Uncontroversially controversial

Anonymous, most recently known for their digital protest interventions, are tough to pin down with definitive definitions. Perhaps one of the most uncontroversial statements one can nail on them is that they and their tactics are controversial. After yesterday’s extensive Anon-led distributed denial of service attacks prompted by the take-down of the popular file sharing site Megaupload, I thought I would ask CO readers to reflect on the DDoS as a political tactic. I have complied a few basic questions to help kick-start the discussion.

  1. Is it reasonable to compare a DDoS with civil disobedience or direct action?
  2. What might be an appropriate legal response for those campaigns that are deemed by courts as political protest? (Perhaps not answerable)
  3. How does the media and the public misunderstand these events? (and perhaps the media are the ones are responsible for the “success” of a DDoS campaign)
  4. Is the political effect of the DDoS primarily symbolic and a way for people to very quickly and collectively express their position on a matter?
  5. Is there anything lulzy about the DDoS? (Does that even matter?)
  6. How might the DDoS be deployed more ethically as political protest? Under what conditions or configurations might it be more permissible, palatable or effective? Or i it just too noxious and problematic to use for political purposes?


I will admit the DDoS is not what interests me the most about Anonymous, a bias clearly reflected in this piece I just published on them, but definitely worth pausing on for a bit after yesterday’s actions.



You may also like...

23 Responses

  1. Andres says:

    I am reminded once more of this brilliant xkcd: http://xkcd.com/932/

  2. One of the finest of xkcd’s, (although there are so many)

  3. BRuTal says:

    I Like your text. I think that your question number 4 is the most appropriated definition for the use of an attack like DDoS these days.

  4. Eric says:

    1. I’d compare it with a passive-agressive form of direct action in par with a “sit-in” effectively you grind the business to a halt, but it’s not like you’re actually smashing windows or anything.

    2. Well that’s a sticky one, in a perfect world you’d review the moral, ethical, and legal issue being protested if valid the protest shold be permissible, if I’m just DDOSing a compeditor to hurt them, that’s another animal.

    3. The Media is disappointing at best, I’d argue misunderstanding is only half as bad as misinformation. Choose any mainstream media source they neigther understand what’s going on, and always have their spin on it. (Can you just tell me what happened and not how it’s the republicans, democrats, libitarians, etc fault?)

    4. Yes, DDOSing is primarily symbolic, while you could effectively deal extensive fiscal damages to some companies through DDOSing, for move government websites getting DDOSed is more of an annoyance and embarassment than financially damaging. Individuals DDOSing would go entirely unnoticed, only when their is large scale ourcry with heavy participation does DDOSing start making a real effect.

    5. I believe the “lulz” of DDOSing is when someone like a security firm who specializes in this stuff goes down from it. It points out at times, our “experts” aren’t really that good… I believe the “lulz” does play an important part though, many people get very upset with companies which is why the DDOS, by DDOSing with “lulz” attached it helps vent anger, which helps keep things to peaceful DDOSing rather then letting things turn more vindictive.

    6. If politicians actually listened to normal protests at all there would be no need for DDOSing, but right now our government doesn’t respond to it’s constituents, so turning to sit-ins, occuptions, DDOSing, and similiar tactics have become the only way to get a message out. Essentially you put yourself in the way to force whomever you’re protesting to deal with you. Hopeful these dealings are discussion, democracy, and compromise rather forceful dispersion by police.

  5. dexterJ says:

    Anyone watching the hearings will remember the high point where legislators, upon receiving some actual technical detail regarding enforcement, all started to pipe in “.. I’m no nerd .. but” – and – “.. we should get some nerds in here ..”

    .. Clearly wikipedia is already blacked out on Capital Hill (and many other Legislatures planet wide) ..

    The fact that legislators amd media don’t know that #opMegaupload is an exact technical re-enactment of several RIAA/MPAA sponsored DDoS actions on napster and piratebay remains as ironic as it is alarming.

    So – as SOPA and PIPA and DNAA will do nothing to stop Piracy, but everything to slow and imped the growing movement of independent artists bypassing RIAA and MPAA cartels – I, for one, fully support what was measured and completely harmless protest.

    DDoS as executed #opMegaupload for is nothing more and nothing less than the exact digital equivalent of a sit in or a picket line.

    They just can’t pepper spray the kids when the traffic jam starts to piss us folks off ..

  6. Alexandra says:

    It can be either an ethical or unethical form or protest. I generally am not a fan since, unlike sitting in, which is an attempt to make one’s voice louder, DDoS can be an attempt to hide the voice of the opponent. However, that is what made it right and effective (to me) in this case. As Anonymous tweeted, it was SOPA blackout day for SOPA supporters. It said, “Before you silence us, remember that you too are vulnerable. Because we will.”

  7. Green says:

    Screw the government tryin to police us. I would rather have Anonymous protecting our rights on the internet. Rock on anonymous!

  8. vance says:

    1. Yes. A DDoS is basically the digital equivalent of a Sit in. It does not actually do any physical or soft damage to the site it is being levied against. The purpose of a DDoS is identical to a sit in as well. Disrupt the the regular flow of daily life and in doing so draw attention to a cause. The other trait that is shared by a sit-in and a DDoS ( the way anonymous does it ), is that it requires voluntary participation to be successful. Anonymous DDoS attacks ask users to participate, if enough people participate the attack is successful. This is in strong contrast to the cyber warfare tactic of using a bot net it issue a DDoS.

    2. The grammer of this question is so bad that I don’t even know what you are asking.

    3. The media doesn’t understand these events. Period. As a result the public doesn’t understand them. The problem is that DDoS attacks are portrayed as “hacking” which they are not. Information is not stolen, access is not gained, networks and computers are not compromised. The only thing being exploited is network architecture… it is exploited in the same way as a sit in which blocks a hall way.

    4. That’s really about all it is. No Anonymous DDoS has ever had any substantial impact on a sites traffic. Most outages are measured in minutes.

    5. Of course there is. Let’s face it what separates Anon from the man, is that they take joy in what they do. And yes there is something hysterical in a bunch of nobodies knocking the FBI website off-line…

    6. More ethically? I have a hard time imagining a political protest which is more ethical. An Anon DDoS requires broad consensus and does no actual damage. One could argue that some sites loose financial assets but that just takes us into a discussion about how an Anon DDoS is also a Boycott or a Strike… again entirely ethical forms of Civil Disobedience and protest.

    7. BTW if Anonymous wanted to actually cause damage they would be DDoSing large assets of the CDN’s of these sites, it wouldn’t take down the site but it would cost the site proprietors alot of money and thus hit them where it hurts, the pocket book. But that’s not the point now is it, the point is draw public attention in a benign fashion.

  9. anon says:

    1.) yes completely. we actually like to think of the ddos as ecd (electronic civil disobedience).

    2.) i think that question is too situational to answer.

    3.) the media is (have become) part hype-machine, part corporate soap box, and part political/government spin doctor. with their track record i believe nothing they say. honestly, every story they report on is spun to match their backers desires. they don’t use real “experts” just paid mouth pieces they say what they want. they neither see a ddos as a political protest nor an act of cd/da. they see it as “digital-terrorism” because they can spin it that way to gain more “perceived” power through fear.

    4.) in the “real world” yes. they are almost totally symbolic, because people only perceive these things, they are not directly affected by them. but in the “online world” it’s a more tangible thing. during #oppayback the sony programmer felt real pressures when the psn was down. just like the church of scientology felt real world repercussions when 100s of anons were standing in front of their doors.

    5.) that’s a question of perception. not everyone like the same jokes. not everyone should. ddos’ing for lulz depends on the target and how they take it. if someone (*ahem* sony) says they are completely secure then they get ddos’ed to the stone age, that’s lulz worthy. but if yer just some horrible entity and your being ddos’ed that’s more of a “moralfag” thing. not as funny. but imho lulz are the reason for the op/raid (everything), but not always the result.

    6.) i totally agree w/ the above poster @eric, if political protests really matter to politicians they would be illegal. political protest/angst is more for the oppressed then the oppressors. we’re trying to stand up and do something positive. the more people hear about it the stronger it becomes. we gain followers/comrades. we change minds. we get boards. we move on.

    we’re legion
    united as one
    divided by zero
    expect us!

  10. Jonathan Wolf says:

    1) It’s totally reasonable, as cited by XKCD. Taking down a website temporarily has little to no effect on infrastructure.

    2) I’m not sure what an appropriate legal response to the DDoS would be, but I know for damn sure that a decade in prison is definitely not appropriate.

    3) The public and media misunderstand these events by making no distinction between data types and server types. All that gets reported on is “20,000 passwords leaked!” but makes no mention of the fact that those passwords are like “Password1” and “12345”. You don’t want cracked passwords, pick a better password. Similarly, if cia.gov is taken down, the public hears “Someone hacked the CIA!” without even remotely understanding that the website is merely a digital brochure, and not the operation. The public needs better education on these matters, as do our legislators and our media outlets.

    4) The DDoS is exactly that – a voice of the masses. Letters and phone calls to politicians are largely ignored. Petitions are quaint. But when you go after a company or government’s image, that hits them in their most painful spot – their marketability.

    5) DDoS itself is a bit lulzy, but not nearly as lulzy as watching candy-ass geezers wet themselves with fear as over 9000 kids simultaneously draw penises on their face so fast and hard that it melts.

    6) DDoS should be the absolute first tool that anyone uses in cyberwar. It’s basic, it’s blunt, it’s only effective if you have lots of people using it. The laws governing things like DDoS are horribly outmoded and need a serious overhaul, starting with safe harbor provisions allowing for the digital sit-in. But really, let’s be honest: the Internet just needs sovereignty.

  11. tomslee says:

    1. Direct action yes, civil disobedience no. Civil Disobedience has always had a strong element of witnessing to it. It’s the opposite of anonymous action. On the other hand, direct action covers a multitude of sins (and non-sins), and DDOS is pretty clearly direct.
    2. Agreed, not answerable in a general way. It depends on the nature of the business. The CIA doesn’t do it’s business on the web, Pitchfork does. DDOS against one is different to DDOS against another, same as blocking the physical entry to a company organized virtually would be different to blocking the entry of a physical workplace.

  12. Kevin Carson says:

    I got my Lulz from thinking the MegaUpload takedown was almost certainly timed in response to the Copyright Nazis’ loss of face Wednesday. And about five whole minutes after those evil bastards started chortling with glee about how they’d “shown us”… BAM!!

    That was a DDOS attack like in Grandpa’s day two years ago, BTW, organized on an impromptu basis. I can’t waith for the doxing to start.

  13. DOS says:

    A sit-in or picket line can be crossed. A dead site cannot be reached by anyone.
    While a site may not be damaged, being down can cost sites revenue and loss of users and customers. Calling it a peaceful protest seems to oversimplify the full impact and potential of DOS.

  14. Quite apart from anything else, this particular attacked tricked innocent bystanders into being part of it: http://www.wired.com/threatlevel/2012/01/anons-rickroll-botnet/ That alone puts this particular action into a different ethical category.

    More broadly speaking, I think the way to approach your questions is to reason by analogy. There is a lot of very honorable precedent for obstructive protests — a sit-in by definition blocks others’ access. Classic works on civil disobedience (e.g., Thoreau’s essay or King’s “Letter from a Birmingham Jail”) state the utter necessity of refusing to obey immoral laws or taking direct action to oppose them. There is no reason to say that online actions are any less proper than offline ones.

    A more trenchant objection is the question of whether or not such protesters must disobey openly and hence risk arrest. It is one classic aspect of the pattern, but King himself called the Boston Tea Party a massive act of civil disobedience and at least some of the participants disguised themselves. Online behavior is much more anonymous. (A few years ago, I challenged Orin Kerr on this issue: I asked how the Court’s decisions in _Talley_ and _McIntyre_ on the right to anonymity squared with his desire for identification. He answered that in the physical world, one has to appear in person, and thus take some risks, to act, and that this was a necessary balancing force to discourage extreme behavior. Online, what is the balance? While I don’t agree with his reasoning, let alone his conclusion, the the point is worth considering.)

  15. AnonAnonAnon says:

    1. No. It is reasonable to compare it to slashing someone’s tires to keep them from being able to drive, which is a crime.

    2. The legal system has dealt with this sort if minor-property-damage-as-protest case many times before, and the usual answer is criminal indictment. Here’s a relevant case:

    3. The question is too vague to answer.

    4. Lulz are in the eyes of the beholder.

    5. Just too problematic.

  16. AnonAnonAnon says:

    Steve Bellovin,

    Can you explain your analogy more? I thought the very honorable precedent for civil disobedience was to violate the law that you think is unjust and then demand punishment for violating that law. It’s honorable to violate the unjust law, and punishment brings attention to the injustice of the law.

    Applying the analogy, the way to engage in civil disobedience over copyright enforcement would be to openly violate copyright laws and then demand to be prosecuted for criminal copyright infringement. Ins’t that pretty different from what is happening here?

  17. J04N 8AK3R says:

    Great set of questions! Would love to see them reprinted individually as Plus Posts on G+.

    Biella Coleman You on Google Plus, yes? Share some of this love over there please?

  18. Miriam says:

    I agree that DDoS is more direct action than civil disobedience. As @tomslee points out, “witnessing” is an important component to civil disobedience that is absent in DDoS situations. For witnessing to happen, individuals stand together to form a collective that is not collapsed into one, but instead resonates with a cacophony of voices and faces. They witness and also are witnessed by others. DDos does not achieve the same effect, since DDoS may consist of many people participating, or can be achieved by one or a handful of people. The result looks the same and thus does not carry the same meaning. This is not to say DDoS is not a political tactic, but it does not carry the risk and exposure that civil disobedience has historically carried in other social movements, and I feel that this point is significant somehow.

    I think that the political effect of DDoS can be both material and symbolic, depending on the unique situation of the attack. It matters “who is being attacked and why” to uncover the ramifications and significance of DDoS. In this case, Anonymous taking down the FBI sites may have more symbolic effects derived from the media exposure around the event, the context of SOPA, the rapid organizing involved, etc. As another commenter stated, the actual operations of the FBI were not disrupted in this case, it was more that the public image of the FBI was poked at and made a spectacle of- a symbolic demonstration of power. In other scenarios though, taking down a website (like a small non-profit, a women’s clinic site, a personal blog, a church site) may separate people from necessary services, may tax an organization who doesn’t have dedicated technical support, may be interpreted as a personal attack associated with physical threat. In these cases, DDoS poses more material political damage. So DDoS may not have the same meaning, impact, or effect in other scenarios or configurations.

    To your point, Biella, I think the observation that the media creates these events is right on. The media has a huge hand in framing a DDoS attack as a political protest versus a terrorist attack. Given all of the rhetoric around Homeland Security and protecting our borders, I find it FASCINATING that when Anonymous takes down the FBI site, it is viewed as protest and not “the threat of terrorists”. I think an analysis of Whiteness as part of how these attacks are framed would be valuable here. A large part of the collective identity and culture of Anonymous draws on the white, male, hacker identity. I guarantee if Anonymous was an African-American technologist group, or a Muslim collective interested in free speech and open access, the media read would be: terrorism. Technology in the hands of white tech guys against the government: protest. Technology in the hands of non-white folks against the government: terrorism. Just sayin’.

  19. A.J. Sutter says:

    Having participated in protests during the late 1960s and the 1970s, I agree with @tomslee#11 and @Miriam#18. The comparison to sit-ins shouldn’t be limited to the question of property damage (e.g. @Eric#4), but should include the question of personal commitment. Those who participate in marches and sit-ins are willing to be gassed, photographed and arrested. I don’t find the Boston Tea Party precedent mentioned by @Steven#14 to be dispositive. Regardless of how deserving hackers’ targets may be in any specific case, anonymous actions are on much flimsier moral ground than sit-ins.

    My sense is that the lulz issue does matter, but pinning down how it does so isn’t easy. Political protests have often included satire. But somebody who, say, draws a mustache, penis, etc. on some public figure’s face just because he thinks it’s funny isn’t necessarily engaging in political protest. Doing something just for the lulz indicates a certain shallowness, some failure of political and ethical awareness. It’s depressing to witness, but probably not dispositive in any legal sense.

  20. All of these are great responses, thanks, I hope to responsd to a few more this week.

    @Miriam thanks for your great response (are you writing a dissertation on the DDoS or something? 🙂 but to your statement “I guarantee if Anonymous was an African-American technologist group, or a Muslim collective interested in free speech and open access, the media read would be: terrorism”

    I think that moniker could have easily been tagged on Anonymous as well and there were some news organizations Fox and CNN who have. I have been asked many times whether they are terrorists as well and have argued against it dozens upon dozens of times. I think it has taken some work, in other words, to keep that association at bay (but yes if it had been mostly Muslim collective, it would have been much easier to association to make)

  21. All great questions, and I’m still mulling over the first five. But I did post an “Open Letter to Anonymous” that has relevance to question 6, to the extent (if any) that choice of target is based on ethics and predicted effectiveness. Please see http://theodoramichaels.com/articles/CopyrightOfficeDDOS.php .

    I had tweeted the link to many Anonymous-associated twitter accounts, and to you and other observers, and thus far I’ve received almost no response. I’d be interested to know what factors Anonymous is using to choose their targets, and whether they take into account those I mention.

  22. A.J. Sutter says:

    @Theodora: Good for you, though I suspect the reference to being a lawyer in the entertainment industry on your webpage might have made some recipients think you a Them-not-Us, leading them to discount your message. I also suppose many of those involved in the attack don’t realize that it would take a Constitutional amendment, rather than action by the Copyright Office, to get rid of copyright altogether. The lack of response maybe is some evidence that the attack was motivated by lulz and by a good measure of ignorance (a “creationism” of a different kind).

  23. Thanks, A.J. I agree that some may assume I’m a “them” not an “us” (ignoring the last line of every Anonymous press release 😀 ), but I don’t think they’d automatically discount my points on that basis. They do seem willing to read and consider the views of knowledgeable observers (Biella being one example, and there are others from journalism & tech fields).

    Obviously Anonymous has been very busy over the past few days, so maybe they haven’t had much time for reading, or choosing targets carefully. Just yesterday they targeted Kaspersky, which has spoken out *against* SOPA. I asked about this, and again, no reply. ( https://twitter.com/#!/tmichaels1/status/161541919158181889 ) Just wish I knew if they agree with me but don’t want to admit to mistakes, or disagree with me but can’t be bothered to tell me, or haven’t noticed me at all. Uh oh, I am feeling another attack of butthurt coming on . . . better go fill out another form . . . 😉