Digital Victim or ‘Vigilante’: Legal and Ethical Limits to Online Self-Defense

Jeffrey H. Matsuura


There is increasing support for “self-help” measures in response to perceived or actual misuse of computer systems. Network operators who recognize that their network is under attack often seek authority to take action to disable the attacker. Owners of copyright-protected material ask for permission to act to disable computers that store pirated versions of their works. Some copyright owners also deliberately distribute corrupted versions of their material to frustrate pirates. Internet service providers who receive a high volume of messages from a source sometimes assume it to be unsolicited commercial e-mail and block the messages, at times resulting in non-delivery of legitimate messages. Commercial vendors of software often seek the right to be able to disable the software they sell if the licensee fails to fulfill its license obligations. Security authorities and researchers commonly make use of “honeypots” to attract computer attacks in order to gather information about such attacks and to identify security suspects.

This paper explores the question: At what point do such aggressive digital actions, taken in the name of defense of established legal rights, cease being legitimate responsive defensive measures, and become unethical (and potentially unlawful) offensive actions? The paper will examine traditional concepts of self-defense and mitigation of harm, and will apply those principles to these active digital defensive schemes.

The paper will examine the interaction between these digital self-help or self-defense initiatives and the increasing number of computer security laws and regulations. Laws such as the Computer Fraud and Abuse Act, in the United States, prohibit unauthorized access to computers and computer networks. Those legal restrictions are primarily aimed at preventing malicious conduct against computer systems. Those same prohibitions, however, could be applied against parties who take action against the computers of another party, based on a claim of self-defense. The issue is one of determining when a victim has become a lawbreaker as a result of damages inflicted by its digital counterattack. Those damages could injure the original attacker or some innocent third party who is affected by the counterattack unintentionally.

The paper will also examine legislative initiatives that encourage these self-help measures. For example, efforts have been made in the United States Congress to pass legislation that would permit copyright owners to take action against peer-to-peer file-sharing networks involved in piracy, without facing full liability for damage they might cause to other computers (the P2P Piracy Protection Act). Although Congress has not yet enacted such legislation, that approach illustrates how far some officials appear to be prepared to go to permit aggressive defensive actions in the name of enforcement of rights or responses to digital attack.

The paper will examine the potential consequences of widespread use of active digital self-defense. Consequences include a potential escalation of conflict as victims of digital attacks unleash counterattacks as a matter of course. The paper will examine whether such an environment actually makes the entire Internet less stable and less secure than it is today. The paper will also consider whether this is the type of conduct and environment we should accept, from an ethical perspective.

The paper will include a recommendation as to an acceptable approach to the issue of legitimate digital defensive actions. The paper will suggest that parties should not be encouraged to rely on digital counterattacks to defend their rights. The cost of widespread counterattacks, in terms of damage to innocent parties, is likely to be too high. In addition, the environment created in the online community by reliance on digital vigilantism is not an ethically healthy one. That approach would tend to undermine the stability of the online community, making both individuals and organizations reluctant to expand their online activities. Instead, resources should be directed toward digital defensive measures that reduce the opportunities for attacks, and those that increase the costs to the attacker. Appropriate defensive measures would likely include pooling of the effort and cost associated with defense among service providers and users. This type of collective defensive approach appears to be more likely to establish a stable and secure online environment than would rampant self-help activities by individual parties.

Promotion of aggressive digital counterattacks would push the online community toward chaos. A chaotic online environment will be less attractive to casual and commercial users, thus inhibiting the development of the Internet and electronic commerce. No one will be better off in such an unstable community. Aggressive digital self-defense may provide the illusion of order, but it is actually more likely to signal the beginning of a descent into profound disorder for the online community.