Recent high-profile cases of hacking include the breach of Target’s customer databases, the acquisition and dissemination of nude celebrity photos, and the publication of confidential information from Sony Pictures. If these are the paradigm cases that inform our conception of hacking and hackers, then the very idea of hackers for hire may be frightening. So, it’s not surprising that a website designed to help ordinary people hire hackers would get some attention.
Hacker’s List is a website modeled after the likes of oDesk and Elance, websites that match freelance workers with clients that need their help. The business model for all these sites is the same: A client posts an ad describing the sort of service desired. The freelancers or hackers apply for the job. Then the client chooses one among the bids. Hacker’s List differs from the other sites primarily in the type of service sought by clients. Instead of looking for writers, graphic designers, translators, data analysts, etc., people posting on Hacker’s List want people who can access, bypass, disable, or alter computer systems or the data they contain.
The buzz around Hacker’s List began with an article in the New York Times, which declared, “The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled ‘hacktivists’ taking aim at big targets. Rather, it is an increasingly personal enterprise.” I think the comparison here is potentially misleading. Likening small-scale hacking to familiar, high-profile cases obscures some of the distinctive and interesting reasons some people may have for hiring hackers. I think that, as digital technology becomes ubiquitous, our evolving relationship with technology gives rise to a distinctive set of reasons that favor hacking and hiring hackers.
Disruptive vs. constructive hacking
As a preliminary point, it is worth noting that hacking is not necessarily destructive or even disruptive. Preoccupation with the most high-profile cases—Target, nude photos, Sony, etc.—can cause us to forget this.
Historically, a hacker is a technologist who has a particular sort of adventuresome and enthusiastic orientation to the creation and improvement of technology, especially (nowadays) computer systems. The term ‘hack’ gained currency at MIT in the 1950s and 1960s among members of the Tech Model Railroad Club. Describing this group’s terminology in his book Hackers, Steven Levy explains that a hack was “a project undertaken or a product built not solely to fulfill some constructive goal, but with some wild pleasure taken in mere involvement.” Along the same lines, legendary hacker Richard Stallman says that a hacker is “someone who enjoys playful cleverness, especially in programming, but other media are also possible.”
Hacking in this traditional sense is constructive rather than disruptive. As things stand right now, jobs for constructive hackers do not seem to be the standard fare of Hacker’s List. However, we should not overlook the potential need for constructive hacking. Perhaps you want to build and install an unusual kind of intercom system for your home. Or maybe you need some custom software to automate a part of your eccentric record-keeping system. For these sorts of projects, it would be totally reasonable (and, of course, ethically unproblematic) to try hiring a hacker.
I expect that nothing I’ve said so far will be particularly controversial. Constructive hacking was never the worrisome sort of hacking. The worry comes with disruptive hacking. Indeed there are many instances of disruptive hacking—both at the small, personal scale and at the large, organizational scale—that are highly unethical. What I am keen to show, though, is that not all instances of disruptive hacking ought to be evaluated the same way.
Circumstantially motivated hacking
Focusing now just on disruptive hacking, we can draw a distinction between hacking that is motivated by some functionality of the to-be-hacked technology itself and hacking that is motivated by circumstances external to the technology. I think it is the latter that most people have in mind when they think of disruptive hacking. For example, the hackers responsible for the breach of Target’s customer database were motivated by monetary profit. It is doubtful that anything besides opportunism led the hackers to specifically zoom in on Target’s technological infrastructure. If there had been a copy of the data in a pile of disks sitting on a park bench, presumably the would-be hackers would have preferred to swing by and snatch the disks instead of perpetrating an elaborate hack. Thus, we can think of the hack as circumstantially motivated, not motivated by the to-be-hacked technology itself.
Assessments of circumstantially motivated hacking can typically proceed relatively straightforwardly according to usual methods of moral evaluation. This is the case whether we are talking about the large-scale, high-profile cases of hacking, or the smaller, more personally motivated cases we are likely to find advertised on Hacker’s List. It is natural to begin assessment by looking at the effect of the hacking on the organizations and individuals involved. In many cases, the disruptive effect will involve some sort of harm, and harm is usually morally undesirable. And so, on the assumption that the hacking itself has no intrinsic value and no morally beneficial effects, the hacking will be morally impermissible. No big surprise here. Exceptions to this general pattern will be cases in which the disruptive effect of hacking is somehow desirable. For example, we might have a situation in which invading someone’s privacy would allow us to prevent some greater harm from befalling her. Or, in a very different sort of situation, it is conceivable that some harmful effects may themselves be valuable. Arguably, harms that constitute retribution for past wrongs may have positive moral value in this way. When the goals of hacking are positive in one of these ways, we can reach a reasonable ethical evaluation by asking whether those positive ends justify the means (i.e., any additional costs or drawbacks of the hacking itself).
Technologically motivated hacking
Sometimes the goal of a hacker or the hacker’s client is the disruption of the technology itself. We can say that this hacking is technologically motivated. Here are a few examples.
Suppose your native language is one that is not well supported on some device you own. And suppose your device restricts what software you can install on it. And, finally, suppose it is possible for a hacker to unencumber your device so that you can add the desired functionality. This was the situation a few years ago with iPhones and Chinese language input. Since Apple controls the distribution of software for the iOS platform, iPhone users have to hack (“jailbreak”) their phones in order to use certain software. Hacking of this nature is very common, but note that it is not hacking aimed directly at Apple or, for that matter, at any goal other than the alteration of the user’s own electronic device. So it counts as technologically motivated hacking.
We find a somewhat similar situation in the relationship between drivers and the computer systems in their automobiles. Practically everything in new cars—from the ignition to the brakes to the entertainment system—is computer controlled. One part of the computer system in modern cars is the event data recorder (EDR). An EDR collects a variety of data about the operation of a car. Much of the data collected—things like speed, acceleration, steering wheel angle, braking, whether the driver was wearing a seatbelt, etc.—is particularly useful for investigating the causes of accidents. But these data are just the tip of the iceberg. EDRs can keep track of any information from a car’s computers. For instance, the EDR in newer BMWs monitors the vehicle’s mechanical status and contacts the local dealership when the computer has determined, say, that you need an oil change. Now suppose you wanted to find out exactly what data your car was collecting about you. Or suppose you wanted your car not to collect so much data about you. It may make sense for you to hire a hacker for help.
It is not just for purposes of manipulating our personal electronic devices that a person might want to hire a hacker. Suppose you have an old e-mail account that contains thousands of important messages. And suppose you wish to discontinue using this account and cut ties with the organization that provides it. If the interface you’re given does not allow you to export the messages in bulk, then downloading and filing all that old e-mail is likely to be quite a burdensome task. However, you might be able to hire a hacker to find a way to bypass the usual interface and download all the e-mail messages at once. And this might be the most reasonable course of action for you.
How do these cases of technologically motivated hacking differ from the sort of circumstantially motivated hacking discussed earlier? The clearest difference is, of course, the motive. The intended outcome of technologically motivated hacking does not essentially involve some sort of disruptive effect on persons or organizations, but rather just on the technology itself. Of course, computer systems do not pop into existence unbidden; there is always some party that designed, operates, or owns the system in question. But it’s not clear that this is always relevant from the moral perspective. That’s simply because the effect on that party, even if the hacking is successful, may be negligible.
Adding a better input method for your phone, finding out what your car knows about you, exporting e-mails from an account before closing it—the effects of these things on the technology providers have a level of significance that rounds down to zero. But, to the users, these things may matter a lot. And as digital technology becomes ubiquitous, playing a more and more pervasive role in our lives, we can expect to find ourselves in many more situations like these.
The issues here are complicated. I am not claiming that all, or even most, cases of technologically motivated hacking are morally justifiable (though I am tempted to think that many are). Instead, I simply want to guard against a certain sort of systematic mistake we could be making in our evaluations of these cases. If we fail to distinguish technologically motivated hacking from hacking that is circumstantially motivated, we run the risk of assuming that the entity that owns or operates the relevant computer system is more important than it is. In many cases of hired hacking, the decisive factor in the ethical evaluation is not the relationship between the user (who hired the hacker) and the technology provider, but rather the relationship between the user and the technology itself. In many cases, this latter relationship may constitute sufficient grounds to justify hiring a hacker.