chevron-down Created with Sketch Beta.

ARTICLE

Zero Dark Data: Hacktivism, Cybersecurity, and Social Change

Robert W Sweet

Summary

  • This article argues that a reform of the Computer Fraud and Abuse Act (CFAA) is necessary to permit an exception for activists in cyberspace that commit acts of civil disobedience for social change, consistent with the First Amendment’s policy considerations.
Zero Dark Data: Hacktivism, Cybersecurity, and Social Change
Halfpoint Images via Getty Images

Introduction

As interconnected network technologies dominate all aspects of civil life, people increasingly rely on the internet to navigate and effectuate social change. In effectuating social change, the novel legal issue is whether the First Amendment should protect “hacktivism” for hacktivist actions that are narrowly tailored toward matters of public concern. Hacktivist actions and motives are distinguishable from variegated sources of harmful cyber-related activities, with terrorism, espionage, and crime, among many examples.

This article argues that a reform of the Computer Fraud and Abuse Act (CFAA) is necessary to permit an exception for activists in cyberspace that commit acts of civil disobedience for social change, consistent with the First Amendment’s policy considerations.

What Is Hacktivism?

The neologism hacktivism originated from a late-1990s political hacker-group called Cult of the Dead Cow (cDc). The cDc’s mission was to leverage technology to advance human rights and protect the free flow of information. Hacktivism is defined as an ideologically oriented use of computer skills with “an implied philosophical underpinning to the explicit ‘pursuit of attention for worthy and perhaps neglected issues’ to shift public discourse, raise awareness, and create public pressure.” Brian Kelly, Investing in A Centralized Cybersecurity Infrastructure: Why “Hacktivism” Can and Should Influence Cybersecurity Reform, 91 B.U. L. REV. 5 (Oct. 2012). This transgressive cyber activity “translates into the digital realm what disruptive or expressive politics have been using for centuries: demonstrations, sit-ins, labor strikes, and pamphlets.” Peter Krapp, Terror and Play, or What Was Hacktivism, Grey Room (2005).

Recent Examples of Hacktivism

Anonymous and the Killing of Michael Brown

The killing of Michael Brown in 2014 catalyzed the Black Lives Matter (BLM) movement to protest the already-pervasive history of systemic racism and injustice in the United States. In retaliation against the Ku Klux Klan and St. Louis Police Department for infringing on the rights of protestors, Anonymous declared war against the KKK and the police by conducting Distributed denial-of-service (DDoS) attacks on websites, phone lines, and social media accounts associated with the actors, causing them to malfunction. Anonymous’ hacktivism culminated in a leak of the personal contact information for local white supremacists and sympathizers.

Operation Antisec v. Stratfor

Jeremy Hammond, formerly known as  “sup_g”  of Anonymous, hacked the U.S.-based intelligence firm Stratfor by releasing millions of emails to WikiLeaks to expose Stratfor’s unlawful surveillance and intelligence-gathering. Hammond felt that he “had an obligation to use [his] skills to expose and confront injustice—and to bring the truth to light.” Hammond’s actions revealed that Stratfor had “maintained a worldwide network of informants…used to engage in intrusive and possibly illegal surveillance activities on behalf of large multinational corporations.” Sparrow, Sentenced to 10 Years in Prison, Jeremy Hammond Uses Allocution to Give Consequential Statement Highlighting Global Criminal Exploits by FBI Handlers, The Sparrow Project (Nov. 15, 2013).

Blue Leaks

In reaction to the death of George Floyd, the hacktivist group Distributed Denial of Secrets (DDoSecrets) disclosed 269 gigabytes of law enforcement data accessed from fusion centers across the country. The disclosed information detailed the Federal Bureau of Investigation’s counter-surveillance techniques against BLM protestors, how law enforcement deliberately misrepresented threats from far-right extremists and fears within law enforcement actors over how mask-wearing interfered with facial recognition technology. Emma Best, co-founder of DDoSecrets, emphasized that “the public has an interest in the identities of public servants,” because “part of what a lot of the current protests are about is what police do and have done legally.” According to Best, “the potential of the data…outweighs any downsides to allowing the public to examine it.” Andy Greenberg, Hack Brief: Anonymous Stole and Leaked a Megatrove of Police Documents, Wired (June 22, 2020).

How Hacktivists Operate

Denial of Service Attacks

Denial of service (DoS) attacks operate similarly to physical sit-ins: They deny electronic access to a webpage by temporarily turning it offline through excessive network traffic. The connection to the webpage is overloaded, preventing users from access to the material. For example, Anonymous executed the DDoS attack Operation Payback as retaliation against banks and credit card companies who refused to process WikiLeaks payments.

Website Defacement

Hacktivists use website defacement to disfigure the visual appearance of webpages so as to draw attention to a set of issues for which they seek to bring social change. Hacktivists analogize website defacement as cyber-graffiti, as it rarely involves actual damage to the network’s infrastructure; instead, defacement involves merely injecting lines of code into the website. For example, in retaliation for the death of Aaron Swartz, Anonymous executed Operation Last Resort: The group defaced Massachusetts Institute of Technology’s website with the message “REMEMBER THE DAY WE FIGHT BACK,” intended as a reminder of the university’s active role in prosecuting Schwartz.

Data Disclosure: AKA Leaktivism & Panama Papers

To highlight injustice to the public, hacktivists gain unauthorized access to network systems to steal and leak information. Unlike cyber-criminals who access sensitive information to sell on the dark web, hacktivists reveal sensitive information to expose widespread wrongdoing on matters involving the public interest as a means of accountability. For example, in one of the most significant leaks in history, hacktivists disclosed over 11.5 million files from the law firm Mossack Fonseca to expose how wealthy individuals benefit from secret, offshore tax regimes.

The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) prohibits conduct that harms computer systems. Specifically, the CFAA protects computers where there is a federal interest, namely computers used in, or affecting, interstate and foreign commerce. Charles Doyle, Cybercrime: An Overview of the Federal Computer Frauds and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service (Oct. 15, 2014). The statutory amendments to the CFAA, which modified the mens rea requirement to easily prosecute all hackers, criminalize hacking if the hacker gains unauthorized access to computer systems, notwithstanding intent to damage the system or not. Haeji Hong, Hacking Through the Computer Fraud and Abuse Act, 31 U.C. DAVIS L. REV. 283 (1997). The particular statutory provision that criminalizes hacking, section 1030(a)(5), describes two provisions: (1) knowingly transmitting “a program, code, or command that intentionally causes damage to a protected computer,” regardless of whether the actor has authorized access; and (2) unauthorized access of a protected computer that causes damage. 18 U.S.C. §1030(a)(5) et seq.

The CFAA’s statutorily broad language encompasses the methods that hacktivists use to effect social change, such as DDoS and website defacement. Despite cyberattacks that physically harm neither the target’s computer nor network elements, the definitional language of “damage” and “loss” subsume hacktivism within the scope of CFAA’s prohibitions. Xiang Li, Hacktivism and the First Amendment: Drawing the Line Between Cyber Protests and Crime, 27 HARV. J. LAW & TECH. 301 (2013); Joshua McLaurin, Making Cyberspace Safe for Democracy: The Challenge Poses by Denial-of-Service Attacks, 30 YALE L. & POL’Y REV. 211 (2011). However, neither DDoS attacks nor website defacements destroy or damage the targeted system, since DDoS attacks only deny temporary access to the webpage, while website defacement neither destroys nor removes code that comprises the system.

Policy Considerations

Anonymous: The First Amendment Should Protect Hacktivism against Criminalization Under the CFAA

Anonymous petitioned the White House to recognize DDoS attacks as a valid form of protest protected by the First Amendment. Anonymous analogized DDoS attacks as a method of civil disobedience, where protestors physically occupy a targeted space: In this case, occupying a targeted webpage through disrupting and overloading the network to deny access to that site.

Hacktivism as Speech Related to Matters of Public Concern

The First Amendment serves to facilitate the free flow of information within the marketplace of ideas since unfettered dissemination of information among citizens operates as the watchdog against a tyrannical government. The Supreme Court declared that “a function of free speech under our system of government is to invite dispute…[f]ree speech may indeed best serve its high condition when it induces a condition of unrest, creates dissatisfaction with conditions as they are, or even stirs people to anger.” Terminiello v. Chicago, 337 U.S. 1 (1949). Additionally, the Court found that “‘[t]he explanation for the Constitution's special concern with threats to the right of citizens to participate in political affairs is no mystery…[t]he First Amendment ‘was fashioned to assure unfettered interchange of ideas for the bringing about of political and social changes desired by the people.’” Connick v. Myers, 461 U.S. 138 (1983). Notwithstanding prescribed limitations, the right functions as a presumption of protecting, rather than restricting, the content of speech. See, e.g.Brandenburg v. Ohio, 395 U.S. 444, 449 (1969); New York Times Co. v. Sullivan, 376 U.S. 254, 265 (1964); Thomas v. Board of Educ., 607 F.2d 1043, 1047 (2d Cir. 1979). Therefore, since the First Amendment operates in favor of permitting speech as opposed to containing it, hacktivist tactics should be protected under the First Amendment. This protection would promote the marketplace of ideas concerning matters of public concern that involve corruption and wrongdoing.

In Snyder v. Phelps, the Court found that for speech to constitute a matter of public concern, “it can be fairly considered as relating to any matter of political, social, or other concern to the community…or when it is a subject of legitimate news interest; that is, a subject of general interest…to the public.” 562 U.S. 443 (2011).  Deciding whether speech is of public or private concern requires an examination of the “content, form, and context” of that speech as revealed by the entire record, since no factor is dispositive. Dun & Bradstreet, Inc. v. Greenmoss Builders, Inc., 472 U.S. 749 (1985).

It would be difficult to imagine a matter more substantial and legitimate of a public concern than the relationship between an actor engaged in wrongdoing and the necessity for public awareness to challenge corruption. For example, the matter of public concern in disclosing information regarding an actor’s wrongdoing, or a DDoS attack against a government website for wrongful and oppressive policies, substantially outweighs the interests of those entities. The hacktivist tactics of exposing an actor’s misconduct are a matter of considerable significance, as the tactics satisfy the “content, form, and context” of speech related to matters of public concern. These tactics are contingent upon matters of political and social concerns to the community without collapsing into purely private matters. To elucidate this point, one can reference the hacktivist collective DDoSecrets’ provisions of only releasing information where: (1) data is of public interest, and; (2) a prima facie case can be made for the veracity of its contents. See DDoSecrets, Welcome to DDOS. Therefore, restricting hacktivist actions that owe existence to matters of public concern infringes upon liberties enjoyed by citizens writ large, which should receive protection under the First Amendment.

Opinion: The CFAA Contravenes Hacktivists' Freedom of Speech

"The [CFAA] is the most outrageous criminal law you've never heard of…[i]t is, in short, a nightmare for a country that calls itself free." Tim Wu, Fixing the Worst Law in Technology, New Yorker (Mar. 18, 2013). To contextualize the absurdity of the CFAA is to highlight the paranoiac atmosphere fueled by the fearmongering release of the movie War Games, which involved a teenager hacking into America’s nuclear arsenal. The overzealous prosecution of Aaron Schwartz, resulting in his suicide, is shocking to one’s conscience and ideological principles concerning criminalizaton of cyber laws and regulations. As hacktivists seek to rectify injustices through cyber civil disobedience, prosecutors abuse the CFAA’s broad provisions to intimidate political activists.  

Thus, to effectuate social change through hacktivism, the CFAA must be reformed to permit an exception for hacktivists whose actions relate to matters of public concern. Specifically, the CFAA’s statutory scheme must account for hacktivists’ specific intent vis-à-vis their conduct: whether the hacker intended to engage in electronic civil disobedience to bring awareness and challenge actions they perceive to be unjust, or whether their intent falls under activities more closely related to cyberterrorism, cyberespionage, and cybercrime. This would allow the factfinder to properly balance the necessity of political activism with the necessity to punish transgressive conduct from actors who may cause harm and/or benefit financially.

To differentiate hacktivists from cybercriminals, the specific intent can be established circumstantially through (1) writings (manifestos, chat logs, emails, etc.), (2) past criminal acts relating to socio-political causes or criminal acts like cyberextortion, and (3) the actual harm caused (temporary inactivity of a website because of a DDoS attack) vis-à-vis any material benefit the hacker may have received (e.g. ransom in exchange of returning information). Once the narrowly tailored exception has been carved out, any hacker’s activity falling outside of that should amount to a misdemeanor. The hacktivist should then use their specialized knowledge to benefit the harmed actor’s cyber infrastructure as a form of community service. Tiffany Knapp, Hacktivism – Political Dissent in the Final Frontier, 49 New Eng. L. Rev. 259 (2015). This will effectively jettison prosecutorial abuse of the CFAA that has discouraged hacktivist goals of achieving progress by exposing systemic wrongdoing. If hacktivists can satisfy the mens rea requirement under a reformed CFAA when their actions relate to matters of public concern by the totality of evidence, they should only be punished by misdemeanors to promote an engaged citizenry in the democratic process.

Conclusion

Hacktivism is a form of transgressive politics that disrupts hegemonic structures within cyberspace. For a country that vaunts its history of free expression to pass an all-encompassing, repressive, statute like the CFAA, the United States demonstrates the illogicality of a bureaucratic governance that fails to protect legitimate means of participation in democratic processes. Since hacktivists could demonstrate that their cyber-actions were narrowly tailored to matters of public concern vis-à-vis the mens rea requirement, their actions should instead constitute a misdemeanor under a reformed CFAA.  Hacktivism’s “form, content, and context” operates to expose corruption and injustice for which public awareness is essential to right wrongs, contemplated perhaps by the Court in Boyd v. United States as one of those “illegitimate and unconstitutional practices [that] get their first footing…by silent approaches and slight deviations from legal modes and procedure.” 116 U.S. 616, 635 (1886). The bravery of those who challenged the illegality of the systemically racist Jim Crow legal system sought a future free of injustice and oppression. One would be burdened to successfully argue that the Black Panther Party, the Student Nonviolent Coordinating Committee, and Congress for Racial Equality erred in their tactics against to achieve a semblance of racial equality. Contemporary hacktivists cyberized this torch of justice in their pursuit to challenge and dismantle injustice in the United States. Time will show that DDoSecrets and Anonymous were on the right side of history, notwithstanding the current illegality of their tactics.

The opinions expressed in this article are those of the author and not of the American Bar Association or the Litigation Section.

    Author