Lessons from Jack Bauer


As I and numerous other anti-spam bloggers wrote several months ago, David Ritz was sued by Jeffrey Reynolds, and a judge in North Dakota agreed with Reynolds.  At the heart of the case was the claim that Ritz engaged in anti-spam activities using techniques known only to a small subset of advanced computer users, and used these techniques maliciously against Reynolds.

A couple of years ago, I reviewed the book Spam Kings.  Back in the olden days of spam fighting, some anti-spammers used malicious techniques against spammers in order to shut them down.  Maybe they'd break into their web servers and disable them, maybe they'd flood the spammers' email addresses with unsolicited mail or cripple their operations with DoS attacks.  Regardless, the point is that they would use illegal techniques to shut down spammers.  The idea was to fight fire with fire.  Spammers are annoying?  Then you have to get your hands dirty to shut them down.  Some people on anti-spam discussion forums cheered the moves; others said that spam fighters could not stoop to the level of the spammers themselves.

So today, I'm currently watching the premiere of 24, Season 7.  In the opening scenes, Jack Bauer is brought to Washington and is being interrogated by a Senate subcommittee on charges that he tortured various terror suspects and therefore broke United States law banning torture.  Bauer even admits that he broke the Geneva Conventions.  To escalate the tension, the Senator asks Bauer if he thinks he is above the law.

24 is all about drama.  Bauer looks at the Senator, and says (and I paraphrase) "Don't give me that smug look.  These people who try to attack us don't play by your rules.  I did what I had to do in order to protect the people of this nation and I will answer to them."  Bauer is quite unrepentant in his beliefs that while he did break the law, he did it to protect the citizens of the country and he does not apologize for it.  Bauer gets results (the Senator did not watch the previous six seasons of the show).

Spam fighting would never be the focus of an episode of 24.  It's not quite that glamorous.  But the philosophical issues Bauer brings up are valid -- if anti-spam fighters start engaging in dubious tactics to shut down nefarious spam operations, how apologetic should they be?  Should they (we) even sink to a level of questionable ethics?

Let's say that a web site is discovered that is selling counterfeit pharmaceutical products, an activity that is quite illegal.  Some hackers can take down the site in a matter of minutes using a DoS attack.  Should we do it?

A spam operation is sending out stock spam, illegally pumping and dumping a penny stock traded on the pink sheets.  An anti-spam operation can break into their servers used to send email and shut it down.  Should we do it?

There are plenty of examples of spam, botnets and viruses used for illegal activity, from fake university degrees (fraud) to porn operations.  In some of these cases, these types of activities can be reverse engineered and shut down.  Obviously, by approaching the proper authorities, many of them can be deactivated.  However, sometimes the proper authorities lack the knowledge or the willpower to stop supporting all of this stuff.  The McColo incident is a prime example; if we knew for so long that McColo could have taken half the spam world off-line, why did it take so long?  Could somebody just have gone and cut off the power to the building?

It's a philosophical problem -- how much are we willing to put up with when it comes to spam, and what levels should we sink to?  And who should we answer to?  The security industry?  Or the end users we are acting in the name of to protect?
