A couple weeks ago I was talking to someone about discovering information about hackers. Eventually we came to the approach of counter-hacking (eg. you trace back the attack to IP address X and notice a vulnerability… and then exploit it to find out about the attacker?).
My initial reaction was that it was clearly ethical to counter-hack. Surely, they surrendered any right to protection when they attacked people (there was a fair bit of moral indignation on my part because I was thinking of the, at that time recent, attack on Google that targeted the information of Human Rights activists).
Why, one could even stay within legal bounds by going to another country where hacking isn’t a crime!
It was only later that I realized how this would parallel, for example, the police hacking a suspects computer without a warrant.
There are ways that I tried to separate the two:
- There is no one for me (or anyone else) to appeal to for a warrant or equivalent, given the international nature of hacking.
- It’s not suspicion, it’s practically certainty! We can see that this is where the attack came from, surely?
- I’m not a governmental organisation: there’s no government power concerns.
- In the case of Google-China, the risk to Human Rights activists makes intervention a moral imperative.
But I was clearly deluding myself: the issue is not as simple as I was making it out to be. That doesn’t mean my stance is wrong, just that the issue isn’t simple…
But, given the ethical complications, the question should arise: Is there a way we can side-step the ethical issues? I’d like to propose one: allowing hackers to infect themselves.
Consider: I leave a camera that automatically takes pictures and sends them to me. Not realising what it is, a thief takes it and thus is caught. Have I done anything morally wrong?
I don’t think so. It was the thief’s own decision to take it.
Similarly, if I embed a trojan in a word document and never distribute it, but a hacker takes it and is infected, am I responsible?
I don’t think so.
The obvious concern is that, if the hacker notices anything, the counter-hacker is caught. This can be rectified by making it look like the trojan is due to me myself being hacked. Thus, I, suposedly, remain ignorant.