Notes on cybersecurity vigilantism and data protection risks
This post discusses the emergence of cybersecurity vigilantism, the social phenomenon associated with non-State responses to cyber threats. It explores the case of BrickerBot and expands on the potential risks that this form of vigilantism can bring to data protection.
1. BrickerBot: a new form of countermeasure
The spread of Mirai, the first large-scale IoT botnet made public, caused turmoil in the cybersecurity community in 2016. IoT devices had long been reported as a ticking bomb: the level of security embodied in the technology was questionable. Even then, the reach and strength of Mirai were greater than envisioned; in less than a year, Mirai had already compromised a total of 5 million devices (Costello, et al. 2016). Mirai emerged as a powerful, remotely controlled network of cameras and routers, causing massive disruptions worldwide. The insufficient security mechanisms deployed in mass-market IoT devices were exploited by botherders and used to perpetrate potent DDoS attacks. But in April 2017 an interesting development was spotted. Security researchers at Radware identified a PDoS (permanent denial of service) attack aimed at corrupting the storage of specific IoT devices and therefore disabling them permanently (Radware 2017). Four versions of BrickerBot were released in the wild (BrickerBot.1, BrickerBot.2, BrickerBot.3, BrickerBot.4) in a short interval, disabling close to 2 million devices according to their creator (Cimpanu 2017). Described as a grey hat (Radware 2017), the vigilante hacker Janit0r was allegedly motivated by the idea that unsafe IoT devices should be removed from the Internet (Millman 2017). The events that followed are a de facto technical remedy to the issue of product unsafety: the release of BrickerBot permanently disabled poorly secured IoT devices prone to botnet infection. Such a form of interference is normally a privilege of the State, whose delegated authorities can use force to protect society from danger.
The main problem with BrickerBot is its permanent character, in that it simply made IoT devices unusable. Was irreversibly disabling the unsafe devices absolutely necessary to prevent the spread of Mirai? That is a question that only security experts would be capable of answering firmly. In using force, less aggravating and less interfering means are always preferable to disproportionately strong interventions. From a non-technical lens, the dissemination of a patch could have been equally effective in closing the vulnerability and therefore preventing Mirai-like infections without permanently disrupting the targeted devices. To that extent, there seems to be an excess in the use of force by Janit0r that would escape the shield of defense of others and subject the agent to liability in relation to the excess. Furthermore, the actions of Janit0r show elements of a cybercrime offence, more specifically of illegal interference with information systems (Art. 4, CoE Convention on Cybercrime; Art. 4, Directive 2013/40/EU). From a broader social perspective, the activities of Janit0r could exemplify the emergence of a new cybersecurity trend: cybersecurity vigilantism.
2. The emergence of cybersecurity vigilantes
According to Johnston (1996, 221), vigilantism is a “social movement giving rise to premeditated acts of force—or threatened force—by autonomous citizens. It arises as a reaction to the transgression of institutionalized norms by individuals or groups—or to their potential or imputed transgression.” In this model, vigilantism is a compound concept built upon six key elements: 1. planning, premeditation, and organization; 2. private voluntary agency; 3. autonomous citizenship; 4. the use or threatened use of force; 5. reaction to crime and social deviance; and 6. personal and collective security. The following paragraphs set out the scope of these elements as imagined by Johnston and the reason why they are essential to the idea of vigilantism.
The emergence of the Internet was accompanied by the rise of a new category of vigilantes. Cyber vigilantism, perceived as a variation of vigilantism as a phenomenon, takes place on the Internet and through information systems, and is often associated with mass retaliation and collective efforts (Smallridge, Wagner and Crowl 2016, 59). Cyber vigilantism takes varying forms; hacktivism, scam baiting, crowdsourcing, and citizen-led intervention (Smallridge, Wagner and Crowl 2016, 59) are examples of how vigilantism is transmuting. One sub-group of cyber vigilantes, here referred to as cybersecurity vigilantes, can be defined as active citizens who, voluntarily and without the sanction of the State, launch attacks against cyber threats and cybercriminals with the goal of reestablishing justice and cybersecurity. In sum, cybersecurity vigilantism is a social movement composed of individuals or collective groups who respond via technical means to a perceived and far-reaching criminal act against the security of the Internet and information systems. Paraphrasing Dumsday (2009, 55), cybersecurity vigilantes are upholders of the functioning and the future of the Internet. But what risks arise when cyber vigilantes attempt to restore cybersecurity and trust in digital environments?
3. Data protection concerns
While vigilantism is a typical expression of the use of force, the results of vigilantes’ activities in cybersecurity may fall outside the scope of criminal law and inside the realm of civil liability. One clear example is the potential interference with the right to data protection, given that various cybersecurity techniques imply the observation and analysis of information that can be regarded as personal data under the GDPR (EU General Data Protection Regulation). IP and email addresses, as well as other data that can serve to single out users, fall within the notion of personal data; their use in cybersecurity vigilantism calls for the application of the GDPR, which therefore limits the lawful processing that these forms of data may undergo in the EU.
For the discussion at hand, the most important aspects of the GDPR revolve around the provision on lawfulness of processing (art. 6(1)), which defines the grounds on which personal data can be processed in compliance with EU data protection law. The appropriation by cybersecurity vigilantes of information concerning the whereabouts and identity of cybercriminals, as well as of victims of a cybercrime, may be a problem from a data protection perspective. To avoid incurring a data protection violation, cybersecurity vigilantes must ensure their activities are covered by at least one of the circumstances in which processing of personal data is regarded as lawful under the GDPR.
This is particularly complicated, since the actions of cybersecurity vigilantes are unbeknownst to the data subjects. One possible solution to this issue is exploring whether subparagraph (e) of art. 6(1), which authorizes the processing of personal data for the performance of a task carried out in the public interest, could serve as a justifiable ground for the actions of cybersecurity vigilantes. Looking back at the cases examined before, if Janit0r and Hutchins are capable of demonstrating to a reasonable degree that the actions undertaken were motivated by the purpose of protecting the integrity of information systems, the functioning of the Internet, and users themselves, their activities could be presumed to be processing conducted in the public interest. However, the main obstacle to the use of subparagraph (e) is the lack of legal certainty around the application of this provision to the realm of cybercrime and, more specifically, to vigilantism by ethically motivated third parties. Recital 45 of the GDPR determines that defining the scope and reach of art. 6(1)(e) is a task for the national or EU legislator, which creates substantial uncertainty over the application of the provision EU-wide – and the opportunity for uneven levels of protection and regulatory standards at national level, which was one of the issues that supposedly motivated the repeal of the Data Protection Directive. In conclusion, while there is room to believe the activities of cybersecurity vigilantes could be in line with data protection regulation, the case is to be further analyzed following national legislation or future EU law regulating the matter. Failure to comply with the GDPR subjects the agent to penalties established at the national level – which often take the form of fines.
Aside from the potential threat to the right to data protection, the actions of vigilantes could also be examined from a substantive criminal law perspective. It could be relevant to consider whether the actions of vigilantes in fact amounted to crimes against the very information systems and data they intended to protect. These considerations could lead to a deeper investigation of whether vigilantism in the case of BrickerBot constituted illegal access to information systems (Art. 2, CoE Convention on Cybercrime; Art. 3, Directive 2013/40/EU), illegal interference with information systems (Art. 4, CoE Convention on Cybercrime; Art. 4, Directive 2013/40/EU) or illegal interference with data (Art. 5, CoE Convention on Cybercrime; Art. 5, Directive 2013/40/EU).
The theory of cybersecurity is marked by the concept of shared responsibility. In cybersecurity literature, multistakeholderism is a grounding precept of successful and holistic operations. This concept is grounded in the fact that the architecture of the Internet and information systems permeates public and private infrastructures managed by a diversity of actors. These actors, each from their own position, can influence the outcome of a security threat through the decisions made at their level of control. In the realm of regulation, the concepts of network models and nodal regulation have been widely discussed, exposing the intricate relationship between operational control and regulatory power exercised by the broad spectrum of agents involved in the functioning of the Internet and information systems. In digital environments, multiple actors perform a dual regulator-regulatee role, as the decisions made at a given control level reverberate through other circles of the web. Harnessing this unique interplay seems not only strategic but absolutely necessary for regulatory success.
Cybersecurity vigilantism has gained distinguished attention because of the expert knowledge in the hands of this particular group of vigilantes. The experiences of BrickerBot and other similar events reveal the valuable input citizens may have in halting cybercrime and supporting the activities of law enforcement. In the case discussed, intervention arising from society, namely from individuals ethically imbued with a sense of participative citizenship, delivered a positive, desirable result which was influential in promoting and preserving cybersecurity. The main lesson drawn from these recent episodes of vigilantism is that the goal of enforcing the law in digital environments can be partly assisted by cybersecurity vigilantes. A purist would rule out the participation of non-State agents in law enforcement, based on the tenet of the monopoly of the use of force. A pragmatist would consider what the potential benefits of allowing this form of contributory justice are. I embrace the second viewpoint and defend not only that social movements should be understood as legitimate expressions of society’s demand for criminal justice, but also that a path to legality for cybersecurity vigilantism should be considered by the legislator.
Cimpanu, Catalin. 2017. BrickerBot Author Claims He Bricked Two Million Devices. April 21. Accessed August 31, 2017. https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/.
Costello, John, Allison Nixon, Brian Hein, Ronnie Tokazowski, and Zach Wilkhom. 2016. New Mirai Variant Leaves 5 Million Devices Worldwide Vulnerable. November 29. Accessed August 31, 2017. https://www.flashpoint-intel.com/blog/cybercrime/new-mirai-variant-involved-latest-deutsche-telekom-outage/.
Dumsday, Travis. 2009. "On Cheering Charles Bronson: The Ethics of Vigilantism." The Southern Journal of Philosophy (University of Calgary) XVII: 49–67.
Haas, Nicole Evelin. 2010. Public Support for Vigilantism. Leiden: Leiden University.
Johnston, Les. 1996. "What is Vigilantism." The British Journal of Criminology 36 (2): 220–236.
Millman, Rene. 2017. BrickerBot ‘creator’ claims two million IoT devices have been destroyed. April 25. Accessed August 31, 2017. https://internetofbusiness.com/brickerbot-iot-devices-destroyed/.
Radware. 2017. BrickerBot PDoS Attack: Back With A Vengeance. April 21. Accessed August 31, 2017. https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-back-with-vengeance/.
Smallridge, J., P. Wagner, and J. Crowl. 2016. "Understanding Cyber Vigilantism." Journal of Theoretical & Philosophical Criminology 8 (1): 57–70.