Column

Hacking Back: The Next Big Thing? I: Criminal Considerations

The more interconnected the world becomes, the more people (businesses, governments) are exposed to harm generated online. “Cyberthreats”have become a leading source of worry for many knowledgeable people. The Internet is a dangerous place. Hacking that was once the domain of geeks wanting to show off their exploits is now big business, with division of labour (those who collect the information pass it on to those who use it) and serious resources. Tools for most forms of nastiness are readily available for sale at reasonable prices.

Crime has been joined by state and perhaps private espionage in the illicit domain, and some claim that “cyber-war” cannot be far behind, if it has not already made its appearance. (On the other hand, no one has actually died in such an incident yet, compared to millions of dead in the world wars of the 20th century and many thousands in many other “offline” wars. There is a risk of inflation of vocabulary.)

Much publicity was given to a report by Mandiant this year saying that massive numbers of successful online attacks on U.S. businesses originated with a building near Shanghai owned by the Chinese People’s Liberation Army. The President of the United States issued an “Executive Order” about cyber-threats to criticial infrastructure, by which components of that infrastructure (a very broad group) would be notified of their status (not likely to be news) and any imminent threats detected by U.S. IT security forces.

Canada’s Department of Public Safety has published a national Cyber-Security Strategy. In October, 2012, the Auditor General published a review of Canada’s readiness, finding it wanting. We have no right to feel comfortable.

Faced with these very real threats (and some of the perceived ones), people naturally want to know what they can do about them. Will the police protect them? Will government? Will the providers of information technology: the hardware, the communications links, the programs, the apps? While the answer may be “all of the above”to some extent, it is increasingly clear that security begins at home.

But once one has the latest firewall and anti-virus and has installed the latest patches on all one’s programs, and has trained oneself and one’s staff in good security practices, what happens if one is still compromised? How far does self-help extend?

The right to engage in active self-defence, also known as “hacking back”, is currently the topic of much discussion (including a brief note here at Slaw.) Many presentations at the 2013 RSA Conference on IT Security focused on this topic, including three out of the eight in the”law track” of lectures and panels (and even a mock trial). It may be considered good that the IT people are thinking about legalities; frequently the IT folks deal with cyber-threats without mentioning them to their lawyers.

There are a number of different activities that may be considered to be active defence: intelligence gathering (Where are the attacks coming from? How are they being made? Who is behind them? Who else is being attacked? What are they after?) and aggressive defence: stopping the attack, following and deleting one’s data in the adversary’s hands, and reducing the adversary’s capacity to continue the attack.

Is this legal? The discussion has focused mainly on the criminal risk, with a close reading of the relevant statutes and adapting traditional justifications. The civil risk is starting to draw attention too. Other categories of risk are the practical and the military. These three will be the subject of another column.

Criminal risk

There seems to be no concern about intelligence gathering in one’s own computer. One can analyse whatever is there, however deeply hidden, and the only question is whether one recognizes what one finds and is able to do anything about it. So I can delete or quarantine any malware I can detect, without liability.

The questions arise when I go outside my computer. For purposes of this discussion we are talking about online computer communications, rather than attacks carried out via mobile hardware (though the Stuxnet attack that some consider the only actual act of cyber-warfare to date was perpetrated through infected USB drives.)

Am I allowed to follow the data in my computer back to the computer it came from? What can I do when I get there – given that ‘being there’ is a metaphor? What I am doing is sending commands to another computer and causing it to respond by sending me data.

Unauthorized access

Two provisions of the Criminal Code of Canada may apply. The first is s. 341.1 that prohibits access to a computer or data ‘fraudulently and without colour of right’. Usually the term ‘fraudulently’ requires some kind of undue financial motive, though if one were to guess or crack a password in order to gain access, that element of the offence might be the subject of argument in a prosecution.

The legality of access is more likely to present the issue of ‘colour of right’. What right can one claim to be poking about inside someone else’s computer? Is the need for information about harm being done sufficient? Is the need to stop the harm sufficient?

One can look for one’s colour of right by analogy to the law of trespass on physical property. Can I enter my neighbours’ house without their consent to find the source of a loud noise? To find the source of water that is flooding my yard, or basement? To put out a fire that threatens the neighbourhood? These examples presume that the neighbours are not intentionally causing the harm – but suppose that they are? And they might not be at home – but is the neighbours’ computer (or one around the world) unoccupied in any meaningful sense?

Trespass analogies do not work very well. One can imagine a flow of electrons having a physical effect on another computer, and there have been efforts in the US to characterize sending unwanted messages to a computer as trespass to chattels. Nevertheless it seems artificial. Is a password the equivalent of a lock on a door or a sign on a lawn? One can trespass by walking through an unlocked door, but perhaps not by walking across an unfenced yard, if there is no sign. What is the computer equivalent of a sign? Avoiding the difficulties of applying such analogies was one of the reasons for the express provisions of the Code. Indeed one of the motivations for the Council of Europe’s Cybercrime Convention was to ensure that many countries had basic laws against intrusion on and misuse of computers, following cases in which creation and distribution of malware was held not to be against the law in some countries.

A more thorough review of the use of analogy in applying criminal laws to computer investigations is found in the works of Orin Kerr.

Mischief to data 

The second main provision of the Criminal Code is s. 430(1.1) prohibiting mischief to data. This would be relevant if one went beyond investigation to active defence, such as deletion of files or programs that were thought to be causing the damage. The offence includes destruction of data and rendering data inoperative or ineffective – just what one would want to do to malware that was affecting one’s computer. Section 429 provides a defence to a charge under this provision, however: one may not be convicted where one ‘proves that he acted with legal justification or excuse and with colour of right.’

The reference to ‘legal justification or excuse’ may provide a broader defence than the absence of fraudulent intent in the access provision. Two legal justifications are most likely to be used: self-defence and necessity.

Self-defence (of property) 

It is clear that one can defend one’s property against attack, by an act that is ‘reasonable in the circumstances’ (s. 35 of the Criminal Code.) That includes a reasonable belief that one’s property was in fact under threat. Is it reasonable to extend self-defence to acts beyond cutting one’s computer off from the source of the attack? If it were not possible to be selective in blocking the attacker, for example without cutting off all online communications, then a more active defence might be allowable. These days the law might not require somebody to do without any Internet connection because of a history of being attacked.

How possible is it to fine-tune one’s counter-attack? What are the risks of going too far, of causing collateral damage, of going beyond what is reasonable in the circumstances? Is a certain (or uncertain) amount of collateral damage reasonable in order to achieve the basic defence?

Necessity

The other main line of argument in the face of criminal charges would be necessity. This is in large part an aspect of self-defence, but it applies at common law, outside the Code. There must be imminent peril to the person who claims necessity. The case law does not appear to have dealt with peril to property, unlike the codified rule on defence of one’s property. The courts have been very willing to limit the scope of necessity. One must have no reasonable legal alternative to the illegal action one has taken, and one must act in proportion to the risk.

To succeed, one would certainly have to show that one’s own system was as secure as possible, with all safeguards in place, with all patches applied, and so on. If it were possible to block the suspected source of infection or attack, that must be done. When would that not be enough? Is any source of communication so necessary that an infection of that source ‘must’ be taken down? But why not just inform the people responsible for the other system that it is infected or distributing malware? If they intend to harm you, is it really necessary that you continue to deal with them? If they do not intend to harm you, why would notice to them not be sufficient?

The other serious question that undermines a defence of necessity would be, ‘why not tell the police and let them deal with it?’ That’s what the police are for, to stop criminal activity. They have legal powers beyond those of the general citizen, including – with judicial authority – the right to intercept the flow of information and to require information to be made available to it. (The extent of those powers in the information age continues to be a matter of current debate in the courts and in Parliament.)

There is at least US precedent for private action with judicial authority. Microsoft discovered by its own data flow analysis that malware was coming from a particular address. It applied to the court for authority to disable the source, and was successful. Such an action would certainly meet the Criminal Code requirements for legal justification. It may be noted that not everyone is comfortable with even judicially-controlled self-help.

The American position on hacking back has been extensively debated. The issue there tends to turn on the application of the Computer Fraud and Abuse Act (CFAA), which prohibits ‘unauthorized’ access to a computer. ‘Unauthorized’ is not defined, though there are numerous and inconsistent judicial decisions on the term – not generally in the context of self-defence, however. Liability under the CFAA often turns on there being damage of more than $5000. Accessing a computer to investigate the source of communications, or possibly even disabling a malware server, might not meet that standard. Canadian law gives a bit more guidance, but still does not clearly resolve just what one can do and not do.

Intermediary computers

An important complicating factor in the whole discussion is the likelihood that any attack on one’s computer system is an indirect or disguised attack. It is probably not coming from one’s neighbour’s computer, but from somewhere else. The takeover of innocent (though possibly negligently run) computers by hackers, who use them as ‘bots’, i.e. automatons to send messages at the hackers’ command, is very common. Botnets of a hundred thousand machines are not unknown.

Thus the risk of harming an innocent machine, and its owner, is substantial, as one hacks back against what is harming one’s own system. It is not clear how that affects one’s colour of right or legal justification for accessing or destroying data on that machine. Generally one’s legal rights must be exercised reasonably, which would seem to require at least reasonable care to ensure that one had the right target. An investigation of an innocent (but compromised) computer might be more likely to escape prosecution, or conviction, than doing damage to it.

Conclusion (continuation)

The debate continues, but in the context of unclear law as well as contentious policy. (If the third party’s computer is already compromised, how much additional harm does the counter-attacker do, and should we care?) Should the law encourage a type of vigilante justice, taking the law into one’s own hands? Do we trust the usual official hands, whether law enforcement or even military authorities, to do the job? Is it possible to legislate sufficiently specific grounds for active defence that most of the risks will be avoided, and the potential harm from hacking back will be less than the harm caused by the attacks?

The next column will review civil, military and practical elements to the hacking back discussion.

Retweet information »

Comments

  1. David Collier-Brown

    Interestingly, many attacks are done using the computers of innocent third parties, similar to the described neighbours: “Can I enter my neighbours’ house without their consent to find the source of a loud noise? To find the source of water that is flooding my yard, or basement? To put out a fire that threatens the neighbourhood?”

    In practice, an attacker usually has a “command and control” computer which controls a cloud of “bots”, which are other people’s computers subverted by viruses. These “bots” carry out the attacks, without the knowledge or approval of their owners.

    This raises the possibility of looking at the virus-infected machines as a kind of public-health problem. What actions can a private person, a police officer or a medical professional take against someone who has a physical virus? What are their computer analogs? And what are the laws that apply to them?

    In some cases, competing viruses and hack-back practitioners run antiviruses on the infected machines, or apply the Microsoft patches that will stop the infection. Can one make a public-health case for requiring someone to run a particular antivirus?

    –dave

  2. John:

    Indeed interesting stuff you’ve written on hacking-back. Here are some added “defence” thoughts:

    1. If there were evidence making reasonable, a belief that the “hack attacker” would persist and do it again if action were not taken by immediate “hacking back,” I’d argue, (in addition to the arguments that you’ve suggested), Criminal Code s. 27, “Use of Force to Prevent Commission of Offence.” Counter-arguments that such hacking back action should be left to the police, would be answerable by the need to follow the attack back immediately, being the time when finding the attacker was most opportune–like shooting back at the spot whereat the intended victim sees the flash of the attacker’s gun before the attacker is gone or shoots again. “Do before you’re done to.”

    — see: Foley, [2000] O.J. No 5204 (S.C.J.): a belief in the need for retaliation may be mistaken but reasonable, and, “a person defending against an attack reasonably apprehended cannot be expected to weigh to a nicety the exact measure of defensive action required.” (This is a “Baxter instruction” to jury or judge alone, in relation to the extent of necessary force: Baxter, [1975] O.J. No. 1053 (C.A.). And see also Scotney, [2011] O.J. No. 1444, 277 C.C.C. (3d) 186, 280 O.A.C. 262. Such cases being applicable to s. 27 even though they deal with assaults upon the person re. s. 34: Foley, supra.)

    2. Necessity: As you point out, hacking would be mischief as per Cr. Code s. 430(1.1), as it would be by way of the type of mischief called, “the unauthorized use of a computer” under Cr. Code s. 342.1. Although the, “in immediate peril,” “imminent risk,” and, “moral involuntariness,” requirements of the necessity defence (see Perka, [1984] S.C.J. No. 40, [1984] 2 S.C.R. 232; and see the “necessity defence availability” summary below) greatly restrict its use in relation to the defence of property, it has been considered in relation to property offences. Even though the defence failed in most of the following cases, it did not fail because necessity isn’t available in regard to property offences, offences such as:

    – mischief: Stevenson, [1986] 5 W.W.R. 737, 42 Man.R. (2d) 133 (Man. Q.B.), leave to appeal refused, [1987] 1 W.W.R. 767 (Man. C.A.), necessity defence failed because there were other alternatives available; accused burning bridge on a highway that ran through an Indian reserve; bridge in poor repair, accused claiming this was the only way they could draw attention to the need for repairs and conditions on the reserve.

    - break and enter: John Doe, [2007] B.C.J. B.C.J. No. 2111, 228 C.C.C. (3d) 302 (B.C.C.A.), acquittal set aside, new trial ordered; accused testified that he had been fasting in the woods for 60 days when he entered the house to be warm and to eat; the trial judge erred by not correctly applying the modified objective test to the first two components of the defence of necessity – the existence of an imminent peril or danger and the absence of any reasonable legal alternative, had to be assessed on a modified objective standard; the trial judge erred by failing to determine whether the accused’s perception of his situation, and the absence of any lawful alternatives, had an objectively reasonable foundation; the verdict would not necessarily have been the same had the trial judge properly applied the law on the defence of necessity.

    - false pretences: Deveau [1993] N.B.J. No. 332 (N.B. Provl. Ct.), passing bad cheques because of economic necessity; defence failed because accused had other legal options open to her.

    - fraud: Lalonde, [1995] O.J. No. 160, 22 O.R. (3d) 275 (Ont. Ct., Gen. Div.), accused suffering from battered wife syndrome, charged with defrauding Ministry of Community and Social Services by failing to report that she was living with a man while collecting family benefits; accused fearing the man and believing that she had no other choice; she was eligible for general welfare benefits in any event; agents of the Ministry aware of the circumstances but overlooking them; accused acquitted. (Lavallee, [1990] 1 S.C.R. 852, [1990] S.C.J. No. 36, on “battered woman defence” considered.)

    Stephen, [2008] N.S.J. No. 43 (N.S.S.C.), battered wife syndrome defence failed re possession and laundering proceeds of crime for her husband, a drug trafficker, because the court found beyond a reasonable doubt that she was in the relationship with her husband out of choice.

    And, there are a large number of, “compelled to take my drugs” cases, too numerous to summarize by email.

    I did find the following summary as to the availability and scope of the necessity defence:

    1. The defence of necessity is an excuse, operative by virtue of s.8 (3) of the Criminal Code.

    2. It is available to excuse conduct which is normatively involuntary.

    3. To be involuntary, there must be circumstances of imminent and urgent peril where the action taken is unavoidable (measured according to a modified objective standard).

    4. The action must similarly be unavoidable in that there is no reasonable opportunity for an alternative course of action that does not involve a breach of the law (measured according to a modified objective standard).

    5. The defence applies only where the action meets the proportionality test; the harm avoided must be more serious than the harm caused by the act in question (measured according to an objective standard).

    6. There must be an “air of reality” to all three criteria set out in points 3 to 5 above.

    7. Negligence or involvement in criminal or immoral activity does not disentitle the actor to the excuse of necessity although actions or circumstances which indicate that the wrongful deed was not truly involuntary do disentitle.

    8. Mere dissatisfaction with the current state of the law does not provide a basis for the defence of necessity.

    9. The presence of law enforcement agencies who are available to take matters under control if necessary will deprive the accused of the defence of necessity.

    ———

    John, I look forward to your next piece on this subject.

    — Ken (Ken Chasse, Toronto).