It seems that the Obamacare website, http://www.healthcare.gov, has had a spot of trouble lately. However, obscured in all the debate over the policy of the Affordable Care Act and all of the technical problems with the site is the fact that opponents of the universal (well, semi-universal) health insurance portal have taken to social media like Twitter, Facebook and others to distribute a DDoS tool called Destroy Obamacare.
“This program continually displays an alternate page of the Obamacare website. It has no virus, Trojans, worms, or cookies. The purpose is to overload the Obamacare website, to deny service to users and perhaps overload and crash the system,” reads the program’s grammar- and spelling-challenged “about” screen. “You can open as many copies of this program as you want. Each copy opens multiple links to the site.” The advocates continue by noting: “Obamacare is an affront to the Constitutional rights of the people.” It adds “We have the right to civil disobedience!”
But do they?
Most DDoS attacks use a sort-of command and control system. The attacker designs a bot, the bot invades a bunch of hosts (obtains unauthorized access to them) and then these bots launch a coordinated attack at a victim. The intermediate sites that are used as the launching points typically are innocent participants in the attack. Thus, a single attacker, or a small number of attackers, launch a program designed to shut down and cause damage to a website or service.
The US computer crime statute, 18 USC 1030 (a)(5)(A) punishes whomever, “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” So in the case of a normal DDoS attack, where the attacker transmits the code, intends to cause unauthorized damage, and causes such damage, we have all the elements of the offence wrapped up in one person. A crime.
With the Destroy Obamacare DDoS, not so much.
You see, when the folks who conduct “civil disobedience” send the program to third parties for THEM to launch, it’s unclear as to whether or not they are liable for the intentional and “intervening” acts of the third parties.
Steven Brill, the editor of The American Lawyer recounts an episode at Yale University in January of 1973 where students and others were encouraged to flush their toilets at precisely the instant that Richard Nixon took the oath of office for his second inaugural. This was part of a widely advertised campaign by hippies and others to simultaneously flush toilets around the country instantaneously, which it was hoped would cause a massive drop in water pressure and the disruption of or destruction of the sewage infrastructure in most metropolitan areas. An act of civil disobedience. Of course, it didn’t happen. But what if it did? Could the organizers of the national “flushin” be held criminally liable for the property damage caused? Could those who made others aware of it be held responsible (the 1973 equivalent of the Social Media?) What about a single individual who, with a desire to protest the inaugural, flushed his or her toilet at precisely noon Eastern Savings Time on January 22, 1973?
The problem with the “Destroy Obamacare” bot is that it relies for its effectiveness on mass protest. It compounds but does not create the problems associated with a flood attack. If, as an act of protest, I posted to social media that everyone should log on to www.healthcare.gov at a specific date and time simultaneously, (but assuming I never actually logged on myself) could I be held liable for a denial of service attack? For conspiring with people I never met? Aiding and abetting? Criminal facilitation?
Similarly, does my intent and/or motive matter?
If my intent is to call attention to a claim that the website is robust (and prove that the claim is false) but it’s not my intent to cause actual damage, does that mean that I escape criminal punishment? If my intent is to cause damage, but the damage is actually caused by the fact that the website is poorly designed, should that matter?
What about motive? If I deliberately cause damage (or encourage others to do so,) but I do so as a political protest, should that be protected under the First Amendment? Is there a “right” to “hacktivism”? Is this even hacktivism? Do we distinguish between a DDoS attack meant to protest a U.S. policy (like the Chinese DDoS attack on U.S. corporate computers following the U.S. bombing of the Chinese embassy in Bagdad) and a DDoS attack on a U.S. company for economic benefit? What matters more – what you do, or why you do it?
The short answer is that the law is woefully unprepared to deal with the problem of hacktivism in general and distributed denial of service in particular. As a general rule, a person is responsible for what they themselves do. I flushed the toilet. People are typically not responsible for what others do, unless there is a conspiracy – an agreement – to effectuate a common end.
So it might be possible to go after everyone who launched, or forwarded for launch, the Destroy Obamacare bot. But whether this would be successful remains an elusive undertaking.