I get a lot of press enquiries currently about hacktivism, usually in the context of certain groups who have had more than enough publicity already. While discussing some related issues with my colleagues at ESET UK, it occurred to me that what we're lacking here is a clear differentiation between types of "hacktivist" or, indeed, "activist": much of the commentary that's around at the moment seems to assume that all hacktivists are the same.

My blog for SC Magazine's Cybercrime Corner on Rebels with a cause? is certainly not an exhaustive taxonomy, but it does make the point that there are many shades of activism and that most of those shades are reflected among various groups currently enjoying the oxygen of publicity. I have a feeling I'll back to that topic.

It seems that law enforcement agencies in the UK are also concerned about the tendency to see all groups claiming a political agenda as somehow (literally) legitimized: the Metropolitan police - the authority primarily responsible for policing in the Greater London area - has put up a warning on its official Twitter account warning that one man's Robin Hood is another man's highwayman. More specifically, it warns that the "hacking" (if we must use that word in its pejorative sense, as is all too usual nowadays) normally associated with CyberHood activity (sorry!) is very likely to contravene the UK's Computer Misuse Act. In fact, it includes quite a neat summary of most of the contexts in which a fairly lengthy and complex piece of legislation may be brought to bear:

  • Unauthorized access
  • Unauthorized modification
  • Impairment of the operation of a computer
  • Preventing or hindering access to programs or data
  • Impairing operation of programs
  • Impairing reliability of data
  • Unauthorized access to personal accounts
  • DDoS

One thing it doesn't mention is the provision in Section 2 of the CMA that not only does intent to commit one of these acts constitute culpable behaviour, but so does the intention to "facilitate the commission of such an offence (whether by himself or by any other person)". That sounds to me like a provision that should give pause for thought to anyone who makes public someone else's authentication data, in a Torrent, for example: still more so anyone who actively incites blackhat activity.

On the other hand, actual deployment of the Computer Misuse Act (and other security-related legislation) is never a foregone conclusion. There have certainly been occasions where possible breaches of the CMA may have been seen as mitigated or legitimized by journalistic privilege and/or a "public interest" argument. But recent events seem to prove that journalism isn't a licence to hack, either.

(In view of recent comments on my blogs, I suppose I can expect another deluge of accusations of pursuing some sort of authoritarian agenda, but I think it's worth pointing out that even if you think you're victimized by an unjust law, breaking that law is not necessarily the only way of changing it...)

Tip of the hat to Graham Cluley for flagging the Met tweet. And another hat tip to Kurt Wismer for flagging an XKCD cartoon that may not be directly relevant to the Computer Misuse Act, but does go some way to explaining why the public, the media and the security community may have very different views of the same incident.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow