Hacking the Future

By Andrea Matwyshyn

Posted on August 8, 2011

During the past weekend, a key information security event was underway in Las Vegas – DEF CON. Self-described as “one of the oldest continuous running hacker conventions around, and also one of the largest,”1 DEF CON brings together a motley crew of code breaking enthusiasts, information security professionals, criminals, technology policy advocates, academics, and federal agents.2 Although this event has existed for almost twenty years, this year marked the first time that a special section devoted to children was included as part of DEF CON.3 DEF CON Kids, a program intended for “beginning hackers age 8-16,”4 offered classroom and workshop instruction on topics such as “Hardware Hacking” and “Google Hacking.” It also included sessions where the attendees could “Meet the Feds” from agencies such as DHS and NSA.5

Although minors have been visible at prior DEF CONs, the launch of a DefCon Kids program highlights an important shift in our culture around children and their relationship to breaking and building code. DEF CON Kids and another conference called HacKid6 are a call to those of us working in technology policy and legal circles to recognize that something basic has changed for children. Children’s development is now inexorably bound up with code and technology, and today’s children no longer remember a world without the internet. In the words of my colleague’s teenager, “Google and Gmail are for old people.”

The work of developmental psychologists7 teaches us that children do not develop in a vacuum. Instead, children’s development happens when a child is embedded in a particular context, and the child interacts with the tools that the environment provides. In other words, interacting with the internet and code will make children develop in ways that are fundamentally different from children of prior generations. Just as diagramming sentences was deemed important to children’s education by many educators in the last century, so too it can be argued that understanding the building and breaking of code will be essential to children’s education in this century. Guiding children in productive rather than destructive paths with their code breaking and building needs to be a proactive educational enterprise; but, this is a daunting enterprise when many parents lack sophisticated technology skills. 

From a legal standpoint, the increased participation of children in code breaking and building makes it even more essential to revise the language (or at least clarify interpretation) of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.(“CFAA”) in the United States. A statute passed in 1986, the CFAA has been the subject of much uncertainty and critique in both legal and technology circles. Particularly when we consider a future where children will be continuously experimenting with code, legal uncertainty regarding the definition of computer intrusion and “exceeding authorized access” may result in children’s lives being unnecessarily harmed for innocent mistakes. For example, a circuit split exists in the courts about whether a mere breach of contract can be used as the basis for a felony prosecution for computer intrusion under the CFAA.8 If a child makes her cat a social networking profile in violation of terms of use of a website, should she be deemed to have “hacked” the site?  Would she properly be found to be a felon?

Similarly, the technology policy community must return to the long intractable debate about what the term “responsible disclosure” of vulnerabilities exactly means. Children are already finding vulnerabilities in companies’ products,9 and their participation in the breaking and (re)building cycle will likely increase. Creating clearer standards for best practices in vulnerability disclosure will offer an important piece of guidance that will help children to use their code breaking skills constructively and share their findings appropriately. Though the term “responsible disclosure” sounds cohesive in theory, in practice, the term means very different things to different people. Depending on the specifics of a particular vulnerability and the personalities of the people involved on both sides of the disclosure conversation, “responsible disclosure” dynamics currently play out in varied ways and with mixed success.10 
Finally, the presence of DHS, NSA and other government agencies at DEF CON Kids reminds us that training the next generation of digital defenders is essential to national security. At least two recent major hacks may indicate that other countries already possess sophisticated divisions of military focused on internet espionage and, potentially, cyberwarfare.11 Identifying and training an elite corps of soldiers and technology experts for purposes of national defense is growing in importance.

Dr. Andrea M. Matwyshyn is an Assistant Professor of Legal Studies and Business Ethics at the Wharton School at the University of Pennsylvania. 

 1 https://www.defcon.org/html/links/dc-faq/dc-faq.html
 2 From the DEF CON FAQ: “Do criminals go to DEF CON? Yes. They also go to high school, college, work in your workplace, and the government. There are also lawyers, law enforcement agents, civil libertarians, cryptographers, and hackers in attendance.”  https://www.defcon.org/html/links/dc-faq/dc-faq.html
 3 http://www.defconkids.org/
 4 http://www.defconkids.org/?page_id=4
 5 http://www.defconkids.org/?page_id=10#sat15
 6 “[A] new kind of conference…for the entire family — kids aged 5-17 & their parents — in order to raise awareness, excitement and understanding of technology,…security and engineering and their impact on society and culture,” http://www.hackid.org/Drupal/faq
 7 This insight comes from work of such theorists as Vygotsky, Bandura and Bronfenbrenner.
 8 See e.g. U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. Dec. 27, 2010) ; Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009); U.S. v. Lori Drew, 259 F.R.D. 449 C.D.Cal.,2009. 
 9 http://www.zdnet.com/blog/security/12-year-old-finds-critical-firefox-flaw-earns-3000-bounty/7524 
10 For example, one person’s “responsible disclosure” is sometimes perceived by others as a competitor’s employee seeking to gain commercial advantage.  Recent vulnerability disclosure conversations between a Google employee and Microsoft have demonstrated this tension. http://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
11 http://www.computerworld.com/s/article/9198198/Leaked_U.S._document_links_China_to_Google_attack; http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109

About the Author

  • Andrea Matwyshyn
  • Penn State University
  • Lewis Katz Building
    University Park, PA 16802

Recent TAP Bloggers