The WikiLeaks controversy has opened up one of the most complicated intersections of politics and the Internet that we’ve seen in a while. One particularly interesting development has been the launch of attacks against companies and politicians perceived to be foes of WikiLeaks, by a loose group of online activists called Anonymous.
At the Personal Democracy Forum’s symposium on Wikileaks over the weekend, organizer and blogger Noel Hidalgo put forth an idea that divided the room pretty quickly: that the distributed denial-of-service (DDoS) attacks are a legitimate form of civil disobedience.
A quick lesson on DDoS for the unfamiliar: a group of people gets together and decides to render a website unusable. They do this by flooding the website’s server with so many requests that the server gets overloaded and either slows down, or stops responding altogether. A big important point: this is not hacking. “Hacking” generally applies to incidents where systems are actually broken into and data is compromised. DDoS doesn’t do this.
Anonymous (more on them in a second) decided to render, among others, Mastercard’s website unusable. This does not mean that credit card data was stolen, or that people were unable to use their Mastercards for purchases. It means that if you went to Mastercard.com, you got a message that the website was unavailable.
So, the question: is this a legitimate form of civil disobedience?
The first sentence of the civil disobedience entry in Wikipedia reads, “Civil disobedience is the active, professed refusal to obey certain laws, demands, and commands of a government, or of an occupying international power.” After that, all bets are off on what you consider the term to mean. It’s generally accepted in the US to mean an organized, non-violent way of protesting or expressing extreme displeasure with a situation. I’m certainly open to hearing others’ definitions, here -- this is as concisely as I can nail my own understanding.
The next part of this question is to look at the word “legitimate.” Legitimate doesn’t always mean legal; in fact, most of the time, it doesn’t have much to do with law at all. I want to clarify this because it also explains how I approach politics. As I said in my talk at PdF this year:
Let’s be clear about what politics are. “Politics” is not just about candidates, elections, and ballot initiatives. Politics is the art and science of influencing or changing any kind of power relationship: the cultural norms by which we act; the laws that govern us; the expectations we experience based on our gender, race, class, sexuality, abilities, and more. When I talk about political work, I’m talking about challenging and radically redefining those power relationships.
Because “legitimate” is so much more than laws, in the same way that politics is more than government, I use the term to mean “justifiable,” or otherwise “acceptable.”
To be clear, most DDoS attacks are rarely explicitly politically motivated; the people that commit them are often just in it for the lulz. (In other words, in it for kicks ‘n’ giggles.) Those folks, typical of Anonymous’ membership, are what I call “chaos enthusiasts.” They want to cause disruption for its own sake, and love watching the theater and drama of an attack play out. When politics do become involved, other tactics are often added to the DDoS attacks, and aren’t what I’d consider OK within the realm of protest vs. power. Friends, clients and colleagues have been the victim of this end Anonymous’ work in the past -- particularly my feminist cohorts have experienced their brutal misogyny.
When we face issues of free speech on the Net, we’re confronted with a severe reality in the harshest moments: we consider this here to be public space, but in reality it’s owned and operated by private companies. There is currently no set of accepted standards that say we have a set of rights online. (Though many have tried -- Katrin Verclas referred us to a very short history of Internet rights, for example.)
Several corporations bowed to political pressure and cut off services to Wikileaks. It has not yet been proven that the organization broke any laws, but Paypal, Mastercard and others decided to stop allowing citizens to show their support for the organization by giving them money. This is a clear violation of limiting a form of speech -- the Supreme Court ruled this year that political donations are a form of free speech, at least when corporations are doing the donating. To me, this was the first volley in this theater of battle. It angered me, and a whole lot of other people, clearly. I’ve been told that in Germany, where the citizenry are notoriously suspicious of technology, privacy and politics, the federal courts there have labeled DDoS a form of free speech.
Thus, in response, Anonymous launched a DDoS attack against the websites of the companies that took away people’s rights to support a political organization. Many, myself included, consider DDoS in this context to be much like a sit-in in the offline world. The point of a sit-in is to render a building/room/service unusable for a temporary period of time. Sit-ins aren’t “legal” -- you get arrested, and most activists who participate in them know this ahead of time and prepare for it. (At the event, I was asked what happens after arrest; most of the time, it’s a misdemeanor charge, and you’re issued an ACD.)
No permanent damage is done in a DDoS attack. This is particularly important to note when discussing DDoS as a political tool. It’s the difference between participating in a die-in at an embassy, for example, and smashing the windows of an embassy. As with any other form of activism, it shouldn’t be the only prong in a campaign strategy, and shouldn’t be used in every campaign.
Many at the forum disagree vehemently with this line of thinking: from what I understand, the argument is that “attacking the network does everyone a disservice.” I understand this and see the nobility it tries to bring; I was pointed to a quote from 2000 by Cult of the Dead Cow opposing early political DoS attacks -- “One does not make a better point in a public forum by shouting down one’s opponent.” However, I disagree in cases where we are dealing with powerful corporations who do not respond to traditional forms of protest. I also believe it is, in cases against corporate abuse of power, a way to get direct media attention for a cause.
Noel asked what I’d ask people who disagree with me: how do I digitally throw myself in front of a tank? What we do online often runs the risk of slacktivism. For example, I’m surprised at how many people rallied around last weekend’s “change your Facebook picture to a cartoon character to raise awareness about child abuse.” Really? This is the innovation we’re coming up with? What does a picture-swap do except make us feel chummy with each other?*
We -- tech activists and politically-minded folk, especially in the US -- bring a tremendous amount of privilege to the table. We have the ability and freedom to risk ourselves for the benefit of many who do not. So with that in mind, we’re using our privilege to poo-poo the temporary disabling of a giant corporate website, while looking for just the right shot of Mickey Mouse? Power dynamics matter. There is a reason that David and Goliath is such a powerful story in Western culture.
Perhaps what some people are afraid of is that giving a stamp of approval to DDoS as a political tool makes it okay for their political enemies to do the same. What’s to stop the CIA, or Iran’s government ops, or whomever to do the same to sites we believe in and support? Again, I understand, but I maintain another angle on the slippery-slope fears: I fear cataloging DDoS as illegitimate will ultimately prevent other forms of digital activism from being used, or even from being able to be used. There’s a nicely nuanced post about DDoS from the Iranian protest period of 2009 that discusses pros and cons, vis a vis the “we don’t want to stoop to the enemy’s level” argument.
The last point of discussion I want to bring up is one of accountability -- over on Twitter, Ben Greenberg made this point: “I question actions that are not accountable to a community or to the other side. How is that ‘civil’ disobedience?” Well, I think Anonymous certainly is accountable to itself, with its own set of wacky mores and rules. In a case like this, who else do they need to be accountable to? Maybe I’m misunderstanding the question, which is why I wanted to take this part beyond the 140-character limit. An anti-war group that sits-in at a recruiting station is accountable to whom? Themselves, certainly. Are they accountable to the entire rest of the anti-war movement? The opposing side, in this case, the military or the police, can hold them accountable by arresting them. In the case of DDoS, that’s not as easy, but still quite possible. (Especially when the publicly released tool to propel the DDoS on Wikileaks’ detractors didn’t disguise IP addresses.)
Nonetheless, anonymity is mainstay of DDoS, and this could be the sticking point for many as to whether it’s considered “civil.” My friend Arthur said, “Anonymity is generally not accepted as civil disobedience- that is not a bad thing, it’s just a different category. Civil disobedience uses the spectacle of the citizen confronting the mechanisms of the state to create its power. I don’t think denial of service attacks are comparable in that regard.” What if members of a DDoS attack volunteered their names? Would that change how people who currently disagree with the tactic feel?
Ultimately, I’m far more fearful of (and angered by) corporate reactions to politically sticky situations, and what we’re going to be doing to aid people I buy Internet services from in protecting me against politically-motivated squelching, and how we’ll stop those companies that seek to do it anyways. Until we have clear, strong protection globally, I have few to no issues with using many of the tools at our disposal.