The problem is that simply toughening the laws on hackers by extending their scope and reach or extending the prison sentences of hackers is not going to help catch the real hackers — the criminalized, anonymous hackers who operate in places such as China. Instead, they’re more likely to ensnare the likes of hacktivist heroes such as Aaron Swartz.
Getting tough on hackers by extending the definition of what a hacker is would theoretically mean that people who even so much as retweet or click on a link with unauthorized information could be committing a felony. Moreover, the white hat hackers (the “good guys”) could be ensnared as well, since their work, at its core, is indistinguishable from that of the black hat hackers (the “bad guys”).
And that could have a chilling effect on innovation.
That’s because laws and regulations can’t keep up with the pace of technological change and end up either prosecuting the wrong people or prosecuting the right people, but on charges that far exceed the scope of the crime. Consider that the current anti-hacking federal statute, the Computer Fraud and Abuse Act (CFAA), was enacted back in 1986, well before most politicians had ever heard of the Internet.
As a result, you get odd rulings where it’s obvious the law hasn’t kept up with the technology: “In a case that began in 1993, the U.S. State Department ruled that Daniel Bernstein, then a graduate student at the University of California at Berkeley, would have to register as an international weapons dealer if he wanted to post an encryption program online.”
If tough hacking laws had been around 20 years ago, it might have stopped Google from launching its method of indexing web pages or Apple from launching many of its innovative consumer gadgets. As Rob Graham, chief executive of Errata Security, points out, “Had hacking laws been around in the 1980s, the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices.”
And there’s another reason why tougher laws on hacking would have a chilling effect on innovation, and that’s because it would not require corporations to do more on their end to correct fatal security flaws before they are found by hackers. As we already know from experience, the last thing corporations want to do is to add an extra cost layer to their products by taking action to correct security flaws – even when they know the potential implications of a major security breach. If they know that the law will make it easier to recoup damages from hackers, they could have fewer incentives to find all possible security flaws.
In the case of Ashley Madison, the current hacking case du jour, the company didn’t even bother to encrypt the underlying data, which means that once a hacker got into the company, it was a simple task of scooping up names, addresses and credit card information. You could argue that the hackers who broke into Ashley Madison are criminals, but you could just as easily argue that the company itself was criminally negligent in allowing the security breach to happen in the first place.
If anything, the race to punish similar types of hackers would encourage corporations to deepen their intelligence and security sharing with each other and the government, and that means, you guessed it, even more security surveillance on the Internet. And the more that the tech sector becomes infected with a security surveillance mind-set, the worse it is for innovation.
To see how all this might play out, consider President Obama’s proposed crackdown on hacking, first announced during the 2015 State of the Union after the high-profile hacking case of Sony Pictures. The proposals, as the Electronic Frontier Foundation pointed out in January, is a “mishmash of old, outdated policy solutions.” The concern is that overzealous application of new laws could be used to prosecute hackers for anything as minor as violating the terms of service of a Web site.
In many ways, the U.S. crackdown on hackers is our new war on drugs. Just as the United States sought to win the “war on drugs” by adding aggressive charges and excessive punishment to round up all the drug dealers, it’s now trying to win the “war on hackers” by stiffening up the federal anti-hacking statutes to round up all the hackers. By toughening the laws on hacking, you might catch the Internet equivalent of all the low-level drug dealers and mules, but it won’t get to the core of the problem – the high-level, anonymous kingpins who live beyond our borders.
And just as massively criminalizing the war on drugs led to a spike in prison terms and a negative economic drag on society, we could see the same thing with tech culture. Any coder, hacker or technology activist would be at risk of running afoul of the government and its stepped-up campaign against hackers, much as Aaron Swartz ran afoul of the government.
Maybe tougher hacker laws will scare off the youngest generation from a life of crime to know that they could earn jail time and felony charges for clicking on a single unauthorized link or sharing a single password. It could scare them off a life of computers, and that would be the greatest shame, because it would shut down the innovation pipeline of the nation. As we’ve seen before with other cyber legislation, whenever the government thinks it’s doing what’s best for business, it’s not necessarily doing what’s best for innovation.