On August 28, 2019 Paige Thompson was indicted for her intrusion into Capital One’s data. She had taken advantage of a “configuration vulnerability” in the bank’s security software, which enabled her to download a host of personal information. The breach went apparently unnoticed by Capital One’s security team. Ultimately, Ms. Thompson's downfall came at her own hand after she posted the ill-begotten information on a GitHub account that shared a moniker with her social media persona: “erratic.” Another GitHub user alerted Capital One to the file, and in perhaps another dig at the savviness of the bank’s cyber defenses, graciously offered to help locate the hacker.
For decades, media has explored the impact of an increasingly wired world and how humans interface with it. From movies like War Games and Bladerunner to books like Neuromancer and Snow Crash, characters must orient themselves in a landscape where technology and business have an inertia all their own. For board gamers who want to duel in cyberspace without risking federal charges, though, Android: Netrunner provides a tabletop analog and explores how far some businesses might go to protect their intellectual property.
As usual, this article first explores specific game mechanics, here the various permutations of cyber defense corporations might employ. For those already familiar with the game, feel free to head to the discussion of some of the legal principles in play. Readers can always just jump to the analysis section.
Development of Android: Netrunner (A:NR) ended in 2018, and was itself a reboot of Richard Garfield’s original 1996 Netrunner game. A:NR pits two players against each other in an asymmetric competition to acquire seven agenda points. One player represents a corporation (Corp) seeking to score such agendas by building “servers” and investing resources into advancing the assets/agendas housed within them. The other player is a hacker (Runner) who attempts unauthorized intrusions to steal the data from without. As the game progresses, both players deploy increasingly complex systems to achieve their ends.
The Corp always has at least three servers the Runner can attack: “HQ,” which is represented by the Corp player’s hand; “R&D,” which is the deck of undrawn cards; and “Archives,” which is the Corp’s discard pile. The Corp may create additional “remote” servers, which is the main way they seed agendas and attempt to develop them. To protect themselves, Corps can also deploy “ice” (the term is never explained by the game, but was coined by author William Gibson to mean “Intrusion Countermeasures Electronics”), various cyber defenses that can slow or disrupt the Runner’s attempt to gain access. Corps might also install assets in the “root” of their servers, like network security administrators or interns, as well as play events. Time is limited, though. At the start of their turn the Corp must draw a card from R&D, and will trigger an alternate lose condition if they cannot because their deck is exhausted.
Meanwhile Runner builds up their “rig” (playspace) with a variety of hardware, software, and resources (both physical and virtual) to navigate the sprawling corporate architecture. Runners use programs called “icebreakers” to defuse ice, hardware to increase their available memory to run additional or more complex programs, and can also play events. For Runners, though, their hand (“grip”) also represents their health, which leads to a particularly grim aspect of the game. While Corps can lose because their R&D is empty, Runners can lose by taking more damage than cards they have in hand; a process known as flatlining.
Ice comes in broadly three flavors, although later expansions added categories:
Barriers, which are often straightforward obstacles that will terminate the Runner’s intrusion if not circumvented (they typically have at least one subroutine called “end the run.”)
Code Gates, which are frequently utility programs that support other ice or trigger conditions that benefit the Corp.
Sentries, which damage the Runner, destroy parts of their rig, or attempt to "tag" the Runner via a tracing protocol. A Sentry's goal is to directly punish the Runner.
Corps also have traps, which might be lurking as ice or assets. Corps players typically play their cards face down, in an inactive (“unrezzed”) state. As a Runner encounters these cards, the Corp can choose to flip over ice and pay its activation cost to “rez” the defense. The Runner must contend with all rezzed ice on a server before he or she can access the asset/agenda stored at the heart of it.
There are four basic Corp identities:
Jinteki, a business that heavily invests in cloning and uses traps and mind games to repel Runners;
Hass-Bioroid, which focuses on androids equipped with artificial intelligence and robust ice to stall Runners;
Weyland, who has turned its eyes to the stars and does not hesitate to use its considerable wealth to physically confront Runners; and
NBN, the media conglomerate that specializes in outpacing the Runner while identifying them with “tags.”
Meanwhile, Runners are loosely organized under three tribes:
Shapers, explorers that remake the virtual landscape to grant them passage;
Criminals, who are fiscally motivated and often seek to simply bypass countermeasures; and
Anarchs, whose chaotic aim is to erode corporate hegemony, even if their exploits cost them, as well.
"The cause is hidden. The effect is visible to all."
Whatever their motivations, the Runner’s attempts to intrude into the Corp’s servers likely run afoul of the Computer Fraud and Abuse Act (CFAA). 18 U.S.C. § 1030. Amongst other conduct, the CFAA prohibits intentionally accessing, either without authorization or by exceeding already-granted authorization, information from any “protected computer.” “Protected computer” is a broad term and includes a computer that is used in or affects interstate or foreign commerce or communication.
Cyber defense, to including the practice of “hacking back” those who have accessed your computers without authorization, is more uncertain. By its own words, the CFAA seems to criminalize such retribution as the putative victim would then be the one seeking unauthorized access to a potentially protected computer. Yet waiting for state authorities to be alerted, investigate, and (hopefully) prosecute a hacker is often not fiscally viable for companies. On September 16, 2019 a U.S. congressman reintroduced the Active Cyber Defense Certainty Act (ACDCA), which would amend the CFAA to allow private entities, under certain conditions, to engage in specified defensive measures. Analysts suggest such self-help resembles allowing private individuals to engage in "self-defense" in the cyberworld. This post continues the analogy and examines the legality of some cyber defenses in A:NR by reviewing how American law treats private individuals utilizing “self-help” to exclude would-be intruders.
The below touches upon two disparate areas of the law: (1) the duty of care owed by property possessors to others on the property in a civil context; and (2) self-defense in criminal law. Regarding the former, the duty a property possessor has to protect other people from hazards on the property depends on the relationship between the possessor and third party. A trespasser is one who enters or remains upon another’s land without privilege, Restat 2d of Torts, § 239, and I treat Runners as "trespassers" into the virtual landscape/electronic domain of the Corp’s network.1 Property possessors are normally not liable to trespassers for physical harm that occurs as a result of not using reasonable care, but there are several exceptions. Restat 2d of Torts, § 333. One exception is: when a possessor of property has created or maintained an artificial condition that is likely to cause death or serious bodily harm; that condition is such that a known trespasser will not discover it; and the possessors has failed to exercise reasonable care or warn the trespasser. In those circumstances, the property possessor may be liable for the harm that befalls the trespasser. Restat 2d of Torts, § 337.
Static barriers like walls and fences, even when equipped with broken glass or barbed wire, have long been customary tools to exclude uninvited persons from real property. See, e.g., Francis H. Bohlen and John J. Burns, The Privilege to Protect Property By Dangerous Barriers and Mechanical Devices, 35 Yale Law Journal 525 (1926). For example, in Baecher v. McFarland a 5 year-old girl climbed up a fence so she might better view a horse on a neighboring lot. 31 S.E.2d 279 (Va. 1944). Her grandmother called, and as the child jumped down she came in contact with barbed wire strewn across the top of the fence, “which tore an ugly scar in her face.” Id. at 280. The court determined the use of barbed wire was not against city ordnance, but even if it was, that would not render the owner of the fence liable for the little girl’s injuries because the “use of barbed wire as a material in the construction of fences is so common and universal that we cannot classify it as a dangerous instrumentality.” Id. at 281. Similarly, a Georgia court of appeal denied a widow’s claim when her husband, on a dirt bike, collided with a half-inch cable stretched approximately three feet above a dirt trail. Harrison v. Plant Improvement Co., 616 S.E.2d 123 (Ga. Ct. App. 2005). The husband and not been invited onto the property. The court determined that the cable was a "static or passive" condition and the property owner had not "intended" to inflict harm on a trespasser, even though injury was foreseeable, and thus there was no liability. Id. at 126.
However, some property owners go beyond passive conditions and set actual traps. A common example is the “spring gun,” a firearm set to discharge when tripped. The Ohio Supreme Court provided a brief review of the legality of such traps in State v. Childers. 14 N.E.2d 767 (Ohio 1938). The court concluded that while spring guns were not unlawful under early common law, "[b]y the overwhelming weight of authority, a person is not justified in taking human life or inflicting bodily harm upon the person of another by means of traps, spring guns, or other instruments of destruction, unless, as a matter of law, he would have been justified had he been personally present and had taken the life or inflicted the bodily harm with his own hands." Id. at 770. Childers was a farmer and had a watermelon patch that incurred "considerable damage" by neighborhood boys. Childers set spring guns, one at each end of the patch, and averred he placed multiple notices reading "Dangerous, don’t go in this patch. Go back out." Fourteen year-old Daniel Wagoner entered the patch, was wounded by one of the traps, and required eighteen days in the hospital. Wagoner testified he did not see any notices and thought the watermelons belonged to his grandfather, a neighbor to Childers. In affirming Childers’s responsibility for injuring Wagoner, the court noted "[n]o one should be permitted to do indirectly what he may not do directly. Defendant’s absence from the scene of the shooting should not enlarge his rights." Id.
Such cases demonstrate that while property owners and possessors may use reasonable force to repel intruders, "only in extreme cases can one endanger human life or do great bodily harm in defense of property." 40 Am Jur 2d Homicide § 164.2 Courts tend to find traps that pose a threat of death or serious bodily injury to intruders unacceptable for two reasons.
First, trespassers do not always pose a threat of death or serious bodily injury to the possessor, even trespassers who admit to engaging in burglaries. In such circumstances, using deadly force, were the property possessor present in lieu of the trap, would not be excusable. The South Carolina Supreme Court noted the “preservation of human life and of limb and member from grievous harm is of more importance to society than the protection of property. Compensation may be made for injuries to or the destruction of property; but for the deprivation of life, there is no recompense; and for grievous bodily harm, at most, but a poor equivalent.” State v. Green, 110 S.E. 145, 147 (S.C. 1921) (affirming conviction for manslaughter when owner installed a spring gun in a house that was subject to burglary and vandalism). See People v. Quesada, 169 Cal. Rptr. 881, 885 (Cal. Ct. App. 1980) (“And since a burglary committed when no one is on the premises is not a crime which threatens death or serious bodily harm so as to justify the use of deadly force in preventing its occurrence, it would seem to follow that it is not, or at least not per se, the sort of crime which justifies the use of deadly force by a citizen in apprehending the criminal.”); Katko v. Briney 183 N.2. 2d 657 (Iowa 1971) (defendant liable for a spring gun placed in a bedroom of a residence he did not inhabit when said firearm discharged and struck a would-be thief who was searching for antiques); State v. Plumlee, 177 La. 687 (1933) (manslaughter conviction upheld for farmer who set a spring gun to prevent his chickens from being stolen, and the trap killed a thief).
Second, even if deadly force were sometimes authorized in self-defense, perhaps in a case of a violent robbery, the trap is incapable of discerning such circumstances. See People v. Ceballos, 526 P.2d 241, 244 (Cal. 1974) ("Allowing persons, at their own risk, to employ deadly mechanical devices imperils the lives of children, firemen and policemen acting within the scope of their employment, and others. Where the actor is present, there is always the possibility he will realize that deadly force is not necessary, but deadly mechanical devices are without mercy or discretion."); Falco v. State, 407 So. 2d 203, 208 (Fla. 1981) ("A trap gun or spring gun is absolutely incapable of exercising discretion or reason. Rather, it sentences its victim to death or great bodily injury in a split second explosion of deadly force. Such arbitrary brutality should necessarily be prohibited under any circumstance.").
Just as the above property possessors are accountable for spring guns hidden in uninhabited buildings or merely near dwellings, so too are individuals responsible for similar traps set in commercial spaces. In State v. Beckham, the Missouri Supreme Court affirmed a chili stand owner’s liability after he placed a spring gun near a window to "scare" intruders and it killed a teenager. 267 S.W. 817, 818 (Mo. 1924). Similarly in McKinsey v. Wade, a Georgia court of appeal affirmed a defendant’s liability for setting dynamite in a cigarette vending machine in his store, which then killed a thief. 220 S.E.2d 30, 33 (Ga. Ct. App. 1975) (“But let us set forth one additional principle of law which leaves it beyond peradventure that defendant had no right to defend his wrongful, unconscionable, and destructive conduct by showing that the minor son of plaintiff was engaged in theft of his vending machine. What negligence did the minor son commit? He was a trespasser and engaged in petty theft. What wrong did the defendant commit? He had an abandoned and malignant heart; he set a deathtrap with dynamite, never testing it to determine how many innocent persons might be killed if within 100 to 200 yards of it, and thus sought to protect his several dollars in the vending machine. He had a conscious indifference to consequences, and by all the tried-and-tested rules of our laws, he was guilty of wilful and wanton negligence.”)
"Laws are sand, customs are rock."
The legality of the Corp’s defenses, both as proposed by the ACDCA and extrapolated from existing tort and criminal liability, depends on its consequences on the Runner.
To the extent a Corp’s ice merely seeks to prevent intrusion, as is the case for many barriers in A:NR, such use is already widely accepted as a firewall. So long as the ice’s only function is to frustrate a Runner’s attempt to intrude into the server by ending the run, the ice’s specific type does not appear to have any legal significance. In A:NR, a Corp often seeks to further disincentive runs by having its barriers do incidental damage to the Runner’s grip or rig. That runs afoul of the existing CFAA and the proposed ACDCA, since such acts constitute unauthorized access into a “protected computer” – the Runner’s – and deletes information. However, the use of broken glass on walls and barbed wire on fences appears to be tolerated due to its widespread, customary application. As private cyber defense norms develop and evolve, it is possible the legal system would also grow to tolerate some immediate, negative repercussions for individuals who persevere in trying to access a corporation’s servers.
If the ice collects additional information or otherwise provides utility strictly within the confines of the Corp’s network, such as many Code Gates do, then that too would likely be permissible. See Active Cyber Defense and Interpreting the Computer Fraud and Abuse Act.
However, a defense mechanism whose primary effect is to destroy the trespasser’s equipment or outright harm them is likely unlawful, rendering many Sentry ice and traps illegal. The ACDCA seeks to explicitly criminalize destroying or rendering "inoperable information that does not belong to the victim that is stored on another person or entity’s computer" during a hack-back. § (4)(1)(3)(B)(ii)(I). There are at least two reasons why the state would not want to sanction the destruction of non-victim information held by hackers.
First, because the hacker may be the sole custodian of evidence of other crimes, the government will likely want to preserve the integrity of the hacker’s system. For example, while it was the Capital One intrusion that initially led to Ms. Thompson’s arrest, once her equipment was seized authorities discovered files from previously unknown victims.
Second, even if the information of other victims is not present, preserving the hacker’s equipment could enable investigators to determine how the crimes were committed and either identify existing system vulnerabilities or attribute other intrusions to the hacker.
Should the Corp utilize dangerous ploys in their servers, it would likely be just as liable for any resulting harm as though it employed spring guns around their buildings. The manner in which that damage is done to a Runner–be it via ice, an asset, or event–appears immaterial. Because the Corp keeps its cards hidden until utilized, all such ploys constitute obscured hazards. The Corp player also builds their deck and chooses whether to include tools that have the express purpose of harming the Runner. In that way, such cards represent artificial conditions that the Corp has created and are unlikely to be discovered. Therefore, under civil tort liability the Corp has a duty to warn the Runner, even though the Runner is a trespasser. Warning someone of a trap, though, defeats the purpose of including such tools.
Furthermore, because a Corp can easily build a network security structure without incorporating such deadly instruments, it could be liable for any consequential harm even if did provide notice to the Runner, since the execution of the defenses would be unreasonable. Nor would the Corp be justified in their strategy just because the Runner is demosntrably a data thief; as discussed above, society values life and limb more than property.
Lastly, defense mechanisms that merely operate to "tag" a Runner in A:NR’s terms would likely be legal as "beaconing" under the ACDCA. However, what the Corp subsequently does with that information would still be subject to legal review.
One indication of the breakdown in social order within many cyberpunk landscapes is that multinational business appear to operate extralegally, either because the state is unwilling or unable to reign in corporate actors. So it is unsurprising that not all tactics employed by a dystopian Corp are authorized today. However, even Corps that engage in so-called "black ops" and "gray ops" against runners still seem concerned with public appearance,3 so social norms may prove a more powerful force than law in such circumstances.
1. The other categories of persons being licensees and invitees. See Eliot T. Tracz, Holmes, Doctrinal Evolution, and Premises Liability: A Perspective on Abolishing the Invitee-Licensee Distinction, 42 T. Marshall L. Rev. 97 (2017) for a discussion on how useful the distinction between invitees and licensees is.
2. While, for historical reasons, there is sometimes greater leeway for householders to act in self-defense of their dwellings, the issue for many corporate offices is that they do not constitute “inhabited” structures, although some jurisdictions have stretched even this broader concept of self-defense to a commercial area in order to protect the persons therein. See 40 Am Jur 2d Homicide § 161.
3. The flavor text for cards like “Scorched Earth” and the “bad publicity” mechanic in A:NR seem to demonstrate businesses still value at least appearing ethical.