<26>: but people are going to jail
[…]
For the great majority of participants who contributed or used LOIC, it is safe to assume that they considered this tool and tactic a morally acceptable method of protest. Whether LOIC was in fact legal is a different question. At the time, the AnonOps party line affirmed that DDoSing with LOIC was safe: not because the tool anonymized your IP address (it did not, and generally no one claimed it did), but because the huge numbers of individuals participating would make it nearly impossible, or at least unduly inconvenient, for authorities to track down and arrest everyone. The main operators in the #operation-payback channel, some of whom were also in #command, would, in rare moments, ban those who warned others of its illegality. Those in #command wanted to instill trust, not fear, in their methods. AnonOps also circulated “instructions” for how to use LOIC, which featured atrocious security advice coupled with the overly pushy—and extremely dubious—legal advice in case of arrest:
IF YOU ARE V& [vanned] declare you had no participation in this event. Note you are using a dynamic IP address and that many different people use it, because it’s dynamic. If they prove that it was yours, then tell them you are a victim of a “botnet virus” that you had no control or knowledge of. Additionally if you set your wireless to unsecured or WAP prior to LOIC you can claim someone hacked your wireless. Case closed.19
More shockingly, a small cohort of journalists also spread misinformation. While Anonymous could, perhaps, be understood and forgiven for its mistakes, journalists should have done their homework rather than relaying incorrect legal advice and misleading technical information provided by their sources. The most egregious example of this practice came from the popular tech news site Gizmodo on December 8, 2010, in an article entitled “What Is LOIC?”: “Because a DDoS knocks everything offline—at least when it works as intended—the log files that would normally record each incoming connection typically just don’t work.”20 This point is just plain wrong. The DDoS’ed site can still monitor its traffic, culling and keeping IP addresses, which can be subsequently used to identify participants.
LOIC was about as safe as a torn condom. If a person using LOIC did not take other measures to cloak their IP address, it would be plain in every packet—in every attack—transmitted. Many participants likely lacked even rudimentary knowledge of how the technology worked, a baseline necessity for making an informed decision. The heat of the moment and the dominant sense of safety swept up journalists and participants alike. Generally speaking, and with a few exceptions, most people involved in #command, however naive the position might seem in hindsight, were, I think, sincere in believing that protection followed from strength in numbers; some of the individuals in #command used LOIC themselves and were subsequently arrested.
For much of the fall of 2010, Anons used DDoS with no repercussions, boosting the false sense of confidence that would soon evaporate under the first FBI raids at the end of December. There was also the issue of personalized messages accompanying the DDoS attacks. When individuals connected to the AnonOps hive, and packets were sent to a target, it included a message: “Goodnight, and sweet dreams from AnonOps.” The government could surely use this message to counteract claims that the sender was ignorantly a “victim of a botnet virus.” But with a good lawyer, that argument would crumble because the message could be identified as part of the virus (problem is, good lawyers are pricey). Regardless, none of this was discussed or seemingly understood.
The tide changed quickly. Soon after the first wave of attacks, a poster warning that LOIC was unsafe made the rounds. The bad advice presented by sites like Gizmodo was soon set straight by carefully researched articles on sites like Boing Boing, providing warnings and accurate technical details about LOIC’s security vulnerabilities. Around this time, a talented programmer managed to corral a small team of Anons to start writing a more secure, but harder to use, version. Upon release, it was downloaded en masse—before people realized it contained a trojan.
Finally, irrefutable proof of traceability arrived: law enforcement in plain blue jackets with yellow FBI letters visited over forty homes across the United States, trucking out hard drives loaded with incriminating data. Eventually, in July 2011, the FBI arrested fourteen alleged participants, thirteen of whom have since pled guilty. In October 2013, a grand jury indicted thirteen American citizens for participating in Avenge Assange and some of the earlier Operation Payback attacks.21
Now everyone knew that LOIC was an unsafe tool; that the US government was willing to go after online political protesters, even those who had not used LOIC (some of the participants swept in by the DDoS raid never used LOIC or botnets, but were charged based on IRC log conversations); and that there was no safety in numbers. Presumably, a hard lesson was learned.
DDoS as a Moral Pretzel
Equipped with these details, what ethical and historical insights might be drawn from these extraordinary direct action events—the largest DDoS political demonstration the web has seen? By fall 2010, the use of DDoS attacks was an established political tactic among hacktivists; Anonymous by no means pioneered the technique. In the 1990s and early 2000s, the Electronic Disturbance Theater (EDT), for instance, staged DDoS campaigns that they labeled “virtual sit-ins.” These actions combined technical interventions with poeticism and performance art. EDT targeted Mexican government websites to publicize the plight of Zapatistas fighting for autonomy in Chiapas, Mexico.22 They distributed press releases before the events and, while drawing less than a few hundred participants and causing no downtime to the sites, succeeded (somewhat) in the goal of gaining media attention. Regardless, the action hardly qualified, as Molly Sauter has perceptively argued, as “disruptive,”23 and it never reached a saturation point in the mainstream press.
Anonymous altered the scale, expression, and effects of DDoSing enough that the group broke the mold it inherited. Rather than spending months organizing small, well-crafted events, Anonymous experimented with the art of harnessing realtime anger into a wild, unpredictable, and continual uprising. As with any form of public assembly, alongside the politically motivated were those along just for the ride—and also those who were there simply to make the ride as bumpy and wild as possible. It’s inevitable that participants in Anonymous will have an array of positions and desired ends, given the group’s philosophical platform and the accessibility of its software tools; the actions are open to seasoned activists and newcomers alike.
By considering this tactic historically, we can plainly see that DDoSing is nothing new—virtually every movement advocating social change in the past two hundred years (from abolitionists to ACT UP) has relied on large-scale, rowdy, disruptive tactics to draw attention and demand change.24 The novelty lay in how the availability of a software tool, LOIC, and an Anonymous hype machine publicizing its existence, enabled such sizable and disruptive demonstrations to take root and unfold nearly spontaneously on the Internet. In a detailed analysis of the tool’s features, Sauter convincingly argues that the “Hive Mind mode” helped secure the hefty numbers: “Although Anons may not have ‘hit the streets’ as EDT envisioned Hive Mind mode did enable them to go to school, work, sleep, or anywhere while still participating in DDOS actions as they arose.”25
But even if DDoS simply extends a longer tradition of disruptive activism, it still sat uneasily with many Anons and hackers—even those who had no issue with law breaking. One day, chatting with an Anonymous hacker about the morality of the protests, I was told, “Trying to find a sure-fire ethical defense for Anonymous DDoSing is going to twist you into moral pretzels.” Particularly troubling to many Anons was the discovery that the DDoS campaigns in the fall and winter of 2010, including Avenge Assange, were built on deceit and buffered by the deployment of hacker-cont
rolled botnets. Had participants known that an army of zombie computers provided the ammunition, they might have chosen differently.
And yet, without this turbo boosting enabled by the hijacked computers, the use of LOIC—even by thousands of willing, ideologically committed participants, each contributing a small bit of power—would never have resulted in the downtimes that generated the media attention that was sought. This same hacker, critical of the technique, elaborated: “I have had several discussions about DDoS with people who, similar to myself, are not overly fond of it, but we keep coming back to it, as it is effective; the media does drive a lot of this activity.”
It was pivotal. Robust public participation may not have been technically necessary, and claims of LOIC’s safety were atrociously off the mark, but without the appearance of a critical mass, the operation would have likely lacked moral gravitas and authority. In this case, strength in numbers conveyed a potent message, even if there was no safety in them (and no technical need for them): it palpably revealed to the world at large the scope of supporters’ disenchantment with what they saw as corporate censorship.
Geeks and others also leveled more general critiques against the tactic, struggling to analogize the DDoS campaign with offline equivalents. Most persistent was the notion that DDoS attacks trample the targets’ right to speak freely. If one takes an absolutist view of free speech, then DDoS extinguishes the possibility of speech by disabling access to a website expressing a set of views. This mirrors the position of some hackers, like Oxblood Ruffin of the Cult of the Dead Cow, resolutely against this tactic for decades. In an interview with CNET, he reasoned: “Anonymous is fighting for free speech on the Internet, but it’s hard to support that when you’re DoS-ing and not allowing people to talk. How is that consistent?”26
He is right, up to a point. A more dynamic view of free speech could take power relations into account. By enabling the underdog—the protester or infringed group—to speak as loudly as its more resourceful opponents (in this case, powerful corporations), we might understand a tactic like DDoS as a leveler: a free speech win. I favor a more contextualized, power-driven analysis of free speech. In the case of Avenge Assange, PayPal and its kin never really lost their ability to speak, and the action itself was in response to a unilateral banking and service blockade that crippled WikiLeaks’ capability to speak or present a position. Where WikiLeaks had one proactive outlet—its disabled website (and the occasional sympathetic journalist)—many of the targets, like the MPAA and PayPal, commanded lobbyists, advertisers, and media contacts capable of distributing their message far and wide.
But understanding DDoS as a modulator of free speech is itself contentious. Others think it aligns more with another traditional protest tactic: the direct action blockade. In one debate among members of the Cult of the Dead Cow, hacker Tod Gemuese declared the free speech analogy to be “hooey.” He continued: “It’s the digital equivalent of physical-world forms of protest such as padlocking the gate of a factory or obstructing access to a building, etc.”27 Those who were critical of the tactic because companies had to expend resources to defend their websites failed to understand the nature of direct action. Direct action exceeds a liberal politics of publicity, speech, and debate, having the goal of directly halting activity or impacting and inconveniencing the targeted party.28 DDoS fits the bill.
Of course, all of these arguments do not necessarily justify DDoS in all situations. Rather, they more thoroughly demonstrate its pretzel-logic and ethical relationality. Internet scholar Ethan Zuckerman and his coauthors have written persuasively about how DDoS can truly harm small organizations lacking the defensive resources of a large corporation.29 Even if one supports its limited use (say, against well-resourced and powerful organizations), the proliferation of DDoS, critics charge, still encourages the use of a tactic that can quickly devolve into an arms race where those with more bandwidth can out-muscle those with less.
Whatever one might think of the utility and morality of the tactic, we can gain additional perspective by considering the actual technical and legal outcome of a typical DDoS attack. This will also help us weigh the fairness (or lack thereof) of the punishments meted out to participants. In spite of erroneous media reports, the servers that bear the brunt of DDoS traffic are not hacked into—nor do they suffer any permanent damage or data loss.30 Costs are incurred primarily because targets need to hire firms to provide DDoS protection. A successful DDoS attack against a corporation blocks access to an Internet domain. This may stall access to e-commerce, but it does not affect an organization’s internal computer system. The typical Anonymous DDoS attacks, or “traffic floods,” were unsuccessful against service sites that perform a lot of data transactions and are served by CDNs (Content Delivery Networks) like Amazon.com. (AnonOps briefly tried to target Amazon.com directly and it was a spectacular failure.) Even with the estimated thousands of individuals contributing their computers to a voluntary botnet, their efforts never shuttered infrastructural backbones like Amazon Web Services. Anonymous’s DDoS campaigns tended to be more successful against informational sites like mpaa.org. Anonymous’s digital protest tactics essentially blocked access to these domains, but only their Internet-facing websites.
Given what transpires during a DDoS attack, and whatever one might think of the risks and seriousness of it, one thing seems certain: the charges leveled against Anonymous participants in the US and the UK tend to be out of line with the nonviolent nature of these actions. In the US, arrests for DDoS attacks were made under the Computer Fraud and Abuse Act (CFAA), which tends to lead to harsher punishments as compared to charges brought under analogous offline statutes. Offline protesting tactics such as trespassing or vandalism—wherein damage is not merely speculative—rarely result in catastrophic consequences for participants. Yet this nuance that recognizes the intention and the consequences of actions is rarely granted to online activities, especially when the CFAA is invoked. As a result, similar behavior that might earn an offender an infraction or misdemeanor offline (with a penalty of perhaps thirty days in jail) is punished as a felony with hefty fine and jail time when it takes place online.
To put this in perspective: in Wisconsin, a thirty-eight-year-old truck driver, Eric J. Rosol, was fined for running an automated DDoS tool against the Koch Industries website for sixty seconds. (As part of an Anonymous operation, he was protesting the billionaire Koch brothers’ role in supporting the Wisconsin governor’s effort to reduce the power of unions and public employees’ rights to engage in collective bargaining.) The actual financial losses were less than $5,000, but he was slapped with a fine of $183,000—even though a far worse physical crime, arson, would earn a fine of only $6,400 in the same state.31 The fine represents the cost the Koch brothers spent hiring a consulting firm prior to the campaign for advice on mitigating the attack. In the UK, Chris Weatherhead—who didn’t directly contribute to a DDoS campaign but ran the Anonymous communication hub where the protests were coordinated—received a whopping eighteen-month sentence, “convicted on one count of conspiracy to impair the operation of computers.”32
The legal outcome for those arrested for the PayPal attacks merits further discussion. Due to excellent legal help and a plea bargain (still in the works), most of the thirteen defendants charged with DDoSing PayPal will be fined only a modest $5,600 each and will evade jail time. Even though they will be charged with felonies, the judge will likely wipe it off their records if they comply with their probation. Two others will likely go to jail for ninety days to avoid the felony charge, and one defendant’s fate is undecided.33 (Final outcomes will be delivered in December 2014.) Even though the punishments are less harsh than expected, the defendants were still put through an expensive and draining three-year ordeal, and with felonies hanging over their heads, many may have had (and will likely continue to have) trouble landing jobs.
The whole affair is also marked by doublespeak that illustrates the flagrant hypocrisy of a single corpor
ation, PayPal, going after protesters who participated in Avenge Assange. (MasterCard and Visa did not seek to prosecute.) In court, PayPal’s lawyers estimated damages to be up to $5.5 million.34 Meanwhile, in other venues, corporate officials claimed either that “PayPal was never down,” or that the attack only “slowed down the company’s system, but to such a small extent that it would have been imperceptible to customers.”35 This is a perfect example of how corporate actors not only can continue to voice their positions just fine through multiple channels, but can also engage in hypocritical and contradictory doublespeak as they put defendants through a costly, time-consuming legal process.
Eventually, the debate about DDoS became largely moot within Anonymous. The tactic’s success became identified with its ability to generate news headlines. This reliance on an obsessively cycling news media would grant a very short half-life to the visibility of actions like Avenge Assange. Anonymous, no fool, saw this coming; ceasing the operation, the group announced to the world in a poster that “we have, at best, given them a black eye. The game has changed. When the game changes, so too must our strategies.” From December 2010 on, DDoS, with all its moral conundrums left unsorted, became one occasionally wielded weapon in an increasingly diverse portfolio of tactics. Meanwhile, events began to stir in the small country of Tunisia, and the actions of a couple of hackers, one from AnonOps, set in motion events that would, yet again, shift everything for the collective of collectives—events as important as the birth of Chanology itself.
CHAPTER 5
Anonymous Everywhere
As 2010 became 2011 and Operation Avenge Assange waned, other operations on AnonOps waxed. It was not that AnonOps was splintering, but rather that it was flowering. This IRC network became the digital platform du jour for Anonymous activists of different stripes to organize their operations. By the end of January there were operations and dedicated IRC channels for Italy, Ireland, Venezuela, Brazil, Syria, Bahrain, Tunisia, Egypt, and Libya, along with non-place-based operations like Operation Leakspin, an effort to comb through the WikiLeaks diplomatic cables in search of newsworthy information. Many of these endeavors were small but nevertheless gave birth to vibrant regional nodes, the most prominent being Italy, Brazil, and the Hispano-Anons. (At the time of this writing, Anonymous Italy has leaked documents from the office of the governor of the Lombardy region, declaring the politician to be “one big corrupted son of a gun” and accusing him, among other things, of allowing criminals who distribute child porn to launder their funds through a Lombardy bank.1) These geographical pockets have thrived and grown into full-bodied communities. Although showing no signs of slowing down, very few regional nodes have been documented.2
Hacker, Hoaxer, Whistleblower, Spy Page 14
