Latest Surveillance Revelations Show U.S., U.K. Government Hypocrisy on Hacking

Chat rooms frequented by Anonymous were targeted by DDoS attacks.

Photo by Rahman Roslan/Getty Images

The U.S. and U.K. governments have shown little sympathy for political activists engaged in disruptive acts of online protest. But according to the latest Snowden documents, the very tactics authorities seek to punish are fair game when it comes to their own efforts against online hacktivist groups.

The newest revelation shows that a secret unit of Britain’s spy agency GCHQ, called the Joint Threat Research Intelligence Group, launched distributed denial-of-service (DDoS) attacks to shut down chat rooms frequented by members of Anonymous, along with a variety of other strategies including “false flag” operations and infecting computers via malicious hyperlinks. The DDoS attacks are particularly disturbing, however, for two reasons: It’s highly likely that they disrupted legitimate speech not tied to any crime, and disruptions from those same kinds of attacks have led to draconian criminal prosecutions in both the United States and United Kingdom.

Unlike other types of attacks that involve breaking into computers and stealing data, DDoS attacks cause only temporary disruptions of websites by flooding them with useless data—the most famous example being “Operation Payback,” which shut down PayPal’s website in protest of its refusal to process Wikileaks donations. Stanley Cohen, a lawyer for one of the “PayPal 14” who participated in the protest, has compared it to a “digital sit-in” because of how the disruptions leave participants’ IP addresses exposed. But under the U.S. Computer Fraud and Abuse Act—and its British equivalent, the Computer Misuse Act—these actions threaten hacktivists with decades in prison simply because they occur electronically, rather than in the physical realm.

In the United States, members of the PayPal 14 each originally faced up to 15 years in prison for Operation Payback. The case concluded with a joint plea bargain, which resulted in lighter sentencing than expected. But such punishments—not to mention the serious charges that compel protesters to plead guilty—bear little resemblance those given for similar acts taking place offline.

For example, most of the 700 Occupy Wall Street protesters who blocked off the Brooklyn Bridge in October 2011 received only a night in jail or community service. Meanwhile, a man in Wisconsin who disrupted a Koch Brothers website for 60 seconds was fined $183,000—despite that the actual calculated damage of the disruption was reportedly only $5,000 and that far more serious physical crimes in that state have received smaller fines.

The same laws have clamped down disproportionately on other kinds of minor vandalism. Matthew Keys, a former employee of Reuters, was indicted last year for providing a member of Anonymous with login and password information for the company’s website—an act the law bizarrely defines as “transmission of malicious code.” The breach resulted in the headline of a single article being changed for 30 minutes, yet Keys has been charged with multiple felony counts that carry a maximum sentence of 25 years in prison and $750,000 in fines.

“The real concern here is a shotgun approach to justice that sprays its punishment over thousands of people who are engaged in their democratic right to protest simply because a small handful of people committed digital vandalism,” wrote Gabriella Coleman, an anthropology professor who has closely studied Anonymous, in an editorial for Wired. “This is the kind of overreaction that usually occurs when a government is trying to squash dissent; it’s not unlike what happens in other, more oppressive countries.”

So what does it say when authorities attempt to crush nebulous hacktivist groups with the very DDoS same tactics? At minimum, it begs the question of why the U.K.’s top intelligence agency sees temporarily taking down an online community—populated mostly by people not involved in committing crimes, many of the minors—as a priority.

“Why do British government spooks so brazenly attempt to inhibit the activities of acephalous online collectives and not, say, the hate-filled Westboro Baptist Church, or chat networks that encourage racism or paedophilia?” wonders Jake Davis, a Scottish member of the Anonymous offshoot LulzSec who was sentenced to 24 months in a juvenile facility, in the International Business Times.

An obvious guess is because they want to intimidate those who challenge their authority. In one of the documents, GCHQ brags that its efforts caused an “80 percent” drop in the number users on the Anonymous chat room. But more importantly, JTRIG operate under the fact that it’s highly unlikely GCHQ (or any police or intelligence service for that matter) will ever have to answer for its own digital disruptions.

Granted, governments engage in all kinds of activities, like wiretapping, that are strictly prohibited to the general public. But those powers are generally given with the presumption that collateral damage to innocent parties will be minimized and subject to redress. And as we’ve learned time and again, when it comes to intelligence agencies, such accountability is often unattainable from behind the thick wall of national security and state secrets.

The message they are sending to hacktivists is simple: “Do as we say, not as we hack.”