112 Yale L.J. 1577 (2003)
While the Internet has revolutionized communication and commerce, it has also created the conditions for a type of crime that can be committed anonymously, from anywhere in the world, and with consequences that are unprecedented in scope. With the failure of traditional law enforcement methods to deal with these challenges, computer crime requires a new approach to thinking about deterrence. Focusing on a particular type of computer crime, unwarranted intrusions into private computer networks, this Note argues that "tailoring the punishment to fit the crime" might mean focusing on something besides punishment. It proposes a regulated system of privately sponsored "hack-in" contests to supplement the criminal law, which has proved inadequate at deterring computer crime.
Computer crime comes in many varieties, including online theft and fraud, vandalism, and politically motivated activities. Other hackers simply try to break code, seeking challenge, competition, and bragging rights. Whatever the motivation, intrusions have serious costs. At the very least, a violated site must patch the security hole. Even a nonmalicious trespass disrupts the victim's online services while the breach is fixed. Not knowing whether or not a breach was malicious, companies generally expend resources investigating the matter, often hiring private investigators so that they do not suffer reputational loss. If other hackers become aware of the site's vulnerability, a nonmalicious hack may be the precursor to more malicious attacks. Finally, considering the gravity of the risk, attack victims may change their behavior, becoming reluctant to put valuable information online.
How can private actors, alongside government, deter such activity? Two basic approaches have been suggested. First, some scholars have imagined creative ways of reinforcing the criminal law with other kinds of constraints on behavior. Second, others have suggested that the least dangerous kinds of hacking should be decriminalized in ways that demarginalize the hacking community and actually increase Internet security.
Those in the first group have expanded on the Beckerian framework, long dominant in thinking about deterrence, which limits policymakers to manipulation of two factors in deterring crime--probability of detection and severity of sentence. Scholars looking beyond this framework have incorporated social norms, architecture, and monetary costs as additional constraints on crime. Neal Katyal, for example, argues that monetary costs should supplement criminal sanctions because they constrain all actors, whereas legal sanction is only probabilistic. The insight is well taken. Criminal constraints alone will not effectively deter computer crime. Law must help second and third parties--victims of computer crime and Internet users--deter crime themselves.
Even this most recent scholarship at the vanguard of deterrence theory, however, approaches deterrence from a cost perspective. Departing from this tradition, this Note argues that, just as the "law should strive to channel crime into outlets that are more costly," it should also encourage mechanisms that channel criminal behavior into legal outlets.
The second group of scholars argues that "look-and-see" hacking, where hackers only explore systems without damaging them, and perhaps report that they have breached security, is victimless and should be decriminalized. They argue that decriminalization would result in a number of social benefits, including an increase in Internet security as hackers identify latent vulnerabilities, a better allocation of law enforcement resources, and the development of creative people with technological skills. The arguments do not satisfy opponents of decriminalization, however, who emphasize that decriminalization fails to signal clearly that hacking is a proscribed activity.
This Note seeks to develop a proposal--the "hack-in contest"--that appeals to both proponents and opponents of decriminalization. First, contests can capture the benefits of decriminalization without sacrificing the expressive and preference-shaping functions of the criminal law. Second, contests provide positive incentives for law-abiding hacking, an important approach given a hacking subculture that may be unreceptive to sanctions. Seeking to introduce positive reinforcement and "channeling structures" into the toolbox of criminal deterrence, this Note argues that a system of structured hack-in days will channel behavior away from illegal hacking toward approved activities. An effective system of contests may even strengthen positive norms among hackers, shaping preferences for law-abiding behavior. While privately sponsored hack-in contests are already prevalent, these contests lack regularity and fail to distinguish between approved and illegal hacking. Unlike these private contests, a regulated system of competitions should be designed to deter computer crime.
Part I of this Note outlines the current responses and proposals concerning computer crime and their general failure to prevent unwarranted intrusions. It contends that raising costs may not effectively deter hacking and that decriminalization undermines the expressive function of the criminal law. Part II begins by examining the preference-shaping function of the criminal law, arguing that "positive reinforcement" may be as effective at preference shaping as criminal sanctions. It then argues that the social norms latent in hacker culture may be more effectively harnessed by positive incentives than by sanctions. Part III proposes a hack-in contest framework that encourages law-abiding norms and shapes preferences for legal hacking. Part IV compares the contest proposal to broader decriminalization models and anticipates several objections to the proposal.
|
