LSE student Izaan Khan sets out his vision for the future of cyber crime law — in the winning entry of the BARBRI International Cyber Crime Blogging Prize
Distributed Denial of Service (DDoS) attacks are attempts to temporarily take down a system (usually an online service through its web server) by overloading it with traffic from multiple sources. It can be analogised to having a large crowd of people disrupting or blocking access to some place… Or can it?
DDoS attacks are one of the most common cyber threats that have been used for extorting SMEs, attacking competitors and rivals, and in the name of simple mischief.
But they have also been used as a powerful form of online protest, which is why the comparison above is the subject of massive debate — the recognition of DDoS attacks as a legitimate form of political activism entails being entitled to free speech protections. Indeed, the hacktivist collective Anonymous launched a petition in 2013 asking the White House to recognise DDoS attacks as a legitimate form of protest. However, the governing law on this matter (the Computer Misuse Act 1990) does not distinguish between the different intentions behind DDoS attacks, and uses the blanket language of “unauthorised activity”, which is structured to focus primarily on the effects of such activity, irrespective of the motivations.
Most academic debates on this subject can be reduced to arguments about the correctness of the analogy. Legal scholars such as Mathias Klang and Yochai Benkler argue that DDoS attacks can take the form of non-violent acts of civil disobedience comparable to the Occupy movement; the digital equivalents of sit-ins, where participants can join voluntarily and publicly.
Others contest the description, making three common arguments against it: firstly, that there is a low threshold for participation in the online environment — participants don’t assume the same level of risk or incur the same costs present in a physical protest. Secondly, it is unclear whether websites can actually be classified as an entirely “public” platform, since it can be argued that websites act as private/semi-private property, and thus the analogy would point us in the direction of the law of trespass. Thirdly, the economic costs incurred by the target website are not insignificant; the attack can be perceived as a lot more aggressive and disproportionate in its effects than a typical protest.
This is a classic example of the problem of perspective in internet law, resulting from an over-reliance on the physical world to explain online phenomena.
While such analogies can aid understanding, the fundamentally different essence of online social interaction is lost. The internet has allowed for a more direct and symbiotic relationship between various stakeholders, which has the potential to massively increase the bargaining power of the collective for the purpose of bringing change. The idea that a protest ceases to be a valid form of expression simply because of reduced costs ignores the changes that technology has brought to people’s ability to collaborate and express themselves for a cause. Further, the very fact that protesters leave their IP addresses traceable in DDoS attacks means that they have voluntarily undertaken the risk of discovery of illegal activity. If anything, contrary to the first objection, this should be embraced.
The second objection is more pertinent, since it directly concerns legal understanding of DDoS attacks in the courts. In DPP v Lennon, the court — by drawing comparisons with “a footpath on private property” — held the view that although the open configuration of servers implied the owner’s consent to the receipt of traffic, the consent wasn’t without limits, and did not extend to traffic that overwhelmed the servers.
However, this can be contrasted with the US Public Forum Doctrine, where space is recognised as an important element of free speech. In this doctrine, emphasis is placed on the nature of open access of the forum, even if it is privately owned (such as protests in shopping malls; e.g. the California Supreme Court case of Robins v Prune Yard Shopping Centre) and it could be argued that this applies in the online context as well. It is self-evident that the internet is meant to be accessed by the general public, but also self-evident that websites are provided by private parties with certain expectations. In order to resolve the conflict between the values of free speech and “private property” in the online context, one needs to evaluate the extent of the harm done that justifies a restriction, which leads us to the third objection and with it a potential solution.
Depending on the length and type of DDoS attack, the actual destruction of physical property (i.e. servers) is minimal, but the monetary costs suffered through brand damage, loss of revenue and IT/security expenditure can be quite large (even after discounting data breaches, which aren’t a feature of protests). Protests are inherently disruptive, and are meant to make the targets feel an economic pinch.
But the legitimacy of a protest is derived from the proportionality of the disruption and the use of non-violence. Schmidberger v Austria is a good example to gauge against, where the European Court of Justice held that a 30-hour long protest on a highway that caused the claimant an economic loss of 140,000 Austrian schillings and almost stopped trade between two nations, despite being a violation of EU free movement principles (which are almost constitutional in nature), was nonetheless justified with regard to free speech.
Thus, I argue that a “free speech” defence should be introduced in the CMA 1990, against sections 3 (which covers “unauthorised impairment” i.e. DDoS) and 3A (which covers the “obtaining and supply” of software for the offense in section 3, such as LOICs which Anonymous often uses). The attacker(s) bears the burden of providing evidence that their protest was proportional, which can be measured against factors like: tolerance capacity of the target based on its size (preventing unnecessarily lengthy attacks), the level of popular support (evidenced by user participation or indirect approval), the relevance of the target to the cause (preventing gratuitous attacks against human rights websites and SMEs), and the type of attack performed. This, I conclude, is the fairest way to bring much-needed recognition to evolving digital activism.
Izaan Khan is a law student at the London School of Economics. He has a particular interest in law and tech, and how the two interact. He is the winner of the BARBRI International Cyber Crime Blogging Prize.