The case against Anakata in both Sweden and Denmark is unrelated to copyright law or The Pirate Bay, but has everything to do with useless IT crime laws. So it's a shame that there are lots of misconceptions about that.
Anakata is not (only) on trial for copyright infringement in either Sweden or Denmark. He's on trial for hacking into important government systems using zero-day exploits and taking data logs. In Sweden the data logs mostly consisted of personal information that would have been public anyway had he asked for it - therefore the government authorities have not found it appropriate even to report the break-in to the police. In Denmark I'm not sure exactly who reported what, or why, and also it's not particularly relevant.
It's anyway good to know, when one is protesting for Anakata's freedoms, which particular type of activity one is defending and which other activities one isn't. If one feels that The Pirate Bay was a worthwhile endeavour for Anakata to engage with, then probably one should not care about the on-going trials against him at all, but rather about the EU copyright consultation.
In my view, unauthorized access to computer systems should not be under criminal law. Rather we should have a positive focus on securing systems, which we can do by setting up liability rules, personal data protection laws, and ensuring transparency in our computer systems - responsible vulnerability disclosure within some time limit would already help a lot, probably. Ensuring the performance of such obligations by corporations and systems maintainers is not best done by the police, or by law enforcement, but by consumer agencies, competition authorities or similar. The criminalization of unauthorized access as such is a particularly flagrant example of the government allocating its scarce resources in such a way that much money is spent on protecting corporations and public authorities from individuals, while virtually no resources are spent on protecting individuals from corporate or public authority malpractice. Furthermore, the focus of government spending is diverted from protecting both companies and individuals from harmful activities to themselves and instead spent on protecting computer systems of corporations from use unintended by the corporation.
Anakata has allegedly accessed a computer system without authorization. The owner of the computer which was accessed without authorization is a private enterprise. This private enterprise is presumed, by law, to be violated by the alleged unauthorized access by Anakata. The private enterprise has been contracted by public authorities. The private enterprise has not been able to deliver a secure service to the public authorities allegedly because of Anakata. The public authorities have not been able to deliver good public services to citizens, allegedly because of Anakata.
Anakata will be sent to jail for this. The private enterprise has no particular obligation to fix their problems. They may or they may not - it depends on what the contracting public authorities give them money to do. The public authorities have no particular obligation to tell citizens what happens with the data that the public authorities collect. As a citizen, I have entered into a contract with my government as a result of me being born on their territory, that allows them to collect lots of data about me and do with it a bit what they want. They have no obligations towards me that they cannot unilaterally decide, and I have no choice but to accept them because we don't shop for citizenships. Normally.
Anakata is the scapegoat that is being punished because no one else is responsible. Our IT crime laws protect computers, public authorities and companies. They do not protect individuals.
But shouldn't we be able to punish people who are doing ill-intentioned stuff to computers?
Simply put, no. We can punish people who do illegal things, like extortion, defamation, threats or the like by means of a computer. But doing ill-intentioned stuff to a computer is a far stretch. Computers are not people, and they should not be protected by criminal law as if they were people.
Example: Most EU member states used to define DDoS attacks as unlawful if they were used for the purpose of extortion or they caused economic damage. Now it is no longer like this - now the very act of rendering information unavailable that was meant to be available is unlawful. We are protecting the computers' right to be online, or the owners' right to have their computers online. The users of the services of the owners of the computers of course are generally unprotected by law and contract. No computer owner guarantees their users 100% uptime in the service level agreement. And so, we have changed from a model where people were punished if they created a negative effect, into a system where people are punished if they act in a subjectively decided bad way towards a machine.
This is at the base of this problem: when we protect the owners of the computers, and the builders of the system, in criminal law, and accept that citizens and users suffer all the negative consequences without being informed, and without anyone having the obligation to fix this or to compensate users for harm to themselves arising from a security breach, it is the government using its violence monopoly - the police - to protect corporations against people. In this case, the police is attempting to protect big corps and government top shots from Anakata.
We can also compare with the extensive debates we've had on penetration testing, a type of security activity where you suddenly try to hack someone else's computer system in order to establish that it is secure or functioning in the agreed way. Who decides when this is malicious, and when it's not? I can imagine quite a few contractual situations when it's not the owner of the victimized computer who decides.
But Anakata seems to have had a lousy personality, and if he wasn't jailed he would have anyway died from health problems.
These are both authentic observations I have heard in different circumstances. There are many people with lousy personalities. There are many people with health problems. We can't jail all of these individuals, nor can we use those criteria as a basis for our criminal law system. Health problems, in theory, can be solved by the Swedish health care system. But any form of illness is a very distinct and separate problem from the problem at hand, which is that Anakata was allegedly accessing a computer without authorization.
There is no straight fix for a lousy personality. It seems also a completely arbitrary measure of man.
But a private individual who is exposed to unauthorized access can't pay for the investigation themselves! For social justice, we need to involve the police and have criminal law in place so that the cost doesn't fall on the individual.
This is by far the best argument I have heard for IT crime laws the way they are written. The problem is it's based on a completely false premise, which is that the police by necessity is the public authority that relieves individuals of investigation costs.
In a liberal democracy, we have many public authorities that are not the police or law enforcement. There is no need to make Anakata responsible for security problems in the Swedish public sector, and it's of little use. The consumer rights ombudsman could protect consumers in cases of security flaws in software solutions marketed to private persons. In the cases of public authorities and IT systems, one would assume that strong privacy laws should help in defining software requirements - in Sweden, it's the competition authority which is responsible for public procurement legislation, although the data protection authority could probably be involved also. Mostly, what would help is actually additional legislation, particularly liability rules, transparency rules and disclosure rules for software manufacturers. That would already help a lot, including for business-to-business interactions.
I had the strangest experience just recently, when someone argued on social justice grounds that the police must carry the cost of hacking investigations because it's otherwise unfair. After two weeks of confusion I concluded that this is a mix of social democratic equality concerns and technolibertarian night-watch state reasoning. In a night-watch state, since one imagines that the government's only public authorities should be law enforcement and judiciary, of course one would have to resort to either of those two authorities as soon as one wants a problem to be solved. That makes both the law enforcement and judiciary incredibly powerful entities in the night-watch state since they will be called upon for every type of common problem a society can envisage.
Side-note: in a common law system, perhaps the judiciary would actually get more power because the judiciary in common law systems makes law. But in most of the European Union, the United Kingdom and Ireland excepted, that wouldn't be the case. Perhaps there are other people with deeper understanding than me that could explain if and how the night-watch state would function in a Germanic/Napoleonic legal tradition.
There is much that can be said about this. I find myself at the cross-roads of political philosophy, legal philosophy, legal frameworks, politics, and man-machine cultural studies. Some humanist philosophizing about every individual's perspectives on Commander Data in comparison to their relationship with their smartphone might be useful. There is something rotten in the Kingdom of Denmark.
I mostly agree with you, but I can't agree on the point that DDoS attacks shouldn't be illegal in and of themselves. In my eyes, they fall under the same general area as vandalism - if someone breaks stuff, they should be held accountable for breaking it.
Another way of looking at it is that if you're standing outside a store or someone's home and prevent people from entering, the owner of the store or home has a legitimate beef with you. Similarly, if you prevent people from accessing someone's website, they should have a legitimate case against you, even if no actual economic damage is done. Or do you think the Church of Scientology should be free to DDoS xenu.net?