Lawyer For Accused: DDoS Is A Legal Form Of Protest
from the this-could-get-interesting dept
Last year, we discussed whether or not things like Operation Payback by Anonymous (DDoSing sites of organizations they didn't like) were really the equivalent of a modern-day sit-in protest, rather than criminal hacking, as law enforcement (and victims) wanted to allege. It appears that this may be a question that courts are going to need to answer. Nick points us to the news that the lawyer for a homeless guy accused of setting up a DDoS on the City of Santa Cruz (he was pissed about a law) is claiming that DDoS attacks are legal and protected speech in the form of a protest:

> “There’s no such thing as a DDoS ‘attack’,” Leiderman said. “A DDoS is a protest, it’s a digital sit in. It is no different than physically occupying a space. It’s not a crime, it’s speech.”
>
> Leiderman said the crimes shouldn’t be prosecuted at all. “Nothing was malicious, there was no malware, no Trojans. This was merely a digital sit in. It is no different from occupying the Woolworth’s lunch counter in the civil rights era.”

In this case, the case has nothing to do with Anonymous, Lulzsec or any of those high profile groups, but they might want to pay attention to the case. It seems that some of those already arrested in various sweeps against Anonymous and Lulzsec have indicated that they're considering the same defense strategy. In that last one, involving Mercedes Haefer, who was charged with being a part of Anonymous, her lawyer is pointing out that President Obama has asked supporters to overload the switchboards of Congress -- and that's a form of a denial of service attack:

> "I think this is a political persecution, end of story," Cohen said. "This administration wants to send a message to those who would register their opposition: 'you come after us, we're going to come after you.' That's what has happened in the Eric Holder Department of Justice."
>
> "When Obama orders supporters to inundate the switchboards of Congress, that's good politics, when a bunch of kids decide to send a political message with roots going back to the civil rights movement and the revolution, it's something else," Cohen told TPM, stipulating that he was not indicating that his client was even involved. "Barack Obama urged people to shutdown the switchboard, he's not indicted."

Not surprisingly, I'm sympathetic to this argument, though I do wonder how well it'll play in court. In both of these cases, I think a decent case can be made that the actions are a form of speech, in that they were both designed to protest certain actions. The question is whether or not the courts will recognize them as legitimate and protected protests. And that may very well come down to the judges in the cases.
Filed Under: anonymous, ddos, free speech, protests, sit in
Reader Comments
Sit in protesters are arrested for trespassing
A sit in is a form of civil protest. It is peaceful, but that doesn't mean it is legal. Civil protesters deliberately risk arrest during their protest because a sit in is a form of trespassing if the protesters don't leave when asked to do so. So claiming that a DDoS is like a sit in is like asking the jury to convict his client.
[ link to this | view in chronology ]
Re: Sit in protesters are arrested for trespassing
[ link to this | view in chronology ]
Re: Sit in protesters are arrested for trespassing
[ link to this | view in chronology ]
Re: Re: Sit in protesters are arrested for trespassing
If you opt for concurrent sentencing, I'm going to ask for fines. If you want jail time, we'll go with consecutive sentences.
Any other brilliant ideas?
[ link to this | view in chronology ]
Re: Sit in protesters are arrested for trespassing
[ link to this | view in chronology ]
Re: Sit in protesters are arrested for trespassing
Rather depends on where you sit, doesn't it.
a sit in is a form of trespassing
only if you sit somewhere you don't have the right to.
A ddos - like some forms of sit in - only involves individual actions that are entirely legal.
[ link to this | view in chronology ]
Re: Re: Sit in protesters are arrested for trespassing
"Rather depends on where you sit, doesn't it."
Right. When unions go on strike, there is a reason they walk in circles. Because standing still is often loitering. But there's no law against walking on the sidewalk.
[ link to this | view in chronology ]
Re: Re: Re: Sit in protesters are arrested for trespassing
[ link to this | view in chronology ]
The fact that the president advocates for much the same sort of action will likely fall on deaf ears. It's been apparent for many years that we have two sets of laws.
Moreover, if a DDOS made it difficult for a regular customer to buy a book or transfer some money into PayPal, that's felony obstruction of profit, worse than taking a human life.
[ link to this | view in chronology ]
Re:
So the DDOS at worst made their main websites invisible for the period of time, but did not interfere with this business... and well it's really stupid of them to admit now that it did interfere with their business because one then has to ask: you're the largest payment transaction providers online and a group of meddling "kids" were able to cripple your operation?
It is sort of like the hysteria when CIA was "hacked", they want everyone to believe that these "super hackers" now have access to all the secrets in the world... not that they took down an outward facing website that had nothing but the sanitized version of what they do on it, some kids games, and the hours of operation for their gift shop.
[ link to this | view in chronology ]
You should wonder. You should also wonder about the culpability of those who allowed their servers to be used in the attacks.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Or the telcos for putting up the wire to transmit the DDOS.
Try again!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: servers
[ link to this | view in chronology ]
DDoS may be akin to civil disobedience, but that doesn't make it any more legal than analog forms of civil disobedience.
And the fact that it's perpetrated by a single individual (or a very small group, relatively) will imply, I'm guessing, a proportionally concentrated punishment.
[ link to this | view in chronology ]
Re:
DoS attacks and DDoS attacks are not the same. If this truly was a DISTRIBUTED DoS attack, the perp would likely have needed to gain control of a group of machines to collectively perform the attack. Did he have permission from all the machine owners to use their computers in such a way?
[ link to this | view in chronology ]
Re: Re:
Even if there were zombie machines used in the attack you'd have then to proceed in checking where the command to attack came for those zombies and see if it was a direct action of the said organizer of the protest or some kid that went overboard while participating in the said act (and thus the organizers are not necessarily at fault).
I can see the logic in this argument and I can also see how it's impossible to break it since law enforcement usually lacks an e-penis that big (in the sense that they aren't capable of doing such a large forensics work).
Hmmm.... Maybe I've just found a way to support the claim that ddos is a legal form of protest?
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Then again, it probably is just a case of most people not knowing the difference.
[ link to this | view in chronology ]
This homeless guy has a computer and legal counsel? How did he get caught, did they trace his IP back to his cardboard box? Seeing as he has nothing better to do couldn't he have just actually staged a sit-in?
[ link to this | view in chronology ]
Re:
That being said, I do not really think the word homeless should be repeated in these stories about the guy every time. It does feel like leading people to conclude that he was indeed out on the streets as that seems to be most people's initial reaction.
[ link to this | view in chronology ]
Re:
Homeless doesn't equate to unemployed. Have you watched the evening news in the last year or two? Something like 1 in 4 are facing foreclosure these days.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Unfortunately, the homeless problem has grown exponentially in the last couple of years. Whole families living in cars or in shelters when there is space for them and trying to keep the kids in school at the same time. A lot of these people are still employed (or underemployed) or are trying to find work and that is made even more complicated when you don't have a permanent address.
[ link to this | view in chronology ]
I'm sure he wouldn't mind if a DDoS was organized against http://leidermandevine.com considering his viewpoint that it should be protected speech and all.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Sit-Ins
> the Woolworth’s lunch counter in the civil rights era.
I wonder when someone is going to point out to this guy that sit-ins *are* illegal. Occupying the Woolworth's lunch counter was trespassing. You can't just walk into someone's private business and 'occupy' it against their wishes and say it's legal because it's a form of protest.
Claiming a DDoS isn't a crime because it's the equivalent of a sit-in isn't exactly a winning argument.
[ link to this | view in chronology ]
Re: Sit-Ins: "Occupying the Woolworth's lunch counter was trespassing."
[ link to this | view in chronology ]
Re: Re: Sit-Ins: "Occupying the Woolworth's lunch counter was trespassing."
Nope. At the time it *was* illegal. The civil disobedience during that time did cause a change in laws, but when it was happening it was against the law.
[ link to this | view in chronology ]
Re: Re: Sit-Ins: "Occupying the Woolworth's lunch counter was trespassing."
No, we'd be upgrading to liberty.
By the way, with that upgrade would come some other interesting results:
1. The segregationist company would go out of business, or at least suffer massive losses due to bad publicity.
2. The government would not have the authority to bail the company out.
3. Neither the federal nor state government would have the power to defend such businesses with nonsense like the Jim Crow laws. Based on their current power to regulate who private business can serve, they have the authority to re-institute laws just as dreadful. It's not hard to imagine a time in the near future where such authority could ban service to Muslims, immigrants, etc. (Do you realize that the Jim Crow laws were passed to protect segregationist companies from the effects of boycotts, which were destroying those businesses even back in much more racist times than these? The two most racist policies in our history -- segregation and slavery -- were both instituted by government. Both were defeated by the people. Yet, you want the government in charge of such things?)
[ link to this | view in chronology ]
Re: Re: Re: Sit-Ins: "Occupying the Woolworth's lunch counter was trespassing."
[ link to this | view in chronology ]
Re: Re: Sit-Ins: "Occupying the Woolworth's lunch counter was trespassing."
> a lunch counter that refused to serve them because color of skin,
> then you're flatly wrong. Businesses aren't "private" and above
> common law.
They were at the time.
And common law at the time said segregation was okay. It was only subsequent statutory law (the Civil Rights Act) that overruled it and banned segregation.
[ link to this | view in chronology ]
Re: Sit-Ins
[ link to this | view in chronology ]
Sit-ins are not entirely illegal: a jury can decide justified.
That said, only up to a point in practice. Temporarily hampering a machine from access to the internet isn't very serious. But we obviously can't allow every yahoo to do so without limit or reason.
I'd advise play to jury as justified, but it'll be a tough sell.
[ link to this | view in chronology ]
Re: Sit-ins are not entirely illegal: a jury can decide justified.
[ link to this | view in chronology ]
Re: Sit-ins are not entirely illegal: a jury can decide justified.
In the remnants of the United States, such action by citizens are weighed in context of greater good and free speech. So you legalistic weenies asserting they're illegal are wrong.
Not really sure what you are trying to say here Blue. If something is illegal, it's illegal. No grey area whatsoever.
I agree that a jury can nullify a conviction on an individual case and acquit the accused, but the law remains unchanged. Juries cannot change laws.
[ link to this | view in chronology ]
Interesting compare/contrast point
That's a good point. Deliberately inundating the switchboards of Congress (or the White House, or Jim's Bank and Donuts) is a DoS attack if launched from a single point, a DDoS attack if launched from many. So why hasn't the DoJ indicted everyone who carried that out (after all: they can easily acquire their phone numbers) and why haven't they gone after those instigating it?
Of course, calling for mass phone calls (or letters, or anything else) is hardly new and unique; it's an old tactic, and many politicians have used it over the years. So have corporations, lobbyists, public interest groups, and many others. All that's changed are the media: e.g., now email is sometimes used, perhaps tomorrow something else will be.
This shouldn't be read as approval, by the way. But I do think there's an inconsistency here that needs to be addressed.
[ link to this | view in chronology ]
I think that in order for any sort of DDoS attack to be similar to a sit-in, many individuals must voluntarily occupy the digital space. Botnets, malware, etc. shouldn't count because they are not voluntary individuals. The only grey area I see is what constitutes an individual's action. Must the person manually be hitting refresh, or can they have some device or program that participates?
[ link to this | view in chronology ]
Another analogy
An ICMP ping flood would be closer to a sit-in.
[ link to this | view in chronology ]
It's not surprising--you'll latch onto any halfway plausible argument if you agree with the result. Yes, protesting is a form of protected speech, but there is a line that can be crossed where it becomes illegal. Obviously DDOSers like Anonymous are crossing that line. You'll milk all the FUD out of this you can, but no judge is going to buy this argument because it's bullshit.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
DDOS Doesn't Require Hacking
This overloaded server cannot provide service to legitimate users, thus whatever service was hosted on it is blocked. This sounds a lot like a strike picket line, a blockade, a sit in, chaining yourself to a tree, etc. Sure, it's subject to arrest for trespass if that occurs, but that's not a serious crime.
DDOS does not mean hacking in. It does not mean cracking security. It does not mean stealing information, nor providing false credentials. It does not mean sneaking past electronic locks. It just means "overwhelming". Are you guilty of DDOS when you get on the freeway and become part of a traffic jam? No.
Calling up your 2000 twitter followers to execute a DDOS does seem like free speech, or legal action to me. In fact, I don't even see any sign of trespass. The server is there to accept requests from the Net, and you are doing just that. Perhaps you would be in violation of some Terms of Service or fair use guidelines, but there's no crime in that either.
The only way DDOS should be seriously illegal is when executed with a botnet of hacked computers. At some point, those computers were illegally hacked. This, as we know, is the most common form of DDOS, but a DDOS could also be organized through computers you control legitimately, friends you organize, or a grassroots movement.
I dunno what the homeless guy in the story did, but I don't agree that DDOS is automatically a crime.
[ link to this | view in chronology ]
Re: DDOS Doesn't Require Hacking
A single man with a single connection in a single browser cannot create a DoS (unless the server is truly weak). So it requires software to automatically make hundreds or thousands of connections, or perhaps the use of corrupted machines to make such an attack (a good example would be to seed something in the computers of every public library in the area).
A sit in (or a phone in) requires many people exercising their individual rights. A DDoS can be made by a single person. Not really fair, is it?
[ link to this | view in chronology ]
Re: Re: DDOS Doesn't Require Hacking
I mean, of course I know one guy with one PC can't pull off a DDOS. My comment alone shows that I'm not an idiot. The first D is for distributed, which is important because if it's just one guy, the server easily detects it is getting bombarded from that IP, and reacts by ignoring it. Similarly, filters in any ISPs along the route could also block/ignore that ping. But when the attack is Distributed, it is harder to block.
It is possible for someone with a big following to trigger a DDOS, with no bots - just many individuals actively pinging from one browser each. With enough people, DDOS!
That is to say, the illegal part is the botnet, or specifically how it is created. The DDOS part is "speech", or a picket line.
I dunno anything about this homeless guy's case. I just want to reserve the right for myself to take part in a DDOS, as just one person with one PC, someday, if I so choose.
[ link to this | view in chronology ]
Re: Re: DDOS Doesn't Require Hacking
Nope all you need is a URL and a plugin to reload that page.
https://addons.mozilla.org/en-US/firefox/addon/reloadevery/
http://www.chromeextensions.org/utilities/auto-reload/
So everyone can just keep reloading one page.
People can also set the ping command to keep pinging some range of IP addresses indefinitely, this is also known as ping of death.
Now a DDoS can't be accomplished by a single person unless that single person commands thousands of machines, no single user machine can flood a network, you need thousands of machines.
[ link to this | view in chronology ]
Re: Re: Re: DDOS Doesn't Require Hacking
[ link to this | view in chronology ]
Automation
[ link to this | view in chronology ]
Re: Automation
But a DDOS isn't necessarily automated.
[ link to this | view in chronology ]
Re: Automation
If they kept calling the company order lines over and over again, to keep the phone lines busy, I am sure that there would be some law that would apply as well.
Remember, for a protest to be a protest, you have to communicate something. Normally it is with placards, banners, picket signs, chants... what have you. What message does a DDoS deliver? Nothing, except "computer down for an unknown reason".
A DDoS (as opposed to a DoS) suggests organization. I somehow doubt that a homeless guy led a huge crusade with thousands of people helping him out. Sounds more like one guy, a few hacked computers, and automated software to attack the server in question. There is very little in his actions that can be taken as protest, and everything shows vengeance and a vile attitude.
[ link to this | view in chronology ]
DENIAL of service
The physical world equivalent would be forming a human chain to prevent people from entering a building -- and police will and do break those up.
Standing around with signs and bullhorns chanting is like having another web site, or posting messages on their web site. It does not actually interfere with their ability to operate (other than in the mind of potential customers/visitors).
[ link to this | view in chronology ]
Re: DENIAL of service
If a service is denied by virtue of offering service to any host that reaches out to it, and getting overwhelmed, which host is responsible for the denial? Every one individually? All of them in aggregate?
BTW, the use of the word "DENIAL" comes from whoever named the form of "attack". If the web community had instead called it "Distributed Overwhelming Of A Server, I Say" (DO AS I Say), would you then have called it authoritarian? It seems very arbitrary to conclude that the made up terminology precisely defines the intent of the one guy accused.
[ link to this | view in chronology ]
Re: Re: DENIAL of service
How about motive Derek. Are you such a sniveling apologist that you ignore that element entirely?
[ link to this | view in chronology ]
Re: Re: Re: DENIAL of service
[ link to this | view in chronology ]
Re: Re: Re: Re: DENIAL of service
Um, hello? That's the whole basis of the criminal system. We don't punish the act unless there was a criminal intent element as well. We legal types call that "mens rea" (i.e., guilty mind). Therefore, the reasons for one's actions are extremely relevant to punishment. Otherwise we would have a regime of strict liability crimes (i.e., punishment for acts regardless of intent).
[ link to this | view in chronology ]
Re: Re: Re: DENIAL of service
When striking workers picket a plant, one of their intents is to disrupt the flow of goods and resources in and out...usually in a legal way. Can you convict them for their intent?
When workers organize a "work to rule" campaign, which means they follow every rule in the book to the letter, seriously reducing their efficiency, is it illegal because their intent is to disrupt the business?
If French farm workers drive their tractors on the Champs Elysees (legally) with the intent to disrupt traffic, is it illegal?
Hitting a publicly open and available server for information is not illegal. Doing so with intent to disrupt service should not be any more illegal.
Screw the criminals who hack PCs to make botnets. But get them for the hacking, not the DDOS. And let's protect the citizens and their right to form a true grassroots protest.
[ link to this | view in chronology ]
Re: Re: DENIAL of service
Did I intend to deny you the ability to run your delivery business? Or was that merely a consequence of me exercising my legal privilege to drive on the road?
If a service is denied by virtue of offering service to any host that reaches out to it, and getting overwhelmed, which host is responsible for the denial? Every one individually? All of them in aggregate?
All of whom intended to disrupt the service from operating. Those individuals with the appropriate culpability should be jointly and severally liable.
[ link to this | view in chronology ]
Re: DENIAL of service
[ link to this | view in chronology ]
[ link to this | view in chronology ]
A Theoretical Case
OK, so on Sunday, U2 fans from around the world, and other Monsanto haters, all ping the crap outta those servers. DDOS will result. But let's assume no botnets need be involved (it's my hypothetical case, after all).
Questions for the class:
- Is Bono a criminal for the DDOS?
- If he didn't touch one keyboard or launch one packet, how is he responsible for a DDOS?
- Did he yell "fire" in a cinema?
- Is each individual who heeded Bono's call a criminal?
- Was Bono just exercising free speech?
- Is the DDOS on Monsanto just a legal protest so that they would "hear everyone's voices" of disapproval?
[ link to this | view in chronology ]
edit of Re: servers
Not surprisingly, I'm sympathetic to this argument, though I do wonder how well it'll play in court.
You should wonder. You should also wonder about the culpability of those who allowed their servers to be used in the attacks.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
just a question...
[ link to this | view in chronology ]