A couple weeks ago, ahead of her appearance at the Aspen Ideas Festival, Josephine Wolff, a professor at the Rochester Institute of Technology, wondered when it might be appropriate to punish careless computer users for their unwitting role in enabling hackers and their attacks on cybersecurity. “Very rarely do we grapple with the question of whether, perhaps, the only way to get individuals to take this seriously and actually change their behavior––to be more attentive to issues of security––is if there are concrete penalties and consequences associated with participating in bots, falling for phishing attacks, failing to install security updates, and other basics of computer hygiene,” Wolff wrote.
Many readers begged to differ. Vincent Williams has moral and practical objections to the proposal:
If you punish people for getting hacked, sure, over time you may force botnets to shrink on average or see positive results by whatever the selected metric is, but almost assuredly you will first see a contraction in the number of Internet users in the world. People use the Internet because it is convenient. People own Internet-connected devices because they are the most convenient method of harnessing the convenience of the Internet. When you fine people because they have been deemed negligent in their use of something they use because it is convenient, it loses its value. Once it has lost its value, people will abandon those devices and the Internet itself in many ways.
If the Internet is intended to connect people, how are we aiding in the fulfillment of that goal when we take actions that have a high likelihood of leading to people disconnecting? How is that good for businesses that generate large percentages of their revenue via the Internet?
Beyond the economic and philosophical reasons this is a terrible idea, there are ethical reasons this is untenable. To punish people for getting hacked is just plain unethical.