Online Activism and the Computer Fraud and Abuse Act

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.

Also note Sauter's new book, The Coming Swarm.

Posted on October 10, 2014 at 12:31 PM • 32 Comments

Comments

Winter • October 10, 2014 12:48 PM

What is the difference with the good old times when the police were used to break strikes. And the anti-globalization protests, and the occupy movement?

You might have a right to free speech. But not you have no right to make yourself heard.

Grauhut • October 10, 2014 12:56 PM

Big.gov and big.data say the internet is their toy.

Is there someone strong enough to say No! without asking big.gov's servant justice for help? A real grassroots movement? The hacktivist scene is too small and even the NSA story meant nothing to most of the people out there. If they see a cam in the streets they think of a recorder, not of face recognition. The digital revolution has left behind 90% of the people. Our "elites" win. It will imho take some generations for a chance to get rid of this.

Larry Seltzer • October 10, 2014 1:12 PM

Since when did DDOS attacks become a legitimate form of protest? Of course they're illegal. If someone doesn't like what Bruce Schneier says should it be a legitimate form of protest to crash his web site?

Matt Postiff • October 10, 2014 1:51 PM

Coming from a Christian perspective here...it seems that what Sauter is calling for is a way to do no-consequence activism. But why should people have a legal right to do damage to someone else's property (bandwidth, servers) and not have to pay for it? Should it be legal to block access to a business, trespass on its property, shut down its loading docks, and the like? It sounds like stealing to me. Furthermore, aren't there other effective means of activism? I believe there is plenty of legal avenue for activism and protest on the Internet and elsewhere. For instance, use your freedom of speech and persuasive powers to convince people to boycott a company for what you believe to be questionable activity and use the 'net to do that; or, sue the company in court if its activities call for such; or use the 'net to help elect representatives that share your ideas so they can put appropriate legislation in place. Sauter's complaint really is that there is no legal avenue for harmful or damaging or disruptive activism and protest. I suspect many of the hoi polloi disagree with her.

Larry Seltzer • October 10, 2014 1:57 PM

Sauter's argument would work perfectly for anti-abortion activists blocking access to a clinic.

Nick P • October 10, 2014 2:12 PM

@ Bruce

He's wrong. There are legal venues. They're just not the same as the old ones. The main venue of activism on the Internet is publishing one's claims in such a way as they go viral. This happens especially on Facebook, Twitter, blogs, etc. A key difference is that one can't just rush in and stop the business activity like a sit-in. (original concept for hacktivists DDOS) One has to be into the various social and information networks on the Internet. They need followers. Then, the followers do the work for them after they merely post their opinion piece.

That's the current model. It's done really good things, really bad things, and often nothing but waste resources. Hey, that's a lot like real world protests! My biggest concern is it's more subject to tyranny by the majority than ever. The Web's denizens have destroyed many innocent people for fun or over false claims. It's become in some ways more effective than mainstream media for smear campaigns. Something we should work to fix. And asking them to stop (common solution) won't work.

Erich Schmidt • October 10, 2014 2:14 PM

Perhaps this has been discussed here before, hopefully by those of you smarter than me.
Some of you certainly remember the once common occurrence of a site being "slashdotted." (I think a recent comment even mentioned it). A site would be essentially rendered non-responsive because everyone on slashdot was visiting the same link at nearly the same time. Would/should that make users visiting that site criminally liable in the same way as is being discussed here? If not, why not? Is it the tools? The intent? Is the poster of the link responsible?

Chris Upchurch • October 10, 2014 2:35 PM

"basically, there is no legal avenue for activism and protest on the Internet."

Complete BS. Remember the protests against SOPA where hundreds of websites blacked out their home pages for a day? Completely legal (and in that case, highly effective).

Saying that there is no legal avenue for protest on the internet because DDOS attacks are illegal is like saying there is no legal avenue for protest IRL because it's illegal to smash the windows of business you don't like.

Fred P • October 10, 2014 2:47 PM

My reading of the article is more that the punishments are wildly disproportionate to the crimes than that, say, a DDOS attack should be condoned. Supporting text from the article:
"Potential sentences for DDoS actions in the United States are high compared to other crimes and especially compared to other types of traditionally recognized activist activities...
In Rosol’s case, the $183,000 figure came not from the actual financial losses the company reported to the court, which amounted to less than $5,000...
the liability structure created by the CFAA, coupled with joint and several liability, creates a system by which the targets of protest and dissent can impose direct costs for that dissent on activists, creating a massive chilling effect on digital activism as a whole."

AlanS • October 10, 2014 2:57 PM

Molly Sauter: "...the result has been a collision of corporate and state efforts to lockdown nontraditional uses of technology and to heavily discourage vocal and visible displays of disruption and dissent."

Yes, but this is the way the system works. Laissez-faire capitalism and legal despotism are the two sides of a coin. We are free to be part of the economic game. Try disrupting it or too poor to play, and you get whacked.

Quesnay: The Despotism of Natural Law

"It is a common misconception, though one that abounds in American politics, that laissez-faire capitalism supposes less law and less regulation. In fact, it supposes a legal regime that advances the interests of the entrepreneurial class, which at length is what evolved in America."

Also see The Illusion of Free Markets: Six Questions for Bernard Harcourt

"....I demonstrate instead how neoliberal ideas were born — and remain today — joined at the hip with the Big Brother state. The idea that the government is incompetent except when it comes to policing has facilitated the slide to mass incarceration. That mindset makes it difficult to pass economic regulation, but easy to multiply criminal offenses and increase the severity of punishment. Or, as Posner has written, to send only the poor to prison (the wealthy can be fined) and provide only “a bare-bones system” of indigent defense (anything more would be inefficient)."

Also see Harcourt's book, The Illusion of Free Markets. And in this interview he discusses America's 'Gulag archipelago':

"Although it’s hard to get an accurate count of the prison population in the Gulag at its height under Stalin, the more reliable sources place it between two and five million people by 1953. As Adam Gopnik recently suggested in the New Yorker, there are far more people under correctional supervision in this country today—over seven million people in prison or jail, or actively on probation or parole."

His essay on Digital Security in the Expository Society: Spectacle, Surveillance, and Exhibition in the Neoliberal Age of Big Data is also an enlightening read for anyone interested in 21st Century capitalism and modern surveillance.

older than him • October 10, 2014 3:00 PM

A DDOS can be just like ye olde "sit-in" of venerable pedigree. Sit-ins (and the NVA and Viet Cong) stopped the war in Nam. So yes, DDOS is kewl, like the VC!

Melander • October 10, 2014 3:07 PM

@AlanS

"Although it’s hard to get an accurate count of the prison population in the Gulag at its height under Stalin, the more reliable sources place it between two and five million people by 1953. As Adam Gopnik recently suggested in the New Yorker, there are far more people under correctional supervision in this country today—over seven million people in prison or jail, or actively on probation or parole."


I do not want to belittle the incarceration rate in Amerika today, but I would still think that far more prisoners were KILLED under Stalin than what happens in US?

On another hand I have to admit that when I first saw the book name "The Coming Swarm" in Bruce's post, I thought that it was about a drone swarm (released by US government against its own population).

older than her too • October 10, 2014 3:10 PM

What Fred P said. In olden times, if you were a hippy of good middle-class stock, a sit-in would probably result in a night in the cells and a good telling off from a judge who golfed with your pop. Nowadays the terrorism and high-tech laws mean your DDOS = years of jail time and so-called "compensation" claims that would bankrupt a great many countries! 9/11 + War Games (the movie) = omg those kids can launch atomic apocalypse by hacking my paypal or something! Too many people don't understand the technology (even though they use the technology every day!) and the press is only too happy to stoke the flames. You need to be careful Bruce, questioning the consensus can be seen as witchcraft/heresy, which can make one hot under the collar!

altjira • October 10, 2014 3:11 PM

This article appears to be specifically about confrontational activism. So what if it's illegal? It always has been in the real world. PETA raiding laboratories to free animals or people chaining themselves to trees are breaking the law. Nonviolent civil disobedience does, too, and so do people who DDOS. This goes at least as far back as union organizing and strikes in the early industrial age, but probably a sometime effective tool throughout history. Confrontational activists are betting that history will sympathize. Let them win historical favor and face the consequences now, if they're so sure.

TimL • October 10, 2014 3:35 PM

@AlanS "Laissez-faire capitalism and legal despotism are the two sides of a coin."

There are several things wrong with that sentence.

"Legal despotism" as such is contradiction in terms.

Either there is the rule of law, in which case there is no despotism, or there is the arbitrary rule of a despot, and then there is no rule of law.

It may be in particular circumstances that a despot takes power in a system which still appears to have a functioning legal system, but that doesn't make despotism legal.

The other error you make is a simple matter of fact. It is not true that the US has laissez-faire capitalism.

Since 1913 the Federal Reserve has manipulated interest rates and the money supply to control the economy. That's fascism. The New Deal extended and made fascism more visible.

If you read history, you can learn how FDR revalued gold to transfer 40% of borrowed wealth from lenders to debtors. And the Social Security system was formed to feed the lives of some people into the mouths of others.

Hardly capitalism.

AlanS • October 10, 2014 3:58 PM

@Melander

I should have qualified that comparison. Harcourt does if you read him. The point of the comparison is to underline the scale of current US incarceration. In nearly all other respects it is different.

The more important general point is that laissez-faire economics is closely tied to ideas of police, security and law. Many key economic thinkers also wrote about law and order and the need for a strong state.

Clive Robinson • October 10, 2014 3:58 PM

There are a number of reasons why the clamp down on Direct Action on the Internet is dealt with so harshly.

Firstly poorly drafted and too wide of scope legislation, that turns what in the real world would be a civil case of trespass into a criminal case of virtually unbound liability for which a defense is realistically not possible.

Secondly the politicos are genuinely frightened by the Internet for a whole host of reasons, mainly to do with a loss of status. It is also the reason for "sound bite politics", there is always going to be someone out there who remembers when a politico had a different view point or one that is no longer PC etc and will dig it up, and with the power of the Internet widely disseminate it in a way that newspapers and other traditional news outlets the politicos had a degree of control on, have to pick up the story, they might in times past have dropped with a "friendly phone call to the editor" from a senior political figure.

Thirdly big business like politicos don't like out of the woodwork surprises, especially when they have paid lobbyists very large sums to get things such as political votes and thus legislation the way they want them.

There are other reasons but it all basically boils down to "burn the witch" where their justice has to be seen to be done rather than actually done, such that others get the message. You only have to look at the Aaron case to see that as far as Obama and co were concerned his death was great publicity. With idiots like those calling the shots is it any wonder that those that whistle blow find it safer to be in what is in effect enemy territory.

In the UK we have something called RIPA and in the news currently is how the various UK Police forces are using it against journalists' phone and other records to find their sources, and then go after the sources. Various figures have been issued but it appears that just in the past year over half a million requests for what are in effect non crime related requests like those against the journalists have been made from UK Police forces. To put that in perspective against the UK population that's as much as one person in one hundred and fifty having their records pulled...

Melander • October 10, 2014 4:20 PM

@AlanS

"The more important general point is that laissez-faire economics is closely tied to ideas of police, security and law. Many key economic thinkers also wrote about law and order and the need for a strong state."

This mentality has been very much present in American society for some time (probably at least since Reagan).

Daniel • October 10, 2014 4:48 PM

@Larry S.

100% agree. There may be a core way in which her point is valid but a DDoS is NOT a good example of that. The same DDoS that can be used to protest can be used to shut down legitimate sites. The bits have no color. If I jam someone's wifi it's jammed regardless of whether it is spewing hate or love.

SmokingHot • October 10, 2014 5:13 PM

DDoS attacks can cause severe damage and definitely do have a collateral damage effect.

Not to mention many of the causes it has been used for have been frivolous.

DDoS attacks are used as an extortion attack against businesses. Not exactly something that is legitimate. Nations performing these attacks are easily and rightly condemned as well, just as when they are hacked. When they do this on other nations, including to individuals in other nations, they are setting a precedent. It is a type of act of war, though usually simply one that requires 'response in kind'.

If you don't like someone's politics hack them, or DDoS them? What about if you don't like their religion or lack thereof?

Is it noble to take away choice, isn't that reducing liberty? That is what totalitarianists, tyrants do. It is not what people should do while claiming to be for rights, for choice, for liberty.

Anura • October 10, 2014 5:53 PM

I think the main parallel that people want to draw is that DDOS is the equivalent of standing in front of a business, picketing. The reality is that is nowhere near the case. If you have large numbers of activists routinely refreshing their pages, maybe, but in the most part the participants are not volunteers, they are compromised machines. It doesn't take the support of dozens or hundreds of people, it only takes one person.

Jacob • October 10, 2014 7:29 PM

My most troubling take from the article is this:

"A state of active cyberwarfare existing anywhere on the network could substantially increase levels of surveillance, while expansive definitions of what counts as “weaponized code” or “cyberweapons” could result in the widespread classification of civilians as “cyberterrorists” or enemy combatants."

Wesley Parish • October 10, 2014 7:56 PM

“Special skills” and “sophisticated means” sentencing enhancements exacerbate the lack of technical knowledge among members of the judiciary and can easily result in substantially more severe sentences for defendants.

Or in other words, We are passing judgement on you not for the things you have done, but for the things that we are too stupid to understand.

It looks increasingly as though the United States wishes to join pre-Glasnost and pre-Perestroika Soviet Union in holding fast to the right of the freedom of speech, but not freedom after speech.

Stephen H • October 10, 2014 9:45 PM

Sure DDOS is a legitimate form of political protest, with a few caveats.

1. If you perform a DDOS without naming yourself, you're just a common criminal who is not prepared to stand by your beliefs. Any DDOS that attempts to hide the origin of the attack is politically illegitimate, as the attacker is not prepared to stand behind their beliefs and actions. Physical protesters are sending a message, and are risking jail because of their actions. That is part of the deal.

2. (This makes the DDOS pretty much impractical). You must not have a negative impact on the innocent bystander. If you want to conduct a DDOS, do it with your own resources, don't make a mess of someone else's network/servers just because you have a point to make against a specific target.

Once you comply with these basic principles, then yes DDOS is a reasonable method of protest. Just remember that it goes both ways - you may find yourself knocked off the web.

AlanS • October 10, 2014 10:09 PM

@TimL

"Legal despotism" as such is contradiction in terms."

That may be so but it's not my term. Like laissez-faire, it originates with a group of French 18th C. economists known as the Physiocrats. The doctrine of "legal despotism" comes from François Quesnay.

As far as contradiction goes, yes of course liberal economic and legal theory is full of contradictions. That's the point. The biggest contradiction of all, one that runs through all liberal economic theory from the 18th C. to the present is the belief that government is incompetent in the realm of economics but very competent in the realm of discipline and security.

There's a line runs from Quesnay through Bentham (of Panopticon fame) to Hayek, Posner, and the Chicago School. They all believe in the importance of a strong state coupled to 'free' markets.

"The other error you make is a simple matter of fact. It is not true that the US has laissez-faire capitalism. Since 1913 the Federal Reserve has manipulated interest rates and the money supply to control the economy."

There is a difference between ideology and practice. If you read Harcourt's book one of his main points is that the idea of unregulated markets and the notions of market equilibrium, market efficiency, etc. are ridiculous. Markets have always been regulated and always will be. And a lot of what happens when there is de-regulation is actually re-regulation that favors some over others but this is hidden behind the notion of markets being natural phenomenon. That's also where the theory of punishment comes from. The object of discipline and punishment are those that violate, by-pass or threaten the 'natural law' of the market.

Also, the Federal Reserve is only a quasi-governmental organization. It's really controlled by the big banks and was set up that way. It's the perfect type of regulation, self-regulation! There are appointees but in practice they are drawn from insiders. For a discussion on the Fed and how it operates see Mirowski's analysis in Never Let a Serious Crisis go to Waste.

And to bring it back to the original post, all this is important to understand. Without the history and connections that tie economics, politics, the state and surveillance together you have no idea what you are resisting or how to resist, or any conception of an alternative structures of power, or even if there are better alternatives. The system is very flexible and adaptable. Liberal thinking, with all its contradictions and inequalities, survives because its categories and practices dominate our thinking. It is hard to think in different categories and escape its practices. DDoS may be protest about something but it isn't resistance to anything.

Skeptical • October 10, 2014 10:34 PM


Larry Seltzer devastates the essay with his two examples.

Bottom line:

DDoS attacks are about shutting someone else up or shutting someone else down. That's not freedom of speech - it's little more than a heckler's veto dressed up as "cyber activism."

And those who wish to legitimize it ought consider well the consequences of succeeding in doing so, for their weapon of choice would soon be turned against them.

Believer • October 10, 2014 11:12 PM

There are three separate issues. Is there a legal avenue for protest on internet? In USA the answer is yes, of course, anybody can start a website to share their point of view.

Believer • October 10, 2014 11:27 PM

...and if you are an operator of one of these websites. Wouldn't you welcome virtual sit-ins? I'm talking about a large group of people visiting your website, and some of whom might actually read what you have to say, not of the computer program DDOS variety.

SmokingHot • October 11, 2014 10:36 AM

@Jacob

"A state of active cyberwarfare existing anywhere on the network could substantially increase levels of surveillance, while expansive definitions of what counts as “weaponized code” or “cyberweapons” could result in the widespread classification of civilians as “cyberterrorists” or enemy combatants."


This is the most concerning part, and it is true, that while annoying and potentially very troublesome DDoS attacks are not "terrorism". This is not, at all, new language, however from the US Government which has a strong trait of speaking as if they are instinctual animals without reasoning and speaking to instinctual animals without reasoning.

I would like to say this behavior is new, but it has been ongoing through the entire Cold War.

It is difficult to search within myself and actually see where I find any act of cyber sabotage or surveillance "terrorism", but it definitely is far closer to totalitarian, illegal surveillance for malicious purposes than some foolhardy, arrogant protester.

But, you are talking about a country, as with many, where there is a religion of cold blooded behavior under the guise of "righteousness".

Being strong and anti-criminal is equated with being sociopathic, being as hard hearted as criminals, and moreso.

This level of approach has some tactical merit, but on the strategic view, the long term, wider picture it merely turns the policing units into criminal units.


tz • October 12, 2014 4:08 AM

Two meatspace examples. Environmentalists are charged with terrorism for freeing lab or commercial animals (It was on Democracy Now a month ago).

Also, try DoSing an abortion clinic. Joan Andrews got 6 years for unplugging a suction machine. Certain issues are also treated like the CFAA. Think of it as FACE (freedom of access to clinic entrances) for cyberspace. Few are calling for the repeal of FACE, which makes even intimidation illegal - Even on the web - see the nuremburg.org case where a website was fined 100 million for drawing an X on a picture of a dead abortionist. This happened years ago, but the same people talking about censorship lauded the decision.

Or try a campus where there are hate speech codes.

There are more examples.

qb • October 13, 2014 6:15 AM

DDOS effect is not limited to its immediate target.

DDOS is also disruptive to the online entities that share the infrastructure with the target (e.g. other sites hosted in the same datacenter) and to the owner of that infrastructure.

Depending on the DDOS magnitude, it can negatively affect the performance of the entire Internet by displacing traffic from the affected IX.

It has negative consequences for the owners of zombie PCs that participate in DDOS.

"Businesses" that rent out zombies for money create additional demand for such zombies and thus indirectly increase the "viral danger" of the online environment.

Also, DDOS does not convey any information to the uninformed visitors of the targeted site. All they see is "damn they have technical problems, again". There is no way to convey the arguments for why the attacking side deems the attack necessary.

So how come DDOS is even for a moment considered to be a form of protest?

It's more like dumping a dirty bomb in the downtown of a city as a form of protest against one of the businesses located there. Sure, it disrupts that business. It also disrupts all other businesses there and causes the whole city to be evacuated. And unlike a proper protest, the people affected don't even know why someone thought dropping that bomb was the right thing to do, at least not until much later.

Jeffer • October 15, 2014 6:10 PM

If you perform a DDOS without naming yourself, you're just a common criminal who is not prepared to stand by your beliefs. Any DDOS that attempts to hide the origin of the attack is politically illegitimate, as the attacker is not prepared to stand behind their beliefs and actions. Physical protesters are sending a message, and are risking jail because of their actions. That is part of the deal.

http://www.worldcomputing.it/

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.