As an observer of that interesting case study in Internet regulation that is Anonymous, I have found recent developments quite an eye-opener regarding the potential long-term survival of the group.
When Anonymous coordinated a series of denial-of-service attacks against payment systems and electronic commerce giants in response to the perceived attack against Wikileaks, I wondered what the response from the establishment would be. Law enforcement officials seemed reluctant to dedicate resources to try to pursue a bunch of kids who were defacing and attacking websites related to the music and movie industries. But when Anonymous attacked important financial targets, including the largest credit card companies in the world, it became clear to me that they had also raised their profile, and that some form of response was likely. I was not really expecting a fast response, but we got a reasonably prompt one.
Back in January, UK law enforcement struck the first blow against the erstwhile seemingly untouchable group by arresting five people aged between 15 and 26. The men were charged under the Computer Misuse Act 1990, specifically s3, which clearly specifies that it is an offence to undertake acts with intent to impair, or with recklessness as to impairing, the operation of a computer. This is a section that was amended to deal specifically with DDoS attacks, as it is worded broadly enough to accommodate most remote behaviour that affects the functioning of a system.
Anonymous responded by declaring war on the UK. Besides the rather acrimonious rhetoric on display, the whole statement is worth a read, as it very much exemplifies the two opposed philosophies that are currently clashing online. In a telling paragraph, Anonymous says:
“First and foremost, it is important to realize what a DDoS attack exactly is and what it means in the contemporary political context. As traditional means of protest (peaceful demonstrations, sit-ins, the blocking of a crossroads or the picketing of a factory fence) have slowly turned into nothing but an empty, ritualised gesture of discontent over the course of the last century, people have been anxiously searching for new ways to pressure politicians and give voice to public demands in a manner that might actually be able to change things for the better. Anonymous has, for now, found this new way of voicing civil protest in the form of the DDoS, or Distributed Denial of Service, attack. Just as is the case with traditional forms of protest, we block access to our opponents’ infrastructure to get our message across. Whether or not this infrastructure is located in the real world or in cyberspace, seems completely irrelevant to us.”
This to me is an important point, and I tend to agree in spirit, but not in the letter of the law. While later Anonymous tries to explain that a DoS is not hacking in the strictest sense (which may be true in many situations), UK cybercrime law specifically ignores the hacking angle, and creates a criminal offence that hinges on both the intent and the result. The person initiating a DoS attack must have the intention of doing so, and the effect is to hinder a computer’s operation. If a person engaged in a DoS attack is caught downloading Low Orbit Ion Cannon, then the intent is clearly shown. Nonetheless, I tend to agree with Anonymous that their DoS attacks are more analogous to sit-ins, blockades, and other methods of pacific demonstration. The problem for Anonymous is that, at least in the UK, cyber-demonstrations and real-life demonstrations are typified differently; DoS carries a criminal offence, period.
The above in itself gives us an interesting discussion about cybercrime, mens rea and the criminalisation of protest. But the story of Anonymous is taking an even more interesting twist. Firstly, by the end of January the FBI issued 40 warrants against members of Anonymous, although no arrests had been made because the authorities could not match real people with the Anonymous elites. However, U.S. security firm HBGary Federal claimed last week that it could identify at least 10 of the 40 individuals on the FBI list thanks to an infiltration job that it had undertaken. Anonymous then retaliated by hacking into HBGary’s servers to check their files, and found the evidence wanting. Not only that, they uploaded and shared HBGary’s own emails. If Anonymous intended to claim that it was not engaged in hacking, well, they have just added one more potentially indictable offence.
Despite the seeming invulnerability of the Anonymous leadership (if an anarchic group has such a thing), were I in Anonymous I would be nursing some doubts. I still believe that Anonymous operates in relative safety because there has not been a full-fledged effort to find them. It is much more difficult to maintain some form of privacy online, and I suspect that there must be some people on that FBI list who may have made a mistake from time to time.
So Anonymous still appears to be ahead, but for how long?