Support may be growing for allowing cybertheft victims to “hack back.” What are the privacy concerns of allowing hackbacks?
The concept isn’t crazy (the article’s warning that hacking back at the Chinese Army might be trouble notwithstanding) — there is a general common law right to self-defense (you don’t have to let someone hit you), to defense of property (you don’t have to let someone steal your stuff), to defense of others (you can stop someone snatching another’s purse), and to peaceably reclaim property (you can walk down the block and take your bike back off the front lawn of the kid who took it). The rub with hacking back is that it is made illegal by the same law that makes the hacking illegal — that is, hacking, without regard to the underlying crime of theft of property or IP, is itself illegal. Half the point is that it gives prosecutors a way to get around the idea of whether copying data is crime and to cut off snooping before it turns into a more destructive hack.
Later, discussing Professor Orin Kerr’s statment that “because it is so easy to disguise cyberattacks, there is a real risk that retaliatory measures could affect innocent bystanders, which raises a range of privacy concerns,” Rick writes:
If the person that is hacked back isn’t the actual hacker, then their information is exposed through no fault of their own and the original victim has now compounded the damage. That’s an actual concern, not some vague notion that is readily dismissed. It’s got a nice real-world parallel: if someone steals your bike, and you go to take it back but take the bike from someone who owns the same one and didn’t steal yours, that’s bad. We all understand that. Imagine: allowing people to reclaim property creates a range of ownership concerns.
You can read the whole post here.