Jay Leiderman, attorney for Anonymous (how does that work?) and Lulzsec, writes in the Guardian that distributed denial of service attacks should be regarded as "speech" and thus worthy of First Amendment protection:
A reported 10,000 protesters around the world took to the internet with a protest method known as DDoS (distributed denial of service) – the functional equivalent of repeatedly hitting the refresh button on a computer. With enough people refreshing enough times, the site is flooded with traffic, slowed, or even temporarily knocked offline.Sounds nasty. Does it cause any damage?
No damage is done to the site or its backing computer system; and when the protest is over, the site resumes business as usual.Well, the site can't process legitimate customers. So its operators lose money. And the site monitoring will page the company's sysadmins. Who will have to spend hours managing, firefighting, blocking IPs, rebalancing and restoring the site's normal operation. Probably out of hours, at overtime. So the company has to spend money. And maybe the high traffic causes logs to fill up a disk partition and the site to lose logging or transaction information. But no computer actually explodes in a red-hot ball of fire, so no "damage" has been caused.
One person jumping up and down on a wooden bridge is just fine. A hundred people jumping up and down on a wooden bridge in concert can eventually cause timbers to crack, and the bridge to require expensive repairs. But that's OK, because it's just free speech - people are enjoying how springy the bridge is.
One person asking for a glass of water from Starbucks is normal business. A hundred people saturating the Starbucks queue and asking for a glass of water when it's their turn to be served will drive away legitimate customers, tank the store's profitability for that day and wreck their employee's chance of a performance bonus. But that's OK, because it's just free speech - people are thirsty.
One person occupying a table in a vegan restaurant and ordering a hamburger is slightly obnoxious. Twenty people doing this displaces all the restaurant's legitimate customers, aggravates the staff and kills takings for the evening. But that's OK because it's just free speech - people have the right to ask for a hamburger, as the restaurant has a right to refuse to provide one.
Now let's talk technology. Jay Leiderman believes that people hitting the refresh button on their browser at a co-ordinated time is free speech. How about running a little batch script that makes the same HTTP GET request every couple of seconds? Surely the intent is the same. How about running a batch script that listens for commands from a central server and sends HTTP GET requests to specific URLs on command? Surely the intent is the same. How about the person who runs the central server and sends the commands to all the clients - surely they are merely making use of the service that each user installing the script has provided? Congratulations Jay Leiderman, you're well on your way to legitimising botnets.
So how does Jay defend this disruption?
True, customers of the site are temporarily inconvenienced, but democracy is often messy and inconvenient. Moreover, the voice of your fellow citizen should always be worth slowing down to hear for a moment.Really, Jay? What, specifically, are they saying? If I go to Paypal to pay for something bought on eBay (God forbid) and Paypal isn't responding, how should I know why it isn't responding? How do I know what the DDoS perps are trying to say beyond "we don't like Paypal"? It's not very specific speech, is it?
Thousands of PayPal protesters said, via their protest speech in DDoS form: "I want to make a donation to WikiLeaks; I'll take up my bandwidth to do that, then I'll leave. You'll make money, I'll feel fulfilled, everyone wins."Wow, Jay. You can really pull information out of silence. I'm impressed. What was John Cage saying in 4'33"? With those kind of skills, you should be a literary critic, not a lawyer (although a certain parasitism characterises both professions).
Incidentally, if you operate an online service and don't have some frontend checking of traffic-per-IP spikes, you probably should. If you see an IP start to request many purchases per minute within the space of a few minutes, it's time to start putting that IP to the back of your request queue. I suspect Jay Leiderman would not appreciate you redirecting those DDoS requests to www.leidermandevine.com, his appreciation for "free speech" notwithstanding. Though I do wonder what he would think they were saying.