For the past year, I’ve been working on a study on distributed denial of service (ddos) attacks against independent media and human rights sites with colleagues at the Berkman Center. The resulting report will be out shortly, but one of the main conclusions is that independent media sites are not capable of independently defending themselves of large, network based ddos attacks. There are many things an independent site can do to protect itself against smaller ddos attacks that target specific application vulnerabilities (including simply serving static content), but the problem with a large, network based attack is that it will flood the link between the targeted site and the rest of the Internet, usually causing the hosting ISP to take the targeted site down entirely to protect the rest of its network.
Defending against these large network attacks requires massive amounts of bandwidth, specific and deep technical experience, and often connections to the folks running the networks where the attacks are originating from. There are only a couple dozen organizations (ISPs, hypergiant websites, and content distribution networks) at the core of the Internet who have sufficient amounts of bandwidth, technical ability, and community connections to fight off the biggest of these attacks. Paying for services from those organizations is very expensive, though, starting at thousands of dollars per month without bandwidth costs and often going much, much higher. An alternative is to use one of a handful of hosting services like blogger that offers a high level of ddos protection at no financial cost. One of the recommendations we make in our report is for independent media sites that think they are likely to be attacked and want to be able to defend against themselves either find the resources to pay for a ddos protection service or accept the compromises of hosting on a service like blogger in return for the free ddos protection.
We make this recommendation with a great deal of caution, however, because moving independent media sites to these core network actors trades more freedom from ddos attacks for more control by one of these large companies. It’s great to be able to withstand a 10Gbps ddos attack on youtube, but it’s not so great for youtube to take down your video at its sole discretion for violation of its terms of service. In general, these core companies have struggled in this genuinely difficult role. How is youtube supposed to judge what to do when it receives complaints about a violent video in Arabic posted from Egypt? Do videos of police brutality qualify as the ‘graphic or gratuitous violence’ that youtube disallows in its terms of service?
So with this context, I’ve been watching the Wikileaks attack with great interest. It has been suffering a pretty big network attack (Wikileaks claims about 10Gbps, which is big enough to take down all but a couple dozen or less ISPs in the world; arbor claims about 2-4 Gbps, which is still big enough to cause the vast majority of ISPs in the world major disruption). The attack successfully took its site offline at its main hosting ISP. Wikileak’s textbook response was to move to Amazon’s web services, one of those core Internet services capable of defending against big network attacks.
The move seemed to work for a couple of days, but then Amazon exercised its control, shutting the site down. Joe Lieberman claimed responsibility for Amazon’s decision to take the site down. But Amazon responded with a message claiming that it made the decision to take the site down based purely on its own decision based on its terms of service. The core of their argument is that Wikileaks was hosting content that it did not own and that it was putting human rights workers at risk:
for example, our terms of service state that “you represent and warrant that you own or otherwise control all of the rights to the content… that use of the content you supply does not violate this policy and will not cause injury to any person or entity.” It’s clear that WikiLeaks doesn’t own or otherwise control all the rights to this classified content. Further, it is not credible that the extraordinary volume of 250,000 classified documents that WikiLeaks is publishing could have been carefully redacted in such a way as to ensure that they weren’t putting innocent people in jeopardy. Human rights organizations have in fact written to WikiLeaks asking them to exercise caution and not release the names or identities of human rights defenders who might be persecuted by their governments.
If this is really how they made their decision, this is a worse process than merely succumbing to the political pressure of the US government. At least Lieberman is an elected official and therefore to some degree beholden to his constituents. Amazon is instead arguing dismissively that it made the decision based on its own interpretation of its terms of service. Without getting into the merits of either side, the questions of whether Wikileaks has the rights to the content and especially of what level of risk of harm merits censorship are very, very difficult and should clearly be decided by some sort of deliberative jurisprudence rather than arbitrarily and dismissively decided by a private actor.
This need for careful, structured, and public deliberation on these questions is obviously balanced by Amazon’s right to decide what to do with its own property. But as a society, we have reached a place where the only way to protect some sorts of speech on the Internet is through one of only a couple dozen core Internet organizations. Totally ceding decisions about control of politically sensitive speech to that handful of actors, without any legal process or oversight, is a bad idea. The problem is that an even worse option is to cede these decisions about what content gets to stay up to the owners of the botnets capable of executing large ddos attacks.
12 Comments
Wikileaks has no “right” to be hosted by AWS or any other specific provider; in the same way that provider can terminate a business agreement at any time if they feel that their TOS have been violated (which is exactly what Amazon did). Without a right to be hosted, Wikileaks deserves no deliberative jurisprudence. In fact, being “arbitrarily and dismissively decided” is all they are truly entitled to.
Yes, I agree that Wikileaks does not have a right to be hosted by a specific provider, as I tried to make clear by acknowledging Amazon’s property rights. But I think they have a right at the least to some sort of deliberative process to decide whether they get to be hosted at all. The problem is that there are only a couple dozen actors in the world capable of hosting them in the face of large ongoing ddos attacks, and none of them are good at making these sorts of decisions right now. I think we need to figure out how to provide a space as a society for hosting politically sensitive content that is not subject to arbitrary takedown with no process or oversight. The most likely way to make that happen right now is to apply pressure to those private companies at the core of the Internet to figure out how to deal better with these difficult situations.
I guess the better question is: what is the legal basis for this supposed right to deliberative process…? Or are you conceding that there isn’t a right, but there should be? As you point our in your post, this is a private business, and not the government, so realistically speaking, there are no rights.
Interesting, @theprez98, that you imply that businesses are outside of the law when there so many examples of individual rights established in law that clearly do affect the conduct of business.
@hrobers wants us to think, I guess, about new legislation that would apply to service providers on the internet.
Without speaking for @hroberts, this legislation would ensure that free speech is more than a paper right because the new legislation would overrule a TOS in some cases, and ensure that free speech was protected.
Fine. I’d like also to think a little more about Hilary Clinton’s ‘initiative’ to establish a right to the internet.
In the case of Wikileaks and DDOS, we can ask the question of the fitness of the internet for giving us the online equivalent of ‘free air’ in which free speech can take place.
At the moment, it looks like there are criminals who can deny our right to free air and deny our right to voice our opinions and conduct political business over the internet.
If the internet is to be the commons that we all hope for, Wikileaks shows that the internet needs far greater protection – technological and legal – than it has at present.
WallaseyBoy, I certainly do not imply that businesses are outside of the law. My statement is made upon the fact that rights (such as the First Amendment) are protections against government infringement, not business. The First Amendment does not say, “Amazon.com shall make no law…” In other words, you cannot sue Amazon for violating your free speech rights, because you have no such rights in their environment, and there is no such prohibition against them doing so. If you can find factual or legal information to oppose this notion, I’d love to see it.
I’m not arguing that Wikileaks has a legal right to service by Amazon (note that in the post the only time I use the term ‘right’ is in reference to Amazon’s property rights). I’m not even arguing that Wikileaks *should* have a legal right through some sort of new legislation. As a last resort, I think I would prefer such a legal right over the current status quo. What I’d like to see now is more pressure applied to Amazon and other core Internet companies to treat the process of politically sensitive take downs seriously. Some companies are doing a better job than others (including Google, Microsoft, and Yahoo through participation in the Global Network Intiative), but none are doing a good job at making these decisions in a transparently thoughtful way. As a first step, I think we should collectively pressure these companies to do a better job not only because it’s the right thing to do but also for their own interest, including avoiding major embarrassments and the threat of legislation if their current practices blow up on them. Even in this specific case, Amazon would have been in a much better position to make and to defend the decision either to keep wikileaks up or take it down if it could have pointed to some reasonable process based on a policy (even just its own published internal policy) it went through to make the decision. Instead, they published this post which basically says they took the site down just because they felt like it.
Sorry, @theprez98, if I misunderstood you. To you both, I thought that the ground on which you were arguing was firmer.
I’m fascinated by US law, then. I just hadn’t realised that US business can deny free speech to individuals without redress. But then, again, why should I have believed this?
In general, it’s difficult now to see the internet as anything other than ‘pipe’ owned by big telcos – a trend that’s getting worse?
Do you think then that it’s the equivalent of oligopolies in print and TV media?
The question of free speech in general seems to be on very shaky ground – I’m used to that elsewhere, but I thought that there were some quite fundamental rights in the US that protected this.
I have sent emails to pay pal and amazon notifying them i will boycott their services as they do not support transparency in the use of tax money….I suggest you get your readers to do the same. Nothing gets their attention like a hit in the profit groin.
Hal, you write, “I think we need to figure out how to provide a space as a society for hosting politically sensitive content that is not subject to arbitrary takedown with no process or oversight.”
I agree, but is there any nation in the world courageous enough to do this? I’d been thinking Sweden, but they’re obviously caving. Switzerland, maybe? Australia? What do you think?
Interesting and thought provoking post, thank you.
I have a question about the claim that there is only a handful of hosts who can keep material available while withstanding a DDoS attack. I understand that in practice the cables are distributed using BitTorrent. WikiLeaks needs to reach initial downloaders, but once the torrent is seeded, all that needs to be distributed is a link to the torrent. This is lightweight, can be rapidly posted in many places (Twitter, Facebook), and is easily re-blogged by sympathisizers. If there is sufficient interest, it quickly becomes nearly impossible to shut down the p2p torrent distribution of the actual “publication” by either government action or DDoS.
Is there really a need to push high-powered hosters to host material beyond their Terms of Service? Or do we simply need to ensure that services like Twitter and BitTorrent are available to any and all?
To Kate, you might be interested in the Iceland Modern Media Initiative, which has been praised by folks at wikileaks as a possible solution.
IMMI proposes a set of airtight legal protections for data hosts on Icelandic soil. However, this doesn’t fix something like Amazon Web Services, which has bundled a giant swath of hosting environments with the business interests of Amazon.com, a company that enjoys highly beneficial tax considerations with the US government. These private hosts could act differently on US soil — legal protections for hosts here aren’t bad — but they choose not to because the participation of political minorities is less important than not drawing bad press to their brand or business interests. There is no first amendment of private hosting, and that’s a problem.
Best,
Jonathan at Global Integrity
theprez98 says: “you cannot sue Amazon for violating your free speech rights, because you have no such rights in their environment, and there is no such prohibition against them doing so.”
It’s not as simple as theprez98 would like it to be(free speech/1st amendment).
The implication regarding Rights and constitutional protection of amazon’s autonomous speech right is far from evident. Follow the supreme court history Austin v. Michigan Chamber of Commerce, 494 U.S. 65 > Buckley v. Valeo 424 U.S. 1 (1976) > Bellotti, 435 U.S 435 U.S > Citizens United v Federal Election Commission, 130 S.Ct. 876c. There you’ll find the line of reasoning (while i strongly disagree with the courts argument) where the Right for the listener is one of unobstructed listening, ergo passive speech. Evidently, Wikileak is a new twist to the discourse of free speech. That is, what about the right of free speech pertaining to market leaders (large corporations), thence, their refusal of speech, i.e. suppressing passive free speech.
Ceteris parius, the passive right to speech is very much in line with the courts quantitative argument. It says, the more information there is disseminated, the more speech there is, the more freedom of speech there is, etc.
6 Trackbacks/Pingbacks
[…] “…as a society, we have reached a place where the only way to protect some sorts of speech on the Internet is through one of only a couple dozen core Internet organizations. Totally ceding decisions about control of politically sensitive speech to that handful of actors, without any legal process or oversight, is a bad idea (worse even than ceding decision to grandstanding politicians). The problem is that an even worse option is to cede these decisions about what content gets to stay up to the owners of the botnets capable of executing large ddos attacks.” From Hal Roberts’ blog post, Amazon’s Wikileaks Takedown […]
[…] the rest here: Hal Roberts / Amazon's Wikileaks Takedown Share and […]
[…] Amazon wrote: ‘ for example, our terms of service state that “you represent and warrant that you own or otherwise control all of the rights to the content… that use of the content you supply does not violate this policy and will not cause injury to any person or entity.” It’s clear that WikiLeaks doesn’t own or otherwise control all the rights to this classified content.’ […]
[…] to stress the complexities of a Website under attack as pointed out by Hal Roberts on his article Amazon´s Wikileak take down and the role of private corporations on it: as a society, we have reached a place where the only […]
[…] web, comme l’indique Hal Roberts, du Berkman Center de Harvard, dans son article consacré à l’abandon de Wikileaks par Amazon, et le rôle que peuvent jouer les entreprises privées : Notre société a atteint une période […]
[…] but shut down their server and wait for it to pass. Or, as the Berkman Center’s Hal Roberts points out, they can turn to “only a couple dozen organizations … at the core of the Internet who have […]