I much appreciate Orin's posts on the subject, and I should note again what I noted at the outset — there are quite plausible policy arguments for barring "hacking back" even when it's done to defend property against an ongoing attack, and Orin has expressed some of them in the past. That an action falls generally within the ambit of an existing defense, or is closely analogous to an existing defense, doesn't preclude the conclusion that we should nonetheless bar the action because of special problems associated with it.
Nonetheless, I do disagree with two parts of Orin's analysis. First, it seems to me that the defense-of-property defense has indeed been recognized as part of a general class of common-law defenses — including justifications such as self-defense and defense of others, and excuses such as duress or insanity — that are by default accepted in all jurisdictions, or at least all jurisdictions that have not expressly codified their defenses. (I say "by default"; they may be expressly statutorily precluded, as a few states have done as to insanity.) Robinson's treatise on Criminal Law Defenses describes it well, I think:
Every American jurisdiction recognizes a justification for the defense of property. The principle of the defense of property is analogous to that of all defensive force justifications and may be stated as follows: ... Conduct constituting an offense is justified if:
(1) an aggressor unjustifiably threatens the property of another; and
(2) the actor engages in conduct harmful to the aggressor
(a) when and to the extent necessary to protect the property,
(b) that is reasonable in relation to the harm threatened.
More generally, defense of property, self-defense, and defense of others are generally treated by the law more or less similarly, though subject to the general principle that defense of property will generally not justify the use of lethal force. I have never seen in any case, treatise, or other reference any indication that federal law differs from this, and rejects the notion that defense-of-property is a general default.
I agree with Orin that the defense has been rare. But I suspect that it is rare because defense of property generally doesn't authorize the use of deadly force, and because use of supposedly defensive nondeadly force is less likely to draw a federal prosecutor's attention than the use of supposedly defensive deadly force. The typical nonlethal defense of property scenario — someone says I punched him, and I claim I did this in order to keep him from stealing my briefcase — just isn't likely to end up prosecuted by the local U.S. Attorney's office, even if there's some reason to doubt my side of the story.
Second, Orin points to the Model Penal Code as evidence that "when stated as a defense in federal criminal cases, 'defense of property' seems to mean only defense of physical property from physical access or removal"; and the MPC does define defense of property as limited to "use of force upon or toward the person of another ... to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property ..., [or] to effect an entry or re-entry upon land or to retake tangible movable property" (plus provides for a related but different defense in § 3.10).
But the MPC seems to define defenses in a way that's focused on those crimes that the MPC covers. For instance, the MPC's self-defense provision literally covers only "the use of force upon or toward another person"; it would not cover imminent self-defense as a defense to a charge of being a felon in possession of a firearm (though no such crime is defined by the MPC in the first place). Yet federal law does recognize this. Likewise, state cases recognize self-defense as a defense to the use of force against an animal, when the use would otherwise be illegal (I could find no federal prosecutions involving the question).
Now perhaps the answer is that federal law would reject even self-defense as a defense to non-physical-force crimes, and that the defense in felon-in-possession cases is actually a species of the necessity defense. But if that's true (which isn't clear, since it's not even clear that federal law recognizes a general necessity defense), then one could equally argue for digital self-defense under the rubric of necessity.
Likewise, while Orin brackets § 3.10, that might very well be the defense-of-property provision (though labeled by the MPC under the more general rubric of "justification in property crimes") that an MPC-following federal court might adopt, if it chooses to take a narrow view of the common-law defense-of-property defense. Section 3.10 generally allows "intrusion on or interference with property [when tort law would recognize] a defense of privilege in a civil action based [on the conduct]," unless the relevant criminal statute "deals with the specific situation involved" or a "legislative purpose to exclude the justification claimed otherwise plainly appears." And the common law has generally recognized defense of property as a privilege in civil actions. (See, e.g., Restatement (Second) of Torts § 79, which allows even nonlethal physical force against a person when necessary to terminate the person's intrusion on your possession of chattels. That doesn't literally cover use of nonlethal electronic actions against a computer, but the point of common-law defenses is that they are applicable by analogy; the Restatement is thus a guide, not a detailed code to be followed only according to its literal terms even in novel situations.)
So we have to remember, it seems to me, that the federal law of criminal defenses is common law, borrowing from both the substance of the traditionally recognized common-law defenses, and from the common-law method, which involves reasoning by analogy. The common-law method also allows analogies to be resisted, if the new situation is vastly different from the old; and of course Congress can trump common-law defenses by statute. But the background remains that there's a common-law defense of defense of property (buttressed, where necessary, by the necessity defense, and to the extent one is influenced by the Model Penal Code, by § 3.10's borrowing from the common-law tort defenses), and that there's no reason to think that federal law takes a narrow view of this defense.
Can you point me to caselaw that reflects your view that "the federal law of criminal defenses is common law, borrowing from both the substance of the traditionally recognized common-law defenses, and from the common-law method, which involves reasoning by analogy"? I see your view as contrary to the Supreme Court's teachings in both Dixon in 2006 and Oakland Cannabis in 2001. Can you point me to the cases that have informed your different view?
Here's a comparable case involving tangible property. Suppose that my neighbor leaves the water running in his stoppered sink and goes away for the weekend, and suppose we live in an area in which the ground is not very absorbent, so that eventually the water flows out of his house and threatens to flood mine. Suppose further that his house has no external water shutoff. Am I justified in breaking and entering for the purpose of shutting off the tap so as to prevent damage to my own property? (To make this a matter of federal law, I suppose we have to locate this on a military base, Indian reservation, or national park.)
Here's the passage from the Cannabis Buyers' Cooperative case, on applying the necessity defense to medical marijuana usage. The Court states: The Court went on to conclude that even if there is a necessity defense, it doesn't apply in that case. As I see it, this passage seems in considerable tension with your view of federal defenses.
Even if the court does import tort defenses, doesn't that just move the question to whether one is liable in tort for digital self-defense? Have any state cases turned on this? The MPC move may put us in a more common law-ish area, but I'm not sure it changes the outcome.
I agree with Orin that the defense has been rare. But I suspect that it is rare because defense of property generally doesn't authorize the use of deadly force, and because use of supposedly defensive nondeadly force is less likely to draw a federal prosecutor's attention than the use of supposedly defensive deadly force. The typical nonlethal defense of property scenario -- someone says I punched him, and I claim I did this in order to keep him from stealing my briefcase -- just isn't likely to end up prosecuted by the local U.S. Attorney's office, even if there's some reason to doubt my side of the story.
You can't always discern the state of the law "on the ground" from the published opinions.
This looks mighty like the sort of "What if?" abstract theorizing, with common sense carefully excluded, found only in law schools.
Consider limiting this to civil torts.
I completely agree that the absence of cases from 99.9% of Congress's statutes doesn't mean the defense doesn't exist in some or all of those statutes. But Dixon calls for an inquiry into what Congress was likely thinking at the time the statute was enacted, which I think makes the absence of cases relevant. My thinking is that the presence or absence of cases is relevant under Dixon as an indicator of the albeit-largely-fictional Congressional intent, not whether the defense actually exists in those other statutes.
No one here is arguing the position you are imagining. Both Eugene and I agree that defense of property is available in that context, as courts have held.
There's a simpler, vastly more entertaining way to resolve this conundrum. Thunderdrome: two law professors enter, one law professor leaves.
A retired sheriff's deputy operated a motorcycle shop which had a wide clientele, including doctors, lawyers and a judge. His son was operating it when two dangerous looking dudes came in and seemed to be casing it. He called his father and told him of this, and was ordered to call 911 immediately. The father rushed to the store and walked in just as one of the two seemed to be pulling a weapon.
The proprietor pulled his own gun and yelled "Freeze!", but the dude kept pulling and was promptly shot and killed. Then the proprietor put his gun on the other guy and told him to "Freeze!", which order was obeyed. Then local law enforcement arrived. The recently deceased was found to be indeed holding a gun in his rapidly cooling hand, and blood tests showed he was tanked out of what little mind he had by methamphetamines. The survivor admitted that a robbery had been planned.
The local DA, now retired, ordered that the storeowner be prosecuted for manslaughter. The reasoning was that he, as a retired officer, had a duty not to shoot until the perpetrator's gun had clearly appeared, and that the doctrine of defense of property did not apply.
I have minimal criminal law experience. But I was at Hastings during Larry Eldredge's last year there, and remembered the defense of another doctrine from his Trials of a Philadelphia Lawyer - its anecdote mentioned a black serviceman winning acquittal after knifing several men to death who had attacked a friend.
So, upon discovering the trial of this retired officer in progress in a law & motion department I was covering, I asked the judge if the defense of another doctrine had been raised concerning the defendant's fear that his son might be killed by the armed robbers. It hadn't, so I did some quick research on it and got off a memo to the judge with a copy of the pertinent jury instruction. He then raised the issue in conference, and the defense counsel, Kirk McAllister of Modesto, California, won the jury with it.
There isn't any. This was prosecutor discretion, exercised to punish this shopowner for using a gun in defense of his property, and to deter others from doing so.
We'll never know if the DA would have prosecuted given knowledge of the defense of another doctrine, because the experienced criminal defense attorney as well as the elected and deputy DA's had never thought of the possibility that the defendant might have been protecting his son. Until I pointed it out.
Going out of your way to point out the defense to the trial court is a level of professionalism to which all should aspire.
First of all, if this was an attack to the degree that it'd be worth doing something, chances are systems would be facing SERIOUSLY diminished resources. Those resources better be used to protect data, protect the systems, end the attack, figure out what happened, and preserve evidence. Hacking back does not assist in any of these goals, except maybe stopping the attack. However, I'd argue stopping the attack is NOT the most important step--protecting information is. No matter the attack, if an admin is nearby, it can be easily stopped.
Even if it is a DDOS, a firewall rule can be set up to kill the packets. Firewalls do not have to be set up to block IP addresses, they can be set up to block types of packets. Presumably, one would be able to use the attacking packets to form a rule to stop the attack. If the attack was bad enough, one could pull the system offline. Sure, at first glance, no admin wants to take this suggestion to his boss--especially if you are an admin for Amazon. But, this may be the best way to prevent the least amount of damage. Then use a dedicated box to figure out where the attack is originating, do a whois, and start contacting Service Providers.
There is also a huge difference in the time and effort necessary for the shopkeeper from pulling a gun from behind the counter and ordering the would-be shop thief to the ground and the network admin creating a counter attack. I'd much rather be ensuring my data integrity and stopping an attack than trying to start a counter attack.
I am not saying one should, before using force to protect property, make sure he has no other options. But, for this situation, no property is really in danger.
First of all, this is not a regular attack. Most attacks are not brought with extortion and communication from the attacker. With that said, I'm sorry, I am going to have to disagree with the way in which they handled it. First of all, their security was less than great. You cannot expect off the shelf products to secure a system that people want to attack. Prevention is the best bet. Also, the better your prevention, the better the chance you will have to stop an attack in progress.
Second, they contacted their ISP and admittedly didn't give much credibility to the threat. A definite no-no in info.sec. Even after the attack started, they attempted to get their own ISP to assist--yet there is no mention of attempting to determine who the attacker was, and trying to get them shut down. It was days before they attempted the attack back approach, and from the looks of it, they lost a lot of money anyway.
Especially since they had communications from the attackers, they should have been trying to locate the attacker and get it stopped. I understand the reasons why a company may not want to involve LE, but in this case they absolutely should have. Those emails could have been traced. Would it have been difficult? Absolutely. But it could be done, and they could have gotten the attacker's ISP shut down.
Just because there IS a way to do something, doesn't mean that it should or is legal to be done that way. I know one has the ability to fight back, but it seems to me there are other (read better) solutions. Of course it also depends on what kind of system you are protecting. I was thinking more a data-bank rather than disrupting E-Commerce, but vigilantism is rarely the most efficient solution.
As a society interested in maintaining the rule of law how can we tolerate such a situation? Is the officer really supposed to holster his weapon so that he can increase the danger to himself attempting to effect physical restraint? The purpose of arming our police is so that they have an advantage over many criminals (who too might be armed, but are usually less adept at weapons usage).
If we want to live like the Europeans, where property theft is rampant, criminals are rarely caught, if caught, rarely suffer significant penalty, then this is the way to go. Theft of my property is an incredible invasion of my privacy, right to ownership, and sense of security. I damn well expect the police to use all necessary force, including lethal force, in protecting my property. And if the police are unavailable, then I'm sure he was lunging toward me, reaching for a weapon, and swinging whatever was in his hands.
If we allow property crime to be a risk free career then we must expect much more of it in the future.
gasman: Yes. I would much prefer to let criminals go (until tracked down) in the extremely rare situation (no partner, no backup, lawyer criminal with faith in police ethics) you describe than to institute a death penalty for stealing a car stereo. Or even worse giving the police great discretion in who to kill. Especially given the possibility for error (say you have a deaf thief).
What's the justification for making property crime special? Why not let the police shoot the individual they find deleting child porn, shredding evidence or refusing to comply with lawful police orders? Even if for some reason you restrict the rule to just ongoing thefts this still gives the police a troublingly broad discretion about when to use potentially lethal force. Discretion which, like many split second decisions, will likely be influenced by racial prejudices and cultural stereotypes.
Not only would this sort of discretion result in the deaths of more criminals (plus any mistakes) it would radically increase the resentment of the police in poor and minority communities which in turn would stunt the ability of the police to catch criminals. Also more police will be killed by people (reasonably) angry that their brother was shot to save a TV.
Ultimately balancing the badness of a crime against the severity of the punishment and the powers we give law enforcement to catch the bad guy is at the heart of making a legal system. We pay people to be in a professional police force exactly so they will take risks to enforce the laws in a professional and humane fashion. Of course this means the police must take greater risks, if we didn't demand they behave humanely we could do away with undercover agents and simply pick up a low level mobster/drug cartel member and torture them until they gave us the information we want.
I don't know why I spent so many electrons replying to this absurd suggestion (unless of course it was very subtle sarcasm about taking property rights too seriously). I mean the fact that we don't let police behave this way now and never did and our crime rate isn't as high as Europe's immediately shows your argument to be invalid.
18 USC 1030 wrote: When they initially contacted LE, after the first "demonstration" attack, LE advised them to pay the extortionist. They did. It didn't really help. The attacks continued after a brief interlude, and LE couldn't trace the attacker even with a controlled payment drop.
As to trying to locate the attackers, they maintained contact with the extortionist through ICQ, logged and traced them, and identified the attacker to LE.
Three things seem apparent in the article:
First, the attackee definitely was not prepared for such attacks before they occurred.
Second, LE couldn't locate the extortionist even after the attackee made payments to the extortionist at LE's request. Only after the attackee did LE's work for them by tracking down the extortionist, did LE apparently do anything useful.
Third, the attackee didn't "attack back", but quickly built infrastructure capable of absorbing the attacks.
I agree that most attacks are probably less sophisticated and/or less intense, and many may just be done to probe a site's vulnerabilities. But it also seems reasonable to conclude that LE would have even less interest in those.
The question for anyone subject to a digital attack becomes analogous to the old gun self defense question: Would I rather take my chances of being judged by twelve or almost certainly be carried by six?
Eugene,
I'm a bit worried about what property is supposedly being defended. Most computer attacks that seem to be under consideration aren't even going to destroy any data on your computer. They will merely interfere with your communication or overload your processor so it will be too busy to do anything else (DOS attacks). Even if it deletes data on your hard drive it is going to be a stretch to count this as defense of property.
Exactly what property is being defended? Is it intellectual property? If so that would be very problematic. Surely you don't believe that the RIAA can raid any home its investigations on bittorrent suggest is violating their copyright and receive the protection of the property-defense rule.
The situation becomes clearly problematic for your position if all the hacker is doing to you is denying you use of your Internet connection by saturating it with bandwidth. Nothing at all is stolen or damaged when your bandwidth is saturated. I believe the only reason this sort of DOS attack is even a crime is because of various statutes Congress has passed, i.e., the 'abuse' part of the act. Since no property will be harmed if the attack continues clearly the defense of property rule can't come into play. In any case I think you need be more explicit about what property is being defended.
In short the physical property analogy seems flawed in this situation. I think a better analogy is someone trying to talk on their cell phone in their back yard (reception) only to have their neighbor play (illegally) loud music to prevent them from hearing. While this surely interferes with the person's ability to enjoy their property and may even cost them a massive amount of money (the call is a job interview) surely this situation is not included in the property defense rule.
This analogy can even be extended to the computer hacking attack (data deletion) as well. Suppose the town in question also has a law against lights being too bright or being flashed on and off in an annoying fashion. In the evening you are out with your friends in the back yard and are attempting to take photos. However, your evil neighbor has set up a system that detects the flash of your camera and responds with its own, overwhelmingly strong, burst of light washing out all of your pictures. In this case data has actually been lost (photo content) but surely it doesn't qualify under the property defense rule.
This is a case of bad cases make bad law. Just because you think it's necessary to do something, does not make it legal to do it--nor does it mean that the acts should be legal. Consider Regina v Dudley and Stephens.
I don't understand your comment. I cited a description of a DDOS attack in which the target:
1. Suffered serious economic damage.
2. Successfully discouraged the attacker extortionist by entirely legal means of changing infrastructure to weather the traffic.
3. Tracked down the extortionist by entirely legal means.
4. Cooperated with law enforcement agencies, and in fact did their work (ferreting out and identifying the attacker) for them.
On this basis you seem to suggest that I think retaliatory cyberattack is legal. I merely pointed out the obvious dilemma for the target, by analogy to the old gun rights advocates' point: would you rather be judged by twelve or carried by six? That is all I said.
Do I think retaliatory attack should be legal? That depends on the circumstance. Do I think it is legal? No.
But the lifeboat case you cite is wholly inapposite on the facts. Parker was not attacking Dudley and Stephens.
What could be under attack? Well, use and access to the physical property, intellectual property, private information (such as customers' home addresses, CC#'s, etc), the right to express oneself. The physical property could be at risk under limited circumstances -- perhaps a power grid coming under attack. Probably a few other things that don't immediately come to mind.
"Exactly what property is being defended?" If none of the above qualifies, then no crime is being committed. But the law disagrees.
If defense of physical property allows for offensive physical actions, then your demand is for a special exception that disallows offensive Internet-based responses to attacks that are carried out over the Internet. Obvious question: why would you consider it reasonable to impose that unique disadvantage on Internet-accessible systems?
Perhaps new laws are necessary. It is a situation that's not quite like what we've had to deal with before. Obviously, we don't want any of the undoubtedly imaginative worst-case scenarios you could imagine.
Do you believe that there are no circumstances in which a site could be reasonably defended through counter-attack?
By retaliatory, do you mean to halt an attack, or to exact revenge for an attack that's already been ended? If the first, I agree that it should be legal in some circumstances.
Let's say a library's computer is compromised. It's intended to provide Internet access to patrons. The computer is then used to remotely direct a DDOS against joeblow.com during Easter weekend.
Joe Blow analyzes the offender packets and identifies the coordinating library machine. He nmaps the machine and discovers the same flaw the hackers used to turn it against him. He can immediately end the attack by exploiting that flaw to crash the library computer (render it inaccessible to the intruders).
I believe it should be legal for him to do so.
There are many reasons that it shouldn't always be legal to do so. But should it always be illegal? I don't believe so.
Most of the attacks by computer I have heard of are for the purpose of ID theft, whether it be of SSN or credit card info or other info. Jamming the system is also used but the theft of ID is far more prevalent. I think that taking action against whoever is trying to steal your ID is or should be allowable in every case. All you have to do is think of what the theft of your ID could result in, whether you know of it or worse if you don't know of it. Imagine having to replace your passport, credit card, and all your ID with new numbers. Then imagine having to replace this info where you had it placed before and do it in such a timely fashion that it does not result in a denial of service. Jamming the system is piddling by comparison.
My choice of words, "retaliatory", was lousy. I should have written "responsive" or "defensive".
I'm not Logicnazi and I don't speak for him, but I will add that some of the more common purposes for attacks are attempts to hijack mail servers for use by spammers, and attempts to hijack general purpose home computers for use in botnets (which are often used as mailservers for spam, as well as for further DDOS attacks or probes).
Well actually many computer attacks are either to shut down a site out of pure maliciousness (how it started) and more often now to blackmail businesses into paying protection. For instance they will flood an internet gambling site with traffic so its customers can't get through and then demand a payment to stop. When talking about 'hacking back' these were the primary examples that came up and are the only plausible ones where it really is the best defense. If you are only worried about someone hacking in and stealing records then hacking back is pretty much never the best defense. You are a lot better off pulling the plug on the server or, if you can't do that, shutting down whatever access you think the hacker is using than trying to hack back while leaving him to root around on your system (if he goes away you are no longer defending against an imminent attack).
anotherbob, dick thompson:
The question is not whether computer crime is bad or causes bad effects. The question is whether it is property that is being defended. For instance blackmail is very bad and illegal yet breaking into the blackmailer's house to retrieve the incriminating information that the blackmailer legitimately owns is not defense of property because it was your reputation not your property that you are defending.
The rule is not defense against bad acts but defense of property. The objection I have is that I don't believe there is any sufficiently broad way to define property so that it will work in this situation and will not cause problems throughout the rest of the law, e.g., counting IP as property for this purpose would both be a divergence from the common law rule (IP is a legislatively created right not a basic common law premise) and allow things like private raids by the RIAA to stop suspect file sharers.
The question is not about what I believe is the correct policy. Maybe Congress should create a special exemption here. The question is what the correct interpretation of the existing law is.
My knowledge is in computer security, not the law. So please accept my earnest apologies for the abundant ignorance undoubtedly displayed throughout my posts. I can't speak to what the law is, and I agree that the primary question is one of what the law is, not what it should be. I tried to acknowledge that in my earlier post and perhaps failed in the effort.
That said, I think your RIAA analogy is inappropriate. It suggests a physical raid, which has some similarity to an electronic counter-intrusion, but is different enough that I think it stretches the analogy beyond reason. More importantly, the raid you're proposing is aimed not at defending against a theft of intellectual property, but at recovering it after it's already been stolen. That just isn't a defense. Finally, it still only addresses IP, and I don't believe it's been agreed that IP is the only property in question.
Does the law consider private customer information to be nothing more than intellectual property? Names, addresses, CC information, etc? Is defense of this information limited in the same way that defense of IP would be?
Would the server qualify as property? It is physical, and whether the physical item is damaged, a hacker is still attacking it. (Similarly, use of an electronic device to thwart a home's security might cause no physical damage, but the attempted intrusion is still genuine.) If physical damage could be effected, is it then defense of property?
Do the pipelines to the server qualify as property? If not, it seems reasonable to say that a DDOS (that takes up the bandwidth) qualifies as denying access to the server. Sure, you could say that electronic denial of access doesn't equate to denial of physical access. But if the server is 500 miles away, it limits the only available means of access.
Further, if that server manages property -- store software that handles customer transactions -- wouldn't defense of that property qualify?
It seems like there are a number of means by which you could argue defense of property. Obviously, I don't know whether any of these qualifies.
On a tactical note, it's very rare that an admin will be able to glean the motives of the attacker with enough certainty that he can reasonably rule out a motive like theft. A blackmail notice identifying a different motive doesn't help. The attacker could be lying to obscure his true motives. No motive, especially theft of data, can be safely excluded while an attack is in progress. Per your argument, the only reasonable defense is to shut down.
I'll give you a few reasons why it is often a very bad idea to shut down in response to an attack.
First, shutting down isn't cost-free. You may break a link in a larger management or production environment that causes extensive losses. Shutting down a student reservation system could result in all sorts of nightmares for students and classes. Shutting down ticket booking could send a small airline into bankruptcy. Shutting down a server that manages a power grid? Oh boy.
Second, shutting down sends most attackers into scram mode. As soon as an attacker believes he's been thwarted or successful, he will start deleting traces of their attack from secondary machines. I can count a specific instance in which a very paranoid hacker would have gotten away if he'd realized he was detected. (In that case, he was convicted and is in prison right now.)
Third, attack patterns will be cut short if the first response is to shut down. It may be impossible to determine how a hack is being perpetrated if the immediate response is to shut down. Security doesn't stop once an intrusion is detected, but continues through forensic investigation.
Finally, if the attacker's goal is to cause the site to shut down, you're guaranteeing future attacks by doing just that. Talk about sending a bad message.
That said, I can't imagine many circumstances in which hacking back would be a good idea. Most often, the only effect of hacking back would be felt by innocent third parties whose machines were compromised by the hacker. In fact, it's not at all unheard of for an attacker to try to implicate a third party in order to cause the initial victim to target a second intended victim.
Still, if "pulling the plug" can help to thwart an attack, I'd rather it be the attacker's plug I was pulling.