Law in the Internet Society

The Right to Hack

-- By NelsonHua - 23 Oct 2014

The First Amendment protects our rights of speech and expression as private citizens of the United States from abridgement by the government. Non-violent protest, especially dear to the national ethos, has been an effective vehicle for social and political change. As our social patterns become increasingly interconnected by technology, it is critically important to recognize and protect valid forms of such expression in this medium. Distributed denial-of-service (DDoS? ) “attacks,” deserve such protection as is afforded to other forms of expression if a “free, public internet” is anything more than just empty rhetoric.

Servers under “Attack”: What is a DDoS? “Attack?”

A DDoS? “attack,” is a denial-of-service method employing multiple systems in order to flood a server with requests for data. Typically, computers are co-opted into a “botnet,” either through malware or voluntarily, and an operating server instructs the machines to act so as to “attack” a particular server.

Although personal computers may be forcibly conscripted into a botnet through malware, voluntary participation has emerged as a form of cyber-protest. Notable examples include the “hacker collective” Anonymous’s efforts against the Church of Scientology in 2008, their efforts in September 2010 against the RIAA and the MPAA, their efforts in November 2010 against firms such as PayPal? for cutting off service to WikiLeaks? , and their most recent endeavor in 2014, a smaller operation against the city of Ferguson in protest of the events surrounding the Michael Brown shooting.

Non-Violent Protest or Acts of Cyberterrorism?

The U.S. government treats DDoS? “attacks” as no trivial matter. Although most of them eventually agreed to plea bargains, fourteen suspects were arrested in July 2011 over their November 2010 actions against PayPal? . In October 2013, thirteen offenders were indicted in the Eastern District of Virginia in connection with the MPAA and RIAA matter. Under Section 1030 of the Computer Fraud and Abuse Act, such offenses amount to a felony and are punishable by a maximum sentence of ten or five years, respectively, and up to a $250,000 fine. The “PayPal 14” prosecution has had a chilling effect on protests of such scale.

What’s the Difference?

First “hacking” in the sense of “hacktivism” must be distinguished from other, illegitimate cyber-crimes. Richard Stallman, founder of the Free Software Foundation, suggests a distinction between “cracking” and “hacking.” The former involves “breaking computer security,” whereas the latter is essentially the equivalent of protesting in the street in front of a place of business. DDoS? , at least when absent an accompanying crime like extortion, cleanly fits into the latter category. Operators send requests, through a botnet, to a server that is designed precisely to receive requests and handle traffic.

Although the matter has not been meaningfully litigated, DDoS? “attacks” should not be held to violate Section 1030 of the Computer Fraud and Abuse Act (CFAA). In 2006, a German Court held that such operations lacked the requisite force to constitute coercion. Likewise, DDoS? “attacks” in this sense do not cause the statutorily required damage to web servers. Servers may lack the adequate hardware to answer the slew of information requests and slow down or even temporarily shut down, but no permanent damage is done.

Clearly, the CFAA is a defective statute that is especially ill-suited to addressing hacktivism. Setting the statute aside, DDoS? should be protected as a public demonstration under the First Amendment. DDoS? allows for the sort of public demonstration that has no other digital analogue. As more and more of the corporations that influence our politics through lobbying diminish their physical presence in favor of their digital presence, what other answers do we have? Nonetheless, even without the CFAA, DDoS? may be regulated. However, as with other forms of protected expression, a careful analysis of time, place, and manner is critical in determining the appropriate regulation or lack thereof that should be extended to DDoS? .

Time, Place, and Manner

As an exercise of the Police Power, a "State may .... enforce regulations of the time, place, and manner of expression which are content-neutral, are narrowly tailored to serve a significant government interest, and leave open ample alternative channels of communication."

There is not a significant government interest in heavily regulating the time and manner of DDoS? “attacks”. Although there are times of typically high and low traffic, servers are not sensitive to the timing of an “attack” in the same way that 4:00AM blow-horns in a residential would be disruptive. Also, as previously noted, the manner of a voluntary DDoS? attack is not problematic - in its most basic sense, a DDoS? “attack” is no different than times of high traffic. It might be argued that the intent and effect of DDoS? is to disrupt and that it is typically in the Police Power to regulate activities that more directly disrupt private businesses. That being said, the absence of any, let alone ample, "alternative channels of communication" to DDoS? in an increasingly digitized reality implies only very thin regulation. Perhaps, similarly to the practice of parade permitting, parties may be required to submit notice of when a denial is to occur, giving businesses a chance to prepare accordingly.

At the heart of the discussion of DDoS? is a more pervasive issue: that of place and a truly “free, public internet.” Our understanding of what a DDoS? “attack” really is depends on whether the “Internet” is a collection of privately-owned web servers that we have the privilege to “visit,” or a greater social experience that is conceptually open to everyone. This marks the difference between a DDoS? “attack” as trespass and a real “attack” on property, and as a demonstration in a public space.

Activist Molly Sauter characterizes the “Internet” as a “melded commercial/military space” where users face surveillance from government and corporation alike, a far-cry from a “discursive democracy.” Although Sauter suggests that it may be too late and “that the online space is being or has already been abdicated to a capitalist-commercial governance structure,” there are still fights to be fought in the social and legal arenas, like that over DDoS? , and it would not be imprudent to sleep on our right to hack.


Webs Webs

r4 - 04 Nov 2015 - 18:06:10 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM