Exploit: Zero Day is a game about hacktivism. We cast players into the role of hacktivists fighting for justice against monolithic corporations and governments. In doing so, we portray hacktivism as necessary, effective, and even (to some extent) glamorous. But to treat it too lightly would be to ignore the fraught and troubled nature of the beast. As game designers, we have a responsibility to make our works as enriching as is practical. In this case, to do so we must provide an honest and complete portrayal of hacktivism.
Hacktivism is the practice of using computer skills for social change. The term was coined by members of the Cult of the Dead Cow, a hacker group also responsible for the term "31337" ("elite") and the Back Orifice tool used by many a script kiddie. Common tactics include publishing suppressed documents, spreading encryption technology to avoid surveillance, silencing speech through DDoS (distributed denial of service), creating digital graffiti, and carrying out digitally-enabled harassment campaigns.
Hacktivism is a tactic, not a philosophy. One group's actions might be perfectly acceptable to most people, while another group's activities could be considered cyberterrorism. The nature of hacktivism—anti-status-quo, populist, and depending on relatively esoteric skills—means that it usually seems disruptive and at least somewhat illegal. Indeed, like all activism, it won't be effective if it's entirely inoffensive. To change the status quo requires some amount of discomfort, or it would simply happen on its own.
Hacktivism, then, is a tactic that can be applied to further an agenda. For hacktivism to be moral, the hacktivists' motives must be moral. Additionally, their actions must be proportional with the harm stopped or the benefit gained. If you take down a hospital's computer system to protest their billing practices and cause its patients to go without care for an hour, the damage you've caused probably exceeds the harm prevented. Finally, any hacktivist should be aware of the personal consequences of their behavior and prepared to accept them.
Let's examine two examples of prominent hacktivists and weigh them against these moral requirements.
Example: Edward Snowden
Edward Snowden barely counts as a hacktivist. He didn't break any computer security or attack any computer systems. He collected a large number of classified US government documents that he had permission to access and distributed them to journalists. However, because he performed in a tech-savvy way and gained his access through his technical skills, he's often considered a hacktivist like other digital whistleblowers.
Snowden's philisophy is fairly consistent: he's stated that he values privacy and was motivated by a desire to make the public aware of the privacy violations committed by US intelligence agencies. He didn't simply publish the documents to the public internet, but gave them to recognized journalists and claims he reviewed their contents first to minimize harm.
Despite his efforts, however, the US government has claimed that his exposures hurt the nation's safety and he has admitted that in at least one case the journalists failed to properly redact documents, resulting in accidental exposure of important secrets. While his actions have resulted in an increased awareness of government surveillance, some of which has been ruled illegal, it's not obvious whether these results are worth the risk to national security.
As for personal risk, Snowden now lives in effective exile in Russia and can't return home to the US without facing prosecution under unclear circumstances that is likely to result, at the least, in decades of prison.
As another example, we have LulzSec. This small group of hackers carried out a wide array of website defacements, denial of service attacks, and data exposures. They targeted mostly governments and large corporations. Eventually, beginning in 2011, its members were arrested, prosecuted, and convicted of various computer crimes.
LulzSec was associated with the vague community called Anonymous, which arose out of the general population of the internet forum 4chan. One of the reasons Anonymous is a dangerous group is that it does not have a consistent ethos. They tend to value freedom of information, but sometimes they fight to expose abuses by organizations while other times they engage in harassment campaigns. Their efficacy and consistency is unclear in part because anyone can claim to be part of the group and the only way to gain legitimacy to sway the mob to one's opinion.
LulzSec was typical for a Anonymous-associated group in that it showed a great deal of passion and little appreciation for risk or consequences. It took down government websites, published thousands of private passwords, posted pranks on newspaper websites, and temporarily shut down video game servers. It made little effort to minimize collateral damage.
The basic morality of LulzSec might be best demonstrated by a response when co-founder "Sabu" was released on probation after informing on others in the group for the FBI. "The tech conference 'Suits and Spooks' will be holding a discussion with none other than infamous snitch Sabu..." reads an announcement of an anti-Sabu protest. "No room for snitches and informants!" Preoccupation with "snitches" doesn't seem like the perspective of a considered protest against oppression.
Takeaways for Zero Day
So how do we present hacktivism in our fictional video game? There are a few things: first, we must portray hacktivism as something you do for moral reasons, not just for fun. Second, we must show a variety of hacktivist groups, to make it clear that these tactics can be misused. Finally, we have to encourage players to think about their choices and make deliberate decisions to accurately depict how fraught the morality of hacktivism is.
Most of the jobs that we assign to players in Exploit: Zero Day have moral motivations. For example, the big instigating event in our free storyline, Black Echoes, occurs when you're asked to hack into a police server to gain access to bodycam footage that may have been suppressed to cover up a crime. This channels the anti-authoritarian, information-freedom values of hacktivist movements while also clearly being a case where information is being inappropriately concealed. You're not just acting out in frustration: you're seeking to expose truth and create change.
We also portray a variety of hacktivist groups in order to provide a contrast to moral behavior. The job "Fearsome Aspect" introduces a recurring antagonist, Chamunda. In this job, she recruits you to infiltrate a darknet server of a group that "doxxes" people (exposes their personal information, including home addresses and phone numbers). While the group's victim is unsympathetic, he has a family. The doxxing group is portrayed as immature, impulsive, and vindictive. Players are given the opportunity to stop them, but if the victim is doxxed, the job encourages them to realize the negative effects of their choice.
The presence of choice is important to the moral character of the game. The choices the players make often affect the story, but they also serve the purpose of framing their activities as complex and as actions requiring scrutiny. By presenting players with morally gray choices, we make the statement that hacktivism is complicated and must be approached carefully. For example, the conclusion of the Black Echoes storyline has players make a decision about another character's fate. If we decided for the player, the consequences would feel less significant. As it is, some players felt that the decision was so important that they actually contacted the character through our forums to ask her about her preference.
Our goal with Exploit: Zero Day is to explore hacktivism as fun and effective, but also morally complex and potentially harmful. If we've done our jobs right, players will come away with a greater appreciation for the complications and power of hacktivism.
Exploit: Zero Day is our browser-based puzzle game about hacktivism. It's in closed alpha for the moment, but you can get access by joining the mailing list. You'll receive an access code in the next monthly newsletter. YouTubers, streamers, and press, request a copy from distribute().