Hacking: Ethical Issues of the Internet Revolution
By Mikkkeee
http://blacksun.box.sk

This paper was originally written for my cyberspace ethics class, but instead of keeping it stored on my HD I thought it would be more useful being published online for everyone to read. The ethical issues behind hacking are nothing new to the security world, so I hope this paper enlightens many of you not familiar with the topic.  Greetz goes out to the Blacksun team and BOX Network, enjoy!

           Society currently understands hacking to be a form of unlawful behavior and a medium for creative innovation.  Hacking has become an activity that holds two positions and is therefore both solemnized for its insightful inventiveness and defamed for its devious acts.  The ethics behind hacking and the actions taken by hackers constitute a philosophical manifesto that transcends our understanding of this art.  Hackers argue that their actions promote a means for tighter security by way of detecting flaws and patches for systems and software. However, these very actions are viewed as violations of the rights to privacy and security for both individuals and organizations.  Consequently, this establishes a cautionary attitude toward ethical issues such as, privacy, security and the future of the World Wide Web.

            In order to comprehend the ethical and the moral principles underlying the meaning of hacking, one has to understand has to the root of hacking.  In Hackers: Heroes of the Computer Revolution, Steven Levy traces the roots of hacking to MIT in the late 1950s, where students devoted much time and effort to building and programming MIT’s early mainframes. These formidable programmers, who later became known as “Hackers,” produced and debugged computer code at an astonishing rate. They developed hardware and software for existing computer functions and invented novel applications and algorithms that were later incorporated into subsequent generations of computers (Nissenbaum, 1).  The code written by hackers came to symbolize their freedom and their love for programming, which was distributed freely across Bulletin Board Systems (BBS) and across the unconquered terrain of the Internet. Eventually, this freedom of code gave rise to the concept that software should be free (Granger, 7).

            The fundamental doctrine or ethic that hackers use in order to justify their behavior is the idea that hacking offers a mode of investigation, which allows an individual to gain knowledge necessary to infiltrate systems that contain vulnerabilities. Acquiring this knowledge allows one to develop strategies that facilitate exploration of their functions and the inner components of the systems.  The “hacker ethic” states in part that all information belongs to everyone and there should be no boundaries or restraints to prevent disclosure of this information (Baird, 471). This philosophy that is upheld by the hacker community introduces ethical questions regarding the freedom of information and the loss of privacy.  

            From a hacker’s perspective, freedom of information includes the right to source codes and the programs themselves. This freedom also includes the right to access information stored on a computer network. At times, hackers argue that the freedom of information doctrine gives them the right to have unrestricted access to computer accounts, passwords and email. At this point, the ethical position of hacking has become “system cracking” (Granger 7).

            However, the problem with unfettered access to data is that once information becomes free to the public and individuals, it cannot be claimed as property.   Consequently, anyone can access and alter the information as they please. Items such as medical records, credit histories and employment records will cease to be private. If the private information is controlled, it is obviously not free, but once control over this information is lost, we can no longer trust the accuracy of this information. 

            In an ideal society, freedom of information with a lack of privacy may be of little concern, but in the real world however, this privacy loss will ultimately damage the infrastructure of society.  As argued by Charles Fried, “we have to have personal privacy to have relationships of intimacy and trust. In a society where people are always being observed, trust and intimacy could not develop. If we want such private relationships, we must create domains of privacy” (Johnson, 120).  Treating information that we consider “private” as “free,” would be highly unethical, especially if careless individuals with little ethical consideration can control and manipulate this information for their own benefit.

            Economic arguments are also debated because the accuracy of information needs to be both private and controlled.  Information may be considered private if there is never any intention of it being released to the public. This may be the case if the information is collected and developed at great costs. The development of a new algorithm or a specialized database that took years to program is considered private because it involved a vast expenditure of time, money, and effort. To assume this information is free is violating the ethical principles and notions of conduct accepted by our society. Even though not all information currently treated as property needs such protection, unauthorized release of such classified information by no means should be justified.  If this information is released freely without the consent of the software company, then this freedom would be unethical and unjustified by our ethical standards (Ermann, 81).

            Another argument supported by the hacker ethic is that break-ins elucidate security problems to those who can do something about them.  Hacker intrusions into systems surpass the traditional understanding of violating the laws of trespassing. Hacking involves the exploitation, or as discussed by members of the computer hacker underground, the manipulation of a bug, or a backdoor that is inherently present within the system.  Emmanuel Goldstein, editor of 2600, a magazine recognized as the “Hacker’s quarterly,” states, “Hackers have become scapegoats: We discover the gaping holes in the system and then get blamed for the flaws” (Harper’s Forum 130).  This statement suggests that cracking down on hacking activity is simply a way of putting blame on the messenger. In this view, hacking is not a threat against the integrity of the system being exploited, but instead is a means of implementing corrections and enforcing tighter security. 

            Hacking not only informs the administrator of system flaws, but also encourages users to install security fixes to safeguard their systems.  Should it be acceptable that computer burglars engage in these activities on the grounds that they might expose further security flaws? This argument loses sight of the purpose of the computer in the first place, that is, to serve as a resource tool, not as an exercise in security flaws. 

The argument of “blowing the whistle,” as argued by Spafford, suggests that people wishing to report a problem with the security of a system need not exploit it to report it. This situation is analogous to someone setting fire to a neighborhood shopping center to bring attention to a fire hazard in one of the stores, and then try to justify the act by claiming that firemen would otherwise never listen to hazard reports (Spafford 5). This would never be an acceptable argument in the arsonist’s defense.  In the same way, hacking into a system to expose a flaw should not be an exception.

            Hackers believe that when they compromise a system they are in effect introducing fixes that force the system administrator to take the necessary precautions in patching up the hole, thereby tightening the security of the system.  From this position, the hacker is actually doing a service to the system administrator who is unfamiliar with the bugs that can lead to a system compromise.  If there is any criminal intent on the part of the hacker, then they should be held legally accountable for violating the security of the system and their actions should be punishable by law.          

Security requires much more than designing a secure technical infrastructure that resembles an impenetrable fortress. The key to a secure network is the development of real time enforceable policies that take advantage of security bulletins and published security holes.  It is ethically wrong to wait until systems under protection are compromised in order to begin patching up the holes. Securing a network doesn’t begin with high cost software and security firewalls aimed at halting the intruders, but begins with utilizing available knowledge that calls for improvements made by ethical hacking.

            Hackers also argue that they have the right to penetrate systems because these systems tend to be idle and they are only making use of idle resources. Idle systems can be found in schools, hospitals and companies where computers have been left on overnight.  The hackers argument suggests that these resources can be utilized during the night in order to learn more about the internal mechanisms of the system.  This is a faulty argument because usually these systems are not in service to provide a general - purpose user environment.  These systems are often used in medicine, commerce, and public safety and might suddenly be accessed by their owners even during night hours.  On the contrary, a hacker whose system is idle during the night will never allow other hackers or Internet surfers to use his system simply because it is idle. This argument is similar to someone coming to a house whose owners are at work and throwing a party in it, simply because it is otherwise not being used.  Society would never condone such activities. Thus, breaking into systems simply because they are idle is clearly unethical.

            In addition, hackers also claim they ethically have the right to gain unauthorized access to computer systems as long as they cause no harm and only delete logs to cover their tracks. This intrusion by ethical standards is justified from the hacker’s position, because the hacker can learn more about the way the system functions with no harm resulting from the intrusion.  Careful scrutiny of this argument suggests that individuals might not be harmed physically by this intrusion, but individuals can nonetheless be harmed psychologically.  Individuals have proprietary rights and rights to privacy.  Once these rights are violated, the intrusion has in effect caused harm to them by violating their rights. The “harmless” intrusion by hackers into a computer system in reality can potentially cause physical harm.   If a hospital network holding information regarding organ donations is compromised, the possibility of a delay in the system due to hacker activity can mean the difference between life and death for patients. 

            Furthermore, hackers learning about a system are often times unaware if their activities eventually lead to system problems. Many compromised systems have been damaged by careless hackers running untested exploits and worms that can potentially cause unexpected interactions between programs running on the system. Such damage might be done to significant systems housing medical records or factory controls, thereby causing long term damage, economic loss and possibly, death.  These intrusions cannot be assumed to stem out of curiosity, because they eventually lead to system problems. 

Because of these intrusions, a cautious system administrator noticing such activities will be forced to eventually format the compromised system to efface any backdoors or bugs left behind by the hacker, a process culminating in loss of time and money.  The argument fails to justify system intrusion by educational motivation as “harmless,” because there is always the possibility of harm occurring.

            In European nations, it is argued that hackers break into systems to keep “Big Brother at Bay,” a reference made to government that tends to watch over every move of every citizen (Johnson, 101).  This activity is usually vindicated on hacker terms as watching for occasions of data abuse and notifying the public of such occurrences. This argument presumes hackers are protectors rather than criminals who will utilize their knowledge to protect the unsophisticated public from abuse by the higher authority.

            Hackers, like the public, have a general idea that there is misuse of personal data by corporations and the government. Much of our personal information is stored in databases that we have no knowledge or control over, which could be used to sell our private information and to create potential means of abuse. However, hacker intrusion into the systems controlled by “Big Brother” will lead the government and corporations to become more secretive and will use the intrusion as a means to justify more restricted access. Such hacker activity into government databases has not led to the release of information, but have led the government to institute criminal laws that will halt such activities (Spafford 9).

            Another potential problem stemming from the intrusions into systems controlled by government is the concept of relying on hackers as trusted vigilantes.  This argument suggests that the public needs to be more aware of possible abuse by the government and large corporations.  It is questionable whether it is acceptable to employ hackers as agents for this task. Society can instead create a national data protection commission that would monitor information, propose legislation, and maintain a vigilant eye on possible abuse.

            The ethical stand supporting hacker activities are proven by this discussion to be mainly unethical.  Even though hacking undoubtedly has led to productive improvement in computers and software security, it has in effect created many disruptive problems online and offline.  Hacking is an activity that introduces a method of analysis that targets and works on various components. Hacking has the potential to cause harm and to violate legitimate privacy and property rights. By ethical standards hacking does introduce crucial security fixes, but does so at the expense of violating privacy and the security of individuals.  Furthermore, hacking activities lead to disruptive and dangerous problems for society, which tend to be difficult to eradicate.  As The Mentor warns in the conclusion to his manifesto, “I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all” (Mentor, 1). Even if the authorities catch a hacker, as long as there is a motivation, hacking will persist. 

References: