The more interconnected the world becomes, the more people (and businesses and governments) are exposed to harm generated online. “Cyberthreats” have become a leading source of worry for many knowledgeable people. The Internet is a dangerous place. Hacking that was once the domain of geeks wanting to show off their exploits is now big business, with a division of labour (those who collect the information pass it on to those who use it) and serious resources. Tools for most forms of nastiness are readily available for sale at reasonable prices.
Crime has been joined by state and perhaps private espionage in the illicit domain, and some claim that “cyber-war” cannot be far behind, if it has not already made its appearance. (On the other hand, no one has actually died in such an incident yet, compared to millions of dead in the world wars of the 20th century and many thousands in many other “offline” wars. There is a risk of inflation of vocabulary.)
Much publicity was given to a report by Mandiant this year saying that massive numbers of successful online attacks on U.S. businesses originated with a building in Shanghai owned by the Chinese People's Liberation Army. The President of the United States issued an Executive Order about cyber-threats to critical infrastructure, by which components of that infrastructure (a very broad group) would be notified of their status (not likely to be news) and of any imminent threats detected by U.S. government security agencies.
Canada's Department of Public Safety has published a national Cyber Security Strategy. In October 2012, the Auditor General published a review of Canada's readiness and found it wanting. We have no right to feel comfortable.
Faced with these very real threats (and some of the perceived ones), people naturally want to know what they can do about them. Will the police protect them? Will government? Will the providers of information technology: the hardware, the communications links, the programs, the apps? While the answer may be “all of the above” to some extent, it is increasingly clear that security begins at home.
But once one has the latest firewall and anti-virus and has installed the latest patches on all one's programs, and has trained oneself and one's staff in good security practices, what happens if one is still compromised? How far does self-help extend?
The right to engage in active self-defence, also known as “hacking back”, is currently the topic of much discussion (including a brief note here at Slaw). Many presentations at the 2013 RSA Conference on IT security focused on this topic, including three of the eight in the “law track” of lectures and panels (and even a mock trial). It may be considered good that the IT people are thinking about legalities; frequently the IT folks deal with cyber-threats without mentioning them to their lawyers.
A number of different activities may be considered active defence. One is intelligence gathering: Where are the attacks coming from? How are they being made? Who is behind them? Who else is being attacked? What are they after? The other is aggressive defence: stopping the attack, following one's data into the adversary's hands and deleting it there, and reducing the adversary's capacity to continue the attack.
Is this legal? The discussion has focused mainly on the criminal risk, with a close reading of the relevant statutes and adapting traditional justifications. The civil risk is starting to draw attention too. Other categories of risk are the practical and the military. These three will be the subject of another column.
There seems to be no concern about intelligence gathering in one's own computer. One can analyse whatever is there, however deeply hidden, and the only question is whether one recognizes what one finds and is able to do anything about it. So I can delete or quarantine any malware I can detect, without liability.
The questions arise when I go outside my computer. For purposes of this discussion we are talking about online computer communications, rather than attacks carried out via removable media (though the Stuxnet attack, which some consider the only actual act of cyber-warfare to date, is reported to have reached its target through infected USB drives).
Am I allowed to follow the data in my computer back to the computer it came from? What can I do when I get there – given that 'being there' is a metaphor? What I am doing is sending commands to another computer and causing it to respond by sending me data.
Two provisions of the Criminal Code of Canada may apply. The first is s. 342.1, which prohibits obtaining a computer service, or intercepting or using a computer system, 'fraudulently and without colour of right'. Usually the term 'fraudulently' requires some kind of undue financial motive, though if one were to guess or crack a password in order to gain access, that element of the offence might be the subject of argument in a prosecution.
The legality of access is more likely to present the issue of 'colour of right'. What right can one claim to be poking about inside someone else's computer? Is the need for information about harm being done sufficient? Is the need to stop the harm sufficient?
One can look for one's colour of right by analogy to the law of trespass on physical property. Can I enter my neighbours' house without their consent to find the source of a loud noise? To find the source of water that is flooding my yard, or basement? To put out a fire that threatens the neighbourhood? These examples presume that the neighbours are not intentionally causing the harm – but suppose that they are? And they might not be at home – but is the neighbours' computer (or one around the world) unoccupied in any meaningful sense?
Trespass analogies do not work very well. One can imagine a flow of electrons having a physical effect on another computer, and there have been efforts in the US to characterize sending unwanted messages to a computer as trespass to chattels. Nevertheless it seems artificial. Is a password the equivalent of a lock on a door or a sign on a lawn? One can trespass by walking through an unlocked door, but perhaps not by walking across an unfenced yard, if there is no sign. What is the computer equivalent of a sign? Avoiding the difficulties of applying such analogies was one of the reasons for the express provisions of the Code. Indeed one of the motivations for the Council of Europe's Cybercrime Convention was to ensure that many countries had basic laws against intrusion on and misuse of computers, following cases in which creation and distribution of malware was held not to be against the law in some countries.
Mischief to data
The second main provision of the Criminal Code is s. 430(1.1), prohibiting mischief in relation to computer data. This would be relevant if one went beyond investigation to active defence, such as deletion of files or programs that were thought to be causing the damage. The offence includes destroying or altering data and rendering data meaningless, useless or ineffective – just what one would want to do to malware that was affecting one's computer. Section 429(2) provides a defence to a charge under this provision, however: one may not be convicted where one 'proves that he acted with legal justification or excuse and with colour of right.'
The reference to 'legal justification or excuse' may provide a broader defence than the absence of fraudulent intent in the access provision. Two legal justifications are most likely to be used: self-defence and necessity.
Self-defence (of property)
It is clear that one can defend one's property against attack by an act that is 'reasonable in the circumstances' (s. 35 of the Criminal Code). That includes a reasonable belief that one's property was in fact under threat. Is it reasonable to extend self-defence to acts beyond cutting one's computer off from the source of the attack? If it were not possible to block the attacker selectively, for example without cutting off all online communications, then a more active defence might be allowable. These days the law might not require somebody to do without any Internet connection because of a history of being attacked.
How possible is it to fine-tune one's counter-attack? What are the risks of going too far, of causing collateral damage, of going beyond what is reasonable in the circumstances? Is a certain (or uncertain) amount of collateral damage reasonable in order to achieve the basic defence?
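The least intrusive response mentioned above, blocking the attacking source rather than cutting off all online communications, is the baseline against which any more active step would be measured. The following is an added example, not part of the original column, showing in Python how such a selective block is typically derived from one's own logs, and how a coarser rule (a whole /24 instead of single addresses) widens the collateral reach. The sshd-style log lines, the line format, the addresses (documentation ranges) and the failure threshold are all constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, sshd-style. These lines are made up for this
# example (RFC 5737 documentation addresses), not taken from any real system.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1001]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:13 host sshd[1001]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:14 host sshd[1001]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:15 host sshd[1001]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar  3 10:01:16 host sshd[1001]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:02:01 host sshd[1002]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:02:40 host sshd[1003]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar  3 10:03:05 host sshd[1004]: Failed password for root from 203.0.113.9 port 6100 ssh2
Mar  3 10:03:06 host sshd[1004]: Failed password for root from 203.0.113.9 port 6101 ssh2
Mar  3 10:03:07 host sshd[1004]: Failed password for root from 203.0.113.9 port 6102 ssh2
Mar  3 10:03:08 host sshd[1004]: Failed password for root from 203.0.113.9 port 6103 ssh2
Mar  3 10:03:09 host sshd[1004]: Failed password for root from 203.0.113.9 port 6104 ssh2
Mar  3 10:03:10 host sshd[1004]: Failed password for root from 203.0.113.9 port 6105 ssh2
"""

# Assumed log format: one "Failed password" line per attempt.
FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+) port \d+")


def count_failures(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def select_block_targets(counts, threshold=5):
    """Only sources at or above the threshold are blocked. The single
    failure from 198.51.100.20 (a legitimate user who then logs in with a
    key) stays below it and is left alone."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def drop_rules(targets):
    """Render per-host iptables DROP rules: the narrowest rule that stops
    the attacker, with no effect on anyone else's traffic."""
    return [f"iptables -I INPUT -s {ip}/32 -j DROP" for ip in targets]


def prefix_coverage(targets, prefixlen=24):
    """Estimate the reach of a coarser rule: map each covering network of
    the given prefix length to the number of addresses it contains."""
    coverage = {}
    for ip in targets:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        coverage[str(net)] = net.num_addresses
    return coverage


def collateral_addresses(targets, prefixlen=24):
    """Addresses a prefix-wide block would cut off beyond the attackers."""
    total = sum(prefix_coverage(targets, prefixlen).values())
    return total - len(targets)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    targets = select_block_targets(counts)
    for rule in drop_rules(targets):
        print(rule)
    print("addresses cut off by a /24 block instead:", collateral_addresses(targets))
```

Run stand-alone, the script blocks exactly the two hosts that exceeded the threshold and shows that widening the rule to their /24 would cut off 254 further addresses that have done nothing. The same arithmetic applies, with far higher stakes, to any counter-attack that is aimed at a network rather than a host.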
The other main line of argument in the face of criminal charges would be necessity. This is in large part an aspect of self-defence, but it applies at common law, outside the Code. There must be imminent peril to the person who claims necessity. The case law does not appear to have dealt with peril to property, unlike the codified rule on defence of one's property. The courts have been very willing to limit the scope of necessity. One must have no reasonable legal alternative to the illegal action one has taken, and one must act in proportion to the risk.
To succeed, one would certainly have to show that one's own system was as secure as possible, with all safeguards in place, with all patches applied, and so on. If it were possible to block the suspected source of infection or attack, that must be done. When would that not be enough? Is any source of communication so necessary that an infection of that source 'must' be taken down? But why not just inform the people responsible for the other system that it is infected or distributing malware? If they intend to harm you, is it really necessary that you continue to deal with them? If they do not intend to harm you, why would notice to them not be sufficient?
The other serious question that undermines a defence of necessity would be, 'why not tell the police and let them deal with it?' That's what the police are for, to stop criminal activity. They have legal powers beyond those of the general citizen, including – with judicial authorization – the right to intercept the flow of information and to require information to be made available to them. (The extent of those powers in the information age continues to be a matter of current debate in the courts and in Parliament.)
There is at least US precedent for private action with judicial authority. Microsoft, having traced malware traffic to particular addresses and domains through its own analysis, applied to a federal court for authority to disable the source, and was successful; it has since repeated the exercise against several botnets. Such an action would certainly meet the Criminal Code requirements for legal justification. It may be noted that not everyone is comfortable with even judicially-controlled self-help.
The American position on hacking back has been extensively debated. The issue there tends to turn on the application of the Computer Fraud and Abuse Act (CFAA), which prohibits access to a computer 'without authorization'. That phrase is not defined, though there are numerous and inconsistent judicial decisions on it – not generally in the context of self-defence, however. Civil liability under the CFAA (and the grading of some offences as felonies) often turns on there being loss of at least $5,000 in a year. Accessing a computer to investigate the source of communications, or possibly even disabling a malware server, might not meet that standard. Canadian law gives a bit more guidance, but still does not clearly resolve just what one can and cannot do.
An important complicating factor in the whole discussion is the likelihood that any attack on one's computer system is an indirect or disguised attack. It is probably not coming from one's neighbour's computer, but from somewhere else. The takeover of innocent (though possibly negligently run) computers by hackers, who use them as 'bots', i.e. automatons that send traffic at the hackers' command, is very common. Botnets of a hundred thousand machines or more are not unknown.
Thus the risk of harming an innocent machine, and its owner, is substantial, as one hacks back against what is harming one's own system. It is not clear how that affects one's colour of right or legal justification for accessing or destroying data on that machine. Generally one's legal rights must be exercised reasonably, which would seem to require at least reasonable care to ensure that one had the right target. An investigation of an innocent (but compromised) computer might be more likely to escape prosecution, or conviction, than doing damage to it.
The debate continues, but in the context of unclear law as well as contentious policy. (If the third party's computer is already compromised, how much additional harm does the counter-attacker do, and should we care?) Should the law encourage a type of vigilante justice, taking the law into one's own hands? Do we trust the usual official hands, whether law enforcement or even military authorities, to do the job? Is it possible to legislate sufficiently specific grounds for active defence that most of the risks will be avoided, and the potential harm from hacking back will be less than the harm caused by the attacks?
The next column will review civil, military and practical elements to the hacking back discussion.