The term “hacker” is often used to describe a person with sophisticated computer skills and a certain lack of regard for laws and other norms of conduct. The term has its probable origin in student slang at the Massachusetts Institute of Technology. The media and popular fiction have invested the term with a certain outlaw mystique; however, the application of the term “hacking” to illegal activities has aroused resentment among hackers who are careful to keep their activities within the bounds of the law, or to step outside those bounds only to make calculated statements. According to these “white hat” and sometimes “gray hat” hackers, outlaw hackers should properly be referred to as “crackers” or “black hat hackers.”
Early computer networks, such as ARPANET and NSFNet, did not support a community of for-profit businesses. Most users were scientists and computer programmers—many, perhaps most, were or aspired to be hackers themselves. Mischievous hacking served a useful purpose; it identified weaknesses and security flaws (Lessig 1999, 194). As a result, legislators and law enforcement ignored it. But as businesses and ordinary people came to rely upon the Internet, the potential for hacking to do harm increased while its usefulness decreased: users whose sites or computers were hacked lacked the technical sophistication to understand which security flaws had been exposed by the hack. The spread of the Internet also gave rise to a generation of “script kiddies”—hackers who in many cases do not actually understand the systems and programs they were hacking, but download and use hacking programs written by others.
The criminalization of hacking coincided with the transformation of the Internet from an experimental network for sophisticated users to a universal information resource. In 1988, hacking was brought to an unprecedented level of public attention by a worm created by Robert Morris, Jr., a graduate student at Cornell University in New York State and the son of National Security Agency data security expert Robert Morris Sr. (Lessig 1999, 282, n. 18). The worm spread across the Internet, shutting down hundreds or perhaps thousands of computers and causing millions of dollars in damage. Morris, in creating the worm, was acting as an old-school hacker: he was pointing out a security flaw in the open-source program Sendmail, which is used to transfer most of the email on the Internet. Because Sendmail is an open-source program, there is no one person responsible for fixing flaws such as the one discovered by Morris; in a world in which all users were also capable of understanding and rewriting code, the logical way to point out a flaw in Sendmail would be to exploit that flaw in an obvious but harmless way, thus calling it to everyone’s attention (Lessig 1999, 195).
Morris used a worm—a self-replicating program—to expose the flaw in Sendmail and another program, Fingerdaemon, as well as in computers’ “trusted hosts” and password features (Morris, 928 F.2d at 506). He committed two errors of judgment, however: the worm replicated too quickly and most of the new users of the Internet were not technically sophisticated enough to figure out what to do about it. Morris tried to stop the worm after he had released it, but was unable to do so. The worm and its consequences attracted considerable media attention; at the time the Internet was a new and unfamiliar medium, so much so that the appellate opinion in Morris’s case referred to it throughout not as “the Internet” or “the internet” but as “INTERNET,” in capital letters and without the definite article (Morris, 928 F.2d at 504–511). Morris was arrested and charged with violation of what was then a recently enacted statute, the Computer Fraud and Abuse Act (18 U.S.C. § 1030). Section 1030(a)(5)(A) as it then read (it has since been amended) provided for the imposition of penalties on anyone who:
(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby (A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period (quoted in Morris, 928 F.2d at 506).
Morris was convicted of violating § 1030(a)(5)(A) and “sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision” (Morris, 928 F.2d at 506).