Computer Hacking and Ethics

Brian Harvey

University of California, Berkeley

[A slightly different version of this paper was written for the ``Panel on Hacking'' held by the Association for Computing Machinery in April, 1985. Thanks to Batya Friedman, Donn Parker, and Carter Sanders for their comments on early drafts.]

[Neal Patrick] said he and his friends, who named themselves the ``414s'' after the Milwaukee area code, did not intend to do any damage and did not realize they were doing anything unethical or illegal. In fact, when asked [at a Congressional subcommittee hearing] at what point he questioned the ethics of his actions, he answered, ``Once the FBI knocked on the door.'' -- "`Common Sense' Urged on Computer Break-Ins," 26 Sept 83; Copyright 1983 New York Times News Service

It's no secret that a mature sense of ethics is something a person develops over time. Parents are supposed to exercise authority over their children because the children are not expected to know how to make certain decisions for themselves. We have a juvenile court system separate from the adult criminal court system because we believe that a young person is not capable of criminal intent in the same sense that an adult is capable of it.

Within this century, the obvious idea that the ethical sense of an adolescent isn't the same as that of an adult has become the focus of scientific research. Psychologists have entered a field once left to philosophers: moral development. The best-known attempt to formalize this development is probably the six-stage theory of Harvard psychologist Lawrence Kohlberg. Here is his description of Stage 3, the Interpersonal Concordance or ``Good Boy-Nice Girl'' Orientation:

Good behavior is that which pleases or helps others and is approved by them. There is much conformity to stereotypical images of what is majority or ``natural'' behavior. Behavior is frequently judged by intention--the judgment ``he means well'' becomes important for the first time. One earns approval by being ``nice.'' [Kohlberg, p. 18]

Is Neal Patrick at this third stage of moral development? He seems to judge his own actions in terms of intention. From the perspective of the stage theory, we can see this as an improvement over ``Our mistake was to get caught'' or ``What have those computer companies done for me,'' responses that would be typical of the earlier stages.

I don't mean to give too much weight to the specifics of the third stage. It's not scientifically valid to assign Patrick to a developmental stage on the basis of one quoted sentence. Also, not every researcher accepts Kohlberg's stages. But the important point is that Patrick is roughly at the stage of moral development appropriate to his age. He is not some new kind of monster spawned by computer technology; he's a kid with all the strengths and weaknesses we expect from kids in other situations.

Compare a bunch of adolescents breaking into a computer system with another bunch of kids hot-wiring a car for a joyride. The latter would probably argue, with complete sincerity, that they were doing no harm, because the owner of the car recovered his property afterward. They didn't keep or sell it. It's a ``naughty'' prank to borrow someone's property in that way, but not really serious.

These hypothetical car thieves would be wrong, of course, in making that argument. They might lack the sensitivity needed to give weight to the victim's feelings of manipulation, of fear, of anger. They may not understand how the experience of such a random attack can leave a person feeling a profound loss of order and safety in the world--the feeling that leads half our population to hail Bernhard Goetz as a hero to be emulated. Some adolescents don't have the empathy to see beyond the issue of loss of property. Some may show empathy in certain situations but not in others.

The point is that the computer raises no new issue, ethical or pragmatic. The password hacker who says ``we aren't hurting anything by looking around'' is exactly analogous to the joyrider saying ``we aren't stealing the car permanently.''

(The two cases need not seem analogous to an adolescent. There may be many computer abusers who would never break into a car for a joyride, but who don't understand that breaking into a computer account raises the same ethical issues. But the analogy still holds for us as adults.)

The professional car thief and the teenaged joyrider are both social problems, but they're different problems. To confuse the two--to treat the teenager like a career criminal--would be a disastrously self-fulfilling prophecy.

In the context of computer systems, there is a similar dichotomy. There are some career criminals who steal by electronic means. This small group poses a large problem for society, but it's not a new one. Thieves are thieves. Just as banks use special armored cars, they must also develop special armored computer systems. But the rest of us don't use armored cars for routine transportation, and we don't need armored computer systems for routine communication either. (Of course there is a large middle ground between heavy security and no security at all. My purpose here is not to decide exactly what security measures are appropriate for any particular computer system. Instead, I just want to make it clear that, while in this paper I'm not trying to address the problem of professional criminals, I'm not trying to deny that there is such a problem either.)

There is also a middle ground between the young person who happens to break unimportant rules in the innocent exercise of intellectual curiosity and the hardened criminal. Consider the hypothetical case of a young man whose girlfriend moves to Australia for a year, and so he builds himself a blue box (a device used to place long distance telephone calls without paying for them) and uses it to chat with her for an hour every other day. This is not intellectual curiosity, nor is it a deliberate, long-term choice of a life of crime. Instead, this hypothetical adolescent, probably normally honest, has stepped over a line without really noticing it, because his mind is focused on something else. It would be inappropriate, I think, to pat him on the head and tell him how clever he is, and equally inappropriate to throw him in prison. What we must do is call his attention to the inconsistency between his activities and, most likely, his own moral standards.

Two Models for Moral Direction

What to do about it? Saying that the problems of computer ethics are like other ethical problems doesn't solve them. Many approaches are possible. We are starting to hear among computer experts the same debates we've heard for centuries among criminologists: prevention, deterrence, retribution, cure?

Among all the possible approaches, it may be instructive to consider two strongly opposed ones: first, control of the technology, and second, moral training. As examples of these approaches, compare the registration of automobiles with instruction in karate.

Automobile registration is certainly a good idea in helping the police control professional crime. As thieves have learned to steal cars for their parts, rather than to sell whole, the technology of registration has had to grow more sophisticated: we now see serial numbers on each major component, not just on the door frame. But registration doesn't help against joyriders.

Other technological security measures can help. Steering column locks have made joyriding harder, but not impossible. Many adolescents are expert locksmiths, not because they're dishonest but because locks and keys pose a technical challenge much like that of passwords in a computer system. Also, increased security has made the consequences of juvenile car theft more serious, because the easiest way to defeat a steering column lock is to destroy it by brute force.

The example of karate instruction shows a very different approach to the problem of adolescent moral limitations. Instead of using technology to limit the power of young people, this second approach deliberately empowers them. Skill in karate is a deadly weapon; to give that weapon to a young person is an affirmation of trust rather than suspicion.

Why do karate classes for kids work? Why don't they lead to an epidemic of juvenile murders? This paper can't present a definitive answer. But I want to suggest some possibilities and use them to draw analogies for computer education.

One probable reason is that every person responds to his or her situation. If I know you're trusting me with something important, I'll try to live up to your trust. If I sense that you consider me untrustworthy, I may decide that I might as well live up to your low expectations.

Another vital reason, though, is that the technical instruction in karate techniques is part of a larger initiation into a certain culture and its rules. Karate schools don't begin by telling novices, ``Here's how to kill someone.'' They begin with simple, less dangerous techniques; the criteria for advancement include control and self-discipline as well as knowledge of particular moves. Instructors emphasize that karate is an art that should not be abused. Students learn to demonstrate punches and kicks without injury by stopping just short of contact with the opponent's body.

Empowerment in Computer Education

How can we teach young computer enthusiasts to be responsible members of the electronic community, without defining them as criminals? The analogy of karate instruction suggests that the answer is to combine ethical training with real empowerment. To turn this broad slogan into a practical program requires several changes in our approach to educational computing and to computing in general.

Growth, like any ongoing function, requires adequate objects in the environment to meet the needs and capacities of the growing child, boy, youth, and young man, until he can better choose and make his own environment. It is not a ``psychological'' question of poor influences and bad attitudes, but an objective question of real opportunities for worthwhile experience.... Thwarted, or starved, in the important objects proper to young capacities, the boys and young men naturally find or invent deviant objects for themselves; this is the beautiful shaping power of our human nature. Their choices and inventions are rarely charming, usually stupid, and often disastrous; we cannot expect average kids to deviate with genius. [Goodman, pp. 12-13]

Paul Goodman was discussing traditional juvenile delinquents, not password hackers. But the problem is fundamentally the same. How can we provide a worthwhile culture for young computer enthusiasts to grow into?

1. Serious adult models. In karate instruction, discipline is not only for novices. The adult instructors follow the same discipline themselves. The ethical principles taught to beginners are taken seriously in the adult community. As a result, young students don't see the discipline of karate as an arbitrary imposition on them; they see it as part of what it means to be a full member of the community.

In the computer culture, adults rarely take seriously the idea of belonging to a community. The social ideal is the self-serving entrepreneur. Our heros are the ones who become millionaires by doing a slick marketing job on yet another spreadsheet program. (When my high school programming students discovered that I actually knew how to program a computer, many of them decided I was crazy. Why should anyone want to teach when he could make more money programming?) In this context, why should any young person listen to our moral lecturing?

Fundamentally what is needed is personal action by each individual computer professional. But we can act as a society to encourage this individual commitment. We can urge our colleagues to devote part of their time to pro bono publico activities, like other professionals. We can give special public recognition to computer professionals who choose a life of disinterested public service over the quest for personal gain. Some corporations allow their employees paid sabbatical leave for public service work; we should encourage this policy.

2. Access to real power. Another important part of the karate analogy is that there are not two kinds of karate, one for adults and one for kids. What beginners learn may be elementary, but it's a start down the same road traveled by experts. The community into which young karate students are welcomed is the real, adult community. That's not how things work with computers. How many adult computer scientists put up with CP/M, BASIC, and floppy disks? The technology available to most young people is not a simpler version of what experts use; it's a completely separate, more arcane, fundamentally less powerful medium. That medium--the programming languages, the file storage, the editing tools, and so on--is simply inadequate to challenging intellectual work.

The community of computer professionals has come to take for granted easy access to electronic communication with colleagues anywhere in the world. Those of us lucky enough to be on the Arpanet have instantaneous communication supported by taxpayers. Even the less fortunate who communicate over dialup networks like uucp, though, have the cost of their mail supported by computing facilities other than their own; the general agreement among even competing private businesses to forward one another's mail is a remarkable example of disinterested cooperation. Some of this mail traffic is serious business. But some of it is also ``junk mail'' like sf-lovers (for science fiction enthusiasts) and human-nets. Is it surprising that young computer enthusiasts want a slice of the pie too?

Adolescents are excluded not only from access to equipment but also from access to ideas. The password hackers' preoccupation with magic words and magic numbers is harmful to themselves as well as to the rest of us; it's an intellectual dead end that gives them no real insight into computer science. They learn a bag of isolated tricks rather than powerful ideas that extend to solving other kinds of problems. Instead of just telling them what's forbidden, we would do better to show them the path to our own understanding of algorithms, formal theory of computation, and so on. We all know you can't program well in BASIC; why do we allow manufacturers to inflict it on children?

To take positive steps toward this goal requires action on two fronts, access to technology and access to ideas. The latter requires training high school teachers who are themselves qualified computer programmers. In the long run, this means paying teachers salaries competitive with industry standards. That's a matter for government action. Another approach may be to promote active cooperation between university computer science departments and high schools. Perhaps college faculty and graduate students could contribute some of their time to the local high schools. (This is not a new idea; outside experts are donating time to secondary schools to help teach other areas of science. Such partnership brings its own problems, because both the goals and the techniques of college teaching are different from those of high school teaching. Still, this collaboration has sometimes been fruitful.)

The problem of access to equipment is economically more difficult, but it's getting easier. The availability of 32-bit microprocessors means that serious computational power should be affordable in the near future. Equipment manufacturers should take the high school market seriously, as an investment in future technical workers. Another approach is for interested educators to establish regional computing centers for adolescents, not part of a particular school, where kids can come on their own time. Economies of scale may allow such centers to provide state-of-the-art equipment that a single high school couldn't justify economically.

3. Apprenticeship: challenging problems and access to expertise. The karate student is given not only access to a body of knowledge, but also the personal attention of a master in the field. The instructor is responsible for the moral development of his students as well as their technical skill. He steers them in the direction of challenges appropriate to each one's progress, and his own expertise is available to help the learner.

For many years, the MIT Artificial Intelligence Laboratory ran a computer system with no passwords and no file protection at all. (It was pressure from their Defense Department funding agency, not internal needs, that forced them to implement a password scheme.) Even now, the laboratory has a liberal ``tourist'' policy: anyone can have an account, provided that someone at the laboratory is willing to be his or her mentor. The philosophy behind this policy is that most ``malicious'' computer abuse is the result of ignorance, misunderstanding, and thoughtlessness, rather than truly malign intent. With a particular person responsible for each new user, tourists learn to share the values of the community. They are taught that the vulnerability of MIT's system is a price researchers pay willingly for the open exchange of information that that vulnerability allows. Treated as legitimate members of the community, even young tourists quickly learn to act responsibly toward the group.

Not every computer facility can be expected to share the vision of MIT-AI. Certainly the computers that control the missiles and the banking transactions should not be so open to visitors. But a typical large company has several computers, not all equally sensitive. Many could allow access to young people in their communities in the evenings, especially if some of their professional staff members are interested in serving as volunteer mentors. It's the mentor/apprentice relationship that makes all the difference. Just giving a kid an account on your machine may be asking for trouble, but making a friend of the kid is a good investment.

In particular, universities often treat their undergraduate student users like irresponsible children. Undergraduates are generally second-class citizens, with limited access to the school's computing resources, including human resources (faculty). Universities should allow undergraduates to function as true members of serious research teams, as graduate students do. This policy would provide both access to faculty mentors and challenging, useful tasks.

For secondary schools, the issue is partly one of curriculum. Too many teenagers are taught (not only in the schools but also in the magazines) that true computer expertise means knowing what number to POKE into what address in order to change the color of the screen on some brand of microcomputer. Such learning is not intellectually challenging. It does not lead to a feeling of fruitful apprenticeship.

4. A safe arena for moral experimentation. The beginning karate student might be afraid to try his or her skill with a fellow student, lest he or she injure or be injured. But it's safe to fight a match with a black belt instructor. ``I won't hurt you,'' says the instructor, ``and I won't let you hurt me.'' To allow for safe sparring between students, classes begin with half-speed motions and no body contact allowed. Later they may progress to rules that allow light body contact but no contact to the opponent's head. These rules allow students to feel safe as they experiment and develop their skills.

Young people have a similar need for safety in moral experimentation. One of the reasons for the appeal of role-playing games like Dungeons and Dragons is that a player can say ``I'm going to be a thief,'' or ``I'm going to be evil,'' trying on these roles without actually harming anyone. Similarly, a good school should be a place where students feel safe, a kind of ``ethics laboratory.''

Neal Patrick's first exposure to an ethical dilemma should not have involved the FBI. He should have confronted the issue of information privacy while using a computer system in his school. He could have learned how his antisocial acts hurt and angered the legitimate users of the system, without risking really serious trouble for himself or for anyone else. For one thing, it's hard for a young person to understand the chain of reasoning from the abstract corporate owner of a computer system to the actual human beings whose lives are affected when that system breaks down. It's easier to understand the issues when the users are one's friends and classmates, and the social effects of malicious password hacking are immediately apparent.

(None of this is meant to excuse Patrick or the other 414s. Neither ignorance of the law nor misunderstanding the ethical issues is accepted in our culture as an excuse for lawbreaking. But I am not writing for a court of law meeting to settle Patrick's guilt or innocence. The question for us is how, as a society, we can act to make the next generation of teenagers less likely to paint themselves into this particular corner.)

As a practical matter, what's needed to build an ethics laboratory for computing students has already been recommended in another context: adequate computing power to support a user community, as opposed to a bunch of isolated, independent microcomputer users. Whether this means timesharing or a network of personal computers with a shared file server is a technical question beyond the scope of this paper. But sharing is essential. The ethical issues of a living community don't arise in the context of isolated individuals using microcomputers separately with no communication among them. (If we do not fill this need, we leave a void that in practice is filled by ``pirate'' bulletin boards that build a sort of outlaw community around illegal computing activities.)

Appendix B: A Case Study

References

Goodman, Paul. Growing Up Absurd . New York: Random House, 1960.