The billionaire founder of eBay, Pierre Omidyar, is bankrolling a new media company with reporters who have used WikiLeaks to break giant stories.
But the eBay-owned subsidiary PayPal is working with the Justice Department to prosecute a handful of WikiLeaks supporters. The defendants could serve decades in prison, and their convictions could decide if “hacktivism” is free speech or a felony offense.
On Oct. 31, 14 defendants are scheduled to walk into a federal court in San Jose, Calif. They are known as the PayPal 14, and prosecutors will ask them to plead guilty to attacking PayPal, the online payment service based in that city.
In December 2010, PayPal, Visa, Mastercard and major banks became targets of a spate of cyberattacks, but not by criminals who wanted to steal credit card numbers.
When the companies stopped processing online donations for WikiLeaks founder Julian Assange, supporters — some associated with the hacker group Anonymous — responded with a novel form of protest.
In the case of PayPal, they sent thousands of packets of data to the company’s servers at such a speed that its system nearly crashed.
“It was serious,” said PayPal spokesman Anuj Nayar, who recalled that deflecting the traffic felt like a chess game.
The DOJ cannot comment on pending cases but relies on prosecution guidelines that consider how likely a person is to repeat an alleged offense. Attorney Peter Leeming, who represents one of the defendants, says the selection “seemed arbitrary to me.”
Leeming, based in Santa Cruz, Calif., has represented political protesters for decades and is developing a boutique practice around hacktivism, or online attacks that are politically or socially motivated and not driven by financial gain.
“They’re a relatively new creature,” he said. “Is demonstrating and shutting down a street any different from shutting down a line of commerce on the Internet?”
The attacks on PayPal were not strong enough to shut down the company’s servers. But, Nayar said, “if PayPal had done nothing, our servers may have gone down.”
Chris Finan, a former chief of cybersecurity at the White House, says that problem may not be one for the criminal-justice system to solve.
“Companies need to make the investments so that things like that don’t affect their bottom line or at most have a marginal effect on their operations,” he said. “That’s the cost of doing business these days.”
The good and the bad
Finan is a senior manager at Impermium, a Redwood City, Calif., company that sells security products to firms. He advised President Barack Obama on Internet regulation at the same time that the DOJ was mounting its case against the PayPal hackers.
In technical speak, the attack against PayPal is called a distributed denial of service (DDoS). Attackers flood a website with waves of irrelevant data packets in order to make the site unavailable. The targeted company can lose significant money when customers and users can’t access a service on the front end. On the back end, the attack is not tampering with a database of bond purchases or customer IDs.
In the hierarchy of sophisticated cyberattacks, Finan says, DDoS ranks pretty low.
“I don’t mean to minimize what some of these groups can do,” he said. “But in this day and age, protest has gone from physical to virtual space.”
The Arab Spring illustrates how hacktivism can be a public good, he says. Protesters in the Middle East used DDoS and other cybertactics to target hostile regimes.
“We’ve seen the upside of activism online in those countries,” Finan said. “It’s the same enabling technologies. So in public policy, you have to consider the good and the bad.”
Politics not an excuse
Hacktivist groups use DDoS so often, experts say they’ve made DDoS tools more accessible to midtier cybercriminals who attack the financial industry for monetary gain.
The federal government prosecuted 233 new computer-fraud cases in 2012, according to the Transactional Records Access Clearinghouse. Hacktivists don’t account for many of them. The case of Aaron Swartz, who committed suicide while facing felony charges for breaking into MIT servers, drew global attention to the U.S. prosecution of hacktivists.
Hacktivists are typically charged, under the Computer Fraud and Abuse Act, with causing damage to a protected computer. Prosecutors contend that political motivation is not an excuse. If the harm to the victim was more than $5,000, it is a felony.
Raynaldo Rivera, a 21-year-old from Maricopa, Ariz., was convicted recently for stealing user data from Sony Pictures. Prosecutors say he was motivated by the “chaotic thrill of entertainment and anarchy,” and that he harmed over 100,000 citizens whose personal information he posted online. Rivera claims he hacked Sony to prove it was doing a poor job of protecting those users.
He must serve a year in prison and pay about $600,000 in restitution. “I understand why I’m being punished,” he said. “Just the amount of time doesn’t make sense.”
Former prosecutors who worked in the DOJ’s computer-crimes division cannot recall a misdemeanor hacktivist case. Because of limited resources, they say, the DOJ is focused on the most serious offenses.
A growing problem
According to a popular industry report by Verizon, hacktivism is a growing problem. In 2011, 58 percent of all data theft was tied to such groups. The 2012 Data Breach Investigations Report stated “the specter of ‘hacktivism’” is “doubly concerning for many organizations and executives” because these groups don’t follow “the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.”
Defense attorney Jay Leiderman, based in Los Angeles, says the government has to take a more measured approach when it prosecutes online protest. “You can’t stop it altogether,” he said. Despite the FBI crackdown on Anonymous, for example, the loose collective continues to protest online and recently brought national attention to a rape case in Maryville, Mo.
Leiderman represents several hacktivists pro bono, and he compares them to more traditional protesters. Say 10,000 people rally in front of city hall or a company’s headquarters. “If cops have to drag them out,” he said, “they get ringed up for trespassing. A $50 fine maybe, or the case gets dismissed.”
If those 10,000 jammed the computer network of a city or company, even if they didn’t break into the server, they’d face up to 15 years in federal prison.
Leiderman said, “The contrast is stark.”
A tough one
One of his clients skipped bail and fled to Canada after being indicted for attacking Santa Cruz in retaliation for a law barring homeless people from sleeping in public.
According to the indictment, Christopher Doyon, aka Commander X, allegedly led a DDoS attack that slowed down networks for 18 minutes during a weekday lunch hour and caused the city $6,300 in damage.
Leiderman says his client was stunned to find himself at the center of a felony case. “He thought he was a do-gooder.”
Sadly, Leiderman says, the protester turned himself into an international fugitive when his case was winnable. They just had to prove the total harm was about $1,300 less than charged. “It wouldn’t have been hard.”
When the PayPal case returns to court, one defendant may be able to ruin a plea deal for all the others. Defense attorneys said a plea deal may be in the offing but that all of the PayPal 14 have to take it.
But Dennis Collins, who is represented by Leeming, was recently indicted in Virginia for his 2010 hacking activity because it also harmed institutions in that jurisdiction, like the Recording Industry Association of America and the U.S. Copyright Office. He may fear that the California plea would harm his case in Virginia.
Leeming, who would not allow his client to be interviewed, said, “This one is going to be tough.”
This article has been updated to correct an error. Attorney Jay Leiderman represented Christopher Doyon, not Josh Covelli, in the Santa Cruz hacking case.