On June 16, the criminal trial of Jeronimo Yanez in the matter of Philando Castile concluded with the jury finding Yanez not guilty on all counts. Members of the Minnesota community reacted, staging protests at City Hall and stopping traffic on Interstate 94. “Vigilance,” a hacktivist, decided to take matters into his own hands. In what could have been a scene from the USA Network’s hacker drama “Mr. Robot,” Vigilance gained broad access to state of Minnesota government databases containing system logon information and publicly posted it in an act of civil disobedience. If identified, Vigilance could face a fine and imprisonment.
Hacktivism, or civil advocacy and disobedience via digital means, has become increasingly popular as a means to communicate dissatisfaction and highlight social or technical issues. Hacktivists compromised the controversial dating site Ashley Madison because they disagreed with the moral underpinnings of the site. Hackers compromised Sony Pictures to embarrass executives, leaking confidential e-mails that disparaged employees and Hollywood actors. Digital whistle-blowing continues to occur, beginning with Edward Snowden and extending to the recent arrest of Reality Winner, a government contractor charged with leaking information about Russian election meddling. Most commonly, security research hacktivists access systems to identify security issues and protect consumers.
The federal Computer Fraud and Abuse Act (CFAA), passed in 1986, introduced the concept of “unauthorized access” as a means for tightening restrictions on access to systems maintained by public and private institutions. “Unauthorized access,” or any means of accessing systems without explicit approval to do so, grants federal criminal action for any unauthorized access, be it for advocacy, research or nefarious purposes. Hacktivism poses an interesting dichotomy for Americans: Although we have cultivated institutional distrust, propelled by a perceived lack of transparency that fuels hacktivism, hacking is illegal. Hacking has become the digital equivalent of trespassing, except that every digital trespass involves criminal sanctions including a fine and imprisonment.
However, data stored by public and private organizations does not have legal status as personal property, real property or intellectual property, except where a special designation of trade secrecy or copyright protection applies. Federal laws protect specific data types, but only under certain circumstances, such as nonpublic financial or investment data within a financial institution or protected health information collected by most health care providers. Because no legal status for data exists, organizations collect, process, exchange and sell data without gathering consent, compensating consumers or adequately protecting consumer data, in most cases. Yet, hacktivists’ accessing the same data is deemed criminal behavior, regardless of motivation or injury.
Hacktivists have increasingly become more active, not just in advocacy, but also in research interests improving cybersecurity. In 2015, a security researcher, Chris Roberts, was detained after tweeting about security vulnerabilities he was researching on a United Airlines flight. In 2017, the FBI raided the home of a security researcher, Justin Shafer, who had reported the presence of an unsecured server with 22,000 patient records. Although the Department of Justice has some discretion regarding who is charged, hacktivists cannot predict when or to what extent criminal sanctions may apply to their actions.
Organizations, of course, deserve some recourse to recover from injury. However, questions remain: Should recourse be uniformly criminal in nature, and should hacktivists be penalized regardless of whether and to what extent injury actually occurred? American citizens have an important opportunity to define how hacktivism will be handled in the future, including distinguishing among motives, actions and damages with respect to criminal status. As digital activities increasingly reflect the multifaceted nature of our physical life, our community must re-evaluate our understanding of digital crime and proportionate punishment.
Charlotte A. Tschider is an affiliated professor in the Cybersecurity and Privacy Law Program at the Mitchell Hamline School of Law.