I was just talking to some people recently about the question of "digital self-defense" — whether organizations that are under cyberattack should be free to (and are free to) fight back against attacking sites by trying to bring those sites down, by hacking into the sites, and so on.
I don't claim to know the definitive answer to this question; but I did want to say a few words about some common anti-self-help rhetorical tropes, which are sometimes heard both in this context and other contexts.
1. Vigilantism: Allowing digital self-defense (or, to be precise, digital defense of property), the argument goes, would mean sanctioning vigilantism; the nonvigilante right solution is to leave matters to law enforcement.
Yet the law has never treated defense of property as improper "vigilantism." American law bars you from punishing those who attack you or your property, but it has always allowed you to use force to stop the attack, or prevent an imminent attack. There are limits on the use of force, such as the principle that generally (though not always) property may be defended only with nonlethal force. But generally speaking the use of force is allowed, and shouldn't be tainted with the pejorative term of "vigilantism," which connotes illegality. (Black's Law Dictionary echoes this, defining vigilantism as "The act of a citizen who takes the law into his or her own hands by apprehending and punishing suspected criminals.")
2. Taking the Law Into Your Own Hands: Critics of self-defense and defense of property also sometimes characterize it as "taking the law into your own hands." This too implies, it seems to me, extralegal action, through which someone unlawfully taking into his own hands power that the law leaves only in law enforcement's hands.
Yet the law has always placed in your own hands — or, if you prefer, has never taken away from your own hands — the right to defend yourself and your property (subject to certain limits). By using this right, you aren't taking the law into your own hands. You're using the law that has always been in your hands.
There are many reasons the law has allowed such self-defense and defense of property: It's generally more immediate than what law enforcement can do; even after the fact, law enforcement is often stretched too thin even to investigate all crimes; sometimes law enforcement may be biased against certain people, and may not take their requests for help seriously, so self-help is the only game in town. There are also reasons to limit self-defense and defense of property (I'll note a few below). But let's not assume that self-defense and defense of property somehow involve unlawful arrogation of legal authority on the defenders' part. Rather, they generally involve legally authorized exercise of legal authority.
3. But the Statute Has No Self-Defense Exceptions: Ah, some may say, perhaps in the physical world you have the right to defend yourself and your property — but the Computer Fraud and Abuse Act secures no such right, so whatever one's views on self-help, the fact is that self-help is illegal.
Yet, surprising as it may seem to many, self-defense and defense of property may be allowed even without express statutory authorization. These defenses were generally recognized by judges, back when the criminal law was generally judge-made; and many jurisdictions don't expressly codify them even now. Federal law, for instance, has no express "self-defense" or "defense of property" statute. The federal statute governing assaults within federal maritime and territorial jurisdiction simply says, in part,
Whoever, within the special maritime and territorial jurisdiction of the United States, is guilty of an assault shall be punished as follows ....Assault is generally defined (more or less) as "any intentional attempt or threat to inflict injury upon someone else, when coupled with an apparent present ability to do so, and includes any intentional display of force that would give a reasonable person cause to expect immediate bodily harm, whether or not the threat or attempt is actually carried out or the victim is injured." The federal criminal code thus on its face prohibits all assaults, including ones done to defend one's life. Yet self-defense is a perfectly sound defense under federal law — because federal courts recognize self-defense as a general criminal defense, available even when the statute doesn't specifically mention it.
(4) Assault by striking, beating, or wounding, by a fine under this title or imprisonment for not more than six months, or both.
(5) Simple assault, by a fine under this title or imprisonment for not more than six months, or both, or if the victim of the assault is an individual who has not attained the age of 16 years, by fine under this title or imprisonment for not more than 1 year, or both.
(6) Assault resulting in serious bodily injury, by a fine under this title or imprisonment for not more than ten years, or both.
(7) Assault resulting in substantial bodily injury to an individual who has not attained the age of 16 years, by fine under this title or imprisonment for not more than 5 years, or both.
Likewise, federal law generally bans possession of firearms by felons, with no mention of self-defense as a defense. Yet federal courts have recognized an exception for felons' picking up a gun in self-defense against an imminent deadly threat, again because self-defense is a common-law defense available in federal prosecutions generally.
Given this, a federal statute's general prohibition on breaking into another's computer doesn't dispose of breakins done in defense of property against imminent threat — just as federal statutes' general prohibitions on assault or on possession of a firearm by a felon don't dispose of assault or possession done in defense of life (or sometimes property) against imminent threat. Federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses, even when the defendant is prosecuted under a statute that doesn't expressly mention such defenses.
There still remains a good deal of uncertainty about how the defense of property defense would play out in any particular digital strikeback situation, and I suppose it's possible that courts might even decide that it's categorically unavailable as a matter of law in computer breakin cases (though it would be unusual, given the general availability of self-defense and defense of property defenses). But it is a mistake to simply assert that such a defense is unavailable simply because the statute doesn't mention it.
All this having been said, I want to stress that there are plausible arguments in favor of prohibiting digital self-defense (either criminalizing it or making it tortious), and reasons to be skeptical about easy analogies between digital self-defense (or, more precisely, defense of property) and physical self-defense. It may be, for instance, that there's more of a risk of error in digital self-defense cases, in that you might disable, directly or indirectly, a computer that's not actually attacking you. (Say, for instance, you're defending against a worm by launching a counterworm; there's more risk of massive damage to many third parties from an error in the counterworm than there is in a typical situation where you're confronting someone who's trying to run off with your bicycle.) It's also not obvious what should be allowed when you're going after a computer that is attacking you but only because it's been hijacked. Should that turn, for instance, on whether the computer's owner was negligent in allowing the computer to be hijacked?
It's also not clear how the general principle that defense of property must generally be nonlethal should play out — what if you're under attack using a hijacked computer that belongs to a hospital, an airport, a 911 center, or some other life-critical application? Is disabling that computer potentially lethal force, because it may have lethal consequences? How can you tell whether the computer is indeed running some application on which lives turn?
It's therefore not obvious whether the law should criminalize most or all forms of digital self-defense, criminalize some and make others tortious, leave it entirely to the tort system so long as the actor sincerely believed (or perhaps reasonably believed) the actions were necessary to defend his property, or whatever else. Some limits on digital defense of property may well be proper, especially if we think that on balance allowing such defense would lead to too much harm to the property of third parties. But we need to analyze things carefully, by asking some of the questions I noted in the last few paragraphs — not just by condemning digital self-defense as vigilantism, as taking the law into one's own hands, or as clearly illegal under current computer crime law.
Thanks to Warren Stramiello, a student whose paper first alerted me to the defense of property analogy; and note this Journal of Law, Economics & Policy symposium on the subject, which is available in volume 1, issue 1 of the Journal, but unfortunately not on the Web. (Participants included our very own Orin Kerr, as well as my incoming colleague Doug Lichtman.)
Related Posts (on one page):