More on the "Hacking Back" Defense:
I wanted to add one more round to the exchange Eugene and I were having about whether a defendant charged with a federal computer intrusion crime can assert a "hacking back" defense. I'm still of the opinion that defendants cannot assert such a defense, and I wanted to respond specifically to Eugene's most recent post about it. Specifically, I want to make two points. First, I'm not entirely sure a general defense of property defense doctrine exists as a default in federal criminal law, and second, if the doctrine exists I don't think it covers computer intrusions.

  The reason I'm unsure that the "defense of property" defense exists as a Congressional default is that the defense seems to be quite rare in federal court, and the cases appear almost entirely in a very specific context. Based on a quick Westlaw check, at least, I could only find about 30 federal criminal cases that seem to apply it or discuss it at all. Further, those cases arise almost entirely in a very specific context: a defense raised in a prosecution for physical assault. There's also a bit of homicide and one or two other crimes thrown in, but not much. Perhaps a lot more cases exist beyond what I could find, but I couldn't find much — and what I found was quite narrow and applied only in a very small subset of criminal cases. Clearly this doesn't rule out that Congress legislates all criminal offenses against a general background norm of a "defense of property" defense being available, but I think it does shed some doubt on it.

  Second, when stated as a defense in federal criminal cases, "defense of property" seems to mean only defense of physical property from physical access or removal. For example, in the context of the Model Penal Code's defense of property section, which has been influential in federal court applications of defenses, the provisions are available only "to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property . . . , [or] to effect an entry or re-entry upon land or to retake tangible movable property." MPC 3.06. (The MPC seems to treat the kind of interference with property that includes computer intrusions under a separate section, § 3.10, Justification in Property Crimes, which seems to follow a different set of principles. Also, while you might think "entry" includes virtual entry, entry in the context of criminal trespass statutes is generally understood to mean physical entry.) Given that, it seems that whatever "defense of property" doctrine is established as a background norm when Congress creates a new criminal law, it doesn't seem to me to apply to computer attacks.

  Anyway, I should stress that we don't yet have any cases on this, so both Eugene and I are guessing as to what courts would or should do based on the legal materials out there. It's a very interesting question. Finally, I'll just add further thoughts in the comment thread in the future, as I'm not sure a lot of readers are interested in this issue.
Rick Wilcox (www):
Strangely enough, I'm interested. I've often thought of the "hacking back" defense as a bit weak, usually because the analogy runs a little flat to my ears. Running protective tools can be likened to having a lock on your front door. Intrusion detection measures can be analogized to having a security alarm. Reactive measures, however, seem analogous at best to booby traps, and at worst to attempting to destroy a potential thief's house in retribution.
4.13.2007 5:38pm
Eugene Volokh (www):
I should stress that I am not speaking of retribution, but of defensive action taken during the attack -- to quote (with emphasis added) my original post, the issue is "whether organizations that are under cyberattack should be free to (and are free to) fight back against attacking sites by trying to bring those sites down, by hacking into the sites, and so on." And if a potential thief is in the middle of trying to destroy property using his own property, you may use nonlethal force against his property as well as his person in order to block him from continuing.
4.13.2007 6:29pm
visitor from Texas (mail) (www):
I have to note that you aren't going to "hack back" at a web site, though you might attempt to take down a server that is a source of an attack. The problem with that is that most attacks are now distributed attacks using zombies -- virus infected machines that are being used to launch parts of a distributed attack.

The real thing that the government needs to do is make it a crime, punishable by 50 years in the federal pen, to spoof an e-mail address so that all spam can be returned to sender -- and to actively go after spammers. After all, if you can't locate a spammer, they can't get your money. Aggressive enforcement of a real threat, rather than no-fly lists.

If spam could be returned to sender, it would pretty much automatically clog up its own pathways.

But, you've got me thinking of technical questions about how to "hack back" at the various types of attack.
4.13.2007 6:53pm
anotherbob (mail):
Let's say that a website is the victim of a DDOS. The website's administrator examines the offending packets to determine that while the attack is distributed, it originates from a library's computer, one that's devoted to giving patrons access to the Internet. Using a firewall to block the offender system would not prevent the attack, because it's just being used to orchestrate the DDOS through control of other hacked machines (home computers and the such).

Through use of nmap or ethereal, the victim admin discovers an exploit on the library's computer that would allow him to quickly take it offline -- crash it -- putting an immediate end to the attack. Doing so would most likely have no effect that wouldn't be cured by a reboot.

It's Easter weekend, and the library is shut down. Responsible parties are unreachable, despite exhaustive efforts.

ORIN: Is it legal to remotely execute a command to crash the club computer?

What if it isn't the weekend, and the library happens to be close by? After an hour of explaining it to a hapless librarian fails, the admin just drives over and unplugs the computer, having the exact same effect. Illegal?

(I realize there are millions of possible "what ifs," but this follows a classic DDOS pattern. I went through a similar experience in which ProtestWarrior was attacked. But in that situation, a university club's computer was hacked to serve as a proxy for a non-DDOS attack. We didn't take any action against the computer, but I'm not sure I could say the same if it had been a DDOS we were dealing with.)
4.14.2007 7:46am