The Conversation: "Hacktivism"
Editor’s Note: Due to unforeseen circumstances involving scheduling, this volume “The Conversation” is several days late. Dartbeat regrets the delay.
Today’s conversation focuses on the issue of “hacktivism.” I spoke with engineering professor George Cybenko, computer science professor Sergey Bratus and language theorist and software engineer Meredith Patterson. Cybenko’s work over the past decade has focused on the mathematical aspects of security and privacy and Bratus is a self-described “white hat hacker” who is interested in hacking as a form of engineering and conducts research with Patterson.
I posed the question of whether activists who use computer hacking to further their goals, such as Reddit developer Aaron Swartz, are committing civil disobedience or cyber crime.
Meredith Patterson:
George Cybenko: Whether it’s Anonymous or Telecomix, one big difference between, say, Rosa Parks and civil disobedience of that type is photogenics. When people are protesting in Tahrir Square, it’s a news story and there’s something to see and you can show peoples’ faces. The cyber equivalent of that is not a good news story.
MP: I know people who have certainly compared DDoSes [distributed denials of service] to sit-ins, for example. Back in 2010 and 2011, when PayPal stopped processing payments for WikiLeaks, a lot of people started running this program to send so much traffic to a server that it just goes, ‘I give up,’ and falls over. And that prevents other people from accessing the site. And people have compared this to more traditional forms of peaceful protest like a sit-in. I'm not sold on that.
Sergey Bratus: So it’s an approximate way of basically aligning skill with ethics. So a “white hat” hacker typically would not use their skills for personal gain —
MP: — or for rampant destruction —
SB: — or for harming people or for breaking laws. “Black hat” hackers are those who would, and they typically don’t share their skills. A white hat hacker is generally interested in making computers more trustworthy, making technology more trustworthy, in disseminating information. Your white hat hacker follows a philosophy that computers are here, we depend on them, we want to be able to trust them. And if there are weaknesses, they need to be talked about. The skill set needs to be taught and spread. Your black hat hacker typically doesn’t talk about what they do, they do it for personal gain.
Dartbeat: Financial gain?
MP: Sometimes. Sometimes social gain. There’s a certain amount of street cred to be gained by being known as the person who took Bank of America down.
Dartbeat: But then there’s a gray area in the middle, is that right?
SB: Yes. Gray hats are — I think of them as people who are mostly white hat in what they do, but sometimes they transgress.
Dartbeat: So would Swartz fall under that category?
MP: Swartz is an interesting case because it was very clearly a deliberate act of civil disobedience on his part.
SB: I would say that Swartz was definitely a white hat in that he did not set out to harm anyone. He set out to do what he believed was right, freeing information.
GC: There are people who sort of don’t think publication or music or movies should be copyrighted and held as closely as they are now. So, I don’t think a lot of people necessarily understand the legal implications of doing things. We do have this Digital Millennium Copyright Act. It’s pretty strict — it criminalizes, it’s not civil.
MP: But Swartz was charged under the CFAA — the Computer Fraud and Abuse Act — and the “abuse” was abusing [the Massachusetts Institute of Technology] and was using MIT’s network to download as much of [the digital library] JSTOR as he possibly could.
Dartbeat: Why wasn’t the offense against JSTOR?
MP: As it turned out, JSTOR was one of the original parties, but they very quickly said, ‘We want no part of this.’
SB: First of all, it was a reputational thing. Second of all, they were not actually harmed. If they went to court and had to show harm, it would be hard for them to do so.
GC: Because he didn’t actually publish them.
Dartbeat: But if he did, would that constitute harm?
SB: The prosecution would say that.
GC: People who have the same philosophy. People like us will write articles for free. And the publishers get this free information, and if it’s a book we might get royalties, but then they charge people for it. There’s a handling fee, editorial costs and stuff, so some people are actually working on open publication. Getting rid of the middle man and having a review process, trying to maintain standards, having an archival value, an archival mechanism so that someone 100 years from now could still read these publications. That’s why the library’s got journalism going back 100 years. The digital stuff, we don’t know how long that’s going to last.
MP: But the [non-profit digital library organization] Internet Archive is working pretty hard on that.
GC: Yeah. So the problem is the current publication model, and so on. What’s the solution? Some people think the solution is to build an alternative that bypasses the middleman. I think Swartz’s attitude — and I don’t know the guy, I don’t know him at all — but I think definitely he thought it was an act of civil disobedience. But if he actually did it, it would have been a serious criminal case. The government actually prosecutes that stuff. The other aspect is when media reports on this thing, it’s all sort of virtual, it’s all digital, all abstract. You can’t show a picture of what he was doing, and I think that’s why it doesn’t have as much impact right now as other forms of disobedience. If the lights went out in Manhattan for a week, or all the traffic lights went off, because somebody hacked into that system, then that’s something you could take a picture of.
MP: But all sorts of people now are doing this kind of citizen journalism.
SB: You see this capability to do what ISPs and big media organizations do with much fewer resources. This has become possible because people accumulated enough technological capability, enough understanding of how things work under the hood.
GC: But a lot of these things are illegal in the United States. Other countries have been — maybe not encouraging, but certainly not discouraging — certain types of skills in their population, and at some point that’s going to be useful and we’re not going to be as prepared.
Dartbeat: What types of policies would have to change in order to encourage people to develop those skills?
MP: We’re going to have to overhaul the CFAA for one thing. That’s the law that defines computer crime in the United States, and the last time it was revised was before the Internet was a common thing. 1997 is when I remember e-commerce becoming a big thing. And that was really the first explosion of the internet, when people would start buying things from Amazon and not have to worry about their credit card number getting stolen. And 1996 was the last time the CFAA was revised.
SB: I would like to stress the point that you brought up, George. It’s extremely important to me to allow the proliferation of useful technological skills, of skills we could fall back on in an emergency when things go really badly for a natural reason or a technological reason, and it’s important to me that the transmission of these skills, and the exercise of these skills, and the learning of these skills, remains as legal as ham radios, as aviation, and similar.