Produced for a grad school class on media ethics, law, and policy, I presented this paper at AEJMC 2013 in one of the grad divisions (honestly, the conference is so huge and sprawling, the layout of the very program was confusing). It was the first time I wrote a paper that sounded even vaguely legal, so it was a nice opportunity to test it out.
Access copy of the talk below.
The Right to Bear Cannons: Reevaluating DDoS Actions as Civic Protest
Vyshali Manivannan, Rutgers University School of Communication & Information
Association for Education in Journalism and Mass Communication (AEJMC), Washington, D.C.
August 10, 2013
On July 7, 2011, federal agents arrested 14 members of the political activist group Anonymous for participating in Distributed Denial-of-Service (DDoS) actions against the online payment service provider PayPal in December 2010.1 The actions were characterized as “attacks” responding to financial companies’ refusal to process donations to WikiLeaks, the nonprofit publisher of anonymously leaked political information. Participants voluntarily downloaded a denial-of-service (DoS) application called the Low Orbit Ion Cannon (LOIC) to link their computers to a larger botnet capable of executing DDoS actions against a shared target.2 LOIC did not disguise users’ Internet Protocol (IP) addresses, so federal authorities were able to identify participants using logs taken from targeted websites.3 The PayPal 14, as they came to be known, were thus apprehended and indicted on one count of conspiracy and 14 counts of intentional damage to a protected computer under 18 U.S.C. § 1030, or the Computer Fraud and Abuse Act (CFAA).
Passed in 1984 to deter computer hacking and to address charges related to protected machines, the CFAA has been amended numerous times over definitional issues, language clarification, and changes in relevant law. As of 2013, the CFAA covers computer-related charges of espionage and conspiracy, trespass, fraud, threat of damage, tortious interference, and information trafficking.4 The CFAA is the primary law applied to DDoS actions unrelated to extortionate threats.5 However, DoS and DDoS actions are not unitary phenomena, raising important questions about the extent to which politically motivated actions should be prosecuted under U.S. law, specifically the CFAA, which falters under as-applied challenges.6
This Article takes an inductive approach to regulating the relatively uncharted waters of electronic civil disobedience (ECD) without compromising the First Amendment rights of political dissidents. DDoS actions are unreservedly designated “cyber terrorism” in the U.S. and are largely considered illegal internationally despite a specific subset’s manifest similarities to constitutionally protected civil disobedience tactics.7 This Article will reconstitute DDoS software and actions as symbolic speech within a civil disobedience framework.8 It will also explore areas where the rule of law has suffered from apparent bias toward networked grassroots movements using DDoS actions to protest State and corporate policies.9 Part I will delineate the ideology behind privileging dissenting expression under the First Amendment. Part II will provide technical, historical, and sociocultural background on DoS and DDoS actions. Then, in Part III, I will discuss U.S. case law regarding DoS and DDoS actions since 1990. Part IV will establish the philosophic burden of proof for symbolic speech, using criteria applied to civil disobedients to evaluate the semiotic disobedience of expressive altlaws.10 Next, Part V will concretize the distinction between legally sanctionable and criminally prosecutable DDoS actions. Finally, this Article will propose a different legal framework for prosecuting DDoS disobedience and the revision of current DDoS strategies to redress the exorbitant punishments of the CFAA without exceeding First Amendment protections. I will also consider how the principles of such a framework might be applied to other online activities that may qualify as civil disobedience.
First Amendment Ideologies
The First Amendment may be evaluated using an absolutist11, categorical12, or balanced13 approach.14 To varying degrees, each approach values individual self-fulfillment, the discovery of truth, and tolerance of ideas while seeking to promote informed political participation, ensure communal stability, and inhibit potential government abuses of power.15 The four leading theories for analyzing these approaches are marketplace theory, self-government theory, checking value theory, and self-fulfillment theory.
Marketplace theory construed censorship as injurious to the discovery of truth.16 In short, it contends that only sound, true ideas will survive in free and open public discourse; unabridged expression is thus essential to the emergence of truth and to cultivating the sensibility to discern truth from error.17 Self-government theory holds that “the First Amendment, as seen in its constitutional setting, forbids Congress to abridge the freedom of a citizen’s speech, press, peaceable assembly, or petition, whenever those activities are utilized for the governing of the nation.”18 According to this view, the First Amendment nearly exclusively protects the freedom of the people’s electoral power. Checking value theory emphasizes the value of free speech in light of checks and balances in preventing abuses of government power.19 Finally, self-fulfillment theory views freedom of speech as intrinsically valuable and more concerned with the process of forming beliefs through communication than with its social effects.20
Each theory contributes to the clarification of civil disobedience as justifiable, and thus to the formulation of dissent theory. Other dominant First Amendment theories arguably fail to comprehensively consider all forms of speech and usually privilege one form over another. Of course, these four theories are not without shortcomings. Marketplace theory is problematic in its formulation of objective truth and its elevation of communal values over individual ones, which may exclusively privilege the perspective of the audience over the individual speaker. Self-government theory is flawed because it narrowly construes protected speech. Checking value theory underscores political expression at the expense of other types of valuable speech.21 Self-fulfillment theory may lead to autonomous individuals collectively sacrificing certain forms of speech to prevent potential antisocial responses from others. These theories are subsumed by dissent theory, which includes all of these visions but privileges unorthodox speech. Thus, dissent theory better captures the essence of the First Amendment—particularly given the American conception of democracy—than the four aforementioned theories.
Motivated by dissent, civil disobedience is a venerable tradition in the U.S., employing productive lawbreaking to protest a specific law or policy.22 Rawls defined it as “a public, nonviolent, conscientious yet political act contrary to law usually done with the aim of bringing about a change in the law or policies of the government.”23 The act is “thought to be contrary to law, at least in the sense that those engaged in it are not simply presenting a test case for constitutional decision; they are prepared to oppose the statute even if it should be upheld.”24 Thirdly, it is aimed at altering political sovereign power and is guided by political principles of justice, the constitution, and social institutions (as opposed to personal morality or religion). In sum, it is “an appeal to a commonly shared conception of justice that underlies the political order.”25 These classic features are traceable to The Crito, wherein Socrates presents the moral dilemma of civil disobedience, and are also preserved in aspects of the four dominant First Amendment theories. For instance, marketplace theory emphasizes fallibility, as “we can never be sure that the opinion we are endeavouring to stifle is a false opinion; and if we were sure, stifling it would be an evil still.”26 Even self-government theory, despite its narrow protections, recognizes the social importance of literature, arts, and philosophy, implying that dissenting expression conveyed through these forms may be justifiable.27
Dissent theory asserts that “the first amendment’s purpose and function in the American polity is not merely to protect negative liberty, but also affirmatively to sponsor the individualism, the rebelliousness, the antiauthoritarianism, the spirit of nonconformity within us all.”28 This dissent-centered conception of the First Amendment necessitates a jurisprudential approach that does not assume the smothering of dissenting speech and that requires focus on the appropriateness of government tactics in doing so.29 While this risks loosening the bonds of society, this is the lesser evil. At its core, the general theory of freedom of expression embodies a concept of society that eschews conformism, tyranny, and stagnation; instead, it embraces reason, skepticism, initiative, and creativity.30 Dissent calls attention to the failures of the State and corporations to achieve their professed ideals and galvanizes democratic dialogue.31 Valuing dissent is intrinsic to American conceptions of democracy, and “any system of government that tells its citizens that they may not dissent ‘in any way’ from the ideology of the ruling party is by that fact alone an undemocratic government.”32
A broad scope of constitutional dissent facilitates the achievement of social objectives and the evolution of the law. The tools of dissent, however, must be defined such that social disturbance does not follow. For instance, dissent must always exclude violence and avoid expressions and actions that pose an immediate, eminent public danger.33 However, these ideologies do not consider the impact of new media practices on the efficacy and legality of dissenting speech. New technical affordances and their large-scale visibilization of dissent underscore the need for a dissent-centered conception of the First Amendment. The high frequency, momentous scale, and spectacular nature characteristic of DDoS actions may accelerate the need for evolution of legal understandings. Accordingly, Part II will dissect heterogeneous DDoS technologies and assert that certain types are valid tools of dissent in the hands of grassroots actors and are deserving of First Amendment protection.
DDoS Actions
Technical Background
DDoS legal actions must be contextualized in terms of the technical capacities of the medium. The Internet is built on an open architecture of distinct network servers that connect using a suite of communications protocols, such as TCP or UDP.34 These protocols use packet-switching technology to allocate transmission resources as needed by formatting data into packets that are independently transmitted through the network. Because these packets are queued and buffered in transit, transmission rates may be susceptible to inconsistent communication latency.35 As such, packet-switching does not guarantee an end-to-end dedicated communications channel with full bandwidth and consistent connection for the session’s duration. However, packet-switching is necessary to optimize resources on widely shared channels where competition for dwindling resources can result in continual disconnection.36
DoS and DDoS actions are intended to disrupt online communication such as Internet browsing, online gaming, or video streaming, by inundating a host server37 with messages that compromise its operation. The number of websites hosted on a single server is contingent on the availability of limited, consumable resources like bandwidth,38 processing abilities, storage capacity, or protocols connecting clients to the network. Since the amount of information a given band can carry is directly proportional to its width regardless of its location in the frequency spectrum, the rate of information transfer is adversely impacted by the number of machines simultaneously consuming the same bandwidth.39
To successfully exacerbate communication latency, DoS and DDoS actions must generate more traffic than a target can withstand. While a DoS action is bounded in impact because it uses a single machine, DDoS actions recruit multiple machines to amplify consumption and thereby transcend the moderate technical provisions of each machine involved. This consumption by DDoS actions may comprise a “vulnerability action”—which targets a machine with a known vulnerability and submits messages substantively tailored to exploit that vulnerability—or a “flooding action”—which submits a vast quantity of messages that consume bandwidth and memory or require lengthy processing time. While vulnerability actions depend on information substance, flooding actions rely on information quantity.40
DDoS actions have become a practicable means of protest for even infrequent computer users given the recent availability of effective automated tools that require low levels of sophistication and imitate legitimate traffic.41 DDoS flooding subsumes automated rapid refreshing, email bombing, and ping floods.42 Flooding tools like LOIC, its descendant High Orbit Ion Cannon (HOIC), Slowloris, and R-U-Dead-Yet (RUDY) constitute DoS when used by a single machine. When used by multiple individuals as a voluntary botnet against a shared group target, the action is amplified into a DDoS tactic. Unlike vulnerability actions, which permit a single operator to significantly impact traffic by immaterially or materially damaging a system, DDoS flooding actions merely slow or stop traffic for the duration of the action. Attendant expenses for flooding targets are likely to include the cost of bandwidth, while vulnerability targets may incur the cost of hardware repair. If carelessly performed, however, a DDoS action may result in servers, networks, and upstream providers’ networks going offline, which would compromise thousands of machines beyond the intended scope.
Social, Cultural, and Historical Background
Situating DDoS tactics within a broader tradition of civil disobedience can shed light on the evolution of recent American case law and jurisprudence, especially since ECD practitioners were never accused of criminal behavior until 2010.43 Like modern ECD, early civil disobedience was conspicuously linked to information and private property. Sovereign power used to be anchored in prominent architectural structures like fortresses or castles and was effectively disrupted by occupations obstructing the flow of personnel and information.44 U.S. civil rights protestors in the 1960s engaged in protracted lawbreaking by occupying segregated lunch counters. As expressive disobedients, they consumed physical space to restrict the flow of capital, visibilize racist policies, and render tangible the perceived injustice of property arrangements.45 However, as sovereign power grew diffusely located and capital more decentralized, these tactics became less adequate.46 Post-computerization, power, and capital could be concretely located in electronic conduits of information. The State restricted and deployed information to surveil and control disenfranchised subjects in cyberspace, where resistance was largely absent.47 Electronic channels became a valuable site of contestation, where civil disobedients could impede the traffic of information capital as a new means of resistance.
Offline and online occupations allow a disenfranchised minority to express dissent with dominant legal understandings, the prerogatives of private ownership, and the disabling effects of exclusion from existing property regimes.48 Along these lines, the link between property lawbreaking and ECD is particularly significant. As the Internet comprises wholly of private property controlled by Internet Service Providers (ISP) and State, corporate, and private owners, the disenfranchised have no recourse but to dissent through occupation and appropriative negotiation.49 Dissenters must become “expressive altlaws,” or individuals operating within unconventional alternative interpretations of established legal norms, simultaneously protesting the perceived injustices of institutions and the online property regime.50 Due to property’s visible identification with an owner, nonviolently targeting it is especially effective as an expression of dissent. By the same token, the importance of property compels property owners to forcefully protect their entitlements.51 This leads to harsh punishments for challenging the existing speech hierarchy, in which State and corporations hold valuable information that is largely inaccessible to citizens.52
However, electronic disruption was not criminally penalized in the United States prior to 2001.53 Instead, it was tacitly accepted as “hacktivism,” a term coined in 1996 by the hacker collective Cult of the Dead Cow (cDc). cDc adopted a “disruptive compliance” approach to ECD and coded software to empower prohibited conduct instead of enabling actions against sovereign power.54 Consisting of lawyers, traditional activists, and hackers, cDc coded the national firewall circumvention program Peekabooty, the steganography program Camera/Shy, and Tor, which allows users to browse the Web anonymously.55 cDc shunned DoS and DDoS actions as censorship, explicitly paralleling hacktivism with Article 19 of the Universal Declaration of Human Rights (UDHR), which states: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”56
By contrast, the ECD group Electronic Disturbance Theater (EDT) embraced DDoS actions. Unlike cDc’s ominous underground subculture, pseudonymous members, and purportedly criminal behavior, EDT was committed to radical transparency and was founded by publicly respected net.artists, net.activists, and intellectuals.57 EDT promoted nonviolent occupations and “virtual sit-ins” to protest oppressive governmental and military actions. In 1998, EDT coded and released the DDoS software Zapatista Tactical FloodNet “to reload a targeted web page several times per minute [and permit] the conceptual-artistic spamming of targeted server error logs.”58 In protesting U.S. support of Mexico’s suppression of the Zapatista uprising, EDT and other participating disobedients used FloodNet to disrupt the websites of Mexican President Ernesto Zedillo and the White House. FloodNet was modified by other hacktivists and used against the World Trade Organization (WTO) in 1999, accompanied by the release of an open-source ECD toolkit that galvanized international hacktivism in the form of DDoS flooding disobedience.59 The electrohippies collective (Ehippies) performed virtual sit-ins against the WTO in 1999 and the International Monetary Fund (IMF) and World Bank in 2000 to protest corporate Internet control.60 In 2006, EDT and the borderlands Hacklab engaged in DDoS flooding actions against French government websites to oppose the arrests of students striking against the precaritization of life under the First Employment Contract.61
EDT, Ehippies, and Hacklab combined offline and online elements in their protests for added effect and legitimacy, politicizing online components “as an amplification gesture for those who do not have access to the biopolitical rules of globalization or state laws.”62 They positioned themselves within civil disobedience traditions legalized as symbolic speech. Their claims to legality lay in their formation of majority coalitions of DDoS disobedients and their willingness to accept responsibility for their actions.63 This behavior is traceable to Thoreauvian civil disobedience and the 1960s Greensboro sit-ins, which were both characterized by the disobedient’s deliberately unlawful actions at personal risk.64
Expert testimony underscored ECD’s democratic value as “civil disobedience analogous to street protests and physical sit-ins, not as acts of violence or terrorism,” regardless of whether the actions targeted allies or enemies of the State. ECD tactics were formulated as multivalent in method, motivation, and consequence; thus, DDoS tactics could not be legally treated as a monolithic cyberterrorist entity. The experts recommended that DDoS actions be evaluated in light of duty of care and the role of mens rea in any resulting harm.65 In this assessment, duty of care would be judged by the use of vulnerability actions, malice or negligence regarding sensitive information or system architecture, and social responsibility. Mens rea would be based on actors’ focus on communicative versus destructive goals.66 However, the status of DDoS actions as symbolic speech remained debatable in popular fora.67 The first well-publicized DDoS actions transpired in February 2000 against Yahoo, Amazon, CNN, ZDNet, Buy.com, eBay, E*Trade, and Schwab.com. Emphasis was given to financial losses sustained by downtime.68 Given the importance of property, it is unsurprising that DDoS actions were then construed as malicious “cracker” behavior inevitably leading to massive financial loss.69 ECD’s claims to legitimacy were further fractured by apparent hacktivist infighting, as prestigious hacker groups like Chaos Computer Club, L0pht, and cDc maligned DDoS actions as First Amendment violations and hacktivism as profoundly misunderstanding hacker culture.70 EDT compounded this factionalism by noting that “FloodNet was not created by hackers or terrorists, but by artists and activists,” suggesting that socially responsible work can only be created by artists and activists and excludes hackers, who are here equated with terrorists.71
Popular, often stereotyped representations facilitated the reconfiguration of DDoS actions from multivalent to nonvariant phenomena. The competition over meaningful organizational or subcultural labels can be particularly fraught, and the “rivalry for the possession of certain words” is a staple feature of media representation and judicial response.72 Where hacktivism was originally characterized as the struggle for freedom of speech, today it is variously defined as “cyberwar,” “cybercrime,” and “cyberterrorism.” DDoS tools rhetorically evoke warfare, as in “email bombs,” “attacks,” and “strikes,” coupled with participants’ facetious declarations of “tango down” on success. The discursive shift from nonviolent civil disobedience to militant vigilantism in government, media, and participant representations indicates a critical juncture in the contestation of Internet rights and property regimes. Recourse may be found in the law because it has the power to organize and reorganize meanings since law impacts culture and culture impacts law.73 Furthermore, emergent law may be articulated with recourse to culture.74 For instance, the popular mind links the name and face with self-awareness and accountability; correspondingly, Anonymous is constructed as successfully attempting to avoid the consequences of their actions. However, the notion that anonymity is invariably used to evade responsibility demonstrates a lack of nuanced understanding by the public and the judiciary. Prominent social movements may have been helmed by identifiable leaders, but multiple-use pseudonyms like Ned Ludd and Luther Blissett have historically served to protect participants from legal persecution that would have a chilling effect on dissent.75 Even where identity indicators are fully suppressed, anonymity does not circumvent the risk of confrontation by sovereign authority.76 Instead, it seeks to minimize the risk of excessively harsh punishment in order to increase the possibilities for participatory resistance.
Prosecutability is impacted by the identifiability of suspects. However, effort is made to identify or deter DDoS disobedients primarily when State or major corporate interests are threatened. The legitimacy of the tactic—as well as who can legally deploy it—was first obfuscated during the Zapatista FloodNet protest when the Pentagon launched a militarized and computerized counteroffensive against domestic targets by redirecting FloodNet requests to cripple the program.77 According to current First Amendment ideologies, tools of dissent should not be militaristically deployed by state agencies.78 Criminal allegations were not brought against EDT members or the Pentagon, despite its illegal use of federal military defense measures in domestic law enforcement.79 Confusion over legal stewardship of the tactic blossomed in 2010 with Anonymous, LulzSec, and th3j35t3r, a DoS operator. In their use of DDoS, Anonymous and LulzSec targeted international and domestic institutions, including but not limited to the Tunisian and Zimbabwean governments, the Church of Scientology, the CIA, the Senate, the U.S. Department of Justice and Copyright Office, the Motion Picture Association of America (MPAA), and the Recording Industry Association of America (RIAA). By contrast, th3j35t3r solely targeted recognizable State enemies like WikiLeaks, Iranian President Mahmoud Ahmadinejad, jihadist websites, and 4chan, in retaliation for Anonymous’ actions against State agencies. Moreover, th3j35t3r’s asserted motivations were American patriotism, while Anonymous represented itself as universally opposing human rights abuses and censorship.80
Both th3j35t3r and Anonymous have used DoS and DDoS flooding actions. Tellingly, however, Anonymous’ DDoS disobedience in support of WikiLeaks in December 2010 attracted federal attention and severely punitive criminal charges allowed by the CFAA’s broad parameters.81 One month prior, after WikiLeaks published U.S. diplomatic cables, th3j35t3r took the site offline with a DoS action using his custom program XerXeS.82 The domain name provider consequently removed WikiLeaks, which suffered a loss of corporate infrastructure and capital.83 Although th3j35t3r was not sought by federal authorities, Anonymous, who largely avoided criminal allegations until 2010, was prosecuted under the full extent of the CFAA specifically for its support of WikiLeaks. The intimation is that DDoS tactics are arbitrarily legitimate based on the identity and motivation of the actors deploying them. th3j35t3r is a single operator who lacks the symbolic force of a majority coalition; however, this is seemingly mitigated by the fact that he is pseudonymous but reveals identity indicators: he was a former U.S. Special Operations military contractor and has given live presentations online.84 By contrast, Anonymous is an unknowable, networked multitude, highlighting abuses of power by domestic authorities as often as international ones.
Asymmetric conflicts in cyberspace are evidently approached with considerable partiality and socially, culturally, and legally impact DDoS’s claims to legitimacy. Such legal quandaries and ideological disparities have destabilized the legitimacy of ECD. Additionally, they have provided fertile ground for the moral panic surrounding hackers and Anonymous as well as for legal overreach in DDoS cases.85 As DDoS actions have become a necessary staple in dissenting expression online, it is important to examine the legal frameworks that, hypocritically, uphold theories of freedom of expression for all while seeking to impose restrictions on particular types and perpetrators of dissent.86 Next, Part III will build on this historical background by examining the CFAA and relevant case law and demonstrating the ways in which prosecutions, indictments, and verdicts are inflected by the sociocultural considerations delineated above.
Computer Crime Statutes and Case Law
The Computer Fraud and Abuse Act
Hacking grew to prominence in the 1960s and 1970s, reaching its heyday in the 1980s.87 It was criminalized with the passage of 18 U.S.C. § 1030, or the Computer Fraud and Abuse Act of 1984 (CFAA). Other federal computer crime legislation includes the Electronic Communications Privacy Act of 1986 (ECPA), the National Information Infrastructure Protection Act of 1996, and the Digital Millennium Copyright Act of 1998 (DMCA).88 In 2001, the European Convention on Cybercrime coordinated international anti-hacking lawmaking efforts,89 but the CFAA is still the primary piece of legislation used in DDoS cases. These cases elide specific definition regarding content, materiality, copyright, and infrastructural damage.90 Unconstitutionally vague, the CFAA has been revised multiple times over issues of vagueness, overreach, and statutory reinterpretation by courts or to reflect evolving legislation.91 In 2013, after Internet pioneer Aaron Swartz’s recent suicide, Congress introduced a new draft that increases penalties for crimes of little economic impact, expands the conspiracy parameters, and otherwise broadens an already sweeping law.92 Given the statute’s adherence and universal applicability to computer crimes, the CFAA plays a pivotal role in DoS and DDoS cases and should be exactingly scrutinized.
The CFAA protects “protected computers,” which encompass any U.S. machine connected to the Internet.93 In subsections (a) and (c), it criminalizes the activity of an individual who:
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss; [or] damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or damage affecting 10 or more protected computers during any 1-year period.94
In subsection (e), the CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information” and “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”95
Over the years, the CFAA’s scope was repeatedly expanded and statutory limits on its application were abolished.96 Initially, it was specifically tailored to government interests in national security, property, and financial records. It was later expanded to include wire fraud, information manipulation, password trafficking, offenses over an interstate network, accidental damage, felony enhancements, and unauthorized access to information of any kind over an interstate or foreign connection. Its definition of “computers” was amended from federal machines to U.S. computers to U.S. computers outside the U.S. of governmental or commercial interest. Congress now seeks to expand its conspiracy parameters and felony enhancements.97 Under the void-for-vagueness doctrine, the constitutionality of a statute must be preserved through narrow and clear statutory interpretation by the courts. The language of the statute problematically centralizes sweeping concepts and definitions of knowingness, intent, damage, and loss. The meaning of unauthorized access is also unclear, provoking divisive court interpretations.98 This legal ambiguity is compounded in matters of DDoS disobedience. By definition, DDoS actions require knowing intent and must cause damage and loss. Expansive definitions of damage and loss enable DDoS disobedients to be charged with inflicting costs greater than $5,000, where costs may include assessment, restoration, reparation, and employee wages following the incident, and may be arbitrarily estimated to meet the $5,000 minimum limit.99 Potential conspiracy charges and exorbitant fines and prison sentences, delineated in subsections (b) and (c), indicate the level of risk facing DDoS disobedients and criminal hackers alike.100
Broad interpretations of the CFAA discourage expressive altlaw behavior like temporary DDoS flooding actions or violations of terms of service by treating them the same as malicious hacking like vulnerability actions, identity theft, financial fraud, and data deletion.101 Since everything on the Internet is privately owned, DDoS actions automatically violate established property regimes in addition to the CFAA. Civil rights activism is recognized by First Amendment jurisprudence as legitimate and worthy of space for expression outside the boundaries of fully protected speech.102 Thus, the CFAA must be narrowly interpreted in order to legitimate DDoS disobedience as symbolic speech. Furthermore, this narrow interpretation is required to preserve the appearance of impartiality of the government and judiciary.
Foundations for DoS and DDoS Case Law
Beginning with United States v. Riggs in 1990, the CFAA was used to deter criminal hacker activity.103 Defendants Riggs and Neidorf were indicted for the unauthorized acquisition, possession, dissemination, and storage of the allegedly proprietary and highly valuable E911 document belonging to BellSouth Telephone Company. Pursuant to an alleged fraud scheme with Neidorf, Riggs used illegally obtained access codes to download and transfer the file to a bulletin board system (BBS) in Illinois. Neidorf accessed the file at his university in Missouri and edited and uploaded it to the Illinois BBS for Riggs to review before publishing it in his e-zine Phrack. Under the CFAA and the wire fraud statute, the defendants were charged with unauthorized access to protected computers and interstate information trafficking.104 The CFAA permitted a sweeping interpretation of the intent to defraud as well, which covered Neidorf’s actions despite his expressed intent to publish for a social purpose rather than acquire property for a personal agenda.105 The court held that “electronic impulses” were equivalent to transferable, accessible, and salable “goods, wares, or merchandise” valued at $5,000 or more, provided there existed the intent to defraud, namely the scheme to defraud BellSouth out of confidential, valuable property.106
By this definition, “electronic impulses” may range from immaterial property like the E911 document to transmitted signals like a ping flood, for which value becomes a particularly complicated issue. Unlike Riggs, where a file composed of electronic impulses was transferred without damage to computer systems, DDoS actions are the electronic impulses that are both transferred and temporarily impair informational integrity and availability. The social and symbolic value of these impulses is downplayed while the material value of the targeted property is overemphasized. For instance, the E911 document retailed at $13 but was valued at $80,000 at trial.107 The CFAA’s $5,000 minimum limit for federal investigation of computer crimes encourages such arbitrary or speculative valuation, totalizing the link between computer crime and exorbitant financial costs. Intent was comprehensively equated to a desire to cause pecuniary loss, instead of seeking to improve legal regulation through electronic civil disobedience. Furthermore, these expenses often include the belated implementation of security updates to remedy extreme laxity of information security.108 Pecuniary loss is also publicized over reputational damage, likely due to the social, cultural, and economic importance of material property as well as governmental and corporate interests in minimizing reputational damage. In 2000, the FBI pursued a Canadian teenager who performed DDoS flooding actions against the servers of Yahoo, eBay, CNN, Amazon, and various ecommerce sites, rendering them unavailable for hours at a stretch.109 These actions illustrated the ease with which a single individual could impact corporate servers, which directly affects that corporation’s reputation as a secure service provider. However, crime analysis and media coverage avoided that issue—and hence the issue of dissenting expression—by focusing on damages and loss.110
Reputational damage, which is more closely associated with lawbreaking for social, legal, and policy change, emerged in 2001. Following a 2001 DDoS vulnerability action intended to showcase the laxity of information security in the corporate sector, Microsoft claimed a cumulative loss of $500 million over a period of a few days.111 However, the costs of repairing the damage of a DDoS flooding action are minimal and center on upgrading information infrastructure that, arguably, should have previously been regularly performed at company cost.112 Reputational damage is more difficult to repair, as companies become associated with poor security, potentially shrinking their customer base.113 A white paper on the subject also noted that “company reputations are tarnished, sometimes permanently.”114 The CFAA’s expansiveness permits the deployment of concepts like property damage, fraud, excessive loss, and hacker stereotypes to eclipse governmental and corporate shortcomings that have security implications for millions of users.115 Courts mete out excessively punitive fines of up to $10,000 per target coupled with prison sentences of up to 15 years as attempts to appear proactive in deterring the hacker “threat.” A broad definition of “impairment” helps government and corporate interests deflect reputational damage by criminalizing all computer crime as fraudulent and focusing on exaggerated pecuniary loss.
DoS and DDoS actions specifically have caused and received legal attention in United States v. Dennis, United States v. Collins et al., United States v. Cleary, and United States v. Ackroyd et al. The Dennis case was the first overt DoS disobedience case tried in the United States. The defendant, a former computer systems administrator for the U.S. District Court for the District of Alaska, was indicted for three DoS flooding actions against the U.S. District Court for the Eastern District of New York to draw attention to the vulnerabilities of the Eastern District’s server.116 Prosecutors did not differentiate between Dennis’s stated intentions and the antagonistic personal agendas of defendants tried for the sale of access codes, extortion, and use of federal computers to host personal services.117 For intentional impairment of protected computers, Dennis was sentenced to six months of incarceration, supervised release, and $5,300 in restitution.118
Prosecution of Anonymous Over DDoS Disobedience
Prior to 2010, Anonymous largely evaded legal attention for its use of DDoS actions, as in those taken against Hal Turner in 2006.119 Anonymous was pursued for and charged with DDoS-related impairment of a protected computer in 2009 in United States v. Guzner and again in 2010 in United States v. Mettenbrink, the first cases to legally treat LOIC.120 The respective defendants participated in DDoS disobedience against the Church of Scientology in a protest movement with online and offline components that began in 2008. Anonymous prefaced its protest with communiqués publicizing popular dissatisfaction with the Church’s “campaigns of misinformation, suppression of dissent, [and] litigious nature.”121 As with EDT’s release of FloodNet, Anonymous published LOIC as an open-source computer program freely available for easy download and use. LOIC, like FloodNet, flooded the Church of Scientology’s websites with reload requests, mimicking legitimate user traffic. Moreover, LOIC logged users’ IP addresses, suggesting that, like EDT, protestors were not evading responsibility despite their prima facie anonymity. In Guzner, the first prosecution of a member of Anonymous despite prior uses of DDoS, the defendant was charged with a felony count of hacking under the CFAA. He pleaded guilty to intentional impairment of a computer and was sentenced to a one-year federal prison term, two years’ probation, and $37,500 in restitution.122 In Mettenbrink, the defendant was identified as having committed an extreme amount of “damage” due to 800,000 reload requests sent from his machine alone. He pleaded guilty to conspiracy to impair a computer and “transmission of a code, information, program, or command to a protected computer.” He was sentenced to a year in prison and a year of probation.123
The use of DDoS in electronic civil disobedience skyrocketed following Guzner and Mettenbrink, with actions taken against the RIAA, the MPAA, federal institutions, and cybersecurity companies. Anonymous overtly politicized those entities’ actions by publicly linking them to collective dissatisfaction with existing intellectual property regimes, legal overreach, and negligent treatment of sensitive end-user information.124 DDoS actions peaked in December 2010 immediately following WikiLeaks’ publication of classified U.S. State Department cables and a retaliatory banking blockade against WikiLeaks. In response, Anonymous coordinated DDoS actions against the corporations that instated the blockade, PayPal among them. Expressly done to combat governmental suppression of information transparency advocates, Anonymous’ actions echo EDT’s unprosecuted use of FloodNet in 1998. The FBI executed 27 search warrants on January 27, 2011 in 12 states and the District of Columbia; 14 individuals were arrested and indicted on 15 counts of conspiracy and intentional damage to protected computers. An additional 21 search warrants were executed in 11 more states as part of the continued investigation, starkly contrasting with the relative lack of federal persecution of EDT, ehippies, or cDc.125
Like ECD movements that preceded them, Anonymous’ operation entailed publication of communiqués, instructions, manifestos, software, open-source code, and links to group targets. They linked their movement to governmental and corporate infringement on First Amendment rights, citing the fact that these institutions blocked grassroots support for WikiLeaks but continued to facilitate donations to controversial organizations with little national impact, like neo-Nazi groups.126 The PayPal protests attracted the largest number of DDoS participants to date, with over 10,000 disobedients utilizing LOIC from December 6–10, 2010. They did little more than “occupy” bandwidth, so PayPal’s site never even went offline and its pecuniary losses were minimal.127 However, in United States v. Collins et al., the PayPal 14 were charged with one count of conspiracy; 14 counts of knowing transmission of a program, information, code, or command to intentionally damage a protected computer; loss of more than $5,000 to targets resulting from conduct affecting a protected computer; and a prison sentence of up to 10 years. Prosecuting computer crimes under the CFAA requires “either an intentional denial-of-service or some form of trespass, which would be an unauthorized access…. [T]he problem here is if this is a public website, merely going to the website repeatedly is many, many authorized accesses, not an unauthorized access.”128 Accordingly, LOIC is not exploitative and is intended only to cause outage and damage to service availability. By mimicking legitimate traffic, LOIC can be interpreted as dissenting expression operating within an existing framework of law and policy that has been recognized as legitimate. In their use of LOIC, the 2010 DDoS disobedients caused minimum economic distress to PayPal and democratically engaged citizens in political dialogue by equalizing participation, resulting in “an electronic sit-in at its finest.”129 As with offline dissent, the State should be obliged to provide adequate space for online disobedience, as these actions are well within the range of acceptable dissent.
The CFAA’s Overreach in DDoS Cases
Compared to the treatment of ECD tactics preceding them, Dennis, Guzner, Mettenbrink, and Collins et al. are problematic precedents. Intentionality is centralized but the motivations undergirding that intent are overlooked or eclipsed by potential property damage. The CFAA’s overreach permits the dubitable equalizing of flooding actions, which cause temporary and minimal material and economic impact, and vulnerability actions, which require extensive reparation or hardware replacement.130 The prosecution applied the CFAA in its legal action against LulzSec, a faction of Anonymous that engaged in vulnerability, flooding, and cybergraffiti actions, as well as the acquisition and dissemination of sensitive information.131 Unlike Anonymous, LulzSec targeted media outlets over difference of opinion in addition to established property regimes controlling the Internet and intellectual property. Accordingly, their actions both violated and defended the First Amendment, respectively.132
In United States v. Ackroyd et al., five members of LulzSec were indicted under the CFAA for multiple acts of obtaining and distributing sensitive information, deleting data, stealing credit card information, commandeering social network accounts, and defacing sites.133 In Ackroyd, DDoS actions were not included in the indictment. They are featured in United States v. Cleary, in which the defendant was charged under the CFAA for conducting DDoS actions via an involuntary botnet, using exploitative tactics, and acquiring and redistributing sensitive information.134 Finally, the prosecution in United States v. Monsegur charged an informant under the CFAA with conspiracy and the commission of DDoS actions, which were categorized alongside cybergraffiti, botnet use, and dissemination of confidential information.135 As illustrated by these three cases, the CFAA’s increasing overreach expedites its use in prosecuting both the vulnerability actions used by LulzSec and the civically minded flooding actions used by the PayPal 14. This reductive approach thus treats acts of differing impact and aims as equally damaging and deserving of equal punishment.
The State defines criminal behavior in such a way that it can easily, selectively equate it with types of dissenting expression. For instance, actions taken in 2011 against international government websites in Tunisia and Egypt were not pursued or prosecuted to the same extent. Despite orchestrating 16 similar protests, EDT avoided criminal prosecution until the 2010 surge in moral panic about DDoS actions.136 The intimation is that electronic civil disobedience is held to a double standard in which members of reputable professions, like academics, serve democracy and the furtherance of knowledge; on the other hand, grassroots protestors associated with hacking are criminalized regardless of their motives.137 Comparably, online expression is purportedly democratic while its uses for dissent are markedly circumscribed. A system of free speech succeeds “only when it rests upon the strongest possible commitment to the positive right and the narrowest possible basis for exceptions,” which must be fixed, identifiable, and controllable, lest suppression become the rule.138 The CFAA permits the creation of exceptions based on the State’s vested interests in the status quo, essentially rendering the system of online speech undemocratic.
The primary differences between Collins et al. and prior ECD actions seem to lie in the size of the majority coalition involved, its global diversity and reach, its targets, and the popular misconception that anonymity reduces risk and accountability. Arguing that these criteria invalidate DDoS protests is tantamount to claiming that civil disobedience is only legitimate when it is physically and financially restrictive or when aimed at State-approved targets. Despite being privatized, the Internet enables globally networked protests, allowing for movements of immense size and visibility. Additionally, for civil disobedience to have significant effect, the disobedients “must appropriate something of value to the state. Once they have an object of value, the resisters have a platform from which they may bargain for (or perhaps demand) change.”139 As control of electronic impulses constitutes power and value to the State, the Internet is the ideal site for symbolic occupation through ECD. Like a physically embodied sit-in, participants enter a space that abstractly represents State or corporate power and blockade it with their bodies or their “cannons,” software downloaded and unloaded on the shared site of occupation. In this manner, the traffic of electronic capital is impeded in the same way that business may be halted by a sizable physical sit-in.
The law understandably hinges on intent, which is a necessary component of civil disobedience and also factors into the legal evaluation of protected symbolic speech. In computer crime legislation, there is no explicit legal protection for electronic civil disobedience. What tacit recognition exists seems to be arbitrarily and prejudicially applied. The defendants in Guzner and Mettenbrink faced potential prison terms of 10 years with potential fines of $250,000, excessively punitive measures compared to the typical overnight incarcerations and meager fines handed down to civil disobedients in physical spaces.140 Since there are always legal consequences for lawbreaking, it would be naïve not to expect punishment. However, principles of justice dictate that the punishment be commensurate to the crime and all crimes be pursued and prosecuted impartially.
The use of DDoS tactics as tools of dissent are further undermined by issues of legitimate stewardship. Corporations have adopted DDoS tactics in dealing with rival corporations and potential attackers.141 These “professional” DDoS actions are tacitly legitimate when directed at other companies or aimed at groups with interests that conflict with State or commercial interests. For instance, when the MPAA hired an Indian software company, Aiplex, to use DDoS actions against The Pirate Bay, their actions received little publicity until 4chan retaliated by using DDoS actions against Aiplex and the MPAA.142 Meanwhile, expressive DDoS actions aimed at improving human rights, freedom of information, and information security policy are criminalized. This gap in legal protections is significantly problematic regarding the tactic’s claims to legitimacy and the creation of a robust system of freedom of expression in online contexts.
In reevaluating DDoS tactics within a civil disobedience framework, it is important to refine the notion of knowingness and intent. Expressive altlaws use DDoS disobedience to challenge preconceived stereotypes about property regimes, information security, anonymity, legal impartiality, and censorship.143 These tactics are intended to foster dissenting dialogue, persuade majoritarian opinion, and eventually effect legal change. This is familiar symbolic speech recast in an unfamiliar, uncharted environment. In the next part, I will discuss current jurisprudence on civil disobedience, symbolic speech, and semiotic disobedience as well as the expressive altlaw in the context of DDoS case law and the need for narrower interpretations of the CFAA.
Civil Disobedience and Symbolic Speech
Claims to Legitimacy
Dissent theory forms the inexplicit core of First Amendment theory, despite its frequent decentering in favor of preserving the status quo.144 Until the nineteenth century, it was common for individuals and groups to insist on free speech for themselves while restricting it for others.145 However, dissent is crucial to the social and political vibrancy characteristic of democracy and, to a degree, is legally recognized as such. The question becomes further complicated by symbolic speech, expressive actions often employed in protest movements. Symbolic speech receives partial protection under the First Amendment.146 This protection dates from at least Stromberg v. California (1931), in which a statute prohibiting display of a symbol of opposition to organized government was deemed “impermissibly vague” by the Supreme Court.147 The prevailing doctrine on restrictions of symbolic speech stems from United States v. O’Brien, where the Supreme Court ruled that the government may limit an individual’s right to engage in symbolic speech.148 Cox v. Louisiana set a two-pronged standard for approaching civil disobedients’ speech by distinguishing between “speech pure” and “speech plus,” or symbolic speech.149 Speech pure is communication that is fully protected under the First Amendment, such as leaflets or orations; symbolic speech encompasses protest tactics like parades, picketing, and sit-ins and receives less legal protections than speech pure.150 Supreme Court doctrine factors speech type into its analysis of whether or not a form of civil disobedience passes constitutional muster. Free speech is further constrained by the public forum doctrine, where public forums such as streets, sidewalks, and parks are protected spaces under the First Amendment, whereas private forums are unprotected.151
Civil disobedients have suggested that the First Amendment protects expressive protest speech as a form of symbolic speech.152 However, First Amendment jurisprudence has only expanded the boundaries of democracy to protect certain forms of expressive disobedience.153 In United States v. O’Brien, the court recognized the overlap between symbolic speech and destruction of property. O’Brien, who burned his draft card in protest of the Vietnam War, was ultimately convicted for willfully frustrating the functioning of the Selective Service System—not for the communicative aspects of his conduct. However, O’Brien illustrates the court’s prioritization of preserving the inviolability of government property at the risk of deterring expressive altlaw dissent.154 The ruling was justified because it did not impose a substantial restriction on expression that contravened governmental interests since “O’Brien manifestly could have conveyed his message in many ways other than by burning his draft card.”155 Despite the irrelevance of the property issue to the message O’Brien was attempting to convey, the case hinged on the relationship between property and symbolic speech.156 Significantly, O’Brien incentivized alternatives to property destruction where available.157 However, visible protest cannot be enacted on the Internet without some form of appropriative negotiation, where property is necessarily appropriated for expressive modification or recreation. The Internet is privatized to such an extent that it is impossible to enact expressive dissent that will be visible to a diverse public. The least disruptive alternative to appropriative negotiation would be to create a top-level domain to house protest speech, which would effectively ghettoize it and neutralize the protest. Potentially, hacktivists could insert protest-oriented splash screens that end-users must view for a limited period of time before being taken to the website; however, this technique does not yet exist and comes closer to constituting a vulnerability action in that it manipulates a website’s code.158
Semiotic disobedience concerns “the conscious and deliberate re-creation of property through appropriative and expressive acts that consciously risk violating the law that governs intellectual or tangible property.”159 Among other tactics, it includes cybergraffiti and DDoS actions. Cybergraffiti overtly refashions intellectual property in the form of websites that abstractly represent State and corporate power. On the other hand, DDoS actions negotiate intellectual property by temporarily rendering it inaccessible, recoding websites through their unexpected absence rather than the presence of new semiotic forms. Viewed in this light, the subset of DDoS flooding actions becomes an issue of dissenting speech performed to illustrate social injustice. Under the CFAA, however, it can only be considered property damage regardless of its expressive potential as symbolic speech and the lack of alternative means of visible expression online. Consequently, the CFAA must be narrowly interpreted and supplemented with a dissent-oriented First Amendment framework to truly meet American standards of democracy.160 The next section will consider specifically whether or not DDoS actions should be punitively regulated in either framework.
The CFAA and the First Amendment
In order to determine how to balance the interests of expressive altlaws and semiotic disobedients and the proprietary interests of government, corporations, and private owners, it is necessary to revisit DDoS case law within a First Amendment context. The First Amendment’s social value partly lies in its permitting individuals to self-govern and form majority coalitions against corrupt governments.161 It was originally structured around government representation and majoritarian opinion, preserving the free speech rights of minorities so that they could attempt to persuade the majority.162 Civil disobedients exercise symbolic speech to persuade the political elite about contemporary injustices, like inequality before the law, human rights abuses, or First Amendment violations. From a First Amendment standpoint, harsh criminal sanctions have a demonstrable chilling effect. For instance, there have not been DDoS actions of significant scale and diversity since the PayPal incident, likely due to fear of State reprisal. Online protest is restricted to appropriative negotiations of private property through semiotic disobedience. However, like symbolic speech offline, it is restricted and its protections are limited. If Internet expression is fully afforded First Amendment privileges, civically-minded political protest speech online would enjoy the partial protections afforded its offline counterpart and operate similarly unsanctioned.163
Although civil disobedience attains legitimacy and symbolic force based on numbers, the individual DoS actions of Dennis serve as an early instance of ECD meant to publicize the issue of information security to an unwitting public. DoS actions had existed for decades previously, escaping public attention until Dennis drew media attention to the ease with which a single individual could impact a supposedly stable government computer system. Furthermore, Dennis highlighted legal discrepancies between the treatment of ECD against international targets and federal institutions. The action may not have been civil disobedience with majoritarian approval, but neither are th3j35t3r’s actions, which were treated differently by U.S. legal frameworks. Additionally, Dennis did not act for personal gain and lacked alternative means of spreading his message, as he could not have reached a significant audience otherwise. Information security issues typically remain invisible to the broader public. Instead, they are featured primarily in technological publications, security pamphlets of limited circulation, and hacker zines. Dennis’s intent to raise media attention is clear in his assertion that he performed three DoS actions in order to ensure they did not escape notice.164 Under the CFAA, however, Dennis was charged under the same subsection applied to credit card thieves and information traffickers.165
The DDoS actions of Guzner and Mettenbrink illustrate the same legal biases toward property and institutional interests. The defendants admitted to their crimes and pleaded guilty with the expectation that they would be treated as civil disobedients. By engaging in productive lawbreaking, the defendants hoped to visibilize the public’s longstanding collective dissent with the Church of Scientology’s stringent proprietary policies and censorship. Instead, both were sentenced under the CFAA as though they had participated in vulnerability actions.166 Guzner was ordered to pay $37,500 in restitution and Mettenbrink was sentenced to two years of incarceration, while two members of Anonymous committed offline vandalism of Church of Scientology property and received sentences of five years’ community service and were prohibited from entering the Church’s premises.167 As in O’Brien, the defendants’ motivations were overshadowed by larger concerns of property damage, in this case the CFAA’s overbroad “impairment to protected computers.”168
Regarding the PayPal 14, who represented the 10,000 DDoS participants in the actions of December 2010, it is peculiar that the First Amendment question was largely submerged. Governmental interest seemed to lie in suppressing expression that conflicted with State interests—namely, thwarting WikiLeaks’ publication of diplomatic cables—rather than in the incidental repression of symbolic speech. Moreover, the repercussions in this particular case seem to be part of a sustained effort by the U.S. government to shut down WikiLeaks altogether, further abridging the First Amendment.169 The State also has a vested interest in protecting targeted corporations like Bank of America, PayPal, the MPAA, and the RIAA. The overbroad application of the CFAA in prosecuting DDoS actors thus seems aimed at hindering anti-corporate, anti-government symbolic speech.
Finally, from a technical perspective, it is important to note that code was deemed speech after a series of arrests and lawsuits.170 Like symbolic speech, computer code is deemed expressive and within the scope of the First Amendment. However, “computer code is not merely expressive any more than the assassination of a political figure is purely a political statement. Code causes computers to perform desired functions. Its expressive element no more immunizes its functional aspects from regulation than the expressive motives of an assassin immunize the assassin’s action.”171 Despite the threat of vulnerability actions, software and its availability to unskilled participants and skilled programmers are integral to civic elements of DDoS flooding actions. As such, DDoS methods can be refined to comply with existing legislation and narrowing statutory reinterpretations to improve the CFAA and the application of symbolic speech principles to ECD tactics. Ideally, these recommendations will also aid in normalizing ECD practices in sociocultural contexts.
Recommendations
Jurisprudence must evolve to encompass DDoS as a legitimate civil disobedience practice. DDoS actions must also be reevaluated to constrain their potential to cause irrevocable damage and irreparable economic distress and to advance their civic potential. Currently, the CFAA lacks sufficient safeguards to maintain a distinction between DDoS disobedience and harmful DDoS actions. The framework used here, which distinguishes between DDoS flooding actions and DDoS vulnerability actions, begins to untangle what has so far been treated monolithically. However, it must be expanded to fully address the nuances of DDoS tools in contemporary ECD tactics.
Legally Sanctionable DDoS Methods
Presently, DDoS actions are criminalized regardless of the way in which they are technologically and symbolically enacted. Popular media representations often fail to delineate the different types of DDoS actions; instead, they incorrectly unify flooding and vulnerability exploits into a single category. The information security sector deconstructs DDoS actions, system vulnerabilities, as well as future offense and defense tactics, but these articles typically go unseen by the mainstream public. These articles are also often saturated with technical jargon and tend to characterize DDoS actions as threats to networked systems that need to be preempted. Unfortunately, neither representation distinguishes between exploitative or flooding DDoS actions. In establishing DDoS actions as symbolic speech, we must consider that vulnerability exploits may qualify as fraudulent and damaging even under a narrow interpretation of the CFAA. This is because the aftermath of vulnerability actions often necessitates extensive programming to rework the system’s security infrastructure.172 However, it could also be argued that such damage is symbolic speech in that it publicizes how little corporations care about securing sensitive information that belongs to the end-users whose interests they purportedly serve.173
The legal quandary seems to lie in the potential for information manipulation and “theft” due to the use of a vulnerability exploit, particularly given the courts’ tendency to privilege property damage. For instance, Anonymous and LulzSec have linked DDoS flooding actions with subsequent cybergraffiti, which more overtly alters private property.174 Semiotic disobedience is meant to be damaging and disruptive, so it would be naïve not to expect producers and consumers to be unsettled to some degree as a result.175 The vital consideration regarding symbolic speech is end-user impact. DDoS vulnerability actions are often linked with leaks of end-user information in pursuit of legal and corporate reform; however, this does both end-users and ECD movements a disservice. The point could easily be made with minimal impact to the end-user by publishing the exploit without obtaining or manipulating the information itself. Unlike opportunistic vulnerability actions, DDoS flooding actions resemble legitimate traffic by consuming the target’s available bandwidth through reload requests, ping floods, or packet floods and thus more unequivocally resemble the symbolic speech acts of sit-ins, marches, and draft-card burning. Accordingly, these DDoS actions can be interpreted as operating within existing technical and legal frameworks as much as possible, not as an attempt to undermine the entire infrastructure.176 End-users experience little more than slowed service or temporary disruption of a conscientiously chosen group target, usually the website of a government or corporation perceived to be socially unjust.
If it were possible for a single user to refresh a page millions of times per minute, the law would have a tenuous case at best even under the CFAA, as there is no clause for damage caused through legitimate traffic. Today, software like FloodNet, LOIC, HOIC, Slowloris, and RUDY allow millions of users to overwhelm a page with information requests. Furthermore, like th3j35t3r’s XerXeS program, Anonymous’ favored tools like HOIC and Slowloris raise the capacities of single machines but minimize the collateral damage done to intermediary nodes. Consequently, it would be imprudent to dismiss DDoS tactics as illegitimate based simply on the affordances of the medium, which facilitate the formation and participation of self-governing majorities with civic and symbolic force. Curtailing all DDoS actions because of the dangers posed by only some of them would abridge freedom of expression for expressive altlaws and semiotic disobedients. Instead, the law should recognize that a narrow subset of DDoS actions—namely those that involve flooding, which are specific and self-restricting in their target selections and also limited in duration—are dissenting expression deserving of First Amendment protection. Future revisions of the CFAA should thus seek to narrow the scope of the law with respect to DDoS cases.
Unsanctionable DDoS Methods
DDoS actions are not universally sanctionable, however. Many comprise opportunistic criminal activity meant for personal gain. These types include peer-to-peer actions, involuntary botnets, blended threats, worms, and self-replicating malware such as autonomous propagation, where a worm carries a DDoS “payload” and utilizes an exploit to plant it on infected machines.177 Because these methods involve involuntary botnets assembled without the consent of each node, they do not reflect the collective opinion of any majority coalition. As such, they cannot be interpreted as civic engagement and should remain unprotected speech. Perpetrators of these acts should be charged under the CFAA in specific accordance to the technical transgressions they committed. Revisions to the CFAA could aid in creating legal distinctions between DDoS disobedients and DDoS crime by linking indictments to technical transgressions rather than relying on broad sociocultural notions like “impairment” in order to press charges.
DDoS semiotic disobedients should be tried under the First Amendment; however, permanent DoS (PDoS) offenders, for example, should be indicted under a narrow reading of the CFAA focusing on whether permanent hardware damage occurred. Other laws that are applicable to malicious computer activity—such as the use of botnets and credit card and identity theft—might include the wire fraud statute used in Riggs, unauthorized electronic communications interception and disclosure, unlawful access to stored electronic communications and transactional records, and fraud in connection to access devices.178 Regardless of technological type, DDoS actions overwhelm targeted servers with information by definition. In a sociocultural context, both types—to a certain degree—may be construed as the productive lawbreaking of expressive altlaws to compel reluctant information security sectors to reform their security protocols or to draw attention to under-recognized political issues. The crucial difference is that DDoS vulnerability actions may be validly interpreted under existing law as unauthorized access of a protected computer, while DDoS flooding actions—at present—defy such easy categorization.
Remaining Obstacles to Legitimacy
Even with the above safeguards in place, there remain caveats for both sanctionable and unsanctionable DDoS actions. If targets are carelessly selected, there may be unintended collateral effects. This may arise as a result of social circumstances or technical limitations. For instance, Anonymous is a decentralized, nonhierarchical movement, and it is difficult to distinguish “trolls” from activists. During the coordination of DDoS actions against the Church of Scientology in 2008, one participant revealed a “hidden” targeted Scientology IP address, which was revealed to belong to a Netherlands primary school.179 As such, extreme care must be taken within anonymous activist groups, where meticulous fact-checking is necessary to ensure that only the intended objects of protests are affected. This is extremely important because when DDoS flooding actions are performed on a server, whole sections of a network or the entire network may be affected. Theoretically, a single DDoS action taken against even a State-approved target may simultaneously disable websites that promote governmental and corporate interests.180 This would constitute an abridgment of free speech that does not explicitly serve a political purpose. While this is an unlikely hypothetical scenario, it is important to remain aware of the potential collateral damage of DDoS actions and to tailor software accordingly, as illustrated by tools like XerXes, HOIC, and Slowloris.
Discursive shifts in media representation cued by changes in legal perception would best combat sociocultural obstacles to legitimacy. For instance, the cultural perception of anonymity in civil disobedience is that it decreases risk and responsibility, falsely suggested by the ease of online tools and lack of immediate visibility. Unlike groups like EDT, EHippies, or cDc, Anonymous protestors do not operate under their offline identities, and legal aspersions have been cast on pseudonyms since Riggs.181 However, consistent pseudonyms used on IRC, Twitter, or the Why We Protest forums are persistently linked to members’ offline identities. LOIC actions are also simple to detect in system logs and can easily be traced back to their originating IP addresses. This reinstates Anonymous’ DDoS actions within the romanticized tradition of personal risk and responsibility in civil disobedience.182 Protestors are not actually evading responsibility for their actions but are seeking to minimize their persecution in light of overly harsh punitive measures and in compliance with semiotic disobedience.
There also remains a persistent misperception regarding the treatment of DDoS actions as property rather than expression. DDoS tools have become sophisticated enough to cause significant disruption, occasionally taking sites offline for days instead of briefly impeding traffic. While the costs of bandwidth expenses are salient, they are no more excessive than the costs incurred by real-world occupations of stores like Starbucks that deter clients and raise the costs of doing business.183 This should inform future courts’ decisions and persuade them to privilege DDoS actions as semiotic disobedience instead of property violations.184 The law must also confront the issue of commensurability in prosecuting and sentencing DDoS actors affiliated with grassroots movements versus governments or corporations. The same level of dedication and thoroughness must go into identifying and prosecuting State and corporate uses of DDoS actions to preserve the appearance of impartiality.185
Finally, DDoS software coders should exercise great care in publicizing their tools. For example, LOIC is easily locatable and accessible online and is extremely user-friendly. While this increases its civic potential, it also poses an attractive nuisance to children, vigilantes, casual users with personal vendettas, and individuals with an itchy trigger finger. Coders must address this risk by instituting measures such as registration protocols, word-of-mouth invite codes, or similar mechanisms to limit potential abuse of the software.
The Right to Bear Cannons
Social practices have to be constructed and made normative through repeated use, efficacy, and the approval of reputable groups like the judiciary, which plays an important role in naturalizating symbolic speech in civil disobedience tactics. To protect proprietary interests and permit appropriative semiotic disobedience online, new types of DDoS actions could be considered and promoted as alternatives to exploiting system vulnerabilities. LOIC may serve as the contemporary starting point of this evolution, given its successful use and popularity following the 2008 protests against the Church of Scientology. It has already generated newer, more powerful, and more effective iterations, like HOIC, designed to outpace firewall programs and defensive scripts written by information security companies to address LOIC.
Unfortunately, at present LOIC has been largely denigrated without sufficient consideration for its democratic civic potential. LOIC “removed the need to educate new Anonymous participants on the spot,” lowering barriers to entry for individuals wishing to participate but lacking in technological skill.186 In this regard, LOIC enhanced the expressive capacities of the majority of individuals who formerly were restricted by their lack of technological knowledge. The more recent version, HOIC, targets more than the front page of a site using custom scripts and also has the built-in safeguard of requiring at least 50 users before taking a target offline. This helps to ensure that the tactic will be used legitimately, as its functionality requires the support of a coalition.
Law participates in the cultural and semiotic production of meanings but is also a product of culture. Protest legitimacy in the popular mind is significant in this process given that culture can reflect and refract the law.187 Legitimizing LOIC and HOIC as DDoS disobedience tools would provide DDoS actors with an appropriate model for future software iterations and could incentivize the use of these “legitimate” models instead of alternatives that might be legally murky or possess greater potential for collateral damage. Because the media is responsible for ideological closure, it must also use rhetoric normalizing the use of DDoS as a legitimate civil disobedience practice. Dissent-oriented rhetoric deployed by the judiciary would instructively exemplify new ways of conceptualizing DDoS tactics for the mainstream media.
Given the social, technical, and cultural aspects of DDoS tactics, the law must adopt a pluralistic approach to viewing them. As DDoS actions display a great deal of variance in motivation and execution, a unitary model of governance cannot be fairly used to exercise authority over them. Instead, a case-by-case type of legal analysis is preferable. ECD tactics transpire in privatized spaces that are difficult to interpret. These spaces are simultaneously proprietary and public, lack free speech zones, and their owners are able to selectively delete comments to homogenize opinion and deter dissent. Thus, the expansion of intellectual property law and the narrow tailoring of the CFAA are necessary to avoid restricting First Amendment rights in spaces where free speech zones are already limited, significantly isolated, and homogeneous due to pressures to conform and the resulting exclusion of dissent.
The vagueness of the CFAA remains problematic—more so in the wake of Aaron Swartz’s death. It is overbroad on its face and as applied, using imprecise language that allows continued appeals over statutory interpretation and does not clearly define the conduct it forbids. Instead, the CFAA relies heavily on inconsistently interpreted elements of authorization, impairment, intent, and knowingness. Courts should balance the aforementioned factors and designate DDoS flooding actions as partially protected symbolic speech under the First Amendment, so long as that speech does not constitute a breach of peace. Second, DDoS flooding actions should be divorced from concurrent malicious activity, such as cybergraffiti, which should be designated as semiotic disobedience and evaluated differently, and unauthorized transfers of proprietary information, which should remain prosecutable under a narrow interpretation of the CFAA and relevant existing case law. Third, the CFAA should be amended to reduce harsh, overly punitive sentences for DDoS semiotic disobedients and expressive altlaws.
Conclusion
The CFAA’s faulty mens rea standard and general overbreadth is a problem that transcends statutory reinterpretation. A majoritarian coalition has formed around the CFAA’s shortcomings and the legitimacy of DDoS tactics. In fact, on January 7, 2013, Anonymous filed a petition with the U.S. government requesting that the Obama administration recognize DDoS tactics as a legal form of protest. In the petition, Anonymous explicitly compared DDoS actions to sit-ins, evoking the history and social legitimacy of embodied and electronic civil disobedience measures that preceded it. Ultimately, the petition expired due to its failure to reach the signature threshold.188 Regardless, it overtly publicized the sentiment that has undergirded Anonymous’ actions over the previous two years: that the law should reevaluate DDoS actions within a civil rights and free speech context, disentangled from the overbroad frameworks of current computer abuse laws, the lingering prejudices incurred by past hacker trials, and the social status and unilateral power of State and corporate actors involved. Instead of adopting a hardline rule of law approach, in which intellectual property transgression of any kind is deemed deserving of excessive punitive consequences, the law must recognize the symbolic nature of semiotic disobedience and accept it, evenhandedly, as symbolic speech, regardless of the actors involved.189
The checking value of the First Amendment allows the media to serve as a counterweight for and deterrent to potential governmental abuses of power.190 When the media predominantly serves as the State’s ally and mouthpiece, the checking value of the First Amendment becomes especially critical for grassroots activist movements that must rely on semiotic tactics to “hack,” reclaim, and redirect public attention.191 It is at these moments of legal complexity and sociocultural entanglement that it is most important to avoid blindly upholding legislation that does not monolithically apply to embodied and mediated environments. Instead, the courts should amend the CFAA to restrict its scope, vagueness, and mens rea standard and also recognize DDoS actions as symbolic speech protected under the First Amendment. Unless courts do so, they will fail to fulfill their obligations as impartial arbiters of the law.
Free speech under a democratic government functions best when it “induces a condition of unrest, creates dissatisfaction with conditions as they are, or even stirs people to anger. Speech is often provocative and challenging. It may strike at prejudices and preconceptions and have profound unsettling effects as it presses for acceptance of an idea.”192 The present quandary regarding the legitimacy of DDoS tactics is linked not to democratic ideals but to the preservation of existing property regimes.193 Reversing that linkage opens up possibilities for improving and inventing ECD tactics that safely operate within the purview of symbolic speech.194 Such a framework would also provide safe harbor for other online activities that, under current legal understandings, constitute intellectual property infringement. Civically-minded remixes that lie outside the protections of fair use, for instance, could be reconsidered as symbolic speech. Then the actions of authors who make their closed-access scholarship publicly available in the wake of Aaron Swartz’s death could comprise dissenting speech. Individuals could even become empowered to confound behavioral advertising and targeting by corporations or the State through “statistical noisemaking,” or the collective clicking of particular types of ads to create false, unusable data.195
Acts of ECD or semiotic disobedience could thus be judged based on fixed technical specifications and intention to pose dissent rather than arbitrary valuation of economic impact. As such, the dissent-oriented conception of the First Amendment—which is necessary for the appropriate restructuring of the CFAA—also more closely resembles the theory of freedom of expression on which the First Amendment was founded.196 Self-discipline, self-restraint, and the ability to look beyond the interests of State and corporate institutions are essential to such a legal reconfiguration. In a networked era where “speaking noise to power” has been made possible, the judiciary would do well to remember that it has an obligation to encourage dissent in public and private hierarchies to correct for the corruption, injustice, and inequality within a powerful status quo that, otherwise, would fail to change.197
Endnotes
- A denial-of-service (DoS) action temporarily or indefinitely interrupts the services of an Internet server or site. ↩︎
- A botnet is a collection of programs communicating through the Internet to perform legitimate or illegitimate tasks, such as monitoring Internet Relay Chat (IRC) channels or sending spam email. ↩︎
- Kim Zetter, Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More, Wired (July 19, 2011), available at http://www.wired.com/threatlevel/2011/07/paypal-hack-arrests/. ↩︎
- Fraud and related activity in connection with computers, 18 U.S.C. § 1030 (2012). ↩︎
- There are at least forty U.S. computer crime statutes. Noah C.N. Hampson, Hacktivism: A New Breed of Protest in a Networked World, 35 B.C. Int’l & Comp. L. Rev. 511 (2012), available at http://lawdigitalcommons.bc.edu/iclr/vol35/iss2/6/. ↩︎
- See Jelena Mirkovic, Sven Dietrich, David Dittrich, & Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms § 8.2 (2005), available at http://denialofservice.uw.hu/. See generally Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561 (2010), available at http://www.minnesotalawreview.org/wp-content/uploads/2012/03/Kerr_MLR.pdf. ↩︎
- See generally Computer Misuse Act, 1990 (U.K.); Internet Denial of Service Attacks and the Federal Response: Joint Hearing Before the Subcomm. on Crime of the H. Comm. on the Judiciary and the Subcomm. on Criminal Justice Oversight of the S. Comm. on the Judiciary, 106th Cong. (2000). ↩︎
- See Gabriella Coleman, Code is Speech: Legal Tinkering, Expertise, and Protest Among Free and Open Source Software Developers, 24 Cultural Anthropology 420 (2009), available at http://steinhardt.nyu.edu/scmsAdmin/uploads/003/681/cuan_1036.pdf; see also Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000). ↩︎
- Actors targeting State enemies are frequently implicitly exempt from prosecution. ↩︎
- Expressive altlaws are those who act to protest the current legal system but not for personal gain (as in acquiring property). See generally Sonia K. Katyal, Semiotic Disobedience, 84 Wash. U. L. Rev. 489 (2006), available at http://lawreview.wustl.edu/inprint/84-3/p489Katyalbookpages.pdf; Eduardo M. Peñalver & Sonia K. Katyal, Property Outlaws: How Squatters, Pirates, and Protestors Improve the Law of Ownership (2010). ↩︎
- The absolutist approach states that no law should abridge free speech. ↩︎
- The categorical approach states that only certain categories of speech should be protected. ↩︎
- The balanced approach states that individual interest in free expression must be weighed against government interest in restricting said expression on a case-by-case basis. ↩︎
- See generally Thomas Emerson, Toward a General Theory of the First Amendment, 72 Yale L.J. 5 (1963), available at http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=3769&context=fss_papers. ↩︎
- See generally id.; Vincent Blasi, The Checking Value in First Amendment Theory, 2 L. & Soc. Inquiry 521 (1977); Alexander Meiklejohn, The First Amendment is an Absolute, 1961 Sup. Ct. Rv. (1961). ↩︎
- Truth was cast as needing “no policies, nor strategems, nor licencings to make her victorious, those are the shifts and the defences that error uses against her power: give her but room, and do not bind her when she sleeps.” John Milton, Areopagitica: A Speech of Mr. John Milton for the Liberty of Unlicenc’d Printing to the Parliament of England (1644) available at http://www.dartmouth.edu/~milton/reading_room/areopagitica/. ↩︎
- John Stuart Mill, On Liberty § 2 (1869). ↩︎
- Meiklejohn, supra note 15, at 256. ↩︎
- This theory presumes the corrupting effect is constant, as “the central premise of the checking value is that the abuse of official power is an especially serious evil—more serious than the abuse of private power, even by institutions such as large corporations which can affect the lives of millions of people.” Blasi, supra note 15, at 538. ↩︎
- Id. at 546. ↩︎
- For example, other valuable speech may range from attorney speech about the judiciary—which is chilled by severe sanctions—or potentially influential popular criticism of corporations—which is difficult due to financial disincentives. ↩︎
- See generally Peñalver & Katyal, supra note 10. ↩︎
- John Rawls, A Theory of Justice 364 (1971). ↩︎
- Id. at 365. ↩︎
- Id. ↩︎
- Mill, supra note 17, § 2. ↩︎
- Meiklejohn, supra note 15. ↩︎
- Steven Shiffrin, The First Amendment, Democracy, and Romance 48 (1990). ↩︎
- Steven Shiffrin, Dissent, Injustice, and the Meanings of America 10 (1998). ↩︎
- Emerson, supra note 14, at 886. ↩︎
- Shiffrin, supra note 29, at 17. ↩︎
- Id. at 70. ↩︎
- See generally Abe Fortas, Concerning Dissent and Civil Disobedience (1968). ↩︎
- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are core protocols of the Internet Protocol (IP). ↩︎
- Communication latency refers to the delay between an input and response: that is, the time it takes for a sent packet of data to be received at its destination. ↩︎
- See generally Barry Leiner, Vint Cerf et al., Brief History of the Internet, Internet Society (2000), http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet. ↩︎
- A host server constitutes a computer hardware system running one or more services to serve clients on the network. ↩︎
- Bandwidth is the difference between the lower and upper limit of a continuous band of frequencies. ↩︎
- Mirkovic et al., supra note 6, § 1.1. ↩︎
- Id. ↩︎
- Id. § 5.1 ↩︎
- A ping flood is a simple DoS action wherein the operator overwhelms the target with ping packets. ↩︎
- See generally Evan R. Goldstein, Digitally Incorrect – Ricardo Dominguez’s Provocations: Art or Crime?, The Chronicle of Higher Education (Oct. 3, 2010), http://chronicle.com/article/Digitally-Incorrect/124649/. ↩︎
- For example, in 19th century Paris, street protests rendered the State inert by blocking sovereign access to capital. Critical Art Ensemble, Electronic Civil Disobedience 11 (1996), available at http://www.critical-art.net/books/ecd/. ↩︎
- Peñalver & Katyal, supra note 10, at 16-17. ↩︎
- Critical Art Ensemble, supra note 44, at 13. ↩︎
- Id. ↩︎
- Peñalver & Katyal, supra note 10, at 25. ↩︎
- Critical Art Ensemble, supra note 44, at 27. ↩︎
- Peñalver & Katyal, supra note 10, at 18. ↩︎
- Despite owners’ general desire to protect their property, many remain negligent, thus compromising the security of their property by their own omission. This is especially true of large corporations whose responsibility it is to protect employee, consumer, and client information; due to their negligence, this information is often insecure. ↩︎
- Peñalver & Katyal, supra note 10, at 31. See generally Vyshali Manivannan, We Do It for the Lulz: Graffiti as a Metaphor for Digital Defacement (Dec. 2, 2012) (unpublished manuscript) (on file with author) (explaining how cybergraffiti visibilizes lax security implemented by proprietary owners of citizens’ sensitive information). ↩︎
- See United States v. Dennis, 341 U.S. 494 (2001). ↩︎
- cDc Communications & HACKTIVISMO, Hacktivismo Declaration, cDc Files (July 4, 2001), http://www.cultdeadcow.com/cDc_files/declaration.html. ↩︎
- Elinor Mills, Oldtime Hacktivists: Anonymous, You’ve Crossed the Line, CNet (Mar. 30, 2012), http://news.cnet.com/8301-27080_3-57406793-245/old-time-hacktivists-anonymous-youve-crossed-the-line/. ↩︎
- Oxblood Ruffin, “Hacktivism: From Here to There” Speech at Yale Law School CyberCrime and Digital Law Enforcement Conference (Mar. 28, 2004), available at http://lawmeme.law.yale.edu/static/pastevents/digitalcops/papers/ruffin_hacktivism.pdf. ↩︎
- Net.artists and net.activists refer to artists and activists working with the Internet medium, as a parody of the avant garde movement and as tactical experiments in social responsibility: for example, pop-up interventions, browser-crashing applets, or political gestures such as “human rights not found on this server” messages in place of an expected 404 error message. See generally cDc, Running a Microsoft Operating System on a Network? Our Condolences, cDc Files (July 21, 2000), http://www.cultdeadcow.com/news/back_orifice.txt; Mills, supra note 55; Weasel Boy & Lizard, CULT OF THE DEAD COW Sought in Obscenity Case, 302 cDc Files (Jan. 1, 1996), http://www.cultdeadcow.com/cDc_files/cDc-0302.txt; Stefan Wray, The Electronic Disturbance Theater and Electronic Civil Disobedience, Electronic Civil Disobedience (June 17, 1998), available at http://www.thing.net/~rdom/ecd/EDTECD.html. ↩︎
- Brett Stalbaum, The Zapatista Tactical FloodNet: A Collaborative, Activist, and Conceptual Art Work of the Net, Electronic Civil Disobedience (July 6, 2007), http://www.thing.net/~rdom/ecd/ZapTact.html. ↩︎
- Ricardo Dominguez, Electronic Civil Disobedience: Inventing the Future of Online Agitprop Theater, 124 Theories & Methodologies 1806, 1807 (2009), available at http://academia.edu/2701960/Electronic%Civil%Disobedience%Inventing%the%Future%of%Online%Agitprop%Theater. ↩︎
- the electrohippies collective, Client-Side Distributed Denial-of-Service: Valid Campaign Tactic or Terrorist Act? (Feb. 2000), available at http://www.fraw.org.uk/projects/electrohippies/archive/op-01.html. ↩︎
- EDT and borderlands hacklab, Virtual Sit-In with the Striking Students of France!, IndyMedia (Mar. 16, 2006), http://www.indymedia.org.uk/en/regions/world/2006/03/335967.html. ↩︎
- Dominguez, supra note 59, at 1810. ↩︎
- See generally id.; the electrohippies collective, supra note 60. ↩︎
- Henry David Thoreau, Resistance to Civil Government: a Lecture Delivered in 1847, in Aesthetic Papers 189 (1849). ↩︎
- Cyberterrorism: Hearing Before the Special Oversight Panel on Terrorism of the H. Comm. on Armed Services, 106th Cong. 73–74 (1999) (testimony of Dorothy Denning) [hereinafter Cyberterrorism Hearing]. ↩︎
- Hampson, supra note 5, at 516. For instance, hacktivist group LulzSec’s use of DDoS flooding actions and redacted database leaks against InfraGard Atlanta would be judged communicative but socially irresponsible but would be significantly less grave than the Irish Republican Army’s use of similar actions to disseminate officials’ addresses for the purposes of assassination. See generally Cyberterrorism Hearing, supra note 65. ↩︎
- See generally Dorothy Denning, Barriers to Entry, 1 IO J. 6 (2009), available at http://faculty.nps.edu/dedennin/publications/Denning-BarriersToEntry.pdf; Dominguez, supra note 59; electrohippies, supra note 60. ↩︎
- Gary Kessler & Diane Levine, Denial-of-Service Attacks, in Computer Security Handbook (Seymour Bosworth et al. eds., 5th ed. 2009). ↩︎
- Moreover, “cracker” unitarily associates DDoS with vulnerability actions, which are legally tenuous in contrast to the flooding actions undertaken by expressive altlaws, who may claim that their interpretation of the law coincides with existing law. ↩︎
- See generally Oxblood Ruffin, Key Concepts: Electrohippies, Anticorporatism, Packet Wankers, Denial of Service (DoS), Freedom of Expression, Hacktivism Versus [H]activism (July 17, 2000), http://w3.cultdeadcow.com/cms/2000/07/hacktivismo.html; Ruffin, supra note 56. ↩︎
- Winn Schwartau, Cyber-civil Disobedience: Inside the Electronic Disturbance Theater’s Battle with the Pentagon, Network World Fusion (Jan. 11, 1999), http://www.networkworld.com/news/0111vigcyber.html. ↩︎
- Ronald Rotunda, The Politics of Language: Liberalism as Word and Symbol 9 (2009). ↩︎
- Naomi Mezey, Law as Culture, 13 Yale J.L. & Human. 35, 45–46 (2001), available at http://scholarship.law.georgetown.edu/facpub/317/. ↩︎
- Id. at 50–51. ↩︎
- See Marco Deseriis, Lots of Money Because I Am Many: The Luther Blissett Project and the Multiple-Use Name Strategy, 21 Thamyris/Intersecting 65 (2011), available at http://autonomousuniversity.org/sites/default/files/Deseriis_Blissett_Cultural_Activism.pdf. ↩︎
- See generally James Sears, Behind the Mask of the Mattachine: The Hal Call Chronicles and the Early Movement for Homosexual Emancipation (2006). ↩︎
- Schwartau, supra note 71, at ¶ 9. ↩︎
- Fortas, supra note 33. ↩︎
- Use of Army and Air Force as posse comitatus, 18 U.S.C. § 1385 (1981). ↩︎
- Kristina Wong, Patriotic ‘Hacktivist’ Claims He Took Down WikiLeaks Site, ABC News (Nov. 30, 2010), available at http://abcnews.go.com/US/patriotic-hacktivist-claims-wikileaks-site/story?id=12272776. ↩︎
- United States v. Collins, No. CR 11-00683 DLJ WL 3537814 (C.N.D. 2012). ↩︎
- See generally Anthony Freed, Jester Unveils Automated XerXeS Automated DoS Attack, InfoSecIsland (Feb. 10, 2010), http://www.infosecisland.com/blogview/2882-Jester-Unveils-XerXeS-Automated-DoS-Attack.html (explaining the technical capabilities of XerXeS to eliminate collateral damage, randomize IP locations, and take down multiple targets with only a single machine). ↩︎
- Jessica L. Beyer, The Emergence of a Freedom of Information Movement: Anonymous, WikiLeaks, the Pirate Party, and Iceland 7–8 (unpublished manuscript) (on file with author). ↩︎
- See generally th3j35t3r, The Jester’s Court, http://www.http://jesterscourt.at.tf/. ↩︎
- See Collins; DPP v. Lennon, EWHC 1201 (2006) (U.K.) (appeal) (holding that DoS actions were criminal “impairments” under the Computer Misuse Act based on intentionality and consent on the part of the target, despite an initial dismissal of “impairment” as limited to exploitative code), available at http://www.leagle.com/xmlResult.aspx?xmldoc=20011071246F3d825_1993.xml&docbase=CSLWAR2-1986-2006. ↩︎
- Emerson, supra note 14, at 888. ↩︎
- See generally Steven Levy, Hackers: Heroes of the Computer Revolution (ed. 2010); Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (1992), available at http://www.gutenberg.org/ebooks/101. ↩︎
- Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860 (1998); Electronic Communications Privacy Act (ECPA), Pub. L. 99-508, 100 Stat. 1848 (1986); National Information Infrastructure Protection Act, Pub. L. 104-294, 110 Stat. 3488 (1996) (amending 18 U.S.C. § 1030). ↩︎
- Hampson, supra note 5, at 521. ↩︎
- Id. at 525. ↩︎
- USA PATRIOT Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001); Sterling, supra note 87; see United States v. Middleton, 231 F. 3d 1207 (9th Cir. 2000) (holding that “loss” in the CFAA was defined as reasonable costs to the victim of computer crime regarding response, damage assessment, restoration, employee wages, and lost revenue). ↩︎
- Trevor Timm, Congress’ New CFAA Draft Could Have Put Aaron Swartz in Jail for Decades Longer Than the Original Charges, Electronic Frontier Foundation (Mar. 27, 2013), https://www.eff.org/deeplinks/2013/03/congress-new-cfaa-draft-could-have-put-aaron-swartz-jail-decades-longer-he-was. ↩︎
- Hampson, supra note 5, at 525. ↩︎
- 18 U.S.C. § 1030(a)(4), (a)(5)(A)–(C), (c)(4)(A)(V)–(VI) (2008) (emphasis added). ↩︎
- Id. § 1030(e)(8), (e)(11) (2008) (emphasis added). ↩︎
- Kerr, supra note 6, at 1563. ↩︎
- Id. at 1564–1571. ↩︎
- Id. at 1562. ↩︎
- See generally United States v. Riggs, 739 F. Supp. 414, 743 F. Supp. 556 (N.D. Ill. 1990); Sterling, supra note 87, at 246–247, 272 (explaining the inclusion of bureaucratic overhead and purchase costs and maintenance of preexisting software and hardware in revaluing a $13 document at $80,000). ↩︎
- 18 U.S.C. § 1030. ↩︎
- Kerr, supra note 6, at 1563. ↩︎
- Katyal, supra note 10, at 510; Fortas, supra note 33. ↩︎
- See generally Sterling, supra note 87. ↩︎
- Transportation of stolen goods, securities, moneys, fraudulent State tax stamps, or articles used in counterfeiting, 18 U.S.C. § 2314 (2012). ↩︎
- Riggs. ↩︎
- Id. ↩︎
- Sterling, supra note 87, at 241. ↩︎
- See James Niccolai, Analyst Puts Hacker Damage at $1.2 Billion and Rising, InfoWorld (Feb. 10, 2000), http://www.infoworld.com/articles/ic/xml/00/02/10/000210icyankees.html. ↩︎
- Today’s FBI: Facts and Figures, Internet Archive WayBack Machine (Apr. 2003), available at http://web.archive.org/web/20070326115414/http://www.fbi.gov/libref/factsfigure/factsfiguresapri2003.htm (explaining that the defendant was tried in Canadian court and charged with mischief to property in excess of $5,000 and unauthorized access to protected computers and private Internet websites, similar to the CFAA). ↩︎
- Niccolai, supra note 108. ↩︎
- Mirkovic et al., supra note 6, § 3.3.1. ↩︎
- See generally Hampson, supra note 5, at 517, 539–540. ↩︎
- See generally Jason Schreier, Sony Hacked Again: 25 Million Entertainment Users’ Information at Risk, Wired (May 2, 2011), available at http://www.wired.com/gamelife/2011/05/sony-online-entertainment-hack/. ↩︎
- Reports indicated that damages were calculated by totaling service credits to frustrated customers, lost productivity, lost revenue, increased IT expenses, and litigation expenses. Defeating DDoS Attacks, Cisco (2004), http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5879/ps6264/ps5888/prod_white_paper0900aecd8011e927.html. ↩︎
- Hampson, supra note 5, at 517. ↩︎
- United States Attorney’s Office, District of Alaska, Alaska Man Indicted for Alleged Attack on United States Court Computer System, U.S. Department of Justice, Computer Crime & Intellectual Property Division (Apr. 19, 2000), http://www.justice.gov/criminal/cybercrime/dennis.htm. ↩︎
- See generally U.S. Department of Justice, Computer Crime & Intellectual Property Division, available at http://www.justice.gov/criminal/cybercrime/ (listing indictments for United States v. Lindsly, United States v. Iffeh, United States v. Zezov, and United States v. Torricelli). ↩︎
- U.S. Attorney’s Office, supra note 116. ↩︎
- See generally We Are Legion: The Story of the Hacktivists (FilmBuff 2012). ↩︎
- Id. ↩︎
- Julian Dibbell, The Assclown Offensive: How to Enrage the Church of Scientology, Wired (July 21, 2009), available at http://www.wired.com/culture/culturereviews/magazine/17-10/mf_chanology?currentPage=all. ↩︎
- David Kravets, ‘Anonymous’ Member Pleads Guilty to Scientology Web Attacks, Wired (May 11, 2009), available at http://www.wired.com/threatlevel/2009/05/teen-pleads-guilty-to-scientology-web-attacks/. See generally Par-AnoiA, http://par-anoia.net/. ↩︎
- United States v. Mettenbrink, No. CR 09-01149 GAF, 2010 (C.D. Cal.). ↩︎
- See generally We Are Legion, supra note 119. ↩︎
- Melinda Haag, Prosecution of Internet Hacktivist Group ‘Anonymous,’ U.S. Attorney for the Northern District of California’s Office, http://www.justice.gov/usao/briefing_room/cc/mca_anonymous.html. ↩︎
- We Are Legion, supra 119. ↩︎
- Jay Leiderman, Justice for the PayPal WikiLeaks Protestors: Why DDoS is Free Speech, The Guardian (Jan. 22, 2013), available at http://www.guardian.co.uk/commentisfree/2013/jan/22/paypal-wikileaks-protesters-ddos-free-speech. ↩︎
- Dan Goodin, ‘Virtual Sit-In’ Tests Line Between DDoS and Free Speech: Civil Disobedience in the Digital Age, The Register (Apr. 9, 2010), available at http://www.theregister.co.uk/2010/04/09/virtual_protest_as_ddos/ (emphasis added). ↩︎
- We Are Legion, supra note 119. ↩︎
- See generally Mirkovic et al., supra note 6; Kerr, supra note 6. ↩︎
- See United States v. Ackroyd, S1-12 CR 185 LAP (S.D.N.Y., 2012). See generally Manivannan, supra note 52. ↩︎
- We Are Legion, supra note 119. ↩︎
- Ackroyd. ↩︎
- United States v. Cleary, 12 CR-00561-UA-1 (W.D.L.A., 2012). ↩︎
- United States v. Monsegur, SI-11 CR 666 LAP (S.D.N.Y., 2012). ↩︎
- Goodin, supra note 128. ↩︎
- Research has yet to explore the intersection between reputable professions and grassroots movements, for example, as in academics who are also activists. ↩︎
- Although freedom of speech is considered a negative right, the right to dissent includes a positive right to State protections from hostile private audiences, or aid in preventing powerful groups from excluding certain points of view. See generally Red Lion Broad. Co. v. Fed. Communications Comm’n, 395 U.S. 367 (1969); Emerson, supra note 14. ↩︎
- Critical Art Ensemble, supra note 44, at 11. ↩︎
- We Are Legion, supra note 119. ↩︎
- Brian Bloom, The New DDoS: Silent, Organized, and Profitable, PC World (May 29, 2012), http://www.pcworld.com/article/256431/the_new_ddos_silent_organized_and_profitable.html. ↩︎
- Lance Whitney, 4chan Takes Down RIAA, MPAA Sites, CNet (Sept. 20, 2010), http://news.cnet.com/8301-1009_3-20016961-83.html. ↩︎
- See generally Peñalver & Katyal, supra note 10. ↩︎
- See generally Shiffrin, supra note 29. ↩︎
- Emerson, supra note 14, at 888. ↩︎
- Barbara Katz, Civil Disobedience and the First Amendment, 32 UCLA L. Rev. 904, 906 (1985). ↩︎
- Stromberg v. California, 283 U.S. 359 (1931). ↩︎
- United States v. O’Brien, 391 U.S. 367 (1968). ↩︎
- Cox v. Louisiana, 379 U.S. (1965). ↩︎
- Katz, supra note 146, at 906. ↩︎
- Id. ↩︎
- Id. at 904. ↩︎
- Katyal, supra note 10, at 553. ↩︎
- Id. at 558; O’Brien. ↩︎
- O’Brien. ↩︎
- Katyal, supra note 10, at 558-559. ↩︎
- Id. at 559; O’Brien. ↩︎
- Molly Sauter, Towards a New Framework for the Ethical Analysis of Activist DDoS Actions (2012) (unpublished manuscript). ↩︎
- Katyal, supra note 10, at 493. ↩︎
- See generally Shiffrin, supra note 28. ↩︎
- Akhil Amar, The Bill of Rights: Creation and Reconstruction xiii (1998). ↩︎
- Id. at 21. ↩︎
- See generally Mettenbrink; U.S. Attorney’s Office, supra note 116; Leiderman, supra note 127; We Are Legion, supra note 119. ↩︎
- U.S. Attorney’s Office, supra note 116. ↩︎
- Id. ↩︎
- We Are Legion, supra note 119. ↩︎
- Camille Tuutti, Member of ‘Anonymous’ Sentenced for Attacking Scientology Church, The New New Internet (Apr. 16, 2010), http://www.thenewnewinternet.com/2010/04/16/member-of-anonymous-sentenced-for-attacking-scientology-church/. See generally Dibbell, supra note 121. ↩︎
- 18 U.S.C. § 1030. ↩︎
- Beyer, supra note 83, at 5. ↩︎
- Coleman, supra note 8, at 435. ↩︎
- Reimerdes. ↩︎
- See generally Mirkovic et al., supra note 6; Kessler & Levine, supra note 68. ↩︎
- See generally Katyal, supra note 10; Schreier, supra note 113. ↩︎
- See generally Manivannan, supra note 52. ↩︎
- See generally Katyal, supra note 10. ↩︎
- See generally Cyberterrorism Hearing, supra note 65. ↩︎
- Mirkovic et al., supra note 6, at 4. ↩︎
- 18 U.S.C. § 1029 (2012); Fraud by wire, radio, or television, 18 U.S.C. § 1343 (2012); Interception and disclosure of wire, oral, or electronic communications prohibited, 18 U.S.C. § 2511 (2012); 18 U.S.C. §§ 2701–2712. ↩︎
- See generally Dibbell, supra note 121. ↩︎
- See generally Freed, supra note 82. ↩︎
- Riggs. ↩︎
- See generally Sauter, supra note 158. ↩︎
- David Harris Gershon, Activists Occupy Starbucks Cafes, Turning Them Into Women’s Shelters & Day Care Centers Across UK, Daily Kos (Dec. 8, 2010), available at http://www.dailykos.com/story/2012/12/08/1168270/-Activists-Occupy-Starbucks-Cafes-Turning-Them-into-Women-s-Shelters-Day-Care-Centers-Across-UK. ↩︎
- See generally Katyal, supra note 10. ↩︎
- Bloom, supra note 141. ↩︎
- Beyer, supra note 83, at 12. ↩︎
- Mezey, supra note 73, at 37. ↩︎
- White House Petition, Make Distributed-Denial-of-Service (DDoS) a Legal Form of Protesting (Jan. 7, 2013), https://petitions.whitehouse.gov/petition/make-distributed-denial-service-ddos-legal-form-protesting/X3drjwZY. ↩︎
- See generally Penalver & Katyal, supra note 10; Katyal, supra note 10. ↩︎
- See generally Blasi, supra note 15. ↩︎
- See Katyal, supra note 10. ↩︎
- Terminiello v. City of Chicago, 337 U.S. 1 (1949). ↩︎
- See generally Penalver & Katyal, supra note 10. ↩︎
- Although beyond the scope of this Article, the dissent-oriented framework proposed here would accommodate certain types of cybergraffiti actions—particularly those linked to DDoS actions—as well as other forms of semiotic disobedience and culture jamming, such as redirects to fake corporate websites, 404 pages, or so-called click fraud. See generally Sauter, supra note 158; Alexis Madrigal, The New Culture Jamming: How Activists Will Respond to Online Advertising, The Atlantic, May 15, 2012, available at http://www.theatlantic.com/technology/archive/2012/05/the-new-culture-jamming-how-activists-will-respond-to-online-advertising/257176/. ↩︎
- Id. ↩︎
- Emerson, supra note 14, at 889. ↩︎
- Madrigal, supra 194, at ¶ 13. See generally Shiffrin, supra note 29. ↩︎
