A Site Where Hackers Are Welcome: Using Hack-In Contests to Shape Preferences and Deter Computer Crime
Wible, Brent, The Yale Law Journal
While the Internet has revolutionized communication and commerce, it has also created the conditions for a type of crime that can be committed anonymously, from anywhere in the world, and with consequences that are unprecedented in scope. With the failure of traditional law enforcement methods to deal with these challenges, (1) computer crime requires a new approach to thinking about deterrence. Focusing on a particular type of computer crime, unwarranted intrusions into private computer networks, this Note argues that "tailoring the punishment to fit the crime" might mean focusing on something besides punishment. It proposes a regulated system of privately sponsored "hack-in" contests to supplement the criminal law, which has proved inadequate at deterring computer crime.
Computer crime comes in many varieties, including online theft and fraud, vandalism, and politically motivated activities. (2) Other hackers simply try to break code, seeking challenge, competition, and bragging rights. (3) Whatever the motivation, intrusions have serious costs. (4) At the very least, a violated site must patch the security hole. Even a nonmalicious trespass disrupts the victim's online services while the breach is fixed. Not knowing whether or not a breach was malicious, companies generally expend resources investigating the matter, often hiring private investigators so that they do not suffer reputational loss. (5) If other hackers become aware of the site's vulnerability, a nonmalicious hack may be the precursor to more malicious attacks. (6) Finally, considering the gravity of the risk, attack victims may change their behavior, becoming reluctant to put valuable information online. (7)
How can private actors, alongside government, deter such activity? Two basic approaches have been suggested. First, some scholars have imagined creative ways of reinforcing the criminal law with other kinds of constraints on behavior. (8) Second, others have suggested that the least dangerous kinds of hacking should be decriminalized in ways that demarginalize the hacking community and actually increase Internet security. (9)
Those in the first group have expanded on the Beckerian framework, long dominant in thinking about deterrence, which limits policymakers to manipulation of two factors in deterring crime--probability of detection and severity of sentence. (10) Scholars looking beyond this framework have incorporated social norms, (11) architecture, (12) and monetary costs (13) as additional constraints on crime. Neal Katyal, for example, argues that monetary costs should supplement criminal sanctions because they constrain all actors, whereas legal sanction is only probabilistic. (14) The insight is well taken. Criminal constraints alone will not effectively deter computer crime. Law must help second and third parties--victims of computer crime and Internet users--deter crime themselves. (15)
Even this most recent scholarship at the vanguard of deterrence theory, however, approaches deterrence from a cost perspective. Departing from this tradition, this Note argues that, just as the "law should strive to channel crime into outlets that are more costly," (16) it should also encourage mechanisms that channel criminal behavior into legal outlets.
The second group of scholars argues that "look-and-see" hacking, where hackers only explore systems without damaging them, and perhaps report that they have breached security, is victimless and should be decriminalized. They argue that decriminalization would result in a number of social benefits, including an increase in Internet security as hackers identify latent vulnerabilities, a better allocation of law enforcement resources, and the development of creative people with technological skills. (17) The arguments do not satisfy opponents of decriminalization, however, who emphasize that decriminalization fails to signal clearly that hacking is a proscribed activity. …