Germany’s major carrier Lufthansa became the target of a Distributed Denial of Service (DDoS) attack…The attack was initiated by Andreas-Thomas Vogel, an activist and website administrator for the Libertad, an advocacy group criticizing as “inhumane” Lufthansa’s policy of letting the police use its planes for the forced deportation of asylum seekers. On June 20, 2001, Vogel called for Internet users to participate in what he claimed to be an “online demonstration.” He released software that systematically contacted the website of Lufthansa and flooded the company’s web server with messages, forcing it to shut down. According to Lufthansa lawyers and Human Rights organizations, Lufthansa registered about 1.2 million hits that day, which originated from some 13,000 computers.
I’m currently doing some work on cyberaggression for Urs Gasser at the Berkman Center. The Vogel case – quoted above – would seem to be a textbook example of malicious online aggression: a number of users, acting in concert, overwhelm the web servers of a foe until the site shuts down. As far as I can tell, it is a textbook distributed denial of service attack, with the one rather noteworthy exception that, instead of hiring out a botnet for an hour or so, Vogel actually got real people to run the software.
So here is the question: should we treat Vogel like a ruthless criminal or like a virtuous activist? Or, in other words, was the Lufthansa DDoS more like blackmail (Vogel was charged with coercion) or more like a sit-in?
Blackmail and sit-ins are both illegal, of course. Activists were arrested for trespass or breach of the peace across much of the American South during the Civil Rights Era for sitting at restaurant bars and preventing other customers from using the space.
But there seems to me to be a normative distinction between the two. No one considers the students who sat silently at the counter at Woolworth’s to be hardened criminals, despite the fact that they deprived other customers of the ability to use the counter and indeed may have cost individual shop owners hundreds or thousands of dollars in lost revenue and bad publicity. There is a moral element to the sit-in that gets more respect than crime for financial benefit alone. That’s why activists at sit-ins were booked for trespassing and then released, usually within hours. The political content and moral character of their behavior contextualized and mitigated the formal offense.
In some ways a DDoS is like a sit-in. Both, at their conceptual core, consist of overutilizing scarce resources (in the former, server cycles; in the latter, space at a counter) to exclude others for political effect. Both are nonviolent but economically painful. And both can have a political character that might contextualize the offense.
This is the argument that Vogel made, at least, and the German appeals court bought it. Meanwhile, here in the U.S., script kiddie Dmitry Guzner faces 10 years in jail for DDoSing Scientology as part of Project Chanology. Now, details on Guzner and what he did are hard to find. It’s not clear to me whether he hired a botnet or whether he just distributed software that a bunch of 4chan kids used in concert, similar to the Libertad movement. And I’m not saying that the DDoS is a good tactic, or a morally right tactic, or that it shouldn’t be illegal. But there is a huge disproportionality between the punishments for the two crimes.
Paul Ohm has a good paper called The Myth of the Superuser (h/t Chris Soghoian) where he argues that all lawmakers have Kevin Mitnick in mind when they write cybercrime statutes and that therefore they are always prone to overcompensation. And I think this is really what interests me – not whether or not the DDoS incurs the same costs or should have the same social effect, but why the punishments are so different, and why we treat all DDoSs the same when we treat trespassing very differently depending on its political character.
There is (as far as I can tell) zero investigation of this issue in the legal literature. There are plenty of law review articles about assessing tort liability for the various parties to a DDoS attack (e.g. what percentage of damages should Microsoft pay in recompense for not patching its systems against malware quickly enough). But there doesn’t seem to be anything out there investigating what I think to be a very interesting and possibly important unexplored issue. To what extent (or under what circumstances) may a DDoS be considered a political act analogous to a sit-in? What analytical framework could distinguish malicious (i.e. blackmail) DDoSs from political (i.e. sit-in) DDoSs? How should these distinctions or similarities inform both the social and legal responses to different DDoSs?
This is very much a half-baked idea, something I’ve been mulling over for the last few days while reviewing the legal and behavioral literature for this project for Urs. There are already some major conceptual problems with the analogy (e.g. the difference in costs incurred by those conducting the “demonstration”, both in terms of physical inconvenience during the act and legal repercussions after the act, just to hit the most obvious point). But it seems to me that this is something worth formal investigation at some point. And I’d love to know if anyone out there has any thoughts about it.