Skip to content

Is volunteering to take part in a Distributed Denial of Service Attack (DDoS) a valid form of legal protest?

February 22, 2013

For a few years since studying Internet Law as part of my law degree I have always wondered if volunteering to take part in a DDoS attack by downloading software as a political statement is protected by Article 10 of the European Convention on Human Rights (ECHR).

As is normal when looking at laws applied online, there often needs to be a real-world parallel drawn. I wrote a mini-dissertation on this subject and will probably publish on here soon enough. In this case, the right to peaceful protest, granted under the rule of law is a good place to start.

A person has the right to peacefully protest in the UK. This was acknowledged by Nicolas Price QC when sentencing Francis Fernie, who threw sticks at Police outside the Fortnum & Mason occupancy/protest in March 2011[1]. Anti-war marches were attended by nearly a million people in 2003, and not deemed illegal. Anti-cuts marches have also happened since then, and mostly people who committed offences while on the march (assault, criminal damage etc.) were arrested and charged. (I am talking generally; this is not an article about Police behaviour at demonstrations).

After the occupation of Fortnum, Police then arrested and charged the 150 odd members of the group with Aggravated Tresspass, contrary to s.68(1) of the Criminal Justice and Public Order Act 1994[2], which was an offence designed to curtail fox hunt disruptors. In July 2008, the CPS said that charges against 109 protestors were being dropped as prosecution was not ‘in the public interest’.[3]

So there was a line drawn in the sand between prosecutions. A person who threw placard sticks at Police was treated differently to people who occupied a shop peacefully. Specifically keeping in mind the words of Judge Price, perhaps the peaceful protestors had exercised their right to protest.

It is important to note that prosecutions of some protestors did continue, and that dropping prosecution of an act does not make it legal nor confirm a defence. But if it is treated like the DPP’s advice on assisted suicide and helping those ill to travel abroad, then it’s not too far a jump to say that the behaviour is nearly condoned.

So currently there is an act, of peaceful occupation, that is seemingly tolerated by the CPS. Right. Good.  That’s real world. But how does this translate online? Well, the act of occupying a place that impairs it’s operation online is effectively a DDoS attack.

Ok, but is a DDoS attack actually illegal? Yes. Yes it is. Section 3 of the Computer Misuse Act 1990 makes it illegal to without authorisation to impair the operation of any computer. The maximum sentence for this is TEN YEARS in prison. This is longer than for Theft and various drug possession offences[4].

Now extrapolate the real-world defences and justification to online.

Let’s imagine a website as a ‘place’ which isn’t a fair leap. This is how it is used in common language, one ‘leaves site x’ and then ‘Logs In’ to another. This is the common parlance which we use regarding websites.

We also have to put a ‘person’ in that place, disrupting it’s activities. In the case of a DDoS attack, the person is replaced by their bandwidth and their requests for information from that server.

The person also needs to have in their mind some type of political endeavour for Article 10 to start to apply. That is the freedom of expression. Disrupting for disruption’s sake is not really an expression of anything. When applying this to those downloading freely Anonymous’s LOIC or DDoS program, then the person needs to be aware of the target, and each individual target. If the controller of the botnet targets PayPal after the withdrawal of services to Wikileaks, and each Activist downloads the program to attack PayPal, then fine. But the same person’s bandwidth, without their consent, should not be used to attack for instance, Visa. It would be the equivalent of dragging while asleep the Fortnum & Masons protestors to Selfridges. Although the sentiment may be the same, the execution and effects are very different and it now becomes disruption for disruption’s sake. Not likely to be protected.

To continue the metaphor, the bandwidth of activists online has disrupted the operation of a website. The protestors have disrupted the operation of the shop by their presence.

The real-world scenario and the online scenario have been and will likely to continue to be treated very differently by the Police and the courts. Why? It is cheaper for a Government for DDoS attacks to be a form of protest as they do not have the clean-up process afterwards nor do they have to pay Police overtime when managing the protest. There are no dramatic pictures in a newspaper – merely a 404 error on a monitor.

This allowance of one’s bandwidth to be used for a DDoS attack, which is a peaceful way of protesting, I argue, should be protected by Article 10 as a freedom of expression of political views in the same way a protest march is.

Perhaps if the Coalition’s promised peaceful protest laws were drafted[5] then there could be a different argument to take, rather than relying on patchy ‘rules of law’ for a written-in-stone right to protest. Oh well. It is the first thing they have not delivered on, after all…

[1] “It has been long established in this country that citizens have the right to demonstrate and march in favour or against particular causes. Such a rule has been described by the courts as a hallmark of our democratic society,” –

2 Comments leave one →
  1. Cyberleech permalink
    February 22, 2013 6:06 pm

    Well written. Although a different metaphor could be applied. DDoS could be interpreted as employing a device to prevent a commercial organisation from executing their business. In other words sabotage. Is it not similar to throwing a crowbar into a manufacturers production line, or disconnecting electricity from a munitions factory? Neither could be argued as a peaceful protest, and would take time and cost money to rectify. As does a DDoS attack. DDoS does not automatically parallel occupation.

    • February 22, 2013 6:13 pm

      That’s a good question – the cutting of electricity to a munitions factory is a great example, along the lines of the CND campaingers efforts to disrupt nuclear doo dahs.

      I would argue in that scenario that the disabling of electricity would have some form of physical damage done most likely, thereby being criminal damage. That charge apples much better to the crowbar in the production like (or the sabot in the loom?). Criminal damage is relevant, not the political motivation.

      What I am talking about is an effort where there really is no permanent damage. Where the crime is by existing in a certain place at a certain time. In the hall of Fortnum & Masons or your 1MB upload speed in After removing, then the effect has gone. No damage.

      Should the cutting of electricity be done by hacking (maybe not beyond the realms of possibility) then this is dealt with elsewhere in the Computer Misuse Act where unauthorised access to a system is illegal.

      With a DDoS attack, there is no ‘access’ to speak of, merely knocking on the door…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: