From: mnemonic@eff.org (Mike Godwin) Subject: File 3--Re: Hackers - Clamp Down NOW! Date: 16 Jul 91 23:41:11 GMT I am astonished both at the moral simplicity and the factual inaccuracy of Tom Forester's newspaper column. For details, see below. In article <2118@limbo.Intuitive.Com> geo@manta.mel.dit.csiro.au (George Bray) writes [posting for Tom Forester]: >It's about time we got tough with hackers and exposed them for >the irresponsible electronic vandals they really are. It certainly is time we got tough on "vandals." But it is well-established, in Tom Forester's own book COMPUTER ETHICS among other places, that there is more than one motivation for computer trespass. A "vandal," according to my dictionary at hand, is one who "willfully or maliciously defaces or destroys public or private property." Few if any of the particular cases Forester cites below are cases that a native speaker of the English language would normally call "vandalism" ... unless his intent were to provoke an emotional reaction rather than a reasoned assessment of a problem. But the use of this term is among the smallest of the faults in Forester's piece. >Breaking into a computer is no different from breaking into your >neighbour's house. It is burglary plain and simple - though often >accompanied by malicious damage and theft of information. Nothing is "plain" or "simple" about analogizing computer trespass to burglary. The English common law that informs the British, American, and Australian legal systems has always treated burglary harshly, primarily because it involves a threat to the victim's *residence* and to his *person*. But computer intrusion in general, and the cases Forester discusses in particular, pose neither threat. A mainframe computer at a university or business, while it clearly ought to be protected "space" under the law, is not a house "plain and simple." The kind of invasion and the potential threat to traditional property interests is not the same. Consider this: anyone who has your phone number can dial your home-- can cause an electronic event to happen *inside your house*. That "intruder" can even learn things about you from the attempt (especially if you happen to answer, in which case he learns your whereabouts). Do we call this attempted burglary? Do we call it spying or information theft? Of course not--because we're so comfortable with telephone technology that we no longer rely on metaphors to do our thinking for us. Whenever anyone glibly asserts that computer intrusion is just like burglary ("plain and simple"), he is showing that he knows very little, if anything, about the history and character of the concept of burglary. This is not a semantic quibble. It is a dispute about metaphors. The metaphor you choose dictates your emotional response. Is computer intrusion *truly* like burglary "plain and simple"? Or is it like trespass--the kind in which the neighborhood kid leaps your fence to swim in your private pool at midnight. Both acts should be illegal, but one is taken far more seriously than the other. This is not to say that all computer intrusion is innocuous. Some of it is quite harmful--as when a true "vandal" runs programs that damage or delete important information. But it is important to continue to make moral and legal distinctions, based on the intent of the actor and the character of the damage. Tom Forester seems to want to turn his back on making such distinctions. This, to me, is a shameful position to take. So much for the moral argument--let's look at Forester's factual errors. There are many egregious ones. >Last year, the so-called 'Legion of Doom' managed to completely >stuff up the 911 emergency phone system in nine US states, thus >endangering human life. They were also later charged with trading >in stolen credit card numbers, long-distance phone card numbers >and information about how to break into computers. Only a person who is willfully ignorant of the record could make these statements. The so-called Legion of Doom never damaged or threatened to damage the E911 system. If Forester had done even minimal research, he could have discovered this. What they did, of course, was copy a bureaucratic memo from an insecure Bell South computer and show it to each other. At the trial of Craig Neidorf, who was charged along with Legion of Doom members, it was revealed that the information in that memo was publicly available in print. Thus, there was no proprietary information involved, much less a threat to the E911 system. Forester is simply inventing facts in order to support his thesis. For an academic, this is the gravest of sins. >Leonard Rose Jr. was charged with selling illegal >copies of a US $77,000 AT&T operating system. Len Rose was never charged with "selling" anything. >Robert Morris, who launched the disastrous Internet worm, got a >mere slap on the wrist in the form of a US $10,000 fine and 400 >hours' community service. If Forester had investigated the case, he might have discovered an explanation for the lightness of Robert Morris Jr.'s sentence: that Morris never intended to cause any damage to the networks. In any case, Morris hardly qualifies as a "hacker" in the sense that Forester uses the word; by all accounts, he was interested neither in "theft" nor "burglary" nor "vandalism." The interference with the functioning of the network was (again, by all accounts) accidental. Of course, making such subtle distinctions would only blunt the force of Forester's thesis, so he chooses to ignore them. >Instead, he tends to spend his time with the computer, rising at >2pm, then working right through to 6am,, consuming mountains of >delivered pizza and gallons of soft drink. This is the kind of stereotyping that Forester should be embarrassed to parrot in a public forum. >Some suffer from what Danish doctors are now calling "computer >psychosis" - an inability to distinguish between the real world >and the world inside the screen. > >For the hacker, the machine becomes a substitute for human >contact, because it responds in rational manner, uncomplicated by >feelings and emotions. And here Forester diagnoses people whom he has never met. One is forced to wonder where Forester acquired his medical or psychiatric training. Of the people whose names he blithely cites above, I have met or spoken to half a dozen. None of them has been confused about the difference between computers and reality, although it may be understandable that they prefer working with computers to working with people who prejudge them out of hatred, ignorance, or fear. >One day, these meddlers will hack into a vital military, utility >or comms system and cause a human and social catastrophe. It's >time we put a stop to their adolescent games right now. History suggests that we have far more to fear from badly designed or overcomplex software than from hackers. Recent failures of phone networks in the United States, for example, have been traced to software failures. Even if we grant that there are some hackers with the ability to damage critical systems, the question Forester fails to ask is this: Why hasn't it happened already? The answer seems to be that few hackers want to damage or destroy the very thing they are interested in exploring. Of course, there are some "vandals" out there, and they should be dealt with harshly. But there are far more "hackers" interested in exploring and understanding systems. While they may well violate the law now and then, the punishments they earn should take into account both their intentions and their youth. It has been noted many times that each generation faces the challenge of socializing a wave of barbarians--its own children. We will do our society little good if we decide to classify all our half-socialized children into criminals. For an ethicist, Forester seems to have given little thought to the ethics of lumping all computer trespass into one category of serious crime. Mike Godwin is staff counsel for the Electronic Frontier Foundation and has written on the topic of law and cyberspace. ------------------------------