by logicallee 3513 days ago
This comment contains a policy suggestion. I want it to become law in the United States and elsewhere.

I can't quite use the word "literally" but I almost can so I'll do so anyway: if you pay a ransom, you are literally paying for your party to attack someone else. And you are actually literally (not metaphorically) funding their next attack.

Paying a ransom should be a criminal act that is twenty times worse than asking for one. It should be illegal for the exact same reason that possession of stolen goods is illegal.

On a microeconomic level it might make sense for you personally to buy stolen goods off the street: the existence of the laws making you a criminal if you do no longer makes this true.

3 comments

If you drive a car you are literally contributing to global warming. If you pay taxes you are literally funding bombs and missiles. If you download big files you are literally taking bandwidth away from your neighbors.

Hyperbole does not a rational argument make.

You are not drawing any policy conclusions from your statements.

You state that "if you drive a car you are literally contributing to global warming" which implies the policy statement "if it is illegal to drive a car, contribution to global warming decreases" and use this to imply it's not a rational argument to make it illegal to drive cars.

To your great surprise, I will now state that it is actually already illegal to drive cars, and it actually does have the exact effect that you say is not a rational conclusion:

http://www.dmv.org/articles/what-to-do-if-your-car-fails-an-...

Today, today, it is literally illegal to drive a car....which doesn't meet EPA standards! As a direct effect, people do not buy and drive cars which fail emissions standards.

So, yes, the exact policy suggestion that you don't go quite as far as to argue for actually is being enforced and actually demonstrably has the exact effect that you (only imply) doesn't happen.

Since you don't even imply any policy conclusions for the other two points I can't address them, I have no idea why you would mention them.

(If the government made it illegal to collect or pay taxes, obviously its tax base would evaporate overnight, this goes without saying, nobody would illegally pay money to the government out of civic duty despite its now being illegal to do so.)

None of those are hyperbolic, they are just true facts. Understanding the macroeconomic demand you are participating in isn't hyperbolic.

Buying elephant tusks promotes the killing of elephants, regardless of where they came from because the demand you created supports a price in favor of bad actors as well.

Knowingly buying stolen goods is illegal because they are still not yours even if you 'bought' them.

Paying a ransom to get your own property back because it is yours is not even in the same ballpark.

We'll agree to disagree on whether it's in the same ballpark. I see the difference you point out, sure.
Anyone downvoting this should read Thomas Schelling's Strategy of Conflict. At one point in time in England it was punishable by death to pay ransom to pirates.
Yet the modern world decided to go back on that.

The principle being that you are not (as) responsible for what you do under duress.

The point of such a law is not to punish ransom payers but to make it so that they never are asked for ransom in the first place.
This is a good and important point. However, is data ransom this kind of duress?

In a sense, paying a ransom is taking the law into your own hands -- rather than say to the FBI, "criminals have asked me for ransom" you are interacting with the criminals directly.

On a literal level you are literally transferring cold hard cash to them.

You make a good argument for why the policy suggestion I made is not a good idea, but I am not entirely convinced by it. As a rule it is not a good idea to engage in vigilante behavior.

Lawmakers and judges would have to use their discretion here and come up with quite nuanced laws.

Yes, it's duress. I'm sure you having 10 years of your life locked up in an encrypted vault would put a cramp in your style.

>transferring cold hard cash to them

So? If I go to the 7-11 and buy a soda, and the cashier has been skimming the till, I am transferring cold hard cash to a thief.

The difference you keep skipping over is mens rea and I suggest you read up on it before you sound more foolish than you already are.

That last sentence was really uncalled-for. I think you don't really understand that I was discussing an economic argument.

Regarding putting a cramp in your style - how about if a thief has stolen your phone with something valuable on it that isn't anywhere else, but you have an application that tells you where the phone is and you own a shotgun. Can you go and get your phone back by force if in your calculation it has a higher chance of actually solving your immediate problem, than involving the police? Why or why not? It's your phone. The thief knows what he did. The thief knows that it's yours.

I am not saying that there is no argument on your side of letting people take care of issues directly with criminals (whether by force or transferring ransoms), but there are important arguments on the other side as well. It's certainly not so clear-cut that you can start ending with petty insults (and please check your reply to be substantive if you reply to this.)

But are the police or the FBI going to investigate your ransomware-locked computer when there are thousands of cases of this happening a year? The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet. These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.

So what option does your average user have when confronted with a situation like this? They could call up the police and report it for statistics' sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.

You could just not pay it. The hacking group doesn't get their money but it's not like it cost much to run the attack in the first place. They will have someone's data out there that is much more valuable to the victim that will pay.

I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked. Either way, your bike is gone. Maybe buy a much stronger lock or two in the future. In this analogy, you aren't getting your bike back. You just have to spend the cash on a new one, expensive but hey, you need a bike to get to/do your job. You can report it stolen but unless there is some big bust and they find the guy, the thief is going to get away with it. Complaining that someone stole your bike isn't going to solve the issue. It sucks that the thief will profit off your loss but the data/bike is already gone. You aren't getting it back unless you drop the cash on a new bike/decryption key. The lesson is that you are going to either have to never ride a bike again (or use a computer, both unlikely) or you will have to use better security to prevent theft of your valuables.

Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).