In Praise of [Some] DDoSs?

by on Jul.21, 2009, under rfc

Germany’s major carrier Lufthansa became the target of a Distributed Denial of Service (DDoS) attack…The attack was initiated by Andreas-Thomas Vogel, an activist and website administrator for the Libertad, an advocacy group criticizing as “inhumane” Lufthansa’s policy of letting the police use its planes for the forced deportation of asylum seekers. On June 20, 2001, Vogel called for Internet users to participate in what he claimed to be an “online demonstration.” He released software that systematically contacted the website of Lufthansa and flooded the company’s web server with messages, forcing it to shut down. According to Lufthansa lawyers and Human Rights organizations, Lufthansa registered about 1.2 million hits that day, which originated from some 13,000 computers.

I’m currently doing some work on cyberaggression for Urs Gasser at the Berkman Center. The Vogel case – quoted above – would seem to be a textbook example of malicious online aggression: a number of users, acting in concert, overwhelm the web servers of a foe until the site shuts down. As far as I can tell, it is a textbook distributed denial of service attack, with the one rather noteworthy exception that instead of hiring out a botnet for an hour or so Vogel actually got real people to run the software.

So here is the question: should we treat Vogel like a ruthless criminal or like a virtuous activist? Or, in other words, was the Lufthansa DDoS more like blackmail (Vogel was charged with coercion) or more like a sit-in?

Blackmail and sit-ins are both illegal, of course. Activists were arrested for trespass or breach of the peace across much of the American South during the Civil Rights Era for sitting at restaurant bars and preventing other customers from using the space.

But there seems to me to be a normative distinction between the two. No one considers the students who sat silently at the counter at Woolworth’s to be hardened criminals, despite the fact that they deprived other customers of the ability to use the counter and indeed may have cost individual shop owners hundreds or thousands of dollars in lost revenue and bad publicity. There is a moral element to the sit-in that gets more respect than crime for financial benefit alone. That’s why activists at sit-ins were booked for trespassing and then usually released within hours. The political content and moral character of their behavior contextualized and mitigated the formal offense.

In some ways a DDoS is like a sit-in. Both, at their conceptual core, consist of overutilizing scarce resources (in the former, server cycles; in the latter, space at a counter) to exclude others for political effect. Both are nonviolent but economically painful. And both can have a political character that might contextualize the offense.

This is the argument that Vogel made, at least, and the German appeals court bought it. Meanwhile, here in the U.S., script kiddie Dmitry Guzner faces 10 years in jail for DDoSing Scientology as part of Project Chanology. Now, details on Guzner and what he did are hard to find. It’s not clear to me whether he hired a botnet or whether he just distributed software that a bunch of 4chan kids used in concert similar to the Libertad movement. And I’m not saying that the DDoS is a good tactic, or a morally right tactic, or that it shouldn’t be illegal. But there is a huge disproportionality between the punishments for the two crimes.

Paul Ohm has a good paper called The Myth of the Superuser (h/t Chris Soghoian) where he argues that all lawmakers have Kevin Mitnick in mind when they write cybercrime statutes and that therefore they are always prone to overcompensation. And I think this is really what interests me – not whether or not the DDoS incurs the same costs or should have the same social effect, but why the punishments are so different, and why we treat all DDoSs the same when we treat trespassing very differently depending on its political character.

There is (as far as I can tell) zero investigation of this issue in the legal literature. There are plenty of law review articles about assessing tort liability for the various parties to a DDoS attack (i.e. what percentage of damages should Microsoft pay in recompense for not patching their system against malware quickly enough). But there doesn’t seem to be anything out there investigating what I think to be a very interesting and possibly important unexplored issue. To what extent (or under what circumstances) may a DDoS be considered a political act analogous to a sit-in? What analytical framework could distinguish malicious (i.e. blackmail) DDoSs from political (i.e. sit-in) DDoSs? How should these distinctions or similarities inform both the social and legal responses to different DDoSs?

This is very much a half-baked idea, something I’ve been mulling over for the last few days while reviewing the legal and behavioral literature for this project for Urs. There are already some major conceptual problems with the analogy (i.e. difference in costs incurred by those conducting the “demonstration”, both in terms of physical inconvenience during the act and legal repercussions after the act, just to hit the most obvious point). But it seems to me that this is something worth formal investigation at some point. And I’d love to know if anyone out there has any thoughts about it.

11 comments for this entry:
  1. Ben April

    Chris-

    I have two quick thoughts about this, both growing from your analogy. I think for the most part it is an apt metaphor (albeit with some rough edges).

    First, when engaging in a “meat-space” sit-in style protest the protester has to sacrifice to some extent, usually in terms of time where they could be doing something else. This sacrifice serves to add some nobility (for lack of a better term) to their contribution. A virtual sit-in as you describe does not require the continued attention or any significant resources on the part of the protester and therefore lacks that nobility. I suspect that this difference will translate into a decreased level of acceptability for this kind of activity.

    Second, in a “traditional” DDOS the majority of the participants are ignorant of the event. The fact that the participants in this case were knowing, willing contributors may alter the public perception. It is the difference between a script kiddie taking down a site for fun and a large group intending to send a clear message that they find a behavior objectionable. To tie back into your analogy, a traditional DDOS in meat-space would require kidnapping a sufficient number of people and handcuffing them to the establishment that you wish to protest.

    Thanks
    Ben

  2. chris

    Ben –

    I think both points are right on target.

    There is a huge sociopolitical difference between enduring taunts and threats at a counter and drinking a liter of Mountain Dew in your $1000 chair while refreshing the Scientology page a billion times a second. However, I’m not quite sure why there is a legal distinction – you’d think that the lack of bravery or effort in the latter act would be reflected in the fact that most people wouldn’t perceive it as being as noble or self-sacrificing, and that the cost would thus be internalized in its relative lack of effect, not externalized in the law.

    And yes, I definitely agree that there is a huge difference between a botnet and the Lufthansa case. I think that it’s safe to say a botnet DDOS isn’t OK because you’re exploiting someone else’s computer – the kidnapping analogy works well here.

    Here’s my broader point, I suppose:

    We seem to care an awful lot about the political character or moral content of a trespass in the physical world. That’s why we love Betty Hall and hate cat burglars and calibrate punishments accordingly. We don’t seem to care about these moral questions in the context of virtual trespasses, however. I think what I’d like to do – if this ever gets to the more formal level, which it may not – is not so much advocate for a First Amendment right to DDoS, but rather to offer a conceptual framework for calibrating punishments based on the moral value of the DDoS at issue.

  3. Ben April

    Chris-

    I agree that there is likely to be little if any legal distinction between our meat-space protesters and keyboard jockeys; however, within the space of the virtual protest I believe we will find a few new layers:

    (IANL but I play one on the Internet, so bear with me)

    - Are all participants complicit in the act? I think we agree that using a covert botnet for a protest is evil no matter how honorable the cause.

    - Are the participants active in the act? IMO installing a script and going to lunch should have less 1st Amendment protection than manually refreshing a webpage or submitting a form over and over. I dare say I don’t think less should equal none, just less. Consider sending a “non-sentient” robot to our physical protest.

    - Are the participants anonymous? I am not sure how I feel about this one yet. In the real world you can anonymously attend a protest (wearing a mask). However, if something goes wrong, for example someone gets trampled, that anonymity can be rescinded in the name of public safety. If a life were somehow lost as a direct result of an e-protest, are the protesters still entitled to maintain their anonymity? Who is responsible if the Lufthansa protest had taken down a computer system which prevented a flight from leaving on time carrying transplant organs? (I realize that scenario is a big stretch but you get the idea.)

    As far as I am aware all of this is untested in the field. Even the botnet research community is still coming to grips with the ethical/legal questions currently on the table. It is sure to be hotly contested, but I think a calibration framework would be a positive step.

  4. chris

    Thanks Ben! I am unfamiliar with the botnet research community’s take on this as I’m coming mostly from the sociolegal literature, but I may hit you up for some specific questions if I decide to pursue this further. I very much appreciate your feedback and sense that there is at least a kernel of something interesting and worthwhile here.

  5. …My heart’s in Accra » links for 2009-07-25

    [...] In Praise of [Some] DDoSs? – Chris Peterson Should we see DDOS – as used by activists – as analogous to a sit-in protest… or as a form of blackmail or other criminal coercion? Good questions on an interesting DDOS incident from Chris Peterson (tags: ddos activism hacktivism berkman lufthansa protest) [...]

  6. Watching Them, Watching Us

    Do not forget the “bait and switch” tactics which have been abused by evil political activists, who think nothing of “manipulating the masses”, because they think that somehow “the end justifies the means”.

    This has been happening ever since the early days of such “cyber sit ins / DDoS” protests or attacks e.g. the Electronic Disturbance Theater’s Floodnet, back in 1998, which was nominally in support of the Zapatista rebels in the Chiapas province, against the Government of Mexico.

    http://www.thing.net/~rdom/ecd/EDTECD.html

    On the Protest Day thousands of gullible armchair supporters of the online protest, who went to the protest web page, thereby downloaded a javascript which peacefully protested by repeatedly calling for a nonexistent file name from the President of Mexico’s website, i.e. writing a “Down with the President Up with the Zapatistas!” slogan in the web server logfiles.

    However, what really happened was that the script was modified by the political activists with their own hidden agenda and political prejudices, and the thousands of nominally pro-Zapatista supporters from the USA and Europe were actually also “attacking” the US Pentagon and the Frankfurt Stock Exchange websites, something which was not made clear to those participating before or during the protest. Neither of these targets had any direct relevance to the Chiapas conflict in Mexico.

    The Pentagon retaliated by getting their non-existent target slogan page to actually spring into life, with a javascript that spawned hundreds of browser windows, thereby crashing many of the “attacking” browsers and locking up some of the “attacking” PCs.

    “Real world” sit-ins, marches and demonstrations are not susceptible to this sort of “bait and switch” cyber protest fraud.

  7. shell scripts work better than giant puppets « Manifest Density

    [...] about that DDoS. I’m not sure what to say about it, really. I find the argument that it can be considered civil disobedience to be more compelling than I would’ve expected. I’m somewhat sympathetic to arguments [...]

  8. DDoS as civil disobedience: The Debate - Chris Peterson

    [...] chris on Dec.15, 2010, under general Last summer I posted “In Praise of [Some] DDoSs?”, a quick essay documenting the response gap between DDoS attacks and sit-ins. My argument [...]

  9. The Heihachi Cybercrime Gang | SVIRGULA AGAINST ALL

    [...] stuff and not a lot of war. Those events weren’t even worth staid academic terms like “cyberaggression,” let alone the word for man’s only [...]

  10. FREE RYAN | FREE RYAN CLEARY

    [...] consistent with a belief in freedom of speech and concepts of peaceful protest. Eminent jurists and Net theorists increasingly agree. Whose side will you [...]

  11. Vasileios Karagiannopoulos

    Dear Chris,

    I found this page while browsing the net in relation to the Vogel case. You will be glad to know that I have been doing a PhD since 2009 on exactly the legal issues that you raise in your post. The lack of any deep legal analysis on virtual sit-ins and punishment was exactly what spurred me to pursue this research. Hopefully, it will be submitted in a year’s time. I would really like it if we could get in touch and discuss the issue more, if you are still interested.

    Best,
    Vasileios
