When digital agitators intentionally overload an opponent's website with a distributed denial of service attack, or DDoS, it’s a crime with sentences akin to manslaughter. To Molly Sauter, the punishment doesn’t fit the crime. In her new book, “The Coming Swarm,” Sauter explores the case of 14 members of Anonymous who shut down PayPal’s blog to protest the company cutting ties with WikiLeaks. They each faced up to 15 years in prison and $500,000 fines. Had they formed a human chain to shut down PayPal’s headquarters instead, the maximum penalty would have been six months in jail and a $1,000 fine for trespassing.
Sauter argues that political DDoS should be treated as a legitimate form of protest and not result in felony convictions. Passcode spoke with her about the ethics, limits, and philosophies of DDoS as activism.
Edited excerpts follow.
Passcode: DDoS attacks can be destructive, knocking sites offline for extended periods of time and causing tens of thousands of dollars in damage. When you say DDoS is a legitimate form of protest, does that mean you’re giving protesters free rein to do substantial damage?
MS: There should be a legal, social, and cultural recognition that this can be a valid form of political activism. Disruptive activism — not just DDoS attacks, but real life activism, too — becomes a necessary part of a healthy democracy when it’s used by people who have no other way to make their points heard, people who have been systematically denied what we would consider mainstream political participation. And that the legal, social, and cultural political costs of this tactic should be made much more equivalent to standard penalties for participating in disruptive activism offline, which are things like getting charged with trespassing or disturbing the peace. Or often getting arrested and released, not getting charged with anything.
My idea is that these penalties that are attached to computer-based disruptive activism, including DDoS, have a chilling effect on speech and political action, because they’re so extreme. And this is preventing people from participating in certain zones of activism that might be most appealing. If you’re fighting an online event, doing your protest where that structure of power is could be the most effective way to express those views.
Passcode: So, when the “event” is PayPal cutting ties with WikiLeaks, the “structure of power” protesters might find most appealing is the website everyone thinks of and engages with as PayPal rather than the corporate headquarters?
MS: Exactly. And this — this point has been made in offline activism as well. There’ve been a couple of attempts to only allow protests at the national Democratic and Republican conventions in free speech zones that are usually hundreds of yards away from where the convention is happening. And the attempts to establish a political free speech zone far from the convention itself were overturned by [the Massachusetts] Supreme Court, which said that this is actively interfering with the free speech right of protesters, for whom it was invaluable.
Passcode: A major difference between accepted offline protests and using a denial of service is that people who sit-in are physically present and put themselves in jeopardy. The most prominent use of DDoS was carried out by a group literally called Anonymous. Does anonymity matter?
MS: I don’t think anonymity is a bad thing. It’s disingenuous on the part of people in power to demand that people who are not in power put themselves in jeopardy in order to participate in an action. What you’re doing is restricting the core people who can participate in this type of activism to people who have nothing to lose. If you’re a single parent with two jobs, two kids, and you’re also taking night classes, you have a lot to lose. What I would prefer is to open up the pool of participation as wide as possible, to as many people as possible. By saying that there should be a cost for the expression of dissent, you’re taking so many people out of the equation of politics in this country.
Passcode: One of the most interesting parts of the book is how much older denial of service protests are than many people are aware of — it was a tactic used to protest French nuclear testing two decades ago. But you also point out that, while the tactic is similar, the philosophy behind it has changed.
MS: The classic holding-up-signs-on-the-street activism is a one-voice, one-lobby concept. In street activism, no matter how hard you try, there’s always just going to be one of you. You can be with a bunch of your friends, but you can’t be in two places at once. You can make a commitment with the resource of your body to show up at a place, and do a thing. Early DDoS practitioners, like the Electronic Disturbance Theater supporting Mexican Zapatistas, were very attached to that sit-in metaphor. They were very invested in the one-voice, one-body, one stream of signals relationship. And so, they weren’t interested in the affordances that technology could provide them, like multiple streams of signals, or multiplying traffic, or creating the modern structures that enable people to participate in a DDoS action with their computer and have their body be off doing something else – participating in additional protest action or just out walking their dog.
That shift is one of the primary contributions Anonymous has made toward development of this tactic, fully embracing those modifications. LOIC [the commonly-used Low Orbit Ion Cannon software] allows people to not sit in front of their computer for the entire duration of the action. It also added to the use of botnets, which can be legal, volunteer-based botnets, or illicit, nonvolunteer-based botnets.
Passcode: Do nonvolunteer botnets fit in with your idea of a legitimate protest?
MS: No, it’s not an ethical way to protest. Use of someone else's resources without their permission to make a political statement is just a huge ethical problem.
Passcode: Then what about, say, a small Internet service provider? A DDoS potentially overloads anything that takes all that traffic to the end target.
MS: Small ISPs have a much more substantial chance of being significantly negatively affected by these types of actions, especially economically. Having downtime that affects other clients, just in terms of negative externalities, they will suffer more. However, there are usually negative externalities for disruptive actions. If you sit down in the middle of the street with all of your friends to protest the Iraq war, and block traffic, there are going to be negative externalities. There’s going to be people who can’t make it to work, or who are going to be late for work. You could have an ambulance that needs to get through. So, I would encourage people to understand that debates about negative externalities and quote-unquote “collateral damage,” are debates that activists deal with a lot of the time. These are questions that regularly come up when planning these types of actions.
[Editor's note: Due to an error in transcription, the original version of this interview mistakenly used the word "destructive" when it should have used "disruptive." Ms. Sauter characterized DDoS attacks as disruptive actions, not destructive.]