I am still trying to untangle the numerous moral complexities involved in DDoS attacks. Two arguments stand out in particular.
First - and I briefly touched upon this subject in my previous post - some Internet experts fear that participating in DDoS attacks, even if one has morally justifiable reasons for doing so, might make DDoS a more acceptable form of silencing dissent. As such, anyone participating in DDoS – even if they have perfectly good reasons for doing so – should first consider the indirect consequences of popularizing DDoS as a tactic. (I have written about DDoS as a new censorship mechanism on numerous occasions – see, for example, the story of the Georgian blogger Cyxymu.)
Let's leave philosophy aside for a moment and just use some common sense. Would we advise anyone participating in lunch-counter sit-ins during the civil rights era not to do it because it may popularize sit-ins as a tactic that might be abused by all sorts of crazy people and criminals? I don't think so: just because one can organize a sit-in to block an entrance to the offices of ACLU to protest their defense of civil liberties would hardly be a factor in deciding whether to block an entrance to the offices of the Department of Defense to protest a war.
Why is DDoS different? Arguably, physical civil disobedience is often much easier to conduct than its virtual counterpart: having 100 people show up and block entrance to Amazon's offices, on average, is far more effective than having the same 100 people launch DDoS attacks on its web-site. Sure, there are oddballs like Jester, who claims to have taken the entire WikiLeaks with a solo DoS attack; but such people are not exactly missing from the offline domain. Cindy Sheehan has been quite effective acting solo - is it a reason to impose a moratorium on acts of civil disobedience? I don't think so.
I think that those who worry about the adverse effects of popularizing DDoS as a tactic misunderstand what civil disobedience is (moreover, I'm not sure they understand the distinction between its direct and indirect varieties). Civil disobedience involves breaches of law by definition; anyone lamenting the popularization of DDoS as a tactic is only lamenting the fact that those practicing it would violate the rule of law. But what such critics do not seem to understand is that for a breach of law to count as civil disobedience its perpetrators should be willing to accept the consequences, get arrested and serve jail time if this if what the law demands. Submitting oneself to the rule of law after breaching it is the compensatory act that makes such acts morally permissible.
Those who oppose DDoS on the grounds that it will popularize DDos as a tactic are essentially saying: don't breach the rule of law because it would lead others to breach the rule of law. Note that such a position leaves no space to comment on whether the laws that are being breached are unjust to begin with or, in case the laws are, indeed, just, whether violating them may be a morally permissible way to right other wrongs (i.e. engage indirect civil disobedience).
Frankly, I think this is a morally impotent position – and those who advocate it need to spend more time thinking about ways to resolve competing moral claims than about the costs of server administration. Is it really obvious that a bunch of environmental activists in Russia should not launch DDoS attacks on the web-site of a company engaged in illegal deforestation just because it may result in more DDoS attacks on the web-sites of independent newspapers in Burma? It's not that obvious to me – and I'd like to see the experts who condemn DDoS engage in some rigorous (and preferrably public) ethical calculus before making such loud pronouncements.
The second brief point that I'd like to address is this: many liberal democracies are extremely lenient when it comes to allowing their citizens to organize protests and demonstrations. As someone who comes from Belarus, where protests are few and far in between, this is one feature of democratic societies I find extremely attractive.
I've lived in Berlin's Kreuzberg neighborhood - and I have seen a plenty of spontaneous demonstrations, some of them not particularly peaceful and many involving broken windows and the like. I don't see why the German state should be any less lenient when it comes to allowing its citizens to protest in cyberspace than they are in allowing them to riot on Oranienstrasse. Such considerations, as far as I understand, were part of the reasoning of the German court in the Lufthansa case.
What I find amusing about the present situation is that the same people who often lament the fact that the Iranian government denies freedom of assembly to the Green movement almost reveal themselves as crypto-conservatives when they are forced to think about the digital equivalent of protests and demonstrations in democratic societies. So, those opposing authoritarian governments should feel free to protest anytime they want – but those who want to protest Amazon should be careful and ask for permissions and all that?Does anyone else smell hypocrisy here?
While the exact conditions differ from country to country, I am pretty sure that most liberal democracies do permit unconditional protests as long as the protesters do not cause serious public disorder and do not seriously disrupt the life of the community. Even if the protests are organized on private rather than public property, trespassing is not always viewed as a criminal offense (unless, of course, it is aggravated trespassing, with lots of disruption/damages, in which case it is often criminalized). Don't they teach such basic stuff at Harvard Law School?
True, we don't yet have a neat theoretical framework to translate the norms surrounding the criminalization of trespassing (or lack thereof) in the physical world into the digital domain. What I do know is that I don't want a blanket ban on anything that involves groups of people seeking to protest an activity that they find unjust simply because it occurs on the Internet. Even more so in the case of protesting the actions of technology companies, who, unlike conventional factories and plants, bury all their infrastructure underground, where it's unreachable to those who may otherwise choose to protest in the physical space. How do you disrupt Amazon's business in the real world anyway? I know how to do it with, say, a Ford factory; I'm not sure how to do it with a data center.
Anyone arguing against DDoS on the grounds that it may have some undesired secondary consequences is implying that some basic human rights do not apply online. I find this unacceptable. And by the way, I think that the current laws that criminalize DDoS in liberal democracies – some with up to 10 years in prison – are in for some major revision as well. No one blocking access to a physical building or even tinkering with some corporate infrastructure without causing it much damage would receive 10 years in jail. This doesn't mean we need to de-criminalize DDoS altogether but I think that we do need to think about proportionality here.
What bothers me even more is that the leading brains working on DDoS – especially the folks at the Berkman center – are once again not particularly vocal in this debate. A few months ago, I pointed out that they were conspicuously silent on the Haystack issue; their excuse then was that they were working on a report about circumvention tools and felt like they shouldn't weigh in on a tool they haven't tested.
Now they are also working on a report about DDoS attacks – and once again, there is nearly complete silence from their end, not counting a comment that Ethan Zuckermand left on Deanna Zandt's blog and a handful of tweets and retweets. Perhaps, if it distracts them from participating in some of the most fundamental debates taking place online today, they should take it easy on all this report-writing.
I am absolutely serious about this, as I happen too believe that too much coyness and pragmatism by the leading minds working on Internet issues is what has allowed the US government to behave as recklessly as they have towards the Internet in the last few weeks. But perhaps we'll read all about this in a report next year.
Update #1: I think many people misunderstand the reason why I'm engaging in this debate about DDoS attacks as acts of civil disobedience. This is not to debate the effectiveness of this tactic nor is it to understand whether it fits (or defies) the charge of "slacktivism". I think that hundreds of people who have participated in such attacks risk getting arrested - and some have been arrested already.
If some of them were acting on the assumption that their actions were fully public and that they were ready to get arrested, I think we should honor their willingness to go to jail for launching attacks on companies that behaved in a very cowardly fashion. (By the way, one of the two teeanagers arrested in the Netherlands for launching these DDoS attacks said as much - he chose not to disclose his online identity precisely to make a public statement about WikiLeaks and suffer the consequences).