Is Trafficking in Hacking Information a Crime?

Quincy Compton of Concord, North Carolina, had a wife and a pregnant girlfriend and wrote to a doctor in Washington, D.C. for information about terminating a pregnancy. The doctor, Thomas Kemp, wrote back that “[I]t would cost about two hundred [dollars] and the woman would have to stay in DC for a week.” Quincy Compton did not exist – he was a fiction made up by the postal inspector, and Dr. Kemp was prosecuted for violation of a law that made it a crime to provide information about how Compton could secure the abortion procedure. So, is providing information—or tools, techniques, etc.—that others might use to commit a violation of the law itself a crime? How does this impact the sharing of information about vulnerabilities, exploits, hacker tools, pen testing techniques, etc? Is information itself a crime? Should it be?

Magic eight ball says: Reply hazy; try again later.

Ultimately, whether or not sharing information about hacking is a crime may depend on the nature of the information, the persons (or countries) with whom the information is shared, and the intent of the person doing the sharing and/or the intent of the person receiving the information. If the person “trafficking” in the data—whether mere information, hacker tools, exploits, vulnerabilities, passwords, etc.—intends that it be used unlawfully (or knows that it will be), then the transfer may be a crime. But the law is not always so clear. What if the person knows that the tools “can be” but not that they “will be” used for unlawful purposes? What if the person is “trafficking” in tools that are “primarily useful” for or “designed for” obtaining unauthorized access to systems, but does not know how the recipient will use the data? What if the hacking tools—like the stolen NSA toolset including Buckeye, APT3, Gothic Panda, UPS Team and TG-0110—are simply posted online for anyone—regardless of their motive or intent—to use for whatever purpose they desire? What if they are “publicly” posted on a dark web forum? Is sharing “information” alone a crime?

Magic eight ball says: Reply hazy; try again later.

United States Law

Clearly, hacking—unauthorized access to, alteration of or destruction of computers or data—is a crime, whether done directly or indirectly. Aiding and abetting, counseling, procuring, commanding or inducing someone else to hack is a crime. Comforting or assisting a hacker after the fact to hinder or prevent their apprehension, trial or punishment is a crime. Concealing the fact that the hack occurred, as Uber’s former CISO Joe Sullivan learned, is a crime. Conspiring or agreeing with someone else to hack is a crime.

In addition, it is a crime to traffic in or use “unauthorized access devices.” Other statutes make it a crime to, with fraudulent intent, traffic in information or technology that can be used to get unauthorized access to telecommunications facilities or to send in interstate commerce “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.”

Federal copyright law also makes it a crime to traffic in any technology, product, service, device, component, or part thereof, that is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a copyrighted work.

In addition, U.S. export control laws can be used to prevent the “export” of data or information—including cybersecurity information or hacker tools—to prohibited persons, countries or regimes.

The problem is not the statutes so much as the application of the statutes. Sharing a stolen password or PIN is trafficking in counterfeit access devices. Sharing a tool for guessing a password or PIN—not so much. Sharing a vulnerability with the infosec community is not a crime. Telling a co-conspirator how to exploit a vulnerability at Silicon Valley Bank to break into the bank (if there is a bank) is a crime. In a real-world analogy, when Home Depot sells you a sledgehammer, it’s not a crime. When they sell you a sledgehammer that is “specially designed to break into your neighbor’s home,” that may (or may not) be a crime. When you run into a Home Depot and ask, “What’s a good tool for bashing in my neighbor’s skull?” and the clerk recommends a specific sledgehammer, that may be a crime. Just kidding. That would never happen. It’s impossible to find a clerk at Home Depot, of course.

On one end of the spectrum are those threat actors who intend to commit or facilitate specific criminal activity. On the other are those who share the same data with the intent to help entities protect themselves. Same data. Same sharing. Different purposes. Add to the confusion the fact that threat intelligence companies (and law enforcement agencies, which are likely exempt from prosecution) often pose as genuine threat actors, either to find out what the latest threats or vulnerabilities are or to learn the possible intentions and motivations of threat actors.

Information is power. Hacker information is powerful. Adding to the confusion is the fact that code—malware, viruses, Trojans, exploits, etc.—is amorphous and is both a “thing” and information about a thing. A screwdriver is a thing, and under some circumstances it could be a “burglar’s tool.” An article about how to use a screwdriver to force open a casement window is “information.” Hacking involves both tools and information.

So, at the end of the day, is trafficking in hacking information legal or not? Let me see that magic eight ball again.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.