Eleven of the fourteen defendants in the PayPal 14 case have reached a plea deal with federal prosecutors. Under the agreement, the defendants will plead guilty to felonies and misdemeanors under the Computer Fraud and Abuse Act (CFAA). If they observe good behavior, federal prosecutors will ask that the felonies be dropped.
This comes as good news to those who advance the notion that DDoS (Distributed Denial of Service) attacks are acts of civil disobedience. Two other defendants will serve 90 days in prison after pleading guilty to a misdemeanor charge pled guilty to a misdemeanor, while the last of the fourteen defendants was not eligible for a plea deal in the case.
The PayPal 14 are only a small fraction of the over 1,000 participants identified in a DDoS attack aimed at PayPal, which Anonymous hit as part of “Operation Payback” after the company cut service to WikiLeaks’s donations page. Pierre Omidyar, founder of eBay, which is the parent company of PayPal, called for leniency. Ironic given that PayPal provided the Department of Justice with a list of the participants’ IP addresses, which helped the FBI locate the protesters.
“I can understand that the protesters were upset by PayPal’s actions and felt that they were simply participating in an online demonstration of their frustration. That is their right, and I support freedom of expression, even when it’s my own company that is the target,” Omidyar wrote two days ago in a Huffington Post op-ed. “The problem in this case however is that the tools being distributed by Anonymous are extremely powerful. They turn over control of a protester’s computer to a central controller which can order it to make many hundreds of web page requests per second to a target website.”
DDoS works by connecting thousands of computers together to bombard websites with traffic until it collapses. As Omidyar noted, it multiplies the power of a single protester, which is something that cannot be done in the physical realm without significant grassroots effort. Nevertheless, the plea deal is significant because it sets a legal precedent that DDoS isn’t just some effort to cause significant financial harm.
While the plea deal doesn’t define DDoS as digital protest, it might be the first step in acknowledging the attack as something akin to protesters blocking a road or a business. These physical protests are typically prosecuted as misdemeanors, not felonies that can bring hefty prison terms, high restitution costs, and a lifetime designation as a felon. The PayPal 14 plea deal might also help begin the very necessary process of amending the CFAA, which allows stiff penalties for these non-violent crimes in the first place.
Shortly before the news was announced, activist lawyer Stanley Cohen tweeted: “Stay tuned for details. Pay Pal 14 will be resolved today, big win for civil disobedience. Up the Rebels.” And a good win for the internet, which is coming of age as the supreme venue for protest against political and financial power.