A site where hackers are welcome: using hack-in contests to shape preferences and deter computer crime.

• Author: Wible, Brent

INTRODUCTION

While the Internet has revolutionized communication and commerce, it has also created the conditions for a type of crime that can be committed anonymously, from anywhere in the world, and with consequences that are unprecedented in scope. With the failure of traditional law enforcement methods to deal with these challenges, (1) computer crime requires a new approach to thinking about deterrence. Focusing on a particular type of computer crime, unwarranted intrusions into private computer networks, this Note argues that "tailoring the punishment to fit the crime" might mean focusing on something besides punishment. It proposes a regulated system of privately sponsored "hack-in" contests to supplement the criminal law, which has proved inadequate at deterring computer crime.

Computer crime comes in many varieties, including online theft and fraud, vandalism, and politically motivated activities. (2) Other hackers simply try to break code, seeking challenge, competition, and bragging rights. (3) Whatever the motivation, intrusions have serious costs. (4) At the very least, a violated site must patch the security hole. Even a nonmalicious trespass disrupts the victim's online services while the breach is fixed. Not knowing whether or not a breach was malicious, companies generally expend resources investigating the matter, often hiring private investigators so that they do not suffer reputational loss. (5) If other hackers become aware of the site's vulnerability, a nonmalicious hack may be the precursor to more malicious attacks. (6) Finally, considering the gravity of the risk, attack victims may change their behavior, becoming reluctant to put valuable information online. (7)

How can private actors, alongside government, deter such activity? Two basic approaches have been suggested. First, some scholars have imagined creative ways of reinforcing the criminal law with other kinds of constraints on behavior. (8) Second, others have suggested that the least dangerous kinds of hacking should be decriminalized in ways that demarginalize the hacking community and actually increase Internet security. (9)

Those in the first group have expanded on the Beckerian framework, long dominant in thinking about deterrence, which limits policymakers to manipulation of two factors in deterring crime--probability of detection and severity of sentence. (10) Scholars looking beyond this framework have incorporated social norms, (11) architecture, (12) and monetary costs (13) as additional constraints on crime. Neal Katyal, for example, argues that monetary costs should supplement criminal sanctions because they constrain all actors, whereas legal sanction is only probabilistic. (14) The insight is well taken. Criminal constraints alone will not effectively deter computer crime. Law must help second and third parties--victims of computer crime and Internet users--deter crime themselves. (15)

Even this most recent scholarship at the vanguard of deterrence theory, however, approaches deterrence from a cost perspective. Departing from this tradition, this Note argues that, just as the "law should strive to channel crime into outlets that are more costly," (16) it should also encourage mechanisms that channel criminal behavior into legal outlets.

The second group of scholars argues that "look-and-see" hacking, where hackers only explore systems without damaging them, and perhaps report that they have breached security, is victimless and should be decriminalized. They argue that decriminalization would result in a number of social benefits, including an increase in Internet security as hackers identify latent vulnerabilities, a better allocation of law enforcement resources, and the development of creative people with technological skills. (17) The arguments do not satisfy opponents of decriminalization, however, who emphasize that decriminalization fails to signal clearly that hacking is a proscribed activity. (18)

This Note seeks to develop a proposal--the "hack-in contest"--that appeals to both proponents and opponents of decriminalization. First, contests can capture the benefits of decriminalization without sacrificing the expressive and preference-shaping functions of the criminal law. Second, contests provide positive incentives for law-abiding hacking, an important approach given a hacking subculture that may be unreceptive to sanctions. (19) Seeking to introduce positive reinforcement and "channeling structures" into the toolbox of criminal deterrence, (20) this Note argues that a system of structured hack-in days will channel behavior away from illegal hacking toward approved activities. An effective system of contests may even strengthen positive norms among hackers, shaping preferences for law-abiding behavior. (21) While privately sponsored hack-in contests are already prevalent, (22) these contests lack regularity and fail to distinguish between approved and illegal hacking. Unlike these private contests, a regulated system of competitions should be designed to deter computer crime.

Part I of this Note outlines the current responses and proposals concerning computer crime and their general failure to prevent unwarranted intrusions. It contends that raising costs may not effectively deter hacking and that decriminalization undermines the expressive function of the criminal law. Part II begins by examining the preference-shaping function of the criminal law, arguing that "positive reinforcement" may be as effective at preference shaping as criminal sanctions. It then argues that the social norms latent in hacker culture may be more effectively harnessed by positive incentives than by sanctions. Part III proposes a hack-in contest framework that encourages law-abiding norms and shapes preferences for legal hacking. Part IV compares the contest proposal to broader decriminalization models and anticipates several objections to the proposal.

1. PREVIOUS RESPONSES AND PROPOSALS CONCERNING COMPUTER CRIME

   1. Law, Code, and the Market

      The first cases of computer crime were heralded as an unprecedented phenomenon that law was not equipped to handle. (23) Scholars and policymakers have since proposed a number of deterrence strategies, from criminal sanctions to tort law and the architecture of the web itself, but none of these methods has proved successful at deterring criminal hacking.

      Congress prohibited unwarranted intrusions in the Computer Fraud and Abuse Act of 1984 (CFAA). (24) Among other problems, prosecutorial difficulties have minimized the CFAA's deterrent effect. Shortly after criminalization, the low number of prosecutions prompted some to suggest that antihacking laws were largely symbolic. (25) Enforcement remains difficult, especially given the near impossibility of prosecuting attempts under 18 U.S.C. [section] 1030(b), (26) and the need for a great investment of time, resources, and skill--even assuming that local law enforcement agents have the requisite training. (27) Digital anonymity, encryption technologies, and the circuitous process of electronic tracing give cybercriminals an advantage over law enforcement. (28) With jurisdictional uncertainties looming in cases that are expensive to investigate and that require sophisticated tracking capabilities, state prosecution is almost impossible. (29)

      Proponents of tort liability for computer crime argue that, as compared to the criminal law, civil actions give targets control over the litigation. (30) The possibility of obtaining damages gives targets, otherwise unwilling to admit electronic vulnerabilities to consumers, an incentive to report. (31) While Internet Service Provider (ISP) liability has received the most attention as a serious proposal, (32) four varieties of tort liability are possible in the computer-crime context--(1) hacker liability, (2) ISP liability, (3) security company liability, and (4) liability for victims who fail to take private precautions. A general but significant critique of these proposals is that tort liability does not carry a strong symbolic message condemning illegal hacking. The various tort proposals are unlikely to succeed for specific reasons, too: hackers tend to be judgment proof, (33) holding ISPs liable may actually increase hacking, (34) holding security companies to a high standard of liability may make their products prohibitively expensive and may be less effective than providing incentives to good practice, (35) and making victims bear the cost evinces an overly optimistic faith in the ability of potential targets to safeguard their materials through technological solutions. (36)

      Just as tort law fails to provide a practical response to computer crime, reliance on market solutions would lead many firms to take extreme measures to protect themselves from vulnerability, potentially resulting in undesirable architectural rules. (37) Alternatively, one may discern a "broken windows" effect if companies rely too heavily on self-help. (38) While visible self-help measures like protective software are essential and instill confidence in the technological infrastructure, paradoxically, they may lead to more crime. (39) Hackers may interpret the flowering of private security measures as an indication of profligate hacking or lackluster monitoring and as an invitation to hack. (40)

      Security software is not the only technology that could be used to deter hacking. Lawrence Lessig has been the most original and vocal proponent of the idea that while behavioral constraints are modified by changing law in real space, in cyberspace, constraints are more effectively altered by changing code. (41) While his approach is meta-architectural and does not focus on individual security measures like security software, code is inadequate to constrain hackers. Dorothy and Peter Denning have argued that "the solutions ... cannot be achieved solely by technological means. The answers will involve a complex interplay...