Categories
Uncategorized

Three criminologists road trip to ElectroMagnetic Field

In this blog we wanted to briefly share with you our experience of attending EMF, how it shaped our understandings, and where we’re going next. In summary, it was GREAT! 

Back in June, Shane, Sarah and Ben bundled into Sarah’s rusting campervan and headed for Electromagnetic Field (EMF). EMF is a volunteer led festival in which a few thousand people gather and camp in a (very) large field to create a village of hackers, thinkers, breakers, creators and general mischief makers. Over three days we enjoyed presentations, installations, games, experiments, workshops, discussion panels, music, raves, light shows, wind and some exceptionally heavy rain. We loved every second of it.  

We planned to set off at 9am, allowing 7-8 hours for the trip. All good research is fuelled by snacks, so we factored in stops. Our first snag emerged about 5 minutes after Sarah set off. Glasgow appeared to be resisting her departure by closing every road that led out of it. In the absence of a GPS, 40 minutes after leaving home Sarah finally left the city centre in her rear view mirror and was enroute to grab Shane and Ben from Edinburgh. The next snag was her realisation that she had skipped breakfast. So, after a brief interlude to consume all the food and play tetris with Sarah’s van, we left Edinburgh together for Eastnor Castle deer park shortly after 12:30. This was our first EMF, although we were lucky to have some lovely guides; special thanks to Bart, Sean and friends at Edinburgh HackLab.

Wandering around the temporary streets of this festival is a brilliant way for any newbie to become enamoured with technological innovation and creativity. It’s also a pilgrimage of geekery and nerding out for everyone else. From a research persepective, it was a key step to really grounding in reality (beyond the literature and ivory tower) our understanding of  what ‘hacking’ really means, in its broadest and funnest sense. Some might say attending an event like EMF is the only way to do so if you aren’t a maker or hacker yourself. Everywhere one looked, people were solving puzzles (there is a maths tent), and making things out of something unexpected. Examples included a giant mechanical spider powered by combustion engine, a giant rubik’s cube, lots of flame throwers, and there was even an orb in Null Sector that was doing something interesting with urine (You can see more by looking at the twitter hashtags: #EMF2022 #emfcamp2022). 

Everyone is passionate and interested in learning how things of all shapes, size, and material work (perhaps even better than those who first created it), and how this evolves with each technological tweak or addition: the talk on the complexities of railway signaling was a firm favourite among us and some of our Edinburgh HackLab friends (not quite what criminology students might imagine of a hacker festival). Shane looks forward to sharing this with students in his module next academic year. At its very essence, developing a masterful knowledge of how a thing works allows you to bend the rules its designers had in mind, get it to work in ways which are unintended, different, and ultimately, suit you better. This of course is not restricted to the technological; it extends to making anything work better for you in the way that you really want it to. In that vein, another favourite talk of ours discussed the diversity of surgical and hormonal options for ‘hacking gender’.  Thanks Ryan! Another notable feature of EMF was the inclusive atmosphere it fostered. Although, as some rightly mentioned verbally  – and with some tactical signage -some groups are still notably under-represented among its speakers. It was good to see the EMF team express a desire to do better here.

On the basis of her previous festival talk experiences, Sarah had been anticipating a small tent on the outskirts of the site, with a handful of half-cut, sleep-deprived and bedraggled people trying to find a quiet spot to shelter from the rain. Instead, the site was dominated by three massive circus tents, filled with engaged, thoughtful, and very-much-awake EMF folk, and it quickly dawned on us that one of these was where we would be giving our talk. The optimists among us saw this as an amazing opportunity to talk about our work to lots of cool people. The panicker panicked.

We got up on stage and talked about our research work more generally and the project so far. We talked about some of the definitional [Our first blog!], ethical and (perhaps especially) bureaucratic challenges [Our second blog!] we have faced in setting up the project. Then we talked about various myths that exist around computer hackers and around cybercrime more generally – like that all computer hackers are technological masterminds, or have autism, or that cybercrime is exciting, glamorous or ‘cool’ (newsflash: most cybercrime is really boring, a lot of infrastructure maintenance and admin). We also began to explore the problematic implications of these myths for policing practices and just trying to get some research done. 

(That’s us, the teeny tiny blurs on stage. Thanks for the photo Sean!)

Luckily the panic was misplaced. The people of EMF seemed to really like the talk and we were touched that lots of people came up to us afterwards to chat more about it. They came up to us in the tent, as we wandered around the site, and in the bar later that evening (The Robot Arms). A number of people shared their experiences with us, where things that we had said resonated: how a conviction, or being targeted by police unfairly or disproportionately had changed their lives, inflicted trauma or caused wider harm. The talk also opened up conversations with people over the next few days and helped us think about how we framed the project. Our experience of recruitment has been that many people don’t see themselves now – or in the past – as taking part in ‘illegal computer hacking’. This is very interesting indeed. But ask them: ‘Well have you ever creatively played around with computers, in ways which (at least sometimes) break/broke the law?’ Then the response is different: ‘Yes, obviously. Hasn’t almost everyone here?’

We are still looking for just those people to tell us their stories, about how their ‘hacking career’ has changed over time, what it means to them, how it fits with their identities and relationships and where it has led them to now. EMF was an amazing experience, and we learned A LOT. So far though, it hasn’t translated into as many new interviews as we would have hoped. So, if this sounds like you or someone you know, check out our github site, and drop us an email.

Next stop Las Vegas! DEFCON here we come…

Categories
Progress Diary

-bash: ssh GoingAFK@researchatlast!

Dr Sarah Anderson and Dr Shane Horgan 

 

GoingAFK:~ ShaneandSarah$ Open

Last week was a big week for us. After years of planning (literally!), the final preparation for our research project into people’s moves away from illegal “hacking” (more on this term later) is in place: we have a computer! It looked as if it might not happen when our enthusiastic team member, Shane, didn’t check the IT desk opening times, but we made it. Getting a computer shouldn’t have been as much of a problem as it has been, but a global pandemic has made relatively easy tasks complicated, in this case leading to an international shortage of IT equipment. This isn’t the only way that the pandemic has thrown a spanner in the works of this project (more on this later as well).

Selfie of smiling researcher carrying laptop bag
The acquisition of the laptop.

We are starting this blog to chart our progress, the ups and downs (of which there is already some catching up to do), and to start a conversation with you about the issues we are grappling with. These issues vary from conceptual and definitional, to methodological, technical and ethical ones. One of the aims of our project is to make ‘open source’ our approach to negotiating and managing these complexities and questions, with the underlying aim being to enable future sources to tackle them more easily. This post represents a first step. 

The Pretext

Some background….The project started with a conversation between two friends in a pub. We have now decided that pubs might just be our most creative work environment. Shane is interested in all things cybercrime-related and has done research into how different groups and organisations routinely (do and don’t) protect themselves from cyber threats. At that time he was designing a new sociological course on cybercrime. Sarah’s recent work had explored something known as ‘desistance’ from crime. Broadly this means the process by which people move away from involvement in criminal offending. There is a lot of research in this area, but so far, most of this research has been with people involved in offending IRL (drug crime, violence, burglary etc). 

We got thinking about whether or not existing theories about this process would stand up when applied in a totally different context, for example, illegal forms of hacking. One theory suggests that important ‘turning points’ in someone’s life, such as getting a job or getting married, help explain why people move away from offending – in part because they are too busy doing other things in other places. But people with IT skills might be sat at their computer at work, so potentially still having the opportunity to keep doing what they were doing. Equally, what might be deemed as illegal hacking in one context might be perfectly legal and encouraged in another. Another theory focuses on shifts in peoples’ identity, where someone starts to see themselves as a law-abiding person committed to ‘pro-social’ values. But from what we knew, many people involved in hacking already have values that could be regarded as pro-social (even if they are not always pro-corporate!). This got us thinking about the extent to which moves away from illegal forms of hacking involve submitting to dominant (neoliberal? political? ideological?) values, and of course whether that’s ultimately what ‘desistance’ means more generally.

Bugs and vulnerabilities 

Since then we have been developing this project. But even basic things have proved to be difficult. To start with, we have kept coming back to one pretty crucial question: what are we even talking about? This is because each of the terms in our research question – ‘desistance’, ‘illegal’, ‘hacking’ – are problematic in their own way. Let’s start with the term ‘hacking’.

‘CVE-Hacking’

‘Hacker’ has become synonymous with ‘criminal’ (no thanks to the media and some criminologists). But as many have been at pains to point out, the term hacking covers a wide range of different activities and ‘craft’ (Steinmetz, 2016). Therefore, how we conceptualise and understand ‘hacking’ from the outset of our project has huge implications for the final image of hacking careers that we will eventually be able to decipher. Hacking, often (but not always), refers to highly skilled work (paid and unpaid), some of which historically has been pretty critical to the development of the Internet, its security, our privacy, and way of life more generally. For now, we have added the term ‘illegal’ in front, to show that it is forms of hacking that are (or at least can be) criminalised that we are interested in. But this still presents problems. 

To start with, some legislation has been pretty poorly defined, and many of those who engage in practices that are ‘illegal’ are still actively working towards improving cyber-security. For example, independent security researchers exploring and cataloguing malware. In other words, some of those who are technically involved in breaking the law might still be termed ‘the good guys’. At the same time, state-led hacking practices that involve the hoarding of 0-day vulnerabilities operate with pseudo-legality, despite presenting a substantial risk to the collective security of society online. Overall, when subjected to more careful scrutiny ‘legal’ and ‘illegal’ are tenuous categories in the context of our research, which introduce as many problems as they solve. We tried adding the term ‘malicious’ in front too, but that term is also pretty subjective. Malicious according to who? People rarely describe their own activities as malicious, and what a company or government views as malicious, another person may view as altruistic (or vice versa). 

‘CVE-Desistance’

Another problem was with ‘desistance’. There are lots of debates in the literature about how you determine whether someone has actually desisted from crime, and when someone counts as having really stopped (one pessimistic perspective is that you can only fully evidence desistance when you are dead!). In addition to these debates, this topic presents additional headaches: e.g. the diverse range of practices covered by the term ‘hacking’, and the fact that the legality (or not) of the practices may rest to a large extent on the contexts in which you are engaged in them, on whose behalf, and how these are viewed by (which) government. So you see our problem. One day we are going to write a paper on just this (One day… the road to hell for academics is paved with half planned semi-drafted papers).

The next step was planning the project and getting someone to fund us. In this project, we want to explore how hacking careers change over time and how hacking practices and hacker communities fit into people’s lives, across their life course. To explore these issues, we want to securely and ethically collect the life stories of people who have been involved in illegal forms of hacking. We managed to persuade the lovely people at the Carnegie Trust to pay for us to fly all over the world to hacker conferences (DEFCON and CCC) where we could try and build relationships and find people who might generously be willing to share their stories with us.

At the end of January 2020, soon after we were awarded funding, Sarah and Shane met to celebrate, and plan the next steps. We even did a risk assessment, where we jokingly included ‘Global pandemic – no international travel – no conferences – total replan necessary’. You know the rest…

methodology> bash -x [Negotiating Risk and Representations]

Since then we have been busy redesigning the project and navigating the University ethics process. We have come a long way, but we are still trying to find and think of new ways to build those relationships, and are always on the lookout for people, forums, and organisations who might be able to provide a way in (ideas welcome!). Our project documents can all be found on our GitHub page: https://github.com/drshanehorgan/Going-AFK-ProjectDocuments/tree/main.* 

The ethics process has also presented multiple hurdles, given the sensitivities of the project, the data being collected, and the fact that the criminal stereotype of the ‘hacker’ (rightly or wrongly) now rings alarm bells with lots of different university departments! We also have a half-written paper on this, which we are hoping to present at the Human Factor in Cybercrime conference later this year. It definitely deserves a blog in itself, so we will come back to this in our next entry….

For now though, thanks for your interest in our project. We are just the right mixture of nervous and excited, and will let you know how we get on. Talk soon. 

*If you are interested in taking part in our project, please do not contact us on our university email addresseses. To help us protect your anonymity, please contact us on our project’s protonmail account: GoingAFK@protonmail.com

GoingAFK:~ ShaneandSarah$  exit 
Logout
Saving session…
…copying shared history…
…saving history…truncating history files…
…completed.
Deleting expired sessions…1 completed.
[Process completed]