(Cyber) Rebels with a cause

Cyber civil disobedience is a concept that is increasingly in the news as high-profile protests and attacks proliferate. Deb Shinder looks at the new "hacktivism" and the line between crime and political dissent.

Most people with whom I've discussed the topic believe that we should all obey the law, both in the "real world" and in cyberspace. Black hat hackers, attackers, virus writers, and spammers are considered by the average citizen to be criminals who should be punished for their deeds, whether they do it for fun, out of malice or for profit. Where the line gets a little blurry is when we start talking about cyber civil disobedience, which is also referred to as ECD (electronic civil disobedience) or by the more colloquial moniker, hacktivism.

Whichever you call it, the meaning is generally the same: the use of computers and/or the Internet in defiance of the law for the purpose of making a political statement or furthering a political cause, particularly as a form of protest against what the protesters believe to be unjust laws. Technically, ECD is the broader term, encompassing all electronic means, whereas cyber civil disobedience is focused on Internet-based activities.

Civil disobedience has a long history; the act of disobeying the law in order to bring about change has been around almost as long as organized law itself and was an important element of the U.S. civil rights movement in the 1950s and 1960s. Computer-based activism has been with us at least since the 1980s, via BBS (Bulletin Board Systems) and listservs, but the early incarnations were more oriented toward communication and coordination of "real world" protests than using the technology as the means of protesting.

There have even been college courses taught on the subject of electronic civil disobedience, such as those taught by University of California at San Diego professor Ricardo Dominguez. But what are the legal issues involved and when do "peaceful online protest" activities cross the line?

Forms of cyber civil disobedience

How do hacktivists go about staging online protests? One way is the kind of "online sit-in" described in the link about Dominguez. This takes the form of many people visiting a particular website at the same time and constantly reloading the page, which overloads the server, renders the site unavailable, and has the effect of a denial of service attack. This is an example of an organized civil disobedience event, comparable to a "real world" sit-in or rally.

Civil disobedience - cyber or otherwise - can also take the form of unorganized disregard of a particular law or laws that are considered unjust. Real world examples would include widespread use of illegal drugs such as marijuana, which in some jurisdictions resulted in decriminalization or reduction of the penalties for the offense. The same sort of thing occurs in the cyber world when large numbers of people ignore the copyright laws to share music files on a peer-to-peer network, for example. The idea is that the government doesn't have the resources to prosecute everyone, so if a substantial portion of the populace "just says no," the laws will either be repealed or rendered unenforceable. The copyright laws have also been the target of organized and coordinated civil disobedience, as in the February 2004 "Grey Tuesday" event when over 100,000 people downloaded a particular item in protest against the copyright law.

Another method of cyber protest is electronic vandalism or electronic graffiti, whereby the protester(s) deface the website of the entity they've targeted to put up their own message. This can be done by using SQL injection to access the administrative accounts of the web servers and then replacing the web page content with a page of the protester's making. Government websites or those of large corporations are often the targets of these types of protests.

Of course, technology makes it possible for only a handful of people (or even just one) to have a much larger impact than a sole protester in the physical world could normally accomplish. With good hacking skills or just a well-written script, a lone dissident can take down servers or entire networks, or even disrupt the operations of the Internet by targeting key components such as the DNS servers.

Common issues

Other than copyright issues, what are the hacktivists protesting? As computers and Internet access have become so ubiquitous, the online and offline worlds have merged. The same issues that are the subject of protest offline - political "hot spots" such as abortion, gay marriage, gun control, taxes, ecology and so forth - also trigger electronic protests. However, online civil disobedience often tends to focus on freedom of speech and freedom of information. After all, information is what computers and the Internet are all about.

Interestingly, while early protesters more often advocated the position that "information wants to be free," many recent protesters take the opposite stance, or at least modify that to append, "but not my information." Privacy of personal information online has become a big issue for hacktivists.

Who are the hacktivists?

Like their more traditional activist counterparts, hacktivists come from all walks of life but frequently are young and/or are engaged in less traditional work (e.g., artists or other creative types vs. corporate employees or government workers). Given the nature of the medium, it's not surprising that many hacktivists are computer programmers - whether employed in that field, doing it on a freelance basis, or just talented hobbyists.

Many hacktivists conceal their identities for obvious reasons; they're breaking the law and don't want to get caught and charged with a crime. Others are eager to take credit for their parts in the protest and believe that operating openly under their real identities is part of taking a stand against the laws or practices they're protesting.

A benefit of organizing into groups - in addition to giving you the "power in numbers" resources to do more, more quickly - is that a group can take credit for its protest activities as a group, without revealing the identities of its individual members. The most famous (or infamous) groups that have been in the news recently include Anonymous and LulzSec (Lulz Security). Anonymous got started in the early 2000s but only recently came to the attention of the average member of the general public, after a great deal of mainstream media coverage of its role in the ongoing Wikileaks controversy. LulzSec took credit for several high-profile attacks and web defacements.

Where do you draw the line?

Since civil disobedience by definition involves breaking the law, anyone engaging in it is technically a criminal. However, individual hacktivists and organized groups differ in their philosophies regarding just how far it's acceptable to go in doing that. In the physical world, it's relatively easy to distinguish between violent and non-violent protest. It's harder to differentiate between "harmful" and "benign" actions, though. If a picket line shuts down a company's business for a period of time and causes it to lose thousands or millions of dollars, certainly harm was done. However, in most cases, the only recourse the company would have would be to sue the protesters for the damages and/or have them arrested on misdemeanor charges such as trespassing (if they are on company property). If protesters spray painted negative statements about a company on the walls of its building, they could be charged with graffiti or vandalism offenses, also usually misdemeanors.

In the online world, consequences for causing the same amount of monetary harm can be greater. That's because activities such as defacing a website involve unauthorized access to computer systems - and the law treats that more like the equivalent of burglary in the real world. Of course it depends on the jurisdiction under which you're charged, but fines are often steep and prison time may even be on the table.

On the other hand, making a case against online protesters can be more difficult than prosecuting "real world" activists, because of jurisdictional issues (the location where the crime takes place or where the victim reports it may be far away from where the hacktivists are located), use of anonymizers, and the intangibility of electronic evidence.

At what point does legitimate electronic civil disobedience turn into cyberterrorism? Certainly the hacking of systems that control the critical infrastructure - electric grid, water system, hospital network, traffic lights, police dispatch systems, and so forth - can place the lives of innocent people in danger and would be considered off limits by most hacktivists. When it comes to things like DoS/DDoS attacks, website defacements, email bombing, and other activities that can cause a monetary loss, there is less agreement. Legislators, police, and courts are faced with coming up with laws that are fair and protect society and innocent Internet users while allowing for freedom of political speech and the means to change laws through this new incarnation of a method used successfully throughout history. They don't have an easy road ahead.

Meanwhile, before you join in online protest activities, check out the laws in all applicable jurisdictions and make sure you understand what risks you're taking.