Inspired by the work of Richard Thieme, and in light of the Anonymous/LulzSec activity, coupled with the Protection of State Information Bill our government is attempting to push through and numerous corruption scandals, I've been doing much thinking on the role of hacktivism in a democracy.
To be clear, hacktivism, as I see it, would be the use of illegal hacking (penetrating computer or other systems) to bring to light crimes by either the government or private entities. I'm not claiming that to be the sole definition, just the one I'd like to discuss. In this piece, I'd like to speak about the preconditions necessary for such vigilantism, the risks associated with it, and some approaches that could be used.
To be clear, I have neither engaged in hacktivism, nor do I speak for any group, or control any group. These are my opinions, and, as with most things in life, people tend to do what they like, whether I feel strongly about it or not :)
Preconditions
To be clear, engaging in the sort of hacking described would be illegal, thus making this a form of vigilantism. I'm going to posit that "vigilante justice", where the vigilante punishes the target, is rarely justified, and focus on the preconditions for hacktivism where, once exposed, the target is prosecuted under normal judicial mechanisms.
Just because one can do a thing does not mean one should. The move from law-abiding member of society to "criminal" (as you would be should you engage in hacktivism) is a significant one, and requires an equally significant loss of faith in the system. If there is a functioning democracy, with a majority elected party in power, a functioning legal system (independent judiciary), a functioning fourth estate (the media) and a functioning civil society, then it is my belief that hacktivism is rarely justified. The reason is that there are already several legally protected mechanisms for engaging in the exposure and prosecution of criminals. When threats to this careful balance of power arise, they should be fought using all legal means available.
If, despite the above, a hacker still feels the desire to engage in hacktivism, first, question your motivations.
Ego
The first motivation will be whatever injustice is perceived to have occurred, but digging deeper, I posit that there are two primary drivers. The first, and most dangerous, is ego; the second is a sense of morality or justice. This is something Thieme talks extensively about. Could it be that your primary motivation is the idea that *you* could bring about change, that *your* name is somehow stamped on the outcome? If so, think long and hard, because in the dark days to come, will that be enough? I'm not saying ego should preclude the act, just that it may blind you to the consequences or to alternatives, such as working for an investigative journalism outfit (you'd get your name in a byline).
Relative Morality
The second motivation, that of morality or justice, can be a tough one. On the one hand, the dangers of relative morality are there. For example, if you think abortion is bad and target (deface or burn down suffice as examples) the Marie Stopes Clinic, you're putting yourself at odds with much more than just the "pro-choice" movement; you're undermining a social contract by which society exists. If each person was allowed to punish those they disagreed with, we'd have few usable institutions left. In fairness, I am branching into "vigilante justice" for this example, something I said I'd leave out, but for the purposes of the example, it works. The precondition here is that the hacktivist think carefully about whether the justice they are pursuing aligns with the generally constructed sense of morality in which they live, or better yet, the laws of their society. Even then, question whether there are not other "more moral" activities that could be engaged in; everything from volunteering at a charity to starting an NGO are alternative options available.
Access to Information
The last justification I'll discuss here is the access to information in the first place. The argument goes: "How can our existing democratic structures perform their work, if the crime occurs unnoticed and unreported?" This is exactly the sort of thing the Protection of State Information Bill is seeking to limit. Thus, the hacktivist's job would be to gain access to the information, then feed it to an existing structure. If we continue with the example above, with a more charitable interpretation, where the Clinic is hacked in search of proof of criminal activity, we run into another stumbling block: the right to privacy. In this example, it is the right to privacy of both the doctors and the patients, but in general, the right to privacy of any entity the hacktivist may target. Law enforcement deal with this regularly; they need some sort of cause or reason to suspect that a crime has occurred to gain access to otherwise private material. If, as a hacktivist, you arbitrarily grant yourself the right to access people's e-mail, documents or other information, there is a strong danger that the lack of oversight could lead you to violate people's fundamental rights. If you do so more frequently than you out any crimes, do you not end up the worse criminal?
Risks
If, as a hacktivist, you feel the conditions are right or justified to continue, then be aware of the risks. The first, and most obvious, is the risk of arrest, prosecution and jail time. Jails, and South African jails in particular, are not nice places. I haven't been, but I don't imagine it's the sort of place people would enjoy spending their time.
The second risk, particularly if you target private entities (criminal organisations, businesses or government employees engaged in illegal activity), is a threat to your life. The story of Mzilikazi wa Afrika, an investigative reporter at the Sunday Times, who has had his cell phone tapped, been violently arrested on trumped-up charges and held without cause, and supposedly been placed on a hit list, is a public outing of both the capability and reach of criminals within our society. Other half-truths I've heard whispered are of businessmen exchanging details on hitmen (the Lolly Jackson and Brett Kebble murders point to this capability).
While hacktivism does not imply one of the above as guaranteed, it is worth bearing in mind as a potential consequence.
Methodologies
Preconditions and risks aside, now follows a discussion of techniques that should be borne in mind.
Legal Protection - whistleblower, journalistic source, acting in public interest
Alternative Paths to Info - how to leak
Stealth - cleansing logs, hiding IP, communicate securely
Segmentation - don't talk publicly, don't claim credit