Collaboration

Computer vigilantes: Breaking the law by hitting back at hackers?

Even if you are a victim of computer crime, you don't want to end up in court for taking the law into your own hands against hackers.

The desire to strike back is completely understandable and the suggestion that citizens should be entitled to retaliate may even sound reasonable. Photo: Shutterstock

I've noticed a number of threads in discussions forums suggesting that citizens should turn the tables on hackers. One of the more extreme examples even went so far as to suggest that citizens should be armed with the means to strike back at criminals.

At the start of the millennium, when the internet and ecommerce were seen as being in their infancy, it was common for commentators to talk about a lack of regulation and to compare the internet to the Wild West.

In reality, the internet and ecommerce are both heavily regulated. Most of the real-world rules and regulations, including contractual provisions, did and do apply equally well in an online relationship as they do off-line.

These regulations have also been supplemented subsequently by new rules that have been designed specifically for the internet.

The problem with crime is that it perpetrated by people who are happy to disregard the law. It's in their job description. The advantage of the internet for the criminal is that crime can be conducted anonymously and from a foreign jurisdiction, both of which make it a low-risk activity.

Additionally, it can never have been so easy to industrialise the processes of committing some of these crimes: why rob one person when you can rob millions simultaneously?

Multiple hacking offences

Hackers are motivated by many reasons but what they all have in common is that they are committing crime. This fact may come as a surprise to those hackers who are doing it for fun or curiosity or for other less malevolent reasons. However, in the UK the Computer Misuse Act 1990, which has been updated multiple times, creates a number of offences that cover their activities.

The reason we are not seeing more convictions is an issue of capacity. The law enforcement agencies have limited resources, which is not helped when large companies keep poaching their well-trained staff. The crime-fighters are therefore focused on the priority events where they are most likely to secure a prosecution.

Furthermore, their agenda in investigating computer crime and gathering evidence for a prosecution works on a different timescale to the needs of most businesses when faced with DDOS attacks or shutting down APTs. This difference is frustrating for businesses that have sought to use the criminal law as a solution to being attacked.

The desire to strike back is completely understandable and the suggestion that citizens should be entitled to retaliate may even sound reasonable.

However, to fight back risks breaking the law. The Computer Misuse Act, for example, does not take into consideration the motive behind the criminal activity. Anyway, who do you conduct a retaliatory attack against when the crime was probably perpetrated using a botnet?

Disclosing the hacker's identity

This issue highlights the dilemma of the ISPs. They are contractually bound to protect the privacy of their customers. Otherwise they might be willing to disclose the identity of the attacker.

Identity disclosure creates two risks for the ISP. Contractual breach and a regulatory breach. I doubt a hacker would wish to bring a claim for breach of contract but he or she might be willing to tip off the regulators and the regulatory risk is more problematic.

This situation seems negative but the law can be used legitimately to conduct a proactive defence. The issue is one of cost and motivation on the part of the claimant.

It is quite likely that the hacker will not have the financial means to satisfy a successful claim and therefore the claimant will be left bearing the costs of the action and should not expect to receive compensation for its loss. However, if the aim of the claim is to disrupt and deter attacks, then this may be sufficient reward in itself.

Furthermore, using the same rationale that drives many intellectual property claims, setting out to obtain a reputation that your business will pursue infringements can pay dividends.

Increasing the risk to the criminal will deflect attacks onto softer targets, reducing the cost of disruption. The threat of being labelled as a criminal may also deter more casual hackers, who may not have fully appreciated the seriousness of their actions.

About

Stewart James is a partner in the technology, media and commercial group at law firm DLA Piper's Leeds, UK, office. His areas of expertise include outsourcing and retendering, business process re-engineering, information assurance, data protection, a...

Editor's Picks