Online activism and why the Computer Fraud and Abuse Act must die
Courts have appreciated that even distributed denial of service attacks can be legitimate form of public protest. Molly Sauter on the insane U.S. law used to criminalize them and other forms of online activism.
Confrontational activism is a conversation with power. Activists take a stand, and the response of the state or corporate target impacts the perceived success—and legitimacy—of the activist action. In at least one case, the case of Andreas Vogel, a court of law has declared DDoS actions to be valid forms of activism and condoned their use as a tool of collective action. In others, though, the judicial response has not been nearly so sympathetic, with participants hit with high fines and significant jail time.
Recently, regulatory efforts in support of the business community (both in the United States and abroad) have been augmented by attempts to make the internet “surveillance-friendly” on a technological level, turning the online space into a zone open to monitoring by state organizations looking to root out terrorism, as well as those with in an interest in turning the online space into a legitimate field of warfare. These interests have melded with those of the pro-business sector, and the result has been a collision of corporate and state efforts to lockdown nontraditional uses of technology and to heavily discourage vocal and visible displays of disruption and dissent.
This, combined with the issues of politically legitimating media coverage covered earlier, result in a legal, cultural, and technical environment that chills the development of innovative technological outlets for political action and speech.
DDoS Actions and the CFAA
There have been several cases of activist DDoS actions that have gone to trial or been pleaded out, in the United States and internationally. A significant case is that of Andreas-Thomas Vogel, a German national who ran the libertad.de website during the 2001 Deportation Class action against Lufthansa Airlines. Vogel had posted a call to action on libertad.de and was arrested on charges on coercion. Initially in 2005, a lower court in Frankfurt found Vogel guilty of using force against Lufthansa, based predominantly on the economic losses the airline had suffered during the campaign, both in terms of lost sales and the costs of acquiring additional bandwidth to soak the protesters’ traffic. Vogel was sentenced to either pay a fine or serve 90 days in jail. However, the next year, a higher court overturned the verdict, finding, “. . . the online demonstration did not constitute a show of force but was intended to influence public opinion.” Libertad responded to the ruling with a statement: “Although it is virtual in nature, the Internet is still a real public space. Wherever dirty deals go down, protests also have to be possible.”
The Vogel case was the first international precedent to recognize the legal and philosophical arguments put forth by supporters of DDoS activist actions. The court decision pivots on the point that these actions were oriented to influence the public, and through that avenue, influence the actions of the Lufthansa corporation, rather than badgering the airline into conceding to a set of demands. Specifically, the judge ruled that the protest was not an action of force intended to compel an action from Lufthansa; the action’s intention was to impact public opinion first.
Potential sentences for DDoS actions in the United States are high compared to other crimes and especially compared to other types of traditionally recognized activist activities. For example, in the United States a sit-in would typically result in charges of trespass, if anything. In the state of Massachusetts, the punishment for criminal trespass is “a fine of not more than one hundred dollars or imprisonment for not more than thirty days or both such fine and imprisonment,” substantially lower than the terms agreed to by the PayPal14 deal. Resisting arrest, another typical charge, results in a term of imprisonment of up to “two and one-half years or a fine of not more than five hundred dollars, or both.” DDoS actions are prosecuted under Title 18, Section 1030 (a)(5) of the US Code, otherwise known as the CFAA. DDoS actions, along with other computer crimes, and are classified as fraud. US sentencing guidelines, laid out yearly in the United States Sentencing Commission Guidelines Manual, which are used as recommendations regarding federal cases within the US legal system, contain a series of adjustments that can be applied to a “base offense level” according to a number of factors. The resultant “offense level” is then used to determine the recommended sentence. Particularly relevant to the case of DDoS actions are those adjustments that involve the amount of financial losses suffered  and the number of victims. PayPal claimed in a British court that the Operation Payback action cost them £3.5 million in losses, or roughly $5.5 million. That loss figure would add 18 levels to the base offense level for fraud of 7. PayPal did not disclose in court the number of victims it believes was impacted by Operation Payback, but we can assume it was probably higher than 250, which is the maximum listed in the US Sentencing Guidelines, for an additional 6 offense levels, giving us a total offense level of 31. For an individual with no previous criminal record, the recommended sentence for an offense level of 31 is 135 months, or more than 11 years. This is without the “special skills” or “sophisticated means” adjustments, both of which would add several more offense levels.
A “special skill” is defined by the US Sentencing Guidelines as “a skill not possessed by members of the general public.” “Sophisticated means” is defined as “complex” or “intricate offense conduct pertaining to the execution or concealment of an offense.” Whether or not these enhancements are applied depends heavily on the discretion, and the technical sophistication, of the judge handing down the sentence. To someone with little experience with computers or the internet, directing your web traffic through a proxy may count as “sophisticated means” of concealment, and running an IRC channel or even just running LOIC may constitute a “special skill.” This means that, for now, individuals arrested for crimes involving computers are at particular risk for being sentenced based not on what they actually did, but based on how little the arbiters of justice know. In instances where those individuals know and understand little about the technical specifics of the actions before them, they are more likely to fall back on cultural stereotypes and media depictions to make their judgment. Though internally Anonymous may delight in the bad-boy-hacker and Internet Hate Machine images the media uses to describe them, in a court of law the hacker-as-folk-devil figure makes it more likely that activists, mischief-makers, and even researchers will be treated as dangerous members of a criminal elite.
There are no established requirements for determining the figures for losses or number of victims in these cases. PayPal and the prosecution stated during the UK trial of Christopher Weatherhead that they included the “considerable damage to its reputation and loss of trade” that resulted from the actions in their calculations.iii In Rosol’s case, the $183,000 figure came not from the actual financial losses the company reported to the court, which amounted to less than $5,000. Rather, Koch Industries claimed the DDoS action resulted directly in their hiring a consulting firm to improve their web infrastructure, at a cost of $183,000.
The CFAA is a bad law for many reasons, but there are specific aspects to it that make it particularly ill-suited to handle collective online political actions. The lack of oversight in the calculation of damages and the low maximum number of victims mean that the judicial system is predisposed to come down hard on the participants and organizers of these actions. Threats of long prison terms and extreme fines lead to most individuals pleading out before trial, which could delay a precedent-setting court decision such as the Vogel decision in Germany, which could legitimate disruptive civil disobedience online in the United States. “Special skills” and “sophisticated means” sentencing enhancements exacerbate the lack of technical knowledge among members of the judiciary and can easily result in substantially more severe sentences for defendants. Finally, the liability structure created by the CFAA, coupled with joint and several liability, creates a system by which the targets of protest and dissent can impose direct costs for that dissent on activists, creating a massive chilling effect on digital activism as a whole.
GCHQ’s rolling thunder and the (re)militarization of the internet
That DDoS actions are widely considered illegal has not stopped states from using the tactic as a tool of harassment, censorship, or cyberwarfare. In breathtaking displays of hypocrisy, states have been known to target DDoS actions against those groups that have faced prosecution for running their own activist DDoS actions.
In February 2014, journalist Glenn Greenwald and others at NBC released a story based on some of the files released by NSA leaker, Edward Snowden. The story revealed that the GCHQ, the British signals intelligence and information assurance agency, had launched a series of exploit-based DoS actionsiv against Anonymous IRC servers and engaged in other attacks against the online resources of hacktivist groups. The operation, known as Rolling Thunder, targeted the IRC channels used by Anonymous with the intention of disrupting communication and potentially scaring away participants. By some estimates, the server disruption lasted for over 30 hours.
This is not the first time state forces have explicitly launched “hack back” attacks against digital activists. In September of 1998, the Pentagon responded to an EDT FloodNet action by unleashing a piece of countermeasure code called “Hostile Applet,” which causes any browser running the FloodNet program to crash. A Wired article quoted a Defense Department spokesperson as saying, “Our support personnel were aware of this planned electronic civil disobedience attack and were able to take appropriate countermeasures. . . . Measures were taken to send the countless demands [from the attacker’s servers] into the great beyond.” The appropriateness of the Pentagon’s response was questioned at the time. There were questions as to whether the US military should be deploying “cyber-attacks” within the United States even as a “defensive measure,” or against civilians. The “hostile applet” was arguably the first use of military-grade “cyberweapons” against civilians, but it comes in a long line of military technology being deployed to control protest and dissent in the US. This history includes the use of barbed wire for human containment in the 1800s, tear gas for crowd control in the 1920s, rubber bullets and beanbag projectiles in the 1970s, and military-grade pepper spray being adopted for regular police use in the 1990s.v More recently, the Long Range Acoustic Device (LRAD) sonic weapon was deployed at the 2009 G20 meeting in Pittsburgh, Pennsylvania to control and suppress street demonstrations. The LRAD creates a focused beam of sound that can reach up to 150 decibels, and can cause instant, incapacitating headaches and permanent hearing loss at a range of 100 meters. While the use of military technology like the “hostile applet” to stifle a political protest was hardly new, it signaled an intention on the part of the US Department of Defense to extend the military- style policing of dissent from the streets to the internet.
The revelations about GCHQ’s Rolling Thunder operation have met with strong criticism as well. As Gabriella Coleman wrote in Wired, one doesn’t have to agree with the political goals or tactics of Anonymous to conclude that it is a deeply hypocritical abuse of power for states to attempt to disrupt the activities of activists using tactics that the state itself has declare illegal and worthy of prosecution. Coleman writes, “When Anonymous engages in lawbreaking, they are always taking a huge risk in doing so. But with unlimited resources and no oversight, organizations such as the GCHQ (and theoretically the NSA) can do as they please. And it’s this power differential that makes all the difference.” Coleman points out that the Rolling Thunder denial of service actions disrupted the activities of thousands of Anonymous participants, many of whom were not even involved in the Operation Payback DDoS actions. The GCHQ specifically and intentionally disrupted the rights to speech and assembly of thousands of individuals.
The use of these tactics, declared illegal for use by any other type of actor, is deliberate. I argue that the use of these tactics in the name of law enforcement and national security is a deliberate move to extend the Hobbesian state monopoly on force to include code that states see as “offensive” or “weaponized.” This could include DDoS tools, DoS exploits such as the SYN flood used by the GCHQ, scripts to scrape large amounts of data from a website or server, or any other chunk of code that could be used for a disruptive, destructive, or perhaps simply nontraditional purpose. As more bits of code and uses of technology can be removed from the public domain and monopolized by the state as part of its war-fighting domain stable, online actions that were previously innocuous, irritating or even criminal can be reclassified as the tools and tactics of war. The internet can be progressively classified as a valid war-making space, or even as an active battlefield. Where the electrohippies, in their worst case scenario, saw a creeping marketplace mind-frame ready to transform the internet into a capitalistic wonderland, the use of SYN flood DoS actions by the GCHQ, and the Pentagon’s “Hostile Applet” before that, could portend the establishment of a semipermanent state of cyberwar, with any potentially disruptive code held by states as monopolized “cyberweapons.” A state of active cyberwarfare existing anywhere on the network could substantially increase levels of surveillance, while expansive definitions of what counts as “weaponized code” or “cyberweapons” could result in the widespread classification of civilians as “cyberterrorists” or enemy combatants.
The Internet as melded commercial/military space
The dual forces of commercialization and the defense interests of states have combined to foster an online environment that is increasingly hostile to innovative or disruptive modes of political engagement and dissent. State security and commerce have become blended concerns, each supporting the other both in furtherance of their goals and in the construction of their mutual enemies. Anna Feigenbaum has traced what she calls an “elision . . . in which social welfare and the protection of commerce become joint enterprises—solvable only through integrated alliances between government and business.” This elision of goals also combines means and targets: “. . . the conflation of cybercriminals and cyberterrorists works to legitimate forms of surveillance, policing and prosecution that infringe individuals’ civil liberties and apply terrorism legislation against a wide range of the population, particularly political protesters.” Feigenbaum goes on to note examples of corporate executives, such as Sony’s Kaz Hirai, offering a view of the world which conflates crimes against individuals and actions which rock the infrastructural stability that online commerce relies on. “Under this logic,” Feigenbaum concludes, “the anti-capitalist protester can be easily understood as a criminal, and at times, a ‘domestic extremist’ or ‘domestic terrorist’ . . .”
Beyond the ways in which corporate and state security interests have been conflated lies the very real manner in which corporations and other commercial entities have taken a strong, some might say primary role, in governing the online space, both through influence over traditional, state level regulatory agencies and multinational organizations and agreements, but also through direct, “ground level” tools such as terms of service user agreements and more subtle choices at the levels of code and interface design. Because of this, many corporations, most of which provide services that are “invisible” to the user, such as content delivery networks, operate as de facto governance entities in the online space. But these are not governance entities for which the public’s rights of participation, protest, or dissent are fully legally or even culturally established. Rather, it would appear that the online space is being or has already been abdicated to a capitalist-commercial governance structure, which happily merges the interests of corporate capitalism with those of the post-9/11 security state while eliding democratic values of political participation and protest, all in the name of “stability.” The manner in which the public may engage discursively, productively, and politically with entities that disclaim status as governmental entities yet whose actions and policies clearly have distinct governmental impact in the online space has not yet been settled. We are left with a collection of corporately structured governmental entities that cannot be meaningfully talked to, using the language of a discursive democracy.
This has left us with a catch-22. There are no meaningfully accessible democratic channels through which to communicate dissent or protest to these entities, as they have functionally used the structures of corporate capitalism to opt out of the processes of discursive democracy. But attempts to express dissent and protest through disruptive activism or other innovative digitally based tactics are attacked as not belonging to the stable of popularly acceptable protest tactics, or condemned as criminal or terroristic departures from democracy. The functional advantage of a DDoS in this de-democratized context lies in how it serves a translation function, turning the democratic language of a collective action into the loss/gain, signal/silence, on/off language of these techno-capitalist governance entities.
 “Higher Regional Court says online demonstration is not force,” Heise Online, June 2, 2006. Originally published at http://www.heise.de/english/newsticker/news/73827, currently archived at http://post.thing.net/node/1370. Last accessed February 27, 2014.
 Hans-Peter Kartenberg, quoted in Heise Online, “Higher Regional Court.”
 Dan Goodin, “US teen admits to ‘Anonymous’ DDoS attack on Scientology,” The Register, October 17, 2008. Last accessed February 27, 2014, http://www.theregister.co.uk/2008/10/17/ scientology_DDoS_guilty_plea/; John Leyden, “Second man jailed over Scientology DDoS attacks,” The Register, May 25, 2010. Last accessed February 27, 2014, http://www.theregister. co.uk/2010/05/25/second_scientology_DDoSer_jailed/.
 Associated Press, “Dmitriy Guzner: Teen Sentenced in Scientology Cyber Attack,” Huffington Post, November 18, 2009. Last accessed February 27, 2014, http://www. huffingtonpost.com/2009/11/18/dmitriy-guzner-teen- sente_n_362713.html.
 Ryan J. Reilly, “Loading Koch Industries Website Too Many Times In 1 Minute Just Cost This Truck Driver $183,000,” Huffington Post, December 2, 2013. Last accessed February 2014, http://www.huffingtonpost.com/2013/12/02/anonymous- koch-attack_n_4374365.html.
 Curt Hopkins, “Anonymous to show up in person for ‘PayPal 14’ trial,” The Daily Dot, February 28, 2013. Last accessed February 27, 2014, http://www.dailydot.com/news/anonymous-rally-paypal-14-court-trial/.
 Chloe Albanesius, “Anonymous Hacker Gets 14 Months for PayPal, MasterCard Attacks,” PC Magazine, January 24, 2013. Last accessed February 27, 2014, http://www.pcmag.com/ article2/0,2817,2414674,00.asp.
 Massachusetts General Laws, Part IV, Title 1, Chapter 266, Section 120: “Entry upon private property after being forbidden as trespass; prima facie evidence; penalties; arrests; tenants or occupants excepted. Retrieved from http://www.malegislature. gov/Laws/GeneralLaws/PartIV/TitleI/Chapter266/Section120.
 Massachusetts General Laws, Part IV, Title 1, Chapter 268, Section 32B: “Resisting arrest.” Retrieved from http://www. malegislature.gov/Laws/GeneralLaws/PartIV/TitleI/Chapter268/ Section32b.
 United States Sentencing Commission Guidelines Manual, 2B1.1.b.1, (2012).
 United States Sentencing Commission Guidelines Manual, 2B1.1.b.2 A-C, (2012).
 Sandra Laville, “Anonymous cyber-attack cost PayPal £3.5m, court told,” The Guardian, November 22, 2012. Last accessed February 27, 2014, http://www.theguardian.com/ technology/2012/nov/22/anonymous-cyber-attacks-paypal-court.
 US Sentences Commission Guidelines, 354.
 Ibid., 94.
 Mark Schone, Richard Esposito, Matthew Cole, and Glenn Greenwald. “War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show,” NBC News, February 4, 2014. Last accessed February 27, 2014, http://www.nbcnews.com/ news/investigations/war-anonymous-british-spies-attacked- hackers-snowden-docs-show-n21361.
 Schone et al., “War on Anonymous.”
 Graham Meikle, FutureActive (New York, NY: Routledge, 2002), 153.
 Niall McKay, “Pentagon Deflects Web Assault,” WIRED, September 10, 1998. Last accessed February 27, 2014, http://www.wired.com/politics/law/news/1998/09/14931.
 Meikle, FutureActive, 154.
 “The future of crowd control,” The Economist, December 2, 2004. Last accessed February 27, 2014, http://www.economist.com/node/3423036.
 Gabriella Coleman, “The New Snowden Revelation Is Dangerous for Anonymous—And For All of US,” WIRED, February 4, 2014. Last accessed February 27, 2014, http://www. wired.com/opinion/2014/02/comes-around-goes-around-latest- snowden-revelation-isnt-just-dangerous-anonymous-us/.
 Anna Feigenbaum, “Security for Sale! The visual rhetoric of marketing counter-terrorism technologies,” The Poster 2 (2011): 85.
 Feigenbaum, “Security for Sale!” 85.
 Ibid., 86.
Image credits: Cover design: Jesse Holborn
Coming after improvements to Firefox and continued unease at Google’s life-pervading insight, this image is outperforming the ███████ ████ Virality Control Group today (via). It got me thinking about all the promises that were made. Here’s the earliest article in Google News to contain “Big browser” in its headline, published by Time Magazine on Nov. […]
The WiFi232 is a traditional old-timey old-schooley Hayes-compatible 300-115200 baud modem, no wider than its own parallel DB25 port. Automatically responds with a customizable busy message when already in a call. The killer app seems to be using it to get internet onto ancient retro portables like the TRS-80 Model 102, but it’s been put […]
Most tech-media takes on the iPhone’s 10th anniversary are bland and self-congratulatory, but I like Tom Warren’s at The Verge. He laments how Apple’s pocket computer killed his inner nerd. As a youngster, he’d be constantly tearing down and building computers, even in the sweltering heat of summer. But now… …All of that tinkering and […]
Whether you’re a seasoned entertainment industry veteran or a student working on your first spec script, having the right tool for the job will make a huge difference in your focus and productivity.Final Draft 10 is far and away the world’s best screenwriting software, used extensively by professional film and TV writers at top production […]
Web content creators who don’t have a solid SEO strategy should take note of Webtexttool. It’s a service that pulls in anonymous data from their entire user base to offer crowdsourced guidance that increases your search page ranks. By analyzing prior user successes, it helps you better gauge how your posts will perform at a […]
Just because English has become the common global tongue doesn’t mean it’s the easiest language to write—even for native speakers. If you’re looking to improve your written communication skills, especially on your smartphone, take a look at Ginger Page.Ginger is a cross-platform app that offers corrections for phrasing as well as grammar. It’s powered by […]