The New Snowden Revelation Is Dangerous for Anonymous - And for All of Us
08 February 14
The latest Snowden-related revelation is that Britain's Government Communications Headquarters (GCHQ) proactively targeted the communications infrastructure used by the online activist collective known as Anonymous.
Specifically,
they implemented distributed denial-of-service (DDoS) attacks on the
internet relay chat (IRC) rooms used by Anonymous. They also implanted
malware to out the personal identity details of specific participants.
And while we only know for sure that the U.K.'s GCHQ and secret spy unit
known as the "Joint Threat Research Intelligence Group" (JTRIG)
launched these attacks in an operation called "Rolling Thunder," the
U.S.' NSA was likely aware of what they were doing because the British
intelligence agents presented their program interventions at the NSA
conference SIGDEV in 2012. (Not to mention the two agencies sharing close ties in general.)
Whether you agree with the activities of Anonymous
or not - which have included everything from supporting the Arab
Spring protests to DDoSing copyright organizations to doxing child
pornography site users - the salient point is that democratic
governments now seem to be using their very tactics against them.
The key difference, however, is that while those
involved in Anonymous can and have faced their day in court for those
tactics, the British government has not. When Anonymous engages in
lawbreaking, they are always taking a huge risk in doing so. But with
unlimited resources and no oversight, organizations like the GCHQ (and
theoretically the NSA) can do as they please. And it's this power
differential that makes all the difference.
There are many shades of gray around using
denial-of-service attacks as a protest tactic. Unlike a hack, which
involves accessing or damaging data, a DDoS attack renders a web page
inaccessible due to an excessive flood of traffic. As an anthropologist
who has studied hacker culture, hacktivism, and Anonymous in particular,
I struggled to find some black-and-white moral certitude for such
activities. But as one member of Anonymous told me: "Trying to find a
sure fire ethical defense for Anonymous DDoSing is going to twist you
into moral pretzels."
Judging the "moral pretzel" of DDoS attacks requires
understanding the nuances of how they are carried out, and DDoS attacks
tend to be problematic no matter what the motivation. Still, they've
been a worthwhile exercise in experimenting with a new form of protest
in an increasingly digital era. In the case of Anonymous, this form of
protest came about because
of the banking blockade against WikiLeaks. While the protest was rooted
in deceit (they used botnets and many of their participants did not
know that), it was certainly not destructive (especially since it was
leveled against a large organization that could withstand it). The whole point was to get media attention, which they did.
But here's the thing: You don't even need to believe
in or support DDoS as a protest tactic to find the latest Snowden
revelations troubling. There are clearly defined laws and processes that
a democratic government is supposed to follow. Yet here, the British
government is apparently throwing out due process and essentially
proceeding straight to the punishment - using a method that is
considered illegal and punishable by years in prison. Even if DDoS
attacks would do more damage upstream (than to IRC), it's a surprising
revelation.
The real concern here is a shotgun approach to justice
that sprays its punishment over thousands of people who are engaged in
their democratic right to protest simply because a small handful of
people committed digital vandalism. This is the kind of overreaction
that usually occurs when a government is trying to squash dissent; it's
not unlike what happens in other, more oppressive countries.
Since 2008, activists around the world have rallied
around the name 'Anonymous' to take collective action and voice
political discontent. The last two years in particular have been a
watershed moment in the history of hacktivism: Never before have so many
geeks and hackers wielded their keyboards for the sake of political
expression, dissent, and direct action.
Even though some Anonymous participants did engage in
actions that were illegal, the ensemble itself poses no threat to
national security. The GCHQ has no business infecting activists' systems
with malware and thwarting their communications. And if we're going to
prosecute activists and put them in jail for large amounts of time for
making a website unavailable for 10 minutes, then that same limitation
should apply to anyone who breaks the law - be they a hacker, our
next-door neighbor, or the GCHQ.
As it is, the small subset of Anonymous activists who
engaged in illegal civil disobedience face serious consequences. These
activists - on both sides of the Atlantic - are currently paying a
steep price for breaking the law, because the current form of the laws
under which they're charged (the Computer Misuse Act in the U.K., and the CFAA
in the U.S.) tend to mete out more excessive and often disproportionate
punishments compared to analogous offline ones. For instance, physical
tactics such as trespass or vandalism of property rarely result in
serious criminal consequences for participants and tend to be minor
civil infractions instead of federal crimes. Yet that same nuance -
which fundamentally recognizes the intention and the consequences of
such protest actions - is rarely extended to online activities.
Criminal punishments for such acts can stretch out to years, disrupt
lives, lead to felony charges on employment records, and result in
excessively high fines.
To put this in perspective: In Wisconsin alone a man
was fined for running an automated DDoS tool against the Koch Industries
website for 60 seconds. (He was protesting the billionaire Koch
brothers' role
in supporting the Wisconsin governor's effort to reduce the power of
unions and public employees' right to engage in collective bargaining.)
The actual financial losses were less than $5,000, but he was charged a fine of $183,000 - even though a far worse physical crime in the same state was only fined $6400.
In the U.K., Chris Weatherhead - who didn't directly
contribute to a DDoS campaign but ran the communication hub where the
protests were coordinated - received a whopping 18-month sentence.
This is even more time than was given to hackers who broke into computer
systems, stole data, and dumped it on the internet.
Based on these and other sentences
already handed out, it's clear that judges consider Anonymous' actions
to be serious and punishable. Scores of Anonymous hacktivists have
already been arrested or jailed.
Meanwhile, agencies like the GCHQ face no such risks,
deterrents, consequences, oversight, or accountability. This scenario is
all the more alarming given that some of Anonymous' actions may be
illegal and might warrant attention from some law enforcement agencies -
but do not even come close to constituting a terrorist threat. And
that means we're inching into the same territory as the dictatorial
regimes criticized by democratic governments for not respecting internet
freedoms.