The changing landscape of hacktivism

Oxblood Ruffin
Oxblood Ruffin is a member of the Cult of the Dead Cow hacking collective

Hacktivism is the word of the moment. And like many trendy words it is overused and misused. Hacktivism is a term very much like "hacker" in that sense. The original meaning of hacker - according to jargon.txt at MIT's AILab - is one who "programs enthusiastically, or who enjoys programming rather than just theorizing about programming".

By that definition Richard Stallman, Linus Torvalds and Bruce Perens are hackers and proud to be labelled as such. However, for some time now the press and public have used the term hacker to connote a cybercriminal. A word that started out well has fallen into disrepute. And so it is with hacktivism.

Hacktivism was invented by the Cult of the Dead Cow (cDc), an opinion leader in the computer underground since 1984. From the beginning hacktivism was defined as "Using technology to improve human rights." References were continuously made to Article 19 of the Universal Declaration of Human Rights to help frame the concept.

The practice of hacktivism was developed in accordance with the original intent of the internet and with a wise eye to international law. As the principal driver for hacktivism within the cDc I became preoccupied with two things: how to safely work with human rights activists living behind national firewalls, and how to keep my team out of jail.

On one early project we had a technical team on the ground in South America, the United States, Canada, the European Union, Russia, India, the People's Republic of China, and South Korea. I had to constantly seek legal advice from attorneys in private practice and the Electronic Frontier Foundation.

Once we waited months for the United States Department of Commerce to rule on whether the cryptography we used in one software release conformed with American export law. At the time approximately a third of our team was based in the US and there was no way I was going to toss anyone in the jackpot. Then, as now, it seems irresponsible not to have a care for team members.

New faces

Over the past year Anonymous has emerged in the press as the new face of hacktivism, but this is mostly a misrepresentation. The group's more thoughtful members appear to represent - in its broadest strokes - a strain of cypherpunk politics militating against institutional opacity and internet censorship. Yet Anonymous is still very difficult to categorise. Defining the group as a whole is like trying to nail jelly against the wall.

Anyone can join Anonymous and no one can be thrown out. And while some influential members have used their prestige to contain some counter-productive operations, Anonymous can still be a free-for-all. Added to which many Anonymous cadres are teenaged sympathisers. Being young is not a drawback in itself. But where peer pressure is brought into the mix serious problems can arise.

Anonymous relies primarily on three tactics: web site defacements; distributed denial of service (DDoS) attacks; and data theft. All are illegal. The first two violate free speech and the third is clearly cybercrime. Some Anons have claimed that DDoSing is a form of civil disobedience but that argument is difficult to swallow.

Civil disobedience entails breaking the law for a higher good; placing a burden on the system to arrest and process dissidents; and having one's day in court.

Deliberately hiding behind a veil of anonymity is like sending a virtual servant down to the lunch counter because the master is too craven to go himself. Far from being civil disobedience, Electronic Frontier Foundation co-founder John Perry Barlow has described DDoSing as "the poison gas of cyberspace." And things are going from bad to worse.

Changing times

Anonymous - and its copycats - are responsible for an excrescent trend in cyber-espionage. Normally such data theft is committed by governments or corporations and is never publicised. The objective of cyber-espionage is to break in quick and quiet, then beat a hasty and silent retreat.

But not so with Anonymous. A wave of SQL injection attacks has hijacked information ranging from police records to consumer user data. The objective is to publicise some perceived political or commercial ill in imitation of Wikileaks. But sometimes consumers have seen their credit cards compromised as a result of public disclosure. These are not all victimless crimes, regardless of intent.

Data theft is arguably the game changer.

DDoSing or web defacements are one thing. Breaking into government and commercial networks is another. Already the clouds are forming. The Danish police wish to ban all anonymous use of the internet. The Indian Government wants real-time monitoring of Twitter, Facebook, and Skype. The OECD is seeking tighter regulatory control of the internet. And the United Kingdom is seeking stricter laws to deal with cybercrime.

While it would be unfair to say that Anonymous is completely responsible for these reactions, it's certainly part of the problem. And when the whip comes down - and come down it will - Anonymous will have to accept part of the blame when online privacy rights are scaled back even further.

Hacktivism, real hacktivism, has always managed to get things done without upsetting the apple cart. And even though Anonymous is more decentralised than traditional hacktivist models there's no reason why it can't muster more discipline.

Because the downside will affect us all: first world broadband activists as well as our more vulnerable peers in the emerging democracies. If we are at war, as has so often been said, then there have to be accepted rules of engagement. There's a reason why the Geneva Convention exists.

Hacktivists need to be very careful about the tactics they choose. We don't need any Pyrrhic victories.

Oxblood Ruffin is a member of the Cult of the Dead Cow hacking collective and Executive Director of Hacktivismo, an international group of technologists that counsels human rights organizations. Oxblood is a founding member of the Dharamsala Information Technology Group in Dharamsala, India, and has spoken at the University of Oregon, Yale, and Harvard law schools on cybercrime and free speech issues. He is currently writing a book on information warfare. Follow Oxblood on Twitter at @oxbloodruffin.