A Final Post on Hacking Back

Thanks to Stewart for the interesting exchange on the (un)lawfulness of hacking back. Here are my concluding thoughts.

First, Stewart repeatedly draws analogies to the law of physical trespass that are faulty because they misunderstand the law of physical trespass. Stewart seems to think that it is legal to break into someone else’s house to retrieve your property stored inside. He also assumes that it is always okay for “rescuers, people in hot pursuit of thieves, easement holders, and government officials” to enter private property. From these assumptions, Stewart guesses that trespass law doesn’t apply to such cases because the conduct is authorized and thus can’t be a trespass. He builds his proposal on that assumption. Just treat electronic trespass like physical trespass, he says: Hack back is authorized just like analogous physical entries are authorized.

But trespass law doesn’t work that way. First, you don’t have a right to break into someone else’s house to retrieve your stuff. That’s a trespass. The issue comes up most often in criminal cases when a party who entered someone else’s home and took property is charged with trespass and burglary. It’s common for the defense to claim that that they entered to retrieve their own property: They thus concede liability for a criminal trespass but deny liability for the more serious crime of burglary. Cf. Auman v. People, 109 P.3d 647 (Colo. 2005). Similarly, those who are rescuers or police officers or those in hot pursuit don’t have a general exemption from trespass liability. Instead, they have to invoke an affirmative defense. Rescuers must invoke the necessity defense. See, e.g., City of Wichita v. Tilson, 253 Kan. 285 (1993). Police officers must invoke the affirmative defense of the Fourth Amendment. Either they have to produce a valid warrant or they have to identify an applicable exception to the warrant clause (one of which is hot pursuit). See, e.g., Entick v. Carrington, 95 Eng. Rep. 807 (K.B. 1765); Warden v. Hayden, 387 U.S. 294 (1967). Easement holders can’t trespass, but that’s because easements limit the property owner’s usual right to exclude.

What’s the lesson from physical trespass laws? It’s that trespass liability is actually pretty broad, and the kinds of exceptions that Stewart is using for purposes of analogy are a lot more limited than Stewart thinks. They’re affirmative defenses, not elements of the crime itself. So while I agree that we should treat physical trespass and cybertrespass the same way, that means recognizing that hacking back violates 18 U.S.C. 1030 and that the only way to get out of liability is to fit the case into an affirmative defense.

What about the affirmative defense of necessity? It seems to respond to Stewart’s concerns. If any existing criminal law doctrine fits Stewart’s argument, that’s it. Stewart says it is isn’t very helpful, though, because it “isn’t likely to offer much comfort for companies that want to gather information about their attackers.” It’s too doctrinally uncertain and vague for companies to rely on safely. I’ll concede that’s true. But how is it relevant? We’re just debating what the law is. What companies feel about that law is irrelevant to the question.

Anyway, I’m happy to keep discussing this in the comment threads. Thanks again to Stewart for the debate.