Hacker vs. Counter-Hacker — a Legal Debate

Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:

• Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
• Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
• Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"

Retaliation

[Anonymous Coward]

Is there any way to know if you're retaliating against the correct target?

Vigilante Justice

[Anonymous Coward]

Is vigilante justice legal? No. Is self defense legal? Yes. What is what? Depends on the judge.

The trouble with analogy

[Animats]

The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.

In almost all modern online attacks, the immediate source of the the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do. [westcoastbk.com]

Re:Who cares?

[Daniel Dvorkin]

You may not have noticed this (yet) but nerds are not above the law. "Can I do this?" is obviously the first question a nerd should ask in a situation like this. "Will I go to prison for doing this?" should be a close second.

Re:Retaliation

[Freddybear]

At least some of the argument in TFA assumes that the botnet's toolkit has itself been cracked and exploits are available making it possible to turn the tables on the botnet controllers. That may be a rather large assumption, even just for the sake of the argument.

Re:Retaliation

[utkonos]

10 times out of 10, if you hack into the system where the attack is coming from, you will be hacking into a system owned by an innocent third party that was also hacked. You are then violating that party a second time. Lets take a more concerning scenario: You discover an attack that is originating from a competitor. You hack back into their system. This situation can only end badly. First, if they were responsible you have now spoiled evidence. Second, if they are not responsible and were also hacked as a jumping off point, you now have hacked into a competitor's system and compromised them. You should now have to pay damages because they have not way to tell that you didn't steal their corporate secrets while you were there in their system.