Blog Post

While hacktivism secures the web, SOPA could expose it

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Hacktivism efforts get a bad rap when it comes to web security, but it’s possible they are actually doing more good than harm. In a security world empowered by big data tools, information gleaned from the countless attacks on LulzSec and Anonymous provide invaluable information to help stop similar attacks in the future. They are like baits that attract hackers en masse.

Curiously, however, the proposed SOPA antipiracy legislation that has drawn such strong negative reactions from web-based service providers could end up playing right into hackers’ hands. Or so says Matthew Prince, the co-founder and CEO of popular security service CloudFlare and professor at the John Marshall School of Law.

Hacktivism first

Although it is a security company that tries to prevent websites from DDoS and other types of attacks, Prince told me CloudFlare actually counts a number of antiestablishment and arguably nefarious groups as users. LulzSec, along with various other hacktivist sites, is a CloudFlare user, as are most of the various “Occupy” sites. Their methods and objectives might be different, but all of those organizations share a common characteristic in that they attract a lot of attention from other hackers trying to bring them down to boost their own notoriety.

If you’re trying make the Internet safer, that’s a good thing. “Security is really a data problem at the end of the day,” says Prince, so companies such as CloudFlare will take all the data they can get. As with most analytics use cases, the more information that security systems have to analyze, the smarter they get and the faster they can identify those attacks in the future. That’s why so many security services, whether for personal use or enterprise firewalls, now utilize a cloud-based model — so they can route all of their customers’ traffic through a central network and let everyone benefit from the collective intelligence.

It’s in the spirit of the greater good that made CloudFlare, at least, decide to keep serving its hacktivist users, despite what Prince calls “a lot of internal debate about . . . the right approach.” Because most services don’t actually host content — as was the case with (s amzn) Amazon Web Services and Wikileaks, as well as (s rax) Rackspace and Reverend Terry Jones — deciding whether to keep a user is really an ethical decision more than a legal one.

“There are lots of things on the Internet that I find very personally troubling,” Prince said, but he doesn’t think he’s in the position to decide what’s on the Internet (or, in his company’s case, what’s protected from attacks). Generally speaking, he added, invoking the theory that reason will prevail in the marketplace of ideas, “sunlight is rarely a bad disinfectant” for information that some find dangerous.

Most of the time. While LulzSec and other less-known hacktivist groups remain as customers, Prince said CloudFlare has worked closely with law enforcement to deny protection to child pornography sites that are uncovered as users.

Copyright laws do not discriminate

While hacktivism actually enhances the greater mission of Internet security, though, Prince thinks the Digital Millenium Copyright Act actually does a lot to hinder it. The proposed SOPA legislation, he wrote in a blog post on Wednesday, would “effectively streamline DDoS attacks.” That’s because, unlike the ethical decision that serving hacktivists poses, these laws don’t give service providers like CloudFlare a meaningful choice on how they should act.

As I’ve written before, the DMCA is somewhat unfair to service providers, because it places on them the onus of being judge, jury and, in some cases, executioner with regard to copyright-infringement claims. Prince writes that although CloudFlare does the best job it can, it’s becoming difficult to detect legitimate claims as criminals’ requests get more sophisticated:

Imagine the challenge for someone on CloudFlare’s support team. If someone writes to us alleging that they are a photographer who took a picture that appears on a website, or a designer who drew a logo, or an author who wrote some text, how can that claim be verified? I’m an attorney and member of the bar. I teach a course on intellectual property and technology law at the John Marshall Law School. I serve on the Board of the Center for Information Technology and Privacy Law. I’ve reviewed many of these requests and, even with my training in the subject, I have no idea how to effectively and efficiently tell the difference between valid and invalid complaints. (emphasis added)

Essentially, Prince explains, when network services such as CloudFlare receive valid complaints under the DMCA, they must expose the host domain so takedown actions can commence. The problem is that cybercriminals are aware of this law, and they are increasingly making bogus requests against legitimate sites. Once they have the host information they need, they can attack.

SOPA takes things a step further, Prince says, because it keeps the same adjudication onus on the service provider while ramping up the response. Whereas exposing a host domain pursuant to DMCA still requires technical acumen to exploit, SOPA actually requires network providers to stop resolving DNS for infringing sites. “The allegation merely needs to include some evidence and does not need to be validated by a court,” Prince writes. “In other words, a carefully crafted letter could be all it takes for a future attacker to knock a site offline. No botnet needed, just a passable mastery of legalese.”

Feature image courtesy of Flickr user Abode of Chaos; guillotine image courtesy of Flickr user The Tedster

4 Responses to “While hacktivism secures the web, SOPA could expose it”

  1. When technology surpasses the system, what is needed more? To change with the technology or to preserve what has worked in the past? This is the real issue here. In such unstable times, is it such a good idea to change what we know has worked in the past, or is it really necessary to change with the technology and rewrite the rules that govern us. Obviously, if these laws are rewritten poorly in either direction, it could mean more than just a censoring of the internet, but a fundamental collapse of American society. However, if we decide to deal with this later, is the best way to do that by creating new legislation?
    I don’t know.

  2. Challenge of judging copyright infringement is a key in his view. Deciding if some content infringes or not is almost impossible to solve automatically. And is it is very very costly. Best system to date is one that Google made on YouTube, and it has its own deep flaws. And I wonder how much additional costs it added to running YouTube service.
    So fighting digital piracy will always be a costly endeavor, question is who must pay for it? for a while content businesses are trying to push costs and responsibility of policing copyrights on others, on governments and all kind of services. But is there really a reason for population at large to pay for protecting content businesses? Should they not pay themselves for this?
    Should they not invest in making a global YouTube like service that would help to identify cheaply if something infringes or not. Shouldn’t they actually start solving problems their own business model has instead of pushing them on others.

    • Derrick Harris

      I could not agree more. It’s a flawed system. It was an attempt to pass a law that could keep up with the web in terms of speed and adaptability, but it kind of ignored due process. Service providers are not well suited to distinguishing bogus claims from legit ones, much less deciding whether legit claims are actually violations.

  3. “There are lots of things on the Internet that if find very personally troubling,” – if find very personally troubling or I find very personally troubling? Typo?