I was just talking to some people recently about the question of "digital self-defense" — whether organizations that are under cyberattack should be free to (and are free to) fight back against attacking sites by trying to bring those sites down, by hacking into the sites, and so on.
I don't claim to know the definitive answer to this question; but I did want to say a few words about some common anti-self-help rhetorical tropes, which are sometimes heard both in this context and other contexts.
1. Vigilantism: Allowing digital self-defense (or, to be precise, digital defense of property), the argument goes, would mean sanctioning vigilantism; the nonvigilante right solution is to leave matters to law enforcement.
Yet the law has never treated defense of property as improper "vigilantism." American law bars you from punishing those who attack you or your property, but it has always allowed you to use force to stop the attack, or prevent an imminent attack. There are limits on the use of force, such as the principle that generally (though not always) property may be defended only with nonlethal force. But generally speaking the use of force is allowed, and shouldn't be tainted with the pejorative term of "vigilantism," which connotes illegality. (Black's Law Dictionary echoes this, defining vigilantism as "The act of a citizen who takes the law into his or her own hands by apprehending and punishing suspected criminals.")
2. Taking the Law Into Your Own Hands: Critics of self-defense and defense of property also sometimes characterize it as "taking the law into your own hands." This too implies, it seems to me, extralegal action, through which someone unlawfully taking into his own hands power that the law leaves only in law enforcement's hands.
Yet the law has always placed in your own hands — or, if you prefer, has never taken away from your own hands — the right to defend yourself and your property (subject to certain limits). By using this right, you aren't taking the law into your own hands. You're using the law that has always been in your hands.
There are many reasons the law has allowed such self-defense and defense of property: It's generally more immediate than what law enforcement can do; even after the fact, law enforcement is often stretched too thin even to investigate all crimes; sometimes law enforcement may be biased against certain people, and may not take their requests for help seriously, so self-help is the only game in town. There are also reasons to limit self-defense and defense of property (I'll note a few below). But let's not assume that self-defense and defense of property somehow involve unlawful arrogation of legal authority on the defenders' part. Rather, they generally involve legally authorized exercise of legal authority.
3. But the Statute Has No Self-Defense Exceptions: Ah, some may say, perhaps in the physical world you have the right to defend yourself and your property — but the Computer Fraud and Abuse Act secures no such right, so whatever one's views on self-help, the fact is that self-help is illegal.
Yet, surprising as it may seem to many, self-defense and defense of property may be allowed even without express statutory authorization. These defenses were generally recognized by judges, back when the criminal law was generally judge-made; and many jurisdictions don't expressly codify them even now. Federal law, for instance, has no express "self-defense" or "defense of property" statute. The federal statute governing assaults within federal maritime and territorial jurisdiction simply says, in part,
Whoever, within the special maritime and territorial jurisdiction of the United States, is guilty of an assault shall be punished as follows ....Assault is generally defined (more or less) as "any intentional attempt or threat to inflict injury upon someone else, when coupled with an apparent present ability to do so, and includes any intentional display of force that would give a reasonable person cause to expect immediate bodily harm, whether or not the threat or attempt is actually carried out or the victim is injured." The federal criminal code thus on its face prohibits all assaults, including ones done to defend one's life. Yet self-defense is a perfectly sound defense under federal law — because federal courts recognize self-defense as a general criminal defense, available even when the statute doesn't specifically mention it.
(4) Assault by striking, beating, or wounding, by a fine under this title or imprisonment for not more than six months, or both.
(5) Simple assault, by a fine under this title or imprisonment for not more than six months, or both, or if the victim of the assault is an individual who has not attained the age of 16 years, by fine under this title or imprisonment for not more than 1 year, or both.
(6) Assault resulting in serious bodily injury, by a fine under this title or imprisonment for not more than ten years, or both.
(7) Assault resulting in substantial bodily injury to an individual who has not attained the age of 16 years, by fine under this title or imprisonment for not more than 5 years, or both.
Likewise, federal law generally bans possession of firearms by felons, with no mention of self-defense as a defense. Yet federal courts have recognized an exception for felons' picking up a gun in self-defense against an imminent deadly threat, again because self-defense is a common-law defense available in federal prosecutions generally.
Given this, a federal statute's general prohibition on breaking into another's computer doesn't dispose of breakins done in defense of property against imminent threat — just as federal statutes' general prohibitions on assault or on possession of a firearm by a felon don't dispose of assault or possession done in defense of life (or sometimes property) against imminent threat. Federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses, even when the defendant is prosecuted under a statute that doesn't expressly mention such defenses.
There still remains a good deal of uncertainty about how the defense of property defense would play out in any particular digital strikeback situation, and I suppose it's possible that courts might even decide that it's categorically unavailable as a matter of law in computer breakin cases (though it would be unusual, given the general availability of self-defense and defense of property defenses). But it is a mistake to simply assert that such a defense is unavailable simply because the statute doesn't mention it.
All this having been said, I want to stress that there are plausible arguments in favor of prohibiting digital self-defense (either criminalizing it or making it tortious), and reasons to be skeptical about easy analogies between digital self-defense (or, more precisely, defense of property) and physical self-defense. It may be, for instance, that there's more of a risk of error in digital self-defense cases, in that you might disable, directly or indirectly, a computer that's not actually attacking you. (Say, for instance, you're defending against a worm by launching a counterworm; there's more risk of massive damage to many third parties from an error in the counterworm than there is in a typical situation where you're confronting someone who's trying to run off with your bicycle.) It's also not obvious what should be allowed when you're going after a computer that is attacking you but only because it's been hijacked. Should that turn, for instance, on whether the computer's owner was negligent in allowing the computer to be hijacked?
It's also not clear how the general principle that defense of property must generally be nonlethal should play out — what if you're under attack using a hijacked computer that belongs to a hospital, an airport, a 911 center, or some other life-critical application? Is disabling that computer potentially lethal force, because it may have lethal consequences? How can you tell whether the computer is indeed running some application on which lives turn?
It's therefore not obvious whether the law should criminalize most or all forms of digital self-defense, criminalize some and make others tortious, leave it entirely to the tort system so long as the actor sincerely believed (or perhaps reasonably believed) the actions were necessary to defend his property, or whatever else. Some limits on digital defense of property may well be proper, especially if we think that on balance allowing such defense would lead to too much harm to the property of third parties. But we need to analyze things carefully, by asking some of the questions I noted in the last few paragraphs — not just by condemning digital self-defense as vigilantism, as taking the law into one's own hands, or as clearly illegal under current computer crime law.
Thanks to Warren Stramiello, a student whose paper first alerted me to the defense of property analogy; and note this Journal of Law, Economics & Policy symposium on the subject, which is available in volume 1, issue 1 of the Journal, but unfortunately not on the Web. (Participants included our very own Orin Kerr, as well as my incoming colleague Doug Lichtman.)
Related Posts (on one page):
It seems like the sort of counter-hacking discussed here is a little more proactive that most defense of property cases.
If you are suffering from a digital attack and have figured out the (real) IP address the attack is originating from the most effective means of defense is to block that IP address. The only reason you might want to counterattack is to get revenge or to deter future attacks. On the other hand if you aren't sure it is the real IP address the counterattack is likely to hit an innocent individual.
I think you got it right on about the risk of misidentification. Forging packets and making the receiver think they came from the location you wish to have attacked are a common trick used in computer hacking. As a pure policy matter we should not allow computer counterattack by unaccredited private parties since it is more likely to aid computer hackers than to deter them.
Ultimately I think the answer is no at least and until we have some sort of compelling certification program for computer experts. I think it would be good and reasonable to let the real experts counterattack, provided they are diligent and careful, but at the moment there is no way to distinguish these individuals from script kiddies or pseudo-experts in the law.
I should note, though, that the typical digital self-defense scenario I've heard discussed involves an attempt to stop an ongoing attack, not an attempt to somehow recapture property taken in a just-finished attack.
This point is reinforced by EV's acknowledgment that "digital defense" is very different from other sorts of defense, because the consequences of aggressively shutting down another computer are unknown. If someone is running off with your bike, and you somehow catch them before they get going, throwing them off the bike, you can be pretty sure that they are probably not going to be seriously injured, or, if they are somewhat injured, those injuries are foreseeable -- in general, you are in a reasonable position to judge whether the force you plan to use is reasonable, given the threat. You can be even more sure that a third party will not be harmed. Digital defense, as EV acknowledge, is different. In the case of attacking and shutting down an unknown computer, it is completely unknown who will be harmed and what the extent of the harm will be. Indeed, it even possible that the computer you attack could be performing a life saving function. (Maybe the person using the computer uses it as their phone and is calling 9-11. Maybe they have been hacked into, and are unaware that there computer is a problem for others. Maybe the computer in question is in a hospital, and shutting it down will prevent access to life-saving medical records.)
From a policy perspective, there might be some partial fixes to such a problem. For example, reserving certain IPs to certain critical computers, where digital defense is not allowed. But clearly, such a policy mitigating the harm from "digital defense" should be made in a legislature, not by a court. Without such mitigating policies, maybe "digital defense" is not desirable. Maybe even with such policies, it is not desirable. But one thing is for certain, this is precisely the sort of decision that should be made by a legislature.
In light of the massive difference between "digital defense" and self-defense, for the judiciary to read a right to "digital defense" into the statute would be serious judicial activism. Common sense would allow a court to infer that a legislature would not want to punish assaults in self-defense, given the common law's long recognition of self-defense and absent an overwhelming cultural shift. In contrast, no such inference can be reasonably made about legislative intent concerning the desirability of a new-fangled "digital defense" provision. Especially where, as EV acknowledges, the desirability of such a defense is much more questionable.
I agree with EV that "digital defense" is complicated, and that reasonable policy decisions could go either way. Precisely for this reasons, courts should leave the decision to the legislature. Absence should be taken as lack of authorization in this case, since "digital defense" has no common law history.
Such cases arise relatively rarely under federal-law, compared to self-defense cases, I suspect because defense of property generally doesn't authorize the use of deadly force, and because use of supposedly defensive nondeadly force is less likely to draw a federal prosecutor's attention than the use of supposedly defensive deadly force. But there's no doubt that defense of property is a well-established defense in all American jurisdictions, including in federal court, and that it operates even in those jurisdictions that have not codified the criminal defenses.
Viscus: As to leaving the matter to the legislature, it's hard to see what this means. When Congress enacts federal criminal law, it enacts it against a background legal regime in which common-law defenses are available. Given this background legal regime, it's hard to see why Congressional silence should be interpreted as a rejection of the defenses, as opposed to their acceptance. Nor is it clear that defense of property using computers is a completely "different animal" than defense of property using one's hands, using a stick, or whatever else. It's defense of property; we might conclude that it should be forbidden for some public policy reasons, but defense of property is what it is.
The equivalent to most digital anecdotes would be seeing someone trying to open my steel reinforced medeco lock door with a Fisher-Price crowbar that I know will never work and taking that as license to launch an aerial bombardment of his home.
If someone does try to open my door with a working skeleton key then my defense systems will of course never notice it. They're only going to notice failed attacks.
The interesting case that might be relevant would be the DDOS attacks using massive bandwidth to take down sites. If you could hack into the control channel and shut down their attack then surely that would be self-defense.
Gotcha. I didn't realize you were only talking about fighting ongoing attacks. I guess the analytical question would be what the term "ongoing attack" means in the digital context. For example, if you are able to locate the source of the attack and block it, is it still ongoing?
I don't see how you can say it is the same. The person doing the "defending" cannot know the consequences of their actions nor who will suffer consequences.
There is no conceivable scenario where society would reject reasonable self-defense against assault or battery. Not absent a massive cultural shift. Liberals and conservatives agree, there should be self-defense (there might be arguments on the margins about whether their should be a duty to retreat when it is safe to do so, but no one questions the basic idea that there should be a right to self-defense). All 50 states, from the most liberal to the most conservative recognize self-defense.
It might be regrettable that Congress did not put self-defense explicitly into the Federal statute regarding assault, precisely because it leads some to confusedly think that because the courts have made the only reasonable decision they could interpreting this statute (recognizing self-defense) in the absence of statutory language, that in other different situations, they have a license to read any defense they want.
Merely reducing this animal, called "digital defense" to a defense of property, is inaccurate. Digital defense might be employed to protect property (among other motives), but that is not all it is. But this isn't considered self-defense. Think of it as (defense of property)+. Because it is more than the mere defense of property. It is also an action where unknown harm is inflicted upon unknown third parties. It is thus very different.
I just don't see how you could equate these two very different things. You already acknowledged that they are different. Is your argument that the differences don't really make a difference? That it is okay for courts to make these important policy decisions? I don't think so.
Here is but one proof that they are different.
(1) You (and most everyone else) do not question the wisdom of self-defense.
(2) You (and many others) do question the wisdom of "digital defense."
Is there a common law history of digital defense? Definitely not. Not when articulated at that level of generality. Why, in your view, is "defense of property" the right level of generality, rather than "digital defense?" Digital defense has the advantage of being more precise and accurate, and the term acknowledges that it is different from the sorts of "defense" that have occurred before. Which, in fact, is something that you acknowledge in your original post.
I don't buy your argument. In fact, in my view, any judge that bought your argument would be nothing more than a judicial activist. This sort of complicated technical decision that demands the sort of fact-finding best employed by legislatures, rather than courts. It doesn't take much expertise to determine whether "reasonable force" has been used in self-defense against, say, bike theft or battery. This decision about when "digital defense" is reasonable and should be allowed, in contrast, does take deep technical expertise. Any judge who thinks they know what is best in this area should consider resigning their post and running for the legislature. But what they shouldn't do, is become judicial activists.
I suppose what this disagreement dissolves to is whether "digital defense" and "defense of property" are different enough. You acknowledge that digital defense is different, after all. But I do not think this difference is just a matter of degree. I think it matters that the harm is unknown and the person who it is inflicted upon is unknown. (i.e. Tell the family of a person who dies because their medical record cannot be accessed due to a "digital defense" -- and who had nothing to do with the digital attack preceding this offensive "defense" -- that attacking the computer containing such vital information is no different than chasing down some guy who snatches your wallet.)
These two things are just obviously different. With self-defense, a known amount of force is used, with foreseeable consequences to the aggressor and third parties, against a known threat. With digital "defense" an attack is made with foreseeable consequences to a computer system, but unforeseeable consequences to both the aggressor and, most importantly, innocent third parties.
I am perfectly willing to recognize the reasonable use of force in defense of property. If someone snatches my wallet, they had better run fast. But, force is unreasonable when the consequences for third parties (which can be dire) and the number of third parties harmed are completely unknown. If "digital defense" is considered mere defense of property rather than another animal altogether, it should be considered unreasonable per se.
Imagine this. Someone continually hacks into my computer system. In fact, they are doing it right now. Not knowing how to perform a digital attack, I am sort of stuck. I have my computer expert friend come over, and he is able to determine the house that he believes is responsible for the attack. Alas, my computer expert friend thinks digital defense is unethical, does not know how to block ip addresses or do anything else to prevent the ongoing attack. The police are unavailable, having all gone to a donut convention. To prevent this continuing harm, which continues right up to this moment, I decide to go to the house where I believe the attack originates. I take a random weapon out of a bag without looking (it might be a nerf bat or it might be a machete). I ring the bell and the first person who happens to answer the door, well, I hit them with my randomly selected weapon, reasonably believing this will end the attack. Self-defense? Even when I randomly and unintentionally selected the machete? Or does it matter that I am inflicting an unknown harm on an unknown individual?
Obviously, there are great difficulties with any analogies, because we are equating what are essentially unlike things. The typical self-defense scenario is unlike what I have described above. In fact, I think that the difficulty with making analogies goes to why a court should leave this area to a legislature -- digital defense is not the same as chasing down a guy who has just snatched your wallet.
By "us" do you mean the courts? Why are the courts the proper venue to make this decision? If you really believe "digital defense" is more like "self-defense" such that courts should read digital defense into a statute that is silent on the same, how should courts go about making the complex policy decisions concerning when the defense should apply and when it shouldn't?? Isn't this decision just a little more complex than judging the reasonableness of using assault or battery in self-defense? How is a criminal defendant to know the difference between reasonable and unreasonable digital defense?
Prof. Volokh mentioned three common arguments against self-help. Regarding the specific case of lethal self-defense, I would add a fourth one (based on a misconception, mind you, but one that still gets bandied about a lot): It violates the attacker's Fifth and Eighth Amendment rights by depriving him of his life without due process, and also amounts to cruel and unusual punishment.
The Eighth Amendment portion of this argument relates to the notion of self-defense as vigilantism. I think the reason this notion has persisted as long as it has is because, from the dead assailant's perspective, it makes no difference at all whether you killed him in the heat of combat, or in cold blood after the fact. Either way, he's still dead, without so much as having been charged with, much less tried for, his crime, which may or may not have yet even risen to the capital level (since he obviously never succeeded in killing you). Furthermore, death is such a severe consequence that it's tantamount to a punishment, regardless of whether it was intended as such.
Of course, as I mentioned, this is all based upon a misconception, namely that private citizens are bound by the Fifth and Eighth Amendments. What I wonder is, are states whose laws sanction lethal self-defense still on the hook for constitutional rights deprivations committed by its citizens under said laws? Has this even been tested in court before? (Indeed, given the states' sovereign immunity, can it even be tested?)
If this case is about "digital self defense" it of a different kind than discussed elsewhere on the thread. It should be kept in mind that the US Court in question did not reach the merits of the claim, but rather awarded a default judgment based on the acused spammer's claim that they were doing business in Illinois. Thus, in no way have Spamhaus's activities been declared illegal on the merits.
Very interesting case. Thanks for the link.
So how does that apply to the hypothetical where a guy stole a pack of gum from me and is inside his house chewing it one stick at a time? That sounds very much like an imminent or ongoing attack to me.
The ultimate cause of the destruction of the car is not my action in self-defense, but the theft of the car by the one attacking me. The same would apply to counterattacks at zombies. Those who subverted them for the illegal use would be also responsible for any damage that resulted from that use, whether it occurred in a "self-defense" reaction to attacks originating (or passing through) there, or directly from the subversion. The owner might also bear some liability if they did not hew to best practices in defending those assests, I don't think there's much precedent here though (if any).
All this said, as one who does work in IT security, I can't see many situations (outside national security) where a counterattack would be the most sensible reaction. Taking out a nexus through which an attack passes in another country might make sense, expecially if that country's government is believed to be complicit.
But shooting the driver of a hijacked bus trying to run me down with 100 innocent passengers still aboard is a lot more problematical than doing it to a car with a driver and no visible passengers. Unless the bus was trying to run me down in the process of crashing into a depot with 10 more buses loaded with passengers to kill all of them. The compsec situation is far more apt to resemble the crowded bus than the single driver in the car situation. It may, however, be even closer to the bus with passengers used as a tool to destroy more buses with passengers. Except we don't usually have real life-or-death situations, just destruction of property (real or intangible). So that would mean something more like UPS or FedEx delivery trucks as weapons to destroy more to cause harm to a lot of individuals and businesses.
The very nature of computers as tools and the fanout resulting from the interconnectivity resulting from networking them make it something hard to compare to "real world" situations. And that means that it's hard for legislators to get a mental grasp on. And judges and juries.