The Post That May Never Be Seen – Legality of Hacking [Updated 9/11 with video]
As I write this, GoDaddy is having some problems causing several websites to experience problems. The problem, according to some reports, is that GoDaddy has been attacked by the infamous “social hacking” group known as Anonymous.
A pro-Anonymous Twitter account wrote: “By using / supporting GoDaddy, you are supporting censorship of the Internet,” @AnonOpsLegion. The animosity is based on GoDaddy’s support of SOPA and PIPA and other proposed legislation that is considered anti-free Internet.
For those with short attention spans, here is the video of my interview with LXBN TV.
There is a debate as to whether the Anonymous folks are modern day Robin Hoods/activists or terrorists. I’ll leave that for you to decide with a concession that there is no need for me to give anyone motivation to target this measly blog. Here’s a good article from the Washington Post on the group and a video interview with Harvard Adjunct Professor Nico Mele on the debate.
The point of this post is to simply explain just some of the existing laws on the book for the non-controversial position that hacking is illegal.
The Computer Fraud and Abuse Act
The CFAA (18 U.S.C. § 1030) makes it illegal to access a data base without proper authority or to exceed one’s authority impairing the computer system or data accessed. It is the most obvious of statutes and was passed to address hacking. Liability is premised on there being at least $5,000 in losses in any one-year period. The CFAA is primarily a criminal statute.
A plaintiff could make a civil claim under the CFAA to recover actual damages, injunctions or other equitable relief. A criminal conviction can result in fines and imprisonment.
ECPA and the SCA
The Electronic Communications Privacy Act (18 U.S.C. § 2510) and the Stored Communications Act (18 U.S.C. §§ 2701-12) are equally important sister statutes. Generally speaking, the ECPA applies to electronic communications in transit and the SCA applies to communications stored on servers. Assuming they do more than shut down a site by overloading it and actually gain access to the information, there is also a likely violation of these two statutes.
A plaintiff under the ECPA can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys’ fees and costs. Criminal violations can result in up to five years and fines up to $250,000 for individuals and $500,000 for organizations.
The SCA meanwhile, which is technically part of the ECPA, makes it illegal for anyone to “intentionally access without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorize access to a wire or electronic communication while it is in electronic storage in such system.”
In plain English, it is illegal to access someone’s Hotmail account without their authorization and read their emails because those emails are stored on Hotmail’s servers and not yours. The SCA covers “electronic communication services” which is defined as “…any service which provides to users thereof the ability to send or receive wire or electronic communications.”
Denial of Service Attacks
News reports indicate, this was a denial of service attack (or direct denial of service attack) where users don’t actually “hack” into a network to access private information, but simply bombard a network with fake requests so it won’t function properly. Pro-Anonymous supporters say it is really no different than a sit-in at a bank that prohibits real customers from accessing the bank.
In the U.S., the CFAA is still likely to apply. The law says you can not “knowingly cause the transmission of a program, information code, or command, and as a result of such conduct, intentionally causes damages without authorization to a protected computer.” “Damage” under the CFAA is “any impairment to the integrity or availability of data, a program, a system, or information.” The ringleaders knowingly transmit and cause others to transmit commands to intentionally cause damage.
Furthermore, most website terms of service prohibit these types of attacks. By engaging in them, the users have “exceeded their authorization” and thereby possibly violated the CFAA.
As explained in the video above, at least one criminal defendant is claiming the conduct is protected by the First Amendment and therefore not a criminal violation. We’ll see if that defense works if the prosecution continues against the man who has now fled to Canada based on my research on the web.
There could be additional claims like RICO, breaches of contracts (with your ISP which prohibits using their service for attacks or the target website’s terms of service), trespassing and a myriad of state law claims, but why pile on when you simply want to point out major statutes and don’t want to attract the attention of the hackers.