Showing posts with label featured paper. Show all posts

Friday, April 18, 2014

Featured Article: Hacktivism and the First Amendment: Drawing the Line Between Cyber Protests and Crime

Volume 27 of the Harvard Journal of Law & Technology features a student Note by Xiang Li that addresses some of the First Amendment implications of "hacktivism," which Li broadly defined as the “combination of grassroots political protest with computer hacking through the nonviolent use of illegal or legally ambiguous digital tools [to pursue] political ends.”

Li's Note, Hacktivism and the First Amendment: Drawing the Line Between Cyber Protests and Crime, argues that while hacktivist activities may not squarely fit within the purview of the First Amendment currently, over time these activities may evolve to a point in which a "categorical prohibition on all forms of hacktivism may sweep up socially productive uses of cyberattacks as a form of protest."

A portion of the Note, with footnotes redacted, appears below:
Does hacktivism constitute a legitimate instrument of protest in twenty-first century America? This Note examines the viability of invoking the First Amendment as a defense to the prosecution of hacktivism, specifically in the form of cyberattacks, under the Computer Fraud and Abuse Act (“CFAA”). Although existing forms of cyberattacks are unlikely to merit First Amendment protection, this Note argues that hacktivism may evolve over time to fall within the purview of First Amendment protection. A categorical prohibition on all forms of hacktivism may sweep up socially productive uses of cyberattacks as a form of protest.

The argument proceeds in four parts. Section II describes the various forms of cyberattacks currently used by hacktivists, as well as the potential criminal liability for hacktivism under the CFAA. Section III examines the primary obstacle to, and secondary arguments against, invoking First Amendment protections for hacktivism as free speech. Section IV presents two of the central premises underlying the rise of hacktivism and discusses the need to reconceptualize what is currently a privatized cyberspace to make room for public forums that can provide specific access to a target’s online property. Additionally, Section IV discusses the possible evolution of hacktivism to include cyberattacks that generate pop-up windows to communicate protest messages. Such a mechanism could raise the possibility of First Amendment protection whereby the cyberattack constitutes protected speech and the pop-up window qualifies as a public forum, akin to a “cyber sidewalk” adjacent to the target’s online property. Section V concludes.

Thursday, April 10, 2014

Featured Article: The Internet and the Constitution: A Selective Retrospective

The Honorable M. Margaret McKeown of the United States Court of Appeals for the Ninth Circuit has a rather interesting article appearing in volume 9 of the Washington Journal of Law, Technology & Arts.

In her article, The Internet and the Constitution: A Selective Retrospective, Judge McKeown examines the complexities of the Internet and its associated innovations from a legal perspective, from the many jurisdictional and due process challenges, to the implications on the First Amendment and free speech. Judge McKeown's story of "institutional stability in the face of change," however, is one she believes has been lost in the all-too-common narrative: "the Internet is changing all the rules and the system can’t keep up."

I found the entire article fascinating, but for those looking for a cybercrime hook, the article's discussion on “The Fourth Amendment and Privacy,” beginning on page 161, may be of particular interest.

The abstract appears below:
Over the last two decades, the Internet and its associated innovations have rapidly altered the way people around the world communicate, distribute and access information, and live their daily lives. Courts have grappled with the legal implications of these changes, often struggling with the contours and characterization of the technology as well as the application of constitutional provisions and principles. Judge M. Margaret McKeown of the United States Court of Appeals for the Ninth Circuit has had a close-up view of many of these Internet-era innovations and the ways the courts have addressed them. In this Article, adapted from her October 2013 Roger L. Shidler Lecture at the University of Washington School of Law, Judge McKeown offers her retrospective thoughts on the ways courts have handled constitutional issues in Internet cases. She also discusses some of the challenges currently facing courts and legislators alike as the U.S. legal system incorporates and accommodates Internet-based technologies and the societal, commercial, governmental, and relational changes they spawn.

Friday, October 18, 2013

Recent Journal of Criminal Law & Criminology issue focuses on cybercrime

Volume 103, Issue 3 of the Journal of Criminal Law & Criminology, a student-run publication at Northwestern University School of Law, features a variety of articles tackling the complexities of cybercrime. The issue is the culmination of a Symposium held at Northwestern University on February 1, 2013. As the Symposium Editor, Lily Katz, states in her Foreword, the Symposium intended to address the "important conceptual, doctrinal, and empirical legal questions" raised by cybercrime.

The issue features a great line-up of authors addressing a variety of topics. For instance, Professor David Thaw, a visiting Assistant Professor at the University of Connecticut School of Law, "examines the tension" between the two differing viewpoints on "whether private contracts, such as website terms of use or organizational acceptable use policies should be able to define the limits of authorization and access for purposes of criminal sanctions under the CFAA." The piece authored by Professor Derek Bambauer, an Associate Professor at the University of Arizona James E. Rogers College of Law, takes a somewhat broad look at the interests of privacy and security. Professor Bambauer argues that "security and privacy can, and should, be treated as distinct concerns" and that "separating privacy from security has important practical consequences."

The recent issue of the Journal of Criminal Law & Criminology provides some great articles worth checking out. Here are the links to the articles:

Lily Katz, Foreword, 103 J. Crim. L. & Criminology 663 (2013) 

Derek E. Bambauer, Privacy Versus Security, 103 J. Crim. L. & Criminology 667 (2013)

Thomas P. Crocker, Order, Technology, and the Constitutional Meanings of Criminal Procedure, 103 J. Crim. L. & Criminology 685 (2013)

David Gray, Danielle Keats Citron, & Liz Clark Rinehart, Fighting Cybercrime After United States v. Jones, 103 J. Crim. L. & Criminology 745 (2013)

David Thaw, Criminalizing Hacking, not Dating: Reconstructing the CFAA Intent Requirement, 103 J. Crim. L. & Criminology 907 (2013)

Jessica E. Notebaert, Comment, The Search For a Constitutional Justification For The Noncommercial Prong of 18 U.S.C. § 2423(C), 103 J. Crim. L. & Criminology 949 (2013)

Thursday, June 20, 2013

Featured Paper: Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense

Volume 8, Issue 1 of the University of Maryland Journal of Business & Technology Law published a rather interesting article on active defense policy. Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense was authored by Shane McGee, General Counsel and Vice President of Legal Affairs at Mandiant, Randy V. Sabett, Counsel with ZwillGen PLLC, and Anand Shah, Staff Attorney at Mandiant and Technology Fellow at ZwillGen PLLC.

The article is very timely, as it follows on the heels of a recent IP Commission Report that recommended the government investigate how active defense measures might be appropriately utilized by the private sector. Specifically, the IP Commission Report recommended that "new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited." The Report suggested that "[s]tatutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers."

With momentum gaining in support of active defense strategies, McGee, Sabett, and Shah argue that national policy in active defense should avoid the "unrealistic" goal of "absolute identification of a cyber attacker" and should instead begin with a "national dialog" on what would define "adequate attribution."

This is a great read for those interested in the concept of active defense. An excerpt appears below, with footnotes redacted (follow the link above for the full article):
Once primarily the domain of the federal government and a few specialized defense contractors, “active defense” has become an increasingly common topic even in unclassified circles due to (a) much more media exposure, (b) a general relaxing of attitudes toward offensive cyber behavior and, to some extent, (c) a frustration with the ability for companies to protect themselves with a purely defensive posture. Whether called active defense, standing your cyber ground, or hacking back, the notion of offensive use of cyber capability continues to gain considerable attention. As we ponder the implications of publicly-reported cyberattacks with a kinetic component (e.g., America’s alleged involvement in Stuxnet and the appearance of Flame), we also need to determine if other broad attacks (e.g., Duqu and Shamoon) should be viewed as significant steps forward in attack vectors or simply more annoying distractions in the cyber landscape. In any event, no one can deny that offensive operations must be considered as a possible device in the cyber toolkit. The logic seems valid — the right of self-defense has existed for hundreds of years in the physical realm; it should have a corresponding construct in the cyber world. Unfortunately, a lack of clarity in current law and policy has not allowed that to happen.
. . . .
The nagging question involves picking the level of certainty required by a victim of cyberattack in the identity of the attacker before responding. At one extreme would be absolute knowledge of the identity of the attacker. However, several scholars agree that significant difficulty exists in attaining 100% certainty of an attacker’s identity and that even identifying an attacker beyond a reasonable doubt is “bordering on impossible.” At the other extreme would be a policy where little, if any, diligence would be required prior to attacking back. Richard Clarke provides perhaps the most accurate answer by stating that it will “depend upon the real-world circumstances at the time.” In this paper, we will lay out an argument that, since absolute identification of a cyber attacker is unrealistic, a national dialog should occur around what constitutes adequate attribution. We will then provide a normative framework for use by the private sector when contemplating the use of active cyber defense.