The "Defense of Property" Defense:

I much appreciate Orin's posts on the subject, and I should note again what I noted at the outset — there are quite plausible policy arguments for barring "hacking back" even when it's done to defend property against an ongoing attack, and Orin has expressed some of them in the past. That an action falls generally within the ambit of an existing defense, or is closely analogous to an existing defense, doesn't preclude the conclusion that we should nonetheless bar the action because of special problems associated with it.

Nonetheless, I do disagree with two parts of Orin's analysis. First, it seems to me that the defense-of-property defense has indeed been recognized as part of a general class of common-law defenses — including justifications such as self-defense and defense of others, and excuses such as duress or insanity — that are by default accepted in all jurisdictions, or at least all jurisdictions that have not expressly codified their defenses. (I say "by default"; they may be expressly statutorily precluded, as a few states have done as to insanity.) Robinson's treatise on Criminal Law Defenses describes it well, I think:

Every American jurisdiction recognizes a justification for the defense of property. The principle of the defense of property is analogous to that of all defensive force justifications and may be stated as follows: ... Conduct constituting an offense is justified if:

(1) an aggressor unjustifiably threatens the property of another; and

(2) the actor engages in conduct harmful to the aggressor

(a) when and to the extent necessary to protect the property,

(b) that is reasonable in relation to the harm threatened.

More generally, defense of property, self-defense, and defense of others are generally treated by the law more or less similarly, though subject to the general principle that defense of property will generally not justify the use of lethal force. I have never seen in any case, treatise, or other reference any indication that federal law differs from this, and rejects the notion that defense-of-property is a general default.

I agree with Orin that the defense has been rare. But I suspect that it is rare because defense of property generally doesn't authorize the use of deadly force, and because use of supposedly defensive nondeadly force is less likely to draw a federal prosecutor's attention than the use of supposedly defensive deadly force. The typical nonlethal defense of property scenario — someone says I punched him, and I claim I did this in order to keep him from stealing my briefcase — just isn't likely to end up prosecuted by the local U.S. Attorney's office, even if there's some reason to doubt my side of the story.

Second, Orin points to the Model Penal Code as evidence that "when stated as a defense in federal criminal cases, 'defense of property' seems to mean only defense of physical property from physical access or removal"; and the MPC does define defense of property as limited to "use of force upon or toward the person of another ... to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property ..., [or] to effect an entry or re-entry upon land or to retake tangible movable property" (plus provides for a related but different defense in § 3.10).

But the MPC seems to define defenses in a way that's focused on those crimes that the MPC covers. For instance, the MPC's self-defense provision literally covers only "the use of force upon or toward another person"; it would not cover imminent self-defense as a defense to a charge of being a felon in possession of a firearm (though no such crime is defined by the MPC in the first place). Yet federal law does recognize this. Likewise, state cases recognize self-defense as a defense to the use of force against an animal, when the use would otherwise be illegal (I could find no federal prosecutions involving the question).

Now perhaps the answer is that federal law would reject even self-defense as a defense to non-physical-force crimes, and that the defense in felon-in-possession cases is actually a species of the necessity defense. But if that's true (which isn't clear, since it's not even clear that federal law recognizes a general necessity defense), then one could equally argue for digital self-defense under the rubric of necessity.

Likewise, while Orin brackets § 3.10, that might very well be the defense-of-property provision (though labeled by the MPC under the more general rubric of "justification in property crimes") that an MPC-following federal court might adopt, if it chooses to take a narrow view of the common-law defense-of-property defense. Section 3.10 generally allows "intrusion on or interference with property [when tort law would recognize] a defense of privilege in a civil action based [on the conduct]," unless the relevant criminal statute "deals with the specific situation involved" or a "legislative purpose to exclude the justification claimed otherwise plainly appears." And the common law has generally recognized defense of property as a privilege in civil actions. (See, e.g., Restatement (Second) of Torts § 79, which allows even nonlethal physical force against a person when necessary to terminate the person's intrusion on your possession of chattels. That doesn't literally cover use of nonlethal electronic actions against a computer, but the point of common-law defenses is that they are applicable by analogy; the Restatement is thus a guide, not a detailed code to be followed only according to its literal terms even in novel situations.)

So we have to remember, it seems to me, that the federal law of criminal defenses is common law, borrowing from both the substance of the traditionally recognized common-law defenses, and from the common-law method, which involves reasoning by analogy. The common-law method also allows analogies to be resisted, if the new situation is vastly different from the old; and of course Congress can trump common-law defenses by statute. But the background remains that there's a common-law defense of defense of property (buttressed, where necessary, by the necessity defense, and to the extent one is influenced by the Model Penal Code, by § 3.10's borrowing from the common-law tort defenses), and that there's no reason to think that federal law takes a narrow view of this defense.

OrinKerr:
Eugene,

Can you point me to caselaw that reflects your view that "the federal law of criminal defenses is common law, borrowing from both the substance of the traditionally recognized common-law defenses, and from the common-law method, which involves reasoning by analogy"? I see your view as contrary to the Supreme Court's teachings in both Dixon in 2006 and Oakland Cannabis in 2001. Can you point me to the cases that have informed your different view?
4.13.2007 6:39pm
Bill Poser (mail) (www):
I'm curious about the case in which what one does is not retaliate but terminate the source of the problem. Suppose, for example, that an attacker is using zombies to carry out a distributed denial of service attack and that I have the ability to hack into the zombies and remove them from the attacker's control. This does not damage them, but it would under other circumstances at least constitute unlawful entry.

Here's a comparable case involving tangible property. Suppose that my neighbor leaves the water running in his stoppered sink and goes away for the weekend, and suppose we live in an area in which the ground is not very absorbent, so that eventually the water flows out of his house and threatens to flood mine. Suppose further that his house has no external water shutoff. Am I justified in breaking and entering for the purpose of shutting off the tap so as to prevent damage to my own property? (To make this a matter of federal law, I suppose we have to locate this on a military base, Indian reservation, or national park.)
4.13.2007 6:50pm
OrinKerr:
Eugene,

Here's the passage from the Cannabis Buyers' Cooperative case, on applying the necessity defense to medical marijuana usage. The Court states:
As an initial matter, we note that it is an open question whether federal courts ever have authority to recognize a necessity defense not provided by statute. A necessity defense "traditionally covered the situation where physical forces beyond the actor's control rendered illegal conduct the lesser of two evils." United States v. Bailey, 444 U.S. 394, 410 (1980). Even at common law, the defense of necessity was somewhat controversial. See, e.g., Queen v. Dudley & Stephens, 14 Q. B. 273 (1884). And under our constitutional system, in which federal crimes are defined by statute rather than by common law, see United States v. Hudson, 7 Cranch 32, 34 (1812), it is especially so.
The Court went on to conclude that even if there is a necessity defense, it doesn't apply in that case. As I see it, this passage seems in considerable tension with your view of federal defenses.
4.13.2007 7:38pm
Jake (Guest):
I don't think section 3.10 gets you where you want to go. Tort law is overwhelmingly state law. It makes sense for the MPC to import state law where it fits, since the MPC is supposed to be implemented by state legislatures. It makes less sense for an "MPC-respecting" federal court to import tort law, since it doesn't have any tort law to import. Should the court pick a particular state's tort law, or are we back to the pre-Erie days of a general common law of torts?

Even if the court does import tort defenses, doesn't that just move the question to whether one is liable in tort for digital self-defense? Have any state cases turned on this? The MPC move may put us in a more common law-ish area, but I'm not sure it changes the outcome.
4.13.2007 7:50pm
frankcross (mail):
I don't know the law of the area but suspect that this explains a lot:

I agree with Orin that the defense has been rare. But I suspect that it is rare because defense of property generally doesn't authorize the use of deadly force, and because use of supposedly defensive nondeadly force is less likely to draw a federal prosecutor's attention than the use of supposedly defensive deadly force. The typical nonlethal defense of property scenario -- someone says I punched him, and I claim I did this in order to keep him from stealing my briefcase -- just isn't likely to end up prosecuted by the local U.S. Attorney's office, even if there's some reason to doubt my side of the story.

You can't always discern the state of the law "on the ground" from the published opinions.
4.13.2007 8:06pm
Tom Holsinger (mail):
Shopkeepers in federal territories will be thrilled to learn that they cannot brandish firearms to deter thieves, let alone point those at thieves and order them to stand still until the police arrive, lest they be charged with federal criminal violations.

This looks mighty like the sort of "What if?" abstract theorizing, with common sense carefully excluded, found only in law schools.

Consider limiting this to civil torts.
4.13.2007 8:23pm
OrinKerr:
Frank,

I completely agree that the absence of cases from 99.9% of Congress's statutes doesn't mean the defense doesn't exist in some or all of those statutes. But Dixon calls for an inquiry into what Congress was likely thinking at the time the statute was enacted, which I think makes the absence of cases relevant. My thinking is that the presence or absence of cases is relevant under Dixon as an indicator of the albeit-largely-fictional Congressional intent, not whether the defense actually exists in those other statutes.
4.13.2007 8:24pm
OrinKerr:
Tom,

No one here is arguing the position you are imagining. Both Eugene and I agree that defense of property is available in that context, as courts have held.
4.13.2007 8:26pm
fffff:
Orin, Eugene,

There's a simpler, vastly more entertaining way to resolve this conundrum. Thunderdrome: two law professors enter, one law professor leaves.
4.13.2007 9:47pm
Eugene Volokh (www):
More entertaining for you, maybe.
4.13.2007 10:29pm
fffff:
Well, duh -- it IS a service economy, after all.
4.13.2007 10:48pm
k parker (mail):
subject to the general principle that defense of property will generally allow the use of lethal force
Eugene, isn't there a "NOT" missing from this sentence? [EV: D'oh! Thanks, fixed it.]
4.13.2007 11:18pm
Tom Holsinger (mail):
My court had a manslaughter jury trial involving the defense of property issue which was resolved when I pointed out the related "defense of another" doctrine. Lethal force can be used in defense of another, just as it can in self-defense.

A retired sheriff's deputy operated a motorcycle shop which had a wide clientele, including doctors, lawyers and a judge. His son was operating it when two dangerous looking dudes came in and seemed to be casing it. He called his father and told him of this, and was ordered to call 911 immediately. The father rushed to the store and walked in just as one of the two seemed to be pulling a weapon.

The proprietor pulled his own gun and yelled "Freeze!", but the dude kept pulling and was promptly shot and killed. Then the proprietor put his gun on the other guy and told him to "Freeze!", which order was obeyed. Then local law enforcement arrived. The recently deceased was found to be indeed holding a gun in his rapidly cooling hand, and blood tests showed he was tanked out of what little mind he had by methamphetamines. The survivor admitted that a robbery had been planned.

The local DA, now retired, ordered that the storeowner be prosecuted for manslaughter. The reasoning was that he, as a retired officer, had a duty not to shoot until the perpetrator's gun had clearly appeared, and that the doctrine of defense of property did not apply.

I have minimal criminal law experience. But I was at Hastings during Larry Eldredge's last year there, and remembered the defense of another doctrine from his Trials of a Philadelphia Lawyer - its anecdote mentioned a black serviceman winning acquittal after knifing several men to death who had attacked a friend.

So, upon discovering the trial of this retired officer in progress in a law & motion department I was covering, I asked the judge if the defense of another doctrine had been raised concerning the defendant's fear that his son might be killed by the armed robbers. It hadn't, so I did some quick research on it and got off a memo to the judge with a copy of the pertinent jury instruction. He then raised the issue in conference, and the defense counsel, Kirk McAllister of Modesto, California, won the jury with it.
4.14.2007 1:27am
Fub:
Tom Holsinger wrote:
The local DA, now retired, ordered that the storeowner be prosecuted for manslaughter. The reasoning was that he, as a retired officer, had a duty not to shoot until the perpetrator's gun had clearly appeared, ...
What is the California case or statutory authority for a special duty for retired peace officers?
4.14.2007 1:56am
Tom Holsinger (mail):
Fub,

There isn't any. This was prosecutor discretion, exercised to punish this shopowner for using a gun in defense of his property, and to deter others from doing so.

We'll never know if the DA would have prosecuted given knowledge of the defense of another doctrine, because the experienced criminal defense attorney as well as the elected and deputy DA's had never thought of the possibility that the defendant might have been protecting his son. Until I pointed it out.
4.14.2007 2:07am
Fub:
Tom Holsinger wrote:
There isn't any. This was prosecutor discretion, exercised to punish this shopowner for using a gun in defense of his property, and to deter others from doing so.
Thanks! I was beginning to wonder if I'd slipped a cog, as I couldn't recall ever hearing of such a special duty.

Going out of your way to point out the defense to the trial court is a level of professionalism to which all should aspire.
4.14.2007 5:48am
18 USC 1030 (mail):
I don't see the utility in attempting to "hack back." I have some knowledge of Computer Crime law (could explain the handle) and whether the defense exists, from a practical standpoint I'd say forget it. The reason defense of property exists for the store operator, or the guy stealing a truck is that there is an immediate physical threat. The threat cannot be terminated by the owner doing something, other than fight back. For computer attacks, the owner can take many courses of action which would be much more productive.

First of all, if this was an attack to the degree that it'd be worth doing something, chances are systems would be facing SERIOUSLY diminished resources. Those resources better be used to protect data, protect the systems, end the attack, figure out what happened, and preserve evidence. Hacking back does not assist in any of these goals, except maybe stopping the attack. However, I'd argue stopping the attack is NOT the most important step--protecting information is. No matter the attack, if an admin is nearby, it can be easily stopped.

Even if it is a DDOS, a firewall rule can be set up to kill the packets. Firewalls do not have to be set up to block ip addresses, they can be set up to block types of packets. Presumably, one would be able to use the attacking packets to form a rule to stop the attack. If the attack was bad enough, one could pull the system offline. Sure, at first glance, no admin wants to take this suggestion to his boss--especially if you are an admin for Amazon. But, this may be the best way to prevent the least amount of damage. Then use a dedicated box to figure out where the attack is originating, do a whois, and start contacting Service Providers.

There is also a huge difference in the time and effort necessary for the shopkeeper from pulling a gun from behind the counter and ordering the would-be shop thief to the ground and the network admin creating a counter attack. I'd much rather be ensuring my data integrity and stopping an attack than trying to start a counter attack.

I am not saying one should, before using force to protect property, make sure he has no other options. But, for this situation, no property is really in danger.
4.14.2007 9:22am
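The "use the attacking packets to form a rule" step from the comment above, worked through as an added example that is not part of the original thread: it picks the smallest set of header fields that covers most of the attack-window traffic while matching almost none of the normal traffic, then renders it as an iptables drop rule. The packet records, thresholds and function names are constructed for illustration; the source address is deliberately not a candidate field.

```python
from collections import Counter
from itertools import combinations

# Header fields a filter can match on; the source address is left out on purpose.
FIELDS = ("proto", "dport", "length", "ttl")


def pkt(proto, dport, length, ttl, src):
    return {"proto": proto, "dport": dport, "length": length, "ttl": ttl, "src": src}


# Constructed sample data, not a real capture.
# Normal traffic: HTTPS packets of varying size plus small DNS queries.
BASELINE = (
    [pkt("tcp", 443, 52 + 40 * (i % 30), 50 + i % 9, f"198.51.100.{i % 50}") for i in range(300)]
    + [pkt("udp", 53, 70 + i % 40, 55 + i % 6, f"203.0.113.{i % 20}") for i in range(100)]
)
# Flood: fixed-size UDP datagrams to port 53 arriving from thousands of sources.
FLOOD = [pkt("udp", 53, 1052, 40 + i % 20, f"100.64.{i // 250}.{i % 250}") for i in range(4000)]
ATTACK_WINDOW = BASELINE + FLOOD


def matches(p, sig):
    return all(p[f] == v for f, v in sig.items())


def share(packets, sig):
    """Fraction of packets that the signature would drop."""
    return sum(matches(p, sig) for p in packets) / len(packets)


def derive_signature(window, baseline, min_window_share=0.5, max_baseline_share=0.001):
    """Return (signature, window_share, baseline_share) or None.

    Tries one-field signatures first, then two fields, and so on, so the
    result is the most general rule that still spares normal traffic.
    """
    for size in range(1, len(FIELDS) + 1):
        best = None
        for fields in combinations(FIELDS, size):
            counts = Counter(tuple(p[f] for f in fields) for p in window)
            for values, n in counts.items():
                w = n / len(window)
                if w < min_window_share:
                    continue  # not dominant enough to be the flood
                sig = dict(zip(fields, values))
                b = share(baseline, sig)  # collateral damage on normal traffic
                if b <= max_baseline_share and (best is None or w > best[1]):
                    best = (sig, w, b)
        if best:
            return best
    return None


def to_iptables(sig, chain="INPUT"):
    """Render a signature as an iptables rule that matches packet type, not address."""
    if "dport" in sig and "proto" not in sig:
        raise ValueError("--dport needs a protocol (-p tcp/udp) in the same rule")
    parts = ["iptables", "-A", chain]
    if "proto" in sig:
        parts += ["-p", sig["proto"]]
    if "dport" in sig:
        parts += ["--dport", str(sig["dport"])]
    if "length" in sig:
        parts += ["-m", "length", "--length", str(sig["length"])]
    if "ttl" in sig:
        parts += ["-m", "ttl", "--ttl-eq", str(sig["ttl"])]
    return " ".join(parts + ["-j", "DROP"])


def report(window, baseline):
    found = derive_signature(window, baseline)
    if found is None:
        return None  # nothing dominant that is also absent from normal traffic
    sig, w, b = found
    hits = [p for p in window if matches(p, sig)]
    return {
        "signature": sig,
        "window_share": w,
        "baseline_share": b,
        # How many per-address rules the same coverage would have needed.
        "distinct_sources": len({p["src"] for p in hits}),
        "rule": to_iptables(sig),
    }


if __name__ == "__main__":
    for key, value in report(ATTACK_WINDOW, BASELINE).items():
        print(f"{key}: {value}")
```

On this sample, protocol or port alone is rejected because it would also drop a quarter of normal traffic, and packet length alone is rejected because some HTTPS packets share it. A host-side rule like this protects only the machine itself; when the uplink is saturated, as in the case raised in the reply that follows, the same signature has to be applied upstream by the provider.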
Fub:
18 USC 1030 wrote at 4.14.2007 8:22am:
No matter the attack, if an admin is nearby, it can be easily stopped.

Even if it is a DDOS, a firewall rule can be set up to kill the packets. Firewalls do not have to be set up to block ip addresses, they can be set up to block types of packets. Presumably, one would be able to use the attacking packets to form a rule to stop the attack. If the attack was bad enough, one could pull the system offline. Sure, at first glance, no admin wants to take this suggestion to his boss--especially if you are an admin for Amazon. But, this may be the best way to prevent the least amount of damage. Then use a dedicated box to figure out where the attack is originating, do a whois, and start contacting Service Providers.
While that may be true for domestic script kiddie attackers, the situation is very different if an experienced extortionist in Eastern Europe with a five figure botnet is flooding your pipe with several gigabytes per minute. This article describes how such an attack was overcome a few years ago. It wasn't easy, cheap or fast. A Slashdot discussion of the article is here.
4.14.2007 12:41pm
18 USC 1030 (mail):
Fub,

First of all, this is not a regular attack. Most attacks are not brought with extortion and communication from the attacker. With that said, I'm sorry, I am going to have to disagree with the way in which they handled it. First of all, their security was less than great. You cannot expect off the shelf products to secure a system that people want to attack. Prevention is the best bet. Also, the better your prevention, the better the chance you will have to stop an attack in progress.

Second, they contacted their ISP and admittedly didn't give much credibility to threat. A definite no-no in info.sec. Even after the attack started, they attempted to get their own ISP to assist--yet there is no mention of attempting to determine who the attacker was, and trying to get them shut down. It was days before they attempted the attack back approach, and from the looks of it, they lost a lot of money anyway.

Especially since they had communications from the attackers, they should have been trying to locate the attacker and get it stopped. I understand the reasons why a company may not want to involve LE, but in this case they absolutely should have. Those emails could have been traced. Would it have been difficult? Absolutely. But it could be done, and they could have gotten the attacker's ISP shut down.

Just because there IS a way to do something, doesn't mean that it should or is legal to be done that way. I know one has the ability to fight back, but it seems to me there are other (read better) solutions. Of course it also depends on what kind of system you are protecting. I was thinking more a data-bank rather than disrupting E-Commerce, but vigilantism is rarely the most efficient solution.
4.14.2007 1:26pm
gasman (mail):
The inability to use deadly force can lead to some odd scenarios. A police officer draws on a man leaving an electronics store through a smashed window. The thief knows that deadly force cannot be used for a property crime, raises his hands (holding the stolen goods) and slowly backs away in a non-threatening manner, ignoring the officer's command to stop; a bizarre slow speed foot chase/standoff ensues.
As a society interested in maintaining the rule of law how can we tolerate such a situation? Is the officer really supposed to holster his weapon so that he can increase the danger to himself attempting to effect physical restraint? The purpose of arming our police is so that they have an advantage over many criminals (who too might be armed, but are usually less adept at weapons usage).
If we want to live like the Europeans, where property theft is rampant, criminals are rarely caught, if caught, rarely suffer significant penalty, then this is the way to go. Theft of my property is an incredible invasion of my privacy, right to ownership, and sense of security. I damn well expect the police to use all necessary force, including lethal force, in protecting my property. And if the police are unavailable, then I'm sure he was lunging toward me, reaching for a weapon, and swinging whatever was in his hands.
If we allow property crime to be a risk free career then we must expect much more of it in the future.
4.14.2007 1:55pm
logicnazi (mail) (www):



gasman: Yes. I would much prefer to let criminals go (until tracked down) in the extremely rare situation (no partner, no backup, lawyer criminal with faith in police ethics) you describe than to institute a death penalty for stealing a car stereo. Or even worse giving the police great discretion in who to kill. Especially given the possibility for error (say you have a deaf thief).

What's the justification for making property crime special? Why not let the police shoot the individual they find deleting child porn, shredding evidence or refusing to comply with lawful police orders? Even if for some reason you restrict the rule to just ongoing thefts this still gives the police a troublingly broad discretion about when to use potentially lethal force. Discretion which, like many split second decisions, will likely be influenced by racial prejudices and cultural stereotypes.

Not only would this sort of discretion result in the deaths of more criminals (plus any mistakes) it would radically increase the resentment of the police in poor and minority communities which in turn would stunt the ability of the police to catch criminals. Also more police will be killed by people (reasonably) angry that their brother was shot to save a TV.

Ultimately balancing the badness of a crime against the severity of the punishment and the powers we give law enforcement to catch the bad guy is at the heart of making a legal system. We pay people to be in a professional police force exactly so they will take risks to enforce the laws in a professional and humane fashion. Of course this means the police must take greater risks, if we didn't demand they behave humanely we could do away with undercover agents and simply pick up a low level mobster/drug cartel member and torture them until they gave us the information we want.

I don't know why I spent so many electrons replying to this absurd suggestion (unless of course it was very subtle sarcasm about taking property rights too seriously). I mean the fact that we don't let police behave this way now and never did and our crime rate isn't as high as Europe's immediately shows your argument to be invalid.
4.14.2007 3:07pm
Fub:
18 USC 1030 wrote at 4.14.2007 12:26pm:
First of all, this is not a regular attack. Most attacks are not brought with extortion and communication from the attacker.
Agreed that most are not, but many apparently are. From the first page of the article:
Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatened with online extortion; in one survey by Carnegie Mellon University researchers, 17 out of 100 small and midsize businesses reported being targeted. Interviews with security consultants and industry players suggest that as many as three out of four cases of online extortion are never reported.
18 USC 1030 wrote:
It was days before they attempted the attack back approach, and from the looks of it, they lost a lot of money anyway.
I'm not sure what you mean by "attempted the attack back approach". It appears to me that they just rented a bigger pipe in another geographical location and developed infrastructure capable of handling and selectively dropping the attack packets.

18 USC 1030 wrote:

Especially since they had communications from the attackers, they should have been trying to locate the attacker and get it stopped. I understand the reasons why a company may not want to involve LE, but in this case they absolutely should have.
When they initially contacted LE, after the first "demonstration" attack, LE advised them to pay the extortionist. They did. It didn't really help. The attacks continued after a brief interlude, and LE couldn't trace the attacker even with a controlled payment drop.

As to trying to locate the attackers, they maintained contact with the extortionist through ICQ, logged and traced them, and identified the attacker to LE.

Three things seem apparent in the article:

First, the attackee definitely was not prepared for such attacks before they occurred.

Second, LE couldn't locate the extortionist even after the attackee made payments to the extortionist at LE's request. Only after the attackee did LE's work for them by tracking down the extortionist, did LE apparently do anything useful.

Third, the attackee didn't "attack back", but quickly built infrastructure capable of absorbing the attacks.

I agree that most attacks are probably less sophisticated and/or less intense, and many may just be done to probe a site's vulnerabilities. But it also seems reasonable to conclude that LE would have even less interest in those.

The question for anyone subject to a digital attack becomes analogous to the old gun self defense question: Would I rather take my chances of being judged by twelve or almost certainly be carried by six?
4.14.2007 3:23pm
Fub:
logicnazi replied to gasman at 4.14.2007 2:07pm:
I don't know why I spent so many electrons replying to this absurd suggestion (unless of course it was very subtle sarcasm about taking property rights too seriously). I mean the fact that we don't let police behave this way now and never did and our crime rate isn't as high as Europe's immediately shows your argument to be invalid.
Is there a readily available source for the per capita theft rates in comparable USA and European SMSAs or equivalents? Some reasonably reliable numbers might shed some light on the discussion.
4.14.2007 3:38pm
logicnazi (mail) (www):
Back to the real topic:

Eugene,

I'm a bit worried about what property is supposedly being defended. Most computer attacks that seem to be under consideration aren't even going to destroy any data on your computer. They will merely interfere with your communication or overload your processor so it will be too busy to do anything else (DOS attacks). Even if it deletes data on your hard drive it is going to be a stretch to count this as defense of property.

Exactly what property is being defended? Is it intellectual property? If so that would be very problematic. Surely you don't believe that the RIAA can raid any home its investigations on BitTorrent suggest is violating their copyright and receive the protection of the property-defense rule.

The situation becomes clearly problematic for your position if all the hacker is doing to you is denying you use of your Internet connection by saturating it with bandwidth. Nothing at all is stolen or damaged when your bandwidth is saturated. I believe the only reason this sort of DOS attack is even a crime is because of various statutes Congress has passed, i.e., the 'abuse' part of the act. Since no property will be harmed if the attack continues clearly the defense of property rule can't come into play. In any case I think you need be more explicit about what property is being defended.

In short the physical property analogy seems flawed in this situation. I think a better analogy is someone trying to talk on their cell phone in their back yard (reception) only to have their neighbor play (illegally) loud music to prevent them from hearing. While this surely interferes with the person's ability to enjoy their property and may even cost them a massive amount of money (the call is a job interview) surely this situation is not included in the property defense rule.

This analogy can even be extended to the computer hacking attack (data deletion) as well. Suppose the town in question also has a law against lights being too bright or being flashed on and off in an annoying fashion. In the evening you are out with your friends in the back yard and are attempting to take photos. However, your evil neighbor has set up a system that detects the flash of your camera and responds with its own, overwhelmingly strong, burst of light washing out all of your pictures. In this case data has actually been lost (photo content) but surely it doesn't qualify under the property defense rule.
4.14.2007 3:49pm
18 USC 1030 (mail):
Fub

This is a case of bad cases make bad law. Just because you think it's necessary to do something, does not make it legal to do it--nor does it mean that the acts should be legal. Consider Regina v. Dudley and Stephens.
4.14.2007 4:00pm
Fub:
18 USC 1030 wrote at 4.14.2007 3:00pm:
This is a case of bad cases make bad law. Just because you think it's necessary to do something, does not make it legal to do it--nor does it mean that the acts should be legal. Consider Regina v. Dudley and Stephens.
I don't understand your comment. I cited a description of a DDOS attack in which the target:

1. Suffered serious economic damage.
2. Successfully discouraged the attacker extortionist by entirely legal means of changing infrastructure to weather the traffic.
3. Tracked down the extortionist by entirely legal means.
4. Cooperated with law enforcement agencies, and in fact did their work (ferreting out and identifying the attacker) for them.

On this basis you seem to suggest that I think retaliatory cyberattack is legal. I merely pointed out the obvious dilemma for the target, by analogy to the old gun rights advocates' point: would you rather be judged by twelve or carried by six? That is all I said.

Do I think retaliatory attack should be legal? That depends on the circumstance. Do I think it is legal? No.

But the lifeboat case you cite is wholly inapposite on the facts. Parker was not attacking Dudley and Stephens.
4.14.2007 5:49pm
anotherbob (mail):
logicnazi 4.14.2007 2:49pm
In short the physical property analogy seems flawed in this situation. I think a better analogy is someone trying to talk on their cell phone in their back yard (reception) only to have their neighbor play (illegally) loud music to prevent them from hearing.
A cell phone is so dissimilar to an Internet service that your analogy can't be intended seriously.

What could be under attack? Well, use and access to the physical property, intellectual property, private information (such as customers' home addresses, CC#'s, etc), the right to express oneself. The physical property could be at risk under limited circumstances -- perhaps a power grid coming under attack. Probably a few other things that don't immediately come to mind.

"Exactly what property is being defended?" If none of the above qualifies, then no crime is being committed. But the law disagrees.

If defense of physical property allows for offensive physical actions, then your demand is for a special exception that disallows offensive Internet-based responses to attacks that are carried out over the Internet. Obvious question: why would you consider it reasonable to impose that unique disadvantage on Internet-accessible systems?

Perhaps new laws are necessary. It is a situation that's not quite like what we've had to deal with before. Obviously, we don't want any of the undoubtedly imaginative worst-case scenarios you could imagine.

Do you believe that there are no circumstances in which a site could be reasonably defended through counter-attack?
4.14.2007 5:52pm
anotherbob (mail):
Fub 4.14.2007 4:49pm
Do I think retaliatory attack should be legal? That depends on the circumstance. Do I think it is legal? No.

By retaliatory, do you mean to halt an attack, or to exact revenge for an attack that's already been ended? If the first, I agree that it should be legal in some circumstances.

Let's say a library's computer is compromised. It's intended to provide Internet access to patrons. The computer is then used to remotely direct a DDOS against joeblow.com during Easter weekend.

Joe Blow analyzes the offender packets and identifies the coordinating library machine. He nmaps the machine and discovers the same flaw the hackers used to turn it against him. He can immediately end the attack by exploiting that flaw to crash the library computer (render it inaccessible to the intruders).

I believe it should be legal for him to do so.

There are many reasons that it shouldn't always be legal to do so. But should it always be illegal? I don't believe so.
4.14.2007 6:07pm
dick thompson (mail):
Logicnazi,

Most of the attacks by computer I have heard of are for the purpose of ID theft, whether it be of SSN or credit card info or other info. Jamming the system is also used but the theft of ID is far more prevalent. I think that taking action against whoever is trying to steal your ID is or should be allowable in every case. All you have to do is think of what the theft of your ID could result in, whether you know of it or worse if you don't know of it. Imagine having to replace your passport, credit card, and all your ID with new numbers. Then imagine having to replace this info where you had it placed before and do it in such a timely fashion that it does not result in a denial of service. Jamming the system is piddling by comparison.
4.14.2007 9:57pm
Fub:
anotherbob wrote at 4.14.2007 5:07pm:
By retaliatory, do you mean to halt an attack, ...
Yes. To disable the attacker, which often means disabling the attacker's weapon, regardless of the weapon's actual owner.

My choice of words, "retaliatory", was lousy. I should have written "responsive" or "defensive".
4.14.2007 10:33pm
Fub:
dick thompson wrote at 4.14.2007 8:57pm:
Logicnazi,

Most of the attacks by computer I have heard of are for the purpose of ID theft, whether it be of SSN or credit card info or other info.
I'm not Logicnazi and I don't speak for him, but I will add that some of the more common purposes for attacks are attempts to hijack mail servers for use by spammers, and attempts to hijack general purpose home computers for use in botnets (which are often used as mailservers for spam, as well as for further DDOS attacks or probes).
4.14.2007 10:56pm
logicnazi (mail) (www):
dick thompson,

Well actually many computer attacks are either to shut down a site out of pure maliciousness (how it started) and more often now to blackmail businesses into paying protection. For instance they will flood an internet gambling site with traffic so its customers can't get through and then demand a payment to stop. When talking about 'hacking back' these were the primary examples that came up and are the only plausible ones where it really is the best defense. If you are only worried about someone hacking in and stealing records then hacking back is pretty much never the best defense. You are a lot better off pulling the plug on the server or, if you can't do that, shutting down whatever access you think the hacker is using than trying to hack back while leaving him to root around on your system (if he goes away you are no longer defending against an imminent attack).

anotherbob, dick thompson:

The question is not whether computer crime is bad or causes bad effects. The question is whether it is property that is being defended. For instance blackmail is very bad and illegal yet breaking into the blackmailer's house to retrieve the incriminating information that the blackmailer legitimately owns is not defense of property because it was your reputation not your property that you are defending.

The rule is not defense against bad acts but defense of property. The objection I have is that I don't believe there is any sufficiently broad way to define property so that it will work in this situation and will not cause problems throughout the rest of the law, e.g., counting IP as property for this purpose would both be a divergence from the common law rule (IP is a legislatively created right not a basic common law premise) and allow things like private raids by the RIAA to stop suspect file sharers.

The question is not about what I believe is the correct policy. Maybe Congress should create a special exemption here. The question is what the correct interpretation of the existing law is.
4.16.2007 6:38pm
anotherbob (mail):
logicnazi,

My knowledge is in computer security, not the law. So please accept my earnest apologies for the abundant ignorance undoubtedly displayed throughout my posts. I can't speak to what the law is, and I agree that the primary question is one of what the law is, not what it should be. I tried to acknowledge that in my earlier post and perhaps failed in the effort.


That said, I think your RIAA analogy is inappropriate. It suggests a physical raid, which has some similarity to an electronic counter-intrusion, but is different enough that I think it stretches the analogy beyond reason. More importantly, the raid you're proposing is aimed not at defending against a theft of intellectual property, but at recovering it after it's already been stolen. That just isn't a defense. Finally, it still only addresses IP, and I don't believe it's been agreed that IP is the only property in question.


Does the law consider private customer information to be nothing more than intellectual property? Names, addresses, CC information, etc? Is defense of this information limited in the same way that defense of IP would be?

Would the server qualify as property? It is physical, and whether the physical item is damaged, a hacker is still attacking it. (Similarly, use of an electronic device to thwart a home's security might cause no physical damage, but the attempted intrusion is still genuine.) If physical damage could be effected, is it then defense of property?

Do the pipelines to the server qualify as property? If not, it seems reasonable to say that a DDOS (that takes up the bandwidth) qualifies as denying access to the server. Sure, you could say that electronic denial of access doesn't equate to denial of physical access. But if the server is 500 miles away, it limits the only available means of access.

Further, if that server manages property -- store software that handles customer transactions -- wouldn't defense of that property qualify?

It seems like there are a number of means by which you could argue defense of property. Obviously, I don't know whether any of these qualifies.


On a tactical note, it's very rare that an admin will be able to glean the motives of the attacker with enough certainty that he can reasonably rule out a motive like theft. A blackmail notice identifying a different motive doesn't help. The attacker could be lying to obscure his true motives. No motive, especially theft of data, can be safely excluded while an attack is in progress. Per your argument, the only reasonable defense is to shut down.

I'll give you a few reasons why it is often a very bad idea to shut down in response to an attack.

First, shutting down isn't cost-free. You may break a link in a larger management or production environment that causes extensive losses. Shutting down a student reservation system could result in all sorts of nightmares for students and classes. Shutting down ticket booking could send a small airline into bankruptcy. Shutting down a server that manages a power grid? Oh boy.

Second, shutting down sends most attackers into scram mode. As soon as an attacker believes he's been thwarted or successful, he will start deleting traces of his attack from secondary machines. I can count a specific instance in which a very paranoid hacker would have gotten away if he'd realized he was detected. (In that case, he was convicted and is in prison right now.)

Third, attack patterns will be cut short if the first response is to shut down. It may be impossible to determine how a hack is being perpetrated if the immediate response is to shut down. Security doesn't stop once an intrusion is detected, but continues through forensic investigation.

Finally, if the attacker's goal is to cause the site to shut down, you're guaranteeing future attacks by doing just that. Talk about sending a bad message.


That said, I can't imagine many circumstances in which hacking back would be a good idea. Most often, the only effect of hacking back would be felt by innocent third parties whose machines were compromised by the hacker. In fact, it's not at all unheard of for an attacker to try to implicate a third party in order to cause the initial victim to target a second intended victim.

Still, if "pulling the plug" can help to thwart an attack, I'd rather it be the attacker's plug I was pulling.
4.17.2007 1:44am