[liberationtech] "Cyber attacks", advocacy groups, and legitimacy

Yosem Companys companys at stanford.edu
Fri May 4 14:04:36 PDT 2012 

http://wajones90.tumblr.com/post/22326898619/cyber-attacks-advocacy-groups-and-legitimacy

 “Cyber attacks”, advocacy groups, and
legitimacy<http://wajones90.tumblr.com/post/22326898619/cyber-attacks-advocacy-groups-and-legitimacy>

 Yesterday, Avaaz <http://avaaz.org/> posted a newsletter release stating
that they were experiencing a “massive” cyber attack, sophisticated to the
point that

 “likely only a government or major corporation could launch an attack this
large, with massive, simultaneous and sophisticated assaults from across
the world to take down our site.”

https://secure.avaaz.org/en/massive_attack_on_avaaz_b/

Their immediate followup, in the same newsletter, is to ask for donations
on their website, to contribute to a “defence fund” to protect against
future attacks.

This raises all kinds of alarm bells - not of the kind it is in Avaaz’s
interest to raise.

   - if their website is currently under attack, should supporters feel
   comfortable donating via their website? Wouldn’t that actually put the
   supporters’ personal information or credit card details at risk?
   - how does “donating now” mitigate an ongoing attack?  Security
   investments that could come as a result would be implemented months down
   the road. If the website continued to function normally throughout that
   time, then the urgency or necessity of the “security” donations is strongly
   put into question.
   - what is the severity of the attack, and who is the expert who can
   corroborate that it is happening? Is there any third-party assessment,
   beyond Avaaz’s own internal claims?

The overall situation raises an important point - that, in the future, as
online campaigns or online activities of advocacy groups play a more
influential role, they will somehow be targeted by other actors (indeed,
corporations, governments or organizations with a different political view)
who are challenged by their activities. Without a doubt, at some point in
the future this may become a very real concern for advocacy groups.

What isn’t clear, in Avaaz’s messaging, is if that is legitimately the case
here. To - all at once - state that you are “under attack”, that you need
urgent security investments, and to ask for donations, is a combination of
messages that seems ill-advised (if not extremely questionable), especially
without any sort of third-party confirmation. *If you were pretending to be
under “cyber attack” and were hoping to solicit donations under those
grounds, your message would look exactly the same.*

What makes things much more blurry is that “cyber attack” is a term that is
almost impossible to define. Are they being spammed by some malicious
server filling their petition forms with links to (of course) questionable
pharmaceutical sites? If so, that’s less a cyber attack, and more a regular
fact of running a website on the internet, something dealt with (not always
easily) with careful (but not expensive) network security setups. Perhaps
the case here was spawned from a simple miscommunication between some
computer consultant and Avaaz’s campaign team: small-scale “cyber attacks”
are entirely normal, for any website online. In most cases, finding out
that they are occurring does not lead to a donation campaign reaching
millions.

If Avaaz was the target of a carefully-designed, globe-spanning computer
virus aimed exclusively at their systems (as was the case in the recent
Iran incidents that Avaaz’s situation is compared to
here<http://www.techweekeurope.co.uk/news/human-rights-body-avaaz-under-massive-cyber-attack-76217>),
then that would be a very different story - and a few thousand dollars in
donations would not have any impact in preventing it.

*This sets an extremely uncomfortable precedent for other non-profit
organizations.* To pay for website upgrades or network security, should
they also claim to be “under attack” by mysterious corporate cyber
attackers? If they actually are “under attack”, should soliciting donations
via their (still-under-attack) website really be the first action they take?

And finally: are the groups that are targeted most, really the most
deserving recipients of your donation money? Should *that* be your criteria
for donating to an organization?

Donate to organizations that do good work. Full stop.

And to organizations like Avaaz: if your online sites are under attack,
enlist some computer security firms perhaps on a pro bono basis to improve
your network security. If those investments cost money, ask for it, months
later, as part of your regular administrative costs - not as an urgent,
“only your donation can keep us online” appeal that can only smell
contrived (at best) or put donors at risk (at worst).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120504/3b044577/attachment.html>

More information about the liberationtech mailing list