Will DDoS attacks ever be more than just a criminal act?
Anyone trying to visit Brazil’s official government website for the 2014 World Cup may be in for a shock. Rather than seeing a whirligig of images and slogans celebrating the most popular sporting tournament on the planet, there is silence.
“Server not found,” reads the text plastered on the otherwise blank white screen.
The error is not simply some technical glitch. Instead, it’s the result of hacktivists’ #OpHackingCup. Members of the collective Anonymous took down the site, along with dozens of other Brazilian government sites, using a distributed-denial-of-service attack, or DDoS. A DDoS attack involves bombarding a website with so many requests that it slows down or stops responding all together.
The reasoning behind #OpHackingCup is to protest the financial waste associated with the World Cup, according to an Anonymous press release: “The online actions, just as the protests on the streets, are part of a resistance against this model that has become so evident to ordain and dis-ordain of this mega corporation which is FIFA on this country.”
But unlike the protests on the streets, and despite a colorful two-decade history, DDoS has never been formally recognized as a form of free speech. Unlike peaceful demonstrations in public spaces, which are largely tolerated, DDoS is viewed by law enforcement as serious cyberattacks, and their perpetrators face hefty prison sentences.
It may already be accepted as a form of protest by groups such as Anonymous, but in order for those that use it to receive the same rights as those taking part in physical protests, the movement has some monumental obstacles to overcome.
Jay Leiderman is a criminal defense lawyer who specializes in cases of cybercrime. One of his clients, Christopher Doyon, better known as “Commander X,” was demonstrating in the physical world against new laws aimed at homeless people that essentially criminalized sleeping on the streets. When the police started clamping down on the protest, he took his fight online and conducted a DDoS attack on the Santa Cruz Country government website, bringing it down for 30 minutes.
After Doyon was subsequently arrested, Leiderman prepared a defense on the premise that DDoS could be categorized as legitimate political protest in a court of law, drawing the analogy to physical sit-ins.
This comparison goes back to some of the pioneers of political DDoS. Towards the end of the 1990s and the beginning of the 2000s, a group called the Electronic Disturbance Theater (EDT)—a collective that used the Internet to supplement more traditional forms of protest—carried out what they described as “virtual sit-ins,”, using their self-built DDoS tool, FloodNet. Use of the program even triggered the rollout of a counter tool from the Pentagon, which released its own attack that would crash any browser running FloodNet. In recent years, members of Anonymous have also used the occupation analogy and have petitioned for DDoS to be considered as such.
“The circumstances are going to be narrow where DDoS is protected protest speech,” said Leiderman, but he feels that Doyan’s case fits: It was a non-violent demonstration that lasted for a set amount of time, with a political motivation, just like a physical protest.
Leiderman also says that Doyan’s case is conceptually the same as the PayPal14‘s—albeit on a smaller scale. The group took part in Anonymous’s Operation Payback, a series of DDoS attacks that targeted PayPal in response to the company’s suffocation of funds to the whistleblower site WikiLeaks. In December 2013, the majority of the 14 accepted a plea deal, meaning that they will likely avoid jail time.
But in the fight for legitimacy, it is not as simple as comparing DDoS to a physical sit-in. The Internet, despite being a tool for the spread of information, is a different political arena than public parks or sidewalks, the spaces that benefit from free-speech protections.
“There are no public spaces online. Everything is owned by someone,” said Molly Sauter, author of upcoming book The Coming Swarm: DDoS Actions, Hacktivism and Civil Disobedience. It may appear that the Internet is a free-space, but in reality each website is hosted on a physical server somewhere and is owned and run by a company.
“You don’t have any speech rights on private property,” Sauter added. “You have whatever speech rights are enforced by the person who owns that property.”
In the same way that Facebook may not be partial to hosting your nude pictures on its servers, another site is not required to serve as a platform for your political views. An alternative to the sit-in analogy might be someone raising a protest banner on private property—something that is not going to be welcomed.
DDoS protests’ property problem extends to government websites—such as the ones commonly targeted by Anonymous. As Sauter pointed out, “not all government-owned spaces are considered ‘traditional public forums’ for the purposes of free speech activities. You wouldn’t be able to do a sit-in in the Oval Office and claim that it is a traditional public forum, for example.”
She continued, “Essentially, what we’ve done is create an entire major zone of human interaction in which we have no free speech rights.”
Now, this isn’t to say that we shouldn’t have free speech rights on the Internet, just that these rights don’t include DDoSing—at least not yet.
Another issue distances DDoS from the sit-in analogy even further. Thanks to high-bandwidth, always-on connections, DDoS attacks can now last for days or weeks, with no need to designate a specific time for the protest to start and end. Bearing this in mind, DDoS looks less like an orchestrated protest and more like a digital riot.
In sum, Sauter feels that the sit-in analogy isn’t helpful. “A DDoS is like a DDoS,” she said, and it should be treated as its own, new form of protest.
Leaving the debate of the analogy behind, there is great disparity between how each form of protest is punished.
Typically, when a someone is prosecuted in the U.S. for a DDoS attack, the individual is charged under the Computer Fraud and Abuse Act (CFAA), a law that often equates anything vaguely to do with computers as a high-powered cyberattack. Because it is technically a fraud statute, the recommended sentence for a perpetrator goes up depending on the number of victims.
So, if a company at the receiving end of a DDoS says that a million people—a conservative number considering the traffic many popular sites generate—couldn’t access their website due to an attack, then the court will often consider those million would-be visitors as victims. And if law enforcement only catch one person out of the hundreds or thousands that may have participated in the attack, then that individual—according to the CFAA—is liable for all damages. This can lead to those carrying out DDoS attacks being threatened with 10-year prison sentences and $250,000 fines.
That’s the reason that Doyan ultimately decided to flee to Canada, meaning that Leiderman never got a chance to fight his case in court. Reforms to the CFAA have been proposed by the Electronic Frontier Foundation (EFF) and other digital rights groups, though they don’t specifically address the use of DDoS.
So, why are DDoS protesters punished so heavily? One problem is that the practice is used for a whole slew of other things that certainly aren’t peaceful protest.
Just last week, for example, Evernote was DDoS’d, or “pounded by an aggressive cyberattack”, as Forbes described it. In this context, DDoS was a weapon—criminals using the technique in order to extort funds from a business. In fact, the DDoS warhammer is so popular that an entire industry of DDoS mitigation and protection has emerged, comprising of technicians and consultants advising businesses how to minimize the effect of attacks on their systems.
DDoS attacks are also used as a means of censorship, silencing independent media and human rights websites. A 2010 report from Harvard University’s Berkman Center for Internet and Society states that of the over 100 DDoS attacks picked up by the media in that year alone, they included targets as diverse as a human rights group in Israel and an independent news site in Malawi. The report suggests that “DDoS attacks against independent media and human rights sites have been common in the past year, even outside of elections, protests, and military operations.” The report’s authors believe DDoS-imposed censorship will likely become more popular in years to come.
This wholly negative conception is carried over to the courts, where, judging by how those who carry out digital protests are treated, DDoS is seen as something closer to a machine gun than a protest banner. Because of its connotation with criminals and censorship, DDoS—even when used for explicit political purposes—looks “very scary” to prosecutors, Leiderman said.
Due to the hugely disproportionate punishments associated with the CFAA, no DDoSer has—perhaps understandably—decided to fight it. To this day, the defense that DDoS is a form of protected political speech “hasn’t been tested at all,” Leiderman said, leaving no precedent for future cases and possibly dissuading others for using it to voice their discontent.
Despite the variety of nefarious uses, DDoS as a form of protest has a number of advantages over analog or even other forms of digital political action. Because the technical know-how needed to join a DDoS is relatively low—participants can simply log onto a site or download a piece of software—thousands of activists can participant, no matter where they are in the world, all at the same time. This digital transnational protest also produces a more visible result than a strongly worded letter or petition to a government.
Combining this lack of legal precedent with the other ways that DDoS is used, Sauter doesn’t see it being formally recognized as protected speech anytime soon.
“The political legitimacy comes from the press. It comes from interactions from law enforcement—good and bad,” she said. “It comes from the podiums [of those carrying out the actions].”
Sauter believes that “the fight for legitimacy is one that [the political DDoS movement] will ultimately loose, because of the sheer volume of people engaging in illegitimate DDoS actions that have no political salience.” Those criminals and censors, it seems, have more influence over how DDoS is viewed by the law than by those protesting corruption, free speech, or the inequalities of a World Cup host country.
Leiderman has a rosier outlook for DDoS protests. Eventually political DDoS cases will get litigated, and he’s optimistic that the courts will eventually appreciate it, as a greater understanding of computers and the Internet comes about.
Until the idea that DDoS is political protest is debated in a court of law, however, activists, such as those participating in #OpHackingCup, will continue to risk decades in prison and bankrupting fines.
Photo by extraketchup/Flickr (CC BY-SA 2.0) | Remix by Fernando Alfonso III