The legality of denial of service attacks December 12, 2010
With all the banter about Wikileaks and the reports of attempted DDoS attacks, I thought this might be a good time to explore some of the legal issues that can follow DoS activity. As usual, this isn’t meant to be a comprehensive practice guide or constitute advice.
First, for a primer on denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks, read the Wikipedia article; it is easy to follow. In the simplest terms, a successful DoS or DDoS attack overwhelms a target (e.g., a web server, or the network link or device in front of it) with more traffic or requests than it can handle, so that for the duration of the attack the target stops responding to legitimate requests altogether or responds only intermittently. The "distributed" variant differs only in that the traffic is sent from many machines at once rather than from a single source.
In the United States, participants in these attacks can run into a number of legal problems at the federal level, both criminal and civil. For our purposes there is no need to distinguish the distributed form of the attack from the single-source form (i.e., DDoS vs. DoS), since, as you will see below, a person is culpable simply by directing the attack at a target, regardless of how many machines are involved.
In terms of criminal violations, there is the Computer Fraud and Abuse Act (the "CFAA"), which prohibits a person from "knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer" (see 18 U.S.C. § 1030(a)(5)(A)). The requisite "damage" element under the CFAA is "any impairment to the integrity or availability of data, a program, a system, or information" (see 18 U.S.C. § 1030(e)(8)), and a "protected computer" includes any computer "which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States" (see 18 U.S.C. § 1030(e)(2)(B)). Since practically any server reachable over the public internet is used in interstate commerce or communication, the "protected computer" element is rarely a real obstacle.
DoS attacks almost unquestionably fall within the broadly worded prohibited activity in this portion of the CFAA (transmitting "information, code, or command") and would likely meet the low threshold for damage ("any impairment to the integrity or availability of data, a program, a system, or information"): a server that cannot serve its users has had its availability impaired, which is the whole point of the attack. The CFAA also reaches unsuccessful attempts and conspiracies to commit a violation (see 18 U.S.C. § 1030(b)).
The CFAA also has a civil component, under which "[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief" (see 18 U.S.C. § 1030(g)). In other words, the target of a DoS attack can sue the individual(s) responsible for the losses incurred as a result of the attack (e.g., server downtime, the cost of repair, and in some cases lost revenue). There is a threshold: absent special circumstances (such as physical injury or a threat to public health or safety), the attack must have caused loss aggregating at least $5,000 in value during any one-year period. That threshold is easier to reach than it sounds, because the statutory definition of "loss" (18 U.S.C. § 1030(e)(11)) expressly includes the cost of responding to the offense and conducting a damage assessment, and some courts have liberally construed it to include the fees of outside consultants (e.g., IT/security firms) hired to determine the extent of the damage. Also, this provision does not require that a person ever be criminally convicted before being sued for damages.
Private parties that sit along the path of the attack (e.g., an ISP) may also have additional legal options at the state court level. Since most U.S. homes connect to the internet through an ISP such as Comcast, their use of Comcast's services is likely subject to a "terms of service" agreement that prohibits DoS attacks and other illicit activities. For instance, the Comcast terms prohibit "undertak[ing] or accomplish[ing] any unlawful purpose," including "interfer[ing] with computer networking or telecommunications service to any user, host or network, including, without limitation, denial of service attacks, flooding of a network, overloading a service, improper seizing and abusing operator privileges, and attempts to 'crash' a host." Since these terms are a legal contract, an ISP could sue a subscriber for breach of contract. Similarly, if the target of a DoS attack is a website, visitors to that website may have their own terms of service agreement with it containing similar contractual prohibitions. For instance, PayPal's terms, under the "Restricted Activities" section, prohibit users from "tak[ing] any action that imposes an unreasonable or disproportionately large load on our infrastructure." The PayPal terms also list a number of remedies the company may pursue for violations, which could include a lawsuit for breach of contract or even one on a "trespass to chattels" theory.
Social websites like Facebook also have provisions in their terms of service that prohibit certain types of unlawful activity (e.g., "you will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory"). A company is unlikely to be charged with a crime under the CFAA for unknowingly hosting a group that encourages participation in DoS attacks (at common law, corporations usually lack the requisite criminal intent). Once aware of such a group, however, it certainly does not want to find itself defending its inaction, or facing a civil lawsuit filed by the target website (though it would probably take very unusual facts for such a suit to succeed on the merits). So it comes as no surprise that Facebook took the risk-averse approach this week by terminating groups that encouraged participation in DoS attacks.
I hope this post clears up some of the misconceptions I’ve heard in passing this week.