After I found one of my earlier FP blog posts quoted in an Anonymous press-release, I thought that I need to clarify my position. Here is my piece for Slate where I attempt to do just that. (Warning: some light political philosophy ahead).
The crux of my argument is that there are certain conditions, which, if met, could make DDoS attacks a form of civil disobedience. However, the case of Anonymous doesn't meet all of them, mostly because the Anonymous attackers don't want to take legal responsibility for their actions.
The part of my original blog post quoted in the press-release -- the one that mentioned DDoS as a "legitimate expression of dissent" -- is not at all ambiguous: what I was suggesting is that the actions of Anonymous would not be interpreted as such by the U.S. media/political circles and may thus result in more control over the Internet by the governments and complete de-legitimization of DDoS attacks as civil disobedience. So I was surprised that Anonymous took those words somewhat out of context and used them to imply that I actually viewed their acts as "legitimate"; I did not. This, however, does not mean that I view all DDoS attacks as illegitimate!
So let me just repeat this once again:
1. To understand whether DDoS attacks can be viewed as civil disobedience, we need to examine the context in which they occur.
2. As far as I can judge the context of the Anonymous case, they failed the test (for more on the specifics of the test, see my Slate piece; I rely on John Rawls's views on civil disobedience n his A Theory of Justice).
3. Operation Payback and its successors may, indeed, harm the causes of Internet freedom but this is NOT what makes them illegitimate.
There is a vibrant debate about DDoS as a legitimate expression of dissent in the blogosphere -- see this excellent summary of positions at TechPresident and this blog post by Deanna Zandt. There is an interesting comment by Ethan Zuckerman in response to Deanna's original blog post that I would like to examine a big more closely.
In short, Ethan is arguing that DDoS attacks are increasingly used to silence down independent publishers; they don't have the same resources as MasterCard or PayPal to deal with them; as a result, for them DDoS causes real rather than just temporary damage; Operation Payback has given DDoS as-a-silencing-tactic a lot of PR; and, finally -- and I am really putting words into Ethan's mouth here -- Anonymous and others should consider the consequences of their actions for others.
As much as I would like to agree with Ethan, I am not sure I am buying the (rather implicit) prescriptive part of his argument. First, it seems to conflate the issues of legitimacy and efficacy -- something that I explicitly caution against in my Slate piece. I'm strongly opposed to making efficacy a factor in evaluating the morality of particular DDoS attacks, not least because efficacy is too fickle of a concept and tends to undervalue the deterrence value of civil disobedience.
How do we know that the reason why Facebook and Twitter still have not removed WikiLeaks' account was not because they feared DDoS retaliation from Anonymous? Of course, it's much easier to measure the costs -- greater crackdown on the Internet, more NSA types in 4chan chatrooms, etc -- but it's not so easy to measure the benefits; will PayPal be as forceful in freezing the funds when it comes to the next WikiLeaks? We simply don't know -- but I'd venture to suggest that the attacks have probably had some impact on corporate decision-making.
This is not to suggest that we shouldn't try to assess the efficacy of DDoS but only to suggest that tying it to legitimacy seems misguided. That an entity like Anonymous has a good moral reason to act on something does not mean that they should necessarily act on it. In the end, it all boils down to good judgment -- and this is where wise Internet intellectuals should step in and theorize about potential fall-outs, crackdowns and what not, so that any of us can make the right (for us) call on whether to join the DDoS effort.
The other thing that bothers me about Ethan's comment is that it doesn't really make an effort to reconcile my right to protest injustice by engaging in acts of civil disobedience (forget Anonymous, we are talking abstract DDoS which doesn't fail the test) with some independent web-site's right to publish what they want and when they want online. (Remember: the theory at play here is that as DDoS get popular/mainstream, this would result in more attacks across the board, thus having a very negative impact on independent/poor publishers).
Is it really always the case that I shouldn't engage in DDoS to right some moral wrongs just because this may potentially make it harder for some third-party to conduct their affairs? I can think of conditions when this would be the case -- but critics of DDoS as civil disobedience need to spell out those conditions in great detail before they assume a particular resolution of competing claims. I can, for example, also think of conditions where my right to protest an injustice might trump a third-party's right to publish.
Otherwise, we end up with very simplistic moral and ethical frameworks where all attacks are presumed to be good or bad simply because of the intrinsic qualities of DDoS. This is an outlook that I reject as technology-centrism (in The Net Delusion, I am actually very critical of a similar tendency in "Internet freedom studies," where the assumptions about the Internet's inner logic seem to outweigh the assumptions about the context in which it manifests itself).
Unfortunately, I can't sign up to Ethan's call -- "Just don't give moral and ethical air cover to the bastards who are using DDoS to silence sites for whom a DDoS is a shut down, not a sit in" because "giving moral and ethical cover to bastards" is often the unfortunate result of allowing those who are NOT bastards to act in morally justifiable ways (as opposed to ways recommended by the estimable Berkman Center).
Until we hear some cogent arguments as to why the possibility of digital shutdowns should always prevent us from participating digital sit-ins, I would like to urge more caution on this subject. My own guess these arguments would never work in the abstract and would still need to be evaluated on a case-by-case basis in the particular contexts they are set in. Which, to return to my original post, was my whole point: we shouldn't prejudge DDoS to be "good" or "bad" simply because it's illegal or because it is "DDoS."
p.s. plenty of folks -- check comments to Deanna Zandt's post -- suggest that there are better, more constructive ways to express one's solidarity with WikiLeaks or one's indignation with the companies that dumped it. Sure, there are. However, most of the "constructive" activities mentioned in the comments are fully legal and thus do not meet the definition of "civil disobedience," which presumes a breach of law. So, once again, this is the question of efficacy, not legitimacy.
The current chapter in the WikiLeaks saga has finally forced me to come out of my blogging semi-retirement! While I'm still trying to make sense of everything that has happened in the last ten days, here are some analytical notes on Anonymous and the challenges facing the Obama administration as it mulls an appropriate response to WikiLeaks.
The impact of the recent wave of cyber-attacks launched by Anonymous on a handful of companies that dropped WikiLeaks as their client -- Amazon, EveryDNS, MasterCard, Visa and others -- is hard to gauge. I'm certain these attacks won't make any of these firms to reconsider, strike peace with WikiLeaks, and offer them some vouchers in compensation. But could the attacks serve as a deterrent to other firms that have been considering dropping WikiLeaks?
Perhaps -- but I don't know how many such companies there are. Right now, WikiLeaks is heavily dependent on Twitter and Facebook as their primary channels for external communications; it's these two firms that need to be watched most closely. (I don't expect many people to call on Google to remove WikiLeaks from its search results -- but let's wait and see...) So far, both Twitter and Facebook have been taking rather bold steps: they declined to stop doing business with WikiLeaks and actually removed the accounts of Anonymous (alas with little success, as new accounts were created within minutes). It's clear that should these two companies succumb to pressure and part with WikiLeaks this would result in a major online backlash.
Now, the fact that Anonymous chose to go after Visa and MasterCard has created all sorts of other challenging issues. While the attacks targeted only the public web-sites of these companies -- rather than the underlying infrastructure that allows card transactions to be processed -- such subtleties are likely to get lost in the public debate. As far as policymakers are concerned, these attacks would be viewed as striking at the very of the global economy (even if they obviously aren't in reality). It's still not clear to me whether any credit card data has been leaked or compromised as a result of such attacks, even though Anonymous posted some links to such data on their Twitter feed. This too won't matter, as most people would assume that data has, in fact, been stolen.
I seriously doubt that U.S. authorities would be able to effectively go after Anonymous, in part because there are too many people involved, they are scattered all over the globe, and attributing cyber-attacks to them would be impossible (and would surely require reading a lot of chat transcripts from IRC). The only other possible policy response at their disposal is to make it easier to trace such attacks in the future -- most likely by empowering the likes of NSA/Cyber Command. I would imagine that after the current cyber-attacks on credit card companies -- even if they didn't cause much damage -- this would enjoy bipartisan support in the United States.
As far as long-term developments are concerned, I think that much depends on whether the WikiLeaks saga would continue being a debate about freedom of expression, government transparency or whistle-blowing or whether it would become a nearly-paranoid debate about the risks to national security. Anonymous is playing with fire, for they risk tipping the balance towards the latter interpretation -- and all the policy levers that come with it.
That said, I don't think that their attacks are necessarily illegal or immoral. As long as they don't break into other people's computers, launching DDoS should not be treated as a crime by default; we have to think about the particular circumstances in which such attacks are launched and their targets. I like to think of DDoS as equivalents of sit-ins: both aim at briefly disrupting a service or an institution in order to make a point. As long as we don't criminalize all sit-ins, I don't think we should aim at criminalizing all DDoS.
I can spend hours debating this subject but, in short, while Anonymous' actions may result in greater government oversight of the Internet, they are not necessarily illegal or immoral just because they involve DDoS attacks. The danger here is obviously that if the narrative suddenly becomes dominated by national security concerns, we can forget about DDoS as legitimate means of expression dissent -- that possibility would be closed, as they would be criminalized.
What is the impact of these attacks on WikiLeaks? The organization has been silent about its own relationship to Anonymous -- I didn't see any tweets, let alone press-releases, that either spoke out against or in favor of cyber-attacks. As far as strategy is concerned, I think it's a big mistake for WikiLeaks to stay silent on the issue. In the absence of any statements from their end, most people -- especially those who have never heard of Anonymous before -- would assume that they are part of the same hacker gang. (Sarah Palin seem to have implied as much when she accused WikiLeaks about attacking her site).
That WikiLeaks chose not to address this issue publicly suggests that the organization is either overstretched or has not yet reached a level of maturity that some of us expect from it before expressing our unqualified support for what they do. As long as most people link WikiLeaks to the cyber-attacks on credit card companies, it's a net loss for WikiLeaks. It would also make it easier for certain cyber-hawks in Washington to justify classifying them as a "terrorist" organization -- at least whenever they appear on Fox News. Arguably, this is not a battle they can win with facts anyway -- but they should at least be leaving some public record of their stance on such issues. I'm also not sure about the overstretching argument: I'm sure plenty of smart people would volunteer to do PR for WikiLeaks for free...
All in all, if the public continues to associate WikiLeaks with hacking and cyber-attacks -- rather than, say, providing a safe platform for whistleblowers -- this will greatly erode the goodwill that WikiLeaks has built over the course of the last few months by increasing their cooperation with media organizations and NGOs. That "normalization by third parties" allayed the concerns of many -- but cyber-attacks may once again seed doubt in many people's minds.
Looking beyond Anonymous, I'd like to note that when it comes to crafting an appropriate response to WikiLeaks, the Obama administration is in a very delicate position. On the one hand, the domestic pressure to do something about WikiLeaks is growing -- and it will get even worse, as Anonymous continues its attacks and adds more political targets to their list (and I'm sure they will as there is some vicious circle at play here: the more attacks they launch, the more people condemn WikiLeaks, the more new targets Anonymous has). On the other hand, it's obvious that going after WikiLeaks would put the final nails in the coffin of the State Department's Internet Freedom Agenda, which is the most obvious victim of the last ten days.
I have always had mixed feelings about this Internet Freedom drive. While I think it's misguided and led by highfalutin techno-boosters unaware of the geopolitical background to their own actions, it's also obvious to me that there is some good that may come out of the U.S. government's interest in such matters -- for example, the support they offered to tools like Tor has been most appreciated. (That support, however, predated the formation of the Internet Freedom Agenda as articulated by Clinton in January 2010).
The real question here is whether, as the public attitudes towards tools like Tor -- which provide the very anonymity that benefits leakers -- quickly turn negative, the State Department and agencies like the National Endowment for Democracy would lose the ability to fund anything in this space. It's also not clear to me whether many of the geeks associated with the "Internet freedom" movement would feel comfortable taking money from the U.S. government, given that the latter are actively pursuing people like Assange.
I think this partly explains why the U.S. government has been so slow/low I key in lashing out against WikiLeaks, leaving the rhetorical heavy-lifting to populists like Sarah Palin, Rush Limbaugh and Joe Lieberman. Leaving in their hands also means abandoning control of the conversation; so far, it seems to me that such approach has been quite detrimental.
For example, many foreign politicians are already calling on Washington's duplicity and lack of media freedoms and disrespect of human rights -- all because Glenn Beck and Sarah Palin said something radical. As far as most foreign audiences are concerned, few draw distinctions between the elected officials, those in the opposition, and the punditry -- they are all part of "Washington"; so whatever the radicals says would, of course, eventually be associated with the White House and the State Department. I don't know how long the administration can afford to stay on the sidelines of this debate.
Another possible unfortunate consequence of the current backlash is that more U.S. government funding would go to tools that don't provide full anonymity but that still allow to circumvent censorship in authoritarian states. These are the tools developed by the Falun Gong technologists who already enjoy vast support from various neocon interest groups in Washington.
This would be most unfortunate and would further alienate geeks from policymakers, as Falun Gong tools are less effective and, well, they don't provide much security at all. This would only further reveal the duplicitous nature of Washington's Internet Freedom Agenda: it will seem as if all they want to promote is the ability to break through China's firewall -- but not the ability to say and publish what one wants without attribution. Many people in the State Department are not very keen on the Falun Gong crowd either, so I can't imagine that they would be interested in highlighting such issues (and yes, I know that State Dept is not monolithic but getting into internal squabbling inside Foggy Bottom would add another page or two to this post!).
I hope to post more analysis soon! In the meantime, make sure to check my Twitter feed, where I do post occasional observations and share links about WikiLeaks.
Update #1: There is now a statement on Anonymous/DDoS posted on WikiLeaks' site. They distance themselves from the attack -- which is good -- but don't really say what they feel about it (which is not so good...)
Evgeny Morozov, originally from Belarus, is a visiting scholar at Stanford and a Schwartz Fellow at the New America Foundation.