I saw an interesting article in the WSJ today on the idea of hacking victims “hacking back.” The concept is that if you’re hacked, you might hack the computer that hacked you to recover your property or identify the hacker and pass that info to authorities.
The concept isn’t crazy (the article’s warning that hacking back at the Chinese Army might be trouble notwithstanding) — there is a general common law right to self-defense (you don’t have to let someone hit you), to defense of property (you don’t have to let someone steal your stuff), to defense of others (you can stop someone snatching another’s purse), and to peaceably reclaim property (you can walk down the block and take your bike back off the front lawn of the kid who took it). The rub with hacking back is that it is made illegal by the same law that makes the hacking illegal — that is, hacking, without regard to the underlying crime of theft of property or IP, is itself illegal. Half the point is that it gives prosecutors a way to get around the idea of whether copying data is crime and to cut off snooping before it turns into a more destructive hack.
But that’s not what I’m writing about. Here are two sentences from the article:
Hackers who have stolen corporate data should have limited expectations of a right to privacy.
Orin Kerr, a law professor at George Washington University, said that because it is so easy to disguise cyberattacks, there is a real risk that retaliatory measures could affect innocent bystanders, which raises a range of privacy concerns.
Oh my god. I expect better from the writers at the WSJ. “Right to privacy” is not a phrase we tend to utter in connection with hacking. It’s generally a fourth amendment issue when we’re talking about the government intruding on a person’s “reasonable expectation of privacy.” In the private domain, it’s the paparazzi shooting Princess Kate from a half-mile away because she’s sunbathing.
No one thinking about this issue is really thinking about the “right to privacy.” They’re thinking that the law shouldn’t protect these people who have, by definition, already violated it. (Interesting aside: the law gives everyone a right to reasonable self-defense. If you punch someone, they can defend themselves and stop the fight with a reasonable level of force. If they go beyond, however, such as picking up a knife to try to kill you, you get to defend yourself and that privilege of self-defense still applies, even though you were the original aggressor.)
But “right to privacy” is a good buzzword, so who cares if it actually makes sense.
The second example is the sort of vague general negative statement that is intended to voice disapproval without any actual specific, claims, or suggestions. What is the significance of a “range of privacy concerns?” Unless that’s your bland introduction to a longer talk, you’ve signaled you have nothing useful to contribute — you’re a talker, not a fixer. Go get a commenting gig on CNN to fill up some otherwise dead air.
I don’t know Professor Kerr. I assume that there’s a bit more specificity there that just got lost in this paraphrase. That’s a shame.
Privacy is a nebulous concept. We use it in all sorts of situations where it seems to apply or doesn’t, in part because it’s vague. We don’t really know what we mean in any particular instances. Speaking plainly puts the matters at issue right in front of us so we can actually decide.
Take the second quote: if the person that is hacked back isn’t the actual hacker, then their information is exposed through no fault of their own and the original victim has now compounded the damage. That’s an actual concern, not some vague notion that is readily dismissed. It’s got a nice real-world parallel: if someone steals your bike, and you go to take it back but take the bike from someone who owns the same one and didn’t steal yours, that’s bad. We all understand that. Imagine: allowing people to reclaim property creates a range of ownership concerns.
I know: I’m a lawyer and lawyers don’t have a good record over the last couple millennia of making things clearer and easier to understand. (I just had a jargon talk, comparing doctors and lawyers, the other night in fact.) But from a policy perspective, from comparing costs and benefits, from tallying up the risks and the rewards, vague language can’t be tolerated because it isn’t helpful. Please, think of the children.