
Systems Research and Behavioral Science
Syst. Res. 22, 565–570 (2005)
DOI: 10.1002/sres.625

Notes and Insights

Legal Considerations for Cyber-Activism

David W. Gresty*, Mark J. Taylor and Janet Lunn

Information Systems Group, School of Computing and Mathematical Science, Liverpool John Moores University, Liverpool, UK

INTRODUCTION

Weber et al. (2003) suggest that 33.8% of surveyed US citizens have sent a letter to their political representative. The capacity for the Internet to improve this level of engagement, be it through electronic voting systems, material presented on websites, online forums or e-mail campaigns, is clearly a benefit to politically active citizens and consequently the political representatives.

Any technology can, however, be technologically misused, and even improved security for the Internet has not prevented numerous incidents of website defacements such as those archived at attrition.org (Attrition, 2004); a long line of network ‘worms’ such as Lovebug, the recent SQLSlammer and MS Blaster; many large and well-established entities on the Internet were subject to a mass distributed Denial of Service by use of a ‘Tribe Flood Network’ attack in February 2000, with the effect of taking many of these entities off the Internet for several hours.

Currently no definitive definition of Denial of Service is available, but most frequently the term is used within the Internet research community to describe a situation where an attacker causes the victim to waste resources servicing irrelevant requests and as such the victim is too busy to service legitimate requests. The joint Computer Security Institute and Federal Bureau of Investigation (CSI/FBI) 2003 survey on Computer Crime and Security (CSI, 2003) identified that incidents of Denial of Service have been steadily increasing over the last five years; 42% of respondents to the survey reported having suffered from a Denial of Service incident in 2003, which was a steady increase of 15% from the 27% of respondents who reported to the 2000 survey. The average cost from this survey for a Denial of Service incident within the USA was $1,427,028, with an overall total of approximately $65.6 million for the 2003 period (an increase of $47.2 million in a 12-month period). The majority of the other losses reported in the CSI/FBI report are well-understood offences such as theft of laptops, and viral and insider abuses of networks, which are criminal offences in the UK under such acts as the Theft Act 1968 (TA, 1968) and the Computer Misuse Act 1990 (CMA, 1990) respectively.

The purely commercial problem with Denial of Service is the financial losses incurred recovering from the incident, the potential loss of revenue from customers that fail to engage with a service provider and the potential loss to corporate ‘brand’ should knowledge of the incident enter the public domain.

If, however, a government were to use some form of ‘electronic engagement’, for example a secure electronic voting system to solicit ballot information from the voting population, the potential financial loss caused by a Denial of Service incident could be quite minimal; however, the legal and procedural ramifications of people being unable to cast their votes would be tremendous. What happens, however, if 1000 people or 10,000 people send the same e-mail to a political representative at once? Is this a legitimate form of protest, or considering the fact that anyone organizing such action must be aware that it will cause significant congestion—possibly to the point of failure—is this action a Denial of Service attack and as such subject to the punitive measures to be contained in recent and upcoming legislation?

Copyright © 2005 John Wiley & Sons, Ltd.

*Correspondence to: David W. Gresty, Information Systems Group, School of Computing and Mathematical Science, Liverpool John Moores University, Liverpool, L3 3AF, UK. E-mail: [email protected]

A brief review of some of the attitudes within the Internet-enabled activist community is presented in the next section. The third section looks at some of the considerations for legislation to address Denial of Service, while not restricting and criminalizing certain forms of activism. The fourth section presents some considerations for Internet-enabled citizens. The paper concludes with references.

E-ACTIVISM

A measure of the standing of a governing body could be how it responds to criticism. Certainly the response to protest is often the decisive factor within the media concerning the use of the term ‘regime’, as opposed to ‘government’.

To investigate the types of electronic activism and their ramifications, first a brief parallel must be drawn with traditional forms of activism, or at least public protest. The parallel to these conventional practices can indicate a way forward—or at least a route for further research can be identified.

A balance exists between freedom of speech or expression and the need to ensure public order is maintained within the conventional environment, for example a crowded high street. Within the UK a common law exists that empowers all citizens with the authority and responsibility to maintain public order. The Public Order Act 1986 (POA, 1986) presents offences for unacceptable behaviour (e.g. what constitutes abusive behaviour, racially motivated harassment). In contrast to that, within the Internet a ‘common law’ of sorts does exist in the guise of ‘netiquette’ (Shea, 1996) principles. Netiquette does place an onus of acceptable behaviour onto each participant of the Internet, but this is not comprehensive, by no means constitutes law or a regulatory requirement and does not stop people pushing the boundaries of acceptability to promote their agenda.

Denning (1999) has described electronically enabled activism as ‘normal, non-disruptive use of the Internet in support of an agenda or cause’ and hacktivism as ‘the marriage of hacking and activism. It covers operations that use hacking techniques against a target’s Internet site with the intent of disrupting normal operations but not causing serious damage.’ Denning therefore sees the Internet as an enabler of traditional activism with the use of e-mail and websites; however, using techniques such as the ‘cyber sit-in’ and the ‘computer virus’ are seen as hacktivism.

Within the hacktivist community—if it can in fact be said to be a community—there is a slightly different classification scheme:

* There is still activism enabled by modern technological advances.

* Electronic direct action (EDA) directly translates to Denning’s classification of ‘hacktivism’ as it involves the intent to disrupt normal operations.

* Finally there is the use of modern technology to circumvent a problem and, in doing so, raise awareness of the problem.

The final classification is the ideological view of hacktivism: the natural result of the hackers’ call to arms in the Hacker Manifesto (The Mentor, 1986; analysed in Furnell et al., 1999) or the statement of intent from Hacktivismo.com (Oxblood Ruffin, 2002a). There is the usual debate at this point about what makes a ‘hacker’ (Himanen, 2001) and is it fair to describe the people that intentionally violate computer systems as ‘hackers’ (they are usually known as ‘crackers’ within the computer security community)? It is a reasonable proposition then to refer to all flavours of electronic activist as e-activists, and to differentiate between the EDA and the hacktivist.

This classification scheme, although reasonably adequate to show the differences in attitudes and methods for the ‘e-activist’, fails to identify a level of acceptability. In the conventional world it is perfectly acceptable for half a million people to organize a march through the streets of a major capital city to protest about war if the authorities are notified in advance, despite the fact that all the retail outlets would suffer loss of business during the protest. Similarly, if half a million people were to organize simultaneous attempts to log-on to a number of merchants’ websites then this would almost certainly be considered unacceptable. In the second example there is no central authority to inform to ensure things are managed, acceptable and that there is a suitable route to support the throughput.

The basic hacktivist form of expression at the moment is the attempt to circumvent technological restrictions placed upon Internet usage on citizens of countries that are being enforced, in the words of the hacktivists, by ‘totalitarian governments’. This may seem perfectly acceptable (in some cases quite desirable) but again there is the issue that what is perfectly acceptable to some certainly is not acceptable to the ‘totalitarian governments’. As the Hacker Manifesto calls for complete unfettered access to information it is difficult to imagine any form of control that would not be subject to circumvention by this ideology, as such moderate liberal institutions would also be subject to hacktivist activity eventually.

Any legislative attempt to discourage and deter the ideological hacktivist or activist seeking exposure for their cause by using EDA is likely also, due to an imprecision or even rapidly changing technological environment, to restrict what should be a desirable situation of engagement between governments and citizens. From this brief study it is apparent that certain people, due to ideology or inclination, will always attempt to circumvent the law, and such law must always seek to preserve the rights and liberty of those that genuinely seek to act within the law rather than broadly criminalize.

LEGAL ISSUES

Despite attempts to classify ‘Denial of Service’ (e.g. Gresty et al., 2000) and the understanding that it has always been a concern within computer misuse legislation, such as was outlined in the Scottish Law Commission’s report (SLC, 1986), it is not a well-understood problem and there has been little satisfactory progress made to legally address this problem.

Within the UK there was in 2002 a Private Member’s Bill (CMHL, 2002) that sought to amend the Computer Misuse Act 1990 (CMA, 1990) to meet the modern challenge of Denial of Service incidents. This proposed Bill did not become law and critics later suggested that it had only been put forward to stimulate debate, despite the fact that the forum that this was proposed in may have made it criminal law. The Bill proposed the following amendment:

3A Denial of Service Attacks

(1) A person is guilty of an offence if without authorisation he does any act

(a) which causes; or
(b) intends to cause,

directly or indirectly, a degradation, failure, or other impairment of function of a computerised system or part thereof.

(2) A person is guilty of the offence in subsection (1)(a) even if the act was not intended to cause such an effect, providing that a reasonable person could have anticipated that the act would have caused such an effect.

There is also a third subsection to ensure that the attack is unauthorised.

Subsection (2) is interesting, as it requires the judgement of ‘a reasonable person’ to anticipate the effect. The requirement to anticipate reasonable effect is not unusual within UK legislation. This requirement pushes an onus of judgement onto the ‘attacker’; the attackers must ask themselves ‘Is what I am about to do likely to cause a degradation, failure, or other impairment of function?’ This onus of judgement has a profound impact on trying to determine when perfectly legitimate activism becomes intentional Electronic Direct Action, which has been highlighted earlier as most likely undesirable.

Within the USA at the state level, recent legislation on computer crime has effectively incorporated traditional unauthorized access and fraud with Denial of Service issues. Conley and Bryan (1999) very succinctly provide a summary of relevant statutes within the USA. A notable example of this state legislation is Connecticut’s sections 53a–251(d), which prohibits unauthorized and intentional or reckless disruption or degradation of computer services or denial of services to an authorized user.

Legislation at the US federal level, however, has, with the introduction of the USA PATRIOT Act (USA PATRIOT, 2001), gained considerable power to investigate and prosecute computer misuse against computers of national interest with section 814 ‘Deterrence and Prevention of Cyberterrorism’. Within section 814, it is an offence to cause ‘damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security’. The Act also goes on to highlight that ‘the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information’.

Section 814 clearly states then that an impairment of availability against government systems is an offence against this Act. There is the argument that there are only a limited number of systems that are essential, and any political representative that presents an Internet presence should not be one of those. This argument presupposes that each system has only one function and that it may not have a different function at a time of emergency. The authors could not find a sufficient example of this and anything else would be contrived; however, it is not unreasonable to suggest that an e-mail server could be used as an essential line of communication between government agencies during some form of incident.

Considering that much of the computer misuse legislation examined comes from a legal tradition that requires a level of case law and precedent to be truly effective, there is the still often unqualified idea of ‘acceptability’. One person may do something, but how much do they or a group of people need to do before we consider it unacceptable—possibly even an attack?

Without the law to provide the parameters for people, then there needs to be some form of ethic of acceptable usage for the Internet-enabled citizen. Without a code of acceptable behaviour then the people that want to express the freedom of expression that they should be entitled to in this technological revolution may unfortunately transgress laws designed to stop people that have the intent to behave in unacceptable ways.

CONSIDERATIONS

Besides the various elements of legislation in different countries that attempt to define what is legal and acceptable and what is criminal in terms of using the Internet for political activism, there is also the question of the morality of such action.

Morality can be taken to be the set of standards and norms that are considered appropriate in a given society. If freedom of speech is the norm in most democratic societies, then it can be argued that freedom of expression should be the norm with regard to the Internet. However, the question arises of how far one individual’s right or one group’s freedom of expression can occur before it adversely affects the freedom of expression of others, or indeed the majority of society. For example, Denial of Service incidents in the name of cyber-activism may be viewed as freedom of expression for one group, but a restriction for others that may need to use the service within that society. Ultimately, cyber-activism falls within the same moral grey area as conventional activism—how far ethically can one group promote their aims before the detriment of others or society in general begins?

A good example of this is Huntingdon Life Sciences Ltd in the UK, which is a science research centre. In June 2002 a computer program called ‘clogscript’ was released by the huntingdonsucks.com (HS, 2004) ‘Animal Rights’ campaign, with the intent to perform an e-mail Denial of Service attack against Huntingdon Life Sciences Ltd. Although huntingdonsucks.com referred to this as a ‘protest’, the clogscript program was clearly intended to produce an unacceptable frequency of e-mails such as to classify it as EDA. Regardless of the ethical motivation of the protest, there is clearly an ethical problem in this example of one entity deliberately stifling another’s freedom of expression (namely the e-mail and web services at Huntingdon Life Sciences Ltd).

In a twist of irony the hacktivists, in the purest sense of the word, have already created an ethical code of conduct within their ideology: ‘creation is good; destruction is bad. Hackers should promote the free flow of information, and causing anything to disrupt, prevent, or retard that flow is improper’; it refers to Denial of Service as ‘an assault on free speech’ (Oxblood Ruffin, 2002b). Therefore any campaign with the intent to cause Denial of Service is an act of repression.

How then is the code of ethics for ‘Internet Citizenship’ to be developed? Wong (1995) argued that as computers become indispensable in our lives there is a need to acknowledge the increasing number of ethical issues and dilemmas involving computers. However, dissenters from both the academic and business communities have raised serious questions about whether ethics can or should be taught (Trevino and Nelson, 1995). Trevino and Nelson (1995) argue that higher education courses can do little if a student has not already learned ethics from their family, clergy, school, or employer. An opposing viewpoint is put forward by Davis (1999), who argues that professional ethics cannot be learned in most families, religious institutions or primary or secondary schools, but instead must be taught as part of a formal professional education. Can a ‘Common Law’ that transcends cultural, national and linguistic differences develop? The Hacker Manifesto highlights that hackers already transcend such boundaries, brought together by computers. Does Internet Citizenship need more hackers, acting like role models, then? There needs to be an understanding of acceptability, or perhaps unacceptability, in the Electronic Common Law.

From the political perspective there is ultimately going to be conflict between the electronic direct activists, hacktivists and governments due to differing ideologies. Clear guidelines of acceptable behaviour have to be drawn up in the absence of case law; these guidelines should hopefully support or at least not conflict too greatly with an emerging Electronic Common Law. Government can support responsible Internet Citizenship by placing issues relating to this onto national curricula and running campaigns such as ‘E-mail your political representative’.

While computer crime is on the increase, and while computers are becoming indispensable in people’s lives, there is a pressure on governments and political entities to enforce stringent laws to protect themselves and society at large. Such laws enacted without a deeper understanding of the ethics that exist on the Internet may act as an instrument of oppression against freedom of expression and curtail the engagement between political entities and their citizens.

REFERENCES

Attrition. 2004. Attrition.org defaced commentary mail list archive. http://www.attrition.org/security/commentary/ [January 2004].

CMA. 1990. Computer Misuse Act 1990. Elizabeth II. Chapter 18, July 1990.

CMHI. 2002. Computer Misuse (Amendment) Bill (HL): House of Lords Bills 2001–02 79.

Conley JM, Bryan RM. 1999. A survey of computer crime legislation in the United States. Information and Communications Technology Law 8(1): 35–58.

CSI. 2003. CSI/FBI Computer crime and security survey, 2003. Computer Security Issues and Trends 8. Computer Security Institute. http://www.gocsi.com/ [January 2004].

Davis M. 1999. Ethics and the University. Routledge: London.

Denning D. 1999. Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy. The Internet and International Systems: IT and American foreign policy decision making workshop.

Furnell SM, Dowland PS, Sanders P. 1999. Dissecting the ‘Hacker Manifesto’. Information Management and Computer Security 7(2): 69–75.

Gresty DW, Shi Q, Moynihan EP. 2000. Survivable systems concept to protect core e-business functions from denial-of-service. In 10th BIT Conference. Manchester, UK.

Himanen P. 2001. The Hacker Ethic and the Spirit of the Information Age. Vintage: New York.

HS. 2004. Huntingdonsucks.org homepage. 2004. http://www.huntingdonsucks.com/ecd/ [January 2004].

Oxblood Ruffin. 2002a. The Hacktivismo declaration. http://hacktivismo.com/about/declarations/ [January 2004].

Oxblood Ruffin. 2002b. Waging peace on the Internet. http://hacktivismo.com/about/ [January 2004].


POA. 1986. Public Order Act 1986. Elizabeth II. Chapter 64, November 1986.

Shea V. 1996. Netiquette. Albion: San Francisco.

SLC. 1986. Scottish Law Commission. 1986. Para. 4.28.

TA. 1968. Theft Act 1968. Elizabeth II. Chapter 60, August 1968.

The Mentor. 1986. The Hacker Manifesto. Phrack 1(7). Phile 3 of 10. http://www.phrack.org/phrack/7/P07-03 [January 2004].

Trevino L, Nelson K. 1995. Managing Business Ethics. Wiley: New York.

USA PATRIOT. 2001. Uniting and strengthening America by providing appropriate tools required to intercept and obstruct terrorism (USA Patriot Act) Act of 2001. HR 3162, October 2001. 107th Congress of USA: Washington.

Weber LM, Loumakis A, Bergman J. 2003. Who participate and why? Social Science Computer Review 21(1): 26–42.

Wong E. 1995. How should we teach computer ethics? A short study in Hong Kong. Computers and Education 25(4): 179–191.
