In December 2010, Keith Downey, a self-taught programmer logged into an Anonymous chat room from his home in Jacksonville, Fl. to join a giant attack on PayPal. Anonymous had called for reinforcements in a coordinated protest against the payment provider because it had halted donations to Wikileaks. Speaking to the Times later, Downey likened it to “the college sit-ins of the ’70s” and to Gandhi’s civil disobedience movement against British rule.
But, noted Somini Sengupta, "No one in the chat rooms apparently bothered to explain that Gandhi spent a lot of time in jail, as did antiwar protesters in the 1970s." For using a piece of software on his computer that simply, repeatedly, pinged PayPal's servers, helping to bring the site down for a few hours, prosecutors say Downey was involved in a criminal conspiracy to damage the company. He now faces 15 years in prison and thousands of dollars in fines. Yesterday, a London court sentenced two other Anonymous accomplices to 18 and seven months in jail for the attack.
But several recent events, including the suicide of online activist Aaron Swartz and a new online petition aimed at the White House, are again calling into question the way in which disruptive, politically-motivated hacktivism is interpreted and prosecuted, and whether it should be considered any different from an Occupy-like sit-in.
One of the charges that the Massachusetts' U.S. Attorney's Office had lobbed at Aaron Swartz was that of wilful material damage against a third party--in this case referring to J-STOR’s sluggishness or downtime during Swartz’s mass downloads of academic content via MIT servers. While “lag time” might not immediately seem like a substantive legal claim, when we’re talking about private companies that rely on fast and reliable access by their customers, it’s not difficult to point to tangible, commercial damage by a third party whose services are slowed to a crawl. This same argument is what’s invoked in the prosecution of organizers behind distributed denial-of service attacks (DDoS) campaigns--which, in the case of Anonymous's Operation Payback in 2010, resulted in the arrest of sixteen members of the group, each of whom may face more than ten years in prison and $250,000 in fines. Their alleged crime was a coordinated attack on opponents of torrenting sites, such as the MPAA and RIAA, which eventually morphed into an all-out attack against PayPal, Bank of America and many others for halting payments to Wikileaks.
The facess of Anonymous' Operation Payback. Keith Wilson Downey, 26, is on the bottom right.
In response to the harsh sentences recently levied against DDoS action organizers, hacker defense teams and online activists are making the case that disrupting online should be regarded as a legal form of protest. But is a DDoS--widely considered a kind of hacking--actually a form of civil disobedience, analogous to a sit-in?
The use of DDoS as a tool of political activism is certainly not a new development, nor are the ethical implications. As Molly Sauter, a graduate researcher at MIT, has pointed out, DDoS exploits received notice as early as 1997, when an unpopular Basque website (Euskal Herria Journal) was successfully brought down. In the case of Euskal Herria, it became a lightning rod of criticism in Spain as it sought to present the plight for Basque independence at a time when ETA separatists were conducting a series of violent attacks and deadly kidnappings. As its notoriety spread, Euskal Herria Journal's host server, the Institute for Global Communication (IGC), was subjected to a coordinated mailbombing campaign, organized via Spanish forums, and even a paid advertisement published by the El Periodico newspaper calling for participants.
Aside from the commercial concerns of sites facing severe to no connectivity due to DDoS attacks, there are also issues of free speech. In the case of Euskal Herria Journal, the event was considered by many in Europe as an example of censorship, and IGC appealed for help in creating mirror sites as it considered itself subjected to censorship. So, while it’s unlikely that today PayPal would invoke the case that it was “censored” by Anonymous during Operation Payback, if DDoS were in fact considered an act of civil disobedience this is an ethical question that would inevitably be brought up time and time again.
In the case of groups like Anonymous, there are also concerns raised by academics like Sauter regarding the specific tools and tactics being used by DDoS organizers. For example, while the We the People petition argues that denial-of-service “is not any form of hacking in any way” and “the equivalent of repeatedly hitting the refresh button on a webpage,” it’s difficult if not impossible to make that case if the campaign is making use of massive botnets.
The debate may come down to a matter of agency. That is to say, there are really two forms of politically motivated DDoS attacks: those which are manual -- or, at least those carried with the individual consent of each participant via their computer -- and those which are entirely automated. Botnets literally represent a network of compromised computers that are under the control of malware, the sort of weapon used to launch millions of spam emails a day; to argue that a DDoS operation conducted with the use of robots is equivalent to a group of humans willingly and physically staging a sit-in doesn’t hold up. The use of botnets also raises red flags for any government concerned with cybersecurity in the broadest (and sometimes most superficial) sense, as private business is ultimately coming to demand that laws protect unfettered access to their websites and online services. Are you getting a headache yet? If this all seems murky, that’s because both the definition of “political actions” via DDoS and the legal definitions of “material harm” caused by these exploits are still far from settled. Tools deployed by collectives like Anonymous, such as the Low Orbit Ion Cannon (LOIC) further complicate the discussion, since these form “voluntary,” just-set-it-and-forget-it botnets. But is that legitimate protest? Moreover, the very nature of web traffic disruption dictates that even participatory tools like the Low (and now High) Orbit Ion Cannon will have to keep pace with improved IP filtering, firewalls and other server-side improvements -- it is, in essence, an online arms race, which makes it very different from a physical protest. It’s also possible that the ethical implications of DDoS attacks are a moot point in the face of all-encompassing legislation like the CFAA, as that legislation gives courts jurisdiction to target even "nuisance" DDoS actions as grounds for indictment, and opens the door to a litany of huge fines and prison time. But, if activists truly want a discussion over civil online protest, they might well start asking themselves questions about the difference between voluntary and involuntary, and the ways that tools of political disruption can also be used for threats, theft--see this week's indictments over the Gozi virus--and terrorism, too. Botnet attacks can successfully bring down the front-end of large corporate websites, and with that comes mainstream media recognition. But the lack of consensual agreement seems to undermine any legitimate political message. Is real participation being disregarded over publicity and downtime? And will federal law be able (or willing) to make distinctions between small, voluntary DDoS actions and malicious traffic multipliers? For hacktivists, the question points back at the old dilemma of Internet politics (Malcolm Gladwell's question about slacktivism for instance), and also at new dilemmas for the law (how does "hacktivism" differ from "hacking"?) Even those who support the hack-as-protest idea, like Evgeny Morozov, warn that recognizing DDoS as a form of civil disobedience "is not the same as proclaiming that such attacks are always effective or likely to contribute to the goals of openness and transparency pursued by Anonymous and WikiLeaks."
Still, while hacktivism might sometimes lack the gravitas of traditional protest, researchers like Molly Sauter can still recognize legitimate examples of coordinated DDoS attacks as elements of focused campaigns and "civil" dissent. One example presented by Sauter is a 2001 DDoS campaign conducted in Germany against Lufthansa Airlines. Inspired by the Electronic Disturbance Theater (EDT), which is sometimes credited with coining the term electronic civil disobedience in 1998, when it launched a similar attack against the Mexican government (see image, right), the German attackers were protesting the airline's assistance in deporting immigrants from the country. While the actual DDoS tool used in this case, FloodNet, was able to inflict some downtime on Lufthansa's website, it was ultimately only one portion of a wider action involving press releases and physical demonstrations. Under pressure, Lufthansa eventually halted its deportation flights.
Regardless of intent, however, it’s difficult to imagine any future where government and the law will be willing to look the other way to any type of consistent and wilful disruption to traffic on the superhighway. At the same time, it doesn't seem unreasonable to expect the spirit of the law to recognize at least some distinction between nuisance DDoS actions, and truly malicious botnet attacks. As the We the People petition soars toward the 25,000 signature threshold, the pressure to rethink the meaning of civil disobedience for digital spaces is growing. It's not hard to imagine that the cause will inspire some protest, too.