Hacker vs. Counter-Hacker — a Legal Debate 182

Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:
  • Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
  • Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"

  • Retaliation (Score:5, Interesting)

    by Anonymous Coward on Sunday November 18, 2012 @03:24PM (#42021049)

    Is there any way to know if you're retaliating against the correct target?

    • Is there any way to know if you're retaliating against the correct target?

      Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

      Considering many botnets are state run (think WikiLeaks take-downs), I'd venture that the official answer will always be "No, do not investigate [our possible] botnet activity"

      • Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

        If going into another's system is intruding on someone's privacy (regardless if it's a "guilty" party) it is not investigation without impact.

      • Is there any way to know if you're retaliating against the correct target?

        Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

        That depends. Are you only looking?

    • This concern is one of the fundamental issues to consider in discussing philosophy of "violence". Another is what degree of force is appropriate.

      Thinking on these things and recognizing that people make mistakes in both action and perception, and that people often have a tendency to perceive malice from others, it seems that there's a positive bias for violence. That is, "violence begets violence".

      Similarly to how servers on the net should be conservative in what they do, liberal in what they accept [], and

    • Re:Retaliation (Score:4, Interesting)

      by utkonos ( 2104836 ) on Sunday November 18, 2012 @08:35PM (#42023043)
      10 times out of 10, if you hack into the system where the attack is coming from, you will be hacking into a system owned by an innocent third party that was also hacked. You are then violating that party a second time. Let's take a more concerning scenario: You discover an attack that is originating from a competitor. You hack back into their system. This situation can only end badly. First, if they were responsible you have now spoiled evidence. Second, if they are not responsible and were also hacked as a jumping off point, you now have hacked into a competitor's system and compromised them. You should now have to pay damages because they have no way to tell that you didn't steal their corporate secrets while you were there in their system.
    • Better question, does "correct target" have any meaning when the jury has not yet convicted anyone of hacking you?

      As far as I am aware, most first world countries' legal systems do not allow the offended party to act as judge and jury.

  • Vigilante Justice (Score:5, Interesting)

    by Anonymous Coward on Sunday November 18, 2012 @03:27PM (#42021085)

    Is vigilante justice legal? No. Is self defense legal? Yes. What is what? Depends on the judge.

    • by hobarrera ( 2008506 ) on Sunday November 18, 2012 @07:36PM (#42022645) Homepage

      This isn't really self defense; your actions didn't PREVENT harm from occurring to you, this was rather vendetta: he did X to me, I did it back.
      I don't think this should be legal, because it could escalate into cyber-wars. Much like you can't steal something that was stolen from you in the first place - you can't take justice into your own hands.

      • If the retaliation occurs after the fact, this is correct; however, if the retaliation occurs while the instigating attack is ongoing, you are preventing [further] harm by putting an end to the offending party's ability to attack. That's textbook self defense [which does allow for use of nonlethal force and destruction of the means used to carry out the attack in cases where one is defending their property].
        • Yes, but closing the port is enough to stop him.
          This is akin to shooting someone's head off, when you notice he's walking towards an open window - closing the window would have been enough.

          • So if I'm hosting a service for others (who are authorized) to access, please explain how closing the port is an option?
            • In retrospect, I realize the above reply might not make my point effectively. Let's roleplay:

              I'm hacking Slashdot's servers right now. I'm doing so by exploiting the HTTPd they are using. Let's just have them close port 80 to stop me, right? If that was the correct and reasonable response, I could take out half the internet in a day.
          • by AmiMoJo ( 196126 ) *

            Depends. If they are DDOS'ing your connection by sheer volume of traffic, merely closing the port will do nothing. That data is still going to come down your pipe and choke your connection, even if your firewall drops the packets.

            You also have to consider that closing the port might be expensive for you. What if it is running some vital service your company needs, like email?

  • by ryanmc1 ( 682957 ) on Sunday November 18, 2012 @03:28PM (#42021093) Homepage
    Just change it to this
    "If your house has been robbed, is it legal for you to break into the other person's house and steal your stuff back?"
    • Just change it to this
      "If your house has been robbed, is it legal for you to break into the other person's house and steal your stuff back?"

      Doesn't help; that's not a simple question either. The answer is sometimes and in some places yes, other times and in other places no.

      Personally I'm all for self-help because the courts are useless for actual redress of small grievances; by the time you've gotten through the process, you'll have cost yourself more than letting the issue pass, and likely have lost anywa

    • A question of legality depends heavily on the location, time, and far more other circumstances... let's reduce it to morality, instead.

      On the one hand, you have "an eye for an eye", where it's allowed to return in kind any grievance, such as a hack's damage to one's reputation and possible loss of control over one's identity. On the other hand, you have "two wrongs don't make a right", where it's best to let society's authorities deal appropriate punishments to serve justice, and everyone leaves unhappy, bu

      • by Fnord666 ( 889225 ) on Sunday November 18, 2012 @05:36PM (#42021963) Journal

        Throwing a computer into the mix and using new words doesn't change the underlying philosophical debate, and certainly won't ever bring it to an end.

        True, but apparently it does mean that I can patent it!

    • by Bengie ( 1121981 )
      A house is just property, a computer can be a proxy of one's self and actually do actions on your behalf. It's more like a person attacking you and fighting back at that person than someone breaking into your house then you breaking into their house.
    • "If your house has been robbed, is it legal for you to break into the other person's house and steal your stuff back?"

      As long as you do not cause damage, it is probably not a criminal offence under English law; it is more likely to amount to trespass, which is a tort. If the thief wishes to sue you, he/she is welcome, and I doubt a court would look favourably on it.

    • Oooh! Analogy refinement! I like this!

      Here's my first improvement:

      "If you detect someone robbing your home, is it legal for you to follow them back to where they came from and place a bad-luck curse on that residence/business that causes all kinds of things there to go wrong?"

      [assuming such curses are possible]

      • by AK Marc ( 707885 )
        If someone is breaking into your house and you see their car parked outside, and it's otherwise illegal to place a GPS transmitter on someone else's car, can you place a GPS transmitter on their car to help determine their identity and contact information so you can help enforcement against them?
    • by Zadaz ( 950521 )

      An alternate analogy with a completely different answer:

      If you're being physically attacked, is it legal for you to use physical force to defend yourself?

      (Or should you only be allowed to use purely defensive measures and call the cops, who will do nothing.)

  • I look at it as using "reasonable force" to end an attack. If someone is hacking your computer, you have the right to get in there and mess up their computer, to protect yours.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      That's not reasonable force when the alternative is to block the act through some other non-aggressive means. And as the AC poster above suggests, you don't know you are retaliating against the correct target.

    • by AK Marc ( 707885 )
      You can end the attack at any time by pulling the plug on your computer (Ethernet or power, either works). So attacking someone else is not required to end the attack.
      • This is too extreme. That's like saying "I can prevent people from stealing my golden watch by leaving it at home".
        Closing the appropriate ports may be saner.

      • And when you come back online? You need to make them stop or, well, they're not gonna stop.
    • Closing the port they're using to access your computer(s) is way easier. Attacking them is actually aggressive.

  • by russotto ( 537200 ) on Sunday November 18, 2012 @03:30PM (#42021119) Journal

    How can I possibly be responsible if conflicting botnets are duking it out through my thoroughly pwned computer? That's my story and I'm sticking to it.

  • Moral? An argument could be made.

  • by dcollins117 ( 1267462 ) on Sunday November 18, 2012 @04:01PM (#42021363)

    "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated?"

    Heavens, no. It is not. Next question.

  • by Animats ( 122034 ) on Sunday November 18, 2012 @04:16PM (#42021475) Homepage

    The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.

    In almost all modern online attacks, the immediate source of the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do.

  • If someone steals your car and drives it to land they own, do you have the right to trespass onto it to get your car back? If you see them driving it away in a tow truck, do you have the right to shoot out the tires of the tow truck if you can do so without causing losses to third parties? Do you have the right to shoot the driver of the tow truck? If the car thief is driving your car away, do you have the right to shoot out the tires if it won't damage third parties? Do you have the right to shoot the d

    • If someone steals your car and drives it to land they own, do you have the right to trespass onto it to get your car back?

      Perhaps a fussy point but, if you have a right to be on the land, you cannot be trespassing. Even if you did trespass on the land, what is the likelihood of a court finding that you were trespassing and, even if it did, what would the likely measure of damages be?

      • ok. If you force a gate to recover your illegally taken vehicle, you could be done for trespass, which would be mitigated by your intent to recover "your" property. I used quotes because you don't actually own that vehicle, the DVLA does (in the UK). When you register that vehicle, you get a form back (registration document) describing the vehicle, and describing you as the "REGISTERED KEEPER". You do not own the vehicle, you just signed over title and ownership to a corporation; you are responsible for mak

        • Even if you force the gate, it is not trespass. They invited you onto their property by acquiring and stowing your property on it without your permission. In order to recover your property, you obviously have to gain entry to that property.
          • sorry, you are incorrect; it is trespass. That your property is on their land is incidental but may be a mitigation.

            • Well, I wasn't speaking from a legal perspective. From a legal perspective of course it is trespass because you are a normal law abiding citizen and they would much rather arrest you for a crime than the possibly armed bad guy who stole your stuff. But from a moral perspective, it is definitely justified to thwart whatever barriers they have put up between you and your property.
        • For a trespass claim to work there HAS TO BE a PHYSICAL barrier to entry.

          That's not my recollection of things, but I can't find anything to help either way — do you happen to have a link / citation?

    • That's when you flag down the nearest Disco Car and explain things quickly then they can have more Disco Cars help as needed so the guy can be fitted for nice Shiny Bracelets.

  • by bistromath007 ( 1253428 ) on Sunday November 18, 2012 @04:33PM (#42021621)
    Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense. Leaving aside that no judge is going to accept that hacking is violence without legislative action that will never happen, the normal standards of self-defense could still never apply. Given that you can't know you've been hacked until after it's done, it would instead be retaliatory, which is naughty.

    Some people above are debating whether stealing stolen stuff is a crime. The answer is: it's not stealing. That is still your stuff. If somebody grabs your shit right off your person, that's also assault, so you're free to tackle them to get it back. If they steal it off a table or something, you might have more of a problem; you're still not stealing, but depending on where you live and whether the prosecutor's got a bug up his ass, using force to retrieve your stuff might get you in trouble. Same for carjacking your stolen car, and if you don't somehow do it the same time it happens to you, I imagine using a gun like that would at least get you arrested anywhere, in court anywhere but Texas, and convicted anywhere north of the Mason-Dixon line.

    The larger point here: hacking is not exactly the same as assault, theft, or trespass, and applying the same logic to it is something almost any good judge would refuse to do for fear of unintended consequences. For instance: since you don't know who's hacking you until you've checked them out, if you counter-hack them, you might wind up hacking the police. That's kind of a good thing from a civil rights standpoint, as it means they are on the same level as us, bound by the same natural consequences of their actions, but hacking the police would only be legal in a goddamn utopia. Furthermore, counter-hacking might theoretically lead you to the wrong person if you're not as skilled as your attacker. While this is not the reason trespass is illegal, one can easily imagine trying to steal your stuff back and getting the wrong house, and that's when you're looking for a physical location which you know is associated with a specific person. With counter-hacking, you're looking for a computer somewhere which may or may not belong to your attacker which may or may not have PID stored that is legitimately associated with said bastard.

    So, the whole argument boils down to this: hacking is hacking. It is not other activities, and cannot be usefully treated as similar to other crimes. The closest other thing is wiretapping, and nobody asks if it's okay to do that in a retaliatory fashion. Because of historical computer culture stuff, it might be argued that hacking shouldn't always be illegal, but currently it is, so that is the very obvious answer to the original question of this article. They should've been asking "should counter-hacking be legal," and because of the potential for harm to uninvolved third parties, I am kind of surprised to find myself saying that it should definitely not be. Counter-hacking should never happen without a warrant, and evidence gathered by it needs to be scrutinized very closely to make sure the right guy is caught.
  • "If someone breaks into my computer system, is it legal for me to break into his?". OK, rephrase it: "If someone breaks into my house, is it legal for me to break into his?". Answer the second, you've answered the first.

    • If someone breaks into my house, is it legal for me to break into his?

      Illegal, no, but potentially something for which the aggrieved party could sue you if s/he could prove damage? (From an English law point of view.)

    • by AK Marc ( 707885 )
      The fuzzy issue is that his break-in into your house was burglary, but your break-in is not. Why not? Because part of the definition is that you must be doing something otherwise illegal, or else it's just simple trespass. And simple trespass isn't so simple if you remove the breaking-in component to clarify the situation.

      If you followed the burglar home and he placed all your stolen items in his back yard, behind an unlocked gate with a "no trespassing" sign on it, is it illegal for you to enter the ya
      • if you have to move the gate to gain entry then it's trespass. If you are trespassing to recover your own property then it's still only trespass. The only burden on you is to prove a: that the gate was ajar if you are going the whole hog, and/or b: that the stolen property is yours. If you can do b to the criminal standard (produce receipts, photographs and/or insurance documents), then chances are that the trespass charge against you would be dropped anyway.

        • by AK Marc ( 707885 )
          Looking at the law in TX and AK, moving a gate is irrelevant to whether it's trespass.
          • I refer to the Common Law definition of trespass, which is to gain entry by moving a barrier or forcing a barrier.

            • by AK Marc ( 707885 )
              I referred to the actual law definition of trespass, which is being where you know you aren't allowed.
  • by allo ( 1728082 ) on Sunday November 18, 2012 @04:47PM (#42021713)

    In most cases you do not have a chance to successfully "hack back" anyway. The typical hacker victim is much more vulnerable than the typical hacker himself.

  • by gmuslera ( 3436 )

    The one in the middle with no clue on security will be used by the bad ones and destroyed by the good ones? Odds are high that you will hit an innocent (or at least, clueless) bystander. From his point of view, both sides are evil ones.

    On the other hand, **AA may not hack, but instead sue those people serving as proxy, maybe attacking them will prevent far bigger economical damages if they get sued (and that, without going to the "intelligence" agencies that could attribute to such proxies as originators

  • Back when highspeed internet wasn't as ubiquitous as it is today, I remember a friend on IRC who owned a computer shop telling me some stories of counter hacking. I have no idea how legit the following story is since I wasn't actually there for any of it, and I'm fuzzy on a lot of the details since it was related to me nearly 10 years ago. Despite all that, I think it has some relevance in that it's an easy target to pick specifics from and discuss them, rather than having to rely on sketchy car analogies