More on the "Hacking Back" Defense:
I wanted to add one more round to the exchange Eugene and I were having about whether a defendant charged with a federal computer intrusion crime can assert a "hacking back" defense. I'm still of the opinion that defendants cannot assert such a defense, and I wanted to respond specifically to Eugene's most recent post about it. Specifically, I want to make two points. First, I'm not entirely sure a general defense of property defense doctrine exists as a default in federal criminal law, and second, if the doctrine exists I don't think it covers computer intrusions.
The reason I'm unsure that the "defense of property" defense exists as a Congressiional default is that the defense seems to be quite rare in federal court, and the cases appear almost entirely in a very specific context. Based on a quick Westlaw check, at least, I could only find about about 30 federal criminal cases that seem to apply it or discuss it at all. Further, those cases arise in almost entirely in a very specific context: a defense raised in a prosecution for physical assault. There's also a bit of homicide and one or other two crimes thrown in, but not much. Perhaps =a lot more cases exist beyond what I could find, but I couldn't find much — and what I found was quite narrow and applied only on in a very small subset of criminal cases. Clearly this doesn't rule out that Congress legislates all criminal offense against a general background norm of a "defense of property" defense being available, but I think it does shed some doubt on it.
Second, when stated as a defense in federal criminal cases, "defense of property" seems to mean only defense of physical property from physical access or removal. For example, in the context of the Model Penal Code's defense of property section, which has been influential in federal court applications of defenses, the provisions are available only "to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property . . . , [or] to effect an entry or re-entry upon land or to retake tangible movable property." MPC 3.06. (The MPC seems to treat the kind of interference with property that includes computer intrusions under a separate section, ยง 3.10, Justification in Property Crimes, which seems to foillow a different set of principles. Also, while you might think "entry" includes virtual entry, entry in the context of criminal trespass statutes are generally understood to mean physical entry.) Given that, it seems that whatever "defense of property" doctrine is established as a background norm when Congress creates a new criminal law, it doesn't seem to me to apply to computer attacks.
Anyway, I should stress that we don't yet have any cases on this, so both Eugene and I are guessing as to what courts would or should so based on the legal materials out there. It's a very interesting question. Finally, I'll just add further thoughts in the comment thread in the future, as I'm not sure a lot of readers are interested in this issue.
The reason I'm unsure that the "defense of property" defense exists as a Congressiional default is that the defense seems to be quite rare in federal court, and the cases appear almost entirely in a very specific context. Based on a quick Westlaw check, at least, I could only find about about 30 federal criminal cases that seem to apply it or discuss it at all. Further, those cases arise in almost entirely in a very specific context: a defense raised in a prosecution for physical assault. There's also a bit of homicide and one or other two crimes thrown in, but not much. Perhaps =a lot more cases exist beyond what I could find, but I couldn't find much — and what I found was quite narrow and applied only on in a very small subset of criminal cases. Clearly this doesn't rule out that Congress legislates all criminal offense against a general background norm of a "defense of property" defense being available, but I think it does shed some doubt on it.
Second, when stated as a defense in federal criminal cases, "defense of property" seems to mean only defense of physical property from physical access or removal. For example, in the context of the Model Penal Code's defense of property section, which has been influential in federal court applications of defenses, the provisions are available only "to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property . . . , [or] to effect an entry or re-entry upon land or to retake tangible movable property." MPC 3.06. (The MPC seems to treat the kind of interference with property that includes computer intrusions under a separate section, ยง 3.10, Justification in Property Crimes, which seems to foillow a different set of principles. Also, while you might think "entry" includes virtual entry, entry in the context of criminal trespass statutes are generally understood to mean physical entry.) Given that, it seems that whatever "defense of property" doctrine is established as a background norm when Congress creates a new criminal law, it doesn't seem to me to apply to computer attacks.
Anyway, I should stress that we don't yet have any cases on this, so both Eugene and I are guessing as to what courts would or should so based on the legal materials out there. It's a very interesting question. Finally, I'll just add further thoughts in the comment thread in the future, as I'm not sure a lot of readers are interested in this issue.
Related Posts (on one page):
The real thing that the government needs to do is make it a crime, punishable by 50 years in the federal pen, to spoof an e-mail address so that all spam can be returned to sender -- and to actively go after spammers. After all, if you can't locate a spammer, they can't get your money. Aggressive enforcement of a real threat, rather than no-fly lists.
If spam could be returned to sender, it would pretty much automatically clog up its own pathways.
But, you've got me thinking of technical questions about how to "hack back" at the various types of attack.
Through use of nmap or ethereal, the victim admin discovers an exploit on the library's computer that would allow him to quickly take it offline -- crash it -- putting an immediate end to the attack. Doing so would most likely have no effect that wouldn't be cured by a reboot.
It's Easter weekend, and the library is shut down. Responsible parties are unreachable, despite exhaustive efforts.
ORIN: Is it legal to remotely execute a command to crash the club computer?
What if it isn't the weekend, and the library happens to be close by. After an hour of explaining it to a hapless librarian fails, the admin just drives over and unplug the computer, having the exact same effect. Illegal?
(I realize there are millions of possible "what ifs," but this follows a classic DDOS pattern. I went through a similar experience in which ProtestWarrior was attacked. But in that situation, a university club's computer was hacked to serve as a proxy for a non-DDOS attack. We didn't take any action against the computer, but I'm not sure I could say the same if it had been a DDOS we were dealing with.)