(Cyber) Rebels with a cause

Cyber civil disobedience is a concept that is increasingly in the news as high-profile protests and attacks proliferate. Deb Shinder looks at the new "hacktivism" and the line between crime and political dissent.

Most people with whom I've discussed the topic believe that we should all obey the law, both in the "real world" and in cyberspace. Black hat hackers, attackers, virus writers, and spammers are considered by the average citizen to be criminals who should be punished for their deeds, whether they do it for fun, out of malice or for profit. Where the line gets a little blurry is when we start talking about cyber civil disobedience, which is also referred to as ECD (electronic civil disobedience) or by the more colloquial moniker, hacktivism.

Whichever you call it, the meaning is generally the same: the use of computers and/or the Internet in defiance of the law for the purpose of making a political statement or furthering a political cause, particularly as a form of protest against what the protesters believe to be unjust laws. Technically, ECD is the broader term, encompassing all electronic means, whereas cyber civil disobedience is focused on Internet-based activities.

Civil disobedience has a long history; the act of disobeying the law in order to bring about change has been around almost as long as organized law itself and was an important element of the U.S. civil rights movement in the 1950s and 1960s. Computer-based activism has been with us at least since the 1980s, via BBS (Bulletin Board Systems) and listservs, but the early incarnations were more oriented toward communication and coordination of "real world" protests than using the technology as the means of protesting.

There have even been college courses taught on the subject of electronic civil disobedience, such as those taught by University of California at San Diego professor Ricardo Dominguez. But what are the legal issues involved and when do "peaceful online protest" activities cross the line?

Forms of cyber civil disobedience

How do hacktivists go about staging online protests? One way is the kind of "online sit-in" described in the link about Dominguez. This takes the form of many people visiting a particular website at the same time and constantly reloading the page, which overloads the server, renders the site unavailable, and has the effect of a denial of service attack. This is an example of an organized civil disobedience event, comparable to a "real world" sit-in or rally.

Civil disobedience - cyber or otherwise - can also take the form of unorganized disregard of a particular law or laws that are considered unjust. Real world examples would include widespread use of illegal drugs such as marijuana, which in some jurisdictions resulted in decriminalization or reduction of the penalties for the offense. The same sort of thing occurs in the cyber world when large numbers of people ignore the copyright laws to share music files on a peer-to-peer network, for example. The idea is that the government doesn't have the resources to prosecute everyone, so if a substantial portion of the populace "just says no," the laws will either be repealed or rendered unenforceable. The copyright laws have also been the target of organized and coordinated civil disobedience, as in the February 2004 "Grey Tuesday" event when over 100,000 people downloaded a particular item in protest against the copyright law.

Another method of cyber protest is electronic vandalism or electronic graffiti, whereby the protester(s) deface the website of the entity they've targeted to put up their own message. This can be done by using SQL injections to access the administrative accounts of the web servers and then replacing the web page content with a page of the protester's making. Government websites or those of large corporations are often the targets of these types of protests.

Of course, technology makes it possible for only a handful of people (or even just one) to have a much larger impact than a sole protester in the physical world could normally accomplish. With good hacking skills or just a well-written script, a lone dissident can take down servers or entire networks, or even disrupt the operations of the Internet by targeting key components such as the DNS servers.

Common issues

Other than copyright issues, what are the hacktivists protesting? As computers and Internet access have become so ubiquitous, the online and offline worlds have merged. The same issues that are the subject of protest offline - political "hot spots" such as abortion, gay marriage, gun control, taxes, ecology and so forth - also trigger electronic protests. However, online civil disobedience often tends to focus on freedom of speech and freedom of information. After all, information is what computers and the Internet are all about.

Interestingly, while early protesters more often advocated the position that "information wants to be free," many recent protesters take the opposite stance, or at least modify that to append, "but not my information." Privacy of personal information online has become a big issue for hacktivists.

Who are the hacktivists?

Like their more traditional activist counterparts, hacktivists come from all walks of life but frequently are young and/or are engaged in less traditional work (i.e., artists or other creative types vs. corporate employees or government workers). Given the nature of the medium, it's not surprising that many hacktivists are computer programmers - whether employed in that field, doing it on a freelance basis, or just talented hobbyists.

Many hacktivists conceal their identities for obvious reasons; they're breaking the law and don't want to get caught and charged with a crime. Others are eager to take credit for their parts in the protest and believe that operating openly under their real identities is part of taking a stand against the laws or practices they're protesting.

A benefit of organizing into groups - in addition to giving you the "power in numbers" resources to do more, more quickly - is that a group can take credit for its protest activities as a group, without revealing the identities of its individual members. The most famous (or infamous) groups that have been in the news recently include Anonymous, which got started in the early 2000s but only recently came to the attention of the average member of the general public, after a great deal of mainstream media coverage of its role in the ongoing Wikileaks controversy, and LulzSec (Lulz Security), which took credit for several high profile attacks and web defacements.

Where do you draw the line?

Since civil disobedience by definition involves breaking the law, anyone engaging in it is technically a criminal. However, individual hacktivists and organized groups differ in their philosophies regarding just how far it's acceptable to go in doing that. In the physical world, it's relatively easy to distinguish between violent and non-violent protest. It's harder to differentiate between "harmful" and "benign" actions, though. If a picket line shuts down a company's business for a period of time and causes it to lose thousands or millions of dollars, certainly harm was done. However, in most cases, the only recourse the company would have would be to sue the protesters for the damages and/or have them arrested on misdemeanor charges such as trespassing (if they are on company property). If protesters spray painted negative statements about a company on the walls of its building, they could be charged with graffiti or vandalism offenses, also usually misdemeanors.

In the online world, consequences for causing the same amount of monetary harm can be greater. That's because activities such as defacing a website involve unauthorized access to computer systems - and the law treats that more like the equivalent of burglary in the real world. Of course it depends on the jurisdiction under which you're charged, but fines are often steep and prison time may even be on the table.

On the other hand, making a case against online protesters can be more difficult than prosecuting "real world" activists, because of jurisdictional issues (the location where the crime takes place or where the victim reports it may be far away from where the hacktivists are located), use of anonymizers, and the intangibility of electronic evidence.

At what point does legitimate electronic civil disobedience turn into cyberterrorism? Certainly the hacking of systems that control the critical infrastructure - electric grid, water system, hospital network, traffic lights, police dispatch systems, and so forth - can place the lives of innocent people in danger and would be considered off limits by most hacktivists. When it comes to things like DoS/DDoS attacks, website defacements, email bombing, and other activities that can cause a monetary loss, there is less agreement. Legislators, police, and courts are faced with coming up with laws that are fair and protect society and innocent Internet users while allowing for freedom of political speech and the means to change laws through this new incarnation of a method used successfully throughout history. They don't have an easy road ahead.

Meanwhile, before you join in online protest activities, check out the laws in all applicable jurisdictions and make sure you understand what risks you're taking.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

9 comments
AZ_IT

Motives definitely play a role in hacktivism or civil disobedience; however, the actions taken must also be considered. Hacking into a company and stealing account names and passwords and posting them online hurts the users first and foremost; the company may lose face, but what else have they lost? The users, on the other hand, are the ones that have to take action to protect themselves. It's like stealing customer information from McDonald's and then abusing the customers that have purchased something there in the last five years in order to somehow punish McDonald's?!? I mean seriously. If hacktivists want to hurt a company, isolate the damage to the company and leave all the poor saps who have ever been associated with the company out of it. Otherwise the only ideal they're promoting is that hurting customers/citizens is a valid form of protest against companies/governments. That sounds oddly like terrorism.

dogknees

Civil disobedience is not new, and the traditional "rules" still seem to apply to me. The primary difference is that one who engages in civil disobedience accepts that their actions are illegal, and does not attempt to escape prosecution or minimise the punishment for their actions. The criminal generally doesn't accept either of these.

Neon Samurai

Nice differentiation; does the dissident take responsibility openly for political reasons or does the criminal try to escape responsibility after the action. It brings a demonstration of intent into it.

bboyd

http://www.techrepublic.com/photos/anonymous-protests-shut-down-bart-in-sf-photos/6278717?seq=12&tag=siu-container;thumbnail-view-selector

Ask people in Pol Pot's regime how that demonstrating your principles thing works. Patriots and Agitators are willing in various degrees to sacrifice for their causes. Demonstration of intent is necessary for the cause to grow, not to prove to some other that your cause is "Just". Getting arrested or killed may or may not serve your cause. Getting arrested for a Sit in or DOSS attack doesn't serve any purpose for most. Civil disobedience does not require being arrested. Ask any of the activists in Egypt. It requires participation and in doing so a risk. Criminal action requires exactly the same and has similar risks. I would say that differentiation is moral. We know how well defined morality is for society. /smirk

seanferd

I generally go by the definition that such protest is open, and the protesters do not evade arrest, but fight within the justice system. Perhaps this is a technical refinement of the idea, but not the base definition. It isn't worth haggling over, as your points are valid regardless of the label.

bboyd

Maybe the civil disobedience is more subtle in those places. Just hiding your reading glasses in Pol Pot's regime would have been effectively civil disobedience given some were killed for having such horrible bourgeois items.

santeewelding

To see how it would or will go down here. Could redefine "ugly".

seanferd

I wouldn't call any protesters in the old Soviet Union or under Pol Pot, open or hidden, practitioners of civil disobedience. You have to be demonstrating to a gov in which at least some members are listening, and which will not outright kill you and any other dissident. Sure, law enforcement in the U.S. is hardly perfect, and is quite capable of committing heinous crimes, but officers can't just round up and kill or beat everyone they come across. Sure, they do it sometimes, but then they have to try and hide it.
