LawMeme, Yale Law School
 
Death Penalty for Hackers
Posted by Rebecca Bolin on Tuesday, July 12 @ 17:50:24 EDT Governance
As a mathematician, I enjoy law and economics, and I have been dealing a great deal with hackers lately, but I was still shocked to see this op-ed, "Worse Than Death," in the New York Times this morning lobbying for harsher punishments for hackers. I am not even sure if his call for the death penalty for a German worm writer is a joke.

Tierney’s article draws its thesis from this article by Steven Landsburg, an Economics Professor at the University of Rochester. In this article, he compares the economic damage of murderers and virus, worm, and Trojan writers and concludes that the death penalty would deter even more and the justice system would be able to “supply protections that, for one reason or another, we can't purchase in the marketplace. Those governments perform best when they supply the protections we value most.” I will ignore the bait of the moral argument from the end of the article and stick to the important issue at hand: the economics of hacking.

Problem is we can buy protection from viruses and worms. It may even be more effective than buying protection against murder. It is certainly cheaper than living in a nice neighborhood or hiring a bodyguard. Make no mistake, it is being bought by all kinds of people. Maybe we should just let the market fix it and buy better software.

Better yet, isn’t the least cost avoider the one who made the security hole in the first place? Why not just impose product liability on software vendors? Why isn’t Sasser Microsoft’s fault? If they have to pay me, they’ll clean up their act real quick! Caveat: I am in no way actually supportive of strict product liability for software (though perhaps liability for failing to patch within a reasonable time in some circumstances, but that is an entirely different issue). I offer this alternative to wonder why an economist would look to the virus-writing kids for rational economic behavior and not the corporations of responsible people.

Lovebug, a nasty email virus traced to the Philippines that sent itself to everyone in your Outlook address book, is still around. Its author was never charged and never apologized. I doubt that his lack of punishment inspired future virus writers around the globe to continue without care in their endeavors. In fact this story echoes that of the very first worm, unleashed in 1988 by Robert T. Morris. It was an accident. Regardless, Morris was convicted of violating the Computer Fraud and Abuse Act, and sentenced to three years of probation, 400 hours of community service, and a fine of $10,050.

Tierney transforms the worm, virus, and Trojan writers into "hackers." This category is far too broad. It includes some people much, much nastier than our young worm writer, like "the Russian hackers," Gorshkov and Ivanov (sentenced to 36 and 48 months in jail, respectively) who exploited security holes to steal credit card numbers and blackmail businesses. It includes some people much less nasty, like Robert Lyttle, who exploited a Department of Defense security hole to help, to let them know about it. It includes anyone accessing his New York Times op-ed with a stolen password. All hackers the US has charged in the last seven years are on this page. Yes, that’s all.

I suggest that Sven Jaschan, the German teenager who admitted to writing the Sasser worm, was thinking of none of these people when he discovered a Windows security flaw and wrote a few lines of code. People like Gorshkov and Ivanov, who are just criminal fraudsters using a new medium, can be deterred. Their actions are more economic; they actually have a cost-benefit analysis. Deterring hackers with no financial gain is trickier.

First, the economics scale poorly. Jaschan happened to be a phenomenal virus writer who was responsible for over 70% of viruses in the first half of 2004. However, the person deterred by his execution might have been a petty virus writer. That is, to deter less than one percent of viruses doesn't make much sense because virtually all damage comes from a handful of viruses. Do you stop one percent of virus writers, ending up with radically different results? Or do you stop a weak virus? Do you keep a writer like Jaschan from sending out one variation?

Second, the drive to do these things is not in numbers. It is not an equation so easily written out by Professor Landsburg. The rage Tierney expresses in "man-years I've spent running virus scans and reformatting hard drives," something no self-respecting elite would say, only adds to how cool this behavior is. Think of Mitnick. He went to jail for years. And his plea agreement kept him from using computers for another three. And his plea agreement still blocks him from making money off his crimes, hence no book deal just yet. Does that matter? Mitnick’s name lives on, and people are still hiring him to do things with their systems.

It is frustrating that ex-hackers can gain fame and lucrative employment. Unethical lawyers and doctors never practice again. Hackers have job security and notoriety. I am not sure whether the solution would have been to never let Mitnick use a computer again. It probably wouldn't have changed his behavior, but I suppose it might have changed someone else's. I certainly don’t think the answer would have been executing Mitnick. Even if Mitnick had been put to death, he would still be an icon of cool. In fact, then he would have been a cool martyr. The punishment will not change the culture, the strange sub-culture of elite computer experts who admire having the kind of power Mitnick once did.

As for the Sasser worm, law enforcement seems to have done amazingly. They caught the right guy quickly and charged him under relevant laws, things that would have been much more difficult if not impossible a few years ago. That shows investigations and law have both come a long way. Microsoft was doing well too, having released a patch for the security problem months before. The problem was lazy, ill-prepared businesses who refused to police their own systems and a group of kids who thought it was cool to use their power for evil. Should we execute all of them too?

 
LawMeme articles published after May 1, 2005 are subject to the Creative Commons Attribution-Noncommercial 2.0 License.

Contributors retain copyright interests in all comments and stories or submissions on or before May 1, 2005. Access to material before May 1, 2005 is subject to the terms and conditions set forth in the Open Publication License, v1.0.

Everything else is copyright 2002-05 by the Information Society Project.
