February 2008
A 'Mark of Cain' Could Deter Data Thieves
Cain's punishment for his offense against his Biblical brother Abel was to be forever recognized as the criminal he was. Maybe the Bible can teach some modern employers and crime fighters a lesson.
Rather than the enduring ignominy they deserve, today's hackers enjoy enduring obscurity. Once exposed for data violations, the hacker is simply discharged. His tale is hushed up and goes no further. But he does--straight to the bank across the street, where he flaunts his brilliant resume while making no mention of his recent escapade.
Since the hackers who actually steal data or modify records are so lightly dealt with, it's hard to prosecute them, even if someone wished to. Victims--who need the image of security more than security itself--opt to cover up an event that would expose their lax security. They reach a pact with their data rapist, and pretend that all is well.
One could argue it's their own business. But when China was exposed as hiding the "private fact" that so many people died of SARS, the world community was outraged, and the Chinese eventually apologized without arguing that it was a private affair. Hackers, and the thievery of data they propagate, present the same sort of predicament as communicable diseases. For that reason alone, hiding data violations and covering up for data violators should be a criminal offense.
But even more could be done about the problem. The FBI should organize a data-crime center, much like the initiatives they organize to fight child pornography and pedophiles. If neighbors have the right to know that a convicted child rapist lives among them, data dealers should have the right to be aware that the person who logged onto their site is a convicted hacker. Convicted identity thieves should have their mug shots posted and their crimes exposed on the same Internet they so deftly use for their villainous purposes.
But how could we be sure to identify a convicted data offender in any interaction? He could be forced to surf the Internet with an e-mail address that instantly exposes his past in an unmistakeable way. Offenders could do anything online, but their address would say something like John.Doe@fraudlist.gov. That would put anyone on alert.
Exposure and permanent tagging as a punishment is very cost-effective. The criminals would work and roam free, but their shame would stain them wherever they go. It might just be a real deterrent. A kid realizing that, if he fools around with his father's bank data, he may have to use such an e-mail address for the next, say, 10 years, would hesitate before going forward with his prank. Hackers who count on their employers' eagerness to hush things up would face mandatory exposure, by law. The shame stain would identify hackers no matter which state they relocate to. And, if successful with this, the U.S. could initiate a global database for international fraudsters, seriously limiting their playground.
Today, Web sites and literature glorify the ace hacker who penetrates walls built by legions of security experts. Only a few are prosecuted, and even fewer suffer lasting consequences. Is it any wonder that, instead of writing a more efficient peer-to-peer protocol, the talented hacker writes some code for pilferage-and-prowl?
What's needed is a mark of Cain. When the headlines of the hacker's exploits fade, this shame stain will be there, day in and day out. Every time he shops for a book, buys an airline ticket, asks for information, the domain name of his e-mail address will alert the public. Violators of this tagging system should be treated harshly. If a convicted hacker uses a normal address instead of the one assigned to him, he should go to jail. Convicted hackers should have to go the extra mile to get a job, especially one with intensive data access.
Yes, the tales of the first wave of shame-stain criminals will be real sob stories, but society might just be spared the pain of thousands of would-be hackers who were deterred.
Data crimes are proven through the records; they don't rely on witnesses. Ever-improving data-mining programs can flush out old data crimes nobody discovered. Imagine the fear in the hearts of hackers who realize a hacking offense they successfully accomplished, with no one the wiser, will in due course be exposed and haunt them for years, forcing them to write to their growing children: Here is Your_Dad@fraudlist.gov.