Last week, shortly before Amazon took the Parler social network offline by terminating the latter’s hosting services, a hacker allegedly facilitated a download of the social media site’s data. Many media outlets soon published stories effectively celebrating the hacker’s accomplishment – at least one outlet even referred to her as a “security researcher,” and another as a “benevolent hacker.” A subsequent piece published by Gizmodo even referred to the data as having been “obtained by a computer hacker through legal means.”
Such an approach is not only inappropriate, but also dangerous and inconsistent with the rule of law.
When evaluating your own thoughts on the matter, please consider the following three points. I write not as a lawyer – I am not giving legal advice or citing specific rulings – but as a long-time participant in the field of cybersecurity who has been involved in addressing more than one or two “cyber-incidents.”
Vigilantism undermines the rule of law
Let’s start with the basics: Exploiting poor programming, the failure to rate-limit access, or any other vulnerability in order to download a business’s data en masse with the intent of releasing that data in an effort to act against the business and its users is not benevolent, nor is it a form of security research.
If we want to live in a stable, civilized, and just world, we cannot allow vigilante tactics to become commendable, or even merely acceptable, simply because large groups of people, rightfully or wrongfully, find the target “worthy of having its data leaked” or otherwise reprehensible. Parler is, and remains, an American business, with owners, investors, employees, and users. At least as of now, it has not been charged with any crimes related to incitement or to the Capitol riots, never mind convicted of anything of the like; its employees, owners, investors, and users are all entitled to the same rights as anyone else.
Furthermore, the task of delivering justice belongs to appropriately designated, empowered, and overseen officials and departments operating as part of our democratically-elected government, that, itself, is subject to checks and balances, not to self-appointed hackers with no oversight; civilized society simply cannot endure if it is allowed to operate as a “Wild West.”
While today’s target was Parler, one person’s hero is another’s villain; to many of the billions of people who live in societies more conservative than the West, there may be plenty of justification for attacking sites whose values both I, myself, and those who targeted Parler, likely hold dear. It is also not hard to imagine how many of today’s popular sites would have considered “worthy of targeting” had they existed a generation or two ago.
In short, vigilantism is inconsistent with the rule of law, and celebrating it opens a dangerous Pandora’s Box.
Hacker vigilantism may help criminals escape justice more than it helps law enforcement
The FBI is a competent law enforcement agency. If it (or other law enforcement agencies) found probable cause, it could likely have obtained with a warrant all of the data that the hackers obtained – but done so directly from Parler, or from Parler’s hosting provider, Amazon. Considering that Amazon itself was the party that effectively took Parler offline (at least for the time being) it seems unlikely that Amazon would have dedicated tremendous resources to fighting such a warrant. Perhaps law enforcement, in fact, did obtain the data in such a fashion – the public might never even find out, especially if those involved found legitimate reason to go the FISA route.
Likewise, the government can (and, I expect, did) obtain from the relevant telecom providers, Google, and/or Apple a far more complete set of data than hackers could have possibly garnered from Parler about which devices were on inside the Capitol during the riots.
Perhaps more importantly, though, is the reality that any and all data obtained by hackers is inherently subject to severe chain of custody problems, a deficiency from which data obtained by law enforcement through proper channels obviously does not suffer.
Worse yet, by demonstrating to the world that Parler was utilizing code and systems in a manner that allowed for easy exploitation in at least one significant fashion, the hackers may have effectively notified anyone accused of making problematic posts that the door is open to assert a far more plausible claim of deniability than Parler users might otherwise have thought possible. Furthermore, should any criminal charges emerge in whole or in part as a result of posts made on Parler, accused parties are now more likely than before to assert that the Parler network was insecure, its content vulnerable to hacker manipulation, and its users known to be disliked by multiple hackers. Remember, the burden of proof of wrongdoing is on prosecutors – all a defense needs to do is establish reasonable doubt.
As such, regardless of their intentions, even well-meaning digital vigilantes can sometimes do more to harm the efforts of law enforcement than to help them.
Vigilante scraping potentially creates risks of criminal and/or civil actions
Many folks who have defended the hackers’ actions have claimed that what was done was simply “scraping” of “public information” – automating the capture of data that was publicly available – even comparing the hackers’ actions to those of a search engine spider or The Wayback Machine. Such a defense is problematic for multiple reasons, ethical and otherwise, and the comparison of the Parler download to actions of technology that delivers to site owners valuable and desired improved accessibility, and which obeys site owner instructions not to scan or republish particular items, is nothing short of ridiculous.
And, of course, the data copied from Parler seems to include plenty of data that was not “public information;” public information is information that originated from the work of a public sector body, is possessed by that body, is related to that body’s work, and is preserved in a material form. Data does not become public property simply by being shared online.
While courts have returned mixed verdicts about the legality of scraping in general, the cases considered do not appear to be situations in which the primary goal of the scrapers was to copy and disseminate all of the targeted site’s data en masse in order to adversely impact the data’s custodian and/or owners. Likewise, those cases did not necessarily address all of the potential issues of copyright infringement that exist in the case of the Parler download, nor the potential criminal and/or civil liability created by bombarding a target system with so many requests so as to consume resources at a level similar to some modern DDoS attacks.
Intent matters, as does scale. Many actions that are perfectly acceptable – sometimes even desirable – when performed a small scale, may be extremely problematic and unethical – if not illegal – when conducted on a large scale, or as part of a large-scale concerted effort.
Can one reasonably argue that scraping and distributing en masse a large portion of a social media provider’s content database – or of the entire database – is “authorized” access vis-à-vis any posts intended by their makers to be private and which the owners thought was password-protected? That such scraping and republishing is truly “fair use” vis-à-vis the plethora of privately created mixed-media content contained within, whose creators/owners may have consented to publication only on a specific platform, in a specific format, and through specific interfaces? That scraping at an intensity of over 50 gigabits per second – as the Parler downloaders claim to have done, and, which, may have contributed to the slow down of the Parler service on the day in question – is not an example of trespass to chattels, if not worse? (I wonder if Gizmodo would have used the word “legal” to describe an identical bandwidth-intensive mass download of publicly-accessible data had the target been the Gizmodo site and not Parler…)
In short, there are certainly reasons to question the propriety of the hackers’ behavior with regard to Parler.
And, in any case, we must strongly discourage digital vigilantism. Even in the case of Parler.