Cybercrime terminology and the evolution of language

My last column inadvertently stirred up a small storm of dissent. I got email advising me that I had insulted or offended the entire TR membership (from someone who apparently felt comfortable speaking for that entire membership but didn't feel comfortable signing a name). Some people got a little nasty; others seemed hurt. What did I do that was so offensive? I used the word "hacker" in its current common context - to refer to people who break into computers or networks.

One of the more reasonable and less emotional responses came from Chad Perrin, who wrote a nice post as a "lesson in etymology and clear communication."

I understand Chad's point of view, but I disagree with his charge that the current popular usage is "hyped-up" and "sensationalistic." It's simply the term that the majority of people today use to describe someone who uses his or her technical skills to gain unauthorized access to computers and networks. No amount of explaining how the word first came into being or lamenting the loss of that original meaning will change that.

The evolution of language

Etymology is not just the study of the origins of words, but also the study of how they change over time. I'm well aware of the origins of the term "hacker," but whether we like it or not, language evolves. Personally, I hate the current accepted use of "they" as a singular pronoun - but it's used that way now by almost everyone.

Once upon a time, the word "gay" meant "cheerful, merry, happy or joyous" but now it means something very different. There were traditionalists who protested that the word had been "hijacked," but society adopted the new usage and the world moved on. Another word that has completed changed in meaning over time is the word "counterfeit." It originally meant "a perfect copy" and to say something was a counterfeit was a compliment. Today it's almost exclusively used to refer to a fake, often one of low quality.

The word "hack" when applied to writers is another that has evolved in meaning from a mere description to a pejorative term. In the 1700s, it just meant a writer who could produce content "to order" and came from the word hackney, which described a horse that was available for hire. Over the years, it came to mean a writer who writes sensationalistic, low quality "pulp fiction" type work and cares more about money than the quality of the writing.

I could provide many more examples, but the point is obvious: a word's meaning is determined by how it's used by most people at a given point in time.

Technology-related words don't get any special dispensation exempting them from this evolutionary process. When broadband came on the scene, many purists protested the use of the term "DSL modem," arguing that a modem modulates analog signals to encode them as digital and vice versa, and since DSL was already using a digital signal, it didn't use a modem; the device that connects a computer or network to DSL should be called a transceiver or an ATU-R (ADSL Terminal Unit - Remote). They lost that battle; "DSL modem" is now the standard name used for the device.

As for "hacker," Oxford Dictionaries online shows as its first definition: "1. a person who uses computers to gain unauthorized access to data," with the secondary definition of "an enthusiastic and skillful computer programmer or user" being designated as informal usage.

However, even that older definition wasn't the original one. At M.I.T., before the word evolved to mean someone who lives and breathes computers and programming, it was used to describe students who skipped classes, slept all day, and pursued their hobbies (which could be but weren't necessarily computer-related) at night.

And no, it's not just the mainstream media and non-technical people who use "hacker" in the way I used it. I did a quick, informal survey of a number of IT pros and found that most of those who didn't start out as programmers see the term with the same negative connotation. The use of "hacker" in this context has also become standard in tech-related publications. A search of CNET's web site for the word turns up such articles as:

A quick search of Computerworld.com reveals the following titles:

These are only a few of hundreds of examples. The usage is so common that, in the words of my favorite Star Trek bad guys, resistance is futile.

The need for specificity

In the law enforcement world, "hacker" is almost universally used to refer to criminal activity. Chad suggested that instead of using the word "hacker," we substitute "cybercriminal." The problem with that is that the latter term describes a much broader concept with a less specific meaning. A cybercriminal can be a pedophile who posts pictures of child porn on a website, a con man who sends out variations on the old Nigerian scam letter via email, a corporate employee who downloads sensitive company memos to a USB stick to sell them to a competitor, or an ex-spouse who uses the computer to stalk his or her former love via instant message.

The "cybercriminal" appellation is appropriate when referring to the whole body of persons who use a computer in the commission of illegal acts. But it doesn't tell us anything about how that person commits crimes with a computer, and it gives us no clue as to whether the person is using technical skills to do so.

I've also heard the suggestion that we use "cracker" in place of "hacker" - and those who call themselves hackers often do use that term. But again, the former word doesn't have the same precise meaning to the rest of the world, and to law enforcement personnel. They use it more specifically to describe a subset of hackers - those who crack passwords to get into systems or networks.

The big picture

Something that the staunch defenders of hackers as upstanding citizens seem to ignore is that even those early hackers at M.I.T. often (although not always) used their hacking skills to indulge in illegal or questionable activities. Hacking was often associated with phreaking - which referred to unauthorized access and use of the telephone network. One of the oldest and most revered hacker publications, 2600, was named after the 2600 hertz tone used by phreakers to gain unauthorized access to the telephone network. Another such publication, Phrack, derived its name from combining "phreak" and "hack." Groups that self-identified as hacker clubs, such as the Warelords and the 414s, were frequently involved with software piracy or breaking into systems belonging to government entities or other established institutions.

Let's get real: the majority of those who think of themselves as hackers do use their talents to do things that are either criminal offenses or at least breach civil contracts and Terms of Service agreements - or at least have done so, at some time in the past. Most "white hat hackers" originally developed their skills in that way and then crossed over to become security specialists and/or work with law enforcement.

It's all about attitude

The thing that so many of my readers seem to have taken offense to was the idea that hackers commit crimes. I'm going to go way out on a limb here, and say that yes, most of them do - and so do most of the rest of us who live and function in today's world. In the U.S. and most other countries, the legal system has become more bloated than the most feature laden software, with so many laws that even attorneys and cops can't keep up with them and with many of those laws so all-encompassing that it's impossible to keep from breaking them.

In addition, many who call themselves "hackers" have an attitude problem - they don't like authority, they believe "information wants to be free," even when it's the product of someone else's creation, and they don't respect the law. The last part may be understandable, given some of the laws that have been enacted over the last couple of decades by people who don't understand technology at all. And those who make and enforce the laws may have attitude problems of their own, exacerbating the adversarial nature of the relationship.

The hard truth is that calling yourself a hacker won't endear you to them, and will make you a target and a suspect. In a society where the average legislator, business person, and ordinary computer user is angry at those it perceives to be responsible for computer security breaches, viruses and the cost of protecting against malware, that doesn't seem like a good idea.

The bottom line

There are indeed ethical hackers - there's even a certification program for it, but let's face it: if you really want to be taken seriously in the corporate network security field, you'd do yourself a favor by calling yourself a security analyst, security specialist, security consultant - anything but a hacker (note that you might want to stay away from "security engineer," as well - since some states actually have laws forbidding anyone who doesn't hold an engineering license from calling him/herself an engineer). As I mentioned in the original column that started this discussion, Hiring Hackers, companies are now shying away from anyone who fits that description - even those with clean criminal records. They'll just figure you haven't been caught yet.

Words matter. A person who calls himself a "motorcycle enthusiast" creates a far different image from one who refers to himself as a "biker." If we care what others think about us, we have to be cognizant of what words mean to them, even if we believe those meanings are wrong. And those who don't care what others think won't bother to protest that they've been misrepresented.

Calling yourself a hacker doesn't mean you are a bad guy - but it does mean that you'll be perceived as one by almost everyone who isn't also a hacker. You don't have to use the word that way yourself, but at this point in its evolution, it's really pointless to make big deal of it when others do. For a long time, I protested each time I heard someone say something like "A person can call themself whatever they want." Now I just sigh and let it go. The grammatical Truth that I learned in elementary school and followed faithfully over decades as a writer is no longer relevant. The English language has moved on - and I have to do the same.


Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

Editor's Picks