Every week seems to bring a new hacking story — the massive hacking attack on the U.S. government’s databases and the attacks on the U.S. health care system are just two of the bigger stories — so it’s perhaps no surprise that the knee-jerk reaction is to take the fight directly to the hackers. By making the penalties tougher, by expanding the scope of federal anti-hacking statutes and making it easier to prosecute wrongdoers, it’ll convince hackers that it’s just not worth the risk, right?
The problem is that simply toughening the laws on hackers by extending their scope and reach or extending the prison sentences of hackers is not going to help catch the real hackers — the criminalized, anonymous hackers who operate in places such as China. Instead, they’re more likely to ensnare the likes of hacktivist heroes such as Aaron Swartz.
Getting tough on hackers by extending the definition of what a hacker is would theoretically mean that people who even so much as retweet or click on a link with unauthorized information could be committing a felony. Moreover, the white hat hackers (the “good guys”) could be ensnared as well, since their work, at its core, is indistinguishable from that of the black hat hackers (the “bad guys”).
And that could have a chilling effect on innovation.
Laws and regulations can’t keep up with the pace of technological change, and end up either prosecuting the wrong people or prosecuting the right people, but on charges that far exceed the scope of the crime. Consider that the current anti-hacking federal statute, the Computer Fraud and Abuse Act (CFAA), was enacted back in 1986, well before most politicians had ever heard of the Internet.
If tough hacking laws had been around 20 years ago, it might have stopped Google from launching its method of indexing Web pages or Apple from launching many of its innovative consumer gadgets. As Rob Graham, chief executive of Errata Security, points out, “Had hacking laws been around in the 1980s, the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices.”
And there’s another reason why tougher laws on hacking would have a chilling effect on innovation — they would not require corporations to do more on their end to correct fatal security flaws before they are found by hackers. As we already know from experience, the last thing corporations want to do is to add an extra cost layer to their products by taking action to correct security flaws — even when they know the potential implications of a major security breach. If they know that the law will make it easier to recoup damages from hackers, they could have fewer incentives to find all possible security flaws.
In the case of Ashley Madison, the current hacking case du jour, the company didn’t even bother to encrypt the underlying data, which means that once a hacker got into the company, it was a simple task of scooping up names, addresses and credit card information. You could argue that the hackers who broke into Ashley Madison are criminals, but you could just as easily argue that the company itself was criminally negligent.
If anything, the race to punish similar types of hackers would encourage corporations to deepen their intelligence and security sharing with each other and the government, and that means, you guessed it, even more security surveillance on the Internet. And the more that the tech sector becomes infected with a security surveillance mind-set, the worse it is for innovation.
To see how all this might play out, consider President Obama’s proposed crackdown on hacking, first announced during the 2015 State of the Union address after the high-profile hacking case of Sony Pictures. The proposals, as the Electronic Frontier Foundation pointed out in January, are a “mishmash of old, outdated policy solutions.” The concern is that overzealous application of new laws could be used to prosecute hackers for anything as minor as violating the terms of service of a website.
In many ways, the U.S. crackdown on hackers is our new “war on drugs.” Just as the U.S. sought to win the war on drugs by adding aggressive charges and excessive punishment to round up all of the drug dealers, it’s now trying to win the “war on hackers” by stiffening up the federal anti-hacking statutes to round up all of the hackers. By toughening the laws on hacking, you might catch the Internet equivalent of low-level drug dealers and mules, but it won’t get to the core of the problem — the high-level, anonymous kingpins who live beyond our borders.
Maybe tougher hacker laws will scare the youngest generation off a life of crime, once they know that they could earn jail time for clicking on a single unauthorized link or sharing a single password. It could scare them off a life of computers, and that would be the greatest shame, because it would shut down the innovation pipeline of the nation.
Dominic Basulto is a futurist and blogger. He wrote this article for the Washington Post.