The Inevitable Collapse of Legitimacy Under Secret Law: WikiLeaks Hacks

DOJ indicted 16 alleged hackers today, 14 of whom were purportedly involved in hacking PayPal after it refused to accept payments for WikiLeaks.

According to the San Jose indictment, in late November 2010, WikiLeaks released a large amount of classified U.S. State Department cables on its website. Citing violations of the PayPal terms of service, and in response to WikiLeaks’ release of the classified cables, PayPal suspended WikiLeaks’ accounts so that WikiLeaks could no longer receive donations via PayPal. WikiLeaks’ website declared that PayPal’s action “tried to economically strangle WikiLeaks.”

The San Jose indictment alleges that in retribution for PayPal’s termination of WikiLeaks’ donation account, a group calling itself Anonymous coordinated and executed distributed denial of service (DDoS) attacks against PayPal’s computer servers using an open source computer program the group makes available for free download on the Internet. DDoS attacks are attempts to render computers unavailable to users through a variety of means, including saturating the target computers or networks with external communications requests, thereby denying service to legitimate users. According to the indictment, Anonymous referred to the DDoS attacks on PayPal as “Operation Avenge Assange.”

Now, I’m not surprised DOJ indicted these folks. I’m not arguing that, if they did what DOJ alleged they did, they didn’t commit a crime.

But I can’t help but notice that DOJ has not yet indicted anyone for the DDoS attacks–the very same crime–committed against WikiLeaks 8 days earlier than the crime alleged in this indictment.

I’m guessing DOJ has a very good idea who committed that crime. But for some reason (heh), they haven’t indicted those perpetrators.

In fact, I’ll bet you that DOJ also has a better explanation for why PayPal started refusing WikiLeaks donations on December 4, 2010–two days before this alleged crime–than they describe here.

But we mere citizens are privy to none of that. As far as we know–because of choices about secrecy the government has made–a crime was committed against a media outlet on November 28, 2010. That crime remains unsolved. Indeed, DOJ has never made a peep about solving that crime. Meanwhile, today, 14 people were indicted for allegedly committing the very same crime the government–inexplicably, at least according to its public statements–has not pursued.

According to the public story, at least, the rule of law died with this indictment today. The government has put itself–the hackers it likes, if not employs–above the law, while indicting 14 people for the very same crime committed just weeks before those 14 people allegedly committed their crime.

Of course, that’s probably not how the government views it. I presume they went to some judge–probably a FISA judge–in the days leading up to November 28 and told that judge they were pursuing a case of Espionage and couldn’t that judge please give the government permission to commit a crime against a media outlet.

Mind you, I’m not aware of the part of the PATRIOT Act (or other US Code) that permits the government to commit crimes against media outlets it claims are engaged in Espionage. But then I’m not aware of the part of the PATRIOT Act that permits the government to track geolocation of all of us in the name of hunting terrorists.

And we know they do that.

That’s one of the problems with secret law, you know. It’s never clear what basis the government has given a judge, in secret, for breaking the law.

Less perplexing than how the government explains why its hack of WikiLeaks is not a crime but the alleged hacking committed by these 14 people is a crime, is why PayPal and Visa and MasterCard all of a sudden, within days, decided to stop taking donations to WikiLeaks. Withdrawing funding for alleged terrorists and spies with no due process, at least, is at least provided for under the law.

Though, from the perspective of seeing that our government used it to persecute a media outlet, it doesn’t necessarily make it right.

The other interesting thing about how this secret law thing works is that around about the same time this uninvestigated hack against WikiLeaks occurred and around about the same time these alleged hackers hacked PayPal, the government anonymously leaked information about problems with the claim that WikiLeaks was, in fact, engaged in Espionage. Even at that point, the government admitted it didn’t have much of an Espionage case.

The Justice Department, in considering whether and how it might indict Julian Assange, is looking beyond the Espionage Act of 1917 to other possible offenses, including conspiracy or trafficking in stolen property, according to officials familiar with the investigation.

Attorney General Eric H. Holder Jr. acknowledged this week that there were problems with the Espionage Act, a World War I-era law that says the unauthorized possession and dissemination of information related to national defense is illegal. But he also hinted that prosecutors were looking at other statutes with regard to Mr. Assange, the founder of WikiLeaks.


A government official familiar with the investigation said that treating WikiLeaks different from newspapers might be facilitated if investigators found any evidence that Mr. Assange aided the leaker, who is believed to be a low-level Army intelligence analyst — for example, by directing him to look for certain things and providing technological assistance.

If Mr. Assange did collaborate in the original disclosure, then prosecutors could charge him with conspiracy in the underlying leak, skirting the question of whether the subsequent publication of the documents constituted a separate criminal offense. But while investigators have looked for such evidence, there is no public sign suggesting that they have found any.

Did they tell a judge WikiLeaks was engaged in Espionage even while they were telling Charlie Savage it wasn’t?

Particularly from the perspective of today–as it has become clear that Rupert Murdoch has been trafficking in stolen property without his media properties mysteriously getting hacked by people we believe to be aligned with the government–the 7 month period in which DOJ has failed to find any grounds to indict WikiLeaks itself really raises questions about the justification DOJ presumably gave to a judge all those months ago to engage in illegal prior restraint.

I assume DOJ claimed WikiLeaks engaged in Espionage. I assume the government used that claim to hack WikiLeaks and engage in prior restraint. I assume the government used the same claim to cut off US-based donations to WikiLeaks. And if the government admitted that publicly, likely just a few crazy civil libertarians like me would object to the government’s violation of the First Amendment.

We’re so quaint, those of us who believe in rule of law!

DOJ could fix the crisis in legitimacy this indictment will bring about by simply explaining some detail about why they’re not pursuing the hackers that brought down a media outlet last year, but they have pursued hackers that brought down an online payment service (never mind questions about why they’re not pursuing banksters). They could simply explain what law they used–or abused–to be able to incapacitate a media outlet without violating the First Amendment.

That might give their actions today–and back in November–the patina of legitimacy.

But instead, they have apparently chosen to persist in applying their secret laws, such that they can violate the First Amendment of the Constitution, even while prosecuting others for crimes the government has presumably committed itself.

And that, my friends, is how secret law kills democracy and the rule of law.

21 replies
  1. matthew carmody says:

    I really hope kids in college and in their early 20s are paying attention to what’s going on here. I became a cynic when I was 14 and read the Warren Commission Report. I became a confirmed cynic while I was in Vietnam and saw how reporting in no way approximated reality as I knew it.

  2. P J Evans says:

    but-but-but if they did that, we might not believe them the next time they cry wolf. /s
    (I don’t what makes them think we believe what they say now. I’m thinking that just about everything that’s said by government officials is a lie.

  3. pdaly says:

    Excellent point. The dog that did not bark. Or rather the “police” responding angrily to only some dogs that bark and ignoring the calls of neighbors to investigate the louder barking dogs that are really disturbing the peace.

    btw, possible typo: “According to the public story, at least, the rule of “LIE”? died with this indictment today.”

  4. Tom in AZ says:

    matthew carmody on July 19, 2011 at 10:11 pm said:

    I really hope kids in college and in their early 20s are paying attention to what’s going on here. I became a cynic when I was 14 and read the Warren Commission Report. I became a confirmed cynic while I was in Vietnam and saw how reporting in no way approximated reality as I knew it.

    I email this stuff to several young, some in college, friends and relatives. Rarely get a response back, and some have told my wife that they just can’t deal with ‘that stuff’.
    I keep sending it, in hopes that when the light finally goes on, they’ll know who to ask for a good stash of aluminum foil.

    Tom in AZ

  5. orionatl says:

    where is eric holder in all of this?

    he is supposed to lead the doj, morally and ethically, as well as administratively;
    yet the doj careens from one unfairness, e.g., thomas drake, to another to yet another still.

    our board-room-charmer of a prez must be pleased with his tiny little purring pussycat of an attorney general,

    but i am one citizen who is not.

  6. MadDog says:

    Just a couple of more thoughts before I hit the hay:

    I’m guessing that the Feds are going to really stick it to these boys. No deals for lighter sentences. An object lesson for the rest of the hacker community.

    The Feds want the word to get out that “We mean fookin’ business!”

    The 2nd point is more of a paranoia question. I wonder if the Feds didn’t dust off and resurrect one of John Yoo’s old OLC opinions (7 page PDF mostly redacted) from page 5 for this part:

    “…[redacted] we do not believe that Congress may restrict the President’s inherent constitutional powers, which allow him to gather intelligence necessary to defend the nation from direct attack…[redacted]


    …[redacted] intelligence gathering in direct support of military operations does not trigger constitutional rights against illegal searches and seizures…[redacted]”

    Yeah, they probably just went to FISC for domestic Internet hoover warrants under the Patriot Act, but it also wouldn’t surprise me if under the rubric of “Cyberwar” that the Cyber Command folks in the NSA, who are under the DOD umbrella making them “military”, were the initial tracking dogs of war in finding the trail to the indicted. And without any warrants as Yoo’s opinion insisted were unnecessary.

    And after identifying the culprits, the “military” merely passed that “intelligence” over the wall to the FBI.

  7. JTMinIA says:

    Just to be clear, the DDoS attack executed against PayPal was not a “hack” and should not be called such; it was just a vanilla DDoS attack. Where hacking becomes mixed with DDoS is when the originator maliciously inserts code into various other machines to participate in the DDoS attack. That part is sometimes done by a hack. In other cases, however, people seem to willingly infect their own machine in order to participate in a DDoS attack. Now, I, for one, would never do this, but mostly because the IT guys at work would never believe me when I said it was a mistake. Your mileage, morals, and cover story may vary.

  8. MadDog says:

    As a response to my own MadDog on July 20, 2011 at 12:22 am comment, I couldn’t go to sleep without making a couple of crucial and important points.

    Ignore the “paranoia” humor part of my earlier comment and think about this:

    The tracking and detection of these Anonymous folks was not done by the FBI!

    Yes, the FBI could track and detect the average everyday Internet user like you and I, but the FBI simply does not have the technical chops to track down technical wizard folks like those in Anonymous.

    And rest assured that the Anonymous folks would have made a great deal of effort to disguise their tracks.

    No, the organization that tracked these Anonymous folks down had to have been the United States Cyber Command.

    And Cyber Command is functionally the National Security Agency.

    And the NSA is functionally a military component of the Department of Defense.

    Another bit of evidence for this is the relative speed at which this operation was conducted.

    No way could the FBI have done this that quickly. Only the NSA could have accomplished this in the 6 months since the PayPal attack.

    Note that like the CIA, the NSA is legally prohibited from operating domestically.

    Until now that is. Perhaps the US government lawyers even used the “figleaf” of an international component to Anonymous to justify the use of the NSA here domestically just as they did with the Bush/Cheney regime’s warrantless wiretapping.

    So what we really are seeing here is a military operation conducted domestically to track and identify the Anonymous folks who took down PayPal.

    My key takeaways?

    That this was indeed a military operation against domestic folks. Posse Comitatus is henceforth quaint and outdated.

    That this was done under the rubric of “cyberwarfare” rather than that old fashioned mechanism “law enforcement”.

    That we have crossed the proverbial Rubicon forever in regards to cyberwarfare and that its cyberspace battleground makes no distinction between actual domestic and foreign territory.

  9. emptywheel says:


    Here’s who they list as having been arrested:

    The individuals named in the San Jose indictment are: Christopher Wayne Cooper, 23, aka “Anthrophobic;” Joshua John Covelli, 26, aka “Absolem” and “Toxic;” Keith Wilson Downey, 26; Mercedes Renee Haefer, 20, aka “No” and “MMMM;” Donald Husband, 29, aka “Ananon;” Vincent Charles Kershaw, 27, aka “Trivette,” “Triv” and “Reaper;” Ethan Miles, 33; James C. Murphy, 36; Drew Alan Phillips, 26, aka “Drew010;” Jeffrey Puglisi, 28, aka “Jeffer,” “Jefferp” and “Ji;” Daniel Sullivan, 22; Tracy Ann Valenzuela, 42; and Christopher Quang Vo, 22. One individual’s name has been withheld by the court.

    So unless Kayla is the person whose name the Judge is withholding (is she a minor?), then it doesn’t look like they did.

  10. William Ockham says:

    I completely agree with MadDog. The DoD released their “cyberstrategy” last week and the operation against WikiLeaks would fit in perfectly with their approach.

  11. radiofreewill says:

    This seems like classic in-group/out-group behavior –

    Inside the group called ‘us’ there are principled differences between broadly like-minded people – but, in relation to the out-group called ‘them’ there are ideological enemies threatening to over-throw ‘our’ way of life.

    The assumption being that we all live in a Mutually Barbarous World, everywhere surrounded by the pestilence of ‘the other.’

    Rational on the inside – Irrational to the outside: All of the us’s claim to have the only ‘right’ culture, and ascribe to the thems’ the sub-human status of savage or infidel…

    …against whom ‘anything goes.’

    WikiLeaks is an ‘out-group’ precisely because they ‘expose’ our own irrational ‘stomp the bugs out’ Barbarity to a Public that’s been conditioned to think of itself as ‘the civilized good guys.’

    But, when ‘legitimacy’ depends on hiding irrational incoherency from the myth-believing Public – What really is that ‘legitimacy,’ if not the rationalization of an ideology of existential superiority over ‘the other’?

  12. Gitcheegumee says:

    Madog @2:38am

    I am curious as to the role of the ever expanding profile of fusion centers,and what part they may played in this.

    Search the terms “fusion centers and cyberwarfare ” – some very interesting links appear.

  13. JTMinIA says:

    Yes, Kayla is still a minor. It seems that they got some of the majors, but not all … not by a long shot. Maybe she’s the not-named, but maybe she’s OK. I don’t think she did much on PayPal, anyway. She was too busy with HBGary.

  14. ondelette says:

    Now, I’m not surprised DOJ indicted these folks. I’m not arguing that, if they did what DOJ alleged they did, they didn’t commit a crime.

    Oh, really? Causing damage to PayPal machines with a DDoS attack? And pray tell, how do you cause damage to an quad-Intel-based server by pinging it? Please explain, in any level of technical expertise you’re capable of. If you can run me through any process you like that makes it do anything other than hang or reboot, neither of which damage the machine, I’ll be very, very surprised. The Computer Fraud and Abuse Act makes special categories for banks that exempt them from the physical damage or misuse of passwords requirements. PayPal isn’t a bank, last time I checked.

    • bmaz says:

      Intentional interference with their business is malicious criminal damage. You prayed; I told.

  15. ondelette says:

    Damage of what kind, bmaz? The act specifies damage to the machines, as does the indictment.

    • bmaz says:

      You are severely misstating and understating the scope of “damage” under the various provisions of 18 USC 1030.

Comments are closed.