Anonymous Indictment Raises Serious Question: Is It Really A CFAA Violation To DDoS A Website?

By Mike Masnik
TechDirt

Way back in the fall of 2010, we wrote about how it was a really dumb idea for people associating themselves with Anonymous to run a series of DDoS attacks, under the name “Operation Payback,” focused on the RIAA, MPAA, US Copyright Office and other websites. The attacks were protesting attempts to take down The Pirate Bay, as well as a variety of other complaints about general acts of copyright maximalism and copyright trolling. As we noted, such attacks do a lot more harm than good. Either way, the feds have finally gotten around to indicting thirteen individualsfor somehow participating in that fall spree of DDoS attacks. While the indictment tries to make it out like this is a big conspiracy, it’s unclear how connected some of the various attacks are, as it appears (as is frequently the case with Anonymous) that some individuals simply chose some sites to DDoS on their own and announced they were doing it as Anonymous. It’s difficult to see a conspiracy when there’s no real connection.

That said, there’s a much bigger question here. While DDoS attacks can be a nuisance, are they really criminal? In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest. In fact, some people arrested for DDoS attacks have been making this claim in court — and there was even a White House petition asking it to recognize DDoSing as a valid form of protest.

Instead, as the indictment shows, the feds are hitting these thirteen individuals with CFAA violations — the broad, troubling anti-hacking law that is regularly abused by the feds for any crime that involves a computer. In this case, the focus is on 1030(a)(5)(A) which targets people who:

… knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

But is a DDoS really “damage”? I can see how there’s a reasonable argument both for and against that. But I have trouble seeing how, as the feds claim, these DDoS attacks did more than $5,000 in damage to the various sites they took down. Furthermore, you can make an argument that these weren’t done “without authorization,” because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn’t there authorization? It’s just that the web server gets flooded.

Again, I’ll make clear that I think DDoS attacks are dumb, counterproductive and immature. But I have trouble seeing how they’re criminal acts, that could lead to five years in jail.

Also, there’s some oddities, in that one of the lawyers for one of the accused folks claims that he had been working out a settlement, which has now been “scuttled” by the indictment. I imagine that most of the accused will eventually come to some sort of plea bargain deal. The DOJ stacks the deck so that you’re often crazy not to plea your way out of these deals. And it’s unlikely that any of the individuals will appear particularly sympathetic for their alleged actions here. But I’m still quite troubled by the idea that these actions add up to that much in damage, and a computer hacking crime deserving of significant jail time.

Comments are closed.