The Ethics of Hacking

It looks like I missed the 1960s, but I’ve read that there were plenty of free drugs and free sex to go around. One thing that apparently wasn’t free, though, was telephone equipment. And behind all of the groovy things to do back then, the one thing nerds seemed to be more into than panty raids was having fun with the telephone networks. The digital telephone network was brand new, and so consumer ignorance was at an all-time high. This made for easy profiting – AT&T had made a killing by charging their customers not only for telephone service, but to pay usage and equipment rental fees for telephones, answering machines, and anything else you wanted to plug into your phone jack.

Legislation had somehow been called into existence making it illegal to plug any non-AT&T equipment into your jack, for reasons Ma’ Bell cited as “security”. The moral effects of this would be long lasting. Scams like this are still used to pad profits, and the practice of extortion in service fees has become so commonplace that it took one 82-year old woman until 2006 to realize that she didn’t need to keep paying rent on her rotary phone – she had paid over $14,000.

Our legal system is always dragging behind technology, but today’s corporations don’t need legislation to force such draconian restrictions any more. Higher profits can now be made by technologically restricting products. Devices can now be restricted with DRM, allowing a company to lock down features that compete with their own. This has given birth to a new ecosystem to balance out corporate greed – mobile device hackers. In this capitalist society, hackers have become the anti-greed of the telecommunications industry, helping to keep manufacturers in check.

If, instead of legislation, technology had been used in the 60s to lock down phone jacks, some of the most well known public telecommunications hackers would have likely had a field day in hacking the telecom networks to accept third-party rotary phones. Of course, today we would have looked at these individuals as the great equalizers of the early telecom industry – back in the day, though, they would have been deemed thieves and accused of “helping consumers steal revenue” from companies, who would have otherwise kept the market restricted. Perception leaves us, at best, with a blurry line to discern just who is stealing from whom. And if the business is the one with their hands in the consumer’s pocket, is it ethical for the consumer to slap it? As has been predicted by some, and ignored by many, ethical hacking in this field seems to have served to only benefit the product being sold, the consumer, and the free market – all while helping to keep corporate greed from running rampant.

Capitalism

Interestingly enough, the federal government seems to have become more capitalistic lately. The smaller phone companies have long since been gobbled up, and the great telecom humpty dumpty is now put back together. Much to the chagrin of the few remaining corporations, modern-day legislation almost refuses to cater to their private agendas to extort the consumer. The Digital Millennium Copyright Act (DMCA), while berated for its many flaws in copyright protection, also makes many special concessions to protect the rights of consumers to unlock their mobile phones, fix security holes in technology, and conduct technical research without violating the law. If one good thing came out of the DMCA, it’s likely this: what the government refused to regulate in corporate legislation, it made up for in a free market – namely, providing the freedom of a capitalist society to “regulate” herself, through hacking and full access to devices.

Unlocking is a good example of hacking at its very best. Unlocking techniques are the holy grail of corporate trade secrets, especially when a new product is launched. This is because subsidizing mobile devices not only generates more sales, but three times or more the amount of profit from service contracts. That two or three year contract is worth its entire value in revenue to the shareholders. Naturally, manufacturers and providers both have a heavily vested interest in keeping device unlocks a trade secret, meaning that unlocks are almost guaranteed to be the result of ingenious hacking efforts from the ground up. While many other countries have regulated subsidy locks, the United States approached this form of corporate greed a little differently. As the DMCA exempts unlockers, the US has ensured that the market remains a free one, and has (for once) provided a capitalistic solution to a capitalist problem – corporate greed in locking down products is offset by the consumer’s freedom to pick these locks. The ethical question about unlocking seems to have been answered – by governments, at least – as to say that it is the corporations’ hands that need slapping, and not the consumers. The DMCA seems to conclude that if it’s acceptable for a corporation to restrict a device, it’s also acceptable that consumers be allowed to hack those restrictions, provided the intention isn’t related to theft of intellectual property.

The Quest for Truth

Hacking is the ultimate quest for truth and information. If I had to define what a “hacker” was, I’d say it’s someone who possesses a rare technical discipline to alter the function of another work, and the ethical discipline to do it without lying, cheating, or stealing. “Honorable” hacking has a long history of being a noble task, set forth for the technical equivalent of investigative journalism. But unlike journalism, hacking also involves taking forcible action to set right things that are wrong. So the real ethical challenge to a hacker is identifying the difference between corporate greed and theft of services.

While involved in the hacking of many mobile devices, I’ve found the same corporate greed from the 60s quietly sitting in the NVRAM of modern-day cell phones. Instead of draconian laws, greed manifests in the form of tiny little bits that prevent the consumer from performing simple tasks, like transferring photos to their computer. This was very obviously a deliberate limitation in the Motorola V710/E815 handsets sold through Verizon, as all of the functionality was present in the firmware to do so. Verizon didn’t originally mention that, and instead offered their own “PixPlace” service for 0.25c a photo to replace the features they had disabled. Ironically, the DMCA is all about protecting copyright, and yet it seemed that Verizon had more control over the consumer’s copyrighted photos than the person who took them – at least until I came along and wrote my SMIL(e) gateway.

With corporate greed finding new ways to rob consumers, the ethics behind hacking seem to insist the manufacturer be able to make a legitimate case for device limitations. If no justification is seen, then the hacker has the opportunity (and perhaps the right) to forcibly re-enable features that were otherwise crippled only to rob the consumer. More important than individual features is what kind of story can be told by the sum total of a device’s restrictions. In the case of the V710/E815, the story was pretty clear: any feature that competed with Verizon’s “PixPlace” service was shut down.

The question ultimately facing the hacker is whether companies are profiting by providing functionality, or instead are profiting by restricting functionality. Without this information, it’s unclear who’s stealing from whom. And who can answer this question? Certainly not the manufacturer or the network provider – they’re responsible to their shareholders, and not to altruism. Certainly not the law, as the law is at least a decade behind technology. The hacker himself can only really answer questions like this.

Hacking and Competition

Hackers provide two important vehicles which maintain the balance of capitalism. They have the unique fusion of both technical insight and consumer platform to be able to see past all of the spin and expose a device for what it really is, and what has been done to it for profit. It’s also within every hacker’s nature to innovate and improve on a device that they find to be worthy. Therefore, not only does the hacker have the ability to upset the selfish ambitions of companies seeking to cripple products, but also can add a sense of hype and endorsement to devices they deem as deserving by providing instructions on improving it.

Part of the problem between consumers and corporations are that some future plans for a device might actually rub against the innovations that the consumer base has already learned to make on their own. A great example of this is the iPhone, and Apple’s upcoming AppStore. The iPhone was an immediate success since its release in June 2007, and many in the open hacking community sought to expand the functionality of the device to include third-party applications. Within a short time, an open source compiler was built and hundreds of great freeware or shareware applications were available through community distribution channels. This built up an open source market to an estimated some 40% penetration into the iPhone market. Apple woke up to the realization that there was a significant opportunity for revenue in this – a demand that was, by and large, made visible by these hacking efforts. With that, Apple appears to have been embarrassingly trying to duplicate what the open source community has had for nearly a year now – an adopted compiler for the iPhone, a large developer base, and a distribution chain where applications can be easily installed over the air. This ecosystem has already proven to bolster the iPhone’s sales, but the problem (for Apple, anyway) is that people seem to like the free ecosystem much better.

Does Apple’s vision for revenue invalidate or make unethical the community that had gone before them to improve on the device? Absolutely not! Quite the contrary, competition is at the very heart of what makes a capitalist society tick. The problem Apple is struggling with is not one of ethics, but of competition – they cannot compete with both their own enterprise developer base and the free distribution channel’s developers at the same time. The Apple SDK was very quickly criticized for restricting developers from using the same set of feature-rich tools that Apple’s own applications clearly use. Low-level frameworks and even basic functionality (such as running in the background) are unavailable to AppStore developers, and the SDK license agreement seems to hint at the possibility that Apple could take your ideas and write competing products for the iPhone. What Apple wasn’t expecting, however, was for the open source community to build something too. By the time Apple got to the scene, others had already built their own iPhone software development kit, and a better one at that – one that allowed developers to use the same APIs as Apple, and without any encumbrances. This amazing feat, as made by the open community, now presents a dilemma for Apple: either compete with the open source development community (and give enterprise developers better tools), or compete with enterprise developers, and let the open source community write better apps than they can.

Regardless of how it all pans out, the end result seems to have greatly benefitted the consumer by providing two different channels of software distribution and an overwhelming abundance of good quality freeware. But hackers have also benefitted Apple, as evidenced by their strong sales figures and estimates that two million of the iPhones sold are running a third-party software installer.

Security

In addition to this, the hacking community benefitted both parties by uncovering and fixing several vulnerabilities in the iPhone, resulting in more secure firmware and better privacy. For example, the release of firmware 1.1.1 suffered some of the most horrible security holes ever seen on a mobile device – image processing vulnerabilities which could (and were) exploited to install and run arbitrary malware simply by visiting the wrong website. This was demonstrated at Black Hat and other conferences, and made available to every script kiddie through Metasploit. Hackers rose to the occasion and immediately fixed the problems. The vulnerability was used in the solution itself – by creating a hacking website that would let people hijack their own iPhones and then proceeded to automatically patch the security hole for them. Over one million people did this within the first few weeks, before any official update was available from the manufacturer.

EULAs

There is much strong evidence to support the theory that hacking on the iPhone has served to make the device stronger, sell more units, and provide an overall happier consumer base. The question remains – does this make it ethical? One of the most notable arguments against hacking are concerning EULAs. End-User License Agreements are implied restrictions on use imposed on a product, where it is (often erroneously) assumed that if you are using the device (such as an iPhone) that you’ve agreed to be bound by the agreement. This challenges the claim that the consumer “owns” the device they pay for, insisting that it is really the manufacturer or the carrier who owns it.

It has been debated in many courtrooms whether EULAs are enforceable, and many courts have ruled on both sides of the issue. Some see EULAs as unfair contracts of adhesion, while others openly support the concept of licensed and not sold. Regardless of trial history, the concept is very difficult to justify once you get outside of the realm of “abstract” software and into the realm of a physical device. Many companies have sought to claim that the consumer owns the device but not the software. One being useless without the other, that’s much like selling a toaster with “licensed and not sold” heating elements. In other words, the piece of the product you paid for and own is now rendered useless should you reject the manufacturer’s EULA for the piece they claim ownership to.

The real question is whether it is ethical to force the consumer into the position of unknowingly being a licensee instead of an owner, or pushing them into such a position at all when they’ve paid for a physical commodity. If GM applied the same philosophy to their vehicles, it would be similar to selling a sports car and restricting the owner from adding a turbo onto the engine or making other improvements to the vehicle to increase performance. Moreover, if the manufacturer forced you to agree to these terms by “licensing” the keys to the vehicle you’ve already purchased, you would have no choice but to accept them if you wanted to get home. Clearly, this would be considered nothing short of unfair consumer abuse, sparking many anti-trust suits in the process. EULAs are an attempt to add secondary conditions onto a contract that has already been executed. When you purchase the car, the terms of purchase are the terms you agreed to. EULAs may be unenforcable simply for this reason: they attempt to add further conditions to a sale that already took place.

EULAs are largely accepted due to ignorance, rather than on merit, and seem to fall from the same tree as the original AT&T equipment scam did back in the 60s. The goal is still to convince the consumer that they must pay, while having no rights to own. This seems almost demoralizing in that it treats the consumers themselves as a form of “property”. Many would argue that once a physical product is paid for, the consumer owns the product – and, in fact, this is how retail has worked for centuries. If you’re allowed to leave the store with it, it must belong to you. Whatever the answer, it has got to be mutually exclusive – you can’t have products running around that belong to both the consumer and the manufacturer / distributor.

Dear World: Here – This is Confidential

I’ve attended many academic conferences and had a good laugh over presenters who sometimes use the “stock” corporate PowerPoint template containing the words “confidential information”. It’s naturally difficult to label information as confidential when you’re giving a talk to a thousand people, being videotaped, and submitting papers for publishing.

There have been some new and suspicious confidentiality agreements arising lately using the same technique as pertaining to freely available software. Here, Apple is another excellent example. The official “Apple SDK” may be downloaded by virtually anyone with an Internet connection. Apple insists, in spite of its global availability, that the SDK is considered a trade secret. Moreover, the SDK license agreement demands that the user exercise more confidentiality in their remarks and creations based on the SDK than Apple has shown with the SDK itself. I once heard a similar analogy: a coal burning plant that released toxic chemicals into the air, calling the air a trade secret.

Once again, the question arises: who is stealing from whom? Is the consumer stealing from Apple by sharing details about an SDK that is available publicly, or is Apple stealing from the consumer by attempting to limit their ability to criticize SDK components? Can confidentially be simultaneously required and then wrecklessly abandoned? What if Apple decided that all information about their products are considered trade secrets, and sued anyone who wrote a review or consumer report about a notebook computer? Thi seems to rub against the very fabric of free speech and free press. It seems almost an aversion to basic rights (and possibly fair-use) to take a product that is freely available and censor criticism or public discussion.

Bootlegging

Fortunately, not all ethical qualm are difficult to solve. One easy ethical litmus test is the bootlegging test. This is directly related to the more general litmus test that speaks to the level of respect and genuine appreciation for the previous work of others – when that respect is there, warez generally aren’t.

At the beginning of this essay, my definition of a hacker included the ability to perform rare technological feats without lying, cheating, or stealing. There is an unspoken set of guidelines one must adhere to if they’re to be considered a respected hacker, as opposed to a devolved warez puppy. Bootlegging (or warezing) has in fact served to greatly damage the original hacker ethic of “free information”. While releasing patches to copyrighted work is a great (and usually legal) way to share knowledge, including the copyrighted work can easily become ethical suicide, and criminally actionable.

Many individuals I’ve worked with in the past have been faced with such an ethical challenge and failed miserably. Nate True is an individual I once respected greatly for his natural curiosity about devices and his intelligence in getting into them. Unfortunately, while working on a proper “jail break” for one particular version of iPhone software, Nate became impatient and decided to release a set of hacks that amounted to mere software piracy. The release included an overwhelming amount of intellectual property owned by Apple, where his only real hack was applying patches. Rather than writing a patch tool, and obtaining the necessary software from the target device, the release was essentially a hacked copy of Apple software.

I didn’t lose respect for Nate because he released copyrighted software, though – I lost respect for him because he was lazy. With a little more work, he could have written a patch program in 50 lines of code, and without risking legal action from Apple. Unfortunately, this practice is all too common among those who have little respect for others’ work

Similar to the problem of redistribution, another common problem is outright intellectual property theft in stealing pre-release or otherwise restricted software. Apple’s v2.0 firmware had already been leaked to many, even though it’s not scheduled for general release until June. Still considered a genuine trade secret (and is restricted as such, unlike the SDK), the 2.0 software is only available to registered Apple developers who have paid to enter the program, and agreed to an even stricter NDA.

If there’s one thing worse than stealing intellectual property to develop a hack, it’s trafficking in stolen trade secrets. Neither are very wise, nor legal.

Conclusion

The curiosity and quest for knowledge is engrained in all of us as humans, and it is a noble task to want to explore and build on the ingenuity of others. Hackers are the great equalizer of a capitalist society, and when conducted ethically, hacking can be of great benefit to both the consumer and the manufacturer. They have the power to balance out corporate greed and further improve on otherwise great products.

My best advice is to keep your nose clean and don’t get involved in activity that you know involves lying, cheating, or stealing. Be steadfast in whatever ethical position you take, so that you are entirely convinced that you are making the right decision before you act. If your motivation is to improve a device or to benefit the average consumer, then chances are you’re on the right track. I’ve steered clear of what I consider the less ethical paths myself, and have a fairly good conscience about the contributions I’ve made personally to the mobile hacking community.

There is much to consider when making decisions about hacking. If done in some countries, certain actions could be construed as criminal acts. At the very least, no matter how ethical of a hacker you are, there is always the risk of civil action. If possible, maintain a positive relationship with both consumers and publicly when referencing the product. Hacking should be motivated out of love for a product, and a genuine desire to see it flourish.