April 4, 2012
Over the past year, the U.S. government has begun to think of Anonymous, the online network phenomenon, as a threat to national security. According to The Wall Street Journal, Keith Alexander, the general in charge of the U.S. Cyber Command and the director of the National Security Agency, warned earlier this year that “the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack.” His disclosure followed the U.S. Department of Homeland Security’s release of several bulletins over the course of 2011 warning about Anonymous. Media coverage has often similarly framed Anonymous as a threat, likening it to a terrorist organization. Articles regularly refer to the Anonymous offshoot LulzSec as a “splinter group,” and a recent Fox News report uncritically quoted an FBI source lauding a series of arrests that would “[chop] off the head of LulzSec.”
This is the wrong approach. Seeing Anonymous primarily as a cybersecurity threat is like analyzing the breadth of the antiwar movement and 1960s counterculture by focusing only on the Weathermen. Anonymous is not an organization. It is an idea, a zeitgeist, coupled with a set of social and technical practices. Diffuse and leaderless, its driving force is “lulz” — irreverence, playfulness, and spectacle. It is also a protest movement, inspiring action both on and off the Internet, that seeks to contest the abuse of power by governments and corporations and promote transparency in politics and business. Just as the antiwar movement had its bomb-throwing radicals, online hacktivists organizing under the banner of Anonymous sometimes cross the boundaries of legitimate protest. But a fearful overreaction to Anonymous poses a greater threat to freedom of expression, creativity, and innovation than any threat posed by the disruptions themselves.
Hackers inserted a prank article on the PBS Web site declaring that the deceased rapper Tupac Shakur was “alive and well” in New Zealand.
No single image better captured the way that Anonymous has come to signify the Internet’s irreverent democratic culture than when, in the middle of a Polish parliamentary session in February 2012, well-dressed legislators donned Guy Fawkes masks — Anonymous’ symbol — to protest their government’s plan to sign the Anti-Counterfeiting Trade Agreement (ACTA). The treaty, designed to expand intellectual-property protection, involved years of negotiation among the United States, Japan, and the European Union, which are all like-minded on copyright law. It had the support of well-organized and well-funded companies, particularly in Hollywood and the recording industry. Although originally negotiated in secret, its contents were exposed by WikiLeaks in 2008. As a result, public pressure caused the treaty’s negotiators to water down many of its controversial provisions. But the final version still mimicked the least balanced aspects of U.S. copyright law, including its aggressive approach to asset seizure and damages. And so a last-minute protest campaign across Europe, using the symbolism of Anonymous, set out to stop the agreement from coming into force. So far, it has succeeded; no signatory has ratified it.
That is power — a species of soft power that allows millions of people, often in different countries, each of whom is individually weak, to surge in opposition to a given program or project enough to shape the outcome. In this sense, Anonymous has become a potent symbol of popular dissatisfaction with the concentration of political and corporate power in fewer and fewer hands.
It is only in this context of protest that one can begin to assess Anonymous’ hacking actions on the Internet. Over the last several years, the list of Anonymous’ cyber targets has expanded from more-or-less random Web sites, chosen for humor’s sake, to those with political or social meaning. In 2010, Anonymous activists launched a distributed denial of service (DDoS) attack — an action that prevents access to a Web site for several hours — against Web sites of the Motion Picture Association of America and the International Federation of the Phonographic Industry, the major trade groups for the film and music industries. The action came in response to revelations that several Indian movie studios had used an Indian company called Aiplex to mount vigilante DDoS attacks against illegal file-sharing sites.
Anonymous launched its next major campaign in the wake of what members saw as an illegitimate U.S. attack on WikiLeaks. A series of public statements — from U.S. Vice President Joseph Biden’s referring to WikiLeaks’ founder, Julian Assange, as a “high-tech terrorist” to Senator Joseph Lieberman’s call for companies not to do business with WikiLeaks — resulted in the organization losing access to its online storage, its domain-name service, and, most damagingly, its ability to receive donations through PayPal, Visa, and MasterCard. Any effort by the U.S. government to achieve these results directly, through legal processes, would have faltered on the shoals of the first amendment. So in retaliation for this perceived abuse of power, Anonymous members launched a DDoS attack against PayPal’s homepage, slowing it down for a few hours. This attack was primarily an act of protest; it did not affect the payment processing itself and was not really designed to do so. Another symbolic defense of WikiLeaks came in 2011, when activists affiliated with LulzSec perceived PBS coverage of the leaking scandal to be biased. They inserted a prank article on the PBS Web site declaring that the deceased rapper Tupac Shakur was “alive and well” in New Zealand.
Then, over the course of 2011, Anonymous mounted attacks against the official Web sites of the dictatorial regimes of Egypt, Libya, and Tunisia in support of the revolutions there. In each case, the attacks slowed access to the sites or redirected those trying to reach the site to an alternative, antigovernment site.
Most recently, Anonymous participants have aimed to defend Internet freedom against what they perceive as the U.S. government’s overaggressive enforcement of intellectual property, cybersecurity, and computer crime laws. A particularly egregious example of such practices in late 2010 involved federal agents shutting down several online hip-hop magazines for over a year, purportedly as part of an intellectual-property-infringement investigation, without bringing charges or giving them an opportunity to challenge the enforcement. So in 2011, Anonymous launched the “#FuckFBIFriday” campaign, consisting of DDoS attacks and document releases against government agencies and contractors.
The most aggressive aspects of the campaign included obtaining and releasing information about personnel in Arizona’s Department of Public Safety, in purported reaction to the state’s stringent anti-immigration law; hacking and posting an online recording of an international law-enforcement conference call about Anonymous; as well as hacks of, and document releases from, defense contractors. After releasing customer information from the private intelligence contractor Stratfor, Anonymous members illegally used credit card numbers from Stratfor customers to donate more than $700,000 to charities, including the Red Cross, CARE, and the Electronic Frontier Foundation. These operations, as well as those against PayPal, MasterCard, and Visa, are at the core of a March 2012 indictment against several members of LulzSec.
The political nature of these targets demonstrates why it is patently wrong to see Anonymous purely as a cyberthreat. Opinions about the justifiability of any given attack may differ, either because of the target or because of its form. The main challenge becomes one of deciding who gets to set the boundaries of legitimate protest. If one unquestioningly accepts the validity of all U.S. government decisions, as well as the current distribution of power in the private sector, the pattern of Anonymous’ attacks seems unambiguously dangerous. But surely there must be a place for civil disobedience and protest that is sufficiently disruptive to rouse people from complacence. Viewing Anonymous purely as a matter of crime reduction or national security will lead governments to suppress it and ignore any countervailing considerations. A more appropriate, balanced response to Anonymous’ attacks would err on the side of absorbing damage and making the hacks’ targets resilient, rather than aggressively surveilling and prosecuting the network and its participants.
Achieving this balance requires an understanding of the different types of Anonymous attacks. Four techniques constitute the bulk of its direct actions: distributed denial of service attacks; document disclosures; defacement of Web sites; and non-cyber action, ranging from pranks, such as sending targets unwanted pizza deliveries, to street protests. Web-site defacements and non-cyber actions are protest, pure and simple. Except in extreme cases akin to the real-world burning of cars and smashing of windows (e.g., had PayPal’s payment systems been disrupted and customers lost money, rather than the company’s homepage being unavailable), they should simply be absorbed as part of the normal flow of the Internet. When addressed, these actions should be treated as a disruption to the quality of life, similar to graffiti.
Up to now, most of Anonymous’ DDoS attacks have been symbolic. When participants join such an attack, they add their computer to a network of computers that simultaneously ask for information from a given Web site; the surging traffic volume temporarily slows down or crashes the site. It causes disruption, not destruction, and the main technique that Anonymous has used requires participants to join self-consciously and publicly, leaving their Internet addresses traceable. By design, these are sit-ins: Participants illegally occupy the space of their target. And they take personal responsibility for the consequences: In 2011, the FBI arrested over 75 people in connection with DDoS attacks. They are a far cry from the kind of attacks on critical infrastructure, such as causing a power outage, that General Alexander’s remarks suggested that the U.S. government expected.
In more naïve times, one might naturally prefer a law-bound state deciding which power abuses should be reined in and which information exposed. But these are no longer naïve times.
Document disclosures, which are intended to embarrass and undermine those whom Anonymous views as having abused their influence, raise more complex questions. Anonymous’ basic idea is that when powerful players such as governments, corporations, and security contractors doubt their ability to keep what they do secret, they will restrain themselves. In recent years, document disclosures have exposed everything from invasions of individual privacy to wasteful expenditures in NATO contracts. In assessing whether such disclosures are justified, the relative power of the observed and the observer is key. How powerful a target is makes all the difference between hacking to promote transparency and hacking to abuse privacy; between what enhances accountability and what undermines personal autonomy.
Many of these cases, however, are ambiguous: Last November, for example, Anonymous activists released the personal details of a police officer who had pepper-sprayed protesters at the University of California, Davis. Similar personal disclosures were a mainstay of the hacks against Arizona law-enforcement officers in 2011. In those cases, there are fewer easy answers to the questions of who is a valid target, what of that target’s information can rightfully be exposed, and who gets to answer these very questions.
We are left, then, with the task of assessing threats in a state of moral ambiguity. In more naïve times, one might naturally prefer a law-bound state deciding which power abuses should be reined in and which information exposed. But these are no longer naïve times. A decade that saw the normalization in U.S. policy of lawless detentions, torture, and targeted assassinations; a persistent refusal to bring those now or formerly in power, in both the public and private sectors, to account for their failures; and a political system that increasingly favors the rich have eroded that certitude. Perhaps that is the greatest challenge that Anonymous poses: It both embodies and expresses a growing doubt that actors with formal authority will make decisions of greater legitimacy than individuals acting collectively in newly powerful networks and guided by their own consciences.
Anonymous demonstrates one of the new core aspects of power in a networked, democratic society: Individuals are vastly more effective and less susceptible to manipulation, control, and suppression by traditional sources of power than they were even a decade ago. At their worst, Anonymous’ practices range from unpleasant pranksterism to nasty hooliganism; they are not part of a vast criminal or cyberterrorist conspiracy. Instead, Anonymous plays the role of the audacious provocateur, straddling the boundaries between destructive, disruptive, and instructive. Any government or company that fails to recognize this will inevitably find itself at odds with some of the most energetic and wired segments of society. Any society that commits itself to eliminating what makes Anonymous possible and powerful risks losing the openness and uncertainty that have made the Internet home to so much innovation, expression, and creativity.