Does a "Cyber Self-Help" Defense Exist, and Would It Be A Good Idea?:
I enjoyed Eugene's post below about "digital self-help," although I have a very different take on the question.

  First, I highly doubt that a defendant can assert a "digital self-help" claim in a prosecution brought under the Computer Fraud and Abuse Act, 18 U.S.C. 1030. Eugene is right that federal criminal statutes generally do not mention self-defense and other defenses, and yet courts sometimes have recognized those defenses for some crimes. But I don't think it's accurate to say, as Eugene does, that "federal criminal law already includes judicially recognized and generally available self-defense and defense of property defenses." Some commentators have said this, but I believe it clashes with the Supreme Court's most recent take on such questions in Dixon v. United States, 126 S.Ct. 2437 (2006).

  As I read Dixon, it seems that whether a federal defense exists is a question of Congressional intent. Specifically, the question is whether and how Congress meant to incorporate the common law defenses when it enacted that particular crime. Where Congress was silent, courts are supposed to reconstruct what Congress probably wanted or would have wanted "in an offense-specific context." Id. at 2447. (It's true that Dixon was a duress case, not a self-defense case, but it cited the Cannabis opinion, which was a necessity case; to me that suggests that the Court sees all the common law defenses together.)

  This is pretty straightforward when considering a federal criminal law that closely tracks a traditional criminal prohibition, such as homicide. As Justice Kennedy put it in his concurrence in Dixon, "When issues of congressional intent with respect to the nature, extent, and definition of federal crimes arise, we assume Congress acted against certain background understandings set forth in judicial decisions in the Anglo-American legal tradition." It's hard to imagine Congress enacting a homicide statute without meaning to incorporate a self-defense provision. So in that context, courts have readily applied self-defense even though it's not technically written into the statute.

  I think the Computer Fraud and Abuse Act is quite different. I don't know of any evidence that anyone in Congress had ever even heard about "hacking back" when Congress passed the Computer Fraud and Abuse Act in 1986. Congress did consider whether there were some kinds of computer intrusions that would be okay based on the context; specifically, it created an exception in 1030(f) exempting "any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency." But it didn't create an exception for self-defense, and I don't know of any reason to think that there was a background sense that those defenses would apply as seems to be required under Dixon. Given that, I would tend to doubt that a federal "cyber self-defense" doctrine exists.

  Although it's not directly contrary to Eugene's post, I'll also add my 2 cents that I think such a defense would be a really, really, really bad idea. Here's an excerpt of what I wrote on the topic in a 2005 article, Virtual Crime, Virtual Deterrence: A Skeptical View of Self-Help, Architecture, and Civil Liability:
  It is very easy to disguise the source of an Internet attack. Internet packets do not indicate their original source. Rather, they indicate the source of their most immediate hop. Imagine I have an account from computer A, and that I want to attack computer D. I will direct my attack from computer A to computer B, from B to computer C, and from C to computer D. The victim at computer D will have no idea that the attack is originating at A. He will see an attack coming from computer C. Further, the use of a proxy server or anonymizer can easily disguise the actual source of attack. These services route traffic for other computers, and make it appear to a downstream victim as if the attack were coming from a different source.
  As a result, the chance that a victim of a cyber attack can quickly and accurately identify where the attack originates is quite small. By corollary, the chance that an initial attacker would be identified by his victim and could be attacked back successfully is also quite small. Further, if the law actually encouraged victims of computer crime to attack back at their attackers, it would create an obvious incentive for attackers to be extra careful to disguise their location or use someone else's computer to launch the attack. In this environment, rules encouraging offensive self-help will not deter online attacks. A reasonably knowledgeable cracker can be confident that he can attack all day with little chance of being hit back. The assumption that an attacker can be identified and targeted may have been true in the Wild West, but tends not to be true for an Internet attack.
  Legalizing self-help would also encourage foul play designed to harness the new privileges. One possibility is the bankshot attack: If I want a computer to be attacked, I can route attacks through that one computer towards a series of victims, and then wait for the victims to attack back at that computer because they believe the computer is the source of the attack. By harnessing the ability to disguise the origin of attack, a wrongdoer can get one innocent party to attack another. Indeed, any wrongdoer can act as a catalyst to a chain reaction of hacking back and forth among innocent parties. Imagine that I don't like two businesses, A and B. I can launch a denial-of-service attack at the computers of A disguised to look like it originates from the computers at B. The incentives of self-help will do the rest. A will defend itself by launching a counterattack at B's computers. B, thinking it is under attack from A, will then launch an attack back at A. A will respond back at B; B back at A; and so on. As these examples suggest, basing a self-help strategy on the virtual model of the Wild West does not reflect a realistic picture of the Internet. Self-help in cyberspace would almost certainly lead to more computer misuse, not less.
  More in the article itself (unfortunately, the version on SSRN is only an early draft, but the final is on Westlaw and Lexis.)
Jake (Guest):
Let's just skip the intervening steps in this discussion. Professor Kerr, surely you acknowledge that, however unwise it might be as a policy matter, a right of digital self defense is required by Roe v. Wade?
4.11.2007 7:03pm
Orin Kerr, April 11, 2007 at 5:32pm posted:
Legalizing self-help would also encourage foul play designed to harness the new privileges. One possibility is the bankshot attack: If I want a computer to be attacked, I can route attacks through that one computer towards a series of victims, and then wait for the victims to attack back at that computer because they believe the computer is the source of the attack.
In anti-spam circles (and spammer circles too for all I know), this is called a Joe Job.

Another spam-related self defense technique is the anti-spam "blacklist". These have been the subject of litigation, and I believe spammers have lost these suits. Various organizations maintain lists of IP addresses from which spam has been known to originate. They regularly provide these to subscribing ISPs or other email providers, who use them to automatically ignore SMTP connections from the listed IP addresses. In practice, usually the list contains entire netblocks, or ranges of IP addresses, which might result in subscribers ignoring all SMTP packets from an entire ISP. Furthermore, the list maintainers can be very slow about removing even erroneously listed IPs or entire netblocks from their lists. This has caused a great deal of friction from innocent users whose IPs have been blocked through no apparent fault of their own except their choice of ISP.

The anti-spam list compilers argue (to synopsize) that punishing the many customers of some ISP for the wrongdoing of one customer is perfectly fair. The innocent customers can find a new ISP and/or the blacklisted ISP will be more careful in its self-policing in the future. The fact is that they are correct insofar as some ISPs are entirely too lax about letting spammers use their facilities. They make money by selling access to spammers. The blacklist is believed, whether accurately or not, to encourage innocents to leave such rogue ISPs.

Spammers have sued such blacklist providers for this self-defense. A fairly well known case was against Spamhaus, a list compiler in Great Britain which was sued in the USA. The procedural issues in that case complicated it tremendously, but as I recall the suit did go forward although I think it was finally resolved in Spamhaus' favor.

As for other attacks that aren't joe jobs, spammers and other malicious hackers often control entire botnets of home or even business computers compromised by a virus or similar malware. These are often controlled through IRC channels. They can be used to distribute spam, or for attacks on other systems. There have been a number of self-defense actions taken against these. There was once talk on Slashdot of someone circulating an "anti-virus virus" that specifically targeted compromised machines and cleaned them up.

Botnets of compromised machines are considered to be a major source of spam and other attacks now. The owners of the machines are usually unaware (because they are typically clueless to begin with). As a moral matter, I have no issue with someone circulating a virus that would disable such machines, but the law certainly doesn't see it that way. An attack on such a compromised machine could be charged as a crime under unauthorized access laws. But I'd bet that a reasonable jury would acquit if a necessity defense were raised.

There are plenty of other VC readers who know tons more about this stuff than I do. Maybe they will elaborate some details here.
4.11.2007 7:27pm
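
How a subscriber-side check against the kind of anti-spam list described in the comment above behaves when an entry covers a whole netblock, shown as an added example that is not part of the original post or comments. The list entries, the addresses (RFC 5737 documentation ranges) and all function names are constructed for illustration and do not reflect any real list's format.

```python
import ipaddress

# Constructed blocklist: one single-address entry and one whole-netblock entry.
# Addresses are documentation ranges (RFC 5737), not real listings.
BLOCKLIST = [
    ("192.0.2.45/32", "spam source observed"),
    ("198.51.100.0/24", "ISP netblock listed for one spamming customer"),
]


def compile_blocklist(entries):
    """Parse (cidr, reason) pairs into (ip_network, reason) pairs."""
    return [(ipaddress.ip_network(cidr), reason) for cidr, reason in entries]


def lookup(ip, compiled):
    """Return the most specific (network, reason) covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, reason) for net, reason in compiled if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def smtp_decision(ip, compiled):
    """Decision a subscribing mail server would take for a connecting peer."""
    hit = lookup(ip, compiled)
    if hit is None:
        return "accept"
    return f"reject ({hit[0]}: {hit[1]})"


def collateral(compiled, known_bad):
    """Per listed network: addresses blocked that are not known spam sources."""
    bad = {ipaddress.ip_address(b) for b in known_bad}
    report = {}
    for net, _reason in compiled:
        bad_in_net = sum(1 for b in bad if b in net)
        report[str(net)] = net.num_addresses - bad_in_net
    return report


if __name__ == "__main__":
    compiled = compile_blocklist(BLOCKLIST)
    # Constructed peers: the spammer, an innocent customer of the same ISP,
    # and an unrelated sender.
    for peer in ("198.51.100.10", "198.51.100.77", "203.0.113.5"):
        print(peer, "->", smtp_decision(peer, compiled))
    print(collateral(compiled, ["192.0.2.45", "198.51.100.10"]))
```

The collateral count is the quantity a list operator or subscriber would want to review before listing or honouring a netblock-wide entry, since every address in it is rejected regardless of who is sending.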