The latest Snowden-related revelation is that Britain’s Government Communications Headquarters (GCHQ) proactively targeted the communications infrastructure used by the online activist collective known as Anonymous.
Specifically, they implemented distributed denial-of-service (DDoS) attacks on the internet relay chat (IRC) rooms used by Anonymous. They also implanted malware to out the personal identity details of specific participants. And while we only know for sure that the U.K.’s GCHQ and secret spy unit known as the “Joint Threat Research Intelligence Group” (JTRIG) launched these attacks in an operation called “Rolling Thunder,” the U.S.’ NSA was likely aware of what they were doing because the British intelligence agents presented their program interventions at the NSA conference SIGDEV in 2012. (Not to mention the two agencies sharing close ties in general.)
Whether you agree with the activities of Anonymous or not — which have included everything from supporting the Arab Spring protests to DDoSing copyright organizations to doxing child pornography site users — the salient point is that democratic governments now seem to be using their very tactics against them.
The key difference, however, is that while those involved in Anonymous can and have faced their day in court for those tactics, the British government has not. When Anonymous engages in lawbreaking, they are always taking a huge risk in doing so. But with unlimited resources and no oversight, organizations like the GCHQ (and theoretically the NSA) can do as they please. And it’s this power differential that makes all the difference.
There are many shades of gray around using denial-of-service attacks as a protest tactic. Unlike a hack, which involves accessing or damaging data, a DDoS attack renders a web page inaccessible due to an excessive flood of traffic. As an anthropologist who has studied hacker culture, hacktivism, and Anonymous in particular, I struggled to find some black-and-white moral certitude for such activities. But as one member of Anonymous told me: “Trying to find a sure fire ethical defense for Anonymous DDoSing is going to twist you into moral pretzels.”
Judging the “moral pretzel” of DDoS attacks requires understanding the nuances of how they are carried out, and DDoS attacks tend to be problematic no matter what the motivation. Still, they’ve been a worthwhile exercise in experimenting with a new form of protest in an increasingly digital era. In the case of Anonymous, this form of protest came about because of the banking blockade against WikiLeaks. While the protest was rooted in deceit (they used botnets and many of their participants did not know that), it was certainly not destructive (especially since it was leveled against a large organization that could withstand it). The whole point was to get media attention, which they did.
But here’s the thing: You don’t even need to believe in or support DDoS as a protest tactic to find the latest Snowden revelations troubling. There are clearly defined laws and processes that a democratic government is supposed to follow. Yet here, the British government is apparently throwing out due process and essentially proceeding straight to the punishment — using a method that is considered illegal and punishable by years in prison. Even if DDoS attacks would do more damage upstream (than to IRC), it’s a surprising revelation.
The real concern here is a shotgun approach to justice that sprays its punishment over thousands of people who are engaged in their democratic right to protest simply because a small handful of people committed digital vandalism. This is the kind of overreaction that usually occurs when a government is trying to squash dissent; it’s not unlike what happens in other, more oppressive countries.
Since 2008, activists around the world have rallied around the name ‘Anonymous’ to take collective action and voice political discontent. The last two years in particular have been a watershed moment in the history of hacktivism: Never before have so many geeks and hackers wielded their keyboards for the sake of political expression, dissent, and direct action.
Even though some Anonymous participants did engage in actions that were illegal, the ensemble itself poses no threat to national security. The GCHQ has no business infecting activists’ systems with malware and thwarting their communications. And if we’re going to prosecute activists and put them in jail for large amounts of time for making a website unavailable for 10 minutes, then that same limitation should apply to anyone who breaks the law — be they a hacker, our next door neighbor, or the GCHQ.
As it is, the small subset of Anonymous activists who engaged in illegal civil disobedience face serious consequences. These activists — on both sides of the Atlantic — are currently paying a steep price for breaking the law, because the current form of the laws under which they’re charged (the Computer Misuse Act in the U.K., and the CFAA in the U.S.) tend to mete out more excessive and often disproportionate punishments compared to analogous offline ones. For instance, physical tactics such as trespass or vandalism of property rarely result in serious criminal consequences for participants and tend to be minor civil infractions instead of federal crimes. Yet that same nuance — which fundamentally recognizes the intention and the consequences of such protest actions — is rarely extended to online activities. Criminal punishments for such acts can stretch out to years, disrupt lives, lead to felony charges on employment records, and result in excessively high fines.
To put this in perspective: In Wisconsin alone a man was fined for running an automated DDoS tool against the Koch Industries website for 60 seconds. (He was protesting the billionaire Koch brothers’ role in supporting the Wisconsin governor’s effort to reduce the power of unions and public employees’ right to engage in collective bargaining.) The actual financial losses were less than $5,000, but he was charged a fine of $183,000 — even though a far worse physical crime in the same state was only fined $6400.
In the U.K., Chris Weatherhead — who didn’t directly contribute to a DDoS campaign but ran the communication hub where the protests were coordinated — received a whopping 18-month sentence. This is even more time than was given to hackers who broke into computer systems, stole data, and dumped it on the internet.
Based on these and other sentences already handed out, it’s clear that judges consider Anonymous’ actions to be serious and punishable. Scores of Anonymous hacktivists have already been arrested or jailed.
Meanwhile, agencies like the GCHQ face no such risks, deterrents, consequences, oversight, or accountability. This scenario is all the more alarming given that some of Anonymous’ actions may be illegal and might warrant attention from some law enforcement agencies — but do not even come close to constituting a terrorist threat. And that means we’re inching into the same territory as the dictatorial regimes criticized by democratic governments for not respecting internet freedoms.