Dr Sarah Anderson and Dr Shane Horgan
GoingAFK:~ ShaneandSarah$ Open
Last week was a big week for us. After years of planning (literally!), the final preparation for our research project into people’s moves away from illegal “hacking” (more on this term later) is in place: we have a computer! It looked as if it might not happen when our enthusiastic team member, Shane, didn’t check the IT desk opening times, but we made it. Getting a computer shouldn’t have been as much of a problem as it has been, but a global pandemic has made relatively easy tasks complicated, in this case leading to an international shortage of IT equipment. This isn’t the only way that the pandemic has thrown a spanner in the works of this project (more on this later as well).
We are starting this blog to chart our progress, the ups and downs (of which there is already some catching up to do), and to start a conversation with you about the issues we are grappling with. These issues vary from conceptual and definitional, to methodological, technical and ethical ones. One of the aims of our project is to make ‘open source’ our approach to negotiating and managing these complexities and questions, with the underlying aim being to enable future sources to tackle them more easily. This post represents a first step.
Some background….The project started with a conversation between two friends in a pub. We have now decided that pubs might just be our most creative work environment. Shane is interested in all things cybercrime-related and has done research into how different groups and organisations routinely (do and don’t) protect themselves from cyber threats. At that time he was designing a new sociological course on cybercrime. Sarah’s recent work had explored something known as ‘desistance’ from crime. Broadly this means the process by which people move away from involvement in criminal offending. There is a lot of research in this area, but so far, most of this research has been with people involved in offending IRL (drug crime, violence, burglary etc).
We got thinking about whether or not existing theories about this process would stand up when applied in a totally different context, for example, illegal forms of hacking. One theory suggests that important ‘turning points’ in someone’s life, such as getting a job or getting married, help explain why people move away from offending – in part because they are too busy doing other things in other places. But people with IT skills might be sat at their computer at work, so potentially still having the opportunity to keep doing what they were doing. Equally, what might be deemed as illegal hacking in one context might be perfectly legal and encouraged in another. Another theory focuses on shifts in peoples’ identity, where someone starts to see themselves as a law-abiding person committed to ‘pro-social’ values. But from what we knew, many people involved in hacking already have values that could be regarded as pro-social (even if they are not always pro-corporate!). This got us thinking about the extent to which moves away from illegal forms of hacking involve submitting to dominant (neoliberal? political? ideological?) values, and of course whether that’s ultimately what ‘desistance’ means more generally.
Bugs and vulnerabilities
Since then we have been developing this project. But even basic things have proved to be difficult. To start with, we have kept coming back to one pretty crucial question: what are we even talking about? This is because each of the terms in our research question – ‘desistance’, ‘illegal’, ‘hacking’ – are problematic in their own way. Let’s start with the term ‘hacking’.
‘Hacker’ has become synonymous with ‘criminal’ (no thanks to the media and some criminologists). But as many have been at pains to point out, the term hacking covers a wide range of different activities and ‘craft’ (Steinmetz, 2016). Therefore, how we conceptualise and understand ‘hacking’ from the outset of our project has huge implications for the final image of hacking careers that we will eventually be able to decipher. Hacking, often (but not always), refers to highly skilled work (paid and unpaid), some of which historically has been pretty critical to the development of the Internet, its security, our privacy, and way of life more generally. For now, we have added the term ‘illegal’ in front, to show that it is forms of hacking that are (or at least can be) criminalised that we are interested in. But this still presents problems.
To start with, some legislation has been pretty poorly defined, and many of those who engage in practices that are ‘illegal’ are still actively working towards improving cyber-security. For example, independent security researchers exploring and cataloguing malware. In other words, some of those who are technically involved in breaking the law might still be termed ‘the good guys’. At the same time, state-led hacking practices that involve the hoarding of 0-day vulnerabilities operate with pseudo-legality, despite presenting a substantial risk to the collective security of society online. Overall, when subjected to more careful scrutiny ‘legal’ and ‘illegal’ are tenuous categories in the context of our research, which introduce as many problems as they solve. We tried adding the term ‘malicious’ in front too, but that term is also pretty subjective. Malicious according to who? People rarely describe their own activities as malicious, and what a company or government views as malicious, another person may view as altruistic (or vice versa).
Another problem was with ‘desistance’. There are lots of debates in the literature about how you determine whether someone has actually desisted from crime, and when someone counts as having really stopped (one pessimistic perspective is that you can only fully evidence desistance when you are dead!). In addition to these debates, this topic presents additional headaches: e.g. the diverse range of practices covered by the term ‘hacking’, and the fact that the legality (or not) of the practices may rest to a large extent on the contexts in which you are engaged in them, on whose behalf, and how these are viewed by (which) government. So you see our problem. One day we are going to write a paper on just this (One day… the road to hell for academics is paved with half planned semi-drafted papers).
The next step was planning the project and getting someone to fund us. In this project, we want to explore how hacking careers change over time and how hacking practices and hacker communities fit into people’s lives, across their life course. To explore these issues, we want to securely and ethically collect the life stories of people who have been involved in illegal forms of hacking. We managed to persuade the lovely people at the Carnegie Trust to pay for us to fly all over the world to hacker conferences (DEFCON and CCC) where we could try and build relationships and find people who might generously be willing to share their stories with us.
At the end of January 2020, soon after we were awarded funding, Sarah and Shane met to celebrate, and plan the next steps. We even did a risk assessment, where we jokingly included ‘Global pandemic – no international travel – no conferences – total replan necessary’. You know the rest…
methodology> bash -x [Negotiating Risk and Representations]
Since then we have been busy redesigning the project and navigating the University ethics process. We have come a long way, but we are still trying to find and think of new ways to build those relationships, and are always on the lookout for people, forums, and organisations who might be able to provide a way in (ideas welcome!). Our project documents can all be found on our GitHub page: https://github.com/drshanehorgan/Going-AFK-ProjectDocuments/tree/main.*
The ethics process has also presented multiple hurdles, given the sensitivities of the project, the data being collected, and the fact that the criminal stereotype of the ‘hacker’ (rightly or wrongly) now rings alarm bells with lots of different university departments! We also have a half-written paper on this, which we are hoping to present at the Human Factor in Cybercrime conference later this year. It definitely deserves a blog in itself, so we will come back to this in our next entry….
For now though, thanks for your interest in our project. We are just the right mixture of nervous and excited, and will let you know how we get on. Talk soon.
*If you are interested in taking part in our project, please do not contact us on our university email addresseses. To help us protect your anonymity, please contact us on our project’s protonmail account: GoingAFK@protonmail.com