hackers only need one successful attack to achieve their objectives, the government must “get it right thousands of times” to identify and eradicate threats, Hochman said. The government can use tools like the Foreign Intelligence Surveillance Act, the Electronic Communications Privacy Act, the Wiretap Act, the Telecommunications Act of 1996, trade secret and copyright law, and the Espionage Act, although very few cases are actually brought under it.
“All these acts have a balance between the government trying to do what probably its primary function is, which is to protect public safety, and balance what we cherish the most, which is our First Amendment rights,” Hochman said.
One danger of info-hacktivism is that it can put people’s physical safety at risk by exposing their personal information to people who might wish them harm.
“It [goes] from [being] an interesting intellectual discussion that we’re having here, to real harm to real people that the government is obligated to try to prevent,” Hochman said. “How do you allow as much political speech to exist and create laws that allow that, but then draw the line somewhere and say we’re not going that far?”
In discussing the government’s checks on its own system, Hochman described the high level of scrutiny given to Foreign Intelligence Surveillance Act warrants sought by the government when agents want to access private information, calling the process “difficult” and “expensive” and acknowledging that citizens don’t hear “99 percent of what goes on in this country.”
“The biggest protection that the common citizen has is that the system is basically set up to do the checks,” Hochman said. “If the government wants to … use this evidence in a court of law or arrest someone or anything like that, at that moment it becomes public, at that moment the investigation comes out, and it can get tested.”
Sarno argued that there is a place in journalism for some leaked information and explained that, for legitimate publications, it is a gray area that requires analysis of the information and a long process of verification to find the truth without relying on leaks.
“If we’re in a world where 99 percent of the stuff that’s going on we don’t know about – which I agree [with] – there has to be more outlets than just the government prosecutors trying to find the truth, and the media is one of them,” Sarno said. “And one of the media’s tools is tipsters and leaksters, and so … our constant job is to evaluate the people that are giving us info and to be able to parse through what is good information, what are the harms of the information that is given to us.”
Info-hacktivists are causing a “dangerous” kind of erasure of the distinction between private information that one has the right to selectively reveal to the world and secret information that other parties may have a vested interest in knowing, Thomas said.
“Where security butts up against freedom, that’s where things get really messy,” Thomas said. “Free speech and secrecy, or free speech and privacy. I think those are spaces that tell us a lot about ourselves.”