The myth of malicious adolescents out to wreak havoc on our technology spurs Internet regulations that are far more stringent than is reasonable.
The hackers who dominate news coverage and popular culture -- malicious, adolescent techno-wizards, willing and able to do great harm to innocent civilians and society at large -- don't exist.
The perceived threat landscape is a warped one, which directs attention and resources to battling phantoms, rather than toward preventing much more common data-security problems. According to the Privacy Rights Clearinghouse, the loss or improper disposal of paper records, portable devices like laptops or memory sticks, and desktop computers has accounted for more than 1,400 data-breach incidents since 2005 -- almost half of all the incidents reported. More than 180,000,000 individual records were compromised in these breaches, which included individuals' names, Social Security numbers, addresses, credit-card information and more. This is compared to the 631 incidents from the same period that the Clearinghouse assigns generically to "hacking or malware." Your private data is more likely to be put at risk by a factotum leaving a laptop on a train than by a wired teen with too much time on his hands.
Insider threats, otherwise known as frustrated grown-ups with real jobs, also constitute a significant challenge for information security. The Wall Street Journal recently reported on a survey which showed that 71 percent of IT managers and executives believe insider threats present the greatest risk to their companies.
And the recent high-profile security breach at LinkedIn shows that one of the greatest risks to our personal security is ourselves: more than two-thirds of the leaked LinkedIn passwords were eight characters or fewer in length, and only one percent used the mix of upper- and lower-case characters, numbers, and symbols that makes passwords difficult to crack.
But these more serious threats don't seem to loom as large as hackers in the minds of those who make the laws and regulations that shape the Internet. It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations that affect our abilities to communicate freely and privately online and to use and control our own technology, and that put users at risk of overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions. The Departments of Defense and Homeland Security manipulate fears of techno-disasters to garner funding and support for laws and initiatives, such as the recently proposed Cyber Intelligence Sharing and Protection Act, that could have horrific implications for user rights. In order to protect our rights to free speech and privacy on the internet, we need to seriously reconsider those laws and the shadowy figure used to rationalize them.
* * *
The hacker character in mainstream culture has evolved as our relationship with the technology has changed. When Matthew Broderick starred in War Games in 1983, the hacker character was childish, driven by curiosity and benign self-interest, and sowed his mayhem largely by accident. Subsequent incarnations, like those in Hackers, Sneakers, GoldenEye, and Live Free or Die Hard became more dangerous and more intentional in their actions, gleefully breaking into protected networks and machines and causing casual destruction incomprehensible to techno have-nots. The hacker in American film, almost always white, middle class, and male, is immature, socially alienated, vindictive, and motivated by selfish goals or personality problems. The plots of such films are built on apocalyptic techno-paranoia, reflecting a belief that hackers have supreme control over the technologies that make the world run.
News coverage parallels the pop culture frame. Basement-dwelling hackers remain a primary villain on the evening news and the front page, even at the cost of an accurate and rational portrayal of current events. "Hacking" is used as a catch-all term to describe almost any computer-related crime or "bad" action, no matter the skills or techniques involved. Coverage often confuses what could happen with what is actually happening, reporting on theoretical exploits of the type often presented at security conferences as if they were a clear and present danger. Recent media and government fixation on the prankster-protesters of Anonymous has stoked the fires of techno-paranoia and, as Yochai Benkler pointed out in a recent article in Foreign Affairs,
The hacker lurks in the network, a decentralized threat, able to cause harm far from his actual location. His relationship with technology is pathological; he is compulsive in his hacking activities, and therefore cannot be reformed. Because he is socially alienated, he lacks the normal social checks on his behavior, and is instead stuck in a feedback loop with other hackers, each trying to outdo the other in juvenile mayhem on the public internet. Add to all this the hacker's superhuman ability to manipulate anything running code, and you have a terrifying modern boogeyman that society must be protected from at all costs.
* * *
In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression. In an effort to stay ahead of the wily hacker, laws like the Computer Fraud and Abuse Act (CFAA) focus on electronic conduct or actions, rather than the intent of or actual harm caused by those actions. This leads to a wide range of seemingly innocuous digital activities potentially being treated as criminal acts. Distrust for the hacker politics of Internet freedom, privacy, and access abets the development of ever-stricter copyright regimes, or laws like the proposed Cyber Intelligence Sharing and Protection Act, which if passed would have disastrous implications for personal privacy online. The hacker folk devil as depicted in popular culture and news coverage is the target of and the justification for these laws and regulations. But rather than catching that phantom, these laws invite guilt by association, confusing skill with computers with intent to harm. They snag individuals involved with non-criminal activities online, as happened in the case of Bret McDanel, who served 16 months in prison for sending a few emails, and leave the rest of us with legally crippled technology and a confused picture of our rights online.
Crafting governmental and corporate policy in reaction to a stereotyped social ghoul lurking in the tubes is ineffective at best, and actively malignant at worst. There are real threats in the online space, from the banal reality of leaving a laptop on the bus and sloppy personal security habits to the growing reality of inter-state cyberwar. However, focusing on the boys-in-the-basement hacker threat model drains attention and resources from discovering what and where the actual threats are. Taking down file lockers, criminalizing jailbreaking, modding, and terms-of-service violations, and casting legal aspersions on anonymous and pseudonymous speech online is distracting fear-mongering and wastes governmental and corporate resources. Recent court decisions, like the opinion handed down by the Ninth Circuit in US v. Nosal, work to narrow the scope of the CFAA, which gives hope to the idea that it is possible to regulate the Internet in a more reality-driven way.
In order to achieve that regulation, though, we must discard the hacker stereotype as a central social villain and legal driver. The past few years have seen the internet emerge as a central haven for political speech, domestically and internationally. The internet has been used to exchange ideas, organize protests, and overthrow dictators. We hold the right to free political speech dearly in this country, and, for better or for worse, the laws we pass regarding the regulation of the internet have a disproportionally large impact on the way this international resource operates. The question that we must ask ourselves is, do we want the next Arab Spring regulated out of existence by our fear of hackers who don't even exist?