SETUP.EXE Civil disobedience has long been an integral part of the democratic process in the United States. Those dissenters in Boston who disrupted trade in 1773 as a protest against unfair laws and business practices could not have imagined the modern­day equivalent: computer "hacktivists" (hacker + activist) leveraging exploits against digital networks to accomplish more or less the same thing. This case study explores the ways in which the general public, news media, lawmakers, and law enforcement have reacted to the more contentious hacktivist incidents that have transpired in the United States since 2009. The impact of these attacks has ranged from minor to catastrophic, and the most clever perpetrators have been able to evade apprehension. In response, the United States judicial system has strategically given severe punishments to the few hacktivists it can manage to catch. As other forms of disruptive activism are being punished with slaps on the wrist, these hacktivists and their allies are pleading their case to the public that these incommensurate punishments are cause for concern.
Command Prompt Through a discussion about the facts and the positions of the actors involved with regard to hacktivism, it will become clear that the lack of a plain and fair legal doctrine is indeed to blame for the pervasive confusion among plaintiffs and defendants alike. The goal of this study is to show just that: to highlight the ambiguity of the law through examples, to discuss the stiff legal repercussions these hacktivists have faced, and to consider the dialogue between the news media and the general public about the appropriateness of criminal sentencing and the nature and motives of hacking incidents. For those wishing to reform the law, there are several points worth considering. If, for the sake of free speech, an exception clause is enacted where disrupting online services becomes permissible, it must also take into account the potential for abuse. Business owners may fund clandestine hacktivist "protests" to hurt their competition, or hate groups may use this clause to advance oppression. If the punishments for breaking the law are lowered so as to allow for more moderate sentences in activist cases, then the more malicious hackers would simply plead "activist" to avoid long prison terms. This burgeoning phenomenon of hacktivism remains considerably unfamiliar to many people, and lacks definition. These incidents involve actors (hacktivists) working to disrupt the digital operations of a company or government body as a way of pushing a political agenda or drawing attention to perceived malfeasance. There is a debate over which methods are ethically permissible in pursuit of such a cause, and this discourse has shaped the semantic definition.
Technical Information A hacker group known as The Cult of the Dead Cow coined the term "hacktivism" in 1996 (Casserly, 2012), although it has only recently entered common parlance. A portmanteau of the words "hack" and "activism," dictionary.com defines it as "the practice of gaining unauthorized access to a computer system and carrying out various disruptive actions as a means of achieving political or social goals" (hacktivism, 2014). The term "hacking" has come to connote unauthorized digital activity, though it originally did not signify criminality. "Activism" on the other hand, is a term that acquired a positive connotation­­as a kind of civic duty when done within the confines of the law, the public generally smiles upon it. Hacktivism, consequently, is the grey area where these endeavors overlap. Whenever actors are willing to break the law in pursuit of what they claim to be a noble cause, their actions demand higher scrutiny, and this is precisely such a case. According to Julian Assange, the Editor­in­Chief of the influential and notorious Wikileaks website, the first hacktivist act occurred in October of 1989. At that time, protesters concerned with the hazards of nuclear power may have been responsible for developing the computer worm known as WANK (Worms Against Nuclear Killers) that infected machines at NASA and the US Department of Energy (Assange, 2006). The WANK worm was traced back to New Zealand but never to any individual or group. It was not particularly destructive; a computer infected with the worm would occasionally interrupt the user with a diverting political message before spreading itself. In the Internet age, those computer networks that were once recondite have become ubiquitous. The viral media phenomenon provides a natural fuel for hacktivism, even as the nuanced methods and justifications of these endeavors become lost in the buzz. There can be said to be two "schools" of hacktivist methods: orthodox and direct. Orthodox hacktivism is concerned with technologically novel approaches to provoke political or cultural change through the wider distribution of information, e.g. WikiLeaks. Direct protest hacktivists espouse more intrusive methods epitomized by the Distributed Denial of Service. This kind of massive “virtual sit­in” is a high­profile attack against an ideological foe's network service that renders it unusable to everyone (Rouse, 2013). The challenges are ethically significant: not only are such acts illegal, but the means to accomplish them obviously contradict the very free speech ideals these groups claim to tout. Furthermore, the wide distribution of secret information may not be the most noble cause if publishing it exposes officials to violent retaliation, endangering their lives. If a large corporation is found to be knowingly mistreating their customer base, is it an ethical act to incite thousands to disrupt an otherwise legitimate service in protest? Though there are many well­known names affiliated with hacktivism, one of the most significant groups is expressly the least well­known. On numerous occasions, the amorphous hacktivist collective known as Anonymous has come together in ad hoc arrangements to launch DDoS attacks on various websites and internet services. These self­styled "operations" include such targets as governments, religious organizations, and corporations. Hacktivists engaging in these acts claim to be doing it for justified reasons, and contend that the outdated laws fail to account for their noble motives and advanced methods. As it stands now, a person publishing the names of undercover agents (which often leads to their murder) has a good case for being protected by the law, while the act of flooding a website with extra traffic (inconveniencing them for a few days) is an offense punishable by decades in a federal prison. It seems likely that the lack of resolution on these ethical and legal matters will only provide more fuel for continued hacktivist attacks.
Usernames The actors involved in this challenging phenomenon can be broadly organized into four primary groups: the hacktivists, the media, the general public, and law enforcement agencies. In order to present an exhaustive discussion of this case, it is necessary to consider the different motives and objectives that these actor groups have, and to highlight the nuanced controversies within their relevant contingents. One goal that hacktivists tend to have in common is to expand access to information; an idea popularly summarized by the saying "Information wants to be free" (Brand, 1987, p. 202). In some cases, like the recent and ongoing attacks against Kenyan government websites, this act of surreptitiously finding and publicising private information serves to expose corruption (Misiko, 2014). Discouragingly, hackers are often motivated by ego (Pipkin, 1997, p.26), and desiring to demonstrate their skill with impunity, they use the cover of hacktivism as a post­hoc justification for their activities (Olson, 2012). Some hacktivists insist that the activity must include strong prohibitions against destructive hacking, arguing that their skills should only be used to amplify voices, not to silence them (Ludlow, 2013). Unscrupulous hacktivists, on the other hand, are perfectly willing to destroy online content, so long as such content is at odds with their broader goals. It's worth noting that the desperate destructive contingent–those willing to deface, delete, or deny access to online information–is typically responsible for drawing the most media attention. The goal of the news media, in this case, is to inform the public about hacktivism and, to a lesser extent, interpret these events (Olson). There is a risk that the owners of these outlets, with their diverse market interests, may be able to leverage their reporting in order to discourage hacktivist criticism and attacks­­a sobering possibility. News outlets such as Time Magazine , CNET , Wired , The Guardian , and Gawker are among those that have reported extensively on the phenomenon. These digital magazines may also find themselves the victims of hacker attacks, as in the 2010 hack of Gawker (Gustin, 2010), when a group of hacktivists became upset at the news site's unfavorable coverage of their exploits. Targeting the media is a risky gambit, since without the attention of the media, hacktivists would have no way to get their message the general public (C­SPAN, 2012, 7:06). To achieve their political or social goals, hacktivists must persuade the masses. The general public's opinion is split at present, but they will ultimately decide the extent to which hacktivists' activities are justified or whether they should remain illegal. The public serves as both the scorekeepers and the score. Individual actors within the public sphere may be enticed to either participate in or to resist hacktivist activities. This actor group is the one most capable of putting pressure on lawmakers and law­enforcers. The general goal of law­enforcers is to uphold the law, protecting citizens and businesses while defending their private property rights. Pertinent entities included in this actor group are the FBI in the US, the SOCA in the UK (now NCA), INTERPOL, as well as several private security companies, including those that have been targeted by hacktivists such as HBGary and Stratfor (Olson). Directing these officials are the lawyers, judges, and lawmakers who create, interpret, and amend the laws that deal with computer related activities. Hacktivism is disruptive by nature–a quality intensified because its technological exploits let it catch conventional institutions flat­footed. These four actor groups (the hacktivists, media, general public, and law­enforcers) are grappling with one another to bring about their goals. In addition to the Internet, the battleground for this struggle is in the courts.
A Program Has Committed an Illegal Action Hacktivism is a global phenomenon, but the scope of this case study is limited to policies pertaining to the United States. Furthermore, even though the individual cyberlaw policies of privately held companies are significant, all of these must conform to federal laws, and will only be referenced as they become applicable. The relevant federal laws, consequently, deserve investigation. Three of those worth mentioning are the Computer Fraud and Abuse Act of 1986 (CFAA), the Electronic Communications Privacy Act of 1986 (ECPA), and the law prohibiting wire fraud. Title 18 § 1343 of the U.S. Code defines wire fraud as any scheme to fraudulently obtain money or property by electronic means, setting a maximum penalty of 20 years for the crime. Through it serves as the foundation for the anti­hacking laws that would come after it, the prohibition against wire fraud is mostly a historical footnote. Hackers have indeed been indicted under this law, but its reach is narrowly defined: the prosecution has the burden of demonstrating how the offender intended to benefit financially or materially. The definition of hacktivism stated previously does not involve any such benefit of money or property. This policy is only indirectly relevant today. In order to address this deficiency, several sections of Title 18 were amended in 1986 with the Electronic Communications Privacy Act of 1986. Title I of the ECPA, known as the “Wiretap Act,” adds guidelines to the law for protecting electronic communication and stored information from government wiretapping without its first obtaining a warrant. Law enforcement officials need to comply with this law in prosecuting lawbreaking hacktivists. What makes it particularly relevant to this case is that, according to Frontline, "under the law, unauthorized access to computer messages, whether in transit or in storage, is a federal crime" ( Who's Responsible?, 2001). Many Hacktivists do commit this crime in reading such messages, but this law deals with only a fraction of the relevant activities. In recent years, the law that has been most applicable to the hacktivism phenomenon is the Computer Fraud and Abuse Act of 1986. It outlaws the better part of the hacktivist playbook: unauthorized use of computer hardware or software, Distributed Denial of Service (DDoS) attacks (Sauter, 2014, p. 12), password cracking, insertion of unauthorized code, and much more. While it is more extensive than previous legislation, much of the law is currently up to individual interpretation, and other virtual acts are not covered by the CFAA at all. Source Code Hacking has been successfully prosecuted under the ECPA and the law prohibiting wire fraud (under Title 18 § 1343 of the U.S. Code), but the Computer Fraud and Abuse Act of 1986 (CFAA) is the most relevant and inclusive law under which hacktivists are charged. Enacted by congress in 1986 (and amended several times since then, as recently as 2008), the CFAA amended and helped to clarify the computer fraud law already in existence ( 18 U.S.C. § 1030 ) and increased the range of offenses that it covered, such as distribution of malicious code, denial of service (DDoS) attacks (Sauter, 2014, p.12), password cracking, insertion of unauthorized code, and many more. It also limits federal jurisdiction in cases involving computers belonging to the federal government or to certain financial institutions, as well as interstate computer crimes. The primary purpose of this law is to deter domestic hacking of government or other institutional computer systems. Specific sections under the CPAA and 18 U.S. Code § 1030 cover seven separate offenses. The first section is not of direct significance to this case, as it deals with computer espionage, and it is written much like the Espionage Act of 1917, adding provisions concerning foreign relations. The second is computer trespassing and stealing government, financial, or commerce information. The third section is concerned with criminals specifically trespassing in a computer owned by the government. The fourth deals with computer fraud. The fifth section prohibits damaging a protected computer using viruses, worms, and other technological weapons of destruction. Finally, the sixth and seventh sections cover trafficking in passwords to government or commerce computers and threatening to damage a protected computer. As of a 2008 amendment, threats to steal data from a computer or publicly disclose said stolen data, or to not repair the damage that a hacker already made on the computer are expressly prohibited. ( 18 U.S.C. § 1030 ) Two of the most widely reported cases prosecuted under the CFAA were those of self­described hacktivists Aaron Swartz (Bilton, 2011) and Jeremy Hammond (Stampler, 2013). Swartz was a renowned entrepreneur and activist whose unauthorized attempt to publicise a collection of academic research journals got him arrested. Faced with 35 years in prison and 13 felony charges, he tragically took his own life in 2013. Hammond had been associated with the hacktivist group Anonymous, and his hack against the security company Stratfor earned him a 10 year prison sentence under this law. Since these occurrences, particularly the suicide of Aaron Swartz, many legislators and members of the public have pushed for reforms to the CFAA stating that, “The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute.” They argue that interpretations of this law with its vague wording would “criminalize many everyday activities and allow for outlandishly severe penalties” (Reilly, 2013). This lack of specificity opens up a lot of opportunities for legal abuse, so these critiques are convincing. Historically, laws are passed reactively, but ideally legislators should enact laws that take current technology into account and that allow prosecutors to examine motive when considering sentencing. The US government has generally tried to avoid sending its citizens to prison for crimes where the offense is inconsequential and the consequences minimal. Hacking is often a nonviolent crime because the property damage is rarely permanent. The CFAA allows for sentences more severe than those for rapists and murderers. Similar property damage crimes are typically handled with much shorter jail sentences and repayment of monetary damages. There is an obvious need to evaluate actual case and give prosecutors guidance for more appropriate sentencing.

Debugging The vague wording used in the existing law, 18 U.S.C. § 1030, allowed prosecutors to charge Aaron Swartz with so many offenses that he felt the only thing he could do was end his life. The amount of charges were possible because the specifics of the CFAA are not explicitly defined creating many situations where people are breaking the law without any knowledge of actually doing wrong. Ignorance of the law is not an excuse, but even so, does accessing an insecure hot spot from the parking lot of a coffee shop warrant 35 years in prison? The CFAA places many in the cross hairs of the law as hacktivism continues to increase. When the specifics of something as serious as computer fraud are left to the interpretation of those who wrote the law the issues truly affect everyone involved. As the use of technology continues to grow at a rapid pace and the CFAA is sitting idle it seems likely that there will be more inappropriate charges and possibly sentences for otherwise minor incidents. This truly impacts both sides of the table as lawmakers are exploited for their inability to follow the tech trends and unnecessarily seek “hardened criminals.” Aaron’s Law is a cogent demonstration of how disconnected the CFAA is to current technology and its use. The idea behind Aaron’s Law is replacing the vague portion of the CFAA that reads, “exceeds authorized access,” with “circumvention of technological measures designed to prevent unauthorized access” (Murfin, 2014). This clarification would give much­needed guidance to lawyers and judges to assist them in the properly assessing the incident, bringing appropriate charges, and sentencing defendants. The extreme sentences that attempt to make an example out of hackers are more likely to contribute to the animosity people already feel towards the government. This is partly due to the fact that many consider violent crimes to be much worse than non­violent crimes, such as hacking. Therefore violent criminals are the ones that deserve harsh sentences and the full weight of the justice system. In comparison to blood being spilt on the streets, “messing up” someone’s computer hardly fits the hardened criminal criteria. The current status quo has lawmakers seen as overstepping their authority, and regular technology users confused about what use constitutes a crime leading them to unknowingly being classified as "criminals." An overhaul of the CFAA is overdue. While it is true that the damage done by hacking can be detrimental to the common good in addition to organizations targeted in the attack, we must realize that most often the crime does not match the punishment. When hacktivists cause damage, there needs be an appropriate legal punishment available from the justice system. All parties would benefit from a narrower definition of the CFAA, and a broader range of consequences such that the punishment can fit the crime. Breaking the law is certainly not condoned. However, any law written, especially those concerning technology, should appropriately address the incident. While many hacktivists do not intend to harm the general public, it does happen. Because hacktivism exists on so many different levels there needs to be a better way to approach the situation without making examples out of hackers when the crime is far less disruptive in nature. Using an outdated law and using fear as a future deterrent is pure laziness from the lawmakers when it is their job to create appropriate laws for all to abide by and understand.
Clean‐Up It is hard to deny the growing presence of the internet in the lives of citizens both in the United States and globally. As technology has continued to advance, more and more of the daily activities people participate in are occurring online. As businesses, personal identities, and recreation­ and therefore money and information­ flow to an online forum, it is inevitable that some look for a way to cheat the system. While the agenda of these individuals range from moral to selfish, one thing has become abundantly clear: legislation has not advanced at a pace equal to that of technology. Even though non­violent protests of certain types are considered free speech and legal in the real world, activities that many consider the equivalent in an online setting are illegal. Especially in a digital forum, freedom of speech and protection of property are equally as important, and many would consider these to be two of the most primary functions of the internet. Therefore, looking at the conclusions of current cases brought against both hacker and hacktivists alike, it is apparent that current legislature needs clarification and additional laws addressing internet activity need to be decisively made if the internet is going to be a free yet safe environment for everyone. References
Assange, J. (2006, November 25­27). The Curious Origins of Political Hacktivism.
CounterPunch . Retrieved from http://www.counterpunch.org/2006/11/25/the­curious
­origins­of­political­hacktivism/
Bilton, N. (2011, July 19). Internet Activist Charged in M.I.T. Data Theft. The New York Times.
Retrieved from http://bits.blogs.nytimes.com/2011/07/19/reddit­co­founder­charged­with
­data­theft/
Brand, S. (1987). The Media Lab: Inventing the future at MIT . New York, NY: Viking.
Casserly, M. (2012, December 3). What is Hacktivism? A short history of Anonymous, Lulzsec and the Arab Spring. PC Advisor. Retrieved from http://www.pcadvisor.co.uk/features
/internet/3414409/what­is­hacktivism­short­history­anonymous­lulzsec­arab­spring/
Coleman, G. (2014). Hacker, hoaxer, whistleblower, spy: The story of anonymous. Brooklyn,
NY: Verso.
Computer Fraud and Abuse Act of 1986, 18 USC § 1030
C­SPAN. (2012, April 14). Parmy Olson on Internet hacker group 'Anonymous'. [Video File].
Retrieved from: https://www.youtube.com/watch?v=qeSEQpkcYaA
Docherty, N., MacIntyre, L., Canadian Broadcasting Corporation., WGBH Educational
Foundation., & PBS Video. (2001). Frontline: Hackers. Alexandria, VA.
Electronic Communications Privacy Act of 1986, 18 USC § 2510, § 2701 et seq., § 3121 et seq. Firat, B., & Kuryel, A. (2011). Cultural activism: Practices, dilemmas, and possibilities .
Amsterdam: Rodopi B.V.
Gustin, S. (2010, December 13). Gawker media websites hacked, Staff and user passwords leaked. Wired . Retrieved from http://www.wired.com/2010/12/gawker­hacked/ hacktivism. (n.d.). Dictionary.com Unabridged . Retrieved October 08, 2014, from http://dictionary.reference.com/browse/hacktivism Ludlow, P. (2013, January 13). What is a ‘Hacktivist’? The New York Times . Retrieved from http://opinionator.blogs.nytimes.com/2013/01/13/what­is­a­hacktivist/ Mail and wire fraud, 18 USC § 1343.
Manhire, T. (2012, March 1). Kim Dotcom: I'm no piracy king. The Guardian . Retrieved from http://www.theguardian.com/technology/2012/mar/01/kim­dotcom­no­piracy­king Manning, C. (2014, June 14). The fog machine of war. The New York Times . Retrieved from http://www.nytimes.com/2014/06/15/opinion/sunday/chelsea­manning­the­us­militarys ­campaign­against­media­freedom.html
Misiko, H. (2014, July 30). How Anonymous and other hacktivists are waging war on Kenya.
The Washington Post . Retrieved October 20, 2014, from http://www.washingtonpost.com
/blogs/worldviews/wp/2014/07/30/how­anonymous­and­other­hacktivists­are­waging
­war­on­kenya/ Murfin, M. (2014). Aaron's law: Bringing sensibility to the computer fraud and abuse act.
Southern Illinois University Law Journal , 38(3), 469.
Olson, P. (2012). We are Anonymous: Inside the hacker world of Lulzsec, Anonymous, and the global cyber insurgency . New York: Little, Brown and Co.
Pipkin, D. L. (1997). Halting the hacker: A practical guide to computer security . Upper Saddle
River, NJ: Prentice Hall PTR.
Reilly, R. (January 15, 2013). Zoe Lofgren introduces 'Aaron's Law' to honor Swartz on Reddit.
Huffington Post . Retrieved from http://www.huffingtonpost.com/2013/01/15/zoe­lofgren
­aarons­law­swartz_n_2483770.html
Rouse, M. (2013, May). Distributed denial­of­service attack (DDoS). SearchSecurity . Retrieved from http://searchsecurity.techtarget.com/definition/distributed­denial­of­service­attack
Sauter, M. (2014). The coming swarm: DDoS actions, hacktivism, and civil disobedience on the
Internet . New York, NY: Bloomsbury.
Stampler, L. (2013, November 15). Hacktivist Jeremy Hammond sentenced to 10 years in jail.
Time . Retrieved from http://nation.time.com/2013/11/15/hacktivist­jeremy­hammond
­sentenced­to­10­years­in­jail/
Who's Responsible? Computer Crime Laws. (2001). Retrieved October 23, 2014, from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame/crimelaws.html