Law in the Internet Society

The Right to Hack

-- By NelsonHua - 23 Oct 2014

The First Amendment protects our rights of speech and expression as private citizens of the United States from abridgement by the government. Non-violent protest, especially dear to the national ethos, has been an effective vehicle for social and political change. As our social patterns become increasingly interconnected by technology, it is critically important to recognize and protect valid forms of such expression in this medium. Distributed denial-of-service (DDoS? ) “attacks,” demonized by the media and effectively criminalized by statute, by their nature deserve such protection if a “free, public internet” is anything more than just empty rhetoric.

Servers under “Attack”: What is a DDoS? “Attack?”

A general denial-of-service operation is an attempt to interrupt or suspend the services of a web host, typically through inundating the server with external data requests. Such methods are nothing new, first appearing in 1989 in the form of ping floods.

A DDoS? “attack,” is a DoS? method employing multiple systems in order to flood a server with requests for data. Typically, computers are co-opted into a “botnet,” either through malware or voluntarily, and an operating server instructs the machines to act so as to “attack” a particular server.

Although personal computers may be forcibly conscripted into a botnet through malware, voluntary participation has emerged as a form of cyber-protest. Notable examples include the “hacker collective” Anonymous’s efforts against the Church of Scientology in 2008, their efforts in September 2010 against the RIAA and the MPAA, their efforts in November 2010 against firms such as PayPal? for cutting off service to WikiLeaks? , and their most recent endeavor in 2014, a smaller operation against the city of Ferguson in protest of the events surrounding the Michael Brown shooting.

Non-Violent Protest or Acts of Cyberterrorism?

The U.S. government treats DDoS? “attacks” as no trivial matter. Although most of them eventually agreed to plea bargains, fourteen suspects were arrested in July 2011 over their November 2010 actions against PayPal? . In October 2013, thirteen offenders were indicted in the Eastern District of Virginia in connection with the MPAA and RIAA matter. In both cases, the government alleged either “Intentionally Causing Damage to a Protected Computer” or conspiracy to do so under Section 1030 of the Computer Fraud and Abuse Act, which was passed in 1986. Such offenses amount to a felony and are punishable by a maximum sentence of ten or five years, respectively, and up to a $250,000 fine. The “PayPal 14” prosecution has had a chilling effect on protests of such scale.

DDoS? “attacks” typically face a similar media treatment. Fueled by fear, hacktivists are demonized and depicted as anything from petty vandals to “cyberterrorists” attacking legitimate, established American businesses. Such branding is pervasive to even the most basic terming of DDoS? operations as “attacks.” The actions of a hacktivist “collective” like Anonymous, which is hardly an organized entity at all, are associated with actual instances of efforts to compromise the security of private machines and scandals such as leaking nude celebrity and Snapchat photos, as if the works of a few bad actors on an open, anonymous bulletin board system could discredit possible acts of legitimate protest.

What’s the Difference?

First “hacking” in the sense of “hacktivism” must be distinguished from other, illegitimate cyber-crimes. Richard Stallman, founder of the Free Software Foundation, suggests a distinction between “cracking” and “hacking.” The former involves “breaking computer security,” whereas the latter is essentially the equivalent of protesting in the street in front of a place of business. DDoS? , at least when absent an accompanying crime like extortion, cleanly fits into the latter category. Operators send requests, through a botnet, to a server that is designed precisely to receive requests and handle traffic.

Although the matter has not been meaningfully litigated, DDoS? “attacks” should not be held to violate Section 1030 of the Computer Fraud and Abuse Act. In 2006, a German Court held that such operations lacked the requisite force to constitute coercion. Likewise, DDoS? “attacks” in this sense do not cause actual damage to web servers. Servers may lack the adequate hardware to answer the slew of information requests and slow down or even temporarily shut down, but no permanent damage is done. In its most basic sense, a DDoS? “attack” is no different than times of high traffic.

Even if held to violate Section 1030, DDoS? should nonetheless be protected as a public demonstration under the First Amendment. DDoS? allows for the sort of public demonstration that has no other digital analogue. As more and more of the corporations that influence our politics through lobbying diminish their physical presence in favor of their digital presence, what other answers do we have? Pundits emphasize the harmful economic effects that DDoS? has on business, but that’s precisely the point–so does an effective picket line.

A “Free, Public Internet”

At the heart of the discussion of DDoS? is a more pervasive issue: that of a truly “free, public internet.” Our understanding of what a DDoS? “attack” really is depends on whether the “Internet” is a collection of privately-owned web servers that we have the privilege to “visit,” or a greater social experience that is conceptually open to everyone. This marks the difference between a DDoS? “attack” as trespass and a real “attack” on property, and as a demonstrative in a public space.

Activist Molly Sauter characterizes the “Internet” as a “melded commercial/military space” where users face surveillance from government and corporation alike, a far-cry from a “discursive democracy.” Although Sauter suggests that it may be too late and “that the online space is being or has already been abdicated to a capitalist-commercial governance structure,” there are still fights to be fought in the social and legal arenas, like that over DDoS? , and it would not be right to sleep on our right to hack.

I'll discuss this issue in more detail in the spring offering. For now I would say that I think your analysis of hacktivism is basically sound. (You would benefit from tracking down the work of Roberto Dominguez, who took your positions as a matter of social practice with the Pentagon and others at the beginning of the century.)

The essay would be stronger, in my view, if it went beyond the usual criticism of the CFAA, which everyone can see is a completely defective statute, to consider the more serious issues with your basic argument. Picketing and demonstrating are regulated activities everywhere. The contours of the First Amendment in relation to the general police power of government in this area are complex, and there's lots of law (about parades, street blockages, permits, injunctions, labor picketing, general facilities like shopping centers as opposed to business premises of the employer, etc.) to consider in many directions. Suggesting that the constitutional condition is straightforward because CFAA is a bad law is grossly oversimplifying.

Nor can this be a matter of metaphors. It can't be resolved by saying that a traffic-snarl deliberately created at a business's or government's website is "like" a demonstration, requiring something "like" a parade permit. Time, place and manner restrictions are about the specifics of times, places, and manners. If a DDoS attack is "like" the use of many bullhorns on the street at 3am, what's the point of claiming First Amendment privilege to undertake it?

So in my view, the route to the improvement of the draft is to shorten the exposition (which it can well stand), minimizing the CFAA, and addressing directly the central issues as they relate to the broad patterns of existing constitutional law.


Webs Webs

r2 - 04 Jan 2015 - 17:13:27 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM