FYI.

This story is over 5 years old.

Tech

A Bipartisan Commission Recommends Allowing Corporations to Legally Hack Whomever They Want

Privacy and, now, protection of your physical property is only guaranteed if you're the government or corporation.
Image via the Ohio Department of Technology Services

Intellectual property theft is such a grave threat online that corporations should be able to legally attack individual people deemed guilty (without due process or legal oversight) with malware, spying tools, and physical computer destruction, argues a new report from a bipartisan commission on IP theft. Rights? If you're online, you've got none.

There's a persistent belief in law enforcement and copyright protection circles that the Internet refuses to be tamed. Listen to officials whinge on Capitol Hill about the supposed "going dark" problem and you'd that the Internet is nothing but criminals, thieves, and hackers that authorities have literally no recourse against. It's all bunk, but that hasn't stopped everyone from the FBI to RIAA and MPAA-supported trade groups from trying to eliminate the concept of online privacy.

Advertisement

Now, things have taken an even farther turn: a newly-published report from the Commission on the Theft of American Intellectual Property—with a name like that, it must be an epidemic, right?—advocates for restructuring of US law in order to make aggressive cyberattacks fully legal for private entities with IP interests, as Lauren Weinstein found. In other words, because hackers out there do lots of bad things, the Commission argues that US firms should be able to attack anyone they suspect of stealing intellectual property, including destroying their computers, without due process or oversight.

It's fucking insane. From page 81 of the report, in the section titled "Cyber Solutions":

When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense…

Translation: Data moves across the internet at internet speeds, which means that unless IP holders can actively lay down internet justice in real time—and completely at their own discretion, because poor old law enforcement is too slow—then the hackers win. Of course, the only problem is that this is all currently very illegal. What illegal capabilities is the Commission advocating? Well, everything that hackers do:

Advertisement

…that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

Here's what the Commission is advocating for: Because bad guy hackers can, in theory, attack anyone on the internet, and because passive security is apparently garbage, the Commission suggests rewriting US law to make hacking totally legal, as long as you're on the side of the lobbying dollars. I can't reiterate how insane this is enough: this Commission is using the threat of stolen trade secrets to completely dismantle security laws online and give corporations extrajudicial vigilante power that includes physically destroying the computers of private citizens without due process.

This is where I think it's time to dispel the biggest problem with this report: the Commission is arguing for an eye-for-an-eye approach; it's only advocating for extreme—and incredibly illegal—measures because the darn hackers are so sophisticated. Here's the problem, however: the overwhelming majority of hack attacks are unsophisticated, and require little more to defend against than adding two-step authentication and teaching people not to click on shady emails. That's not to mention the common trick of warping filesharing data to inflate cybercrime data.

Advertisement

Here's the actual truth: Most of hacking problem on the web is low-tech because people are stupid with passwords and phishing attacks. Stopping that is as easy as forcing people to use better authentication systems. But that reality has been blown into a massive evil specter of national security and terrorism that's now being used to advocate to allow corporations the ability to remotely spy on random people and destroy their computers without oversight. It makes the FBI's own attempts to get backdoors into every major communication system appear downright levelheaded (which, of course, they are not).

Comically, the Commission goes on to admit that the legal framework for such unprecedented powers doesn't actually exist. That's largely because no agency, including the embarrassing Justice Department, has been so shameless as to advocate to completely legalize destructive hacking—although they're getting close. From the report:

The legal underpinnings of such actions taken at network speed within the networks of hackers, even when undertaken by governments, have not yet been developed. Further, the de facto sanctioning of corporate cyber retribution is not supported by established legal precedents and norms. Part of the basis for this bias against “offensive cyber” in the law includes the potential for collateral damage on the Internet. An action against a hacker designed to recover a stolen information file or to degrade or damage the computer system of a hacker might degrade or damage the computer or network systems of an innocent third party. The challenges are compounded if the hacker is in one country and the victim in another.

So yes, the Commission admits that it's advocating for something that no one in the US, sane or otherwise, has tried to set up. And therefore, "the Commission does not recommend specific revised laws under present circumstances," despite it having advocated to dismantle civil privacy and property protections just two paragraphs earlier. By no means should you take that as the Commission saying it's not actually advocating for action, as it assuredly is. It's just hoping that a legislator somewhere will figure out the task of railroading such an unconstitutional set of laws through for it.

This is life online in these United States these days: Privacy and, now, protection of your physical property is only guaranteed if you're the government or corporation. Anyone else is watching their legal protections erode as fast as regulators and corporate interests can dream up insanely misguided policy suggestions based on half-truths and outright lies.

I wish it was an isolated thing, but the wave of cybersecurity insanity is building to the point that a future in which corporations spy on you through your laptop camera while the FBI secretly trolls through your email and your hard drive could be wiped at any moment isn't as far-fetched as it once seemed.

@derektmead