Schneier on Security
A blog covering security and security technology.
May 22, 2013
DDOS as Civil Disobedience
For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, are a part of that. This is one of the reasons I found Molly Sauter's recent thesis, "Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet," so interesting:
Abstract: This thesis examines the history, development, theory, and practice of distributed denial of service actions as a tactic of political activism. DDOS actions have been used in online political activism since the early 1990s, though the tactic has recently attracted significant public attention with the actions of Anonymous and Operation Payback in December 2010. Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space. The internet acts as a vital arena of communication, self expression, and interpersonal organizing. When there is a message to convey, words to get out, people to organize, many will turn to the internet as the zone of that activity. Online, people sign petitions, investigate stories and rumors, amplify links and videos, donate money, and show their support for causes in a variety of ways. But as familiar and widely accepted activist tools -- petitions, fundraisers, mass letter-writing, call-in campaigns and others -- find equivalent practices in the online space, is there also room for the tactics of disruption and civil disobedience that are equally familiar from the realm of street marches, occupations, and sit-ins? This thesis grounds activist DDOS historically, focusing on early deployments of the tactic as well as modern instances to trace its development over time, both in theory and in practice. Through that examination, as well as tool design and development, participant identity, and state and corporate responses, this thesis presents an account of the development and current state of activist DDOS actions. It ends by presenting an analytical framework for the analysis of activist DDOS actions.
One of the problems with the legal system is that it doesn't make any differentiation between civil disobedience and "normal" criminal activity on the Internet, though it does in the real world.
Posted on May 22, 2013 at 6:24 AM
DDoS attacks are not like civil disobedience. They cause collateral damage and should be classified as crime.
When activists chain themselves to the front doors of, say, Monsanto's corporate headquarters, their action is deliberately and specifically targeted to affect only Monsanto and those doing business with Monsanto. This restraint on the effects of action is a crucial element of civil disobedience--third parties must not be affected.
But when activists target Monsanto's website with a DDoS attack, that not only disrupts Monsanto and those doing business with Monsanto, but also indiscriminately disrupts other customers of the hosting service which hosts Monsanto's website, regardless of whether or not those other customers have any relationship to Monsanto. So if, say, UNICEF's website is located in the same hosting facility, UNICEF can also suffer from the DDoS attack's effects. This negligence disqualifies the DDoS as civil disobedience.
Even assuming one wanted to find some ethical justification for DDOS attacks, "Civil Disobedience" seems like the wrong category, for a couple of reasons:
(1) Unlike perpetrators of meatspace acts of civil disobedience, DDOS-ers hide their identity, and actively try to avoid prosecution and prison. A key part of the symbolism of civil disobedience is thus left out;
(2) DDOS-ers hurt bystanders, by creating (or even just availing themselves of) botnets constructed by firing malware at machines belonging to people not in any way associated with what they are protesting, or even the country in which they are protesting. It's as if someone took over your home without permission so as to use a convenient window to hurl slogans with a bullhorn.
The thing about civil disobedience is that its power comes from the fact that specific obnoxious laws are being broken by people above ethical reproach. That seems so far from the case with DDOS that usage of the term "Civil Disobedience" in this connection is a corruption of its meaning.
DDoS attacks are indeed like civil disobedience.
DDoS don't cause any serious collateral damage and shouldn't be classified as crime.
DDoS have been and still are a legit tactic of political activism.
Playing devil's advocate, what about the deli next door to Monsanto's corporate headquarters who cannot get any business because activists have flooded the streets?
James here raises a good point but I don't agree with his example. Staying on the same example, chaining yourself to the front door of Monsanto could create collateral damage as well, if other companies have offices in the same building. Collateral damage should not stop your protest, otherwise it would be too easy for any company subject to popular protests to open their offices in the same building of Red Cross and feel safe from protests. ;-)
The problem I see is whether we want to consider DDoS as a form of protest like, say, an "Occupy"-like sit-in, or as a form of vandalism like, say, throwing a brick in your store's window. The same question could be raised for website defacements, and other "hacking" activities that do not involve stealing information or permanently damaging infrastructure.
You can also imagine third party businesses being affected by traditional protests. How many businesses that have nothing to do with banking or finance suffered due to occupy Wall Street movement because non-protesters were wary of going there during the protests? In this sense, political DDoS attacks are not that much different from traditional protests.
Point (1) is also true in some traditional protests. Also, how many more would try to conceal their identities if protesting on streets was punished as harshly as protesting in the internet (i.e. DDoSing)?
I really had not thought of DDoSing as analogous to protesting on streets before this post, but somehow this idea immediately made a lot of sense to me.
...and more questions: should we consider voluntary-based, Anonymous-style, attacks at the same level as botnet-based attacks? Is gathering a hundred friends to start a ddos attack from our PCs different from renting a botnet for a few hours to do the exact same thing?
This is a very interesting theme.
In the past, I have also worked on research on this topic (http://blog.digitalliberalism.eu/2012/06/15/hacktivists-cyberterrorists-or-online-activists/), which actually ended up in a Dutch legal scholars' journal.
I am wondering what others here think of our approach, which is more based upon the right to protest than civil disobedience.
Others have mentioned it, but...
The thing with most DDoS attacks is many are NOT done by the people, but by bot-nets. People doing civil disobedience are willing to put their names to things and go to jail. If you want to take down a credit card site in support of WikiLeaks, then do so, but put your name to it - if there are really thousands, the FBI will have trouble getting to them.
Ordering a dozen pizzas to be delivered to someone who hasn't ordered them would be a real-world example. It only hurts a third-party.
One warning though - things could escalate. I'm thinking of the Komen - PP controversy. Do we have both sides of the abortion debate constantly DDoSing each other's sites?
There used to be some respect - the Freedom Riders didn't vandalize. Not infrequently anarchists do. The former were witnessing to evil, the latter wanted revenge or simply to cause harm to whom they considered evil.
James, civil disobedience in the real world in the form of street marches, occupations, and sit-ins also causes collateral damage and by definition involves criminal acts. It is simply false that third parties are not affected by civil disobedience in the real space. Chaining oneself to the doors of a corporate headquarters can impede pedestrian traffic, indiscriminately disrupting other users of that walkway which hosts Monsanto's front door. It can serve as a distraction of law enforcement as cops will almost certainly be called in to, at a minimum, monitor the situation. There are clear secondary and tertiary effects to any kind of civil disobedience. So this standard you've set where there must be none because there are none in real space? It's a fallacy because they do exist in real space just as they do in the digital space.
DDOS *can* cause collateral damage. It depends entirely on how the target website is structured.
One reason why the people who do acts of civil disobedience in the digital realm, say hacking and defacing a website, are more likely to try to hide their identity is because they can potentially get years in a federal prison for doing so. On the other hand, chaining yourself to the front doors of a business may land you in jail, but usually just for a few hours or overnight at most.
The French have been using DDOS for years in the physical world - blocking highways with tractors etc. when unhappy.
I've long felt copyright infringement can be used as civil disobedience. The obvious example is spreading around copies of [banned title here] in an oppressive regime, but even here in the US with robust free speech protections, there's also room for copyright infringement as disobedience.
Consider the possibility that you violently disagree with politics of MM, and MM publishes yet another hardcover polemical screed. Now you don't want any money to go to MM, and in the elder days, if you were at all interested in the respected opposition's viewpoint, you could check it out of the library, or buy a secondhand copy. And now, illicitly download it.
This doesn't hold quite as true for genre fiction, but there is a scale, where genre fiction can be a polemic at the one end, The Turner Diaries, ranging up through merely distasteful (for suitably varied definitions of taste), Gor, Atlas Shrugged, to authors who hold opinions you may vehemently disagree with, but whose work remains untainted by their noxious personal beliefs.
Whenever the discussion of civil disobedience comes up, there are always people looking to discredit someone else's form of protest by making up their own set of arbitrary rules. This one is pretty common, already multiple people have expressed it here:
> People doing civil disobedience are willing to put their names to things and go to jail.
That is simply not true, the people in two of the most famous cases of American civil disobedience deliberately worked to avoid arrest for their actions. The protesters in the Boston Tea Party of 1773 disguised their faces, and the underground railroad was a very publicized movement where the individuals involved made every effort to stay hidden from law enforcement.
It seems to me that there's a willingness to conflate and confuse "Civil Disobedience" with "protest" among some of the comments above.
There is a difference, which is important: an act of civil disobedience is an act of courage, by someone who is so devoted to a cause that they are willing to court certain legal sanction from authorities. It derives its power as a source of political transformation precisely from that courage. The difference between protest and civil disobedience is the difference between participating in a rally and lying down in front of a tank.
It is a cheapening of language to describe DDOS as civil disobedience, because for the vast majority of DDOS attacks, there are no consequences for the perpetrators, by their own anonymous design. No doubt they would like to profit from this terminological confusion, but they lack the basic ethical qualification for the status they'd like to claim.
Language matters. Civil disobedience is an important concept. We shouldn't be willing to allow the concept to be diluted, cheapened, and discredited by making it a hostage to self-congratulating bullshit artists. The guy who actually lay down in front of that tank deserves better.
Your neighboring deli analogy is flawed. To physically approximate a DDoS attack's collateral effects in meatspace, your deli-blocking activists would need to:
1. Actively prevent anyone from entering and leaving the deli (in cyberspace, inbound and outbound traffic is often not merely obstructed, but outright dropped by overloaded networking equipment).
2. Block all phone reception in the deli (if a server administrator isn't on-premises they may be left with no immediate means to get an inside assessment of the situation, much less a chance to take remedial action).
3. Cut the deli's power (depending on the hosting technology being used, shared CPU, memory, and storage can be overloaded, causing software or hardware crashes).
By this point--and if you had any doubts before these additional actions--you have to admit that your activists are no longer engaged in simple civil disobedience against Monsanto's corporate offices.
Is "civil disobedience" really about denial of service?
Is the question really, on "civil disobedience", or on moral, just causes? Like Gandhi and India,
or Martin Luther King Jr and America.
If you deny people what they can read, what they can say, where they can shop, what press they
can read... is that not closer to tyranny? Are there not better ways to make one's point?
And we have seen many of these movements that are supposedly "for the poor" and "righteous",
really being cults of personalities, vies for power. When these "freedom fighters" (and so many
other names they take) actually get into power: they sure perform denial of service. All over
the place. And it then is clear to everyone outside their cults who and what they really are.
Some teenager who has read some books and is rebelling against Mommy and Daddy... they have
watched some documentaries. Maybe they use pot. Maybe they skip school. They are rebels and
feel they are on the other side. They do not have power, they do not have authority, they
do not have money. They want to see the big banks go down. The big industry. The big corporations.
They want a fight against dragons to save the damsels. They want to be right and have power
to do something.
The poor? Evil? Other people? They do not give a damn.
It is about a lot of friends engaged in exciting adventures. They are at the stage in their
life when the concept of play and pretend is finally truly dying. They take themselves way
too seriously. They have not read much, nor felt much.
So, those guys DDoS sites. Just to say to the world, "I am, I exist".
I think that is a crime. Whether it is those kinds of suburban kids or Islamist Muhommad
or Communist Jane. (Or Iran sponsored "fuck you America" team.)
I can not see a valid reason to DoS or DDoS, especially not as protest. Boycotting, sure.
Protests that by their size cause problems, but try not to, okay. Strikes sometimes should
happen. But welding doors shut. Blocking others from their free right to choose? No.
Of course they're crimes!
Advocates would have you think it's like a lunch counter sit-in, but the people who engage in that are there to be arrested as part of the action of civil disobedience.
As a political act against someone else's property by an anonymous actor, a DDOS is more a minor act of terrorism than civil disobedience. People who engage in civil disobedience and try to escape the legal consequences are just criminals trying to beat the rap.
@ Carlo Graziani,
> It seems to me that there's a willingness to conflate and confuse "Civil Disobedience" with "protest" among some of the comments above.
That is because of two effects the first can be summed up by Shakespeare's "Would a Rose..." and the political advantage of so conflating which we have seen with "terrorist", "insurgent", "WMD" and all manner of other terms.
Even legal definitions are often (deliberately?) contradictory.
The lack of precise (or any) definition benefits those who wish to gain political advantage.
> There is a difference, which is important: an act of civil disobedience is an act of courage,
> by someone who is so devoted to a cause that they are willing to court certain legal
> sanction from authorities.
That is pretty much what I meant by people making up arbitrary rules in order to discredit other people's efforts. The examples of the anonymous members of the Boston Tea Party and the Underground Railroad are widely considered to be civil disobedience, it is not just some misguided minority who feel that way.
Martin Luther King himself called the Boston Tea Party a "massive act of civil disobedience."
> Some teenager who has read some books and is rebelling against Mommy and Daddy...
Youth are frequently at the vanguard of change because they have not been as well co-opted by the status quo. Similar charges are always levied at them and are rarely more than simple ad hominem. There is no such thing as the perfect act of civil disobedience. Being human the practitioners will always be flawed and focusing on their flaws is just a way to avoid addressing their issues.
I worked in the DDoS mitigation space for a number of years until very recently.
DDoS attacks look like different meatspace activities depending on context.
Suppose a commerce site is threatened by an attacker and asked to pay extortion money or an attack will be started in exactly one hour (yes this actually happens). In this example, DDoS looks like the baseball bat that neighborhood protection racket thugs once used to smash up the place. The entire act is a digital form of the protection racket. Definitely criminal.
When DDoS is used in advance of a breach (like with Sony), it's a smokescreen to help the thieves break in and steal invisibly. Definitely criminal.
When DDoS is used by an online retailer to take their competition offline for a period of time and knock their search rank down, this is dirty business that is most definitely criminal.
Even if we could all agree to sanction this behavior as a kind of digital protest, there's still a big problem. The problem is that we can't determine the intent of the attacker. It's simply not possible. Even if a victim site is purely political or owned by the government, the act of DDoS could be providing a smokescreen for data theft or other crimes that go far beyond protest.
Botnet-mediated DDoS-attacks are in my mind an entirely unacceptable form of protest. If you want to protest, buy/use your own infrastructure and identify yourself. Then take the rap.
Hijacking someone-else's infrastructure and using it to launch your protest (and conceal your identity and possibly get the real owner of the infrastructure into trouble) is to my way of thinking like stealing someone's car to use as a getaway-car in a bank raid.
The owners of the systems in a botnet probably don't share the aims of the DDoSser.
I don't think it makes sense to equate DDOS with civil disobedience because in a DDOS attack the number of people are unknown and there is no easy way of having a counter-protest. You "win" by civil disobedience if most people are on your side, but you can "lose" if it turns out that the other side ends up with more demonstrators.
I've actually had to deal with protesters outside my place of business and the protesters are very, very careful not to block traffic, and surrounding the protesters are usually a reasonable number of police looking over the protesters. Sometimes the protests are directed at my company. However, my office happens to be located near another protest target. On occasion, we get a bunch of protesters that are protesting the former occupant of the building that moved away years and years ago.
As long as they don't keep me from getting to my office and block access to clients, I support their right to free speech (i.e. sticks and stones may break my bones but names will merely annoy me), but the moment they try to DDOS me, you are going to have me, my coworkers, and clients of my business being quite upset, and we'll be holding a counter-demonstration to support any action that the police take to allow access to the building, and there are more of us than they are of them.
Most professional protesters know the rules, and are in fact quite nice about this. If you hold signs and shout slogans, you will be allowed to protest. The moment you block access to a building or chain yourself to the doors, you will be removed very, very quickly (hint: doors can be removed from their frames, chains can be cut, and large offices have more than one entrance). If it is a large protest, the police will have set up police lines and crossing a police line will get you arrested.
Also mass numbers will not work. The police can quickly call up more police than protesters.
Something interesting about the Occupy movement is that for the most part they were stuck in Zuccotti Park and did nothing really to "occupy" Wall Street. One funny irony was that the OWS movement actually reduced the number of office demonstrations. There's very little finance on Wall Street and none in Zuccotti Park, so having all of the professional demonstrators there, gave people some peace and quiet.
If you really wanted to physically DDOS Wall Street, it wouldn't be that hard. What you would need to do is to block the subway exits at Grand Central Terminal, and this would be trivial to do with about 50 people.
The reason OWS didn't do this is that you'd very quickly be removed by police with the annoyed crowds cheering them on. This is not something that looks good on the news.
One reason civil disobedience is relatively rare in the United States since the 1960's is that if you had a large enough and well organized group that could overwhelm the police, then you would find it easier to hire lobbyists and work within the system. Civil disobedience becomes important when you have a large number of people that are being denied access to the political system, but that's not an issue that is a huge problem in the United States. Conversely if you have people that are too disorganized or lazy to vote or call their congressmen, they aren't going to be joining protests.
I agree insomuch as I believe the lack of distinction is an issue. Many police officers don't know the difference between civil disobedience and breaking the law, with the latest famous faux pas being the mistake by Chief Lanier...
“There’s a difference between civil disobedience, which I think this is being portrayed as, as civil disobedience, and actual violation of the law. There’s two different things here. Civil disobedience, people come to D.C. to protest policies and government policy all the time—it’s no problem. But when you cross into the District of Columbia with a firearm and you’re not in compliance with the law, now you’re talking about a criminal offense and there’s going to be some action by police.”
Unless we want civil disobedience to be punishable by death (obvious hyperbole), we should at least teach our police what it means.
@Adam Davies - civil disobedience _is_ breaking the law. That's where the "disobedience" part comes in. The key is to choose _which_ laws to disobey as ones that will only get you (at worst) put in jail rather than killed.
> Some teenager who has read some books and is rebelling against Mommy and Daddy...
> Youth are frequently at the vanguard of change because they have not been as well co-opted by the status quo. Similar charges are always levied at them and are rarely more than simple ad hominem. There is no such thing as the perfect act of civil disobedience. Being human the practitioners will always be flawed and focusing on their flaws is just a way to avoid addressing their issues.
I contrasted the selfish teenager who really has no idea of what is going on in the world,
with Gandhi and Martin Luther King Jr for this very reason.
You can not equate the two.
Yes, I am not making global, absolute statements. I think there are a lot of valid issues
some of the western youth have taken on. But there are also an immense number of completely
bullshit causes they have taken on.
Just because someone does a DDoS by no means state the cause is valid.
That would justify the effective societal DDoS tyrannical regimes impose. Denial of service
for basic food. Denial of service for journalist. Denial of service for people's right to
believe as they wish or speak as they wish.
I can address "the problem". But this is a sensible audience. We have all shaken our heads
at some of these causes put on by some of these youth. Others, maybe we have cheered for.
I can not think of a case where I cheered for them when it involved DDoS, even when I have
agreed that their cause may be valid.
I am not, either, opposed to "black" methods. I thought it was great when some teenagers
hacked some rapists and posted their dark secrets online. They deeply deserved that and
the law was not delivering. Who did not cheer at that?
The truth is, this is not just an American or Western issue. Plenty of Pakistani youth
out there hacking for their causes. Plenty of youth through out the world doing this.
Plenty of youth also murdering others, blowing up mosques and churches for their causes.
I can aim at the people behind that. I can aim at their work. Either way, it hits target.
I do appreciate your statement, however to help me clarify my stance.
I'm wondering how many people here have actually either participated or been the target of a physical real-world protest. The reason that I'm asking is that there are some ideas about how protests work that I think are odd.
Most corporate headquarters are set up as suburban campuses making it pretty much impossible to set up a protest. You have to bus people miles to the HQ, and the guard at the gate is not going to let you in. You might protest at the gate, but no one is going to see you, and you are going to be a half mile away from the main buildings of the campus. Also it gets a bit silly since you are in the middle of nowhere, with no cameras, and nowhere to either go to the bathroom or take shelter from the hot sun.
Corporate protests are more common in large cities, because you can get people on the subway, and then you can exercise your First Amendment rights on the sidewalk right outside of the HQ. However, in that situation, there is a line between the sidewalk and the private property which you are not allowed to cross. You are also not allowed to block traffic or block the sidewalk or access to the building.
Activists in the NYC area are very careful to follow the law. The law protects public protests, and as long as they follow the law, the police will just stand there. The moment someone breaks the law, the protest ends. Also, there will be people from corporate security who will check access to the building. One thing about professional activists is that they are usually on good terms with the police, since the police guard their right to protest, and the police are referees that make sure that no one gets out of line.
Also the laws concerning protest are widely considered by most people to be reasonable and legitimate, and if you break the law, you lose public support. One of the worst things you can do to a New Yorker is to block their way.
Also, protests are difficult to carry out because, people have to work. I've seen a lot of "lunch time" protests or protests that happen on specific days. However, it is difficult to have a long term protest, because people have to work, and students have to go to class. This is also why people avoid breaking the law, because not showing up for work because you were in jail, even for very short periods of time, can cause you a lot of problems.
Conversely, because protests are difficult, people take notice of them. If you can convince 200 people that they are angry enough to take lunch off to hold signs, then that means that you are worth being paid attention to. Conversely getting 200 people to sign an e-mail petition isn't going to get you very far, because that is easy.
>>Activists in the NYC area are very careful to follow the law.
Clearly this wasn't true of OWS.
The concept of civil disobedience, I believe, is probably not applicable in the circumstances Bruce describes.
What is more pertinent, I think, is the part of the Constitution's First Amendment that says "Congress shall make no law ... abridging the freedom of speech, or of the press; ..."
Attacking a web site actually restricts the freedom of electronic speech and electronic press of the organization so attacked. Those freedoms must not ever be one-sided, where I can speak but you can't -- or vice-versa. Yet one-sidedness is exactly what the attackers hope to accomplish.
If Congress does not treat such internet-based attacks as a crime, it in effect _has_ made a law that allows for the abridgment of freedom of speech and of the press, and has violated its Constitutional mandate.
In comparison to the legality of real-world sit-ins, I think that allowing a pre-determined and individual use-proportional amount of traffic consumption to public and government websites could be considered a legal analog to real life protest, but the user should be ready to show that their computer is being used for nothing else during that time, and that they are using no other personal computers, or multitasking in any way, in order to symbolize a unified and democratic commitment to demonstrating a belief, rather than just being allowed to casually deploy a loitering app on a spare computer, without engaging the meaningful self-sacrifice historically associated with demonstrating.
In such cases where people can meet these requirements, I believe they should not be prosecuted for traffic consumption. For instance, if 150,000 people want to occupy cia.gov in this manner because they dislike some recent abuse, then the CIA should be forced to deal with these people as a democratic entity and should seek to make reparations as needed. Because the CIA is funded by taxes.
And prolonged traffic consumption to private websites should be treated as loitering, like in the real world. Excess consumption of either is pretty much straight-forward vandalism. On election day, you get 1 vote, not 1,000.
We can rationalize our actions all day long, and name-drop the Rothschilds or whatever conspiracy theory, but there is no legal, mature excuse for attacking the property of other citizens based on our own rationalizations, and there should always be consequences.
Of course this doesn't even address the conundrum of foreign DDOS protest of domestic organizations. I'm not even sure how I feel about a "fair" way to treat that sort of protest. Maybe this is the genius behind the great firewalls of China.
I'm curious how the legal system differentiates between civil disobedience and "normal" criminal activity in normal space. I'm trying to think of some examples that I know of and can't think of any. I suspect these would have come about through case law and not statutes. In fact currently a hot item in my state is a law allowing for INCREASED penalties for trespassing if your purpose is to obtain video of farm treatment of animals. So we'll probably have to wait for the courts to carve out exceptions for "civil disobedience".
Someone mentioned contradictory legal definitions of "civil disobedience". I'd like to see any of those definitions, again they are probably from case law not statute so if they are contradictory the highest court in the system with the most recent ruling, is the current definition, but ya the legal system is "squishy".
@James et al.
The distinction of 'collateral damage' vs. damage to an intended target is not one the law should make in determination of the criminality of an act. Many 'real world' disruptive actions result in material harm to the intended target (e.g. blocking offices in a way that makes normal, legal business operations sufficiently difficult that the targeted business suffers an economic loss), and the law should not give a pass to them simply because the target is unpopular or the perpetrators believed what they were doing was justified. Collateral damage isn't the sole measure of doing harm, though it is an important additional consideration when assessing the severity of the crime.
Normally, considerations of motive (as well as youthful naivete) can be taken into account during sentencing, and similarity or analogy to previous court sentences are used as a basis for matching the sentence to the specific case.
There's also a substantial difference between 'civil disobedience' that is protesting a law itself, usually by breaking it (underground railroad, Gandhi's Salt March, etc.), and protesters that violate laws because doing so will garner more attention than legal methods would have. In the latter case, no one is saying that causing material harm is supposed to be okay in general, they just want to have a special license to cause harm because they've decided the harm is small compared to the importance of their cause.
@umum, Jenny Juno
The above seems to bear on your comments in some fashion, but I'm not sure if it expands on them or contradicts them.
Many commenters seem to have a particularly narrow view on the concept of civil disobedience, or civil resistance if you like. Clive correctly points out that there is no such thing as a precise definition, thus giving rise to all sorts of different interpretations.
Although examples of civil disobedience go back to the book of Exodus, modern interpretation most often is based on Henry Thoreau's 1849 essay "Resistance to Civil Government" and Gandhi's non-violent satyagraha. In this context, it is important to differentiate between the definition, and the means through which it is executed. The late Ronald Dworkin, a 20th century American philosopher and scholar of constitutional law, held that there are three types of civil disobedience:
- "Integrity-based" civil disobedience, i.e. when a citizen disobeys a law she or he feels is immoral.
- "Justice-based" civil disobedience, i.e. when a citizen disobeys laws in order to lay claim to some right denied to her or him.
- "Policy-based" civil disobedience, i.e. when a person breaks the law in order to change a policy believed to be dangerously wrong.
Even when for argument's sake - and in honour of the Mahatma - excluding physical "ad hominem" violence, there is no compelling reason - either academic or practical - to restrict the definition with regards to the means used, the way in which they're used, side-effects thereof or the entity it is directed against. A benefit of such a broad definition is that it removes any political bias out of the equation.
This means that for me civil disobedience can be directed against governments as well as non-governmental entities (e.g. banks, corporations). Whether it is done in public or covert does not matter. Whether or not it is treading on rights accorded by law to the entity it's aimed against is completely irrelevant, especially when that same law offers recourse only to the rich and powerful in a context where political and legal system are broken, or are perceived to be so.
Precluding any acts causing collateral damage is another interpretative constraint. Very often, it is exactly the collateral damage that is offering more leverage than the act itself. I can imagine the stockholders and traders of the British East India Company were not too happy with Gandhi's salt satyagraha. Or slave owners suffering financial losses over people refusing to rat out runaway slaves. Remember that in the end - and just like Apple et al setting up complex constructions to avoid taxes - neither were doing anything wrong under the then law. Under the same argumentation, most strikes could be outlawed.
In my opinion, several commenters are suffering from a specific form of hindsight bias with regards to civil disobedience, acknowledging as such only those instances that went down in history as morally justified under today's interpretation thereof.
There is however little doubt in my mind that a person like Mohandas Gandhi in the US today by many would be labeled a dangerous terrorist. Chances are fair that he would be keeping Bradley Manning company, be haunted into suicide by overzealous prosecutors or taken out by a drone if operating from abroad.
Clearly there is a disagreement here. The harm caused by a DDOS is proportionate to the value of the target site's uptime during the DDOS, not including extraneous factors such as someone hosting a critical service on the same IP as the front page of their website.
The vast majority of websites are unquestionably low value in this regard. Most websites, even those for high-profile entities, do not have an absolutely vital need for their front page to be available nor would they suffer a notable loss of business were their website to remain down for a relatively short period of time. See https://xkcd.com/932/
I am heartened to read the comments on this thread.
I find the pro-hacking, pro-DDoS scholars to be pushing the limits of credibility, and advancing an agenda whose purposes they themselves seem not to acknowledge.
On the one hand, they promote and defend the right to absolute anonymity of their favorite heroes.
On the other, they want government to actually carve out an exception for "activist" DDoS, and this determination of "activist" is often accompanied by their own insistence that one must "know" the actual perpetrators, do ethnographies of them, even, to know what they are up to. Then, when "bad" actors self-identify as part of these groups, these scholars disavow those actions as not being "authentic." But how would anyone know? The scholars themselves insist that nobody (but them) knows who's actually "in" the group.
The problem with focusing on DDoS as a form of activism is that it misidentifies a method with a commitment. Suppose someone had written a parallel thesis that focused on other actions that (as the author of this thesis admits) are typically understood as criminal: brick-throwing as activism; punching people as activism; stealing money as activism; and so on.
Yes, you could, in the right circumstances, find cases where each of these might be justified as activism.
But the means aren't the point. The point is to understand how we determine which commitments function as "activism" within any given political body. Martin Luther King's actions were clearly able to be understood as civil disobedience. So was the (original) tea party. So was Rosa Parks. So was Occupy Wall Street.
The problem with DDoS, especially from anonymous sources, is that nobody can be sure why it's being done or who is doing it, and it is amidst a sea of clearly violative acts. The scholars who defend it admit that authorities have no way of knowing who is actually behind the attacks; how in the world are they to determine which are "free speech" and which are not? Further, the actual DDoS attacks claimed to be "activist" are themselves often in very murky territory, unless one has already decided that the Lulz and Anonymous folks are inherently "good guys," which seems by no means clear to me.
DDoS can and has taken down vital services to which people need access. #OpIsrael hit several medical facilities, whose connection to the political cause Anonymous advocated was tenuous at best. In the US Anonymous has hit government and law enforcement sites, which again could actually be needed by citizens right at that moment. Even the Swartz protest took down parts of MIT's systems when students needed that access to study.
The whole thing is BS. Yes, if the Federal government actually swooped in and mass arrested everyone in New York City on false charges, you might have a case for DDoSing some websites. But unless there are direct, clear, understandable, public actions for which DDoS is an appropriate and reasonable last resort after other methods have failed, it's BS. And it's BS because what this thesis author is actually doing is celebrating the raw power these groups enjoy getting their hands on, replicating the very thing they claim to hate--raw, unregulated, antidemocratic power in the hands of the unaccountable.
We know what online protest looks like--it happens all the time. Bringing down websites is not protest, it's not civil disobedience, it's a raw exercise of power, something much closer to an act of violence, and the idea that it should be protected as "free speech" is one of the most ludicrous and offensive things I've ever heard (and can only be uttered by people who have not read deeply in the history of free speech).
Also, because it's come up here: despite what a certain book is telling us now, code is not speech.
Or to be more precise, the execution of code is not speech; it's action.
There are no words in the world I can utter to kill a person, except in specialized circumstances like the following:
If I attach the trigger of a pistol to a sound-activated device, and utter a word that causes the pistol to fire at the person at whom the pistol is aimed, the fact that I can be prosecuted for murder completely obviates the idea that what I have done is "speak." I've taken action. I've made something happen.
You are, yes, free to write any goddamned code you please--that's speech. You are not free to execute that code--that is action, not speech.
Executed code directly causes actions in the real world. "Robot move forward" would be illegal to execute if there was a person standing in front of the robot and I knew it. DDoS is not speech: it is directly acting to stop other actions in the world (namely, the provision of online services). Code, when executed, is not speech. Code, when executed, is action. It deserves none of the protections accorded to expression, and the recent attempts by some writers to conflate the two--chiefly by writing as if the creation/execution distinction did not exist--are extremely disturbing. They should know better.
As I have pointed out and Dirk Praet has nicely amplified, we need commonality in our definitions before meaningful argument can be made.
However this presupposes another less obvious consideration of commonality that is largely ignored by people, especially politicians, legislators and our legal brethren.
To understand this there is a question people should be considering with regards to Civil Disobedience, which is what is the purpose of "protest" that underlies it and how it differs in the tangible physical and intangible information worlds.
The usual purpose of a "protest" is to make a viewpoint known to others; in the case of civil disobedience it is in a manner and place of the protestors' choosing that will provoke a response, either in the form of embarrassment for the entity being protested against or by action by the civil authorities, thus making a message significantly more visible via some medium. The intent is usually to keep the protest below the point where the various government military forces become involved, simply because at that point it is no longer civil disobedience but civil war (a point that has so far not been commented upon).
At the lowest level of civil disobedience there is the putting up of posters and handing out of leaflets in public places, usually adjacent to a place significant to the entity being protested against. Both posting and leafleting are in most jurisdictions transgressions against legislation, be it local bylaws or more general civil (tort) or criminal law. The usual ones being some form of fairly ancient legislation such as trespass or blocking of the highway or activities that might cause a breach of the peace; the actual legislation depends not just on the jurisdiction, type of legal process but also on the general type of society, be it permiso or non permiso.
In almost all such legislation is the implicit idea of a place or location at which the offence has taken place.
Whilst in the tangible world it is possible for people to see posters and be handed leaflets at a place of protest in a public area adjacent to the entity being protested against, the same is far from true in the intangible world, where there is in effect no sense of locality or public space for a protest. Further the tangible electrons that convey the information impressed upon them have neither eyes to see with nor ears to hear the message of the protestor, nor hands to carry the message to a human for consideration.
Thus in the intangible information world you have to either "trespass on the entity" or "block access to the entity" as a minimum, as there is no locality to have an adjacent public space in which to protest peacefully or otherwise.
This means that unlike the tangible world where it is possible to peacefully protest with minimal disruption, in the intangible information world to protest you have to as a minimum commit a series of criminal acts. Which in some jurisdictions carry very very significant penalties (fifty years in jail was the ante levied on Aaron by the federal prosecutor).
It is important when making comparisons to ensure that you have sufficient commonality for the comparisons to be valid. Often we make basic assumptions of parity based simply on our everyday perceptions of one case -- in the tangible physical world -- without actually testing or even attempting to test the validity of our perceptions in the comparison case -- in the intangible information world -- which is problematic at best.
Not doing so causes confused reasoning and often untenable argument based on assumption atop assumption atop an invalid perception.
Our human perception of the physical world is axiomatic on location, distance, forces and energy/matter as limiting action (work). As I've indicated before information has no energy or matter component and thus forces, distance and location do not have meaning thus constraint to information. The only time information gets constrained is when it is impressed onto a physical entity for either communication or storage.
Thus care must be taken to view the information on a case by case basis by the medium it is impressed onto. As many will appreciate, a photon traveling down an optical fiber conveying information at a sizable fraction of the speed of light is not directly perceivable by a human being, unlike the ink upon the paper of a poster or flyer. Nor for that matter is it that much more comparable to the compressive wave movement in air that results from the spoken word. Each medium has its own attributes and a listing of the differences of attributes would be considerably more extensive than the commonalities, thus to try to transfer attributes from one medium to another will fail in many if not most cases. Therefore you likewise cannot expect legislation which is based on the attributes to transfer unless they have reliably comparable attributes as their sole axioms.
Engaging in a DDoS means you are spending other people's resources (network, IT staff, computer uptime, etc.) on the target site, on all the bot machines you've taken over, and in any network bottlenecks in between. Very different than the XKCD comic about defacing a website.
If the total damage of the DDoS is very small, then the crime is arguably small, possibly just a misdemeanor. If all a prosecutor is likely to get is conviction on a misdemeanor charge, it probably won't be worth making an arrest, let alone bringing it to court.
The point is that the law should be written so punishment scales according to things like the amount of harm done (and 10000 small injuries can be construed to be 1 big one), how intentional the harm was, and whether it's a repeat offender and likely to commit the crime again.
The law as written, and as enforced by the courts and police, should NOT make something illegal in general and then turn around and make the act legal if it's done as part of 'political activism', or if done to someone who is sufficiently unpopular.
Opportunity cost. Most network resources are otherwise unutilized.
And no, the act is not a misdemeanor because a computer was used. When you have cases like what happened with Aaron Swartz for something that caused less damage than DDOS where no one wanted to prosecute except for Carmen Ortiz's office.
And I agree on the last two points, although the matter of attribution is still a tricky one to solve before you can even get into things like intent.
Isn't a consequence of a civil disobedience the possibility of being judged? If not, what's the point?
I'm getting tired of the fallacy that DDOS is not "real activism" because the activists don't risk anything. Besides this statement being factually wrong (there are people being prosecuted for this), it completely misses the point. A cause does not become more justified because it has martyrs. It has to stand for itself, no matter how much sacrifice people make for it. There's nothing inherently noble about sacrifice; it just means that your tactics suck.
For the same reason, it doesn't matter whether people show their face, or whether the people protesting are loud youths, old grandmas or top managers in their 40s.
@ Bruce Schneier
Many of these points were made in a TV episode in 2002. Secret, Strange and True Season 1, Episode 6 "Hackers: Knowledge is Power." It was about hackers in general, but the last segment was the relevant part.
They interviewed political activists in Mexico. They had teamed up with a hacker to make a Java applet that DDOS'd a site via refreshes. The "hacktivist" leader called it a "form of electronic civil disobedience" where they could do a "sit in" and "the weight of a community could be felt." It was inherently democratic, he said, because it was only effective when large numbers of people were participating. (They cited a failed attempt by a guy to get geeks to DDOS Starbucks, noting that "coffee was the hacker drink of choice." haha)
He supported his view with the eToys vs eToy case. eToy was a netart group, eToys a big company. According to the show, eToys saw great value in the eToy domain (people leaving off the 's' accidentally) and used the legal system to force them out of the domain.
Hacktivists, including the Mexican guy & his hacker friend, staged an "electronic sitin" using the technology. They warned eToys they'd bring their stock to zero during an important business period. They went through with their plan, causing eToys plenty of damage. eToys relented, gave eToy back their domain name, and "promised not to bother another netart group again."
A fine case study in electronic civil disobedience, using all the same jargon, long before Sauter's paper was written. Although, good to see someone continuing research in this area.
"For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. " (Bruce)
I've just described it. You can watch the episode I mentioned if you want to see it and a few other aspects in action visually. Had some nice interviews with people, too. Probably cheap on eBay by now.
I think the premise here is mistaken. Depending on the action and just how civilly disobedient it is, prosecutors are perfectly willing to label protestors as dangerous criminals (see e.g. http://www.huffingtonpost.com/2013/05/20/... where the protestors face decades in prison for cutting through fences at Oak Ridge and spraypainting a building).
A friend who spent years as an activist in the 80s and 90s used to talk about the days of negotiations that went on with police and prosecutors before major protests, detailing exactly what acts people would be arrested for, where they would be arrested and so forth. That kind of negotiation apparently no longer takes place either in the physical world or in cyberspace.
To paraphrase: if I agree the activists are protesters; if I disagree they are criminals. The half a dozen who escape that summary are obvious.
"A friend who spent years as an activist in the 80s and 90s used to talk about the days [...]". The activists of the 80s and 90s, and 60s and 70s, made a few disastrous mistakes: they sometimes succeeded. Whereupon whatever they did was criminalized, and wherever they did it was fenced off. DDOS is rarely a successful tactic, but it is one of the few protests possible.
Wikileaks is a successful tactic. Look at the response.
Activist activity can be distilled down into 2 parties:
Parties of government regimes:
Parties of non-government actors: individuals and ideological or corporate action
The parties of government regimes seek to defend themselves from dissidents. Challenges to government actions and policy are good for democratic societies, though are contrary to the interests of those who hold or have harnessed government power, especially in areas where companies have achieved regulatory capture.
Non-government actors may be motivated by any number of factors, good or bad. However the friction created by these parties serves a necessary role. They keep the honest in line, and can expose wrongdoing. Companies that use these capabilities for evil such as corporate espionage or sabotage, or to conduct predatory pump and dump or stock manipulation.
Activists provide a critical and necessary role to the development of society. In addition to providing societal guidance, they also provide a safety valve to reduce violent outcomes. Stomping on activists at the protest stage simply increases the stakes. As President Kennedy said:
Those who make peaceful revolution impossible will make violent revolution inevitable.
Let me first say with some hesitation, a DDoS attack goes beyond civil disobedience. With everyone depending upon the internet today, including hospitals, government, consumers, and business, taking out innocent bystanders along the way puts people's lives in danger by taking out the core infrastructure we all depend upon.
Case in point: I was an innocent bystander of a DDoS attack on someone else who used the same internet carrier a couple of years ago. Apparently >200Mbps of DDoS attacks streaming in on that carrier's local node. I do have multiple carriers at my office, but because the link didn't "fail", I had to manually force the re-routing to another carrier. Fortunately our VoIP PBX noticed the dropped packets and was able to re-route to another carrier, BUT I don't know of too many businesses which go to the extreme & expense of having multiple carriers. FWIW, some of the local hospitals here were taken out when CenturyLink's network had a nationwide failure a few weeks back. They had NO other carriers at their facilities. A couple of aging T1s + 2-way radios is all they had. No ability to receive test results from labs, no way to order supplies, etc.
For a more classical definition of civil disobedience, I'd say sit-ins at universities, or even the original Boston Tea Party (even though private goods were destroyed) were more appropriate. They only affected the targeted parties and didn't disrupt the entire operations of a town/city or put people's lives in danger.
Opportunity cost. Most network resources are otherwise unutilized.
Most network resources, most of the time, are not operating at full capacity, since they are overdesigned to support uncommon traffic peaks. A DDoS attack produces sufficient traffic that it can exceed spec and interfere with intermediate nodes. Simply bringing traffic close to this mark can engage emergency procedures and force additional expenses on the part of businesses that do nothing except provide infrastructure.
Note that I'm talking about 'distributed denial of service' attacks, not the more general category 'denial of service'.
And no, the act is not a misdemeanor...
I was trying to describe a well-designed legal framework, not the existing one (my choice of language was poor). Current copyright law is an obvious case of a poorly designed legal framework, in that it both overestimates the harm done by copyright violations, and improperly extends the definition of the crime. Extensive expert analysis of this is present on the "Freedom to Tinker" blog.
Computer/network-related crimes have had the same problem, with arguably minor infractions being treated as serious crimes, and with artificially inflated assessments of the cost or harm done. In contrast, people engaged in such practices have minimized or dismissed altogether the cost or harm done. The most reasonable answer is arguably in between.
I was addressing Bruce Schneier's statement that
One of the problems with the legal system is that it doesn't make any differentiation between civil disobedience and "normal" criminal activity on the Internet, though it does in the real world.
My argument is that this is a problem, in the sense that neither the written law nor the courts or police should make this distinction (you don't get a free pass because you imagined you were doing the right thing when identifiable harm is done), though the distinction could reasonably influence the choices of public and private leadership or decision-making bodies.
I agree with James. DDoS attacks cause collateral damage and should be classified as crime.
They should adapt the legal system asap.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.