Hacktivism raises all kinds of ethical issues. In an unusual move, hackers responsible for the hack of the Salt Lake City Police Department have deleted their copies of some of the files they had acquired from the PD’s web site.
In announcing the hack on Tuesday, the hackers known as Kahuna and CabinCr3w indicated that their motivation was a bill proposed in the Utah legislature by Sen. Karen Mayne that would have criminalized possession of graffiti tools with the intent to deface property.
Although they acquired files containing citizens’ personal information, the hackers did not dump any of those data on the Internet, repeatedly asserting that they would not dump it and had no desire to do anything that would harm “innocents.” A paste with over 1,000 officers’ names, usernames, titles, e-mail addresses, and hashed passwords was publicly dumped, however.
The bill, SB 107, was defeated in the Utah Senate yesterday by a vote of 11-17.
This morning, this blogger asked Kahuna whether they would consider deleting the files in light of the Senate’s action. Shortly thereafter, the hackers agreed to delete the files they held that contained information from those providing crime tips or other information. Their decision was announced on Twitter:
Due to privacy concerns of innocents, all files taken from the SLCPD have been deleted. We no longer have the files in our possession
— Kahuna (@ItsKahuna) February 3, 2012
I contacted the Salt Lake City Police Department to ask for a response to this latest development but have received no response by the time of this publication.
Although one of the hackers indicated to DataBreaches.net that they realize that the press and others may not believe their statement that they have deleted files, they reiterated to this blogger that they would not have dumped the data under any circumstances.
DataBreaches.net commends them for not needlessly exposing personal information and for not retaining data that they no longer need as proof of hack.
I realize that there are many who will say that their ethical action doesn’t matter and that they engaged in criminal activity by hacking the SLCPD, but I think it’s important for hacktivists to consider whether they, too, should be showing the kind of restraint Kahuna and CabinCr3w displayed by not needlessly exposing uninvolved individuals’ personal information and by deleting it when it is no longer needed as proof of hack.
Image credit: © Karin Hildebrand Lau | Dreamstime.com
True, but part of the reason for exposing customer/client information must be to get as many people upset and suing as possible.
There is no GOOD in hacking; just because they rip something down, does not mean they wont sell it or, use it at a later time. If you believe in what they say by the means they obtain it, well, something is seriously wrong.
Hackin is illegal, period. They do it for the thrill, to have that unknown, whether some one will come get them sooner or later. With these piss poor excuses they come up with, it seems like it’s a no brainer to hack into these places. With that being said, the blame is half on the hacker.
The problem isn’t always the hacker, its the corporations inability to keep the data secure. There is this ” Its not if your going to get hacked, it’s when” attitude. That means to me – that peoples’ guards are down and they can willing accept defeat.
Getting hacked is free publicity but its not a positive thing. Some companies like SAIC with the TRICARE issue are a true testiment that a poisoned company can prosper right in front of the governments nose and get away with it. As far as I can tell, they are still bidding on government contracts doing what they do best, open the door for issues. That isn’t the only company out there that doesn’t seem to care, there are many others.
Until these corporations start working together, it will be the Bozo ride to doomsville. They concentrate on the almighty bottom line and purely forget – or don’t even care about the people that have brought them this far – the customer and the data the entrusted with them.
I wouldn’t presume to speculate about the hackers’ motives. First, as a licensed mental health professional, I am ethically prohibited from diagnosing or making such statements about individuals I haven’t assessed or evaluated. Second, having spent a lot of time chatting with hackers over more than a decade now, the differences among them are as striking to me as the similarities. So… do I believe all hackers’ claims? Absolutely not. Do I tend to believe a few individuals’ claims such as data destruction? Yes. Could I be wrong? Sure. But I do want to encourage all hackers to give more consideration to not dumping personally identifiable information.
On some level, this is comparable to parenting a teen. Do you insist your teen abstain from sex, knowing they will not listen to you, or do you say, “Look, I am not happy about this at all, but if you’re going to be sexually active, at least protect yourself from unwanted STDs or pregnancy?” I do not and would not encourage anyone to hack. But if they are going to hack, I hope they hear me and not do collateral damage to individuals. Indeed, the more collateral damage they do, the less public support they will generate and the greater the likelihood their hacking will backfire and engender sympathy for the hacked entity. Sadly, so far their hacking does not appear to translate into the public demanding greater security protections by those who collect and store our personal information.
Great example of SAIC. I’ve been covering their breaches for a number of years. After the most recent breach, a few members of Congress started asking questions. What happened after that, though?
According to the congressional letter, they gave SAIC until Feb 2 2012 to respond. I am sure they had lawyers sewing in responses that are cryptic in order to make the issue more complex than it needs to be.
How long will Congress take to decipher and come up with an action? The people in office may be out of office by then, and the issue will be swept under the rug and ignored once again. If they manage to get some sort of action imposed against SAIC, I am sure the method will have to show some sort of metrics/measurement/threshold and reasonable cause.
In my heart I feel SAIC and its affliates deserve a semi-lengthy time away from government contracting. Its the way they have handled the situation in general thats disturbing. In the letter it was like, Yep, we’ve been hacked, heres a form to fill out, call them if you need anything. No point of contact info from SAIC at all.
I totally understand what you are saying in respects to the parenting. But its a two way street. On one side you have the views of the hacker; the other side is the way of the corporation in respects of being able to “handle” the hacker.
It seems the company will gladly take the hackers money, and void the underlying statements and actions that a hacker has taken against the competition. The hacker may intend to embarass the company so it loses revenue and a customer base. People are forgiving, and when they tend to like a corporation, they tend to return, if the corporation approaches the general public in the right marketing scheme. Unless the hack happens on an alarming scale, affecting many, many people all at once, the company will continue to pursue capital over compliance.