Jay Leiderman on DDoS attacks as a form of global civil-rights protest, whom he'll defend, whom he won't, and why.
As a lawyer not particularly immersed in the technology world, Jay Leiderman first became interested in the hacker collective Anonymous around December 2010. That was when Anonymous activists launched distributed denial of service attacks (DDoS) against Mastercard and PayPal, who stopped processing donations to WikiLeaks.
Since then, he has represented a number of high-profile hackers, including Commander X, who is on the run from the FBI for a DDoS attack on a county website in Santa Cruz, California, to protest a ban on public sleeping, and Raynaldo Rivera, a suspected hacker from LulzSec who is accused of stealing information from Sony computer systems. Both Commander X and Rivera could face up to 15 years in prison.
Leiderman, who represents many of his hacker clients pro bono, argues that the law should be changed on DDoS. In an interview I conducted with Leiderman recently, he told me why slapping teenaged hackers with harsh prison sentences is counterproductive.
How did you first become involved with representing Anonymous?
The politics of it spoke to me and the fact that it was a newly emerging area of law really spoke to me. My partner and I do a lot of medical marijuana law. Primary among the reasons that we do that are that it's new and emerging so we can help shape the way that the law ultimately fits society. And because we believe in the politics behind it. And it's the exact same with Anonymous.
We have an opportunity here to make the courts, as these cases wind their way up, understand privacy issues, emerging tech issues, against the backdrop of civil rights and through the prism of free information. And that was something that was just an amazing opportunity for me and something that still engages me as I continue to take on these cases.
You've said about DDoS attacks that "they are the equivalent of occupying the Woolworth's lunch counter during the civil rights movement," but under U.S. law DDoS attacks are illegal. Do you think the law should be changed?
Oh, absolutely. Keep in mind that I didn't say that in an unqualified manner about DDoS. If you were knocking someone's front page offline to ultimately rape their servers and take credit-card information and things like that, that's not speech in the classic sense. When you look at Commander X's DDoS, what he was accused of in Santa Cruz, or with [the] PayPal [protests], these are really perfect examples. And very rarely in law do we have perfect examples.
Take PayPal for example, just like Woolworth's, people went to PayPal and said, I want to give a donation to WikiLeaks. In Woolworth's they said, all I want to do is buy lunch, pay for my lunch, and then I'll leave. People said I want to give a donation to WikiLeaks, I'll take up my bandwidth to do that, then I'll leave, you'll make money, I'll feel fulfilled, everyone's fulfilled. PayPal will take donations for the Ku Klux Klan, other racists and questionable organizations, but they won't process donations for WikiLeaks. All the PayPal protesters did was take up some bandwidth. In that sense, DDoS is absolutely speech, it should absolutely be recognized as such, protected as such, and the law should be changed.
But say that I had a rival law practice across town from you and I was perhaps a bigger more powerful rival with more money and perhaps I wanted to down your website every single day. Isn't that just the equivalent of me just going outside and spray painting and taking down your sign every day and preventing customers from coming to you?
But both of those actions would be illegal in the abstract. Taking down my sign or vandalizing it would be a graffiti or vandalism type charge whereas repeatedly DDoSing my site would be similar in method and manner to that. It's why you have to be careful with the speech. What you have with PayPal, it's a pure form of speech -- it was a limited and qualified thing like Woolworth's. African-Americans went into Woolworth's and said, I want lunch, feed me lunch, I will eat it, pay for it, and leave. Same with PayPal.
Santa Cruz perhaps provides a more compelling case on that because Santa Cruz was about literally petitioning the government for a redress of grievances. Santa Cruz wanted to essentially criminalize -- or did criminalize -- homeless people sleeping in public without qualification. And the city council wouldn't listen, the police wouldn't listen, no one would listen. People regularly die from exposure, because they can't find safe and secure places to sleep in the community. Therefore getting your government's attention in that manner should not be something that the U.S. government is interested in criminalizing and spending resources to prosecute. So in those regards, it's different from the examples you gave, where I would be under perpetual DDoS.
So you're not saying decriminalize DDoS per se, but perhaps it's the way that DDoS is used and other legal factors would come into play there.