yhtomit 4
abcity84
Wk4-PeepingintoaHacker_sMind.pdf
Electronic copy available at: http://ssrn.com/abstract=1000446
Peeping Into A Hacker’s Mind: Can Criminological
Theories Explain Hacking?
I. INTRODUCTION
If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also
suffer a defeat.
-Sun Tzu, Chapter III, The Art of War
1
Sun Tzu’s exposition about knowing one’s enemy has emerged as a recondite problem
for legal scholars in the face of lack of efficient rules concerning hacking and continues
to haunt them due to lack of understanding of the operating criminal mind and its
underlying designs and motivations. The information revolution has lead to creation of
‘information highways’ operating across the globe through interconnected computer
networks. The change has been unprecedented but surely not without pitfalls. The rapid
metamorphosis of social values and structures is resulting into a control deficit and the
consequent emergence of new computer crimes like hacking which have transgressed
national boundaries through a burgeoning interconnected cyberspace (which has
amplified opportunities for crimes like privacy violation and the information theft). Given
the presence of the networked computers in almost every aspect of modern life, the
amount of sensitive information stored on networks, and the relative ease with which
computer crimes may be committed, the study of computer crime demands greater
attention from researchers, law enforcement agencies and legislators. Law codes
throughout the world have proved ineffective in curbing the expanding domain of
hacking behaviour and hence a need has arisen to re-look at the strategies for containing
this emergent menace. This paper seeks to make a modest attempt to peep into the
hacker’s mind i.e. to understand the criminal behaviour of hackers and locate the source
of the rot. I seek to deploy the traditional criminological theories based on psychology,
social learning and rational choice to examine how they may be applied to develop an
Electronic copy available at: http://ssrn.com/abstract=1000446
understanding of this new deviant behaviour. However, this paper is only a modest
attempt to understand the explanations that these theories may provide for hacking and
thus does not seek to delve into the empirical verifications and other abstract theoretical
or logical contradictions that have been offered by the critics.
II. “HACKER”: THE CLASSICAL CONUNDRUM OF CLASSIFICATION
In order to explore the working of the criminal mind, it is required to develop an
understanding of different hacking-types so that there can be systematic deduction and
analysis of behavioural differences with varied underlying motivations. Rogers (2002)
argues that hackers are not a homogenous group and granulization and classification is
essential to pin up researches on understanding their behaviour. Generally speaking,
hacking is a successful or unsuccessful attempt to gain unauthorized use or unauthorized
access to a computer system.1 However, a lack of consensus over the connotation of the
term ‘hacker’ has been evident over the years. Originally, the term denoted outstanding
and radical programmers in the computer science fields who hailed usually from Berkley,
Stanford or MIT.2 Later, the concept underwent radical metamorphosis. Hollinger (1988),
based on a progression ranging from less skilled to technically elite computer crimes,
divided hackers into three categories: pirates, browsers, and crackers. Pirates, the least
technically proficient hackers, confine their activities to copyright violations through
software piracy. The browsers, with a moderate technical ability, gain unauthorized
access to other people’s files but do not usually damage or copy the files. The crackers,
the most proficient hackers, abuse their technical abilities by copying files or damaging
programs and systems. McAfee Corporation adopts the classification of hackers into
White Hats and Black Hats.3 White Hats tend to find flaws in security networks for
security corporations and thus contribute to the beneficial improvement of computer
1 Under Section 66 of the Information Technology Act, 2002, a person is said to have committed hacking if he, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means. 2 Peter T. Leeson & Christopher J. Coyne, The Economics Of Computer Hacking, 1 J.L. Econ. & Pol'y 511 (2005), at 513.
2
3 See Cynthia Fitch, Crime and Punishment: The Psychology of Hacking in New Millenium, (Dec 16, 2003), retrieved from <http://www.giac.org/practical/GSEC/Cynthia_Fitch_GSEC.pdf> (Last accessed on July 10, 2007).
services for the users. Black Hats, the ill-intentioned hackers who abuse their skills, can
be further subdivided into angry hackers, script kiddies, and agenda hackers. Angry
hackers, motivated by hatred for a particular company or group, dedicate their resources
to harm them. Script kiddies create mischief on the internet for fun and use hacking tools
made by others. Agenda hackers include those disillusioned by political or economic
agendas or engaging in terrorist activities through large scale disruption of computer
networks. Lemos (2002) refers to a third group of hackers called Gray Hats who are
independent security experts, consultants or corporate security researchers and are
essentially reformed Black Hats like Kevin Mitnick.4 Finally, Rogers (2002), using the
findings from works of the computer security industry has categorized hackers into seven
distinct groups on a continuum of lowest to highest technical ability5 viz. Tool
kit/Newbies (NT), cyberpunks (CP), internals (IT), coders (CD), old guard hackers (OG),
professional criminals (PC) and cyber-terrorists (CT). The NTs are at initial stages of
hacking with limited programming skills and use tools and information provided on
internet by experienced hackers. CPs, skilled enough to write their own programs,
maliciously deface web pages and send viruses, worms and junk mails. Disgruntled
employees or ex-employees who hack into or attack their employer’s computer systems
either by abusing their privileges or special knowledge constitute the internal group and
conduct a formidable 70% of all hacking activity. OG hackers have high levels of skill
and understanding of computer systems and programming but are not malicious in their
intent and look upon hacking as an intellectual endeavour. Lastly, the PCs and CTs, the
most dangerous hackers, are highly skilled, use the latest technology and may act as
mercenaries for corporate or political purposes.
III. A PSYCHODYNAMIC PERSPECTIVE ON HACKING
Psychodynamic theories of crime were built on the ashes of Cessare Lombroso’s famous
biological theory of crime which had conjured up a ‘predestined actor model’ for the 4 Mitnick had been convicted for a four year term for his hacking spree in US and is presently acting as a security advisor forming his own security company. He is being hired by companies to break into their computer networks, reveal their security system weaknesses, and teach them how to better protect themselves at high pay packages. See Talya Halkin, Legendary hacker Mitnick turns legit, The Jerusalem Post (Feb. 24, 2006). 5 See also Cynthia Fitch, supra note 3.
3
criminal and explained criminal activity as an outcome of factors internal to human body
creating inherent ‘criminal dispositions’. They brought forth the ‘criminal mind’ as the
force behind crime, operating free from differences of social milieu.6 There seems to be a
natural link between hacking activities and hacker’s psychology as they indicate
premeditated and learnt patterns of behaviour. I propose to discuss three prominent
psychological theories viz. Sigmund Freud’s psychoanalytic theory, B.F. Skinner’s
Operant Conditioning and Hans Eysenck’s EPN theory.
(A) The New Age Hacker & Freud’s Psychoanalysis
Psychoanalytic theory, as developed by Sigmund Freud, relies on the hypothetical
fragmentation of human personality into unconscious and conscious forces.7 Freud
proposed that human conduct is governed by three forces viz. Id, Ego and Superego. Id
represents the unconscious impulsive force which includes primitive biological needs like
thirst, hunger and sex etc. He proposed a conflict of Id with Superego, which according to
him, represented the inner moral agency, whose development depends primarily on
satisfying parent-child relationships. The formation of superego depends on the norms
and moral values learnt by the child from his parents and guardians. In this paradigm, ego
represents the conscious part of personality which seeks to balance the above two
opposing forces. Behaviour depends on the balance of the psychic energy system and any
disturbance in this system may produce maladaptive development.8 Thus, he highlighted
two causes of deviant behaviour (1) an inadequate superego formation and functioning
due to impaired parent-infant relationships whereby the individual fails to control the
impulse of Id, and (2) repressed unconscious desires stemming from a failure to express
strong emotional ties with another person, often the parent. August Aichhorn, another
renowned psychoanalyst, stated that there was some underlying predisposition termed
“latent delinquency” which causes the later criminal behaviour. A failure in
psychological development accentuates the initial asocial tendency (latent delinquency)
with which every child is born and thus results in deviant behaviour. Other
6 See Roger Hopkins Burke, An Introduction to Criminological Theory (Lawman Pvt. Ltd., New Delhi, 2001) p. 77. 7See Larry J. Seigel, Criminology (Wadsworth, 7th ed., 2000) p.163.
4
8Burke, supra note 6, at pp.78-79.
psychoanalytic theorists felt that the inability to postpone immediate gratification in order
to achieve greater long-term gains was a key factor in criminal behaviour.9
Strictly, psychoanalytic theories are more suited for crimes that result from unconscious
conflicts like sexual offences or kleptomania. They are not well equipped to explain pre-
meditated and planned computer crimes. The psychoanalytic theories concentrate mainly
on unconscious factors and the child-parent interactions. A failed bond with a parent is
unlikely to lead a child to acquire computer knowledge and practice hacking. Rogers
(2000) argues that although several of the more infamous hackers had associations with
dysfunctional families, this is not sufficient to explain their choice of the criminal activity
to engage in as hacking does not seem to fit in the traditional view of “repressed desires”
in the unconscious. Hacking is a conscious activity dependent on specific technical skills,
operational knowledge of computers, networks and advanced technological
understanding. To be successful at hacking the individual also has to plan the attack in
some detail i.e. choose victim system or networks based on their security levels or other
interests of the hacker. Thus, Freudian psychoanalytical theory fails to account for the
emergent hacking behaviour due to its inherent structural constraints.
(B) Is Hacking a Conditioned Behaviour?
B.F. Skinner’s has argued that human behaviour is determined by the environmental
consequences it produces for the individual involved. A behaviour that produces
beneficial and desirable consequences multiplies in frequency; which is called
reinforcement of the said behaviour. On the other hand, behaviour, which produces
undesirable consequences, decreases in frequency due to punishment. Behaviour
therefore operates on the environment to produce results that are either reinforcing or
punishing.10 Thus, a rewarding criminal activity leading to increase in prestige, money, or
feelings of adequacy makes the person more likely to engage in further criminal activity.
If the consequences are negative viz. arrest or ostracisation, then the frequency of future
criminal behaviour should be reduced. Operant conditioning can be used to explain
general delinquency as opposed to focusing on specific offences where its application is
structurally constrained due to uncertainty in determination of offence-specific levels of 9 Id, at p.79.
5
10 Id, at pp.83-84.
rewards and punishments. Penalties for computer crime may have minimal effect as
hackers constitute a counterculture and operate in a world of anonymity where chances of
being caught are miniscule. In such a scenario, penalties might serve more as a challenge
to boast about eluding them. Wible (2003) also argues that punishment alone may not be
the best preference-shaping model in the computer-crime context. Moreover, hackers
who have been caught and repeatedly punished, with no obvious reinforcement, still
continue to engage in the activity as if it was an ‘addiction’.
(C) Hans Eysenck’s Theory: The EPN Criteria
Focussing on influence of both social and biological factors on individual personality,
this theory is based on the notion that through heredity some individuals are born with
certain learning abilities which are conditioned by environmental stimuli. The theory is
premised on two dimensions of personality viz. extraversion (E) and neuroticism (N)
existing on a continuum. The extraversion dimension ranges from high (extravert) to low
(intravert) and neuroticism dimension from high (neurotic) to low (stable). There is a
separate third dimension called ‘psychoticism’ (P) which seeks to measure attributes such
as aggression, preference for solitude, and lack of feelings for others.11 According to the
theory, children learn to control antisocial behaviour through the development of a
conscience which is a set of conditioned emotional responses to environmental stimuli
associated with antisocial behaviour e.g. an act of punishment from a parent for some
antisocial act. The conditioning socializes the child but its nature is integrally connected
with the EPN parameters of an individual’s personality. High E and high N scores
indicate poor conditionability and poor socialization producing an inclination towards
criminal behaviour. On the other hand, low E and low N scores lead to good
conditionability and effective socialization resulting in better internalisation of social
norms and reduced deviancy. High scores on the third dimension psychoticism (P) would
indicate hostility towards others and an inclination to more aggressive, violent criminal
behaviour.
11 Id, at pp. 84-85.
6
Rogers (2000) points out that Eysenck’s theory is “geared more toward anti-social
behaviour, and has had mixed results in predicting general deviancy”. The development
of conscience in relation to hacking activity becomes irrelevant as parents are unaware of
basics of computers and thus fail to condition the children in the right direction. There are
hardly any crystallised social norms or morals governing use of the new computer
technology. Thus, the proposition that a conditioned moral reflex against hacking can
develop in such a state of absolute moral ambiguity is untenable. Moreover, the theory
would predict that hackers should be high on the extraversion scale i.e. having unstable
personalities. However, Rogers (2000) argues that the majority of the arrested hackers
and those, which have responded to surveys, indicate they are withdrawn, uncomfortable
with other people and are intraverts. The theory fails on certain major behavioural
explanations concerning hackers’ personalities.
IV. I HAVE LEARNT TO HACK: APPLYING SOCIAL LEARNING THEORIES
Social learning, as Seigel (2000) puts it, looks upon crime as a product of learning the
‘norms, values and behaviours’ associated with the criminal activity. This may involve
the acquisition of knowledge concerning the techniques of crime commission and
achieving moral disengagement by discovering appropriate rational justifications for the
deviant behaviour. Prima facie, hacking appears to be a learnt and acquired behaviour and
thus it becomes a moot question: how the hacker learns to hack? Learning theories may
help in discovering the agencies and social processes (based on interaction through the
internet) through which a predilection for hacking and the knowledge to implement it
may be acquired. In this respect, I propose to examine the Differential Association theory
proposed by Sutherland, the Differential Reinforcement theory propounded by Ronald
Akers and the Neutralization theory of David Matza and Gresham Sykes.
(A) Differential Association and Differential Reinforcement
7
The explanation of hacking through social learning theory approach is inextricably linked
to one of the core sociological theories of crime i.e. Sutherland’s differential association
theory. Differential association is premised on the notion that modern society contains
conflicting structures of norms and behaviours giving rise to crime which is a learnt
behaviour. Normative conflict at the individual level is translated into individual acts of
delinquency through differential association learnt through communication usually in
intimate groups. In other words peer pressure and peer attitudes influence behaviour. 12
Contact with persons who have favourable definitions towards crime, leads to an
individual learning similar definitions. The theory does not indicate that the group of
association has to be one of criminals; rather the group should express favourable
attitudes toward crime. When criminal behaviour is learnt, the learning includes
techniques of committing the crime, which are sometimes very complicated, sometimes
simple and the specific direction of motives, drives, rationalizations, and attitudes. When
the criminal contacts outweigh the non-criminal contacts of a person depending on the
frequency, duration, priority, and intensity, he resorts to crime. Ronald Aker’s theory of
Differential Reinforcement stems from Sutherland’s idea that learning is a component of
criminal behaviour and Skinner’s theory of operant conditioning. The theory agrees that
criminal behaviour is learnt through the various groups and associations which an
individual maintains. It goes further to state that the behaviour then continues or is
maintained directly by the consequences of the act i.e. operant conditioning. It states that
a criminal act occurs in an environment if the individual has been reinforced for behaving
in a similar fashion in the past, and the negative consequences of the behaviour are very
weak to produce deterrence. However, the learning becomes complex due to differential
schedules of reinforcement and punishment involved in a criminal activity. This may
result in crystallisation of such deviancy into a personality trait or habit.13 The use of
differential reinforcement theory has been historically focussed on stealing and property
related offences as they fit nicely into the theory due to assured positive gains unless the
individual is arrested.
Sutherland’s theory easily applies to hacking as a person learns hacking through online
communities which share such information. However, after the simple learning process is
over Aker’s theory comes into play in a big way to help the individual maintain his
deviancy. It is evident that the hackers are learning their respective criminal behaviour,
12 Sutherland & Cressey, Principles of Criminology (Times of India Press, Bombay, 6th edn., 1968) pp.75- 80.
8
13 See Burke, supra note 6, pp. 93-94.
and are doing so amongst individuals who hold positive attitudes toward such behaviour.
The continuation of hacking may be due to several reinforcing factors viz. increase in
knowledge, prestige within the hacking community or overall fame by focussed media
attention.14 In some rare cases, prestigious companies have hired hackers who have
penetrated their systems e.g. the legendary Kevin Mitnick which has created an
impression that hackers can acquire good jobs in the computer security industry. Rogers
(2002) gives an example of an Israeli youth charged with attacking US Military networks
who was given a lucrative promotional contract with a European computer manufacturer,
and was praised by the Prime Minister of Israel for his ingenuity. He illustrates the
serious undermining of punitive elements in anti-hacking laws by the lack of stiff
sentences e.g. in Canada, the average sentence for the offence is an alternative measures
for a youth and a conditional discharge for an adult.
The core concepts of differential reinforcement, learned behaviour through various
groups, and maintenance of the behaviour via reinforcement appear to be especially
relevant to hacking. Adamski (1999) has pointed out the existence of popular hacker
cultures and sub cultures through data gathered on internet search engines across 14
countries. Although hackers are thought to be solitary with less developed social skills,
social skills, they still have an empirically proved desire for affiliation and recognition by
peers. Hackers tend to associate with other individuals who also engage in hacking
behaviour in the form of purely electronic associations e.g. online chat sessions, or more
intimately through hacking clubs like Cult of the Dead Cow CDC, Legion of Doom etc.
Adamski (1999) points out how hackers even hold conventions such as the Defcon in Las
Vegas to share their skills, ideas and technical information. Thus, both Sutherland’s and
Aker’s theories provide a highly useful insight to the dynamics behind hacking activities.
(B) Albert Bandura’s Social Learning Theory
Albert Bandura's social learning theory states that both deviant and normative human
behaviour is learned through a mix of observed behaviour, communication with others,
9
14 See Peter T. Leeson & Christopher J. Coyne, supra note 2, at 524, report that hackers may generate instant ‘stardom’ through participation and peer recognition in online communities.
encounters with disciplinary action and cognitive modelling.15 The learning at cognitive
level occurs in the family, subcultures and the social environment through observation
whereby people imagine themselves in similar situations with similar outcomes. The
learnt behaviour may be reinforced or punished. In this respect, Bandura subscribes to
several essential concepts of the operant conditioning theory viz. reinforcement,
punishment, and motivation. He enumerates three aspects to motivation viz. external
reinforcement, vicarious reinforcement, and self-reinforcement. External reinforcement is
similar to Skinner’s concept of reinforcement. Vicarious reinforcement is derived from
observing other people’s behaviour being either reinforced or punished. Self-
reinforcement refers to one’s sense of pride or self image or self expected standards of
behaviour. Criminal behaviour is maintained through a complex schedule of
reinforcement and punishment throughout the life of the individual. If criminal behaviour
has been reinforced in the past, there is expectancy that it will be reinforced in the future.
The theory has primarily been used to understand aggressive behaviour and violent
criminal offences such as assaults or robbery.16
This theory can be successfully used to understand the behaviour of hacking. The theory
states that criminal behaviour is acquired through observational learning, and the
reinforcement from the behaviour comes from external and internal sources. As
previously stated, hacking is a behaviour where imitation and modelling seem to play an
important role. It has been likened to a subculture, which reinforces adherence to its own
moral code. In case of computer activity, the peer group or social circles which influence
the deviant behaviour of hackers are virtual. Hacking is a matter of expertise as it
involves knowledge of inter-connected cyber information highways and their functioning
which cannot be within the exclusive domain of anyone individual. The new age
computer culture has changed the nature of physical association and interaction to cyber-
interaction which is not limited by boundaries of physical locations. Thus, hackers learn
and improve their skills through exchange of information mainly on the Internet Relay
Charts and special forums. Cynthia Fitch (2003) points out that the lengthy existence of 15 Alfred L. Mcalister & Albert Bandura, Mechanisms Of Moral Disengagement In Support Of Military Force: The Impact Of Sept. 11 , Journal Of Social And Clinical Psychology, Vol. 25, No. 2, 2006, p.141, at 142-147. 16 Ibid.
10
hacker groups like cDc (Cult of the Dead Cow) and L0ph for many decades and closely
knit work culture points out to a more personal relation between elite hackers. The
existence of hacker subcultures justifies the application of social learning theory.
Bandura’s social learning constructs have also been successfully applied to music piracy
through peer-to-peer networks.17
(C) Neutralization Theory & Hacking
David Matza’s and Gresham Sykes’s Neutralization Theory regards process of becoming
criminal as a learning experience.18 They argue that all criminals have conventional
values and attitudes like normal people but what distinguishes them is their uncanny
ability to drift from the normal life to existing parallel subterranean values19 through
certain neutralization techniques like denial of responsibility, denial of injury and denial
of victim.20 This helps criminals to cleanse their moral conscience and remove the feeling
of guilt. Spafford (1990) lists three major ethical justifications for hacking as
improvement in security by discovering loopholes, knowledge acquisition by students
and protection of society against corporations by ensuring free access to information. The
peer groups contribute in such moral disengagement by lavishing praise on the hacking
exploits of individuals and creating an impression that the activities are justified. Rogers
(2001) has reported that:
“Self censure can be disengaged or weakened by stripping the victim of
human attributes, or shifting the blame onto the victim…Blaming the
victim or circumstances allows the perpetrators to view themselves as
victims who were provoked. The perpetrator’s actions now become
17 Nathan W. Fisk, Social Learning Theory as a Model for Illegitimate Peer-to-Peer Use and the Effects of Implementing a Legal Music Downloading Service on Peer-to-Peer Music Piracy, A Thesis Presented to The Faculty of the Department of Communication (September 14, 2006), retrieved from <https://ritdml.rit.edu/dspace/bitstream/1850/2737/1/NFiskThesis09-14-2006.pdf> (Last accessed on July 10, 2007). 18 See Seigel, supra note 7, at p.232. 19 Matza and Sykes define ‘subterranean values’ as the morally tinged influences that have become entrenched in the culture and are privately practiced and admired but are publicly condemned.
11
20 Matza and Sykes offer five such techniques (viz. condemnation of the condemned and appeal to higher loyalties) out of which only three may correctly apply to hacking behaviour.
construed as defensive. The victims are blamed and accused of bringing
the actions upon themselves.”21
Hackers often blame the system administrator for improperly securing his system or for
denying access to sites that they legitimately think they should be allowed to access e.g.
university’s system administrator denying access to movie download sites is used as a
pretext to hack the administrator as low cost entertainment is considered as an essential
ingredient of student life by the hackers. Hackers also blame software vendors for
restricting access to free flow of information and thus morally justify their activity as
being conducive to ensure information to everyone acting as self proclaimed knight-
errants. This behaviour reflects the popular ‘Robin Hood’ syndrome by which individuals
neutralize their ethical judgments.22 Hacking sub-cultures entrenched on the internet offer
examples of the parallel subterranean culture which appreciates the publicly illegal
hacking activities. Thus, it is safe to conclude that Matza’s and Sykes’s Neutralization
theory succeeds in explaining hacker behaviour to a certain extent.
V. HACKING & COGNITIVE THEORIES
Cognitive theories, though a subset of psychological theories, have a basis different from
psychodynamic theories. They focus on the dynamics of mental process and the cognitive
schemes through which people perceive and represent the world. In this section, I propose
to utilise the major theory falling in the moral development branch viz. Kohlberg’s Moral
Development Theory.
Kohlberg’s Moral Development Theory
Grounded in the belief of an indispensable link between social and moral development,
Kohlberg’s theory of moral development postulates that moral reasoning develops in a
sequential manner as the person matures. Broadly, Kohlberg divides the moral
development of a person into three stages. The lowest stage is called the preconventional
stage which typifies criminals i.e. stage where people put their desires first and obey law 21 Marcus Rogers, A Social Learning Theory and Moral Disengagement Analysis of Criminal Computer Behavior: An Exploratory Study (2001), University of Manitoba, Canada, p.40.
12
22 See Susan J. Harrington, Software Piracy: Are Robin Hood & Responsibility Denial at Work?, cited from Ali Salehnia, Ethical Issues of Information Systems ( IRM Press, Hershey, USA, 2002) p.179.
only for the fear of punishment. Beyond this lies the convention stage where people learn
to obey law and accept it from the viewpoint that it ought to be followed and finally the
post conventional stage of a fully morally developed character where individual can test
the law against abstract concepts such as justice, fairness and respect for human beings
and their rights. Criminal behaviour arises when an opportunity to offend occurs and
there is a delay in the development of moral reasoning in the individual. The individual
cannot control the temptation to engage in the activity and commits the crime. Siegel
argues that the structural constraints of the theory limit its application to understanding of
general delinquency and possibly white-collar and corporate crime.23 Rogers (2001)
proposes that moral development theory is useful only in understanding a subset of
hackers. He points out that documented anecdotal accounts of the lack of concern by
hackers over the systems they have attacked and written interviews with convicted
hackers portray them as being more concerned with fulfilling their own material needs
regardless of the consequences and Kohlberg’s lower pre-morality stage of hedonism
perfectly explains this behaviour. Contrary to this, there is a strongly held view that
hacker cultures are governed by certain universal ‘ethical norms’ like (a) access to
computers should be unlimited and total, (b) all information should be free, and (c) No
intentional damage to any system. The internet is replete with hacker manifestos claiming
that they subscribe to a higher moral code wherein the authors claim that hacking is
actually benefiting mainstream society by exposing the weaknesses of the multinational
corporations which is positive social behaviour. Himma (2005) calls this ‘hacktivism’ or
value based hacking. However, it is believed that hacker ethics are never followed and
are only put forward as pretensions to present hacking as a socially beneficial activity.
Spafford (1990) describes all hacking activity as unethical, immoral and disruptive
despite its contribution to security improvements. Wible (2003) believes that while a
cohesive hacker community bound by ethical guidelines is no longer dominant, remnants
of the old hacker ethic remain and emphasizes on an effort to help rebuild a community
of hackers, through rewarding contests, in which a body of positive social norms can be
sustained. Still (2006), however, portrays the motivations ‘hacktivism’ in a positive light
23 See Siegel, supra note 7, at p.167.
13
and states that all hackers are not merely thrill or fame seekers; rather hacktivists are an
“organized, technically skilled, politically conscious and socially aware individuals who
seek to challenge the authority of oppressive nation states” like China which are engaged
in providing state-sponsored information to citizens and curbing the freedom of speech
and expression. Thus, the moral development theory provides mixed results.
VI. RATIONAL CHOICE THEORY OF HACKING
The rational choice theory gives primacy to opportunity of crime commission and the
willingness of the individual to flout legal norms when he views the outcome as
beneficial. However, it is distinct from Akers’s reinforcement theory in portraying crime
as a ‘seduction’ i.e. activity capable of producing a natural ‘high’ like drugs in certain
individuals. Ferrell (1997) describes it as the “exhilarating, momentary integration of
danger, risk and skill” which motivates a person towards criminal behaviour.
Hacking as Entertainment: Does Crime Really Seduce?
Professor Jack Katz (1988), in his revolutionary work Seductions of Crime, transgressed
the normal social constructs used in formulation of learning and psychological theories to
portray crime as the ‘forbidden fruit’. Katz argues that individuals involved in criminal
activities actually are engaged in broader efforts to transcend their social environments
and though the ‘transcendence’ may be transitory yet it produces a strong seduction for
evil.24 A scintillating example is proffered by the account of the well known hacker
Kevin Mitnick, presently the CEO of Mitnick Security Consulting.25 Graobsky (2000)
describes the seduction for hacking, from the hacker’s perspective, ‘as an act of power, be
gratifying in and of itself’ and beset by the adventure of the ‘exploration of unknown’.
Foster (2004) offers anecdotal evidence of computer crime offenders suggesting that the
typical computer offender is “almost always male, aged from mid-teens to mid-20s,
lacking in social skills, fascinated with technology, an underachiever in other areas (e.g.
education)- who sees the computer as a means of being important or powerful”. He also
24 John Hagan, The Pleasures Of Predation And Disrepute, 24 Law & Soc'y Rev. 165 (1990).
14
25 Mitnick once said “I guess I was curious. I was a very curious kid. I was into like magic. When I was young I was fascinated by magic. I always liked to learn how to do particular illusions and how all these tricks worked.”, retrieved from <http://www.carteblanche.co.za/Display/Display.asp?Id=3020> (Last accessed on July 10, 2007).
proffers evidence that such offenders are generally “unusually bright, eager, highly
motivated, courageous, adventuresome and qualified people willing to accept a technical
challenge.” Leeson & Coyne (2005) argue that economics of fame-driven hacking is a
reality and operates as a “market”; one side of which has the producers of hacks who
desire fame. When hackers are better known within the hacker community, they tend to
supply a greater quantity of hacking and thus notoriety acts as a prime driving force. An
empirically informed study conducted by Orly Turgeman-Goldschimdt(2005) presents
the positive attractions of hacking through hackers’ own accounts. She concludes that
hackers do not live in a vacuum and equates hacking to a “play”. After an analysis of
primary accounts of hacker motivation, she notes:
“For the hackers, then, hacking is a new form of entertainment based on
the play-like quality that characterizes the use of digital technology and is
a new form of social activity. Hacking can be considered a new form of
entertainment that could not have existed before the development of an
adequate technology.”
Goldschimdt stresses on the values of individualism viz. individual choice, freedom, and
happiness, and argues that being a part of the Western civilization, hackers seek pleasure,
fulfilment, and knowledge. The study seems too culture specific and takes a myopic view
limited to western civilization only. However, the following salient conclusions from the
accounts are noteworthy:
(I) Economic Accounts: Goldschimdt’s accounts, as a rule, focus more on
ideology and sideline profit motive which patently is a lopsided conclusion as
the desire to make money is associated with specific software piracy offences
like trading protected software for profits and such financial motivations are
far from hidden.26
(II) Deterrent Factor: The probability of being caught and the severity of
punishment, if high, may act as effective deterrents. However, she finds that in
case of computer related offences both components are low and thus
deterrence is negligible.
15
26 See Peter T. Leeson & Christopher J. Coyne, supra note 2.
(III) Lack of Malicious or Harmful Intentions: One of the recurring accounts
among the hackers is that they did not have any malicious intent or no harm
was actually done. Goldschimdt concludes that many hackers pretend to be
morally justified and absolve themselves of harbouring any harmful
intentions.
(IV) Intangible Offences: Computer related offences are part of the new breed of
offences which are intangible i.e. there is a lack of physical sense of their
commission. Thus, the offender cannot feel that the damage has been done, in
the physical sense, as the electronic information in computer systems can be
stolen without physical interaction. This weighs against the probability of
guilt generation.
(V) Nosy Curiosity and Voyeurism: The hackers’ accounts point to a voyeuristic
curiosity i.e. one driven by seduction of the unknown, the desirable secrets or
the confidential. This account is mostly given for offences involving
unauthorized browsing through other’s files, and justifies Katz hypothesis to a
certain extent.
(VI) Revenge: This is a common excuse for offences of virus spreading and
crashing computer systems. Revenge is explained, as pointed out below, by
Gottfredson and Hirschi (1990) in terms of lower degree of self control in
crime-conducive situations.
(VII) Ease of Execution: Hackers, bent on presenting their genius, ability and
proficiency, sideline the ease of execution as an explanatory account as it
negates their uniqueness. However, the advantage of digital pseudonymity of
offender surely reduces the chances of detection.27
Thus, a range of multifarious factors is involved in triggering hacker motivations. Lastly,
Gottfredson and Hirschi (1990) have linked crime with offender’s personality and
resultant degree of self control. According to the self-control hypothesis, persons with
low self-control are driven away by opportunity of crime commission. Criminal
behaviour is therefore mediated on an individual level by the presence of criminal
16
27 See Neal Kumar Katyal, Criminal Law In Cyberspace, 149 U. Pa. L. Rev. 1003 (2001).
opportunity. Individuals low in self-control have a tendency to ignore the long-term
consequences of their actions in their decision-making process as well as to be reckless
and impulsive, which leads to a greater likelihood of engaging in crime when presented
with the opportunity as they cannot resist the seduction of crime. This hypothesis differs
from Katz’s proposition of commission of crime offering positive rewards like fame and
certainly seems applicable in cases of hacking by internal groups.
VII. CONCLUSION
17
There can never be a perfect ‘accounting for all reasons’ theory for a new unconventional
crime like hacking. As Katsh (1995) puts it, the emerging legal landscape in relation to
cyberspace is not very easy to see and thus to understand the changes, it is necessary to
“look beyond the surface of law” to recognize “so much that is hidden from view”. These
latent elements may contribute in structuring the laws and increase their efficacy by
providing the missing policy links. A common thread running through all theoretical
explanations is the system of ‘rewards’, both pecuniary and non-pecuniary, to the
hackers. It is necessary to efface this system by limiting the ability of big corporations to
hire notorious hackers for hefty benefits. Secondly, there is an urgent need to somehow
regulate hacker communities operating on the internet. A separate online world has come
into existence and governments need to divert their resources to check the growth of
hacker cultures through prohibition of hacker magazines and websites. Though such a
step may be accused of overreach but ultimately the social benefit will far outweigh the
minimal inconvenience caused and in fact, right to speech and expression is subject to the
need for social order and classes like ‘hacktivists’ who claim to represent the voice of
subalterns in majoritarian societies cannot claim immunity from general law on moral
grounds. Social learning theories emphasize on proper law enforcement as learning
essentially takes place through imitation and reinforcements through rewards. Thirdly,
there is a need to shed the ‘one-size-fits-all’ approach in devising punishment schedules
as hacker motivations differ over a wide spectrum. Legal responses to crime are
ineffective or prove to be worse if they do not account for the social context in which
they are applied and are not careful about the social meaning that a particular penalty
may convey in that context. A differential targeting of hacker classes, as Leeson & Coyne
(2005) put it, will make the punitive law more effective and rationalized. Lastly, we live
in an age of absolute moral uncertainty where no consensus exists about the definitions of
right or wrong and the judgmental criteria to place any behaviour in either of the
categories. Hacking produces rewards and seduces the youth and the lack of internal
controls in form of ethical standards facilitates the commission. Thus, a suggested
alternative strategy may include education concerning computer ethics at early stages of
school to condition young minds. Active teaching through proper channels induces
‘differentiation’ capabilities paving way for responsible behaviour. On the whole, there is
a need for behavioural sciences to focus more attention on hacking and uncover the
distinct motivations for hacking through empirically verified propositions, which
traditional criminological theories may not completely explain, and thus contribute
towards increasing the efficacy of existing legal regime.
18
Selective References
Articles
1) Adamski, A. (1999), “Crimes Related to the Computer Network, Threats and
Opportunities. A criminological perspective”, retrieved from <http://www.ulapla
nd.fi/home/oiffi/enlist/resources/HeuniWeb.htm> (Last accessed on July 10,
2007).
2) Ferrell, Jeff (1997), “Criminological Versthen: Inside the Immediacy of Crime”,
Justice Quarterly 14(1997), pp.3-23 at 12.
3) Fitch, Cynthia (2003), “Crime and Punishment: The Psychology of Hacking in
New Millenium”, retrieved from <http://www.giac.org /practical/GSEC/Cynthia_
Fitch_GSEC.pdf> (Last accessed on July 10, 2007).
4) Foster, David Robert (2004), “Can The General Theory Of Crime Account For
Computer Offenders: Testing Low Self-Control As A Predictor Of Computer
Crime Offending”, retrieved from <https://drum.umd.edu/dspace/handle/1903
/1536> (Last accessed on July 10, 2007).
5) Grabosky, Peter (2000), “Computer Crime: A Criminological Overview”, p.19,
retrieved from <http://www.aic.gov.au/conferences/other/grabosky_peter/2000-
04-vienna.pdf> (Last accessed on July 10, 2007).
6) Himma, Kenneth (2005), "Hacking as Politically Motivated Digital Civil
Disobedience: Is Hacktivism Morally Justified?”, retrieved from <http://ssrn.com
/abstract=799545> (Last accessed on July 10, 2007).
7) Hollinger, R. (1988), "Computer hackers follow a guttman-like progression",
Social Sciences Review, Vol. 72, pp.199-200.
8) Leeson, Peter T. & Coyne, Christopher J., “The Economics Of Computer
Hacking”, 1 J.L. Econ. & Pol'y 511(2005).
19
9) Lemos, Robert (2002), “New Laws Making Hacking a Black and White Choice”,
CNET News, retrieved from <http://news.com.com/2009-1001-958129.html>
(Last accessed on July 10, 2007).
10) Rogers, Marcus (2000), “Psychological Theories of Crime and Hacking”,
retrieved from <http://homes.cerias.purdue.edu/~mkr/> (Last accessed on July 10,
2007).
11) Rogers, Marcus (2001), “A Social Learning Theory and Moral Disengagement
Analysis of Criminal Computer Behavior: An Exploratory Study”, University of
Manitoba, Canada.
12) Rogers, Marcus (2002), “A New Hacker Taxonomy”, retrieved from <http://homes
.cerias.purdue.edu/~mkr/hacker.doc> (Last accessed on July 10, 2007).
13) Spafford, Eugene H. (1992), “Are computer hacker break-ins ethical?” Journal of
Systems and Software, 17(1), pp.41–48.
14) Still, Brian (2006), “Hacking for a Cause”, ICFAI Journal of Cyber Law, Vol V,
No.1, February, 2006, p.22.
15) Turgeman-Goldschmidt, Orly (2005), “Hackers' Accounts: Hacking as a Social
Entertainment”, Social Science Computer Review, Vol. 23, No. 1, pp.8-23,
retrieved from <http://ssc.sagepub.com/cgi/content/abstract/23/1/8> (Last
accessed on July 10, 2007).
16) Wible, Brent (2003), “A Site Where Hackers Are Welcome: Using Hack-In
Contests To Shape Preferences And Deter Computer Crime”, 112 Yale L.J. 1577
(2003).
Books
1) Gottfredson, M. R. & Hirschi, T. (1990), A General Theory of Crime, Stanford:
USA.
2) Katsh, M. Ethan (1995), Law in a Digital World, Oxford University Press: New
York.
20
3) Katz, Jack (1988), Seductions of Crime: Moral and Sensual Attractions in Doing
Evil, New York: Basic Books.
