Denial-Of-Service Attacks As Civil Disobedience, Part III
Last week's Economist, which I'm only now getting around to reading, has a brief and interesting article on DoS attacks and civil disobedience. Of particular note is the following passage:
But in a free society the moral footing for peaceful lawbreaking must be an individual’s readiness to take the consequences, argue in court and fight for a change in the law. Demonstrators therefore deserve protection only if they are identifiable. Some countries (like Germany) even prohibit protesters from wearing masks.
Protesters in cyberspace, by contrast, are usually anonymous and untraceable. The furtive, nameless nature of DDOS attacks disqualifies them from protection; their anonymous perpetrators look like cowardly hooligans, not heroes.
The author has a valid point which I failed to take into consideration in my previous defense of DoS attacks. An act of civil disobedience derives its moral authority from the perpetrator's willingness to suffer legal sanction in order to further eir cause. Seminal examples, such as Gandhi's violation of the British salt tax or Rosa Parks' refusal to yield her seat, involved public, head-on confrontation with the powers that be. DoS attacks are, by contrast, relatively anonymous and thus pose little personal risk to the perpetrators, which seems a strong argument in opposition to the notion that they are a valid form of civil disobedience.
Can a DoS attack ever be a legitimate form of civil disobedience? If I put up a web page saying "I'm DoS'ing X in support of Y" I'm no longer anonymous and am thus vulnerable, in theory at least, to prosecution for my actions. This would seem to clear the hurdle set up in the previous paragraph.
Now, what if I join a DDoS, and all 10000 of us put up web pages? Again, in theory each of us could be prosecuted for our actions, though as a matter of pure logistics its unlikely that the government would ever bring 10000 prosecutions, which means that the risk to any particular individual is small. One could argue that, because each participant is exposed to only nominal personal risk, a DDoS isn't a legitimate form of civil disobedience.
Here, however, we have a real-world example against which to test that assertion. Suppose that I, and 9999 of my closest friends, participate in an illegal gathering; maybe we block an intersection in protest against something or another. Clearly the police can't arrest all 10000 of us, so the individual risk to myself is small, but at the same time such mass actions are typically seen as a legitimate form of civil disobedience. Which indicates to me that, in meatspace at least, nominal exposure to prosecution is sufficient to surpass the threshold of legitimacy. I can see no reason to hold online protests to a higher standard, in which case DoS attacks can be considered legitimate provided that the actors identify themselves in a meaningful fashion.