WikiLeaks and the PROTECT-IP Act: A New Public-Private Threat to the Internet Commons
The WikiLeaks affair and proposed copyright bills introduced in the Senate are evidence of a new, extralegal path of attack aimed at preventing access and disrupting the payment systems and advertising of targeted sites. In this model, the attacker may be a government agency seeking to circumvent constitutional constraints on its power or a private company trying to enforce its interests beyond those afforded by procedural or substantive safeguards in the law. The vector of attack runs through the targeted site’s critical service providers, disrupting technical services, such as Domain Name System service, cloud storage, or search capabilities; and business-related services, such as payment systems or advertising. The characteristics that make this type of attack new are that it targets an entire site, rather than aiming for removal or exclusion of specific offending materials; operates through denial of business and financial systems, in addition to targeting technical systems; and systematically harnesses extralegal pressure to achieve results beyond what law would provide or even permit.
In December 2010, a website that the Pentagon had described in 2008 as dedicated “to expos[ing] unethical practices, illegal behavior, and wrongdoing within corrupt corporations and oppressive regimes in Asia, the former Soviet bloc, Sub-Saharan Africa, and the Middle East,” and that in 2009 had received the Amnesty International New Media Award for reporting on extrajudicial killings in Kenya, came under a multisystem denial-of-service attack intended to prevent it from disseminating information. The attacks combined a large-scale technical distributed-denial-of-service (DDoS) attack with new patterns of attack aimed to deny Domain Name System (DNS) service and cloud-storage facilities, disrupt payment systems services, and disable an iPhone app designed to display the site’s content.
The site was WikiLeaks. The attackers ranged from unidentified DDoS attackers to Senator Joseph Lieberman and, more opaquely, the Obama administration. The latter attack is of particular interest here, having entailed an extralegal public-private partnership between politicians gunning to limit access to the site, functioning in a state constrained by the First Amendment, and private firms offering critical functionalities to the site–DNS, cloud storage, and payments, in particular–that were not similarly constrained by law from denying service to the offending site. The mechanism coupled a legally insufficient but publicly salient insinuation of illegality and dangerousness with a legal void. By publicly stating or implying that WikiLeaks had acted unlawfully, the attackers pressured firms skittish about their public image to cut off their services to WikiLeaks. The inapplicability of constitutional constraints to nonstate actors created the legal void, permitting firms to deny services to WikiLeaks. This, in turn, allowed them to obtain results (for the state) that the state is prohibited by law from pursuing directly. The range of systems affected by the attack was also new: in addition to disrupting technical service providers–which had been familiar targets since efforts to control the Net began in the 1990s–the attack expanded to include payment systems.
. . .