Jay Leiderman on DDoS attacks as a form of global civil-rights protest, whom he'll defend, whom he won't, and why.
As a lawyer not particularly immersed in the technology world, Jay Leiderman first became interested in the hacker collective Anonymous around December 2010. That was when Anonymous activists launched distributed denial of service attacks (DDoS) against Mastercard and PayPal, who stopped processing donations to WikiLeaks.
Since then, he has represented a number of high-profile hackers, including Commander X, who is on the run from the FBI for a DDoS attack on a county website in Santa Cruz, California, to protest a ban on public sleeping, and Raynaldo Rivera, a suspected hacker from LulzSec who is accused of stealing information from Sony computer systems. Both Commander X and Rivera could face up to 15 years in prison.
Leiderman, who represents many of his hacker clients pro bono, argues that the law should be changed on DDoS. In an interview I conducted with Leiderman recently, he told me why slapping teenaged hackers with harsh prison sentences is counterproductive.
How did you first become involved with representing Anonymous?
The politics of it spoke to me and the fact that it was a newly emerging area of law really spoke to me. My partner and I do a lot of medical marijuana law. Primary among the reasons that we do that are that it's new and emerging so we can help shape the way that the law ultimately fits society. And because we believe in the politics behind it. And it's the exact same with Anonymous.
We have an opportunity here to make the courts, as these cases wind their way up, understand privacy issues, emerging tech issues, against the backdrop of civil rights and through the prism of free information. And that was something that was just an amazing opportunity for me and something that still engages me as I continue to take on these cases.
You've said about DDoS attacks that "they are the equivalent of occupying the Woolworth's lunch counter during the civil rights movement," but under U.S. law DDoS attacks are illegal. Do you think the law should be changed?
Oh, absolutely. Keep in mind that I didn't say that in an unqualified manner about DDoS. If you were knocking someone's front page offline to ultimately rape their servers and take credit-card information and things like that, that's not speech in the classic sense. When you look at Commander X's DDoS, what he was accused of in Santa Cruz, or with [the] PayPal [protests], these are really perfect examples. And very rarely in law do we have perfect examples.
Take PayPal for example, just like Woolworth's, people went to PayPal and said, I want to give a donation to WikiLeaks. In Woolworth's they said, all I want to do is buy lunch, pay for my lunch, and then I'll leave. People said I want to give a donation to WikiLeaks, I'll take up my bandwidth to do that, then I'll leave, you'll make money, I'll feel fulfilled, everyone's fulfilled. PayPal will take donations for the Ku Klux Klan, other racists and questionable organizations, but they won't process donations for WikiLeaks. All the PayPal protesters did was take up some bandwidth. In that sense, DDoS is absolutely speech, it should absolutely be recognized as such, protected as such, and the law should be changed.
But say that I had a rival law practice across town from you and I was perhaps a bigger more powerful rival with more money and perhaps I wanted to down your website every single day. Isn't that just the equivalent of me just going outside and spray painting and taking down your sign every day and preventing customers from coming to you?
But both of those actions would be illegal in the abstract. Taking down my sign or vandalizing it would be a graffiti or vandalism type charge whereas repeatedly DDoSing my site would be similar in method and manner to that. It's why you have to be careful with the speech. What you have with PayPal, it's a pure form of speech -- it was a limited and qualified thing like Woolworth's. African-Americans went into Woolworth's and said, I want lunch, feed me lunch, I will eat it, pay for it, and leave. Same with PayPal.
Santa Cruz perhaps provides a more compelling case on that because Santa Cruz was about literally petitioning the government for a redress of grievances. Santa Cruz wanted to essentially criminalize -- or did criminalize -- homeless people sleeping in public without qualification. And the city council wouldn't listen, the police wouldn't listen, no one would listen. People regularly die from exposure, because they can't find safe and secure places to sleep in the community. Therefore getting your government's attention in that manner should not be something that the U.S. government is interested in criminalizing and spending resources to prosecute. So in those regards, it's different from the examples you gave, where I would be under perpetual DDoS.
So you're not saying decriminalize DDoS per se, but perhaps it's the way that DDoS is used and other legal factors would come into play there.
Here's what we conceived in terms of the DDoS. The government and people who write about tech tend to call it a "DDoS attack" but in certain circumstances it's not a DDoS attack, but a DDoS protest. So the law should be narrowly drawn and what needs to be excised from that are the legitimate protests. It's really easy to tell legitimate protests, I think, and we should be broadly defining legitimate protests. The example you gave of the rival law firms, that's not protest activities or traditional free speech activities.
The argument has been made that the problem with some of the sentences for Anonymous/LulzSec members is that a lot of them are really just foot soldiers, naive, young, vulnerable kids, who perhaps get into something over their heads. And they're not skilled hackers who are trying to bring down the U.S. government and they don't deserve long jail terms . Would you agree with that?
Absolutely, that's probably one of the most often-repeated and truest things about a lot of these Anonymous members is that they're not these ill-intentioned, misanthropes that really need to have the weight of the law come down on them. I agree with that 100 percent.
Who should the weight of the law come down on then? Should the weight of the law come down on the ringleaders who are behind these people?
Sabu's cooperation [aside], he would be a good example of someone who's cruising for one of these eye-popping over-the-top sentences. He was a bit older, he had been involved in the hacking world for 10 or 15 years; he had a lot of prior Internet misdeeds. He was very skilled, or at least reasonably skilled, he had special skills. He was involved in other criminal activity, he was selling pounds of marijuana, which they didn't charge him with. They dismissed those charges as part of his cooperation.
He was using his skills to commit credit-card fraud, without ideology, without politics behind it, without anything. He was literally stealing from people -- this was not a big, nameless, faceless corporation...There was no ideology behind him stealing credit-card numbers from Mr. and Mrs. Smith.... He was recruiting people actively into LulzSec. One of the allegations in the case I'm handling [Raynaldo Rivera] is that Sabu recruited my client based upon my client's skill, through another member of LulzSec, an intermediary.
Sabu was unquestionably the leader of LulzSec. When you read through the reports, as I have, it's very clear that Sabu was giving orders, pressuring people to "get their hands dirty." ... It was Sony Pictures and the databases were organized via movie sweepstakes -- names and password that were ultimately dumped on the Internet -- and Sabu made individual people go in there and do individual databases so everyone had their hands dirty so that he could exert more control and get them to do more. He had importuned them to criminality.
... He's looking at 124 years so that's obviously beyond ludicrous. But if Sabu were to get a decade or something, that [could be] a sentence for someone like him with a really malignant heart. But for someone like Rivera and the typical member of Anonymous, no, those sentences simply don't fit and for the most part I don't believe they should be going to jail. A lot of these kids -- and most of them are kids -- don't understand the criminal consequences here and could be rehabilitated; scared straight without a jail sentence. There are other things that we could do to them to make them understand that this is in fact illegal and not the way to express yourselves politically.
If we are not talking about harsh prison sentences, how should society respond to rehabilitate those hackers?
I really think this is a situation where a lot of these people are really scared of the consequences once they understand them. Usually someone like that, a criminal conviction in and of itself is a terrible black mark on someone's record now. It becomes difficult to get a job. If you're a person with computer skills, it becomes difficult to get computer clearances to be able to work your way up in a lot of these areas. So simply the conviction alone gets the message across, a probationary period where they're being monitored or checked in on, some community-type service, working with the community in a productive manner. All sorts of creative punishments like those that are available and at the government's disposal.
Do you think denying them access to the Internet is useful?
In some cases it might be useful and appropriate. You really have to look at the offense and the offender. If someone's really unhealthy in their Internet use, it may not be a bad thing to look at them and say, a year, 18 months, two years, let's see how you do without Internet in your life except work and school. That may well be a very good and healthy thing for some people, but you have to look at the offense and the offender before saying we should just yank this person's Internet privileges.
You don't think there's a purpose to passing harsh prison sentences in that it sends a message and acts as a deterrent to any potential offenders?
I don't necessarily think that message gets received by this population which are exclusively naive, not legally savvy, fairly young first-time offenders. That's not a population who can really understand in a practical sense that if you do this, you're going to get a harsh prison sentence. In some of their minds, it almost may be worse, to take away Internet use or modify their behavior in some ways as it so violently changes how their life ordinarily progresses.
Are there any Anons you wouldn't represent?
It depends. I've been asked that question before and I struggle with it and here's why. I don't have to like or agree with the people that I represent to represent them. I have represented neo-Nazis and I'm Jewish. I've been assigned them when I was a public defender and it never really occurred to me until someone asked me, how do you feel about representing this skinhead and I said, you know, I didn't think about it.
Everyone is entitled to a defense and the more reprehensible they are and maybe the more guilty they seem at the beginning of the case makes them more entitled to a vigorous and hard-hitting defense. So I don't necessarily know that there's someone I wouldn't represent based upon what they did or based upon their politics. I wouldn't go ahead and represent someone whose views I didn't agree with pro bono. I'm not going to spend my time and energy that way. ... Certainly there are many people I wouldn't represent pro bono.
Would you represent Sabu pro bono?
No. The damage he did by turning so completely on people he used to call his brother [was considerable]. People who cooperate, throw someone else into harm's way so they can soften the blow on themselves, I tend not to represent. For those reasons, I wouldn't represent Sabu at all. [...] He hurt a lot of people and he did it to save his own skin and he hurt a lot of people worse than they would otherwise be hurt.
Copyright (c) 2012. RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave., N.W. Washington DC 20036.