
So about Anakata and freedom...

The case against Anakata in both Sweden and Denmark is unrelated to copyright law or The Pirate Bay, but has everything to do with useless IT crime laws. So it's a shame that there are lots of misconceptions about that.

Anakata is not (only) on trial for copyright infringement in either Sweden or Denmark. He's on trial for hacking into important government systems using zero-day exploits and taking data logs. In Sweden the data logs mostly consisted of personal information that would have anyway been public had he asked for it - therefore the government authorities have not found it appropriate to report the break-in even to the police. In Denmark I'm not sure exactly who reported what, or why, and also it's not particularly relevant.

It's anyway good to know, when one is protesting for Anakata's freedoms, which particular type of activity one is defending and which other activities one isn't. If one feels that The Pirate Bay was a worthwhile endeavour for Anakata to engage with, then probably one should not care about the on-going trials against him at all, but rather about the EU copyright consultation.


In my view, unauthorized access to computer systems should not be under criminal law. Rather we should have a positive focus on securing systems, which we can do by setting up liability rules, personal data protection laws, and ensuring transparency in our computer systems - responsible vulnerability disclosure within some time limit would already help a lot, probably. Ensuring the performance of such obligations by corporations and systems maintainers is not best done by the police, or by law enforcement, but by consumer agencies, competition authorities or similar. The criminalization of unauthorized access as such is a particularly flagrant example of the government allocating its scarce resources in such a way that much money is spent on protecting corporations and public authorities from individuals, while virtually no resources are spent on protecting individuals from corporate or public authority malpractice. Furthermore, the focus of government spending is diverted from protecting both companies and individuals from harmful activities to themselves and instead spent on protecting computer systems of corporations from use unintended by the corporation.


Anakata has allegedly unauthorizedly accessed a computer system. The owner of the computer which was unauthorizedly accessed is a private enterprise. This private enterprise is presumed, by law, to be violated by the alleged unauthorized access by Anakata. The private enterprise has been contracted by public authorities. The private enterprise has not been able to deliver a secure service to the public authorities allegedly because of Anakata. The public authorities have not been able to deliver good public services to citizens, allegedly because of Anakata.

Anakata will be sent to jail for this. The private enterprise has no particular obligation to fix their problems. They may or they may not - it depends on what the contracting public authorities give them money to do. The public authorities have no particular obligation to tell citizens what happens with the data that the public authorities collect. As a citizen, I have entered into a contract with my government as a result of me being born on their territory, that allows them to collect lots of data about me and do with it a bit what they want. They have no obligations towards me that they cannot unilaterally decide, and I have no choice but to accept them because we don't shop for citizenships. Normally.

Anakata is the scapegoat that is being punished because no one else is responsible. Our IT crime laws protect computers, public authorities and companies. They do not protect individuals.


But shouldn't we be able to punish people who are doing ill-intentioned stuff to computers?

Simply put, no. We can punish people who do illegal things, like extortion, defamation, threats or the like by means of a computer. But doing ill-intentioned stuff to a computer is a far stretch. Computers are not people, and they should not be protected by criminal law as if they were people.

Example: Most EU member states used to define DDoS-attacks as unlawful if they were used for the purpose of extortion or they caused economic damage. Now it is no longer like this - now the very act of rendering information unavailable that was meant to be available is unlawful. We are protecting the computers' right to be online, or the owners' right to have their computers online. The users of the services of the owners of the computers of course are generally unprotected by law and contract. No computer owner guarantees their users 100% uptime in the service level agreement. And so, we have changed from a model where people were punished if they created a negative effect, into a system where people are punished if they act in a subjectively decided bad way towards a machine.

This is at the base of this problem: when we protect the owners of the computers, and the builders of the system, in criminal law, and accept that citizens and users suffer all the negative consequences without being informed, and without anyone having the obligation to fix this or compensating users for harm to themselves arising from a security breach, it is the government using its violence monopoly - the police - to protect corporations against people. In this case, the police is attempting to protect big corps and government top shots from Anakata.

We can also compare with the extensive debates we've had on penetration testing, a type of security activity where you suddenly try to hack someone else's computer system in order to establish that it is secure or functioning in the agreed way. Who decides when this is malicious, and when it's not? I can imagine quite a few contractual situations when it's not the owner of the victimized computer who decides.


But Anakata seems to have had a lousy personality, and if he wasn't jailed he would have anyway died from health problems.

These are both authentic observations I have heard in different circumstances. There are many people with lousy personalities. There are many people with health problems. We can't jail all of these individuals, nor can we use those criteria as a basis for our criminal law system. Health problems, in theory, can be solved by the Swedish health care system. But any form of illness is a very distinct and separate problem from the problem at hand, which is that Anakata was allegedly accessing a computer without authorization.

There is no straight fix for a lousy personality. It seems also a completely arbitrary measure of man.


But a private individual who is exposed to unauthorized access can't pay for the investigation themselves! For social justice, we need to involve the police and have criminal law in place so that the cost doesn't fall on the individual.

This is by far the best argument I have heard for IT crime laws the way they are written. The problem is it's based on a completely false premise, which is that the police by necessity is the public authority that alleviates investigation costs from individuals.

In a liberal democracy, we have many public authorities that are not the police or law enforcement. There is no need to make Anakata responsible for security problems in the Swedish public sector, and it's of little use. The consumer rights ombudsman could protect consumers in cases of security flaws in software solutions marketed to private persons. In the cases of public authorities and IT systems, one would assume that strong privacy laws should help in defining software requirements - in Sweden, it's the competition authority which is responsible for public procurement legislation, although the data protection authority could probably be involved also. Mostly, what would help is actually additional legislation, particularly liability rules, transparency rules and disclosure rules for software manufacturers. That would already help a lot, including for business-to-business interactions.

I had the strangest experience just recently, when someone argued on social justice grounds that the police must carry the cost of hacking investigations because it's otherwise unfair. After two weeks of confusedness I concluded that this is a mix of social democratic equality concerns and technolibertarian night-watch state reasoning. In a night-watch state, since one imagines that the government's only public authorities should be law enforcement and judiciary, of course one would have to resort to either of those two authorities as soon as one wants a problem to be solved. That makes both the law enforcement and judiciary incredibly powerful entities in the night-watch state since they will be called upon for every type of common problem a society can envisage.

Side-note: in a common law system, perhaps the judiciary would actually get more power because the judiciary in common law systems makes law. But in most of the European Union, the United Kingdom and Ireland excepted, that wouldn't be the case. Perhaps there are other people with deeper understanding than me that could explain if and how the night-watch state would function in a Germanic/Napoleonic legal tradition.


There is much that can be said about this. I find myself at the cross-roads of political philosophy, legal philosophy, legal frameworks, politics, and man-machine cultural studies. Some humanist philosophizing about every individual's perspectives on Commander Data in comparison to their relationship with their smartphone might be useful. There is something rotten in the Kingdom of Denmark.

18 comments

I mostly agree with you, but I can't agree on the point that DDoS attacks shouldn't be illegal in and of themselves. In my eyes, they fall under the same general area as vandalism - if someone breaks stuff, they should be held accountable for breaking it.

Another way of looking at it is that if you're standing outside a store or someone's home and prevent people from entering, the owner of the store or home has a legitimate beef with you. Similarly, if you prevent people from accessing someone's website, they should have a legitimate case against you, even if no actual economic damage is done. Or do you think the Church of Scientology should be free to DDoS xenu.net?

I have previously criticized the copyright industry for employing DDoS providers to take down file-sharing websites.

I however disagree with the assumption that anyone is free to DDoS anyone else for any purpose only because the DDoS as such is not a criminal activity. This is my point about liberal democracies: we have many ways in which we steer and govern society and markets, most of which are completely unrelated to law enforcement and rather take aim at providing appropriate incentives for different society actors to act in the commonly agreed correct way in as many circumstances as possible.

This is also reflected in my point about the night-watch state. If one assumes that law enforcement and judiciary are the only two authorities which can be called upon to correct errors in society, then of course it would have to be law enforcement carrying the task of sorting out DDoS problems in the Western European democracies (UK and Ireland excepted), since the judiciary is not capable of solving ad hoc problems in the same way it can in common law based systems (US, UK, Ireland).

For various reasons, however, it's impractical to mix up these systems. I'm not entirely sure that the Germanic and Napoleonic legal traditions can effectively adopt a night-watch state approach, because they are by now too grounded in liberal philosophy (interdependencies, et c et c).

In the second paragraph.. "In Denmark I'm not sure exactly who reported what, or why, .." - it was actually the Swedish police who knocked on Denmark's door and informed them about their own case because they supposedly found data which originated from Danish computer systems. Prior to that, both the company CSC and Danish authorities were unaware of the alleged intrusion into CSC's systems. Sources: http://www.b.dk/nationalt/kaempe-hacker-sag-opdaget-ved-et-tilfaelde and http://www.b.dk/politiko/rigspolitiet-noelede-med-undersoegelse-af-hacke...

On the DDoS topic, I must agree with @Staffan Johansson. DDoS is a form of vandalism and the effects it has should probably be punishable in my opinion. It may cause economic damage to the attacked organisation and neighbouring networks, in terms of loss of advertising revenue or missed out customer purchases. It may also cause problems for innocent third parties, for instance when public transportation and/or administration sites are attacked. Or even media sites, which is not unheard of.

With that said, I do not feel the act of DDoS should fall under computer hacking laws. It's not hacking just because a computer is involved, just as computer assisted fraud is not hacking because someone used a computer when committing the crime.

- -
Keep up the good work in EU. You rock.

OK, if this was not sufficiently clear, I of course agree that when DDoS causes provable economic harm or is used as a tool for extortion, this should be punishable since we don't normally allow - in any circumstances - for individuals, enterprises or organisations in society to cause each other arbitrary economic harm or for them to extort each other.

What I have an issue with is when DDoS as such is criminalized, regardless of its intentions or effects. But please read also my reply to Staffan which was more elaborated.

I'm really glad you published this article. Even though I believe anakata did not engage in this hack and this information should have been more clear on your piece, it is good to see some people like you are committed to a free, democratic internet. I particularly liked your comments on the State's monopoly and its (mis)use of police and the judiciary system. Jacob Appelbaum said that anakata's Swedish trial was important for people to understand "computers are not people" and I could understand better his point of view after reading your article. With regards to the comment above, by Staffan Johansson and the Church of Scientology, whereas they may not have DDoSed xenu.net, they did take some of its links off google search, as can be seen here: http://www.xenu.net/google_censoring.html
But that's legal, right, and it's not like legal matters are ever illegitimate!

The issue of notice and action, and generally internet take down requests, is one that I have worked with in other circumstances and inside of other legal frameworks.

It is true that we have a strong advancement of particular private interests and law enforcement interests in the internet filtering and take-down discussions, and I have strongly criticized the European Commission for not endeavouring to resolve this problem more quickly.

The problem seems to be that we define all of the internet as a law enforcement and military domain, and therefore lack the impetus to regulate effectively and properly the market for it to provide services that we need (or don't really need, as it were).

@Staffan Johansson

However much I praise car analogies as they can be very useful for explaining to less qualified people what the gist of the matter is. Something I deem to be a good thing. The use of such analogies however doubles as an open invitation for mass deceit as your vandalism comparison points out.

This debate requires nuance, something that is totally gone as soon as you numb it down to cheap analogies. Vandalism can't be compared to unauthorized access without absurd conclusions to be drawn. Yet, let's be kind and follow your narrative - which is the status quo one.

An even better car analogy in this particular case would be someone breaking into your house.
Unauthorized access to your house to be exact.
In order to achieve this unauthorized access to your house - several modus operandi could be used.

(1) Open Doors. ( No Damage at all. )
(2) Lockpicks. ( No Damage at all. )
(3) Copied keys ( No damage at all. )
(4) Bump Keys. ( Damage visible for experts. )
(5) Kicking the door with bruteforce. ( Visible damage. )
(6) Crowbars. ( Clearly visible. )
(7) Small shaped Explosive charges. ( Much damage. )
(8) A hijacked public transport bus. ( Excessive damage with collateral. )
Note: _Only_ mentioning MO directed at the physical "security" mechanism.

The unauthorized access to your house could have been committed with various motives.
Where I live, even the ( Church of Dutch ) Police does unauthorized access to private homes in order to persuade people into securing their houses better.

The unauthorized access could have been committed by someone who;

A: Is hungry, and was able to see your food in the kitchen.
B: Was paid to scare you.
C: Noticed that your house is full of luxury due to your bragging in the pub.
D: Is a professional burglar who found out that you were on vacation via social media scanners.
E: Noticed a fire on your second floor, and desires to see if he could save children, animals or you.
F: Knows you, and decides you deserve it for whatever reason.
G: Has the legal right to acquire your goods because you did not pay your bills.
H: Was simply tempted because of curiosity
I: Simply lost his or her keys and shares the front door.
J: Is a political activist for proper house security policy.

I could list a _plethora_ of things that could happen after a combination of 1 to 8 and A to J.
All of it would most probably be judged differently unless someone using copied keys for saving the children would be just as bad as someone using a public transport bus for unauthorized accessing your house with the aims to simply scare you for money.

There is NO victim, therefore there is nothing CRIMINAL that should be applied to him

I disagree that there is not a possibility for victims, but the question is what they are victims of, and who is making them victims of that thing.

One of the side-effects of that which happened in Sweden were that many people with protected identities - people whom the government had promised to protect in order to ensure that they did not suffer negative consequences from externalities in their lives - were revealed. They could certainly come to suffer problems from the fact that public authorities are unable to perform the tasks that they have obliged themselves to perform.

But the victim aspect is problematic: normally, leakage of personal information (whether it's a protected identity or Disqus user account information) causes only "secondary" effects which are uncomfortable and undesirable for private persons. Normally, a private person would associate neither the discomfort nor their fear with the party that leaks the data. If a person had a protected identity because they have previously suffered domestic abuse, that person is more likely to be scared of their abusive partner than the tax authority if their identity is revealed. What that person will, most likely, not be concerned with is whether the tax authority had procured networking services from a company which configures its databases correctly and performs timely patching.

I have actually heard people arguing about this particular case as if the people affected by public authority data breaches would somehow be particularly concerned with the latter: of course they are not. Only security engineers become angry when stuff is ill configured and badly patched.

This is another reason for why I believe that individuals, companies and public authorities alike are much better served by proper market oversight with regulations such as transparency and disclosure requirements and liability rules than by the criminal law framework that we currently have.

I honestly can't agree with the author on the point that Anakata had done no wrong to people, only to computers (please, if I understood it wrong, correct me). I don't know the laws about personal info in Denmark or Sweden, but according to my country's laws access and publicity of personal data and even net browsing logs can be given only on grounds of legal charges brought to court concerning serious transgressions (of course, as we all know, the state's government can access any private data on need; but that is secondary to my point). I really hope Anakata is not guilty of all those charges brought against him (A pity to see a co-founder of TPB in jail), but if he really is guilty, he should answer for his crimes, just like any one of us in his place would do (God forbid any of us be in his place though). In my opinion, it is not strictly the matter of law and crime, but also a moral issue e.g. why would Anakata even have an idea to hack someone's database and/or steal personal info logs? And if he really did this, how can he morally judge himself in the right to do this? I can't imagine any valid justification for such action. P.S. Data security level is not to blame, it's rather some people's nature which is responsible for crimes like that

My point is not that he may or may not have harmed the interests of private persons, but that the law doesn't take that into account. IT crime law takes into account the harm that he has subjected the computer to - it defines the computer, or perhaps the computer's owner, as the violated party. Users, customers or affiliates of the computer's owner are not protected or considered violated by the law.

I completely agree that we need a more user centric and individual centered perspective on computer security.

Thank you for clarification. It really complicates the issue, I haven't thought of it from this angle

Aha. And I completely disagree that unauthorized access to computer systems, or use of devices in ways not intended by the corporation making or owning the devices, would by definition be a sign of weak, bad or evil character on behalf of the user.

I agree on the moral issue, and I've heard other people propose that he simply has a lousy personality. While people with lousy personalities are indeed a nuisance, and we all wish from time to time that they would simply disappear, it's not a good way of addressing the problem of the Swedish tax authority being unable to fulfill its public task with respect to citizens.

And again, my citing Anakata as an example just came ready. I meant not strictly him, but wider class of people who make morally wrong deeds, clearly comprehending that they are morally wrong and would be judged as such by the community (and knowing they could be held responsible for their actions). And while I agree that use of devices in ways not intended by manufacturer or owner is not a sign of evil character, I can't so readily agree on the matter of unauthorised access to computer systems (if I understand it right, the most obvious example would be hacking a person's social web personal page with the purposes of stealing some info or simply spamming others with ads). I had some experience on that matter as a victim, it wasn't very pleasant, though I try not to store private sensitive info online

For each of those two special cases you cite, there is probably more adequate legislation than IT crime law that should be put to work:

- data protection laws or privacy laws would normally create larger obligations on providers of social network services not to be unnecessarily sloppy with security. They would also effectively put an end to mass-hacking of social web personal pages for the purpose of using personal information in a way which was not approved by the private person.

But it is a big difference if the law incentivises Twitter to make it difficult to misappropriate my account because I should be in control over my data/my identity and makes any collection or use of the data illicit if not done with my permission, or if the law penalises people who are acting immorally against Twitter. IT crime laws do the latter - the EU GDPR for instance attempts to do the former, although the text is rather watered down.

On the spamming problem, there are really two types of legislation that deal with that problem that are already outside of IT crime laws: the laws on direct marketing and in particular unsolicited marketing (in the EU, we have defined which types of electronic advertisements by e-mail or similar (if I remember) are permissible and therefore, by exclusion, exempted other types of electronic advertisements from being legit). In theory, one could probably have specific spamming enterprises investigated at least by consumer authorities in Europe.

But also, the personal data protection laws would still apply, and as in the case above.

I'm just a commoner, not a law-student so I tend to get lost in all those matters. It's all only my opinion I stated. A little on the matter of Anakata - I didn't know him before and just yesterday morning I went to TPB main page and here he was. I thought: Wow, the man suffers for just trying to help people share information and media via TPB, and it obscured the matter in my mind (for, as it always is in such cases, the defence stresses the unimportant details which have no connection to the actual charges brought upon Anakata - it boils down to a deliberate logical error). I had my doubts though, and when I saw the beginning of your article, I realized my doubts. I rather prefer to investigate the matter and form my own opinion, rather than mindlessly spamming in FB "Free Anakata" like some do. Once more, thank you for your illuminating article and your attention and time, spent answering my comments :) This case seems interesting and important. Let's just wait and see what it will come to

Dear Madam Andersdotter. Your emphasis is very true when you talk about the imperfection of the existing legal system. After all, we know that no one at the NSA suffered criminal punishment for the same acts for which Anakata is now pursued. However, the question arises: how much of an opportunity really exists now to change existing legislation to remedy this injustice? Thank you.

Normally we want relative risk to be relatively judged. Network and information security risks are always relative and therefore more appropriate for an insurance policy or the insurance industry to deal with than the police.

I had reason to ponder this at greater length once when I was asked if I would not want to punish someone who hacks my own computer - the problem is, I guess, that my computer's hackedness would depend entirely on how skillfully I protected it.

Unauthorized computer access is probably the only crime which is only a crime when it is performed by a sufficiently skilled perpetrator against a sufficiently skilled victim. If you are too dumb of a victim - for instance, you have forgotten to lock the screen on your computer - you aren't even a victim of unauthorized access, even though of course the access could have taken place anyway, unauthorized or not. I think most people would also intuitively understand why it's not meriting 2 years in jail to have opened the lid of an unlocked laptop or phone.

In the insurance industry all of these things would be kind of cost-dependent risk assessments - we would do relative compensation for relative risk.

So I guess what needs to be done is for more people to feel more happy about insurance companies :P
