Online petitions, boycotts and speaking out on social media are common ways to raise your voice about a particular issue or individual. But a more controversial method, hacktivism (hacker+activism), has been increasingly employed to further agendas. Hacktivism is defined as hacking, or breaking into a computer system, for political or social ends, and it is currently illegal. Proponents claim hacktivist actions mirror real-world protests but incur harsher penalties because they are carried out in the online environment. Are they right and are hacktivists indeed treated in a way that violates our notions of justice and fairness?
The Computer Fraud and Abuse Act (CFAA), also known as the “anti-hacking law,” was created in 1984 to criminalize unauthorized access to computers. Since then, the law has been modified five times, with each modification resulting in a broader definition of what constitutes “unauthorized access.” Opponents of the CFAA argue that the expansion potentially regulates every computer in the U.S. and many more abroad. Intentionally vague language within the law allows the government to claim that something as minor as violating a corporate policy (as in the case of the United States v. David Nosal) is equivalent to a violation of the CFAA, putting even minor offenders at risk for serious criminal charges. But is comparing hacktivism with real-world protests an apples-to-apples equation?
Hacking has been around for decades. Steve Wozniak and Steve Jobs first hacked into the Bell Telephone System in the mid-70s with the famous “blue box” to place (i.e. steal) free long-distance calls. In the mid-1980s, a college student protesting nuclear weapons released a computer virus that took down NASA and Department of Energy computers. And in 1999, Hacktivismo, an international cadre of hackers, created software to circumvent government online censorship controls, as they believe freedom of information is a basic human right. Since then, the rapid proliferation of online groups able to shut down individual, corporate and even government computers has become a focus for the FBI and other agencies concerned about this trend.
Hacktivism made headlines in 2010 when the group Anonymous reacted to events arising from the arrest of WikiLeaks leader Julian Assange. Assange’s detainment, which coincided with the WikiLeaks release of classified information hacked from U.S. intelligence channels, had supporters outraged. Feelings escalated when the website recruiting donations for his defense was left reeling by the refusal of MasterCard, Visa and PayPal to handle donations earmarked for Assange’s aid fund. Anonymous fought back by hacking into and disrupting the websites of all three financial companies, causing service outages and millions of dollars in damage.
Anonymous achieved its goal by mounting a distributed-denial-of-service (DDoS) campaign. Interested parties could join the Anonymous coalition by direct participation or by downloading a tool that allowed their computer to be controlled by Anonymous operatives. Dr. Jose Nazario, a network researcher with Arbor Networks, claims that it takes as few as 120 computers linked together in this way to bring down a large corporation’s web presence. Anonymous insists this technique is not hacking; it is simply overloading a website by flooding it with traffic that makes it impossible to load pages for legitimate visitors. According to Dylan K., an Anonymous representative: “Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.” But this is not equivalent to a real-world protest: hacktivists don’t need the voices of thousands for their protest to be effective. Less than 120 computers would suffice to take down an entity—something 120 people on the sidewalk could not manage.
The FBI soon unearthed the identities of some of the hacktivists involved in various Anonymous hits. One, Fidel Salinas, was charged first with simple computer fraud and abuse. By the end of seven months, there were 44 counts of felony hacking looming over him for his part in disrupting government servers. Salinas claims the escalating charges were due to the FBI increasing pressure on him to turn informant. This kind of “encouragement” is nothing new. Cybercriminal and Anonymous hacker Hector Xavier Monsegur, under the internet alias “Sabu,” initiated the high-profile attacks on MasterCard and PayPal in response to the Assange arrest. By 2012, Monsegur had been arrested and was busy working in concert with the FBI to unearth the identities of other Anonymous members, who were then prosecuted under the CFAA.
The Electronic Frontier Foundation (EFF) which, according to its website, is “the leading nonprofit organization defending civil liberties in the digital world,” is promoting reform of the CFAA through consumer education, petitions and other legal means. One of their central arguments for CFAA reform concerns the treatment of hacktivist Aaron Swartz, who downloaded millions of scholarly journals from the JSTOR database, a subscription-only service, through MIT’s campus network. Swartz’s actions were predicated on his belief that publicly-funded scientific literature should be freely accessible to the taxpayers who paid for it. After his arrest, federal prosecutors charged him with two counts of wire fraud and 11 violations of the CFAA, amounting to up to 35 years in prison and over $1 million in fines. Swartz committed suicide a few days after declining a plea bargain that would have reduced the time served to six months in a federal prison. The EFF explains that if his act of political activism had taken place in the physical world, he would have only faced penalties “…akin to trespassing as part of a political protest. Because he used a computer, he instead faced long-term incarceration.” However, the EFF seems to gloss over the fact that, no matter how pure his reasoning, when Aaron Swartz played Robin Hood he wasn’t merely trespassing — he was stealing.
In response to Swartz’s untimely death, the EFF suggested changes in the way the CFAA calculates penalties, seeking refinement of overly broad terms and arbitrary fines. Its emphasis is on the punishment fitting the crime, and its hope is to align the CFAA’s penalty recommendations more closely with those received for the same acts when they arise during a physical political protest. The EFF is currently working on a full reform proposal that they hope will restrict the CFAA’s ability to criminalize contract violators or technology innovators while still deterring malicious criminals.
It’s true that the CFAA is too broad and may allow prosecutors to apply draconian charges for misdemeanor crimes, but the EFF is not taking into consideration the real harm done by hacktivist “protests.” A physical political protest is most often a permitted, police-monitored event. It may cause temporary (a few hours or days at most) disruption of business; garner media attention; and alert the public to the seriousness of the issue. The online protests staged by “Operation Payback”, Anonymous, and most recently, Team Impact, the Ashley Madison hacker(s), resulted in far more damage and disruption to the targeted organizations than would a “real world” protest. These acts are more akin to vigilantism or even terrorism since the hacktivists rely on intimidation in pursuit of self-defined injustice—and outcomes often involve harm to innocent people. If a physical protest had resulted in the same outcome—a company looted, lives destroyed and money lost—it would be considered a criminal act.
Hacktivists seem hardened against the collateral damage they inflict in achieving their goals, arguing that the end justifies the means. The recent Ashley Madison scandal is a great example of hacktivism without conscience. Hackers calling themselves Team Impact threatened Avid Life Media, Inc., the parent company of infidelity website Ashley Madison, to release information regarding their customers if they didn’t shut down the site. They believed that Ashley Madison was faking most of the female profiles available on the site to scam more men into signing up. When the company continued operating, Team Impact released the data, potentially ruining marriages, destroying careers, and compromising the personal data of users who now face threats of blackmail and identity theft. The company itself is facing $500 million in lawsuits, but the toll on its customers—the very people that Team Impact was claiming to help—was heavy indeed.
Similarly, Anonymous’ hacking of the PayPal website alone cost that company $5.5 million in revenue and damaged numerous small businesses and individuals who were unable to complete financial transactions during the shut-down.
Hacktivists claim their actions are equivalent to real-world protests and as such, should be protected from criminalization. It’s true that citizens’ right to peaceful public assembly is protected by the United States’ Constitution’s First Amendment and further guaranteed by the Supreme Court. However, the law is clear that the government can put restrictions on the manner, time and place of such a gathering to preserve order and safety.
The First Amendment does not guarantee the right to assemble when there is the danger of riot, interference with traffic, disorder, or any other threat to public safety or order. One group’s right to speak out should not conflict with rights of other individuals to live and work safely. This should be true online as well as in the physical world, but hacktivists often act outside of this stricture. Mikko Hypponen, chief research officer for F-Secure, sums it up well: “The generation that grew up with the Internet seems to think it’s as natural to show their opinion by launching online attacks as for us it would have been to go out on the streets and do a demonstration. The difference is, online attacks are illegal while public demonstrations are not. But these kids don’t seem to care.”
Online groups should not be allowed to achieve their desired results using extortion, intimidation, terror or vigilantism. But it is equally important that governments and corporations not have the right to sway, direct, or otherwise channel the free will of the people toward or away from any one purpose by using force or fear of penalty. And setting laws in place that make non-violent, non-damaging civil disobedience a major infraction of the law is tantamount to muzzling free speech. Gabriella Coleman, Assistant Professor of Media, Culture and Communication at New York University writes that if DDoS attacks by hacktivists are always deemed unacceptable, that this would be “damaging to the overall political culture of the internet, which must allow for a diversity of tactics, including mass action, direct action, and peaceful of (sic) protests, if it is going to be a medium for democratic action and life.”
Both sides are wrong to some extent. The problem with internet hacktivists is the veil of anonymity behind which they hide. Real-world political protests require that people stand up for what they believe—physically. They put their faces out there, sign their names on petitions and take responsibility for their views. The Supreme Court has ruled that anonymous speech deserves protection, but hacktivism is not speech—it is action. Hacktivists can intimidate and extort individuals, corporations, and governments without having the courage to step forward. Sometimes, people will take actions anonymously that they would not under scrutiny, a truism that makes the groups like Anonymous capable of causing chaos on a worldwide scale.
There can and should be many ways to speak your mind and promote your political agenda online, and you should be able to do so without fear of reprisal from law enforcement. However, intentional damage inflicted by anonymous disruptive mass action can also hurt unrelated innocent individuals. With our society’s level of reliance on internet services for business and daily living, hacktivist activity has potentially far-reaching consequences. Shutting down banking or payment capabilities doesn’t just hurt the targeted banks and credit card companies; it prevents many small businesses and individuals from conducting necessary business and impacts their daily lives in a negative way. Releasing the personal data of subscribers or customers to harm a government or company doesn’t just hurt the target—it sets thousands, sometimes millions, of lives on edge.
And let’s face it: Breaking into a store in a “real world” protest, stealing its customer lists or proprietary data and either disseminating it or destroying it is not trespassing. It’s not a misdemeanor. It’s not peaceful. It’s theft at best and terrorism at worst.
Online activists should mount an up-front, highly publicized, web-based boycott of their opponent—peacefully and legally—to exercise their freedom of public redress in the way in which the Constitution intended. Team Impact could have constructed a viral message letting people know that Ashley Madison was scamming them and easily made their point without the collateral damage. And governments who are interested in keeping discourse alive need to take a step back from the edge of fascism by narrowing their definition on “unauthorized use” of computers to prevent minor instances of online civil disobedience from being classified as criminal offenses.