Why DDoS protests won’t fit into freedom of expression rights

A response to ‘Prioritise intent, not effects: A nuanced approach to DDoS cyber-attacks and free speech’

Last year, we published an article by Izaan Khan, a law student at the London School of Economics, on DDoS (Distributed Denial of Service) cyber-attacks and free speech. He argued that ‘free speech’ should be introduced as a defence to DDoS attacks. Now, Rahim Talibzade, a fellow LSE law student, has written a response to Khan and his article.

This article is a response to Khan’s argument about DDoS attacks as a legitimate form of protest. I argue that such form of protest undermines the public infrastructure and requires additional elements to be legitimate. The inefficiency of law in cyberspace will also be discussed.

My first argument focuses on Khan’s notion of the “direct and symbiotic relationship between various stakeholders”. Although it is correct to claim that technology and online network brought people closer in terms of giving them more power, especially in collective influence, it is essential to balance it against the other actors of cyber world.

The public infrastructure such as government websites and national security agencies like FBI and CIA, public services that rely on online communication (NHS sites/courts), and commercial infrastructure such as banks and building societies play an integral part in maintaining society’s security and public goods. Disrupting any of these would certainly have an impact that would last even after the protests. That is because protests tend to occur outside on the public space without necessarily entering the properties.

Yet, DDoS attacks on the listed infrastructures would expose it to other potential attacks — regardless of whether they constitute part of original intention or not. Khan indeed refers to infrastructure’s websites as a “semi-private” property. Hence, such exposure would entail stealing, deleting, or exposing data of people — a growing importance of which cannot be understated.

Already the exhibitions of an inappropriate aggressive behaviour sometimes lead to acts that go beyond the protests. In the latter case, however, such aggression could be easily contained since the source of calamity would come from an identifiable group of people that could then be supressed; such feat is not viable in an online reality. Here, Khan emphasises the importance of fundamental rights of freedom of expression, however, it is important to understand that the balance of any rights will always exist be it in real or virtual reality. Law’s efficiency slowly degrades, giving ground to the importance of cyber-architecture.

My second argument will attempt to illuminate how DDoS attack can become more legitimate even with the consequences it creates. I shall look at the conditions of real life protests and how they ought to happen.

Before organising the protest and marches, one is required by law to inform the police authorities of an intention to do so by providing them with date, time, and route of the march. The Public Order Act 1986 further supplements it in section 14(1) by endorsing the police officers with power to instruct the organiser to take steps in preventing aggressive behaviour and damage to property during the march. The case cited in an original article, Schimidberger v Austria, in paragraph 84 of the judgment — although agreeing that protest was legitimate — adds that “main proceedings took place following a request for authorisation presented on the basis of national law and after the competent authorities had decided not to ban it”. Such measures are used in democratic countries to allow for appropriate protests.

Hence, the missing element of DDoS attacks is the information about the time and place of the attack. Just like an unannounced protest, any DDoS attack becomes illegitimate and unlawful. Although Khan does state that the IP addresses are left to be discovered (similar to the requirement of naming of protestors), my responses are that it is not an occurring element of DDoS attacks, secondly that DDoS attacks can be done by the bots, and thirdly, there is no point in pursuing aggressors after the attack just like tracking down protestors who went home after the march through the street cameras. It would be a waste of resources and would lead to a further inefficiency.

If an attack is committed from overseas, it would make such operation impossible and fruitless due to the inherently elusive nature of cyberattacks. Hence, the information about the upcoming protest is what would legitimise the DDOS-based forms of expression. If Khan elevates DDoS attacks to an organised protest, then it already lacks the original elements such as effort put into organising a physical protest. Due to such phenomena, information of time and place of the attack becomes even more essential and needs to be integrated into the cyberspace.

For instance, notification of a DDoS attack would encourage people to withdraw money from the bank before the attack, allow government sites to shift their encrypted data assets to another server and so on. This would minimise the damage and inconvenience done.

The second limitation would be to ban DDoS attacks from certain infrastructures such as the NHS as such attacks, instead of raising awareness, would only draw negativity due to the quintessential nature of such public service.

Although, one could already see issues with regulating DDoS protests, such as fake notifications, any further steps to regulate such as creating an online agency which would grant permissions to registered, verified users to participate in DDoS attacks would either be impractical, or completely defeat the purpose of DDoS attack. One could see the inefficiency of law in the online world once again, calling for changes in the codes and algorithms in cyber dimension.

The debate on DDoS attacks and protests continues to show unresolved tensions. Giving notice of DDoS attacks would at the very least help brace for impact rather than finding out dealing with the disastrous chain of events, ranging from stolen data to cyberterrorism.

Although the DDoS protests can be good in intent, the inherent nature of the virtual world is such that more damage than foreseen or intended would be done such as giving an opportunity for further malicious attacks; DDoS protest is likely to lose credibility and be labelled as a distraction and part of a bigger criminal scheme in the end benefitting neither the protestors, nor the purpose they tried to achieve. I acknowledge Khan’s efforts in pushing for the legitimisation of DDoS attacks through law, however, for it not to cause more harm than good, it must be refined by the digital architecture of the cyberworld.

Rahim Talibzade is in his final year of his law degree at the London School of Economics.