|
|
Do hacker how-to guides constitute aiding and abetting a criminal?
Because you have
the right to my opinion |
The world of
cyberspace is fraught with criminals, and many law abiding
citizens are struggling to apply existing laws to the web.
For example, we see
SQL Injection Hacking
Attacks on video all published under the guise of helping
the security administrator understand the methods used by
criminals to steal data, but with complete disregard for the
criminals who will use the instructions to commit crimes.
Many of these "researchers" hide behind the DMCA (Digital
Millennium Copyright Act), saying that it gives them the right
to reverse engineer software, find vulnerabilities and broadcast
them to the public at-large.
However, the DMCA was designed to
protect web hosting services and ISP's and not specific web
publishers. In
this article, a retired judge Fadeley notes that offering
DMCA protection to bloggers and web authors is a serious
loophole in the DMCA, and that new legislation is required to
make bloggers and "cyber bullies" responsible for damage to
people. See Time
for DMCA reform for details.
Irresponsible or illegal?
But not everyone
agrees. Oracle Corporation recently
chided some security experts as being "selfish",
"irresponsible" and "dangerous" for openly publishing
instruction on how-to hack into Oracle databases:
"A few hours after
Litchfield went public with a technical description of the
flaw, including a blow-by-blow demonstration of ease in
which an attack could occur, Oracle lashed back, accusing
the British researcher of putting its customers at severe
risk for selfish, irresponsible reasons...
Even as he downplayed the
severity of the flaw, Harris said Litchfield's decision to
go the way of "irresponsible disclosure" was a "dangerous
thing to do.""
These types of
detailed hacking directions clearly provide criminals with a
recipe for hacking into internet databases.
So, is advising a
criminal illegal?
It's clearly
irresponsible to publish these guides knowing that criminals
will use the techniques, and it shows a clear disregard for the
safety of confidential data. But is it illegal?
The US has
felony laws prohibiting aiding and abetting criminal
activities, but it is not clear whether these laws extend to
aiding cyber criminals, computer fraud, and computer forgery.
According to the FindLaw entry on criminal aiding and abetting a
criminal (emphasis added):
"A criminal charge
of aiding and abetting or accessory can usually be brought
against anyone who helps in the commission of a crime,
though legal distinctions vary by state.
A person charged
with aiding and abetting or accessory is usually not
present when the crime itself is committed, but he or
she has knowledge of the crime before or after the fact,
and may assist in its commission through advice..."
The larger question is
whether giving advice that might be used by criminals
constitutes aiding and abetting? It appears that
fore-knowledge that the advice could be used to commit a crime
is required to sustain charges of criminal aiding and abetting.
Aiding and abetting a
criminal is a serious crime
An argument could be
made that someone who publishes step-by-step instructions for
hacking into a database could reasonably expect that their
instructions will be used by criminals, thereby making them an
accessory to the crime.
But what about the "white hat"
hacker sites that publishes useful information for criminals
under the guise of helping the good guys? Do they have any
culpability when the criminal testifies that they used the
instructions to commit their crime, and they could not have done
it without the step-by-step directions?
With today's internet technology
it's relatively easy to restrict access to hacking how-to guides
by simply verifying the "need to know" of readers and verifying
the job title of the security administrator who wishes to see
the information.
Obvious there is no simple answer
to this question. Free speech advocates strongly believe
that people should have the right to publish instruction on how
to commit mass murder by tainting consumer products, how to
build a hidden bomb, how to embezzle money and other detailed
how-to instructions that are of no value to anyone except
criminals.
On the other hand,
courts have upheld that publishers are completely responsible
for their works, and there is clear culpability when someone
publishes information that hurts others.
See my related notes on internet
publishing: