Chilling Effect of the Enforcement of Computer Misuse Act: Evidence from Publicly Accessible Hack Forums.

To reduce the availability of hacking tools for use in cybersecurity offenses, many countries have enacted computer misuse acts (CMA) that criminalize the production, distribution, and possession of such tools with criminal intent. Nevertheless, our research illuminates an unintended consequence: the chilling effect of CMA enforcement on legitimate cybersecurity discussions, some of which may be desirable for cybersecurity research, within online hack forums. More importantly, this study uniquely examines the chilling effect stemming from users' fear of legal harm. Drawing on decision-making theories related to choice under uncertainty, we derive new insights into how legal enforcement can suppress lawful acts and reveal the dynamics of social categorization online. Our research offers valuable insights for policymakers and forum administrators. Policymakers can use our findings to mitigate unnecessary uncertainty in legal enforcement such as CMA. This includes developing legal cases to prevent false prosecutions, implementing tailored communication strategies for inexperienced individuals, and considering supplementary measures like licensing and community recognition. A transparent mechanism involving a neutral panel can also be established to ensure legal interpretations align with community norms. Forum administrators, on the other hand, can provide additional information and guidelines, foster responsible online environments, and align resources with professional standards to navigate the uncertain legal landscape and mitigate the chilling effect on knowledge-sharing. To reduce the availability of hacking tools for use in cybersecurity offenses, many countries have enacted computer misuse acts (CMAs) that criminalize the production, distribution, and possession of such tools with criminal intent. However, the dual-use nature of cybersecurity technology complicates the legal process of recognizing such computer misuse tools and of predicting harmful intent based on mere possession. This predicament introduces the possibility of unfounded prosecution that may produce a chilling effect on the provision of techniques otherwise valuable in maintaining cybersecurity and defending against hackers. This study establishes a theoretical foundation for the potentially chilling effect of such legal enforcement by adopting theories about choice under uncertainty. Leveraging an external shock in publicly accessible online hack forums, we examined the impact of CMA enforcement on users' contributions to cybersecurity-relevant topics that are not targeted by the law. We found that CMA enforcement reduces the quantity and the extent of relevance to cybersecurity in discussions in hack forums. We further identified the mechanisms of this chilling effect by delving into users' heterogeneity in responding to the uncertainty of false prosecution imposed by CMA enforcement as well as users' proactivity undertaken to alleviate such uncertainty. Our study reveals this chilling effect is not just about restraining individuals from lawful acts but also about how they refrain from acts not intended as targets of the law. History: Rajiv Kohli, Senior Editor and Associate Editor. Funding: This work was supported by the National Natural Science Foundation of China [Grant 71902152], the Singapore National Research Foundation Grant [Grant NRF2016NCR-NCR001-009], the Youth Talent Promotion Plan of the Xi'an Association for Science and Technology [Grant 095920221339], and the Yonsei University Research Grant of 2022. Supplemental Material: The online appendices are available at https://doi.org/10.1287/isre.2019.0346. [ABSTRACT FROM AUTHOR]