DDoS Attacks as Constitutional Problem: Germany’s Experience
A distributed denial of service (DDoS) attack targets a computer system’s resources by flooding it with requests beyond its capacity in hopes of negatively impacting its functionality. Does society consider DDoS attacks a legitimate form of protest? When an anonymously posted petition appeared on the White House’s We the People page and advocated the legalization of DDoS attacks most commentators didn’t look to kindly at the idea. But liberal western-style constitutions tend to be biased towards a protected realm of personal liberty, especially when basic rights important for a functioning democracy like Freedom of Speech or Freedom of Assembly are involved.
From a website owner’s perspective, “DDoS attack” is a term that already implies someone with a black hat being well-deservedly marked for criminal and civil lawsuits. While the term “DDoS” may have a nerdy charm, “attack” is an obvious red flag word. Participants in DDoS attacks may use this label to describe their activity to add a certain rebellious image.
Taking this into account, not all political activists use the term DDoS attack to label their activity of mass-visiting a certain website, with or without the explicit intention of overpowering its processing capacity. Other searchable terms for this behavior might be Virtual Sit-In (a throwback to the student protest movement of the late 60’s), Online-Protest, or Online-Demonstration. And at this point a clear-cut criminal activity becomes something that might arguably contribute to the democratic experience and would be within the scope of constitutional protection.
German courts and the German government were forced to look behind the labels and determine what a DDoS attack is from the perspective of a society which has not fully adapted its legal framework to a world dominantly shaped by interconnected computers.
Three Examples in Germany
The German government uses commercial airlines to fly a person into his home country or last transit country after application for asylum had been denied or – in cases where countries of origin or transit deemed safe from political persecution (e.g. any EU country) – even before the legal review would have been completed.
To protest the German government’s deportation policies, political interest groups Libertad! and kein mensch ist illegal (no person is illegal) focused their attention on Lufthansa and vowed to block the company’s website for two hours during a shareholder meeting. The organizers notified the City of Cologne’s Department of Public Safety of the upcoming demonstration and declared “www.lufthansa.com” as place of assembly. Just for clarification, since “all Germans have the right to assemble without prior notification or permission peaceably and without arms” (Art. 8 I of the German Constitution), the City of Cologne’s acceptance of the notification does not constitute approval or provide legal cover for the organizer’s activities.
13,000 internet users participated in the attack. Additionally, special software was used during the attack, too. The website was completely down worldwide for 10 minutes. It remained difficult to connect to the site until the attack later ceased.
Lufthansa filed a criminal complaint against some activists. The Frankfurt District Attorney’s Office agreed and pursued charges of Coercion and Public Invitation to Crime. However, the coercion charge requires either “force” or “threat of considerable harm” as means of coercion. The activists argued that a DDoS attack is nothing more than the virtual form of a Sit-In in front of any given facility, blocking physical access to that facility. The German Federal Constitutional Court (Bundesverfassungsgericht) decided back in 1995 that – if no special circumstances can be shown – blocking traffic or access to a place would in itself not qualify as physical force required for coercion. Referencing this ruling, the activists pleaded to be cleared of criminal charges. While the lower court in the DDoS case returned a conviction, a retrial ended with an acquittal. The requirements for coercion were not met due to lack of physical force or threat of considerable harm (the judges found that at least a two hour interruption would not suffice).
DDoS for Profit
More recently, a court in Düsseldorf convicted an individual in connection with a DDoS attack; not for coercion, though, but computer sabotage. The court didn’t spend too much effort on actually testing the legal requirements and received much criticism for it; but this DDoS attack was the pointy end of an extortion attempt, a purely for-the-pay criminal act. Since the offender was convicted of the much more serious offense of extortion, the court did not seem to care too deeply about the charge of computer sabotage and just handed out a two for one package.
Even more recently, the executive branch of the German government received a so-called Kleine Anfrage, which is one form of parliamentary inquiry. One or more internet user with the alias “AnonLulz” took credit for a DDoS attack including use of the software tool known as Low Orbit Ion Cannon – LOIC – against a German copyright organization for the music industry called GEMA. Law enforcement raided homes of suspected participants, seizing hardware and collecting evidence. The parliamentary inquiry – as far as it is relevant to this blog post – asked the Executive whether a DDoS attack can be characterized as a virtual protest or Sit-in, and if it is within the scope of the constitutional protection.
While the Federal Government did not comment on the merits of specific cases, it is pointed out that not all overpowering of websites would be computer sabotage under German law, e.g. mass email protest would probably be viewed as free speech. Additionally, free speech guarantees would have to be considered when looking into any clearly politically motivated DDoS attacks. However, the government does not seem to share the position that the Right to Assembly would offer protection to activists due to a lack of a physical component needed for “assemble”. This also means that the narrow personal protection of the Right to Assemble, which is applicable in Germany only for Germans (at least on the constitutional level, as the level of simple parliament laws extent this right to aliens, too) can be avoided. Free speech constitutional protection does not depend on citizenship in Germany.
The statement of the German Government does not set a legal precedent, but it might shape the general view in Europe. The EU Court in Luxemburg as well as the Court for Human Rights in Strasbourg both consider the protective scope of human rights in Member States when examining those rights on the European level, so the rulings in the above cases may influence the legal perception of DDoS activity in Europe in the future.