
Adelaide Law & Technology Review

(2012) 2

Advantages of hacking?

Darío Nicolás Rolón
University of Munich, University of Buenos Aires
Munich, Germany

Abstract: Self-government and open source software policy have several points of contact, through which it is possible to define new strategies for implementing communitarian responses and a new understanding of liability on the internet. In contrast, the current model, based on a reactive response, fails in several respects to determine the scale of damage and to take advantage of the communitarian factors on the internet.

Keywords: Ethical hacking. Open source software. Self-government. Risk management. Criminal liability.

I. INTRODUCTION

Issues related to the development of the internet are progressively gaining importance around the world, not only for strategic decisions in the political, cultural, industrial, and economic fields but also in the surveillance arena. However, the development of the internet is out of proportion to the lack of even minimal agreement on the definition of cybercrime in the academic field. The current responses to cybercrime adopt the same reactive model of intervention, which relies on intervening at a fixed point in cyberspace. If we take this kind of response seriously, under a reactive policy in cyberspace there is no room to tolerate the intervention of a non-centralized instance of surveillance. It is therefore not surprising to find several cases of risk profiling on the internet and the deployment of surveillance mechanisms to force users and companies on the internet to give explanations and to deliver information about users' behavior, as the experience in Germany and the USA shows, especially since 2001.

II. COMMUNITARIAN APPROACHING TO CYBERCRIME?

The traditional models of law enforcement rely on the distance between author and victim, and on the discernible scale of damage. According to a widespread understanding coming from the so-called reactive model of intervention and forensic investigation, it is possible to increase the chances of success by identifying the crime's locus. In other words, the crime's locus constitutes the starting point for investigating an offline crime1. Likewise, in the online world, the locus of cybercrime does not play a significant role, and usually presupposes a long distance between the perpetrator and the victim. Furthermore, the impossibility of determining the scale of damages is characteristic of the online world. However, the irrelevance of the cybercrime's locus is not absolute. By examining the architectural features of the internet, the ecological approach aims to determine whether it is conceivable to put into practice a communitarian model of intervention instead of the current reactive model, which presupposes a new understanding of cooperative behaviors and their advantages in cyberspace, especially in the field of cyber security.

Consistent with the internet's landscape, Brenner explains that there are two classes of activities with regard to the locus where they occur, which have been called fluid and fixed activities. In accordance with Brenner's distinction, the so-called fixed activities occur at a fixed point in cyberspace, for example a web site, where crimes like fundraising, money laundering, or distribution of propaganda could be committed; at the same time, this kind of fixed site exposes users and internet service providers to becoming a target of reactive measures like denial-of-service attacks2. For instance, one could mention the so-called take-down procedure, which is the basis of the procedures embodied in the SOPA law in the USA for adopting preventive and reactive measures after the identification of gaps in surveillance measures by the so-called internet service providers3. One could also mention the procedure enacted in the German Law of 2009 and the E-Commerce Guidelines of 2001, which focus on establishing a special kind of responsibility for internet providers insofar as they make illegal content their own and available in the storage domain under their supervision4, in order to avoid the difficulties raised by the Compu-Serve and Telekiosk cases5.

As a consequence, this kind of reactive measure could be launched not only by the government but also by private users, which carries an inherent risk of retaliation. In contrast, in the arena of fluid activities there is no single or fixed point where the crime has been committed. Under this category, the crime is usually committed from far away by anonymous actors on the internet, i.e. without a fixed point in cyberspace. This kind of criminal activity across the internet constitutes a substantial challenge for any explanation belonging to the ecological perspective6.

University of Buenos Aires, PhD candidate (Universidad of Buenos Aires, Argentina, in cooperation with the German Academic Exchange Service for the Ludwig Maximilian Universität München, Germany).

1 Jones, Benjamin R., Comment: Virtual Neighborhood Watch: Open Source Software and Community Policing against Cybercrime, The Journal of Criminal Law and Criminology (1973), Vol. 97, No. 2 (Winter, 2007), p. 603
2 Brenner, W. Susan, Why the Law Enforcement Model Is a Problematic Strategy for Dealing with Terrorist Activity Online, in Proceedings of the Annual Meeting (American Society of International Law), Vol. 99, (March 30 - April 2, 2005), p. 111
3 Sections 103 and 104 of the U.S. law "To promote prosperity, creativity, entrepreneurship, and innovation by combating the theft of U.S. property, and for other purposes" (SOPA H.R.3261.IH). German telecommunications law, paragraphs 7-10. E-Commerce Electronic Guidelines, Arts. 12-14.
4 See Hilgendorf, Eric, Frank, Thomas, Valerius, Brian, Computer und Internetstrafrecht. Ein Grundriss, Springer Verlag, Berlin-Heidelberg, 2005, p. 82, n 293; Spindler, Gerald, Das Gesetz zum elektronischen Geschäftverkehr-Verantwortlichkeit der Diensteanbieter und Herkunftlandprinzip, Neue Juristische Wochenschrift (NJW), C.H. Beck, München, 2002, p. 922
5 Sieber, Ulrich, Strafrechtliche Verantwortlichkeit für den Datenverkehr in internationalen Computernetzen, Neue Herausforderungen des Internets - Fortsetzung und Schluss, Juristischen Zeitung, Mohr Sieben, Tübingen, 1996, p. 503.
6 Jones, op. cit., p. 612

To face the challenges posed by fluid activities, it is indispensable to crystallize the linking notion behind the proposals of communitarian intervention against cybercrime and the ecological perspectives. In other words, it must be established whether the linking notion of cooperation would be reflected in the notion of liability, and whether open source software could play a role in determining the damages and the proportionality of the intervention.

III. ETHICAL ACCESS?

To open the discussion on communitarian intervention, commentators allude to hackers' activity and to so-called ethical hacking, i.e. gaining access to a system without the victim's agreement in order to fill security gaps. This kind of activity has been defined as ethical hacking and sums up certain particularities on which the communitarian model is based. To define the meaning of ethical hacking, it has been proposed to distinguish between white-hat and black-hat hackers7. The former refers to accessing a system in order to examine its functions by implementing technical measures, with or without the user's agreement; the latter, i.e. black-hat hackers, refers to gaining illegal access to a computer system. Given both definitions, the victim's or user's agreement is not a helpful criterion for determining the limits of ethical hacking. For this reason, it has been proposed to distinguish between ethical and unethical hacking according to the author's purposes. The hacker's purpose as the starting point for defining illegal access has been enacted in several rules. One example is the American anti-hacking legislation, whose provisions on illegal access have been strongly criticized for the extreme ambiguity of the subjective requirements, since the rules on illegal access require an illegal access committed with mere intention together with the requirements of damages8. In other words, the ambiguous definition of illegal access goes hand in hand with the notion of damage, i.e. the criteria for determining the scale of damage, because illegal access is frequently differentiated from ethical hacking by broadening the damage criteria. In doing so, the discussion about the user's or victim's agreement is avoided and replaced by the criteria of damage.

Regarding the criteria of damage and its enacted definition in the American anti-hacking legislation, a relevant damage is "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service"; it was also emphasized that the US Sentencing Guidelines Manual contains a similar provision9. As a consequence, several commentators have also claimed that the standard of "any reasonable cost" for characterizing the damage caused by an illegal access is a victim-centric rule, which has predictable economic and theoretical implications. On the one hand, the current loss definition may allow any reasonable cost, including response costs, damage assessments, restoration costs, lost revenue, incurred costs or interruption-of-service costs, to be aggregated to reach the statutory minimum; on the other hand, this measure is heavily dependent upon the victim's response, and given such broad categories of reasonable costs, the current damage and loss requirement serves no culpability-sorting function10.

Regarding the dual use of technological tools, some proposals for dealing with ethical hacking assume that criminal law cannot embrace both ethical and unethical hacking and, as a measure against illegal access, impose a duty to report successful hacking episodes. As an example of this peculiar way of defining the subjective requirements of illegal access, commentators have cited the decision of the Second Circuit Court of Appeals in United States v. Morris (US v. Morris, 928 F. 2d 504 - Court of Appeals, 2nd Circuit 1991), in which intentional access was punished irrespective of the intent to cause damage11. As a consequence, if we take the provisions of the American anti-hacking legislation seriously, there is no way to exclude any act of gaining access from the illegal access clause. Furthermore, decriminalization undermines the signaling aspect of the criminal law and causes significant social harm simply by allowing unauthorized access to a private computer or network. This harm manifests in two ways: the social weight placed on privacy and the chilling effects that may ensue from that loss of privacy12.

In addition, it has been argued that there are different tolerance levels between targets: some computer systems are unable to perform vital functions while undergoing attacks, and others may value privacy differently. It has also been argued that there are monitoring and reporting costs associated with hacking attempts, which may affect large businesses differently from small businesses or individual users13. Finally, there are several problems regarding the registration of attempts or acts of ethical hacking; the implementation of this kind of institutionalization of the behaviors involved in ethical hacking also challenges the second step of this proposal14. Treating the hackers' purposes as a basis for circumscribing competencies between hackers is also reflected in the arguments related to the participative model of surveillance and open source software, which point out the advantages of a participative model over the disadvantages of the so-called current closed model; the underlying argument's premise is thus based on the positive effects of

7 Thompson, Trevor A., Comment. Terrorizing the technological neighborhood watch. The alienation and deterrence of the white hats under the CFAA, Florida State University Law Review, Vol 36:537, 2009, p. 541
8 Idem, p. 561
9 Idem, p. 564
10 Idem, p. 565
11 Idem, pp. 561/574
12 Idem, p. 575
13 Thompson, op. cit., p. 575
14 Idem, p. 582

cooperation on the internet, and on rejecting or at least reducing the impact of the arguments associated with the risk of disseminating malware and intrusive programs. Thus, recognizing that the limits between ethical and unethical hacking can be drawn only when one considers the author's intention, and facing the legislation's ambiguity in specifying the subjective requirements involved in the meaning of illegal access, some researchers have no hesitation in proposing the decriminalization of illegal access and in emphasizing the advantages of ethical hacking's values. In other words, this proposal incorporates the advantages of sharing information, especially for the resolution of gaps by users. Although this proposal says nothing about tailoring risk on the internet, that could be a practical consequence, as the experience of Linux and other open source software (OSS) systems shows.

IV. BALANCING ETHICAL ENTHUSIASM?

The Linux, Firefox, OpenOffice, and Wikipedia projects are gaining increasing importance around the world due to their cooperative advantages. The case of Linux additionally gives rise to a new way of setting up management in collective projects, which is a further argument supporting communitarian intervention to fill the gaps on the internet by opening the software's sources. For this reason, in many countries there are political initiatives seeking public support for open source, such as direct subsidies to open-source projects, standards for the use of open-source software in government agencies, and the replacement of some proprietary software with open-source software in schools and universities15. The policy of open source software involves users' participation by allowing them to take control of the system's functions by sharing experiences and making its failures visible. Open source software is software for which the source code is open and freely available to the public: everybody has the right not only to use the software, but also to extend it, to adapt it to his or her own needs, and to redistribute the original or modified software to others16.

In recent years there have been many political initiatives trying to foster the open-source movement and to spread the use of OSS in public administration and at schools and universities. For example, the President's Information Technology Advisory Committee recommended that the federal government support open source software as a strategic national choice to sustain the U.S. lead in critical software development17. The German initiative called Bundestux should also be mentioned, in which members of parliament from all major political parties declared that the introduction of a free operating system in the Bundestag would be necessary to promote basic regulation, competition and location policy, as well as for democratic reasons18. In France, in August 2001 the French Prime Minister Lionel Jospin handed down a decree creating the Agency for Technologies of Information and Communication in Administration, whose mission is to encourage administrations to use free software and open standards. The U.S. government has provided substantial support for R&D efforts that create OSS that must be released under the GPL, and the same occurs in several Italian municipalities and the provinces of Florence and Pavia. The Norwegian Statskonsult has prepared a report on the usability of Linux in the Norwegian public sector as well. In Asia, the Taiwanese government, through the National Open Source Plan, requires all schools and public agencies to switch to OSS within the next three years19, and China, which has one of the world's fastest growing information technology markets, plans to create a domestic software industry centered on Linux20. In South America, the government of Peru has recently enacted legislation on open source software, which makes it compulsory for all public bodies to use only free software21.

The argument concerning users' motivation to take part in the process of restoring systems is based on interconnectivity, which is considered a powerful tool for creating awareness and repairing failures, and which is motivated by the users' interest, i.e. the proper functioning of the internet22. In fact, by opening the code of the most widely used software, programmers connected via the internet will, in short, be able to exchange information freely and cheaply23. Furthermore, a significant number of participants in an open source project could reduce the shortcomings and the amount of time required to search for and find solutions, especially given the minimal effort involved in the requested tasks24. So-called peer production does not operate like market or hierarchy-based production25.

According to Benkler, peer production is reflected in two dimensions. The first emerges when one considers all approaches to organizing production as mechanisms by which individual agents reduce uncertainty as to the likely value of various courses of productive action. The second emerges when one considers the allocation efficiencies gained from the absence of property26. Accordingly, it has been argued that a particular strategy that firms, and to a lesser extent markets, use to reduce uncertainty is securing access to a limited set of agents and resources through contract and property27. Benkler then argues that this strategy entails a systematic loss of allocation efficiency relative to peer production, because there are increasing returns to scale for the

15 Schmidt, Klaus M. and Schnitzer, Monika, Public subsidies for open source? Some economic policy issues of the software market, Harvard Journal of Law & Technology, Volume 16, Number 2, Spring 2003, p. 474
16 Idem, p. 475
17 Benkler, Yochai, Coase's Penguin, or, Linux and The Nature of the Firm, The Yale Law Journal, Vol. 112: 369 (2002), p. 371
18 Schmidt and Schnitzer, op. cit., p. 493
19 Ibd.
20 Rodriguez, Kenneth J., Closing the Door on Open Source: Can the General Public License Save Linux and Other Open Source Software?, 5 J. High Tech. L. 403 (2005), p. 404
21 Schmidt and Schnitzer, op. cit., p. 493
22 Jones, op. cit., p. 622
23 Idem, p. 623
24 Ibd.
25 Benkler, Yochai, Coase's Penguin, or, Linux and The Nature of the Firm, The Yale Law Journal, Vol. 112: 369 (2002), p. 399
26 Benkler, op. cit., p. 406
27 Idem, p. 407

size of the sets of agents and resources available to be applied to projects, and peer production relies on unbounded access of agents to resources and projects28. In contrast, with closed software, programmers who work together within a firm may develop groupthink and miss vulnerabilities, while having an incentive to hide their mistakes from the outside world if they think they won't get caught29.

V. MANAGING RISK ON THE INTERNET?

In October 2007, leading commercial copyright owners, including CBS and Disney, and YouTube-like user-generated content (UGC) services that display and distribute user-uploaded and user-generated audio and video content announced that they had agreed on principles of coordination between self-governance and traditional regulation30. By using filtering software and displaying information about the importance of intellectual property rights and copyright, the companies try to limit their liability for copyright violations committed by the services' users in providing content on the web31, although this kind of agreement is not legally enforceable. As a consequence, we have arrived at the following situation: on the one hand, the companies encourage their users to use the creative tools available, and on the other hand, they try to limit their own responsibility. Restraining liability represents self-governance at a secondary level, considering that the agreements are not legally enforceable. However, these private agreements indicate how and why the law should be followed and what the risks of breaking the law are32. It has also been argued that self-government is explained by the absence of reliable statistics on crimes committed on the internet and, in the copyright arena, by the settlements reached in the shadow of litigation, which also show the continued vitality of cooperation and self-regulation as drivers of online behavior33. Despite this kind of agreement, allowing users to take part in the surveillance process through an open source policy would make it possible not only to define the scale of damages but also to concentrate public resources on pursuing complex maneuvers instead of simple cases of illegal access. Users' intervention could play an important role in defining the scale of damage and the complexity of the maneuvers, and also in locating dangerous code.

Therefore, this kind of risk management on the internet, which currently takes place at a secondary level through informal agreements and negotiations between internet providers and users, could emerge as an alternative to the current system of liability enacted in rules that rest exclusively on a fixed understanding of cyberspace.

VI. CONCLUSIONS

Although an open source software policy could have a negative impact on software companies (this profit argument, however, taken seriously, could show several weak points on close examination), as James proposes it is possible to find an intermediate solution for fluid activities by striking a balance between the interest in implementing an open source software policy and the property of the software companies. One such solution could be, for example, for Microsoft to give programmers and developers more access to the source code of Internet Explorer, which is currently bundled with its Windows operating system34. Without revealing the source code of Windows, the company could give greater transparency to its internet browser, allowing developers to scour the source code for security flaws before they are exploited by potential criminals35. Implementing an open source software policy does not mean that opening access to the sources cannot increase the chances of becoming a victim of illegal behavior. In fact, it could simplify hackers' maneuvers for gaining access. After all, the main argument rests on strengthening the response to hackers' attacks by enabling the system's capacity for restoration, as happens, for example, with Wikipedia or Firefox36. Whether the government should support the development of OSS to promote alternatives to the current software, and whether it should encourage schools to adopt Linux37, involves a further discussion about the government's role in cyberspace. The argument concerning the government's economic impact in the economic arena should apply equally to the reactive model of intervention, because governmental intervention through rules like Articles 12 to 14 of the E-Commerce Guidelines regarding internet service providers implies the same (or maybe a worse) kind of intervention.

28 Ibd.
29 Katyal, Neal K., Digital Architecture as Crime Control, 112 Yale L.J. 2261, 2265 (2003), p. 2265
30 Notes, The principles for User Generated Content Services: A Middle-Ground Approach to Cyber-Governance, Harvard Law Review, Vol. 121, No. 5, Mar., 2008, p. 1387
31 Ibd.
32 Idem, p. 1388
33 Ibd.
34 Jones, op. cit., p. 627
35 Ibd.
36 Ibd.
37 Schmidt and Schnitzer, op. cit., p. 493

REFERENCES

[1] Brenner, W. Susan, Why the Law Enforcement Model Is a Problematic Strategy for Dealing with Terrorist Activity Online, in Proceedings of the Annual Meeting (American Society of International Law), Vol. 99, (March 30 - April 2, 2005).
[2] Jones, Benjamin R., Comment: Virtual Neighborhood Watch: Open Source Software and Community Policing against Cybercrime, The Journal of Criminal Law and Criminology (1973), Vol. 97, No. 2 (Winter, 2007).
[3] Thompson, Trevor A., Comment. Terrorizing the technological neighborhood watch. The alienation and deterrence of the white hats under the CFAA, Florida State University Law Review, Vol 36:537, 2009.
[4] Schmidt, Klaus M. and Schnitzer, Monika, Public subsidies for open source? Some economic policy issues of the software market, Harvard Journal of Law & Technology, Vol. 16, Nr. 2, Spring 2003.
[5] Benkler, Yochai, Coase's Penguin, or, Linux and The Nature of the Firm, The Yale Law Journal, Vol. 112: 369 (2002).
[6] Notes, The principles for User Generated Content Services: A Middle-Ground Approach to Cyber-Governance, Harvard Law Review, Vol. 121, No. 5, Mar., 2008.
[7] Rodriguez, Kenneth J., Closing the Door on Open Source: Can the General Public License Save Linux and Other Open Source Software?, 5 J. High Tech. L. 403 (2005).
[8] Hilgendorf, Eric, Frank, Thomas, Valerius, Brian, Computer und Internetstrafrecht. Ein Grundriss, Springer Verlag, Berlin-Heidelberg, 2005.
[9] Spindler, Gerald, Das Gesetz zum elektronischen Geschäftverkehr-Verantwortlichkeit der Diensteanbieter und Herkunftlandprinzip, Neue Juristische Wochenschrift (NJW), C.H. Beck, München, 2002.
[10] Sieber, Ulrich, Strafrechtliche Verantwortlichkeit für den Datenverkehr in internationalen Computernetzen, Neue Herausforderungen des Internets - Fortsetzung und Schluss, Juristischen Zeitung, Mohr Sieben, Tübingen, 1996.
