Earlier this year, India had an encounter with “Anonymous”, a diffuse alliance of what are commonly (and incorrectly) called hackers. In its much-publicized “Operation India”, Anonymous blocked public access to, hacked and defaced various websites in protest against the rising censorship of the Internet. This is a legitimate political cause. However, a movement cannot be judged purely by the legitimacy of its goals, and it is important to consider the legitimacy of the means used to achieve these goals.
Anonymous used distributed denial of service (DDoS) attacks to submerge, albeit temporarily, many websites. The DDoS attack bombards the target website with more user requests than it can bear, until it becomes unavailable to all others. Many compare this to picketing, and use the term “virtual sit-in” for it. The DDoS attack does not breach a website’s security, and is therefore not hacking (more correctly called “cracking”). In contrast, defacement of websites, deletion of data or leaking restricted data, entails hacking, which involves breaching a website’s security and is more analogous to breaking and entering physical premises. Anonymous has done this too in India—defacing some websites and leaking confidential data from others.
There are a few crucial differences between picketing as civil disobedience, and the DDoS attack. One is that picketing requires many people to come together and sit in protest. One or two peace protesters cannot successfully block a road. Although there was a time when DDoS attacks also required a large number of people to bombard the target, they can now be achieved by one person with the technological skills to “fire” a large number of computers at the target website.Therefore, a DDoS attack no longer implies that a sizeable section of the public cares enough to be part of a virtual sit-in.
The second difference between DDoS attacks and civil disobedience lies in the “hacktivists” unwillingness to be accountable. Martin Luther King and Gandhi made it clear that civil disobedience includes accepting the penalty for breaking the law. Faceless untraceable hackers are far removed from this ethic. While it is true that they risk harsh reprisal if identified, the legitimacy and heroic aura of civil disobedience comes from the willingness to risk that reprisal.
It may therefore be difficult to argue that even the DDoS attacks by Anonymous qualify as civil disobedience, which arguably is the most legitimate of the spectrum of options available to a political dissident. If political activists use varied and escalating tactics in the physical world, “hacktivists” use strategies ranging from DDoS to more intrusive defacement, disabling and leaking of data to draw attention to political causes. The legitimacy of these methods—the proportionality and justification of harm caused—can only be determined with reference to particular contexts. One has to evaluate the threat necessitating activism, innocent casualties of the activists’ actions and whether less harmful strategies have already been explored. This is difficult. For instance, the indirect
repercussions of a DDoS attack or leaking data may not be apparent at first glance.
Anonymous tried setting boundaries to avoid harming innocent citizens during Operation India. It declared that infrastructure websites such as the railway booking portal were not to be attacked, and it prevented disclosure of sensitive financial information when a cinema tickets database was hacked. These precautions, though laudable, are however not quite enough. The influential members of Anonymous cannot successfully identify every action that may cause public harm. For instance, when Anonymous attacked the Supreme Court of India and the Reserve Bank of India websites, it seemed ignorant of the potential impact on litigants and the economy. When it leaked confidential police records, it seemed unaware of the significant hazards of leaking people’s names, addresses and other private data. The precautions taken by Anonymous may vanish next time, since the loosely knit, ever-changing nature of Anonymous community means that power and influence can shift; splinter groups with fewer scruples can emerge. Anonymous cannot achieve the control and accountability possible in a more tangible organized group.
This collective operates under disturbingly low levels of transparency and accountability, greatly exacerbated by its ability to veil itself in the shadows of the Internet. New recruits are sometimes endangered by misleading information about the legality and consequences of joining in DDoS attacks. Guerilla warfare is often used without properly exploring more peaceable means, thanks to the power and revenge mob-ethic by which Anonymous is driven. The use of
technological arsenal to launch cyber-attacks ignores the likelihood of escalation— “hacktivists” tend to forget that technology is a neutral tool that governments can also use. The government may counter-attack, using its considerable resources to acquire the necessary technological capacity. Citizens may end up being the casualties of the exchange.
Phase one of Operation India was riddled with moral ambiguity. If OpIndia participants wish to show the world that they are more than bored nerds playing at a social movement like it is a video game, with all the accompanying air-punching, adrenaline boosting, self-aggrandising thrills, they will ensure that phase two’s constructive and legitimate Right to Information campaign is a roaring success. Comments are welcome at firstname.lastname@example.org.
Chinmayi Arun is an assistant professor of law at National Law University, Delhi and a Fellow at the Centre for Internet and Society, Bangalore