How is MasterCard like the Greensboro Woolworth’s? The diffuse Internet group Anonymous would have you believe they are very alike.
In the past week, distributed denial of service (DDoS) attacks have been launched against MasterCard, Visa, and PayPal in the wake of their refusing to service payments to the controversial site WikiLeaks. DDoS attacks rely on “botnets” of compromised computers to overload a server with phony requests, interrupting the server’s ability to process real requests.
Anonymous, a self-styled cyberactivist movement (sometimes called “hacktivists”) best known for launching cyberattacks on the Church of Scientology, took credit for the attacks. Anonymous also claims to have launched attacks against the Swedish Prosecution Authority and the Swiss Post Bank, as well as an attack on Amazon that it claims to have aborted. (It is more likely that the attack on Amazon simply failed.) These recent attacks, says Anonymous, are retaliation against groups that have helped to suppress WikiLeaks.
These attacks are unique, however, in that Anonymous apparently supplemented its own DDoS capabilities with volunteers. Anonymous encouraged ordinary Internet users to download a program called the Low Orbit Ion Cannon (LOIC), which launches a small-scale denial-of-service-like request from the user’s machine, and use it at the same time Anonymous launched its own attacks. LOIC is available for download on computers and on the iPhone, and is even available through a JavaScript applet online. LOIC’s simplicity and availability allow anyone, even without any specialized computer knowledge, to participate in a DDoS with only a few clicks of the mouse.
The use of LOIC is probably only symbolic. There is no reason to believe that more than a few thousand people have actually used LOIC to help Anonymous. DDoS attacks typically require tens of thousands of machines or more to successfully disrupt a large-scale commercial site. The brunt of these DDoS attacks is probably coming from Anonymous’s own botnets (which have executed attacks of this scale in the past), with LOIC serving as a PR tool to create the appearance of a mass movement.
LOIC itself is not illegal. It was developed as a stress-testing tool for network managers and has legitimate diagnostic uses. A DDoS attack, however, will usually violate the Computer Fraud and Abuse Act (CFAA) and could, for a first conviction, carry a sentence of up to ten years imprisonment. Similar statutes exist in other countries, most notably the UK’s Computer Misuse Act.
The CFAA criminalizes not only compromising a computer, but also attempts and conspiracies to engage in such behavior. Therefore, any user participating in a DDoS attack using LOIC is probably guilty of violating the CFAA, no matter how ineffectual his individual contribution to the attack. A LOIC-supported attack might subject thousands of people who don’t properly know what a DDoS is, and who believe they are simply making a statement, to felony charges under the CFAA.
Anonymous released an open letter on Thursday titled A Letter from Anonymous: Our Message, Intentions, and Potential Targets, comparing itself to the Greensboro Four:
During the Civil Rights Movement in the 1960s, access to many businesses was blocked as a peaceful protest against segregation. . . We are using the LOIC to conduct distributed denial of service attacks against businesses that have aided in the censorship of any person. Our attacks do no damage to the computer hardware. We merely take up bandwidth and system resources like the seats at the Woolworth’s lunch counter.”
Anonymous’s appeal to history is seductive, but ultimately misleading. Civil disobedience – intentionally breaking the law as a form of protest – has a proud place in United States history, most notably during the Civil Rights protests. But Civil Rights protestors knew what they were doing and consciously decided to break the law. They volunteered to suffer the legal consequences of disobedience to serve as a symbol against systemic injustice. Many went willingly to jail to become the faces of equality.
The people using LOIC to help Anonymous are probably unaware that their actions are both felonious and easily traceable. Nowhere in its calls to action does Anonymous warn its supporters of the possible consequences.
Anonymous, unsurprisingly, refuses to identify its members. No member of Anonymous has ever volunteered to come forward. In public they wear Guy Fawkes masks and on the Internet they sign their posts “-Anonymous.” Rather than standing up in public to decry perceived injustice, Anonymous is putting unsuspecting citizens on the hook for its actions. Anonymous isn’t simply taking up seats at Woolworth’s; it’s approaching random Woolworth’s shoppers, asking “Hey, would you like to sit in on this protest?” and then running to hide in the bathroom when the police arrive.
It’s easy to mistake Anonymous for the good guys, but they’re wearing ski masks, not white hats. They are using the rhetoric of free speech to trick thousands into criminal behavior. Luckily, federal criminal law allows for accomplice liability. If Anonymous continues to hide its criminal behavior behind sympathetic citizens, federal prosecutors should be prepared to bring the full force of the CFAA – including accomplice liability for all the violations Anonymous induced others to commit using LOIC – against any members of Anonymous who are eventually identified and apprehended.
Update: BBC reports that five persons (including two minors) have been arrested in the United Kingdom for violation of the Computer Misuse Act in relation to these incidents.