Sunday, 30 October 2011

Vulnerable cyberautonomy

As respected legal writer @davidallengreen points out, perhaps the most remarkable thing about the Occupy London protest movement has been the unexpected scale of its impact.

One of the consequences of this movement has been, quite by accident, a serious impact on St. Paul's Cathedral. St. Paul's is an icon of the City, but is not connected to the capitalist civic that the City is said to represent. It is, to that extent, an innocent bystander. Does this make the effect it suffers more deserving of intervention? Does the fact that these consequences were not intended by the protestors affect their level of responsibility for them?

Any pro-social creature is mindful of the impact of his actions and inactions on others. Social norms evolve around consideration for others: standing on the right on the escalators to the tube, saying 'please' and 'thank you', not playing loud music at night. To renege on this mindfulness is considered antisocial, even criminal.

Peaceful protest, however, is not a criminal act. Neither is trespass, generally speaking. Yet, section 3 of the Computer Misuse Act 1990 criminalises the now commonplace 'distributed denial of service' (DDoS) attack: an act which might be described as digital trespass, and is often politically motivated, causing a website or other service temporarily to close its doors.

The parallel with the Occupy London movement is clear. Under the Computer Misuse Act, a digital Occupy movement which made use of DDoS would be a criminal act: rather than facilitating peaceful protest, the police would no doubt use their newly-expedited powers to 'seize' domains to hamper the movement and criminal prosecutions might follow, carrying the possibility of considerable custodial sentences. No digital 'ring of prayer' could hope to interfere with this process. How can this inconsistency be explained?

Ramsay applies his 'theory of vulnerable autonomy' to explain the expansion of criminalisation inherent in civil preventative orders such as the ASBO. He suggests that a state-level concern for 'vulnerable autonomy' demands 'liability for failure to reassure' others of a disposition to observe social norms, to be considerate of others' needs.

It is argued that a concern for vulnerable cyberautonomy can explain the breadth of the net cast by section 3. Given the inconsistency with the comparable law of trespass, the criminalisation of 'digital trespass' seems to be a legislative over-reaction to a new kind of threat. Could it be that there exists a 'right to access' other websites, and a de facto duty on Internet users to reassure each other of a disposition not to interfere with this right?

One of the key differences between offline and online protest is the visibility of the cause: offline visitors to the cathedral are met by protestors with their tents and placards, and can even visit the 'information tent' to find out more about the cause. A digital 'occupation' in the form of a DDoS attack would simply deny access to the would-be user, without any explanation, unless the website had been hijacked and replaced with another bearing a particular message, which is more akin to vandalism than trespass.

Indeed, those engaging in a denial of service attack intend to block access to the affected service by legitimate users. The same cannot be said of the Occupy protestors, as the effect upon St. Paul's was quite unintended. However, it is not necessarily the case that DDoS attacks are malicious per se. Indeed, that the Occupy movement would cause some kind of disruption to the City was plainly foreseeable. Would a digital 'occupation', in the form of a DDoS attack, really be so markedly different from an 'occupation' or picket line to justify criminal regulation?

The differences between the worlds of atoms and bits then stretch the 'trespass' analogy, but, it is argued, not fatally so. Notwithstanding these differences, it is argued that the over-broad applicability of section 3 is the result of a catch-all approach on the part of the draftsmen, leaving fairness in its application to the discretion of public prosecutors and the interpretive powers of the courts. The trial of Paul Chambers ought to be a warning against trusting either of these safeguards when dealing with so-called cybercrime.

This overreaction might be explained by the fact that the effectiveness of many DDoS attacks is bolstered by the expansion of 'botnets' by unlawful means: unsuspecting users are infected with viruses or duped into downloading infected software, causing their computers to join the botnet without the user's knowledge or consent. This is a criminal wrong which ought to be dealt with separately, rather than relying on a catch-all section 3.

An amended section 3 could build in an exception to reassure peaceful protestors that they will not face prosecution for seeking to bolster their cause with technology; or perhaps limit the offence to DDoS against 'protected sites', mirroring the criminalisation of trespass at sections 128-131 of the Serious Organised Crime and Police Act 2005. DDoS ought to be treated as a civil wrong, like its trespass cousin, with the possibility of claims for damages for loss of revenue. States, it is argued, have no business criminalising the peaceful use of technology to draw attention to a particular cause. A compromise could be drawn by issuing cyber-ASBOs against the most prolific orchestrators of malicious DDoS attacks.

It is at least arguable that section 3 is an example of what Husak called overcriminalisation. The novelty and complexity of cybercriminality, and the importance of tech-neutral drafting in a society in which technologies evolve more quickly than statutes (@AndrewDMurray), create a dangerous temptation for Parliament to over-react to new threats.

We — the community of users and lawyers — must be vigilant in our scrutiny and prolific in our discourse if we are to mitigate this risk. The extent of the 'right to access' is something we all ought to be discussing as part of Murray's call for an Internet Bill of Rights. In this spirit, comments are very welcome indeed.
