The hacktivist collective Anonymous and other online activists use DDoS attacks as a form of protest, claiming that these attacks are equivalent to free speech and should fall under the protection of the first amendment rights. However, DDoS attacks are not equivalent to protest speech and sit-in protests. In some instances, DDoS attacks have been used as a distraction to conduct other types of cybercrimes.
One of the most popular methods of mass disruption of online services is distributed denial of service (DDoS) attacks. This attack consists of sending multiple requests for service than the web server can handle causing the web server to become inaccessible. The disruption of services prevents legitimate users from accessing the organization’s resources and services. Hacktivists perform DDoS attacks not only to protest their cause but they do so with the intent to cause humiliation, reputational loss, loss of financial resources, and intimidation. In the case of PayPal, #OpPayback caused a loss of £3.5m ($55.3m).
In July 2010, WikiLeaks disclosed 91,000 U.S. classified documents. WikiLeaks further announced that it would release another 250,000 classified cables from various U.S. embassies. Following the release of these documents, on November 27, 2010, the State Department declared WikiLeaks actions as illegal resulting in several organizations severing ties with WikiLeaks. In retaliation, in December 2010, Anonymous conducted a serious of online coordinated attacks against MasterCard, PayPal, Visa, Amazon, the Swiss Bank PostFinance, and other companies for suspending WikiLeaks’ accounts. This was called Operation Payback.
The success of DDOS attacks is dependent on the number of computers sending requests for service to the targeted organization’s web server. Since hacktivists cannot solely rely on effectively recruiting enough supporters to successfully carry out a DDoS attack, many hacktivists rely on the use of botnets.
A botnet consists of a large network of compromised computers, called zombies, remotely controlled by an individual or group of individuals known as bot herders. A botnet can consist of thousands even hundreds of thousands of compromised computers. Unlike the tactics used in Operation Payback, where individuals voluntarily became part of a botnet, in a typical botnet, computers become involuntarily compromised. Therefore, a hacktivists using a botnet to launch DDoS attacks could do so without the computer owner’s permission.
During Operation Payback, Anonymous recruited people not only from within their own network but anyone who voluntarily wanted to participate. The coordinated attack consisted in people voluntarily downloading the software LOIC (Low Orbit Ion Canon). This gave Anonymous control of their computers allowing them to conduct DDoS attacks.
Individuals taking part in the voluntary botnet essentially agreed to conduct cyberattacks against corporate computer networks by impairing the operation of that computer system; preventing or hindering access to the organization’s data or programs held on that server. Although many online activists insist that the intent is not to hack into the network servers, by surrendering their computers to conduct a cybercrime, they become accomplices of the commission of a parallel or subsequent cyberattack such as stealing corporate data, spamming, and stealing funds.
In April 2011, during #OpSony, Anonymous retaliated against Sony for taking legal action against two individuals that reversed engineered the PS3 security System. As Sony’s server was under DDoS attack, Anons launched another attack that resulted in the theft of over 12 million customer’s credit card data.
DDoS attacks violate various polices and laws: The Internet Advisor Board (IAB) Internet proper use policy, Internet Service Providers (IPS) acceptable use policies, the U.K’s Police and Justice Bill 2006, the U.S. Computer Fraud and Abuse Act, the Canadian Criminal Law Amendment Act Section 342.1, and other international laws.
Given that hacktivists are using botnets to conduct DDoS attacks, if DDoS was legitimized in the U.S. but not in other countries, then Americans whose computer was compromised by that botnet would have involuntarily committed a cybercrime. These individual could then be charged, prosecuted, and possibly been convicted for a political protests they had not part in. Good luck trying to convince investigators they did not know their computer was compromised!
On January 7, 2013, a petition was filed with the White House to decriminalize DDoS attacks. If these petitioners really thought about it, what they are asking is for the government to extend the First Amendment’s protection to allow people to legally disrupt corporate, private, academic, or military websites, at will. Have they thought about the DDoS attacks from foreign hacktivists? If DDoS was legalized in the U.S. foreign hacktivists attacking American websites would be doing so legally.
The hacktivists Izz ad-Din al-Qassam Cyber Fighter Group has been attacking several American financial institutions. They have vowed to continue attacking more financial institutions until the video “Innocence of Muslism” is taken down from YouTube. Chase, JP Morgan Chase, Bank of American, PNC Financial Services, and SunTrust Banks have nothing to do with the video nor can they force YouTube to take down the video. On September 20, 2012, a Judge refused to order YouTube to remove the video.
To acknowledge DDoS as a legitimate form of speech would not further political activists’ purposes; it would instead help cybercriminals use DDoS attacks as an excuse to attack American websites. It would also assist other criminals to use online activism as an excuse to conduct other forms of cybercrimes.