Yes, Case Law Says It Really Is A CFAA Violation To DDoS A Website


On October 3, 2013, a federal grand jury in Virginia indicted 13 members of Anonymous for conspiracy premised on underlying violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA). Those indicted allegedly committed a DDoS (distributed denial of service) attack on certain websites. The indictment (download) has, yet again, stirred up quite a bit of discussion about the breadth of the CFAA, and one article in particular has raised the question of whether it even violates the CFAA to DDoS a website. The short answer is YES, based on current case law (i.e., persuasive authority).

The article that raised this question is Anonymous Indictment Raises Serious Question: Is It Really A CFAA Violation To DDoS A Website? in Techdirt, authored by Mike Masnick (@mmasnick). The article is very thought-provoking and Masnick did a fine job of applying common sense reasoning to the CFAA issues … but if you’ve followed the CFAA, you probably already know how far common sense goes with that one. Masnick raises several good questions, but the big overall question is whether it violates the CFAA to DDoS a website, a question that has been answered by several courts.

In 2011, the Sixth Circuit Court of Appeals addressed this general issue in Pulte Homes, Inc. v. Laborers’ Intern. Union of North America, 648 F.3d 295 (6th Cir. 2011), a case that did not deal directly with a DDoS attack but did deal with a labor union’s concerted email and telephone “attack” on a company of such a volume that it disrupted the company’s ability to do business. Specifically, in Pulte, a labor union directed the bombardment of Pulte’s sales offices and three of its executives with voluminous phone calls and e-mails of such a volume that the communications

clogged access to Pulte’s voicemail system, prevented its customers from reaching its sales offices and representatives, and even forced one Pulte employee to turn off her business cell phone. The e-mails wreaked more havoc: they overloaded Pulte’s system, which limits the number of e-mails in inbox; and this, in turn, stalled normal business operations because Pulte’s employees could not access business-related e-mails or send e-mails to customers and vendors.

Id. at 299. Pulte sued the labor union for violating the Computer Fraud and Abuse Act pursuant to 18 U.S.C. § 1030(a)(5)(A), which is a transmission claim (as opposed to the more common access claim), as it prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” The trial court had found that Pulte failed to state a claim for this violation, a finding the Sixth Circuit addressed:

To state a transmission claim, a plaintiff must allege that the defendant “knowingly cause[d] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[d] damage without authorization, to a protected computer.” Id. at 301.

The issue before the court was whether the labor union “intentionally caused damage,” which is one of the specific questions that Masnick raised. The Pulte Court, in finding a violation of the Computer Fraud and Abuse Act and, consequently, “damage” arising from this activity, held that “a transmission that weakens a sound computer system—or, similarly, one that diminishes a plaintiff’s ability to use data or a system” causes damage. Id. at 301. The court reasoned:

Under the CFAA, “any impairment to the integrity or availability of data, a program, a system, or information” qualifies as “damage.” Because the statute includes no definition of three key terms–“impairment,” “integrity,” and “availability”–we look to the ordinary meaning of these words. “Impairment” means a “deterioration” or an “injurious lessening or weakening.” The definition of “integrity” includes an “uncorrupted condition,” an “original perfect state,” and “soundness.” And “availability” is the “capability of being employed or made use of.” Applying these ordinary usages, we conclude that a transmission that weakens a sound computer system–or, similarly, one that diminishes a Plaintiff’s ability to use data or a system–causes damage.

[The labor union’s] barrage of calls and e-mails allegedly did just that. At a minimum, according to the complaint’s well-pled allegations, the transmissions diminished Pulte’s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending some e-mails.

The court goes on to say this “diminished-ability concept” it is endorsing is not new and cites several district court opinions applying that standard, as well as two other circuit courts of appeal:

The Third Circuit sustained a transmission conviction where the defendant “admitted that in using the direct e-mailing method and sending thousands of e-mails to one inbox, the targeted inbox would flood with e-mails and thus impair the user’s ability to access his other ‘good’ e-mails.” United States v. Carlson, 209 Fed. Appx. 181, 185 (3rd Cir. 2006). And the Seventh Circuit, in United States v. Mitra, upheld the defendant’s transmission conviction because he impaired the availability of an emergency communication system when “[d]ata that [he] sent interfered with the way the computer allocated communications to the other 19 [radio] channels and stopped the flow of information among public-safety officers.” 405 F.3d 492, 494 (7th Cir. 2005). . . .

Because Pulte alleges that the transmissions diminished its ability to send and receive calls and e-mails, it accordingly alleges an impairment to the integrity or availability of its data and systems–i.e., statutory damage.

Applying the Pulte Court’s principle that a transmission that weakens a sound computer system–or, by analogy, that diminishes the ability to use data or a system–causes damage, the Pulte opinion and the cases it cites do support the proposition that it is a violation of the Computer Fraud and Abuse Act to DDoS a website.

However, as many readers know, just because one circuit court holds one way on this issue (i.e., the Sixth Circuit) does not mean that other circuit courts will follow suit (i.e., the Fourth Circuit), so there is ample opportunity to make arguments either way, especially since the CFAA’s transmission jurisprudence is nowhere near as well developed as its access jurisprudence. This case could be one to watch!

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.

Join the Conversation

15 Comments

  1. Indeed an interesting argument from the court, however it appears to be flawed. I am not a lawyer, though I am studying the LSATs, anyways, here is how I find the rulings to be flawed. The flaw in this case is the definition of a “protected computer”. The person would have to prove that the server that they used to get their emails from was properly protected…. although if it was, his system wouldn’t have become clogged. I have been handling the security of servers for over 7 years. So, I feel quite confident in saying that the server he was using for emails was not “protected”, although a server is accessible via the web, so how does it fall into a protected computer? One could say the measures put in place to try and handle security issues are a form of protection for certain areas of the computer, but as a whole it isn’t a protected computer. Also, the transmission section states that “(5)(A) knowingly causes the transmission of a program…. of such conduct, intentionally causes damage WITHOUT AUTHORIZATION, to a protected computer;”. The emphasis and the removal of some text that wasn’t needed to express my point was done by me. We now have the argument of what is authorization to a server? If the server allows connections to it, then a denial of service does not exceed authorization, since a denial of service usually is a ton of connections to a site from bots, users, or sometimes security holes. I am not going to address how a security hole can create a Denial Of Service.

    Since connecting to a site has to happen for a user to access the site, then a ton of connections shouldn’t be deemed illegal, since the CFAA does not address normal functionality of a server and how many connections exceeds that. Honestly, as of now these types of rules would need to be addressed under contract law, since the CFAA was not designed to handle these issues.

    I hope you find my current opinion and current interpretation of this subject interesting.

    1. Ryan, thank you for your excellent comment. The only problem is that “protected computer” is not used in the CFAA in the way in which you are viewing it. Under the CFAA “protected computer” is defined in 18 U.S.C. sec. 1030(e)(2)(A)-(B) which has been interpreted to include every computer that is connected to the Internet. See Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 775-76 (S.D. Tex. 2010).

      Your comment did raise another implicit point about DDoS that goes to the nature of websites — some websites are out there doing anything they can to get as many hits as possible and some are not — if you DDoS a website that is just trying to get volume traffic, is there really anything wrong as they got exactly what they wanted?

  2. The nature of a DDoS is simply a large volume of traffic which should RAISE a site’s ranking in systems like Alexa, if it is from a ton of IP addresses. I’ve noticed when fighting spam that when you defeat the bots, your ranking in Alexa falls a lot. I agree that putting a limit on how much traffic a site could receive could cause damage for sites like Facebook and every other site on the web.

    A DDOS isn’t fancy, it isn’t even hacking, since hacking in this context is slang for cracking. In regards to sites trying to get traffic and a DDoS, well there is a somewhat subtle difference. The goal of a DDoS attack is to make a site inaccessible, which isn’t what companies are trying to achieve when getting a lot of customers. If you want to talk more at length, feel free to contact my security company planetzuda.com
