White hat or black hat? Firefox hacking tool Firesheep raises ethical concerns

Editor’s Note: Was the release of the drop-dead easy hacking tool Firesheep, an extension for the Firefox browser that lets users hijack passwords from others on wireless networks, ethically sound? Philosophy professor Mike LaBossiere tackles the question:

In America there is a saying “guns don’t kill people.” Some wits add “people with  guns kill people.” While this saying is just that, a saying, it does put a handy slogan on a view about moral responsibility. On the face of it, the sayings are dead on: while a gun can be used to kill a person, guns are not themselves moral agents. As such, a gun bears no moral responsibility for any deaths that it might be used to bring about.

The gun debate has been done to death in America, so I thought it would be interesting to switch the focus a bit while still sticking with the general issue of responsibility for harm. To be specific, I will be looking at a hacking program called Firesheep (not to be confused with the browser Firefox or the emulator Sheepshaver).

Firesheep was written by Eric Butler and adds easy to use hacking functions to the Firefox web browser. The add-on lets users view information in internet cookies at sites such as Twitter, Facebook. Flickr, Tumblr and Yelp.  Fortunately (or unfortunately, depending on your view of the matter) Firesheep is limited in what it can do. It can allow a user to get usernames and session number IDs but it cannot be used to get passwords. In effect, it allows users to view information (such as person’s Facebook or Amazon account) but does not let users do anything that would require a password. It is also limited to hacking on the same network. However, this means that if you are reading this blog on a public wi-fi, then someone with Firesheep could be reading through your darkest Facebook secrets. Like that time you…well, you know what you did. And so does that creepy fellow sitting two tables down.

Butler makes it clear that he sees himself as a white hat: he is hacking to expose vulnerabilities so that they will be fixed.  Interestingly, he does directly address the moral issue at hand:  “The attack that Firesheep demonstrates is easy to do using tools that have been available for years. Criminals already knew this, and I reject the notion that something like Firesheep turns otherwise innocent people evil.”

On the face of it, Butler is quite right. Firesheep, like other tools, is not some sort of cursed weapon that can possess the mind of potential victims and compel them to do evil (unlike television which does just that). The same is, obviously enough, true of other potential harmful pieces of technology, such as guns and junk food. As such, Butler and the other folks who make such tools available are not directly accountable for what people do with the tools. As the arms dealers probably say, “I just provide the weapons, the customer does the actual killing.” I do not, however, mean to suggest that Butler had any malign intent in creating and releasing Firesheep. Rather, he seems to be like Dr. Gatling-hoping that his creation will do good rather than further evil.

There is, however, a somewhat deeper concern. Namely that providing the tools that makes misdeeds easier makes a person accountable to a degree. While the person who invents or distributes such tools or weapons does not make people evil or make them do misdeeds, the person does make such misdeeds easier. As such, the person providing the tool does play a causal role in the misdeeds-especially if the tool or weapon serves as a “but for” cause. For example, if someone would have been unable to track down and start stalking an ex without using Firesheep, the ex would have not been stalked but for Firesheep. As such, making misdeeds easier does seem to bring with it a degree of moral accountability.

Butler does. of course, anticipate this sort of criticism. As he notes, the tools already exist to do just what Firesheep does. Firesheep is just better known and easier to use. To use an analogy, Butler is not inventing the gun. He is merely making the gun easier to use.

Other folks, myself included, are helping make Firesheep famous. Following the above logic, this would also make me and the others folks contributors in some cases. For example, if somebody (not you, of course) reads this post, learns of Firesheep and then hacks an ex’s Facebook account to find and stalk the ex, then I have contributed to that misdeed. Of course, my contribution is extremely limited and hence so is my moral accountability.

“Firesheep doesn’t hack. People hack with Firesheep.”

Thoughts?

Mike LaBossiere is a philosophy professor at Florida A&M University and contributor to Talking Philosophy, the Philosophers’ Magazine blog, where this post first appeared.

Photo via John Haslam