The Crackdown on Hacktivism

Last month, Internet activist Aaron Swartz, one of the creators of RSS and Reddit and leaders of the campaign against SOPA/PIPA, sadly passed away after hanging himself in his New York apartment. He was due to stand trial on charges of computer fraud, after having allegedly downloaded millions of documents from JSTOR, an academic journal repository, to release them to the public for free.

His tragic death has strongly affected many of the communities in which Aaron was an important member.  And some of those hurt by his passing believe that his death was due to his harsh treatment at the hands of federal prosecutors. His father went so far as to say that his son “did not commit suicide but was killed by the government. Someone who made the world a better place was pushed to his death by the government.” It’s easy to understand why many viewed Swartz’s prosecution as overly harsh.  He had already spent most of his life savings on legal fees, and a conviction would have led to upwards of 35 years in prison and fines of up to $1,000,000. Even if the prosecutions’ offered plea bargain was harsh — under the offer, Swartz would have to plead guilty to every charge and face six to eight months in prison, after committing a crime that was purely for the benefit of the public.

As one of the creators of the Creative Commons copyright licenses, Swartz had been an advocate for the sharing of knowledge and creative materials. The vision of the Creative Commons license is to “realize the full potential of the Internet – universal access to research and education, full participation in culture — to drive a new era of development, growth, and productivity.” Swartz’s actions were in keeping with this idealistic vision.

Swartz’s death generated a lot of attention (and protests from groups like Anonymous), but in many ways it has overshadowed how many Internet activists have recently found themselves in the law’s crosshairs.  For instance, in the past few months, two British men were arrested in Britain for their involvement with Anonymous’ recent DDoS (distributed denial of service) attack on PayPal (carried out due to PayPal’s refusal to process WikiLeaks donations).  And last year six people in the US were arrested in connection with Anonymous’ activities, including alleged leader Barrett Brown. Some proponents of DDoS attacks argue that the attacks are a form of civil disobedience, and have even gone so far as to ask the White House to recognize them as such.  But the law currently views DDoS as something more nefarious; participating in a DDoS attack can carry a maximum of ten years in prison in the UK and US.  Moreover, because participation is as easy as downloading a free program and pressing a single button, many people may participate in such attacks without fully appreciating the significant legal risks they are taking.  Those who do appreciate such risks may be dissuaded from engaging in this form of protest (for better or worse).

The security firm McAfee has predicted that participation in the Anonymous collective will decline in 2013, stating that too many “un-coordinated and unclear operations” are destroying the group’s reputation. The very fact that anyone can claim to be a member of Anonymous has created a situation where the group’s aims have become fragmented. To make matters worse, the main Anonymous Twitter account was hacked by rival group Rustle League, undermining its reputation.

Regardless of whether Anonymous continues in its current form, or splinters into many smaller groups, what is clear is that these forms of cyber protest will continue to become more prevalent as will the prosecutions for them. Considering Anonymous’ recent attack on PayPal was said to cost the company around $5m, it’s clear to see why businesses aren’t taking these attacks lightly.

The law, however, should leave room for digital protest.  Although some punishment is a necessary component of civil disobedience, that punishment should not be the same for protest and outright vandalism.  That said, distinguishing between protest and vandalism is not easy.  Vandalism, by definition, involves the deliberate destruction or damage of property, DDoS attacks are conducted only for a set period of time (usually a few hours), and leave the website undamaged afterwards. In Swartz’s case, he did not physically damage or delete JSTOR’s archives; he intended to do nothing but share its contents with others.  But his actions were not harm free.  He shared 4 million articles from academic journals, representing a financial loss for JSTOR.  JSTOR charges as much as $50,000 a year for an annual subscription fee, at least parts of which go to pay copyright fees to the owners of the articles in the databases.  Thus, were Swartz’s actions more like protest or vandalism?  According to legal expert Orin Kerr, the case was a reasonable application of the law and wasn’t an abuse of prosecutorial authority.

DDoS attacks can also have an economic impact through site downtime, lost customers, and lost sales, but in a digital world, how else can an angry public make its presence felt or its voice heard?  Anonymous is currently calling for DDoS attacks to be recognised as a form of protest, and punished accordingly with a token fine rather than a prison sentence. Jay Leiderman of the Guardian agrees that these attacks are in fact a form of speech and should be protected under the first amendment.  This right of protest, however, must be balanced against the potential harms that DDoS can have on online businesses and others uses of online content affected by DDoS.