A U.S. Appeals Court handed down a ruling this week that, at first blush, gives the public free rein to overflow a company's public email and voicemail systems in the name of a legitimate cause, even if they are intentionally hindering the company's ability to do business in the process.
Companies would be well served to pay attention to the ruling, which continues to flesh out the arguably vague U.S. Computer Fraud and Abuse Act. It means that, while they may be legally protected from such activities as malicious hacking and spamming, they can't legally prevent people from using public communications channels -- such as email and phone -- to protest a company, even if their tactics amount to a well-orchestrated DoS-style attack.
Whether the precedent set by the ruling should be viewed as a victory for proponents of free speech or for bad guys looking for loopholes to wreak havoc is best left to the beholder.
In a nutshell, here's what happened. The LIUNA (Laborers' International Union of North America) launched a protest against a Michigan-based company called Pulte Homes. The reason for the protest isn't relevant here; the important point is how the union chose to respond. It started bombarding Pulte with vast quantities of targeted emails and phone calls. The union went so far as to employ an auto-dialing service to flood Pulte with calls. The fallout: Pulte's systems couldn't handle the flood of email and calls. They became overloaded, thus hindering Pulte's ability to do business.
The technique sounds very much like an old-school DoS attack that hackers might use to shut down a website by bombarding it with fake queries. The Appeals Court even acknowledged that the union was clearly trying to hurt Pulte with its actions. However, the court overruled the previous court ruling, saying that LIUNA's actions were legal because the union was employing public communications channels and the protests were not unauthorized.
By the court's account, the union's actions did not constitute a malicious, illegal DoS-style hack, because the protesters weren't, for example, surreptitiously and illegally attacking protected back-end infrastructure recognized as off limits to the outside world. Nor did the emails constitute spam. Under CAN-SPAM, spam is unsolicited commercial messages, and the law exempts "transactional or relationship messages." By that definition, it's legitimate for a person to send letters and make phone calls to a company to, say, complain about its business practices.
It can be likened to real-world protests, such as a group of people standing outside a brick-and-mortar company on public property, holding signs and protesting the company's practices. Those types of protests are legal and protected by free speech, even though they can hinder the target company's business.
But if the protesters were to force their way into a company's private offices to protest or to otherwise gum up business practices by unplugging computers or hiding office supplies, the company would be well within its rights to have them removed.
The ruling can be viewed as a victory for free speech because it means people can continue to freely launch legitimate protest campaigns against businesses and politicians alike via email and phone calls. But it also means that groups with questionable aims can engage in similar practices under the guise of fighting for a greater good when, in fact, they're acting out of selfish interests.
Either way, it means IT admins may have to reassess just how robust their email and phone systems are, just in case their organizations happen to be the next target of a legitimate Internet Age-style protest.