Prioritise intent, not effects: A nuanced approach to DDoS cyber attacks and free speech

LSE student Izaan Khan sets out his vision for the future of cyber crime law — in the winning entry of the BARBRI International Cyber Crime Blogging Prize

Distributed Denial of Service (DDoS) attacks are attempts to temporarily take down a system (usually an online service through its web server) by overloading it with traffic from multiple sources. It can be analogised to having a large crowd of people disrupting or blocking access to some place… Or can it?

DDoS attacks are one of the most common cyber threats that have been used for extorting SMEs, attacking competitors and rivals, and in the name of simple mischief.

But they have also been used as a powerful form of online protest, which is why the comparison above is the subject of massive debate — the recognition of DDoS attacks as a legitimate form of political activism entails being entitled to free speech protections. Indeed, the hacktivist collective Anonymous launched a petition in 2013 asking the White House to recognise DDoS attacks as a legitimate form of protest. But the governing law on this matter however (Computer Misuse Act 1990), does not distinguish between different intentions of DDoS, and uses the blanket language of “unauthorised activity”, which is structured to focus primarily on the effects of such activity, irrespective of the motivations.

Most academic debates on this subject can be reduced to arguments about the correctness of the analogy. Legal scholars such as Mathias Klang and Yochai Benkler argue that DDoS attacks can take the form of non-violent acts of civil disobedience comparable to the Occupy movement; the digital equivalents of sit-ins, where participants can join voluntarily and publicly.

Others contest the description, making three common arguments against it: firstly, that there is a low threshold for participation in the online environment — participants don’t assume the same level of risk or incur the same costs present in a physical protest. Secondly, it is unclear whether websites can actually be classified as an entirely “public” platform, since it can be argued that websites act as private/semi-private property, and thus the analogy would point us in the direction of the law of trespass. Thirdly, the economic costs incurred by the target website are not insignificant; the attack can be perceived as a lot more aggressive and disproportionate in its effects than a typical protest.

This is a classic example of the problem of perspective in internet law, resulting from an over-reliance on the physical world to explain online phenomena.

While they can aid understanding, the fundamentally different essence of online social interaction is lost. The internet has allowed for a more direct and symbiotic relationship between various stakeholders, which has the potential to massively increase the bargaining power of the collective for the purpose of bringing change. The idea that a protest ceases to become a valid form of expression simply because of reduced costs ignores the changes that technology has brought to people’s ability to collaborate and express themselves for a cause. Further, the very fact that protesters leave their IP addresses traceable in DDoS attacks means that they have voluntarily undertaken the risk of discovery of illegal activity. If anything, contrary to the first objection, this should be embraced.

The second objection is more pertinent, since it directly concerns legal understanding of DDoS attacks in the courts. In DPP v Lennon, the court — by drawing comparisons with “a footpath on private property” — held the view that although the open configuration of servers implied the owner’s consent to the receipt of traffic, the consent wasn’t without limits, and did not extend to traffic that overwhelmed the servers.

However, this can be contrasted with the US Public Forum Doctrine, where space is recognised as an important element of free speech. In this doctrine, emphasis is placed on the nature of open access of the forum, even if it is privately owned (such as protests in shopping malls; e.g. the California Supreme Court case of Robins v Prune Yard Shopping Centre) and it could be argued that this applies in the online context as well. It is self-evident that the internet is meant to be accessed by the general public, but also self-evident that websites are provided by private parties with certain expectations. In order to resolve the conflict between the values of free speech and “private property” in the online context, one needs to evaluate the extent of the harm done that justifies a restriction, which leads us to the third objection and with it a potential solution.

Depending on the length and type of DDoS attack, the actual destruction of physical property (i.e. servers) is minimal, but the monetary costs suffered through brand damage, loss of revenue and IT/security expenditure can be quite large (even after discounting data breaches, which aren’t a feature of protests). Protests are inherently disruptive, and are meant to make the targets feel an economic pinch.

But the legitimacy of a protest is derived from the proportionality of the disruption and the use of non-violence. Schmidberger v Austria is a good example to gauge against, where the European Court of Jusice held that a 30-hour long protest on a highway that caused the claimant an economic loss of 140,000 Austrian schillings and almost stopped trade between two nations, despite being a violation of EU free movement principles (which are almost constitutional in nature), was nonetheless justified with regard to free speech.

Thus, I argue that a “free speech” defence should be introduced in the CMA 1990, against sections 3 (which covers “unauthorised impairment” i.e. DDoS) and 3A (which covers the “obtaining and supply” of software for the offense in section 3, such as LOICs which Anonymous often uses). The attacker(s) bears the burden of providing evidence that their protest was proportional, which can be measured against factors like: tolerance capacity of the target based on its size (preventing unnecessarily lengthy attacks), the level of popular support (evidenced by user participation or indirect approval), the relevance of the target to the cause (preventing gratuitous attacks against human rights websites and SMEs), and the type of attack performed. This, I conclude, is the fairest way to bring much-needed recognition to evolving digital activism.

Izaan Khan is a law student at the London School of Economics. He has a particular interest in law and tech, and how the two interact. He is the winner of the BARBRI International Cyber Crime Blogging Prize.

BARBRI International will be hosting a 4 July Independence Day party at its London office. Register to attend here.

Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.


Just Anonymous

Beautifully argued, but I find rather insidious the idea that DDOS attacks could be justified as ‘free speech.’

Free speech should mean that all opinions and views can be expressed. Such attacks however are designed to destroy a website’s ability to function and convey its message (whatever that message may be).

It’s the same as saying that shouting down public speakers you disagree with (so that nobody else can hear them) constitutes free speech. It doesn’t.

Reply Report comment

Depends on the perspective you take. You could equally legitimately think of it as disrupting access to a service, as opposed to shutting people’s speech out.

A DDoS attack on PayPal could be seen as a protest (if you view it as a public forum) or getting rid of another’s right to speak (if you view as a platform for the company’s speech).

Which is why analogies aren’t useful. Instead, thinking of it in sui generis terms allows for an exemption to be made in the online environment for DDoS, which is a better idea provided there are strong justifications for it (in order to ensure that DDoS attacks pursue legitimate goals instead of just shutting people out as you mention).

Reply Report comment

Can’t have been hard to get a gig at your own club. I’m interested in the name – did you call it that because you hear it so often in a normal day?

Reply Report comment

Well argued Izaan Khan, however due to “political expediency”, it seems like, realistically, the change in the law you espouse will never materialise !

Reply Report comment

Leave a comment

Your email address will not be published.