Does a "Cyber Self-Help" Defense Exist, and Would It Be A Good Idea?:
I enjoyed Eugene's post below about "digital self-help," although I have a very different take on the question.
First, I highly doubt that a defendant can assert a "digital self-help" claim in a prosecution brought under the Computer Fraud and Abuse Act, 18 U.S.C. 1030. Eugene is right that federal criminal statutes generally do not mention self-defense and other defenses, and yet courts sometimes have recognized those defenses for some crimes. But I don't think it's accurate to say, as Eugene does, that "federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses." Some commentators have said this, but I believe it clashes with the Supreme Court's most recent take on such questions in Dixon v. United States, 126 S.Ct. 2437 (2006).
As I read Dixon, it seems that whether a federal defense exists is a question of Congressional intent. Specifically, the question is whether and how Congress meant to incorporate the common law defenses when it enacted that particular crime. Where Congress was silent, courts are supposed to reconstruct what Congress probably wanted or would have wanted "in an offense-specific context." Id. at 2447. (It's true that Dixon was a duress case, not a self-defense case, but it cited the Cannabis opinion, which was a necessity case; to me that suggests that the Court sees all the common law defenses together.)
This is pretty straightforward when considering a federal criminal law that closely tracks a traditional criminal prohibition, such as homicide. As Justice Kennedy put it in his concurrence in Dixon, "When issues of congressional intent with respect to the nature, extent, and definition of federal crimes arise, we assume Congress acted against certain background understandings set forth in judicial decisions in the Anglo-American legal tradition." It's hard to imagine Congress enacting a homicide statute without meaning to incorporate a self-defense provision. So in that context, courts have readily applied self-defense even though it's not technically written into the statute.
I think the Computer Fraud and Abuse Act is quite different. I don't know of any evidence that anyone in Congress had ever even heard about "hacking back" when Congress passed the Computer Fraud and Abuse Act in 1986. Congress did consider whether there were some kind of computer intrusions that would be okay based on the context; specifically, it created an exception in 1030(f) exempting "any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency." But it didn't create an exception for self-defense, and I don't know of any reason to think that there was a background sense that those defenses would apply as seems to be required under Dixon. Given that, I would tend to doubt that a federal "cyber self-defense" doctrine exists.
Although it's not directly contrary to Eugene's post, I'll also add my 2 cents that I think such a defense would be a really, really, really bad idea. Here's an excerpt of what I wrote on the topic in a 2005 article, Virtual Crime, Virtual Deterrence: A Skeptical View of Self-Help, Architecture, and Civil Liability:
First, I highly doubt that a defendant can assert a "digital self-help" claim in a prosecution brought under the Computer Fraud and Abuse Act, 18 U.S.C. 1030. Eugene is right that federal criminal statutes generally do not mention self-defense and other defenses, and yet courts sometimes have recognized those defenses for some crimes. But I don't think it's accurate to say, as Eugene does, that "federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses." Some commentators have said this, but I believe it clashes with the Supreme Court's most recent take on such questions in Dixon v. United States, 126 S.Ct. 2437 (2006).
As I read Dixon, it seems that whether a federal defense exists is a question of Congressional intent. Specifically, the question is whether and how Congress meant to incorporate the common law defenses when it enacted that particular crime. Where Congress was silent, courts are supposed to reconstruct what Congress probably wanted or would have wanted "in an offense-specific context." Id. at 2447. (It's true that Dixon was a duress case, not a self-defense case, but it cited the Cannabis opinion, which was a necessity case; to me that suggests that the Court sees all the common law defenses together.)
This is pretty straightforward when considering a federal criminal law that closely tracks a traditional criminal prohibition, such as homicide. As Justice Kennedy put it in his concurrence in Dixon, "When issues of congressional intent with respect to the nature, extent, and definition of federal crimes arise, we assume Congress acted against certain background understandings set forth in judicial decisions in the Anglo-American legal tradition." It's hard to imagine Congress enacting a homicide statute without meaning to incorporate a self-defense provision. So in that context, courts have readily applied self-defense even though it's not technically written into the statute.
I think the Computer Fraud and Abuse Act is quite different. I don't know of any evidence that anyone in Congress had ever even heard about "hacking back" when Congress passed the Computer Fraud and Abuse Act in 1986. Congress did consider whether there were some kind of computer intrusions that would be okay based on the context; specifically, it created an exception in 1030(f) exempting "any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency." But it didn't create an exception for self-defense, and I don't know of any reason to think that there was a background sense that those defenses would apply as seems to be required under Dixon. Given that, I would tend to doubt that a federal "cyber self-defense" doctrine exists.
Although it's not directly contrary to Eugene's post, I'll also add my 2 cents that I think such a defense would be a really, really, really bad idea. Here's an excerpt of what I wrote on the topic in a 2005 article, Virtual Crime, Virtual Deterrence: A Skeptical View of Self-Help, Architecture, and Civil Liability:
It is very easy to disguise the source of an Internet attack. Internet packets do not indicate their original source. Rather, they indicate the source of their most immediate hop. Imagine I have an account from computer A, and that I want to attack computer D. I will direct my attack from computer A to computer B, from B to computer C, and from C to computer D. The victim at computer D will have no idea that the attack is originating at A. He will see an attack coming from computer C. Further, the use of a proxy server or anonymizer can easily disguise the actual source of attack. These services route traffic for other computers, and make it appear to a downstream victim as if the attack were coming from a different source.More in the article itself (unfortunately, the version on SSRN is only an early draft, but the final is on Westlaw and Lexis.)
As a result, the chance that a victim of a cyber attack can quickly and accurately identify where the attack originates is quite small. By corollary, the chance that an initial attacker would be identified by his victim and could be attacked back successfully is also quite small. Further, if the law actually encouraged victims of computer crime to attack back at their attackers, it would create an obvious incentive for attackers to be extra careful to disguise their location or use someone else's computer to launch the attack. In this environment, rules encouraging offensive self-help will not deter online attacks. A reasonably knowledgeable cracker can be confident that he can attack all day with little chance of being hit back. The assumption that an attacker can be identified and targeted may have been true in the Wild West, but tends not to be true for an Internet attack.
Legalizing self-help would also encourage foul play designed to harness the new privileges. One possibility is the bankshot attack: If I want a computer to be attacked, I can route attacks through that one computer towards a series of victims, and then wait for the victims to attack back at that computer because they believe the computer is the source of the attack. By harnessing the ability to disguise the origin of attack, a wrongdoer can get one innocent party to attack another. Indeed, any wrongdoer can act as a catalyst to a chain reaction of hacking back and forth among innocent parties. Imagine that I don't like two businesses, A and B. I can launch a denial-of-service attack at the computers of A disguised to look like it originates from the computers at B. The incentives of self-help will do the rest. A will defend itself by launching a counterattack at B's computers. B, thinking it is under attack from A, will then launch an attack back at A. A will respond back at B; B back at A; and so on. As these examples suggest, basing a self-help strategy on the virtual model of the Wild West does not reflect a realistic picture of the Internet. Self-help in cyberspace would almost certainly lead to more computer misuse, not less.
Related Posts (on one page):
- The "Defense of Property" Defense:
- More on the "Hacking Back" Defense:
- Common-Law Federal Criminal Defenses:
- Does a "Cyber Self-Help" Defense Exist, and Would It Be A Good Idea?:
- The Rhetoric of Opposition to Self-Help: