- Image via Wikipedia
In America there is a saying “guns don’t kill people.” Some wits add “people with guns kill people.” While this saying is just that, a saying, it does put a handy slogan on a view about moral responsibility. On the face of it, the sayings are dead on: while a gun can be used to kill a person, guns are not themselves moral agents. As such, a gun bears no moral responsibility for any deaths that it might be used to bring about.
The gun debate has been done to death in America, so I thought it would be interesting to switch the focus a bit while still sticking with the general issue of responsibility for harm. To be specific, I will be looking at a hacking program called Firesheep (not to be confused with the browser Firefox or the emulator Sheepshaver).
Firesheep was written by Eric Butler and adds easy to use hacking functions to the Firefox web browser. The add on lets users view information in internet cookies at sites such as Twitter, Facebook. Flickr, Tumblr and Yelp. Fortunately (or unfortunately, depending on your view of the matter) Firesheep is limited in what it can do. It can allow a user to get usernames and session number IDs but it cannot be used to get passwords. In effect, it allows users to view information (such as person’s Facebook or Amazon account) but does not let users do anything that would require a password. It is also limited to hacking on the same network. However, this means that if you are reading this blog on a public wi-fi, then someone with Firesheep could be reading through your darkest Facebook secrets. Like that time you…well, you know what you did. And so does that creepy fellow sitting two tables down.
Butler makes it clear that he sees himself as a white hat: he is hacking to expose vulnerabilities so that they will be fixed. Interestingly, he does directly address the moral issue at hand: “The attack that Firesheep demonstrates is easy to do using tools that have been available for years. Criminals already knew this, and I reject the notion that something like Firesheep turns otherwise innocent people evil.”
On the face of it, Butler is quite right. Firesheep, like other tools, is not some sort of cursed weapon that can possess the mind of potential victims and compel them to do evil (unlike television which does just that). The same is, obviously enough, true of other potential harmful pieces of technology, such as guns and junk food. As such, Butler and the other folks who make such tools available are not directly accountable for what people do with the tools. As the arms dealers probably say, “I just provide the weapons, the customer does the actual killing.” I do not, however, mean to suggest that Butler had any malign intent in creating and releasing Firesheep. Rather, he seems to be like Dr. Gatling-hoping that his creation will do good rather than further evil.
There is, however, a somewhat deeper concern. Namely that providing the tools that makes misdeeds easier makes a person accountable to a degree. While the person who invents or distributes such tools or weapons does not make people evil or make them do misdeeds, the person does make such misdeeds easier. As such, the person providing the tool does play a causal role in the misdeeds-especially if the tool or weapon serves as a “but for” cause. For example, if someone would have been unable to track down and start stalking an ex without using Firesheep, the ex would have not been stalked but for Firesheep. As such, making misdeeds easier does seem to bring with it a degree of moral accountability.
Butler does. of course, anticipate this sort of criticism. As he notes, the tools already exist to do just what Firesheep does. Firesheep is just better known and easier to use. To use an analogy, Butler is not inventing the gun. He is merely making the gun easier to use.
Other folks, myself included, are helping make Firesheep famous. Following the above logic, this would also make me and the others folks contributors in some cases. For example, if somebody (not you, of course) reads this post, learns of Firesheep and then hacks an ex’s Facebook account to find and stalk the ex, then I have contributed to that misdeed. Of course, my contribution is extremely limited and hence so is my moral accountability.
“Firesheep doesn’t hack. People hack with Firesheep.”
Thoughts?
If Mr Butler is wearing such a large white hat, why did he not go directly to Mozilla Corporation to alert them as to what he was able to accomplish? Wouldn’t that have been the ‘white hat’ thing to do rather than publishing it to the world for every black hat to see? I smell a wolf in sheep’s clothing.
The problem is not with Mozilla Firefox: it is with the end sites, like Facebook, Flickr, Google etc. The guy has just written his hack to work as a Firefox extension.
I’m grateful to the publicity: it has forced me to address and (mostly) solve the problem.
In a way, we can equate what Butler has done with civil disobedience. The web sites at fault have been warned for years that their security measures are ineffective and that they are putting their customers at risk of having their private data revealed. Butler’s act, even if it were illegal, might be seen as morally valid if you argue that he is perpetrating one evil (making hacking easier) in order to rectify a greater evil (stealing people’s data).
“As such, making misdeeds easier does seem to bring with it a degree of moral accountability.”
I don’t follow. How does making misdeeds easier bring with it a degree of moral accountability? Does that mean a parent bears some responsibility to every misdeed their adult child does, simply because the misdeeds wouldn’t have been possible if they weren’t born?
If you want to look at the philosophy of accountability, here’s a better situation:
Let’s say there’s a thief waiting to get into my house. My house has no windows, and the only way the thief can get into the house is through the front door, which is secure by 10 locks. The thief does not know how to pick locks.
So the thief hires a (less than moral) lockpick to pick the locks. Unfortunately the second lock is not at easy to pick as the first, and the thief must hire a better lockpick. This continues until the thief has hired 10 different lockpicks, who each picked a different lock, and he is able to get into my house and steal my watch. Who is more responsible for my watch being stolen? The first lockpick? The last? Only the thief himself?
I haven’t quite figured out accountability yet, but I’m sure the Firesheep developer has zero accountability for someone being stalked.
By the way, if you know of a better situation or can come up with one, I’d love to hear it. I’m really terrible at coming up with these sort of situations. Maybe 4 leashes tethering a single dog, removed one at a time?
If you accept that killing is not always wrong (self-defense, for example), then killing with a gun is not always wrong. That gives us a morally acceptable use of guns. However, I don’t quite see the analogy gun/Firesheep as fit, because I can’t find a morally acceptable use of Firesheep.
Maybe the civil desobedience argument posted by Tony provides us a better analogy. However, in order to fit the analogy integrally, Mr Butler should present himself more willing and ready to face public criticism and possible civil penalties. It doesn’t seem to be the case.
Resorting to background processes: it feels wrong — I tend to defend that Mr Butler is accountable. I just don’t know why.
Andre,
Well, the argument I have seen floated is that releasing Firesheep exposes the vulnerability in a way that will require the companies to fix it. They were, so the argument goes, under no real pressure to fix it when the problem was not well known to the general population and when it required at least some minor skills to hack.
Of course, it could be argued that this is like trying to get companies to fix a vulnerability in door locks by handing out free automatic lock picks. Sure, the companies will need to fix the locks, but it would seem that there would be a better way to do this than exposing people to a significantly increased number of potential intruders.
In the case of parents, the question would be this: how much did the way the parents raised the child impact his behavior as an adult? For example, if the parents raise a child to be a racist and encourage him to engage in violence, then they would seem to get some of the blame if the child engages in such violence.
In the case of making things that make misdeeds easier, the responsibility seems to be present based on the principle of “but for.” So, if people who could not hack before can now do so with Firesheep and commit misdeeds using the software, then the creator has some slight role in the misdeed. Of course, this responsibility would be rather slight since the creator did not commit the act. The obvious reply to this is “well, does that mean that the people who made computers easier to use are also responsible because people misuse them who would not have been able to before?”
However, I would point out that Firesheep is not a general purpose tool that can be misused. Its function is to hack. To use an analogy, it is a bit like handing out easy to use hotwiring kits. True, they could be used to start a car when you lose your key, but the main purpose would not be benign. So, I would say that the function of Firesheep is such that it comes with more responsibility than making a general purpose tool available.
I don’t understand how the purpose of the tool factors into the equation. If I sell a murder weapon to a murderer, why should it matter if it was an assault rifle or a cheese grater?
I also think we need to define accountability. I don’t think it is useful to think of someone as accountable if we can’t punish them for it. For instance, if I sold someone a gun under the table, and they killed someone with it, I should not be punished for the murder, but the murder would not have happened if I hadn’t sold them the gun. In this sense if would be meaningless to say that I held some accountability.
Certainly the way a child is raised has some bearing on how they act when they are an adult, but we cannot punish a parent for it. To say the parent is accountable is too strong of a statement, in my opinion.
Also, people could use the same method that Firesheep employs before Firesheep existed. Firesheep simply makes it easier. Should we also factor in how easy it is? Let’s say that there was another program before Firesheep called Icelamb. If the jealous ex would have used Icelamb to stalk his ex, does the author of Firesheep still bear the same responsibility if the guy uses Firesheep instead?
What if the murderer whom I’m selling a gun to already owns one? Do I still bear the same responsibility if he chooses to use my gun instead of the one he already had?
How do we know that the jealous ex would not have used Icelamb, or that the murder would not have used his own gun?
Mike, you say “it would seem that there would be a better way to do this than exposing people to a significantly increased number of potential intruders”. I agree it would seem that there should be – but where or what is it? There’s a long history behind the Full Disclosure culture in computing. Notifying the vendor first is an obvious first ethical step, but in this case, as Firesheep’s author says, “This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.”
When you’re an officer of a large organisation, and a deep vulnerability is found in your systems such that a small percentage of your customers or product can be ripped off, it’s cheaper, and therefore better for the shareholders, to stonewall until/unless the cost to the company of the ripoff exceeds the cost of fixing the system. It therefore makes sense, and could be argued to be your fiduciary duty, to keep a lid on the problem until it becomes cost-effective, at the time of some major overhaul, to replace the whole system.
Wide exposure of the vulnerability lifts the lid and costs the company money, tipping the balance. After that, the company’s interests and its users’ interests become aligned.
From Wikipedia http://en.wikipedia.org/wiki/Kryptonite_lock
“Until 2004, Kryptonite locks used the tubular pin tumbler locking mechanism. In 2004, videos circulating on the Internet demonstrated that some tubular pin tumbler locks of the diameter used on Kryptonite locks could be easily opened with the shaft of an inexpensive Bic ballpoint pen of matching diameter. Trade website BikeBiz.com revealed that the weaknesses of the tubular pin tumbler mechanism had first been described in 1992 by UK journalist John Stuart Clark.[3] For an article in New Cyclist magazine, he teamed up with a bike thief to show how easy it was to break in to the majority of bicycle locks then on the market. One of the methods he revealed was the ballpoint pen method. His article led to follow-ups in bigger circulation bicycle magazines and a BBC TV consumer rights programme also carried a feature on the pen method. Some UK trade distributors of bicycle locks using the tumbler mechanism withdrew the products from the marketplace and introduced locks which were more pick-proof. Following BikeBiz.com’s report about this 1992 knowledge of the pen method, the lock-picking video received widespread attention by the mainstream media, and after a few days of negative publicity, the company responded with a lock exchange offer.”
The Kryptonite video was quite clear. After I watched it, I could immediately open my own lock. Naturally, I got a new one post-haste!
The similarities are striking. Both problems were known to the companies for quite a while, but it was not in the companies’ interest to fix them until the faults became widely known.
Going all consequentialist for a minute, is it better to allow a small percentage of bad guys to operate undisturbed indefinitely, or splash it open to all for the time it takes for the company to fix the problem? What is foreseeable here?
Now, is there necessarily an ethical distinction between providing the information as an easy-to-follow set of instructions and providing the same information as a program? If there is, I don’t see it. If there was a secret way to wiggle your fingers to kill a person unprotected by an amulet, would writing a blog post about it really be ethically different from selling guns?
I just want to say… the fact that FireSheep is getting so much publicity means its creator has accomplished what he set out to do. The name FireSheep is all over the net, and has even been seen on TV News channels. He is bringing a serious vulnerability into the light, and exposing the blatant laziness of the site admins! When enough people in high places have made complaints to the right people, this problem will cease to exist. If you don’t understand what’s going on here, allow me to explain:
Any website that involves proof of identity (login) should use one of the https secure protocols — not just during login, but the entire time you’re using the site. The thing is, https uses encryption, so the webserver has to spend extra processing power to encrypt and decrypt the packets. Extra processing translates into extra $$ in the minds of the site admins because the server has to work a little harder. For this reason, they try to use https as little as possible.
The same goes for using WPA at public hotspots. If those wifi packets were encrypted, FireSheep would not be able to “listen in” on them to begin with. Again, this is laziness on the side of both parties. The people that run the hotspot don’t want to take the time to set up the WPA and explain how to use it to people, and the customers are too lazy to learn how to use WPA.
Want a good analogy? I saw plenty of posts above that almost hit the mark, but none of them were quite right. Going with the home security one, theft of property isn’t exactly what’s going on here. This is about privacy. Think about it like this: would you leave your curtains wide open while you’re getting undressed? The curtains are the https protocol of course. What is FireSheep in this analogy? Maybe you live on the fourth floor of an apartment building and normally people on the street can’t watch you undress. FireSheep is the new telephoto lens of the peeping tom on the fourth floor of *his* apartment across the street. Telephoto lenses have been around for years, but this one was on sale (easy to acquire) and is magically able to attach to the cameras that people already own (Firefox) and know how to use (addons). Using WPA at hotspots might be compared to not standing in front of the window in the first place…
If you already have blinds on your windows (https), why not close them when you’re doing something you don’t want everyone to see?
If you want to go with the lock analogy, FireSheep is like a magic device that detects homes of people that leave their doors unlocked. You see, FireSheep isn’t a lockpick. It doesn’t defeat any kind of security. It waits for you to unlock your door (log in) and then just follows you inside your house because you left the door unlocked.
I salute the efforts of Mr. Butler in exposing this laziness.
I agree that this is finally calling attention to a longstanding problem.
Just because the problem wasn’t visible to most people didn’t mean the problem didn’t exist.
To carry on with the gun analogy, he’s saying, “Hey! Look! Be careful there’s a gun here!” Does he then bear the responsibility for the next person to pick up that metaphorical gun?
I don’t think so.
On the contrary, I think this will cause the public to pressure sites to offer HTTPS for all data, where they now demure. They do so because encryption is expensive on the server side.
They will continue to not provide secure connections until the public demands it.