Is it ethical for these researchers to pay hackers for access to malware before it’s unleashed?

Two researchers are raising money to buy malware
Image: Patreon

After nine months of failing to get rich by selling the hacking tools it claims to have stolen from the US National Security Agency (NSA), the Shadow Brokers have a new plan. They want to start a “Monthly Dump Service,” the group said in a post on Tuesday (May 30). The service is a sort of malware-of-the-month club, where the Shadow Brokers will release new malicious software and hacking tools to anyone who pays them roughly $22,500 per month.

Tools previously released by the Shadow Brokers were used in the WannaCry ransomware attack on May 12, which locked up files on hundreds of thousands of computers around the world and forced emergency rooms in Britain to turn away patients. Concerned that the upcoming malware release could have a similar impact, two security researchers want to be among the first to get copies of it, and have started a crowd-funding campaign to raise the money required. Calling themselves the Shadow Brokers Response Team, their goal is to assess the malware quickly and alert the makers of the products it targets.

Update 2017-06-01: Following intense debate in the security community, the researchers have now ended their campaign on the advice of attorneys and law enforcement. Below is a philosophical and practical examination of the ethics involved in paying money to the Shadow Brokers with the goal of limiting the danger of their efforts.

“We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days,” the researchers wrote on their crowdfunding page on Patreon. (A zero-day exploit targets vulnerabilities manufacturers were previously unaware of, or otherwise haven’t released patches for.)

Contributors who pitch in $500 or more to the campaign, according to the page, will also be given copies of the malware once it’s released. On Twitter, one of the researchers clarified that they will only give the data to other security experts who are well known.

The researchers, Matthew Hickey and a security expert who goes by the pseudonym x0rz, have been wrestling with the ethics of their endeavor on Twitter. (Neither responded to requests for comment.)

The ethics of the situation are difficult to parse, so we asked two leading technology ethicists to weigh in. Should these researchers give money to a criminal enterprise? Would that act be justified by the end result, which is to mitigate the risk that the malware release poses?

The deontological perspective

Deontology, or non-consequentialism, is a philosophical framework that judges actions without considering the outcomes of those actions. It suggests that everyone has a duty to do the right, moral thing, even if doing so will create harm. The philosopher Immanuel Kant believed, for example, that it would be immoral to tell a lie, even if doing so could save a friend from certain death.

Wendell Wallach, the technology and ethics chair at Yale University’s Center for Bioethics, said that what Hickey and x0rz are doing is wrong from this perspective.

“Here’s an example of a situation where it’s clearly wrong to purchase this data to reward people for their wrongdoing,” Wallach said. He added that although this framework treats the moral duty to do the right thing as an absolute, there are some limited exceptions.

“For example, ‘thou shalt not kill’ is a basic principle and most people think it’s an absolute. But there are the exceptions. The defense of your country, the defense of your family. There are situations where you can violate that. But they’re few, far between, and they’re very explicit when they come into play.”

The researchers’ plan to buy exploits from the Shadow Brokers is probably not one of those situations.

There’s also Immanuel Kant’s categorical imperative to consider, which is central to his deontological moral philosophy. It says that one should “act only according to that maxim whereby you can, at the same time, will that it should become a universal law.”

That is, what if everyone, not just these researchers, gave $22,500 to the Shadow Brokers? Patrick Lin, a philosophy professor at California Polytechnic State University, said it’s also worth considering what would happen if a third outside group crowd-funded money to limit the effectiveness of the researchers themselves. How would that turn out?

“Of course, it matters how you formulate the deontological rule and apply it to your situation; and this is a known problem for deontology,” Lin said. “If you interpret the Golden Rule as having an exception for malicious actors—that we can do things to them that they should not do to us, which doesn’t seem unreasonable—then that could raise further questions.”

Deontology spins out of control at that point, so we won’t get into those further questions. To put it simply, though, giving money to the Shadow Brokers, who have demonstrated themselves to be wrongdoers, is not a moral action as far as a deontologist is concerned.

The utilitarian perspective

Unlike deontology, utilitarianism does consider the outcomes of actions. “Utilitarianism says right or wrong is not determined by following the rules,” Wallach said. “Right or wrong is determined by figuring out the consequences of various courses of action. Calculating the benefits and the risks of each of those courses of actions. In other words, doing the mathematics, or at least doing the calculation to the best of your ability, and picking the course of action which is the greatest good for the greatest number.”

According to Lin, this approach could go in Hickey and x0rz’s favor.

“If you were a utilitarian—focused on maximizing overall happiness—then it’s possible that the math would work out for the Shadow Brokers Response Team (SBRT), concluding that their plan will lead to more happiness, as compared to other options such as doing nothing,” Lin said in an email. “Of course,” he added, “utilitarianism could also justify all manner of evil, such as torturing innocent people as long as it maximizes overall happiness.”

Still, to a utilitarian, Hickey and x0rz’s endeavor would likely be a moral one, because its outcome stands to serve the greater good, at least in the short term. However, Wallach pointed out, in the longer term, the decision to pay the Shadow Brokers could have the consequence of causing further harm.

“In the case of, let’s say, paying somebody for kidnapping, it’s permissible from the utilitarian perspective without any question,” Wallach said. “And then the broader issue is, well, what are the long-term consequences versus the short-term consequences?”

In the short term, paying a kidnapper could save the life of the kidnapped person. In the longer term, Wallach said, it “gets to be much more complicated because you are encouraging these people then to go back and kidnap a bunch of other people.” In the long run, giving money to the Shadow Brokers is complicated as well, as it rewards their wrongdoing and funds their criminal enterprise.

All in all, from the utilitarian perspective, buying these hacking tools from the Shadow Brokers is moral if it serves the greater good, but not if it later causes more harm.

Weighing the facts

If we back away from the abstract and look at the facts, we have to take a few things into consideration. One is that we don’t know how many NSA-caliber tools the Shadow Brokers have left, if any. We don’t know how dangerous the tools they may release will be. We also don’t know whether they’ll actually give the tools to the people who pay. In their public post about the dump service, the Shadow Brokers even said as much.

“If you caring about loosing $20k+ Euro then not being for you,” the group wrote. “Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments.” (The group has previously said it obfuscates the text in its public posts to avoid detection by language analysis.)

That proclamation is not very reassuring, and indicates that even if the researchers manage to raise the money and send it to the Shadow Brokers, there may not be any malware for them to protect us from.