Ethical And Legal Analysis Of Mckinnon Case

This assignment I based upon an article published online on the 15th of May 2009 by popular computing Magazine PC Pro (see appendix A). The article discussed Gary McKinnon who has been accused of hacking a number of United States (US) NASA, Army, Navy, Department of Defence, and Air Force systems. His US prosecutors insist he was acting with malicious intent and that he caused damage worth over $700,000. McKinnon denies acting with malicious intent or that he caused that much damage, citing that his motivation was to search for evidence of secret free fuel, anti-gravity and UFO technologies. McKinnon has stated that the network security was weak and he was able to gain access due to network administrators failing to use secure passwords on high level administrative accounts. Once inside, McKinnon used readily available software called RemotelyAnywhere to take control of machines. The case study identifies that his search became an addiction which took over his life.

Rationale

The Gary McKinnon case sprung to the headlines in 2001, the media frenzy surrounding the case would support the tagline of ‘the biggest military hack of all time’. The case has been open for over nine years now and the end is not yet in sight; indicating that the legal issues within the case are both complex and in no way, easy to dissever. The extensive and drawn-out media coverage adds to the complexity of the issues surrounding the case.

This case study has been chosen firstly as it covers a very current issue in hacking. It would seem that hacking cases would only increase in the future as more nations cross the digital divide. Electronic crime is difficult to police and further difficulties arise out of international crimes. The nature of electronic communication and the removal of physical boundaries provide complexities in electronic crime and the control of borderless technologies. This case study has been chosen as it is particularly exposed to ethical questioning as law does not adequately resolve this case.

This case study has been chosen for ethical and legal analysis not just for its high profile. Numerous actors can be identified in this case to provide a solid base to apply a pragmatic analysis of ethical issues though the direction of ethical frameworks. Primary actors in this case are identified as the Gary McKinnon and the network administrators responsible for security. Secondary actors have been identified as the makers of RemotelyAnywhere, the software which allowed McKinnon to control machines so easily and the US military who were the owners of the networks and data stored there. Similarly, these actors provide a basis to identify legal issues inherent within the case study. There are sufficient suggestions to argue that laws have been broken by both primary actors in this case.

Technology strides on through the digital age where the other side of the world is accessible at our fingertips and a mere four billion IP addresses are not fulfilling needs. For this reason, it cannot be helped but to feel that hacking cases will only increase in scale and/or frequency and perhaps the Gary McKinnon case will be surpassed in the future.

At first glance this case appears to be a typical hacking case, where the person committing the offence is acting for purely personal reasons to commit fraud or otherwise take something which isn’t theirs to take. However this case differs in that there is no reason to believe that McKinnon was acting with the intent to take anything which was not his or to gain any personal advantage from his actions. Actors objecting to McKinnon’s actions are those who were responsible for the security of the network and those who owned the network.

Ethical Frameworks

Modern day normative ethical frameworks are broadly divided into two. Deontology, based on moral intention and input, and conversely Teleology which is centred around the output and end result.

Teleological

Teleology is the philosophical stance that an action may be critiqued based upon its consequences. It is commonly thought of with the view that the end may justify the means (Edgar, 2002; Bynum and Rogerson, 2006; Weckert, 2007), therefore teleological frameworks are concerned with the end result of an action. Utilitarianism is a type of teleological theory, which emphasises that the end result is important rather than the intentions of an individual. Its main principle is specifically to seek to maximise happiness through consequences (Spinello, 1995). It therefore claims that an action may be judged based wholly upon its usefulness in bringing about happiness. Speaking on utilitarianism it was observed by Velasquez (1992) that

“the principle assumes all benefits and costs of an action can be measured on a common numerical scale of moral calculus” (p.61). To what constitutes happiness and its worth would largely depend upon the individual critiquing the action. For example McKinnon may argue that his happiness in doing this for so long was far greater than the unhappiness caused for the US Government who has lots of money and resources, yet the utilitarian frame work aims to maximise the “…greatest happiness of all those whose interest is in question.” (Lyons, 2003 p.27). So everyone affected must come into consideration, this includes: the network administrators, the US government, McKinnon and the makers of RemotelyAnywhere. It can be argued that McKinnon was attempting to maximise happiness by uncovering secret technologies. However a utilitarian framework is only concerned with the happiness actually brought about as a result from an action (Spinello, 1995) rather than intent.

Whilst McKinnon is the primary actor and the main benefiter, in the article he is quoted as saying “I think I wanted to be caught, because it was ruining me” (Turton, 2009). This indicates that McKinnon’s happiness was short lived and as a result produced unhappiness from him quitting his job and splitting up with his girlfriend. The makers of the software RemotelyAnywhere subsequently had much publicity, however this is predominantly negative publicity as their software was used to commit crime. A small benefit may be that those wishing to commit crime, would buy their software more, even if this is not its intended purpose. A large amount of unhappiness would come from the owners of the network, the US government. The break-in has caused a large amount of embarrassment for the government, intensified by the claims that the security was weak. Even if the allegations that McKinnon deliberately caused damage are untrue, the cost of finding, tracking and fixing the break-in may be more costly than the actual offense (Baase, 2003). This could be gauged both in terms of money and time.

Utilitarian ethics assumed happiness can be somehow calculated. An action can be deemed correct if the total good minus the total bad is greater than that of an alternative (Sinnott-Armstrong, 2006). It is emphasised that the happiness is calculated based upon everyone who would be affected by the action. This is opposite to egoism, which is only concerned with the happiness of the individual undertaking the action (Johnson, 2001; Spinello, 1995). Based upon egoism, McKinnon’s actions are justified as he was acting purely for his own enjoyment with disregard for anyone else. However as he was caught, the sentence he will most likely receive may outweigh his current happiness.

In weighing up the good verses the bad consequences of an action, the distinction must be made between ‘act utilitarians and ‘rule utilitarians’. Baase (2003) gives the explanation that “rule utilitarianism, applies the utility principle not to individual actions but to general ethical rules.” (p.406). In evaluating this case study, it would be difficult to agree that computer hacking is always okay, as this is an invasion of privacy therefore creates much unhappiness. However an argument for applying this as a general rule may be given, as hacking large, private and ungoverned organisations such as the army navy or NASA would ultimately lead to them being more truthful and open about matters. Being honest and encouraging others to be truthful is something that a rule utilitarian would certainly agree with. This argument is of course independent of the allegations that McKinnon caused damage in his apparent search for secrets. The long term effects, in rule utillitarian’s perspective, could be that hacking prestigious governmental networks may cause panic amongst other network administrators or individuals which wish to have their data kept secure. It could likely lead those responsible in this case to lose their jobs. Knowing that data is not private and may be scrutinised can lead to individuals acting differently than they would otherwise; perhaps to the extent that inhibits them from doing their job as well as they otherwise would (Johnson, 2001). Allowing hacking to be justified in all cases may even lead to questioning if electronic data can be kept securely at all! Alternatively, had McKinnon uncovered evidence of UFO technology, the happiness generated would perhaps be greater than unhappiness, and may then be justifiable.

Rule utilitarianism fails to foresee the inherent difficulties in predicting the consequences of every act of computer hacking, therefore it is difficult to apply from a practical point of view. Although it may be idealist to conclude that this is would only be suitable for a hindsight evaluation, a rule utilitarian would insist all other cases come into consideration. This is unrealistic and inherently flawed.

Act utilitarianism is only concerned with the current action under scrutiny. In applying this to the current case study it was believed by McKinnon that the resulting happiness would far outweigh that of unhappiness. However Johnson (2001) highlights that in making decisions on current actions, the norm or general rules may only be “…abandoned in situations where it is clear more happiness will result from breaking them.” (p.40). McKinnon acknowledges in the case that he gained little in evidence of UFO activity. It is presented that his motivation was to “prove the US was withholding information on technologies including anti-gravity propulsion and free energy” (Turton, 2009). However, McKinnon alluded to his friends that he had found little or no evidence. Bynum and Rogerson (2006) agree that in a utilitarian framework “The risk and probabilities count also…” (p.72). As McKinnon says that there was little previous evidence of UFO technology then surely according to a rule utilitarian he should not have ignored the general rule as it was not clear that his actions would result in greater general happiness, consequently it did not.

It is identified in the case that McKinnon was only able to access the network due to the action of network administrators in leaving accounts without passwords. The actions of the network administrators would seem unethical under a utilitarian framework when considering the alterative of setting a strong password, which would have had a more desirable effect. Whilst it was not known in this case study if setting passwords would have denied McKinnon unauthorised access, the risk of not setting passwords, as identified by Bynum and Rogerson (2006), would have been extremely high, and the probability that someone would eventually exploit this also high. Whilst it is likely that this error was made due to carelessness rather than a conscious decision, the assumption is made that this was an action that could have been avoided. However this negligence does not automatically justify unauthorised access, under the utilitarian framework the total happiness must be weighed against unhappiness. The happiness generated by this negligent behaviour would primarily be for network administrators who would have been able to log on to machines without having to type passwords. Happiness would have been given to potential hackers too who were more easily able to access the network. Even though allowing hackers in may not have been intended, a utilitarian framework is purely concerned with consequences (Baase, 2003; Bynum and Rogerson, 2006; Spafford, 2006; Sinnott-Armstrong, 2006). As all affected individuals are judged equal (Bynum and Rogerson, 2006) the happiness of terrorists or other hackers must count as a positive consequence: “Regardless of a person’s station in life, each person is counts the same when the benefits and harms are added up” (Bynum and Rogerson, p.71). Alternatively the US government may argue that the unhappiness was far greater from McKinnon’s actions due to the number of people that would have been affected by shutting down a network of computers. To take this stance the long term view must be disregard, that McKinnon’s action highlighted a serious security flaw that could have been exploited by a far more astute hacker. To delve even deeper into the realm of possibilities, by McKinnon hacking and getting caught on this occasion, he could have removed any chance of someone being able to hack US government computers ever again, perhaps at a time when hacking US computers would allow millions of lives to be saved.

A common criticism of the utilitarian framework is the assumption that huge unhappiness could be justified upon one person for the sake of ten others. This argument could be countered by forcing the acknowledgement of long term consequences as well as the short term consequences (Johnson, 2001). For example, the case study (appendix A) must try and foresee the long term effects of the action. The majority of these long term effects are known as the act was committed back in 2001. Nether the less the unknown unknowns severely limit the reasoning behind making a decision on utilitarian principles. Even if it is believed all the alternatives, consequences and all individuals which will be affected by the consequences have been identified, how can these be verified? A posteriori knowledge may be useful in identifying these, that is, a decision that has been arrived at after the event or perhaps by applying what has happened before. A large issue arising from utilitarianism is that without the benefit of hindsight, it is difficult to apply practical reasoning to identify the outcome of an action.

Deontological

Deontology was first coined by C. D. Broad when he used it in a term to contrast that of Teleological theories based on outcome. However, a deontological approach could be best personified by the earlier work of Immanuel Kant (1785) in saying “The moral worth of an action does not lie in the effect expected from it” (p.13). Deontologists argue the morality of an argument is based entirely on intentions of one’s actions.

Immanuel Kant is often presented as the prime example of a deontologist (Baase, 2003). Kantian ethics argues that it is not the consequence that makes an action right or wrong; it is the intentions of the individual carrying out the action. Kant (1785) argues that “It is not necessary that whilst I live I live happily; but it is necessary that so long as I live I should live honourably.” (p.13). This statement suggests that upon making an honourable decision, this will be the correct thing to do and therefore Kant must assume that this will likely have good consequences. Deciding upon what is ‘honourable’ and therefore what would be the right thing to do, is largely dictated by law. However other influences may come from upbringing, social characteristics or religious beliefs; for example, McKinnon may have been influenced by his own background in belief of UFOs. It would appear that McKinnons belief in UFOs influenced his actions.

McKinnon hacked military machines in an effort to discover secret UFO technology, which would appear to be in conflict with a deontological framework as he is using the action as a mere means to an end. However, as Johnson (2001) points out, a deontological framework dictates that a decision is not used as just a means to an end; it may be justified if that end is moral. In applying this to the current case study we can define that the end result was to discover hidden UFO technologies; McKinnon’s means of doing this was through hacking. Even though McKinnon states he did not intend to cause harm, but merely look. This perhaps is justifiable if the end result was intended to give the world knowledge of these technologies. The stumbling block in this case is that McKinnon did not have authorisation to do this. Alternatively if the US Government had agreed that McKinnon may hack their computer system on the condition of not causing any damage and just to look, this would have been entirely ethical on accordance to a deontological framework. It is difficulty to define McKinnon’s intent as he did not appear to find such evidence and secondly because he was caught. Kant’s specific class of deontology states “I should never act except in such a way that I can also will that my maxim should become universal law” (p.14). This again is similar to that of a rule utilitarian, in that if an action cannot be justified on every occasion, if is unethical.

In leaving admin accounts without passwords, the professionalism of network administrators may certainly be placed into question, yet it is difficult to identify a motive behind doing so. The key issue driving deontological ethics is the notion of motives. There does not appear to be a motive being this action just negligence. Johnson describes negligence as “a failure to do something that a reasonable and prudent person would have done” (Johnson, 2001 p.184). Johnson’s definition quite adequately describes the system administrators who may have been responsible for leaving high level administrative accounts without adequate security. Therefore under a deontological framework, the actions of the network administrators was unethical.

Apposition to Kantian ethics is largely twofold. Firstly, that Kant’s philosophy is grounded on a universal duty or maxim that can be accepted across the board, which begs the question of what should be adhered to if an action divides two moral maxims. In hacking military machines, McKinnon can only be acting upon his personal duty to find out the truth about UFO existence, but in doing so, ignored the duty to respect others’ personal property. This highlights the second major issue with Kant’s philosophy, which is, which maxim should take priority.

The ethical principles outlined by Kant rely upon the basis of moral absolutism. This is contrasted by the views of W.D Ross. Ross defined seven initial or prima facie duties:

Duty of beneficence: A duty to help other people (increase pleasure, improve character)

Duty of non-maleficence: A duty to avoid harming other people.

Duty of justice: A duty to ensure people get what they deserve.

Duty of self-improvement: A duty to improve ourselves.

Duty of reparation: A duty to recompense someone if you have acted wrongly towards them.

Duty of gratitude: A duty to benefit people who have benefited us.

Duty of promise-keeping: A duty to act according to explicit and implicit promises, including the implicit promise to tell the truth. (Johnson, 2001)

Ross defines these as common duties (but in no way absolute) to be upheld regardless of the situation. For example the duty of promise-keeping may be ignored for the duty of beneficence. In light of Ross’s variation of deontological ethics, McKinnon’s hacking of military machines may only be justified under the reason that he was acting upon his personal duty to find out the truth about UFO existence (the duty of beneficence). But in doing so, ignoring the duty to respect other’s personal property (the duty of non-maleficence). The predominant issue with applying a deontological framework is identifying the intent of an action, this is also somewhat marred by the fact that McKinnon has not yet been charged. McKinnon’s truthfulness may be contested because he is bias; he would likely say anything to get out of facing a possible extradition and prison sentence. There are suggestions brought forward from his prosecutors that insist McKinnon caused $700,000 worth of damage. The consequences of his action are disregarded under this framework (Kant, 1785), yet this may suggest that his intentions were not simply to find UFO technology. McKinnon’s actions would not be justifiable if his intentions were to cause damage. If it can be assumed that McKinnon’s actions were only to search for evidence then a deontological frame would dictate this is ethically justifiable. However, if Kants view is taken into consideration then is cannot be judged that hacking to search for secret technologies is universally justified.

Virtue ethics

Virtue ethics dates back to the ancient Greek philosopher Aristotle. Aristotle believed in excellence in human character though upholding virtues (Tavani, 2007; Bynum and Rogerson, 2006). Virtues promote positive character although the list may be very long, such virtues include: responsibility, reliability, self-discipline, modesty, courage and integrity (Bynum and Rogerson, 2006; Johnson, 2001). Whereas utilitarian and deontological frameworks are centred on rules to apply, virtue ethics is about building moral character.

In this case study McKinnon displays dishonesty by hacking the network without permission. As “virtue ethics ignores the special roles of consequences, duties and social contracts” (Tavani, 2007 p.65) therefore McKinnon and the US government must be seen as equals. This exposes McKinnon for acting without due consideration of his actions, and perhaps even foolhardiness to continue breaking in without authorization. Perhaps McKinnon could be seen as courageous for hacking such a powerful establishment, yet acknowledging the roles of the two actors (ibid) removes any hierarchy between the two. The case study beings to light accusations that McKinnon left threatening messages on desktops such as: ‘I am SOLO. I will continue to disrupt at the highest levels’. Threatening behaviour is not considered virtuous in Aristolean ideas. Presumably when McKinnon downloaded RemotelyAnywhere, there would have been an end user licence that he would have to agree to before he could use the software. This agreement dictates that the software be used for its intended purpose. McKinnon has showed dishonesty by disobeying this and using the software for hacking. Respect and quality is a key thought in virtue ethics (Bynum and Rogerson, 2006).

The network administrators in this case study would not have acted responsibly or with integrity as it is alleged that they failed to take basic measures to ensure the network stayed secure. The US military who owns the network and data held on it, although not directly responsible, would not display reliability as they have been hacked at a time when they should have been on high alert.

Rights-based

Johnson (2001) described that in a rights-based framework “the categorical imperative requires that each person be treated as an end in himself or herself…” (p.47). This statement exemplifies the common parallels between deontological and rights-based ethics.

Rights are heavily intertwined with law. For example the Data Protection Act gives individuals the right to know what information is being kept on them. Yet regardless of law, some philosophers argued that all humans possess some natural inherent rights. These rights can be seen as universal or human rights such as the right to life; Spinello (1995) gives the example of how these rights are universal in saying “everyone equally shares the right to free speech regardless of nationality or status in society” (p.31). Natural or universal rights are derived from the nature of humanity (Baase, 2003). Under rights-based ethics, legal rights come second to natural rights. The values of rights based ethics are similar to the principle for nonmaleficence. Baase (2003) states that, under rights based ethics an act is “…likely to be ethical if they involve voluntary interactions and freely made exchanges, where parties are not coerced or deceived.” (p.407). In the case study there is evidence which suggests that the exchange of data was not done voluntarily. Therefore the action of McKinnon cannot be justified on that principle.

Natural or human rights are seen as inherent and must be respected; this implies that an individual has the right not to be interfered with (Johnson, 2001). Therefore the right to privacy is not diminished by the poor security displayed within the case study. Although the network administrators did not set passwords, this does not automatically negate the right not to be interfered with. Similarly if someone forgets to lock their car this does not give someone else the right to take the car. Lax security would not matter if the right to privacy was upheld.

The distinction between positive and negative rights must be given in applying a rights-based ethical framework to this case study. A negative right will free an actor from outside intervention, whereas a positive right would give the actor whatever is needed to fulfil an interest (Spinello, 1995). Negative rights are much more common than positive rights as it is difficult to draw the line as to where a positive right is limited. Johnson (2001) highlighted that whereas duty-based ethics is largely seen a deontological framework, it may be derived from a utilitarian principles on occasion. From a utilitarian perspective, in search of the greatest happiness, Mill argued that intellectual happiness was greater than sensual (Spinello, 1995). On the basis of this, it can be argued that McKinnon may have been over exerting his right to further educate himself, but intellectual happiness is greater in Mills brand of teleology, so his actions would be justified. Rights-based ethics derived from intent would argue that McKinnon has gone against the legal right prohibiting him from unauthorised access to the network and that he has also gone against the moral right to respect others’ privacy. From a rights-based ethical framework, moral rights take prescience over other duties or action people might have (Baase, 2003) therefore McKinnons actiosn cannot be justified.

Legal Issues

In applying ethical frameworks to any case study, personal morals are heavily intertwined. Law often overrides these morals. For example, ownership of what someone creates may be negated to that of the company which that person works for if that is in their terms of employment. Alternatively something which is viewed as ethically acceptable may also be against the law. At the very least, law influences moral judgement.

There is much dispute over which country McKinnon should be tried. In analysing legal issues inherent within the case study it is firstly assumed that only UK laws apply to this case.

It is apparent within the case study that Gary McKinnon did not have authorization to access the US networks. Immediately this is in violation of the Computer Misuse Act 1990, which states that an offence is committed if:

“(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer [or to enable any such access to be secured] ;

(b) the access he intends to secure [or to enable to be secured,] is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.” (Computer Misuse Act 1990, 1990)

Clearly McKinnon was in breach of the Computer Misuse Act 1990. The case study acknowledges that McKinnon does not have authorisation and that he intended to access data regarding the existence of UFO technology. The maximum sentence for unauthorised access without intent to commit further offences is 5 years in prison. A more serious offence is committed when unauthorised access is gained “… with intent to impair, or with recklessness as to impairing, operation of computer, etc” (Computer Misuse Act 1990, 1990) this holds a maximum imprisonment of 10 years. It is unknown and very difficult to determine what the intention of Gary McKinnon was; to date there is no evidence to suggest he intended to commit further crimes with the data he accessed. But claimed from his United States prosecutors indicate that he did intent to cause damage as he left a message on machines stating: “…I am SOLO. I will continue to disrupt at the highest levels.” (Turton, 2009).

There are additional legal issues with regards to protecting data held on the network, and the professional requirements expected. It is indicated within the case that no personal information was accessed. This information is given by the US Military, which may be questioned as it would be to their advantage to deny that any personal information was accessed. The Data Protection Act (1998) dictates that the data controller must provide adequate security to protect personal information (Data Protection Act 1998, 1998).

Failure to provide adequate security even though an accident is not an excuse as Cambridgeshire County Council most recently found out (du Preez, 2011). A member of staff lost a memory stick by accident; however the memory stick did not have encryption software installed as it should have when it contained sensitive data on it. Similarly the network administrators did not intend for McKinnon to access the network, yet they failed to provide security in the chance of this happening

As McKinnon was able to access computer systems easily due to lax security, it is likely that the US and the network administrators would be in breach of this legislation.