On October 3, 2013, a federal grand jury in Virginia indicted 13 members of Anonymous for conspiracy premised on underlying violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA). Those indicted allegedly committed a DDoS attack (distributed denial of service) on certain websites. The indictment (download) has, yet again, stirred up quite a bit of discussion about the breadth of the CFAA and, one article in particular has raised the question of whether it even violates the CFAA to DDoS a website. The short answer is YES, based on current case law (i.e., persuasive authority).
The article that raised this question is Anonymous Indictment Raises Serious Question: Is It Really A CFAA Violation To DDoS A Website? in techdirt, authored by Mike Masnick (@mmasnick). The article is very thought provoking and Masnick did a fine job of applying common sense reasoning to the CFAA issues … but if you’ve followed the CFAA, you probably already know how far common sense goes with that one. Nonetheless, Masnick raises several good questions but the big overall question is whether it violates the CFAA to DDoS a website, a question that has been answered by several courts.
In 2011, the Sixth Circuit Court of Appeals addressed this general issue in Pulte Homes, Inc. v. Laborers’ Intern. Union of North America, 648 F.3d 295 (6th Cir. 2011), a case that did not deal directly with a DDoS attack but did deal with a labor union’s concerted email and telephone “attack” on a company of such a volume that it disrupted the company’s ability to do business. Specifically, in Pulte, a labor union directed the bombardment of Pulte’s sales offices and three of its executives with voluminous phone calls and e-mails of such a volume that the communications
clogged access to Pulte’s voicemail system, prevented its customers from reaching its sales offices and representatives, and even forced one Pulte employee to turn off her business cell phone. The e-mails wreaked more havoc: they overloaded Pulte’s system, which limits the number of e-mails in inbox; and this, in turn, stalled normal business operations because Pulte’s employees could not access business-related e-mails or send e-mails to customers and vendors.
Id. at 299. Pulte sued the labor union for violating the Computer Fraud and Abuse Act pursuant to 18 U.S.C. § 1030 (a)(5)(A) which is a transmission claim (as opposed to the more common access claim) as it prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” The trial court had found that Pulte failed to state a claim for this violation which the Sixth Circuit addressed:
To state a transmission claim , a plaintiff must allege that the defendant “knowingly cause[d] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[d] damage without authorization , to a protected computer. Id. at 301.
The issue before the court was whether the labor union “intentionally caused damage,” which is one of the specific questions that Masnick raised. The Pulte Court, in finding a violation of the Computer Fraud and Abuse Act and, consequentially, “damage” arising from this activity, held that “a transmission that weakens a sound computer system—or, similarly, one that diminishes a plaintiff’s ability to use data or a system” causes damage. Id. at 301. The court reasoned:
Under the CFAA, “any impairment to the integrity or availability of data, a program, a system, or information” qualifies as “damage.” Because the statute includes no definition of three key terms–”impairment,” “integrity,” and “availability”–we look to the ordinary meaning of these words. “Impairment” means a “deterioration” or an “injurious lessening or weakening.” The definition of “integrity” includes an “uncorrupted condition,” an “original perfect state,” and “soundness.” And “availability” is the “capability of being employed or made use of.” Applying these ordinary usages, we conclude that a transmission that weakens a sound computer system–-or, similarly, one that diminishes a Plaintiff’s ability to use data or a system–-causes damage.”
[The labor union's] barrage of calls and e-mails allegedly did just that. At a minimum, according to the complaint’s well-pled allegations, the transmissions diminished Pulte’s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending some e-mails.
The court goes on to say this “diminished-ability concept” it is endorsing is not new and cites several district court opinions applying that standard, as well as two other circuit courts of appeal:
The Third Circuit sustained a transmission conviction where the defendant “admitted that in using the direct e-mailing method and sending thousands of e-mails to one inbox, the targeted inbox would flood with e-mails and thus impair the user’s ability to access his other ‘good’ e-mails.” United States v. Carlson, 209 Fed. Appx. 181, 185 (3rd Cir. 2006). And the Seventh Circuit, in United States v. Mitra, upheld the defendant’s transmission conviction because he impaired the availability of an emergency communication system when “[d]ata that [he] sent interfered with the way the computer allocated communications to the other 19 [radio] channels and stopped the flow of information among public-safety officers.” 405 F.3d 492, 494 (7th Cir. 2005). . . .
Because Pulte alleges that the transmissions diminished its ability to send and receive calls and e-mails, it accordingly alleges an impairment to the integrity or availability of its data and systems–i.e., statutory damage.
Applying the Pulte Court’s principle that a transmission that weakens a sound computer system–-or, by analogy, that diminishes the ability to use data or a system–-causes damage, the Pulte opinion and the cases it cites do support the proposition that it is a violation of the Computer Fraud and Abuse Act to DDoS a website.
However, as many readers know, just because one circuit court holds one way on this issue (i.e., the Sixth Circuit) does not mean that other circuit courts will follow suit (i.e., the Fourth Circuit) so there is ample opportunity to make arguments either way, especially since the CFAA’s transmission jurisprudence is no where near as well developed as its access jurisprudence. This case could be one to watch!
- Petition ask White House to allow DDoS attacks as form of Protest (venturebeat.com)
- US indicts 13 Anonymous members for DDoS attacks (pcworld.com)
- Several IT workers among “Operation Payback” indicted suspects (net-security.org)
- 5 Notorious DDoS Attacks in 2013 : Big Problem for The Internet of Things (siliconangle.com)
- Operation Payback : indictment document (wikileaks-forum.com)
- US Indicts 13 Anonymous Members for DDoS Attacks (cio.com)