This has been happening ever since the early days of such “cyber sit ins / DDoS” protests or attacks e.g. the Electronic Disturbance Theater’s Floodnet, back in 1998, which was nominally in support of the Zapatista rebels in the Chiapas province, against the Government of Mexico.

http://www.thing.net/~rdom/ecd/EDTECD.html

On the Protest Day thousands of gullible armchair supporters of the online protest, who went to the protest web page, and thereby doenloaded a javascript which peacefully protested by repeatedly calling for a nonexistant file name from the President of Mexico’s website i.e. writing a “Down with the President Up with the Zapatistas!” slogan in the web server logfiles.

However what really happened was that the script was modified by the political activists with their own hidden agenda and political prejudices, and the thousands of nominally pro-Zapatista supporters from the USA and Europe, were actually also “attacking” the US Pentagon and the Frankfurt Stock Exchange websites, something which was not made clear to those participating before or during the protest. Neither of these targets had any direct relevance to the Chiapas conflict in Mexico.

The Pentagon retaliated by getting their non-existent target slogan page to actually spring into life, with a javascript that spawned hundreds of browser windows, thereby crashing many of the “attacking” browsers and locking up some of the “attacking” PCs.

“Real world” sit ins, marches and demonstrations are not susceptible to this sort of “bait and switch” cyber protest fraud.

I agree that there is likely to be little if any legal distinction between our meat-space protesters and keyboard-jockey, however within the space of the virtual protest I believe we will find a few new layers:

(IANL but I play one on the Internet, so bear with me)

- Are all participants complicit in the act? I think we agree that using a covert botnet for a protest is evil no matter how honorable the cause.

- Are the participants active in the act? IMO Installing a script and going to lunch should have less 1st Amendment protection than manually refreshing a webpage or submitting a form over and over. I dare say I don’t think less should equal none just less. Consider sending a “non-sentient” robot to our physical protest.

- Are the participants anonymous? I am not sure how I feel about this one yet. In the real world you can anonymously attend a protest (wearing a mask). However if something goes wrong for example someone gets trampled that anonymity can be rescinded in the name of public-safety. If a life were somehow lost as a direct result of a e-protest are the protesters still entitled to maintain their anonymity? Who is responsible if the Lufthansa protest had taken down a computer system which prevented a flight from leaving on-time carrying transplant organs? (I realize that scenario is a big stretch but you get the idea).

As far as I am aware all of this is un-tested in the field. Even the botnet research community is still coming to grips with the ethical/legal questions currently on the table. It is sure to be hotly contested, but I think a calibration framework would be a positive step.

I think both points are right on target.

There is a huge difference sociopolitical difference between enduring taunts and threats at a counter and drinking a liter of mountain dew in your $1000 chair while refreshing the Scientology page a billion times a second. However, I’m not quite sure why there is a legal distinction – you’d think that the lack of bravery or effort in the latter act would be reflected in the fact that most people wouldn’t perceive it as being as noble or self-sacrificing, and that the cost would thus be internalized in its relatively lack of effect, not externalized in the law.

And yes, I definitely agree that there is a huge difference between a botnet and the Lufthansa case. I think that it’s safe to say a botnet DDOS isn’t OK because you’re exploiting someone else’s computer – the kidnapping analogy works well here.

Here’s my broader point, I suppose:

We seem to care an awful lot about the political character or moral content of a trespass in the physical world. That’s why we love Betty Hall and hate cat burglars and calibrate punishments accordingly. We don’t seem to care about the these moral questions in the context of virtual trespasses, however. I think what I’d like to do – if this ever gets to the more formal level, which it may not – is not so much advocate for a First Amendment right to DDoS, but rather to offer a conceptual framework for calibrating punishments based on the moral value of the DDoS at issue.

I have two quick thoughts about this, both growing from your analogy. I think for the most part it is an apt metaphor (albeit with some rough edges).

First, When engaging in a “meat-space” sit-in style protest the protester has to sacrifice to some extent. Usually in terms of time where they could be doing something else. This sacrifice serves to add some nobility (for lack of a better term) to their contribution. A virtual sit-in as you describe does not require the continued attention or any significant resources on the part of the protester and therefore lacks that nobility. I suspect that this difference will translate into a decreased level of acceptability for this kind of activity.

Second, In a “traditional” DDOS the majority of the participants are ignorant of the event. The fact that the participants in this case were knowing willing contributors may alter the public perception. It is the difference between a script kiddie taking down a site for fun and a large group intending to send a clear message that they find a behavior objectionable. To tie back into your analogy a traditional DDOS in meat-space would require kidnapping a sufficient number of people and handcuffing them to the establishment that you wish to protest.

Thanks
Ben