Practice Hacktivism at Your Own Risk

A hacker’s 10-year prison sentence shows that courts don’t care what an attacker’s motives are.

A sign reads, "Children's Hospital Primary Care Center."
A sign at Boston Children’s Hospital is seen in 2009. Martin Gottesfeld launched a distributed denial-of-service attack on the hospital in 2014.
Brian Snyder/Reuters

People launch cyberattacks for all sorts of different reasons—to steal money, to steal secrets, to show off their skills, to wreak havoc, but also for (what they consider to be) altruistic reasons. Martin Gottesfeld did it to draw attention to the case of Justina Pelletier, a Connecticut teenager who was admitted to Boston Children’s Hospital in 2013 and kept in a psychiatric ward there, against her parents’ wishes, for more than a year. Pelletier was ultimately returned to her family, but before that, Gottesfeld launched distributed denial-of-service attacks on two Massachusetts medical facilities involved in Pelletier’s care. On Jan. 10, he, was sentenced to serve 121 months in prison and pay a $443,000 fine. Gottesfeld’s relatively severe sentence is an important marker of how seriously courts are taking denial-of-service attacks and how little it matters, at least from a legal standpoint, whether the people behind those attacks were motivated by a “hacktivist” agenda.

Gottesfeld’s case is technically fairly straightforward but ethically complicated. He targeted Boston Children’s Hospital as well as the Wayside Youth and Family Support Network, a residential treatment facility where Pelletier was also a patient. Unlike more recent ransomware attacks on hospitals, Gottesfeld’s denial-of-service attacks deliberately did not target or compromise any patient records, but they did plenty of damage. The weeklong attacks directed at Boston Children’s Hospital in April 2014, for instance, “disrupted the Hospital’s day-to-day operations as well as the research being done at the Hospital” and forced Children’s to shut down portions of its network, making it more difficult for doctors outside the hospital to access medical records and hampering patients’ ability to communicate with their doctors there, according to FBI agent Michael Tunick. Tunick said that during the attack, “patient care was not affected,” but the hospital had to “re-allocate its resources in a significant way,” costing some $300,000 in damage, as well as an additional estimated $300,000 in lost fundraising. (The attack was planned to coincide with a fundraising drive.)

Compared with the damage done by the WannaCry ransomware program, which shut down more than a dozen National Health Service hospitals and clinics in the U.K. in 2017, Gottesfeld’s denial-of-service attacks seem relatively tame. Unlike ransomware, which encrypts the contents of a computer network so that no one can access any of the information stored on it or use the computers until a cryptocurrency ransom has been paid, Gottesfeld bombarded a server with so much online traffic that it crashed and could not respond to legitimate user requests. That’s how he managed to take down the Children’s Hospital fundraising website without affecting patient records.

But just because Gottesfeld didn’t target patient records doesn’t mean that denial-of-service attacks, especially those directed at hospitals and other critical infrastructure, aren’t incredibly dangerous and damaging. Denial-of-service attacks, bolstered by the influx of Internet of Things devices that can be harnessed into ever larger botnets to launch attacks, have become increasingly serious threats. Even some hackers who are comfortable pushing the boundaries of the law in the name of activism draw the line at targeting hospitals. In fact, though Gottesfeld is a self-proclaimed member of the hacking group Anonymous, the Anonymous Twitter account YourAnonNews tweeted during his attacks: “To all the ‘Anons’ attacking the CHILDREN’S HOSPITAL in the name of Anonymous via Op #JustinaPelletier – IT IS A HOSPITAL: STOP IT.”

Gottesfeld himself didn’t take great pains to hide his tracks—he uploaded a YouTube video threatening Children’s and included a link to the hospital’s server information in order to enable others to join his attack. He exchanged Twitter direct messages explaining his plans and also created a new Twitter handle, @AnonMercurial2, to call on others to join his attacks on the Wayside treatment center. (The FBI traced this activity back to Gottesfeld using his internet provider RCN to establish his IP address at the time. In an interesting Fourth Amendment twist, Gottesfeld’s lawyers tried to argue that he had a “reasonable expectation to privacy” of his IP address because he used encryption, but the court was not persuaded.)

After he and his wife tried and failed to flee to Cuba in 2016, Gottesfeld even released a statement to the HuffPost taking credit for the attacks. “I coded around the clock for two weeks to perfect the attack,” Gottesfeld wrote. “Small test runs were made. [Children’s] bragged to the media that they were withstanding the onslaught and hadn’t been taken down. They had no idea what was to come.”

In Gottesfeld’s view, he did nothing wrong—and he isn’t alone in that opinion. A sympathetic Rolling Stone profile, published in June 2017, dubbed Gottesfeld “The Hacker Who Cared Too Much” and invoked the controversial case of Aaron Swartz, the Reddit co-founder who downloaded academic articles from JStor using MIT’s network and then killed himself in January 2013 while awaiting trial. But while both Swartz and Gottesfeld were charged under the Computer Fraud and Abuse Act for accessing protected computers without authorization, their actual technical actions bear little resemblance. Swartz downloaded millions of academic articles using a university network. Gottesfeld launched a denial-of-service attack against a hospital and a medical treatment facility, forcing them to shut down portions of their networks and hampering patient communications and access to medical records.

At a moment when hospitals seem especially vulnerable to online attacks, and denial-of-service attacks are growing bigger and more damaging than ever before, it’s not surprising that a court would view Gottesfeld’s actions as deserving of a 10-year prison sentence. It’s significantly more time than many other perpetrators of denial-of-service attacks have received in the past, and much longer than the 30-month sentence that 30-year-old British hacker Daniel Kaye received recently for a series of denial-of-service attacks in 2015 that temporarily took Liberia—yes, the entire country—offline. It’s hard to say whether that’s because Gottesfeld went after a hospital, or because courts are taking denial-of-service attacks more seriously than they used to, or because so few perpetrators of online attacks are ever actually tried that the court wanted to make an example of Gottesfeld as a warning to other would-be attackers. Probably all of those motivations played some role in the sentencing. If nothing else, it sends a clear signal that the penalties for hacking in the name of a political agenda are every bit as stiff as those for hacking in pursuit of money, fraud, and state secrets.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.