applause
Hi, my name is Molly Sauter.
I'm currently a grad student at MIT in Comparative Media Studies
and I do research at the Center for Civic Media at the Media Lab.
This talk is going to be laying out an analytical framework
that I've been working on for a while
of the ethical analysis of activist DDoS actions.
And though distributed denial of service attacks have been used
as a tool of digital activism for roughly the past 2.5 decades,
the past couple of years we have seen this huge explosion of the use
and the tactic and the popularization of the tactic
as well as a sharp increase in the attention
its use attracts from media and state actors.
All this attention has brought a lot of criticism and
a lot of sort of support from various people in the digital space,
including digital activists.
However both DDoS's critics and DDoS's proponents seek to declare the tactic
as a whole as good or bad, without a nuanced understanding of the variety of circumstances in contexts
that can render the tactic's use ethical or unethical.
So in this talk I'm gonna lay down the preliminaries for a framework
by which to perform an ethical analysis of an activist DDoS action in individual use context.
We're gonna go through a brief technical legal note
which I assume I'm gonna be able to skip for this audience,
criticisms of activist DDoS actions that have been thrown out in the past.
Then we're gonna get in to the analytical framework that I'm proposing
and then I'm gonna tell you a little about where I'm gonna take this
as I write my thesis, which this is.
So everybody knows what a DDoS attack is, right?
Raise your hand if you know what it is.
Awesome, I can totally skip this slide.
laughter
DDoS action, distributed denial of service action by which
you seek to monopolize the resources of a server or other resource
with your resources to prevent other people from using it.
Good, we're happy? We're happy.
applause
Alright, brief legal note: unlike this cat I am not a lawyer.
I do not have a law degree, haven't studied law.
I worked at a law school for a while but that doesn't make me a lawyer.
So I'm gonna talk about legal things in this talk, do not take it as legal advice.
So DDoS actions and DDoS attacks are illegal in most but not all jurisdictions.
In the US they are prosecuted as felonies.
Under title 10 section 1030 of the US Code which is complicated and which I won't read.
But just so that everyone is aware and this does have a bearing on my talk later:
these things are very illegal and this has severe precautions
for how organizers should treat them as they engage with them in their protests.
So one of the major criticisms of DDoS actions is that they constitute censorship.
This is a very popular criticism among sort of "oldschool" hacktivists
like Cult of the Dead Cow hacktivism or other groups like that
which have denounced the tactic as straight-up censorship.
Basically they say you are impinging the movement of bits on the network and that's wrong.
If we're going to be engaging in this type of electronic activism
we want to be encouraging the movement of bits on the network, not stopping them.
This criticism privileges the integrity of the network and the rights of specific individuals
to unfettered flows of information,
and it privileges that over political ideals of activism in civil disobedience present in activist DDoS actions.
This criticism also raises very specific unanswered questions about who can engage in censorship.
Can in fact non-state actors and non-corporate actors be engaged as censorious bodies?
And while DDoS is undeniably a disruptive tactic, does disruption of speech,
particularly in context where the target has many other speech outlets,
always equal a denial of speech?
For instance when this tactic is trained against a corporate target
while certain aspects of that organization's presence may be disrupted
their ability to engage in political speech through the press and other outlets is not.
Therefore the criticism that you're engaging in censorship by waging a DDoS action sort of falls flat.
Though the criticism is appropriate in some cases, especially when it's used against organizations
that primarily exist online such as ISPs or independent blogs.
Second major criticism is a sort of a revamping of this very old debate in activism.
Direct action or symbolic/attention-oriented activism, which is better?
And the answer is, one isn't really better, they are sort of different.
applause
Thank you.
One group that's been particularly vocal about this in the past is a group called the Critical Art Ensemble
which helped pioneer the idea of electronic civil disobedience in the 90s.
And they criticized groups like the Electronic Disturbance Theatre for their use of DDoS in their actions.
Saying that the use is ineffectual because corporations
and states are now ??? waging "media war" with activists.
And it is ineffectual when compared with direct action.
In addition to just sort of being mean to attention-oriented activism for no reason,
this criticism ignores the fact that DDoS is often used as a tool of direct action
Such as when it was used by the electrohippies in 1999 against the Internet
that the World Trade Organization was using during their annual meeting
or other groups that I'm gonna talk later about in this talk.
The CAE's conception of DDoS also leaves the tactic
out of the context of larger actions that it is associated with.
This tactic is pretty much never and frankly should never be used as the sole tactic in a campaign.
It should always be used in the context with other tactics
and it gets its ethical and political viability from the context in which it is used.
Not simply because of things inherent to itself.
Third major criticism: what is a successful DDoS action?
Basically it's really hard to take down a large corporate website with an all volunteer manual DDoS action.
If you and all your friends are really just sitting in your chairs
hitting refresh a bunch of times on like paypal.com you're not gonna bring it down.
So then what are we going to consider a successful DDoS action
if we can't rely on downtime to be a measure of success?
So there are a couple of different answers to this question.
The first is we want to look at the value of the tactic as something which draws and focuses attention.
And this is way more important now that it has become
much more of a media magnet than necessarily it was maybe 10 years ago.
Another use for the tactic is the biographical impact on the participants
and expanding opportunities for engagement and participation.
If you have never participated in a political action and you get to participate in a DDoS action
and you're in the IRC channel with all of these new friends who you didn't know you had
who you didn't know had the political views that you had
and you didn't know were willing to participate in ways that you are.
That has a huge biographical impact on you and it helps you consider yourself.
And activism helps you move up the ??? the ladder of engagement.
This enables what Ricardo Dominguez of the EDT calls a permanent culture of resistance
where resisting modes of power and resisting oppressive systems is part of the culture.
And it isn't simply something you do for special on weekends but it is something that you do all the time.
And the value of this symbolic resistance is
not necessarily its overt effect on the system that it ostensibly targets
but rather its effects on participants and on the reflective fields that surround it as it occurs
including media and culture.
Basically DDoS acts as a tool for the revelation of what James Scott called hidden transcripts of resistance.
It serves as an open action where an individual participant
can join a community of resistance with others.
Moving on to the second major section:
the analytical framework that I'm presenting.
There are four major parts of it that I'm gonna talk about in this talk.
I'm hoping to expand to maybe five or six later, but not right now.
The first is intended effects and actual effects.
The second is context within a greater campaign which we've already talked about a little bit.
The third is technology being utilized in the action.
And the fourth is the specific participant and organizer populations ??at play??.
I'm gonna go through these one by one.
The first is intended and actual effects.
What I mean by this is what the group that is waging the action intends to happen by its use of the action
what actually happens.
So there is a good example of this from 1997.
It's called the IGC Euskal Herria Journal action and that's Basque and I totally butchered it but I'm not Basque.
Basically what happened was there was an ISP called IGC
which was hosting a Basque newspaper publication, an online newspaper.
This was during a time in Spain when the Basques were not terribly popular.
There was a lot of violence going around Basque separatist actions.
A popular DDoS action was started by people who I don't know, so don't ask me,
to pressure IGC to take this website down,
the Euskal Herria Journal website down. People didn't like it.
It got a lot of popular support.
Actually several major newspapers in Spain eventually
published target email addresses for email bombs and other things
until they eventually decided that was probably a bad idea
and they retracted their support.
But the stated goal of the actions was always to get the website offline.
People didn't like it, they wanted it gone.
Eventually it did go down because IGC was flooded with these packets and mail bombs and it was horrible.
It rendered inaccessible the websites and emails of their over 13000 subscribers
and they couldn't function as a business while this attack was going on.
So they did eventually stop hosting the site but under firm protest.
As an ISP IGC exists primarily in fact entirely online.
Removing its ability to function online removes its core as an organization
and its ability to function.
So the goal of this action was to remove content
by waging the action as long as the DDoS was successful the content was removed.
So actually the goal of the action was the permanent imposition of the state of the action.
Its intended effects were its actual effects as it was occurring.
This fits very well with the criticism that we saw before.
This was actually just plain censorship.
This was people saying: I don't like that you're hosting that content
therefore I'm going to make you not host that content until you don't host it anymore.
This is not very cool and is unethical and bad.
The second example that I have up here is the EDT electronic disturbance to Lufthansa action from 2001.
This is an example where disrupting content does not equal silencing speech
as opposed to the example that I just showed which was depressing.
So in this example rather than removing content from the Internet
the goal of this action was to raise awareness of Lufthansa's
allowing the German government to deport immigrants using its flights.
It's part of a much greater action called the deportation class action.
While the Lufthansa website itself was rendered inaccessible for brief periods of time,
the actual communications of the airline, its ability to fly planes,
maintain normal operations and communicate internally with itself and with the media
remained for all practical purposes unaffected.
So while the stated goal of the Lufthansa action was
to draw public attention to a specific aspect of the Airline's business model
and through focused attention change that corporation's behavior
it was actually rather successful in that.
The airline did eventually stop allowing the government to deport immigrants with its flights.
Though the action took place on the Internet the effect it sort of had
was not limited to, was not even really present in the online space.
And in and of itself this action could not have achieved
what the electronic disturbance theatre set up to accomplish.
It took positive behavior on the part of Lufthansa for the deportation class action to achieve its goals
as opposed to the IGC example which was designed to accomplish its intended effects by gross fear.
So the third example I'm gonna talk about is something called toywar, or the etoy/toywar campaign.
The twelve days of Christmas campaign took place in 1999 and was an online attempt to draw attention to
a legal dispute between etoy which was a performance art collective
and eToys which was a toy company, an ecommerce company that sold toys online
and they were fighting over the domain etoy.com.
And writing about this is very kamikaze because etoy and eToys,
you have to be very careful.
So this action was designed to draw attention to that legal battle.
But it had the additional effect of having a fairly significant impact on eToys' bottom line
because it took place the twelve days before Christmas
which was the primary shopping season.
And it did have a major how their website ran.
So though their main goal was this attention-oriented campaign in targeting this ecommerce site
they were targeting the central purpose of their competitor.
They were attacking, they were going after what they were which is an online organization.
Etoy, the art ensemble, eventually triumphed in a court case
and claimed their role in the financial losses suffered by eToys Inc.
that occurred over the course of that action.
Their stock price pretty much plummeted
which you can rather blame on the bubble or the action, whichever makes you feel better.
So in this instance we have a combining of direct action and attention-oriented activism into the same action.
The next part of the framework is context within a larger campaign.
As I said DDoS actions very rarely occur by themselves
and in fact if they did occur by themselves you'd probably never hear about them
because there would be no reason why that site you like
is down, it would just be down.
Like physical world sit-ins DDoS actions must be embedded
within a greater campaign of publicity and messaging
to ensure that content disruptions are registered by viewers
and passers-by as protest actions and not as mere technical glitches.
The EDT/Lufthansa campaign took place within the context of
a coordinated multi-pronged campaign
which included physical world actions at stock holder meetings,
press releases and the distribution of special seatback
information cards on Lufthansa airlines that explained
what the protest was about.
I don't know how they got them into the planes but they did end up in the planes somehow.
Similarly toywar was also embedded within a larger campaign of press coverage.
They were covered by Wired, the New York Times, and the AP
and there were also solidarity actions and physical world actions
at court houses.
So if you are going for this type of action,
it has to be embedded within many other actions.
It can't just be your sole activist ???
You have to use with a bunch of other tools as well.
The technology problem is a really interesting one.
As I mentioned it's really difficult for a purely volunteer-based DDoS action
to bring down a targeted site.
As a result we started to see the use of botnets,
traffic multipliers, automated attack tools and other exploits
to bring the power of such actions in line with the defenses employed by targets.
While the use of such technological tools doesn't automatically
negatively affect the validity of these actions,
the use of non-volunteer botnets is the one thing
that is particularly worrying.
And the other things do need to be considered within a larger context.
Volunteer botnets present their own ethical concerns
but are less immediately objectionable.
Like marches, sit-ins and other crowd-based tactics
DDoS actions gain their ethical and political validity
from large numbers of willing participants.
The use of traffic multipliers and exploits,
while tempting to achieve downtime,
undercuts claims by organizers that the actions represent a unified political voice of many different people.
So as an organizer, you would have to balance the
"do I want downtime at press coverage" or
"do I want to remain true to the number of participants
that I have and value their participation over publicity".
And this is something that lots of organizers have to deal with.
Non-volunteer botnets, such as those that were used over the course of
Anonymous's Operation Payback campaign in
addition to volunteer botnets,
they were used together,
present a serious ethical problem.
The use of someone else's technological resources
without their consent in a political action,
particularly one that carries high legal risk,
like DDoS actions do,
is a pretty extremely unethical action.
Moreover it cheapens the participation of activists
who are consensually participating and
makes it easier for critics to dismiss DDoS actions as
criminality cloaked in free speech.
Even though, again, it may be tempting to be like
"oh let's just rent this creepy-ass botnet
from wherever to bring down the site for five minutes"
Really not in fitting with ethical use of mass participation
in political activism.
This brings us to volunteer botnets such as those that were enabled
by the hive mind mode of Low Orbit Ion Cannon, again,
during Operation Payback.
Participants could pledge their support to an action and then
basically walk away.
They could say "great, use my computer"
"to DDoS whatever you want"
"because I trust you and I believe that we are all fighting for the same cause"
"I'm gonna go walk the dog now"
So they pledge their support for an action and place
their computing resources under the control of the organizers of that action.
This places on those organizers a strong responsibility
to maintain open communication channels to participants
and to not make significant changes to the operation of the campaign
without the consent of those participants.
Changing plans, tactics or targets without the consent
of the participant population constitutes a major breach
of trust and really should not happen.
This brings us to the final ?? bit in the framework
which I'm going to go over in this talk
which is different participant and organizer populations.
The great thing about DDoS actions is that
they're relatively easy to join and
they're fairly relatively easy to wage in the first place
meaning many of these participants in these actions
are inexperienced and unaware of the risks they could potentially be taking
like accidentally committing a felony from the comfort of your own living room.
Therefore it is ??? on organizers to make sure
that all participants have enough information to usefully
consent to participate in such actions.
This includes information about risks that they could be taking
and ways to mitigate those risks.
This was a very big issue in the fallout from
Operation Payback,
when during the course of the campaign a great deal
of misinformation was present in organizing channels
and the use of the Low Orbit Ion Cannon tool was encouraged
despite significant concerns about its security.
Training should be provided to participants in ways
to mitigate risk and support should be provided in the
event of arrest or other negative outcomes.
This is similar to the way the physical world activists provide
training for their participants in the
"we're gonna go outside today and we're gonna hold up
a bunch of signs and yell at some people.
These people may yell back.
These people may also try to physically harm us.
If you're totally not interested in that
that's ok, we still think you're cool."
There should be that type of effort to educate and
provide different channels for participation for electronic
civil disobedience in the same way there is in the physical world.
There are two big things that I want to do with this model
in the future as I continue to work on my thesis.
The first is: I want to develop an analysis for
state/state related actors,
particularly patriotic hackers
and see how they fit into this framework
and how the entrance of states into this area
affects the ethical validity of these actions
or whether we're just wandering full force into cyberwar territory there.
The second thing I want to do is adapt the framework
from a reflective model, which it currently is,
to a prescriptive model,
so be more useful to activists who want to
organize their own DDoS campaign and want to find out
how to do it effectively and ethically.
And that's actually it.
Who has questions?
applause
Dude who stood up first.
Mike: No other questions.
Hi, I'm Mike. I'm from Poland.
I was heavily involved in the anti-ACTA campaign in Poland.
I was not doing any DDoSes,
I was doing the, you know, subject matter work.
Molly: You don't have to incriminate yourself in this talk.
Mike: Yes. But I can, right?
laughter
Mike: Thank you for this talk
because I feel there is much too little talking
about ethics in the whole DDoS and hacking area.
So thank you for this.
Second thing that I would like to add to this talk is that
I think the framework works quite well
because there is a criticism that I am going to make
about DDoS campaigns right now.
That is already kind of handled in this framework.
The criticism is that while the anti-ACTA campaign in Poland
was at full speed and doing stuff and people were
protesting on the streets,
suddenly Anonymous started DDoSing Polish government websites.
Molly: I've heard about.
Mike: And this had the exact opposite effect.
Maybe it was there, but I didn't see that in your presentation
that you have to be very very careful with
DDoS campaigns
because they can actually cause harm to the cause
that you're trying to do.
I think it was a little bit in the success part
but I don't think it was highlighted enough
that you have to be very careful
because there is this huge framework,
other actions that are happening.
And maybe, just maybe, doing DDoS right now
might actually harm because it will give the
government, as was this case,
the government the excuse to actually do bad stuff
that you don't want them to do.
Because they will say: "Oh they're DDoSing our websites."
"They are hackers and we don't have to do
anything good for them."
Well done, because the framework already kind of works for that. Thanks.
Molly: Yeah, I agree with that.
This tactic is right now extremely controversial
but people keep using it.
My view is that as long as we're gonna use it
we should at least be using it in some sort of
reflective way in which we consider our actions
before we just do them.
Dude over there.
Male: Hi, I just have a question.
You said that disrupting a business which just
relies on the Internet is unethical.
I just ask why you make this assumption.
I would make a different assumption.
I would have said that maybe running an unethical business
on the Internet is unethical and disrupting it is ethical.
Molly: So, really good point. Yay.
applause
Something that I didn't maybe make clear is that each of these bits
of the framework should not be taken as a
"oh you didn't do that, therefore you are totally unethical."
This should all be taken as sort of a big lump of stuff which you can
sort of massage and be like
"well, you're 60% here on that and 45% here on that
and we'll figure it out from there".
Yes, you're right.
That's actually sort of one of the issues that I'm really
interested in looking at in the WTO/electrohippies example
because I usually don't like it when people are like
"I'm gonna protest you by making you fall off the face of the planet"
That seems like a bit of an overkill to me.
On the other hand disrupting the Internet for the WTO meeting
at the Seattle World Trade Organization meeting
I'm kind of for that
that seems like a good use of resources to me.
So I'm very interested in pushing those weeds aside
and figuring out when exactly it's ok to basically
attack the root of something,
as opposed to having a more symbolic protest
which I'm generally more in favor of.
But you're right, I like you.
We're just gonna switch to this mic and then we'll bounce.
Female: I was wondering what your thoughts are on these action impacts
on non-participants.
Like say you DDoS eBay and then other companies lose business
or you say DDoS a health care provider and people can't access health care.
Is that a factor in your mind?
Molly: Well, you sort of brought up two wildly divergent examples of
eBay which means I can't buy my awesome collectable Battlestar Galactica glasses anymore
and my health care provider which means I can't get my tests
from that thing that I had that may be cancer.
Those seem like very divergent targets to me,
just to address that off the bat.
Second point, yes, collateral damage is something that does
definitely need to be considered.
But it is not actually sort of specific to DDoS in itself.
Like if you just stay sit-in at a lunch counter,
I just wanted to eat lunch.
I'm not a bad guy, I really just wanted lunch.
But you have a political voice and you're using it to sit-in at this lunch counter.
That needs to be part of the overall consideration of
"do we think this is an appropriate tactic for whatever question is
that you're trying to address with your activism at this time."
Because not all tactics are appropriate for all questions.
Female: Thanks.
Molly: Ok, cool.
That guy.
Sorry, we have a question from the Internet.
It hasn't gotten to speak yet.
Male: I have this kind of comment and question.
Thank you very much for your talk,
it was very original material and I enjoyed it.
But however you announced to talk about the ethics of DDoS
but you didn't say anything about ethics at all
except for some personal beliefs.
Molly: laughs
Male: What kind of ethical framework would you actually suggest to use to analyze DDoS?
Molly: The four bits of the framework that I set out.
I'm looking at you because you were talking, not because you're the Internet.
laughter
Basically you cannot just say that DDoS is ethical or unethical.
The way that I'm looking at, you have to look at it
in the context of these at least four aspects, possibly more.
But you can't just simply slam your hand down and be like
"nope, this one action which actually has very little political value
because it's just a bunch of bits swimming around a bunch of tubes,
has real ethical value."
I'm sure a lot of people were gonna be like
"she's gonna say that DDoS is right or wrong one way or another
and then I will feel good and/or bad about myself."
laughter
I'm sorry, that wasn't what was gonna happen.
I'm far more interested in looking at these very nuanced questions
of how this fits into political economy and protest methodology
which is far squishier than just saying
this is ethical or unethical straight off the bat.
I hope that answers the Internet's question.
Male: Yeah, I would also come back to the ethics.
Because I wouldn't like to start talking whether DDoS is good or bad.
But I think DDoS is a very interesting example
because it can make us question our ethics again
because basically I, like you, I believe that DDoS
is really a pretty violent act of censorship
but I think it can be very often justified
because this violent act can simply give us benefits
that couldn't be made any other way.
So basically I think that when we think about DDoS and when we want to act with DDoS
we have to think about violence and making violence an ethical act, actually.
Your comment?
Molly: Violence is a pretty prejudicial term.
I prefer not to use it.
You also notice that I usually don't say DDoS attacks.
I try to say DDoS actions because attacks is also a pretty prejudicial term.
I think a lot of the "violence" inherent in DDoS has a lot to do with
the inherent power structures that play among the people who are participating.
For instance, if I am a state government and you have a free press blog
and you like to criticize me in your blog
and I hire a bunch of people to DDoS your blog
that's not really cool.
That's fairly violent.
I am silencing your speech using my superior power as a big state.
On the other hand, if you are a private citizen
and you and a bunch of friends use floodnet to attack whitehouse.gov
I feel that there's less violence inherent in that system.
Male: I would partially agree but I think that both acts
are violent but basically the ethics are different.
So instead of avoiding the word I think that we should just think about the term.
That's my opinion.
Molly: The grad student in me wants to come up with a new word, but yeah.
Male: Hello, has the decision process who attacks
which website at what point any effects on the ethical part?
Molly: On the organizing?
Male: Yeah.
Molly: I can't say that I do.
I think that falls into the purview of the people who are actually organizing these actions.
As someone who is not an organizer I can't really comment
on the organizing process, having never sat in one.
Yes? That makes sense? Okay.
We're gonna switch back to this mic.
Male: Aside from the coercive vs. non-coerciveness of volunteer vs. non-volunteer action
which maybe falls into ethical standpoint
other than that, there's a question of liability.
If you're for instance participating in a volunteer action
and you have a packet sniffer going on that network,
then you can trace it back to
"ok you obviously volunteered to this action,
therefore you're obviously culpable for those actions"
vs. if it's "box that's been compromised" and ???
that person is theoretically not liable for those actions
because it was a ??? or a virus or ???
Molly: Yes.
Male: I just wanted to point that out.
Molly: Yes, no, you're right.
That is a thing that also needs to be considered
but it also comes back to
"there needs to be more education" upon people who
are organizing these actions to be like
"hey, you know you could be committing a felony."
"you could lose your house."
"that's a thing that could totally happen if you get arrested in the course of this action."
as opposed to if you get arrested for chaining yourself to
the ??? of the White House
because you don't like the tarsands pipeline.
You're really unlikely to lose your house in that instance.
This is something that I have a huge problem with.
I think the state response to these actions is completely out of proportion
and bad and chilling and not good at all.
Until that changes there just needs to be
way more education, way more informed consent happening
among the activist population who are participating in these actions.
Male: In terms of looking to the sources of products used to make DDoS,
how do you think about the ethical responsibility of a company based in Redmond,
allowing with their products to very easy make big botnets
and use it for DDoS.
Molly: laughs
Male: Especially this company is working in a country where
DDoS is a crime so they could be forced to change this very easily.
Molly: That's a hell of a question.
applause
Molly: And I think I'm going to politely decline a comment
until I learn more about it
but we can totally talk about this, not right now.
laughs Sorry.
Molly: Sorry, was there more of that?
Male: Why?
Molly: Why? Because I don't like to talk about things that I don't know
a lot about and that I'm not competent talking about.
I'm a grad student, sorry.
Male: Do you really think that DDoS attacks will have a big role in activism in the future?
Because I think the media interest in those kind of attacks is diminishing.
When I think of, I mean, you talk about this partially as
very useful means of activism
but when I think of DDoS I think of a few people sitting in their cellars,
being bored in the IRC room and just hitting their LOICs just like they hit the retweet button
and think they save the world
I don't think that this will make any difference in the future.
Molly: So you rolled up a lot of things in that, including a valid, not-so-valid criticism of slacktivism
which I will also address in this answer.
You're right.
There are a lot of DDoS attacks happening, not a lot of them getting a lot of coverage.
On the other hand there are a lot of street marches happening
and not a lot of them get a lot of coverage.
People still get their signs together and march in the streets sometimes.
There's a concept in social movement theory called the ladder of engagement
which is basically like it's what it sounds like
you start at the bottom and you work your way up
to more and more complex modes of political engagement over the course of time.
You can't just jump straight to the top of the ladder
because you're not Superman and you don't do that usually
cause you'd fall off and hurt yourself.
DDoS is a very useful tool to get on that first rung.
It's easy, it's low financial cost,
it's generally pretty easy to advertise,
it doesn't look like it will cost you a lot of time and money.
All you have to do is really press a button and suddenly you are participating in this thing.
The sense of participating has a big impact on something that is called biographical impact
which is how you view yourself as an activist.
It is really pushing people over the edge to view themselves as activists
and the beginning is very very important.
So while DDoS may not be "effective" or "successful" as a standalone protest tactic,
as part of a larger system I think it is still useful.
I think it will probably continue to be useful,
just like retweeting someone saying something vaguely political
on Twitter is also useful.
Or liking someone's status or sharing something on Facebook
or turning your Twitter icon green because you like the Iranian election.
No one in Iran cares that you turn your Twitter icon green.
They don't even know you.
They don't know that you've turned your Twitter icon green
but what that does is that it connects you with all the other people
on Twitter who turn their Twitter icons green.
You can see all the other people who turn the Twitter icon green.
Suddenly you're not just sitting there in your living room
saying I really support democracy in Iran.
You are part of this community of green people on Twitter
who all support democracy in Iran.
That's way more powerful to you as a person.
Not necessarily to anybody else. But to you as a person it matters. laughter
And that's important.
That's important for getting people onto that ladder of engagement
and making them feel like activists.
Feeling like activists is just a couple of ladders away from being an activist
which is even better.
Yeah.
applause
Molly: They're clapping for you.
Male: laughs I'm from Austria and we have an organization
in Austria, it's called Austromechana.
Its website got DDoSed on May 11, 2012
and they didn't get the website on until now.
They used this as an argument:
"Oh my god, the Internet is so cruel."
"It's bad and we can do nothing against them."
"They play with... they have weapons we can't do something against it."
I'm not sure if in this case the DDoS was the right tool
to get Aufmerksamkeit, attention.
I'm not sure if it was helpful in this case.
I don't think it's a good weapon for everything and there was not enough messaging with it.
Molly: No, you're right.
DDoS is not appropriate for all cases.
Given that I know nothing about your organization and didn't hear about that action
they probably didn't have enough messaging.
I don't know.
But I'm sorry your website went down.
Male: Not my website.
It was from the people who want to have the Festplattenabgabe, I don't know the English word.
It was their site.
Molly: Okay.
Hi!
Female: Hi.
What exactly are your parameters for deciding if a DDoS action was ethically right or wrong?
I'm still waiting for this.
Molly: Like I said, this is a very holistic model
in that you look at a bunch of different factors and say
"well, these things fell on one or either side of these different factors,
therefore I'm gonna look at it, squint my eyes
and say ok, I think that this was ethical
and that this was unethical".
Like I said, this is probably much less scientific
than a lot of people here were looking for.
Liberal studies major. What do you want?
laughter
So, this is not gonna give you sort of a tick list for things
that you can say "oh we did this, oh we didn't do that
therefore we're totally on the right side of god and the law".
Instead what I'm hoping that this system will give people is a way to look at these actions
to give them different factors to consider
when saying yes this was appropriate or yes this wasn't appropriate.
Cause I feel right now the debate right now is really a bunch of people being like
"this is always awesome"
and a bunch of other people going
"this is never awesome"
and that's not very useful.
Female: But don't you think that's quite outstanding that
you are the one who is getting to decide which is ethically right and wrong?
Molly: You can also decide.
I would love it if someone else would come up with a framework
so that I didn't have to do all the work.
Female: I thought it's your scientific study, so...
Molly: It's not terribly scientific.
It's me reviewing a bunch of case studies
and saying these are the things that happened,
this is where they fall on these different factors
and this is now what I think of this action.
For instance, Lufthansa/EDT action, I think that actually was ethical.
I think it was ethical because it occurred within the framework of a much larger campaign
because it focused on a corporate website that didn't attack the central core of the corporation.
It didn't stop it from communicating,
it didn't stop it from responding to the action,
it just made itself known in that way.
And it did a great deal of publicity work.
In the end it actually worked.
The effect that it wanted to have in that,
they wanted Lufthansa to stop flying immigrants out of the country,
actually took place.
And that also has an impact on the ethical validity of an action
which is why this is currently a reflective framework
and not a prescriptive framework.
Female: Thanks. Good luck with your studies then.
Molly: Yay.
There's another question.
Male: My naive approach to judge the ethics of a DDoS attack
would have been to compare it to usual demonstrations,
just marching on the street.
Because I guess one has a rather good feeling on what the ethics are there.
You didn't highlight that too much in your talk.
Was this on purpose or can you say something about that?
Molly: People really like, and lots of people really like to say
"oh DDoS is just a sit-in, except on the Internet".
I really don't like that comparison.
I think it's really attractive because it sort of feels like a sit-in.
You feel like you are monopolizing resources in the same way
that sitting in a lunch counter is monopolizing resources.
But it's not in the physical world, it's on the Internet.
And frankly, these are two different things.
We can't just say "oh this is just like it"
because it's not.
What it is just like, it is just like a DDoS.
It's not just like a sit-in.
Disruptive tactics in both areas are very parallel
but they are very different.
That is something that I want to go into much greater detail on,
specifically both in sort of the socially acceptable disruptive tactics
like sit-ins and street marches
but also the non-socially-acceptable disruptive tactics
like black bloc tactics.
I'd really love to compare that to other modes of
disruptive activism online,
and other modes of disruptive activism
and destructive activism.
So that is, if you are interested in reading my Master's thesis,
I will have a whole chapter on this
that I could not fit into this talk.
Because there is a lot of that there.
But the instinct to fall back on the physical analogy is,
I think, inherently damaging to the discourse of
electronic civil disobedience and digital activism
because you fall back on these tropes
that don't really fit and then
when people point out that they don't really fit
you're sort of left with nothing.
When you say like "that's not actually a sit-in, that's a DDoS"
you're sitting there going "but I said it was a sit-in
and you like sit-ins, right?"
and then you're sort of: that's it.
So I'd like to push the argument beyond that point.
Male: Thanks.
Male: Ok, so it looks like we have no more questions. Thank you very much, Molly, for the talk.
applause