The suicide of a cyber activist this week has made big waves in the American news media, and around the world.
Aaron Swartz was an idealistic young man who helped develop the specifications for RSS at the tender age of 14, helped build the popular bookmarking site Reddit, and became a leading figure in tech activism. But after hacking into a commercial academic database and releasing large parts of it into the public sphere Swartz found himself under investigation by the FBI, and facing a federal trial on serious criminal charges. Where he convicted Swartz could have faced up to a $4 million fine and 35 year in jail. But rather than facing these charges, Swartz chose to take his own life.
Most seem to agree that Swartz’s actions were neither malicious or harmful. He was an idealist trying to make the world a better place – and even MIT whose databases he hacked did not wish to pursue a civil case against him, and have now launched an investigation into their actions leading up to the hacktivists suicide.
This case raises some serious issues. Hacktivism is still a relatively new phenomenon, and there has been no serious debate about how governments, law enforcement agencies, and courts should deal with it. I do not have the answers myself, but I think the debate is an important one and would like to contribute in my own small way. The aim of this article is to take a broad look as some of the issues – and then ask for your opinions. At the end of the day, there are no right or wrong answers to the questions raised by this case, only our own preferences and opinions. So please do leave a comment at the bottom of the page, I beg you, because it is your opinions which count.
Hacktivism – or hacking into networks and computers without permission in the name of activism – is currently treated as a crime. It can be prosecuted under a range of different laws relating to computer abuse, information theft, invasion of privacy and so on. Many hacktivism attacks target private companies or individuals, and they often involve the theft of information which is then released into the public domain. There is no ‘robin hood’ defense when it comes to other forms of crime – ie if you steal $100 and give it all away, you should still be prosecuted as a thief. So there is a strong argument that the current situation is appropriate.
Even if that were the case, however, there is urgent need for guidelines to help law enforcement decide whether to follow a prosecution, and to distinguish between hacktivism and more malicious computer abuse when it comes to sentencing. There are few who would agree that a potential sentence of 35 years would have been justified in the case of Aaron Swartz.
Hacktivism as Terrorism
Private companies are not the only ones who have been targeted by hacktivists; governments have been targeted too. The most famous hacker group in the world – Anonymous – have ‘declared war’ on the state of Israel and Syria. Political campaigns such as these risk moving beyond normal crime, into the realms of treason and terrorism.
Cyber war is playing an increasingly large role in national security, and this is only likely to increase further. If hackers present a serious threat to critical government infrastructure, then then they could increasingly be seen within the same bracket as physical terrorists. The anonymous nature of these things means that it is not possible to distinguish between an idealist in his bedroom with altruistic motives, and a raid by a foreign state or attack by a terrorist organisation. So perhaps all serious cyvber attacks should be treated as terrorism?
The Public Interest Defense
In the United Kingdom there is a well established legal defense called the ‘public interest’ defense. This law was formulated to protect journalists from being prosecuted for carrying out investigations into the government or public figures. It provide media organisations with a potential exemption from certain laws and regulations (such as slander, or freedom of information rules) if they can demonstrate to a judge that they were acting in the public interest.
Perhaps it is time to expand the public interest defense to hacktivists? Perhaps it is also time for other countries, such as the United States, to start recognising the public interest defense in their laws? If a hacker is sharing the information which they take with the public via the internet, then they are effectively becoming news publishers. This means that there would be no great distance between the current use of the public defense law in the UK and its potential use by hacktivists.
Of course this would not be without problems, however. You just need to look at the scandals which have hit the UK news media in recent years. The biggest of these were actually hacking related – journalists started using phone hacking so routinely that it became standard practice in some quarters of the press to hack the phones of every celebrity and public figure that they could get into. Of course very few of these cases would have been able to successfully use the public interest defense – but that is not the point. The point is that this law led to a culture amongst the press in which many felt they were above the law, and could act as they pleased. Encouraging the same culture amongst hackers would be a very dangerous thing indeed. But does that mean it shouldn’t even be considered?
Please do share your opinion in the comments below.