In Defense of DDoS

Denial-of-service attacks are just another form of civil disobedience.


Judging by the last two weeks, being an enemy of Julian Assange is only marginally less stressful than being Julian Assange. Amazon, PayPal, MasterCard, and Visa, which all moved to cut ties with Assange’s WikiLeaks after the site’s release of diplomatic cables, have been the targets of distributed denial-of-service attacks from a group that calls itself “Anonymous.” There is nothing fancy going on here. DDoS attacks simply aim to send more traffic to a target site than it can handle, slowing it down or making it temporarily unavailable.

Many prominent Internet personalities, including John Perry Barlow and Cory Doctorow, have spoken out against DDoS on the sensible-sounding grounds that one can’t fight for free speech by limiting it for others. How, then, does Anonymous defend its actions?

In a press release (PDF), the self-described “Internet gathering” explains that its “goal is to raise awareness about WikiLeaks and the underhanded methods employed by … companies to impair WikiLeaks’ ability to function.” For this author, however, the most interesting bit of the press release comes in the next paragraph: “[A DDoS attack] is a symbolic action—as blogger and academic Evgeny Morozov put it, a legitimate expression of dissent” (italics theirs).

Yes, it’s true: I did write those words. Under certain conditions—some of which, I believe, are present in the case of Anonymous—DDoS attacks can be seen as a legitimate expression of dissent, very much similar to civil disobedience. In other words, there are cases where DDoS attacks have more in common with lunch-counter sit-ins than with acts of petty vandalism.

There is a legal precedent for such comparisons. In 2006, a court in Germany, asked to decide whether a DDoS blockade of Lufthansa for allowing its planes to be used in the deportation of asylum-seekers was tantamount to a demonstration, opined that the civil-disobedience analogy is valid. (Germany being Germany, the organizers of the cyber-attack on Lufthansa’s site had first asked the local authorities for formal permission to go ahead but were turned down.)

Declaring that DDoS is a form of civil disobedience is not the same as proclaiming that such attacks are always effective or likely to contribute to the goals of openness and transparency pursued by Anonymous and WikiLeaks. Legitimacy is not the same thing as efficacy, even though the latter can boost the former. In fact, the proliferation of DDoS may lead to a crackdown on Internet freedom, as governments seek to establish tighter control over cyberspace. 

Likewise, assessing the legitimacy of a particular DDoS attack is not the same as assessing its legality: There is no disputing the fact that DDoS is illegal in many countries (hence the “disobedience”). Thus, to figure out which cases of DDoS may deserve some leniency from the judges, we need to shift the focus away from the medium and on to the message.

John Rawls, one of the most influential philosophers of the 20th century, offered one of the best modern theories of civil disobedience in his 1971 masterpiece, A Theory of Justice. Rawls defended civil disobedience as long as the breach of law was public (i.e., authorities were notified of the disobedient act before or shortly after it occurred), nonviolent (i.e., the disobedient act did not impinge on the civil liberties of others and caused no injuries), and conscientious (i.e., the disobedient act was underpinned by serious moral convictions). Furthermore, Rawls argued that those who practice civil disobedience should be willing to accept the legal consequences of their actions, if only out of their fidelity to the rule of law.

Some elements of Rawls’ theory are not indisputable—Bertrand Russell, for example, believed that some violence might be acceptable, for it could force the media to pay attention to issues that may otherwise go unnoticed. Still, Rawls’ theory offers an elegant template for evaluating Anonymous’s DDoS warfare.

The attacks were clearly public: Anonymous widely advertised the targets, the software to be used, and even the timeframe. Anyone could follow their deliberations in their online chat. They were conscientious inasmuch as they believed that companies like Amazon and Visa behaved in a cowardly fashion by pulling support from WikiLeaks and that politicians—especially Joe Lieberman and Sarah Palin—should not have exerted pressure on them without first establishing a strong legal case against WikiLeaks.

Did the attackers want to change policies and laws and not just cause mischief? I believe so. One of their goals was to prevent other companies from bowing down to undue political pressure. Another objective was to show the government that prosecuting Assange based on the contentious Espionage Act of 1917 would enrage many digerati.

Things get a little foggier when it comes to whether the attacks should be classified as “violent.” While the DDoS attacks may have caused some material damage to their targets, this alone seems like a poor indicator of “violence.” That the attacks cause congestion of infrastructure is a feature, not a bug: After all, if acts of civil disobedience did not disrupt the normal flow of affairs, they would hardly be “disobedient.” One could also plausibly argue that since DDoS attacks cause only temporary rather than permanent damage to the attacked servers, they are far less violent than most acts of physical vandalism.

I’d argue, however, that the DDoS attacks launched by Anonymous were not acts of civil disobedience because they failed one crucial test implicit in Rawls’ account: Most attackers were not willing to accept the legal consequences of their actions. This is the crucial difference between Anonymous and the civil rights movement. Those who participated in lunch counter sit-ins—purchasing nothing but cups of coffee and paralyzing restaurants by preventing other patrons from sitting down—knew what they were getting themselves into. They were violating an unjust law, and they knew that they would likely be arrested for it. Their faces could be photographed, their papers could be checked. The civil rights-era protesters knew that effective civil disobedience could not be carried out in complete anonymity; members of the Anonymous collective have not grasped this yet.

How anonymous is Anonymous? While the FAQ for the collective’s preferred DDoS-launching software claims that those using it run a “zero” chance of arrest, Dutch security researchers have discovered (PDF) that the opposite is true: It’s actually very easy to trace all of its users, unless they take additional steps to “cover their tracks.” If those partaking in Anonymous attacks are cognizant of the fact that their online actions are fully traceable, this may mitigate the anonymity problem and make their actions far more legitimate than they are right now. Without such realization, their acts hardly qualify as civil disobedience and border on hooliganism. For what it’s worth, the announcement of Anonymous’ most-recent operation explicitly calls on its participants to use proxies in order to guard their anonymity—as such, they are clearly not seeking to conduct their politics in the open.

While Anonymous’ attacks fall short of Rawls’ high standard for civil disobedience, we should not prejudge all DDoS attacks to be illegitimate. Yes, DDoS tactics are increasingly abused to silence independent media—newspapers in Belarus, Kazakhstan, Lebanon, and Burma have all fallen victim to DDoS attacks in the last few years. Moreover, such attacks are often launched by relying on zombie computers whose unsuspecting owners have no clue they’re being enlisted as part of an attack. That’s unacceptable however one looks at it.

But should democratic societies really treat everyone who participates in a DDoS attack as a hardened criminal? (The British law, for example, punishes anyone who downloads such tools with up to 10 years in prison.)

Clearly, not all DDoS attacks carry the same moral weight; it all depends on who is attacking whom, as well as how and for what reason. The ethical spectrum here is quite wide: While it’s hard to imagine a situation where launching a DDoS attack on the Web site of the New York Times would ever be justifiable, it’s not so hard to imagine morally permissible attacks on the Web site of the Iranian government or alleged fraudsters like the proprietor of DecorMyEyes. In some situations, it may even be OK for attackers not to disclose their identities fully: Few of us get furious at the sight of Iranian protesters wearing green scarves to protect themselves from the prying eyes of police.

If done right, DDoS may offer the much-needed antidote to the shallow and sterile politics of most Facebook groups and petitions, where participants take no risks and make no sacrifices. Sure, there is always a risk that DDoS attacks will degenerate into acts of vigilante justice. But the same risk exists with any kind of real-world protest or demonstration. This is the price we pay for not living in a police state where there are no unscheduled events or provocations. DDoS, like all forms of protest, is messy. But there will always be certain times and places—even more so in our increasingly networked world—when the use of “DDoS justice” is warranted.