After I found one of my earlier FP blog posts quoted in an Anonymous press-release, I thought that I needed to clarify my position. Here is my piece for Slate where I attempt to do just that. (Warning: some light political philosophy ahead).
The crux of my argument is that there are certain conditions, which, if met, could make DDoS attacks a form of civil disobedience. However, the case of Anonymous doesn't meet all of them, mostly because the Anonymous attackers don't want to take legal responsibility for their actions.
The part of my original blog post quoted in the press-release -- the one that mentioned DDoS as a "legitimate expression of dissent" -- is not at all ambiguous: what I was suggesting is that the actions of Anonymous would not be interpreted as such by the U.S. media/political circles and may thus result in more control over the Internet by the governments and complete de-legitimization of DDoS attacks as civil disobedience. So I was surprised that Anonymous took those words somewhat out of context and used them to imply that I actually viewed their acts as "legitimate"; I did not. This, however, does not mean that I view all DDoS attacks as illegitimate!
So let me just repeat this once again:
1. To understand whether DDoS attacks can be viewed as civil disobedience, we need to examine the context in which they occur.
2. As far as I can judge the context of the Anonymous case, they failed the test (for more on the specifics of the test, see my Slate piece; I rely on John Rawls's views on civil disobedience in his A Theory of Justice).
3. Operation Payback and its successors may, indeed, harm the causes of Internet freedom but this is NOT what makes them illegitimate.
There is a vibrant debate about DDoS as a legitimate expression of dissent in the blogosphere -- see this excellent summary of positions at TechPresident and this blog post by Deanna Zandt. There is an interesting comment by Ethan Zuckerman in response to Deanna's original blog post that I would like to examine a bit more closely.
In short, Ethan is arguing that DDoS attacks are increasingly used to silence independent publishers; they don't have the same resources as MasterCard or PayPal to deal with them; as a result, for them DDoS causes real rather than just temporary damage; Operation Payback has given DDoS as-a-silencing-tactic a lot of PR; and, finally -- and I am really putting words into Ethan's mouth here -- Anonymous and others should consider the consequences of their actions for others.
As much as I would like to agree with Ethan, I am not sure I am buying the (rather implicit) prescriptive part of his argument. First, it seems to conflate the issues of legitimacy and efficacy -- something that I explicitly caution against in my Slate piece. I'm strongly opposed to making efficacy a factor in evaluating the morality of particular DDoS attacks, not least because efficacy is too fickle of a concept and tends to undervalue the deterrence value of civil disobedience.
How do we know that the reason why Facebook and Twitter still have not removed WikiLeaks' account was not because they feared DDoS retaliation from Anonymous? Of course, it's much easier to measure the costs -- greater crackdown on the Internet, more NSA types in 4chan chatrooms, etc -- but it's not so easy to measure the benefits; will PayPal be as forceful in freezing the funds when it comes to the next WikiLeaks? We simply don't know -- but I'd venture to suggest that the attacks have probably had some impact on corporate decision-making.
This is not to suggest that we shouldn't try to assess the efficacy of DDoS but only to suggest that tying it to legitimacy seems misguided. That an entity like Anonymous has a good moral reason to act on something does not mean that they should necessarily act on it. In the end, it all boils down to good judgment -- and this is where wise Internet intellectuals should step in and theorize about potential fall-outs, crackdowns and what not, so that any of us can make the right (for us) call on whether to join the DDoS effort.
The other thing that bothers me about Ethan's comment is that it doesn't really make an effort to reconcile my right to protest injustice by engaging in acts of civil disobedience (forget Anonymous, we are talking abstract DDoS which doesn't fail the test) with some independent web-site's right to publish what they want and when they want online. (Remember: the theory at play here is that as DDoS gets popular/mainstream, this would result in more attacks across the board, thus having a very negative impact on independent/poor publishers).
Is it really always the case that I shouldn't engage in DDoS to right some moral wrongs just because this may potentially make it harder for some third-party to conduct their affairs? I can think of conditions when this would be the case -- but critics of DDoS as civil disobedience need to spell out those conditions in great detail before they assume a particular resolution of competing claims. I can, for example, also think of conditions where my right to protest an injustice might trump a third-party's right to publish.
Otherwise, we end up with very simplistic moral and ethical frameworks where all attacks are presumed to be good or bad simply because of the intrinsic qualities of DDoS. This is an outlook that I reject as technology-centrism (in The Net Delusion, I am actually very critical of a similar tendency in "Internet freedom studies," where the assumptions about the Internet's inner logic seem to outweigh the assumptions about the context in which it manifests itself).
Unfortunately, I can't sign up to Ethan's call -- "Just don't give moral and ethical air cover to the bastards who are using DDoS to silence sites for whom a DDoS is a shut down, not a sit in" because "giving moral and ethical cover to bastards" is often the unfortunate result of allowing those who are NOT bastards to act in morally justifiable ways (as opposed to ways recommended by the estimable Berkman Center).
Until we hear some cogent arguments as to why the possibility of digital shutdowns should always prevent us from participating in digital sit-ins, I would like to urge more caution on this subject. My own guess is that these arguments would never work in the abstract and would still need to be evaluated on a case-by-case basis in the particular contexts they are set in. Which, to return to my original post, was my whole point: we shouldn't prejudge DDoS to be "good" or "bad" simply because it's illegal or because it is "DDoS."
p.s. plenty of folks -- check comments to Deanna Zandt's post -- suggest that there are better, more constructive ways to express one's solidarity with WikiLeaks or one's indignation with the companies that dumped it. Sure, there are. However, most of the "constructive" activities mentioned in the comments are fully legal and thus do not meet the definition of "civil disobedience," which presumes a breach of law. So, once again, this is the question of efficacy, not legitimacy.