The hackers who dominate news coverage and popular culture --
malicious, adolescent techno-wizards, willing and able to do great harm
to innocent civilians and society at large -- don't exist.
The perceived threat landscape is a warped one, which directs
attention and resources to battling phantoms, rather than toward
preventing much more common data-security problems. According to the Privacy Rights Clearinghouse,
the loss or improper disposal of paper records, portable devices like
laptops or memory sticks, and desktop computers have accounted for more
than 1,400 data-breach incidents since 2005 -- almost half of all the
incidents reported. More than 180,000,000 individual records were
compromised in these breaches, which included individuals' names, Social
Security numbers, addresses, credit-card information and more. This is
compared to the 631 incidents from the same period that the
Clearinghouse assigns generically to "hacking or malware." Your private
data is more likely to be put at risk by a factotum leaving a laptop on a
train than by a wired teen with too much time on his hands.
Insider threats, otherwise known as frustrated grown-ups with real
jobs, also constitute a significant challenge for information security. The Wall Street Journal recently reported
on a survey which showed that 71 percent of IT managers and executives
believe insider threats present the greatest risk to their companies.
And the recent high-profile security breach at LinkedIn shows that one of the greatest risks to our personal security is ourselves:
more than two-thirds of the leaked LinkedIn passwords were eight
characters or fewer in length, and only one percent used the mix of
upper- and lower-case characters, numbers, and symbols that makes
passwords difficult to crack.
But these more serious threats don't seem to loom as large as hackers
in the minds of those who make the laws and regulations that shape the
Internet. It is the hacker -- a sort of modern folk devil who
personifies our anxieties about technology -- who gets all the
attention. The result is a set of increasingly paranoid and restrictive
laws and regulations that affect our abilities to communicate freely and
privately online and to use and control our own technology, and that put
users at risk of overzealous prosecutions and invasive electronic
search and seizure practices. The Computer Fraud and Abuse Act, the
cornerstone of domestic computer-crime legislation, is overly broad and
poorly defined. Since its passage in 1986, it has created a pile of
confused caselaw and overzealous prosecutions. The Departments of
Defense and Homeland Security manipulate fears of techno-disasters to
garner funding and support for laws and initiatives, such as the
recently proposed Cyber Intelligence Sharing and Protection Act, that
could have horrific implications for user rights. In order to
protect our rights to free speech and privacy on the internet, we need
to seriously reconsider those laws and the shadowy figure used to
rationalize them.
* * *
The hacker character in mainstream culture
has evolved as our relationship with the technology has changed. When
Matthew Broderick starred in War Games in 1983, the hacker
character was childish, driven by curiosity and benign self-interest,
and sowed his mayhem largely by accident. Subsequent incarnations, like
those in Hackers, Sneakers, GoldenEye, and Live Free or Die Hard
became more dangerous and more intentional in their actions, gleefully
breaking into protected networks and machines and causing casual
destruction incomprehensible to techno have-nots. The hacker in American
film, almost always white, middle class, and male, is immature,
socially alienated, vindictive, and motivated by selfish goals or
personality problems. The plots of such films are built on apocalyptic
techno-paranoia, reflecting a belief that hackers have supreme control
over the technologies that make the world run.
News coverage parallels the pop culture frame. Basement-dwelling
hackers remain a primary villain on the evening news and the front page,
even at the cost of an accurate and rational portrayal of current
events. "Hacking" is used as a catch-all term to describe almost any
computer-related crime or "bad" action, no matter the skills or
techniques involved. Coverage often confuses what could happen with what
is actually happening, reporting on theoretical exploits of the type
often presented at security conferences as if they were a clear and
present danger. Recent media and government fixation on the
prankster-protesters of Anonymous has stoked the fires of
techno-paranoia and, as Yochai Benkler pointed out in a recent article in Foreign Affairs, has
conflated modes of electronic civil disobedience with outright
cybercriminality in ways that damage the cause of political speech
online.
The hacker lurks in the network, a decentralized threat, able to
cause harm far from his actual location. His relationship with
technology is pathological; he is compulsive in his hacking activities,
and therefore cannot be reformed. Because he is socially alienated, he
lacks the normal social checks on his behavior, and is instead stuck in a
feedback loop with other hackers, each trying to outdo the other in
juvenile mayhem on the public internet. Add to all this the hacker's
superhuman ability to manipulate anything running code, and you have a
terrifying modern boogeyman that society must be protected from at all
costs.
* * *
In the effort to protect society and the state from the ravages of
this imagined hacker, the US government has adopted overbroad, vaguely
worded laws and regulations which severely undermine internet freedom
and threaten the Internet's role as a place of political and creative
expression. In an effort to stay ahead of the wily hacker, laws like the
Computer Fraud and Abuse Act (CFAA) focus on electronic conduct or
actions, rather than the intent of or actual harm caused by those
actions. This leads to a wide range of seemingly innocuous digital
activities potentially being treated as criminal acts. Distrust for the
hacker politics of Internet freedom, privacy, and access abets the
development of ever-stricter copyright regimes, or laws like the
proposed Cyber Intelligence Sharing and Protection Act, which if passed
would have disastrous implications for personal privacy online. The
hacker folk devil as depicted in popular culture and news coverage is
the target of and the justification for these laws and regulations. But
rather than catching that phantom, these laws invite guilt by
association, confusing skill with computers with intent to harm. They
snag individuals involved with non-criminal activities online, as
happened in the case of Bret McDanel, who served 16 months in prison for
sending a few emails, and leave the rest of us with legally crippled
technology and a confused picture of our rights online.
Crafting governmental and corporate policy in reaction to a
stereotyped social ghoul lurking in the tubes is ineffective at best,
and actively malignant at worst. There are real threats in the online
space, from the banal reality of leaving a laptop on the bus and sloppy
personal security habits to the growing reality of inter-state cyberwar.
However, focusing on the boys-in-the-basement hacker threat model
drains attention and resources from discovering what and where the
actual threats are. Taking down file lockers, criminalizing
jailbreaking, modding, and terms-of-service violations, and casting legal
aspersions on anonymous and pseudonymous speech online are distracting
fearmongering and waste governmental and corporate resources. Recent
court decisions, like the opinion handed down by the Ninth Circuit in US
v. Nosal, work to narrow the scope of the CFAA, which gives hope to the
idea that it is possible to regulate the Internet in a more
reality-driven way.
In order to achieve that regulation, though,
we must discard the hacker stereotype as a central social villain and
legal driver. The past few years have seen the internet emerge as a
central haven for political speech, domestically and internationally.
The internet has been used to exchange ideas, organize protests, and
overthrow dictators. We hold the right to free political speech dearly
in this country, and, for better or for worse, the laws we pass
regarding the regulation of the internet have a disproportionally large
impact on the way this international resource operates. The question
that we must ask ourselves is, do we want the next Arab Spring regulated
out of existence by our fear of hackers who don't even exist?