|
The Rhetoric of Opposition to Self-Help:
I was just talking to some people recently about the question of "digital self-defense" — whether organizations that are under cyberattack should be free to (and are free to) fight back against attacking sites by trying to bring those sites down, by hacking into the sites, and so on.
I don't claim to know the definitive answer to this question; but I did want to say a few words about some common anti-self-help rhetorical tropes, which are sometimes heard both in this context and other contexts.
1. Vigilantism: Allowing digital self-defense (or, to be precise, digital defense of property), the argument goes, would mean sanctioning vigilantism; the nonvigilante right solution is to leave matters to law enforcement.
Yet the law has never treated defense of property as improper "vigilantism." American law bars you from punishing those who attack you or your property, but it has always allowed you to use force to stop the attack, or prevent an imminent attack. There are limits on the use of force, such as the principle that generally (though not always) property may be defended only with nonlethal force. But generally speaking the use of force is allowed, and shouldn't be tainted with the pejorative term of "vigilantism," which connotes illegality. (Black's Law Dictionary echoes this, defining vigilantism as "The act of a citizen who takes the law into his or her own hands by apprehending and punishing suspected criminals.")
2. Taking the Law Into Your Own Hands: Critics of self-defense and defense of property also sometimes characterize it as "taking the law into your own hands." This too implies, it seems to me, extralegal action, through which someone unlawfully taking into his own hands power that the law leaves only in law enforcement's hands.
Yet the law has always placed in your own hands — or, if you prefer, has never taken away from your own hands — the right to defend yourself and your property (subject to certain limits). By using this right, you aren't taking the law into your own hands. You're using the law that has always been in your hands.
There are many reasons the law has allowed such self-defense and defense of property: It's generally more immediate than what law enforcement can do; even after the fact, law enforcement is often stretched too thin even to investigate all crimes; sometimes law enforcement may be biased against certain people, and may not take their requests for help seriously, so self-help is the only game in town. There are also reasons to limit self-defense and defense of property (I'll note a few below). But let's not assume that self-defense and defense of property somehow involve unlawful arrogation of legal authority on the defenders' part. Rather, they generally involve legally authorized exercise of legal authority.
3. But the Statute Has No Self-Defense Exceptions: Ah, some may say, perhaps in the physical world you have the right to defend yourself and your property — but the Computer Fraud and Abuse Act secures no such right, so whatever one's views on self-help, the fact is that self-help is illegal.
Yet, surprising as it may seem to many, self-defense and defense of property may be allowed even without express statutory authorization. These defenses were generally recognized by judges, back when the criminal law was generally judge-made; and many jurisdictions don't expressly codify them even now. Federal law, for instance, has no express "self-defense" or "defense of property" statute. The federal statute governing assaults within federal maritime and territorial jurisdiction simply says, in part, Whoever, within the special maritime and territorial jurisdiction of the United States, is guilty of an assault shall be punished as follows ....
(4) Assault by striking, beating, or wounding, by a fine under this title or imprisonment for not more than six months, or both.
(5) Simple assault, by a fine under this title or imprisonment for not more than six months, or both, or if the victim of the assault is an individual who has not attained the age of 16 years, by fine under this title or imprisonment for not more than 1 year, or both.
(6) Assault resulting in serious bodily injury, by a fine under this title or imprisonment for not more than ten years, or both.
(7) Assault resulting in substantial bodily injury to an individual who has not attained the age of 16 years, by fine under this title or imprisonment for not more than 5 years, or both. Assault is generally defined (more or less) as "any intentional attempt or threat to inflict injury upon someone else, when coupled with an apparent present ability to do so, and includes any intentional display of force that would give a reasonable person cause to expect immediate bodily harm, whether or not the threat or attempt is actually carried out or the victim is injured." The federal criminal code thus on its face prohibits all assaults, including ones done to defend one's life. Yet self-defense is a perfectly sound defense under federal law — because federal courts recognize self-defense as a general criminal defense, available even when the statute doesn't specifically mention it.
Likewise, federal law generally bans possession of firearms by felons, with no mention of self-defense as a defense. Yet federal courts have recognized an exception for felons' picking up a gun in self-defense against an imminent deadly threat, again because self-defense is a common-law defense available in federal prosecutions generally.
Given this, a federal statute's general prohibition on breaking into another's computer doesn't dispose of breakins done in defense of property against imminent threat — just as federal statutes' general prohibitions on assault or on possession of a firearm by a felon don't dispose of assault or possession done in defense of life (or sometimes property) against imminent threat. Federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses, even when the defendant is prosecuted under a statute that doesn't expressly mention such defenses.
There still remains a good deal of uncertainty about how the defense of property defense would play out in any particular digital strikeback situation, and I suppose it's possible that courts might even decide that it's categorically unavailable as a matter of law in computer breakin cases (though it would be unusual, given the general availability of self-defense and defense of property defenses). But it is a mistake to simply assert that such a defense is unavailable simply because the statute doesn't mention it.
* * *
All this having been said, I want to stress that there are plausible arguments in favor of prohibiting digital self-defense (either criminalizing it or making it tortious), and reasons to be skeptical about easy analogies between digital self-defense (or, more precisely, defense of property) and physical self-defense. It may be, for instance, that there's more of a risk of error in digital self-defense cases, in that you might disable, directly or indirectly, a computer that's not actually attacking you. (Say, for instance, you're defending against a worm by launching a counterworm; there's more risk of massive damage to many third parties from an error in the counterworm than there is in a typical situation where you're confronting someone who's trying to run off with your bicycle.) It's also not obvious what should be allowed when you're going after a computer that is attacking you but only because it's been hijacked. Should that turn, for instance, on whether the computer's owner was negligent in allowing the computer to be hijacked?
It's also not clear how the general principle that defense of property must generally be nonlethal should play out — what if you're under attack using a hijacked computer that belongs to a hospital, an airport, a 911 center, or some other life-critical application? Is disabling that computer potentially lethal force, because it may have lethal consequences? How can you tell whether the computer is indeed running some application on which lives turn?
It's therefore not obvious whether the law should criminalize most or all forms of digital self-defense, criminalize some and make others tortious, leave it entirely to the tort system so long as the actor sincerely believed (or perhaps reasonably believed) the actions were necessary to defend his property, or whatever else. Some limits on digital defense of property may well be proper, especially if we think that on balance allowing such defense would lead to too much harm to the property of third parties. But we need to analyze things carefully, by asking some of the questions I noted in the last few paragraphs — not just by condemning digital self-defense as vigilantism, as taking the law into one's own hands, or as clearly illegal under current computer crime law.
Thanks to Warren Stramiello, a student whose paper first alerted me to the defense of property analogy; and note this Journal of Law, Economics & Policy symposium on the subject, which is available in volume 1, issue 1 of the Journal, but unfortunately not on the Web. (Participants included our very own Orin Kerr, as well as my incoming colleague Doug Lichtman.)
Does a "Cyber Self-Help" Defense Exist, and Would It Be A Good Idea?:
I enjoyed Eugene's post below about "digital self-help," although I have a very different take on the question. First, I highly doubt that a defendant can assert a "digital self-help" claim in a prosecution brought under the Computer Fraud and Abuse Act, 18 U.S.C. 1030. Eugene is right that federal criminal statutes generally do not mention self-defense and other defenses, and yet courts sometimes have recognized those defenses for some crimes. But I don't think it's accurate to say, as Eugene does, that "federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses." Some commentators have said this, but I believe it clashes with the Supreme Court's most recent take on such questions in Dixon v. United States, 126 S.Ct. 2437 (2006). As I read Dixon, it seems that whether a federal defense exists is a question of Congressional intent. Specifically, the question is whether and how Congress meant to incorporate the common law defenses when it enacted that particular crime. Where Congress was silent, courts are supposed to reconstruct what Congress probably wanted or would have wanted "in an offense-specific context." Id. at 2447. (It's true that Dixon was a duress case, not a self-defense case, but it cited the Cannabis opinion, which was a necessity case; to me that suggests that the Court sees all the common law defenses together.) This is pretty straightforward when considering a federal criminal law that closely tracks a traditional criminal prohibition, such as homicide. As Justice Kennedy put it in his concurrence in Dixon, "When issues of congressional intent with respect to the nature, extent, and definition of federal crimes arise, we assume Congress acted against certain background understandings set forth in judicial decisions in the Anglo-American legal tradition." It's hard to imagine Congress enacting a homicide statute without meaning to incorporate a self-defense provision. So in that context, courts have readily applied self-defense even though it's not technically written into the statute. I think the Computer Fraud and Abuse Act is quite different. I don't know of any evidence that anyone in Congress had ever even heard about "hacking back" when Congress passed the Computer Fraud and Abuse Act in 1986. Congress did consider whether there were some kind of computer intrusions that would be okay based on the context; specifically, it created an exception in 1030(f) exempting "any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency." But it didn't create an exception for self-defense, and I don't know of any reason to think that there was a background sense that those defenses would apply as seems to be required under Dixon. Given that, I would tend to doubt that a federal "cyber self-defense" doctrine exists. Although it's not directly contrary to Eugene's post, I'll also add my 2 cents that I think such a defense would be a really, really, really bad idea. Here's an excerpt of what I wrote on the topic in a 2005 article, Virtual Crime, Virtual Deterrence: A Skeptical View of Self-Help, Architecture, and Civil Liability: It is very easy to disguise the source of an Internet attack. Internet packets do not indicate their original source. Rather, they indicate the source of their most immediate hop. Imagine I have an account from computer A, and that I want to attack computer D. I will direct my attack from computer A to computer B, from B to computer C, and from C to computer D. The victim at computer D will have no idea that the attack is originating at A. He will see an attack coming from computer C. Further, the use of a proxy server or anonymizer can easily disguise the actual source of attack. These services route traffic for other computers, and make it appear to a downstream victim as if the attack were coming from a different source.
As a result, the chance that a victim of a cyber attack can quickly and accurately identify where the attack originates is quite small. By corollary, the chance that an initial attacker would be identified by his victim and could be attacked back successfully is also quite small. Further, if the law actually encouraged victims of computer crime to attack back at their attackers, it would create an obvious incentive for attackers to be extra careful to disguise their location or use someone else's computer to launch the attack. In this environment, rules encouraging offensive self-help will not deter online attacks. A reasonably knowledgeable cracker can be confident that he can attack all day with little chance of being hit back. The assumption that an attacker can be identified and targeted may have been true in the Wild West, but tends not to be true for an Internet attack.
Legalizing self-help would also encourage foul play designed to harness the new privileges. One possibility is the bankshot attack: If I want a computer to be attacked, I can route attacks through that one computer towards a series of victims, and then wait for the victims to attack back at that computer because they believe the computer is the source of the attack. By harnessing the ability to disguise the origin of attack, a wrongdoer can get one innocent party to attack another. Indeed, any wrongdoer can act as a catalyst to a chain reaction of hacking back and forth among innocent parties. Imagine that I don't like two businesses, A and B. I can launch a denial-of-service attack at the computers of A disguised to look like it originates from the computers at B. The incentives of self-help will do the rest. A will defend itself by launching a counterattack at B's computers. B, thinking it is under attack from A, will then launch an attack back at A. A will respond back at B; B back at A; and so on. As these examples suggest, basing a self-help strategy on the virtual model of the Wild West does not reflect a realistic picture of the Internet. Self-help in cyberspace would almost certainly lead to more computer misuse, not less. More in the article itself (unfortunately, the version on SSRN is only an early draft, but the final is on Westlaw and Lexis.)
Common-Law Federal Criminal Defenses:
I just wanted to very briefly comment on Orin's post on the subject. Dixon v. United States involved the question of who is to bear the burden of proof as to a duress defense. The "long-established common-law rule" had been that the defendant must prove duress by a preponderance of the evidence, and the Court held that Congress did not intend to displace this rule. This is where the "offense-specific context" language comes up (citation omitted):
Congress can, if it chooses, enact a duress defense that places the burden on the Government to disprove duress beyond a reasonable doubt. In light of Congress' silence on the issue, however, it is up to the federal courts to effectuate the affirmative defense of duress as Congress "may have contemplated" it in an offense-specific context. In the context of the firearms offenses at issue -- as will usually be the case, given the long-established common-law rule -- we presume that Congress intended the petitioner to bear the burden of proving the defense of duress by a preponderance of the evidence.
It seems to me that this common-law tradition is the most important factor here, and the longstanding common-law acceptance of the defense-of-property defense should lead federal courts to assume that Congress didn't mean to preempt it, at least absence a statement from Congress to the contrary.
It's true that Congress likely didn't think much about the defense when enacting computer crime laws; but the point of the common-law criminal defenses is precisely that the legislature often doesn't think much about defenses, which often (as with duress, for instance) involve relatively rare circumstances. The defenses are out there to be used when the triggering circumstances arise, and Congress doesn't need to think much about them when enacting specific statutes.
So it seems to me that Dixon is quite consistent with my position: Congress legislates against the background of various common-law rules related to criminal law defenses, and the general presumption is that Congress doesn't mean to displace these background rules.
More on the "Hacking Back" Defense:
I wanted to add one more round to the exchange Eugene and I were having about whether a defendant charged with a federal computer intrusion crime can assert a "hacking back" defense. I'm still of the opinion that defendants cannot assert such a defense, and I wanted to respond specifically to Eugene's most recent post about it. Specifically, I want to make two points. First, I'm not entirely sure a general defense of property defense doctrine exists as a default in federal criminal law, and second, if the doctrine exists I don't think it covers computer intrusions. The reason I'm unsure that the "defense of property" defense exists as a Congressiional default is that the defense seems to be quite rare in federal court, and the cases appear almost entirely in a very specific context. Based on a quick Westlaw check, at least, I could only find about about 30 federal criminal cases that seem to apply it or discuss it at all. Further, those cases arise in almost entirely in a very specific context: a defense raised in a prosecution for physical assault. There's also a bit of homicide and one or other two crimes thrown in, but not much. Perhaps =a lot more cases exist beyond what I could find, but I couldn't find much — and what I found was quite narrow and applied only on in a very small subset of criminal cases. Clearly this doesn't rule out that Congress legislates all criminal offense against a general background norm of a "defense of property" defense being available, but I think it does shed some doubt on it. Second, when stated as a defense in federal criminal cases, "defense of property" seems to mean only defense of physical property from physical access or removal. For example, in the context of the Model Penal Code's defense of property section, which has been influential in federal court applications of defenses, the provisions are available only "to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property . . . , [or] to effect an entry or re-entry upon land or to retake tangible movable property." MPC 3.06. (The MPC seems to treat the kind of interference with property that includes computer intrusions under a separate section, ยง 3.10, Justification in Property Crimes, which seems to foillow a different set of principles. Also, while you might think "entry" includes virtual entry, entry in the context of criminal trespass statutes are generally understood to mean physical entry.) Given that, it seems that whatever "defense of property" doctrine is established as a background norm when Congress creates a new criminal law, it doesn't seem to me to apply to computer attacks. Anyway, I should stress that we don't yet have any cases on this, so both Eugene and I are guessing as to what courts would or should so based on the legal materials out there. It's a very interesting question. Finally, I'll just add further thoughts in the comment thread in the future, as I'm not sure a lot of readers are interested in this issue.
The "Defense of Property" Defense:
I much appreciate Orin's posts on the subject, and I should note again what I noted at the outset — there are quite plausible policy arguments for barring "hacking back" even when it's done to defend property against an ongoing attack, and Orin has expressed some of them in the past. That an action falls generally within the ambit of an existing defense, or is closely analogous to an existing defense, doesn't preclude the conclusion that we should nonetheless bar the action because of special problems associated with it.
Nonetheless, I do disagree with two parts of Orin's analysis. First, it seems to me that the defense-of-property defense has indeed been recognized as part of a general class of common-law defenses — including justifications such as self-defense and defense of others, and excuses such as duress or insanity — that are by default accepted in all jurisdictions, or at least all jurisdictions that have not expressly codified their defenses. (I say "by default"; they may be expressly statutorily precluded, as a few states have done as to insanity.) Robinson's treatise on Criminal Law Defenses describes it well, I think,
Every American jurisdiction recognizes a justification for the defense of property. The principle of the defense of property is analogous to that of all defensive force justifications and may be stated as follows: ... Conduct constituting an offense is justified if:
(1) an aggressor unjustifiazbly threatens the property of another; and
(2) the actor engages in conduct harmful to the aggressor
(a) when and to the extent necessary to protect the property,
(b) that is reasonable in relation to the harm threatened.
More generally, defense of property, self-defense, and defense of others are generally treated by the law more or less similarly, though subject to the general principle that defense of property will generally not justify the use of lethal force. I have never seen in any case, treatise, or other reference any indication that federal law differs from this, and rejects the notion that defense-of-property is a general default.
I agree with Orin that the defense has been rare. But I suspect that it is rare because defense of property generally doesn't authorize the use of deadly force, and because use of supposedly defensive nondeadly force is less likely to draw a federal prosecutor's attention than the use of supposedly defensive deadly force. The typical nonlethal defense of property scenario — someone says I punched him, and I claim I did this in order to keep him from stealing my briefcase — just isn't likely to end up prosecuted by the local U.S. Attorney's office, even if there's some reason to doubt my side of the story.
Second, Orin points to the Model Penal Code as evidence that "when stated as a defense in federal criminal cases, 'defense of property' seems to mean only defense of physical property from physical access or removal"; and the MPC does define defense of property as limited to "use of force upon or toward the person of another ... to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property ..., [or] to effect an entry or re-entry upon land or to retake tangible movable property" (plus provides for a related but different defense in § 3.10).
But the MPC seems to define defenses in a way that's focused on those crimes that the MPC covers. For instance, the MPC's self-defense provision literally covers only "the use of force upon or toward another person"; it would not cover imminent self-defense as a defense to a charge of being a felon in possession of a firearm (though no such crime is defined by the MPC in the first place). Yet federal law does recognize this. Likewise, state cases recognize self-defense as a defense to the use of force against an animal, when the use would otherwise be illegal (I could find no federal prosecutions involving the question).
Now perhaps the answer is that federal law would reject even self-defense as a defense to non-physical-force crimes, and that the defense in felon-in-possession cases is actually a species of the necessity defense. But if that's true (which isn't clear, since it's not even clear that federal law recognizes a general necessity defense), then one could equally argue for digital self-defense under the rubric of necessity.
Likewise, while Orin brackets § 3.10, that might very well be the defense-of-property provision (though labeled by the MPC under the more general rubric of "justification in property crimes") that an MPC-following federal court might adopt, if it chooses to take a narrow view of the common-law defense-of-property defense. Section 3.10 generally allows "intrusion on or interference with property [when tort law would recognize] a defense of privilege in a civil action based [on the conduct]," unless the relevant criminal statute "deals with the specific situation involved" or a "legislative purpose to exclude the justification claimed otherwise plainly appears." And the common law has generally recognized defense of property as a privilege in civil actions. (See, e.g., Restatement (Second) of Torts § 79, which allows even nonlethal physical force against a person when necessary to terminate the person's intrusion on your possession of chattels. That doesn't literally cover use of nonlethal electronic actions against a computer, but the point of common-law defenses is that they are applicable by analogy; the Restatement is thus a guide, not a detailed code to be followed only according to its literal terms even in novel situations.)
So we have to remember, it seems to me, that the federal law of criminal defenses is common law, borrowing from both the substance of the traditionally recognized common-law defenses, and from the common-law method, which involves reasoning by analogy. The common-law method also allows analogies to be resisted, if the new situation is vastly different from the old; and of course Congress can trump common-law defenses by statute. But the background remains that there's a common-law defense of defense of property (buttressed, where necessary, by the necessity defense, and to the extent one is influenced by the Model Penal Code, by § 3.10's borrowing from the common-law tort defenses), and that there's no reason to think that federal law takes a narrow view of this defense.
|
|