Jay Leiderman's short-sightedness

Jay Leiderman, attorney for Anonymous (how does that work?) and Lulzsec, writes in the Guardian that distributed denial of service attacks should be regarded as "speech" and thus worthy of First Amendment protection:

A reported 10,000 protesters around the world took to the internet with a protest method known as DDoS (distributed denial of service) – the functional equivalent of repeatedly hitting the refresh button on a computer. With enough people refreshing enough times, the site is flooded with traffic, slowed, or even temporarily knocked offline.
Sounds nasty. Does it cause any damage?
No damage is done to the site or its backing computer system; and when the protest is over, the site resumes business as usual.
Well, the site can't process legitimate customers. So its operators lose money. And the site monitoring will page the company's sysadmins. Who will have to spend hours managing, firefighting, blocking IPs, rebalancing and restoring the site's normal operation. Probably out of hours, at overtime. So the company has to spend money. And maybe the high traffic causes logs to fill up a disk partition and the site to lose logging or transaction information. But no computer actually explodes in a red-hot ball of fire, so no "damage" has been caused.

One person jumping up and down on a wooden bridge is just fine. A hundred people jumping up and down on a wooden bridge in concert can eventually cause timbers to crack, and the bridge to require expensive repairs. But that's OK, because it's just free speech - people are enjoying how springy the bridge is.

One person asking for a glass of water from Starbucks is normal business. A hundred people saturating the Starbucks queue and asking for a glass of water when it's their turn to be served will drive away legitimate customers, tank the store's profitability for that day and wreck their employee's chance of a performance bonus. But that's OK, because it's just free speech - people are thirsty.

One person occupying a table in a vegan restaurant and ordering a hamburger is slightly obnoxious. Twenty people doing this displaces all the restaurant's legitimate customers, aggravates the staff and kills takings for the evening. But that's OK because it's just free speech - people have the right to ask for a hamburger, as the restaurant has a right to refuse to provide one.

Now let's talk technology. Jay Leiderman believes that people hitting the refresh button on their browser at a co-ordinated time is free speech. How about running a little batch script that makes the same HTTP GET request every couple of seconds? Surely the intent is the same. How about running a batch script that listens for commands from a central server and sends HTTP GET requests to specific URLs on command? Surely the intent is the same. How about the person who runs the central server and sends the commands to all the clients - surely they are merely making use of the service that each user installing the script has provided? Congratulations Jay Leiderman, you're well on your way to legitimising botnets.

So how does Jay defend this disruption?

True, customers of the site are temporarily inconvenienced, but democracy is often messy and inconvenient. Moreover, the voice of your fellow citizen should always be worth slowing down to hear for a moment.
Really, Jay? What, specifically, are they saying? If I go to Paypal to pay for something bought on eBay (God forbid) and Paypal isn't responding, how should I know why it isn't responding? How do I know what the DDoS perps are trying to say beyond "we don't like Paypal"? It's not very specific speech, is it?
Thousands of PayPal protesters said, via their protest speech in DDoS form: "I want to make a donation to WikiLeaks; I'll take up my bandwidth to do that, then I'll leave. You'll make money, I'll feel fulfilled, everyone wins."
Wow, Jay. You can really pull information out of silence. I'm impressed. What was John Cage saying in 4'33"? With those kind of skills, you should be a literary critic, not a lawyer (although a certain parasitism characterises both professions).

Incidentally, if you operate an online service and don't have some frontend checking of traffic-per-IP spikes, you probably should. If you see an IP start to request many purchases per minute within the space of a few minutes, it's time to start putting that IP to the back of your request queue. I suspect Jay Leiderman would not appreciate you redirecting those DDoS requests to www.leidermandevine.com, his appreciation for "free speech" notwithstanding. Though I do wonder what he would think they were saying.


  1. So how does one organize a website sit-in, then? If an announcement and call for participation is made with a given message, and then folks participate, is it really so hard to interpret the silence? I guess the difference drom botnets is the consent of the participants. That's pretty substantial.

  2. I guess it's an issue of how visible the call to participation is, and to whom you wish to communicate the message. If you want to communicate it to the site customers, I think you're out of luck short of actually defacing the site (and you probably don't want to do that unless you like serious jail time). If you only want to communicate it to the site maintainers, I suppose it's easier.

    All in all, though, my preference is for action in the real world - travelling to demonstrate at a company's office or shops takes actual commitment and is a sign of a serious conviction in the message. A website sit-in is too easy to participate in to make a serious statement unless you have tens, hundreds as many people as an effective sit-in. That the website can't cope with anything like that level of traffic is an interesting asymmetry...

  3. Many businesses operate mostly or entirely online. Most online business is in no way affected by a physical sit-in, so those can be safely ignored. The travel commitment that you laud is also terribly asymmetric: your cost to protest is thousands of times more if you have to travel than if you sit at your computer (so indeed tens, hundreds, thousands fewer would participate); meanwhile their costs to defend are larger on the computer than offline where police take care of it. Or do you mean time commitment? Learning commitment? Possible jail commitment? Identification commitment? When's the last time you considered physically protesting an online business? It sounds ludicrous. And considering that all harm is gone after they stop, no lasting damage done, it's a particularly mild form of protest.

    You're right that the core of the communication issue is the type and scale of the call to action. Social media can get this kind of thing to happen because of that communication. Don't ridicule Leiderman for helping communicate the intended interpretation to the folks who happened not to have gotten the memo.

    Again, if it's botnets, then that's non-consensual and as you say hard to interpret, and not something I can condone. But regular social-media organized consumer distributed denial of service? Absolutely: it's the internet's sit-in. It is speech.

  4. The point about online-only business is a fair one - so how can we register our displeasure in a form that has proportionate impact on that business? The usual way is to withdraw our custom, but perhaps that won't have a discernable impact on sales. So I wonder how aggrieved parties could calibrate an appropriate and reasonable scale of protest if they chose a DDoS - a retailer with a small online presence could be DDoSed by a very small number of people, whereas someone like Amazon is, for all intents and purposes, un-DDoSable.
    I'll have to agree to differ with you on whether DDoS is at all an appropriate form of speech, but do bear in mind that the effectiveness of DDoS is strongly related to the expertise of the target's sysadmins or hosting providers in mitigating DDoS attacks - this is not strongly correlated with business size, sector, dollar intake, number of users per minute on the site, or geographic centre.
    In terms of what social media alone can accomplish, I would remind people of the #trafigura incident where simply retweeting a hashtag resulted in the deconstruction of a superinjunction. If your message is clear enough, it will achieve a life of its own and reach and affect far more people than a DDoS attack.


All comments are subject to retrospective moderation. I will only reject spam, gratuitous abuse, and wilful stupidity.