Lycos goes straight
One way to avoid criminal prosecution
After a week of well-deserved criticism, Lycos is abandoning its scheme to launch denial-of-service attacks against spammy websites. Did the company reform in time to avoid criminal prosecution?
A short-lived project by Lycos's European subsidiary to give users a method to "attack" spammers was an overall bad idea, albeit motivated by a laudable goal.
On December 1, 2004 Lycos Europe NV offered users the ability to download a special screensaver that reportedly used the spare cycles of your computer to continuously send HTTP requests to a list of sites that Lycos has put on its "blacklist" as belonging to identified spammers. The assumption is that, if enough people download the screen saver, the "spammers" will be bombarded with tens of millions of HTTP requests, thereby slowing down their servers, and substantially impeding their ability to send spam.
A spokesman for Lycos Europe reportedly defended the tactic stating that it was not a denial-of-service, since the attack was designed to only use up 95 per cent of the available bandwidth, always making sure that at least five per cent of capacity was available - thus, it was lawful, Lycos claimed, because service was not completely "denied."
While the goal of eliminating spam and punishing spammers is a laudable one, the approach taken by Lycos Europe was not only wrong-headed, but likely felonious.
The first problem with the Lycos screensaver solution arises out of the blacklist itself. While many companies maintain such a list, they don't appear to be required to have any particular standards for maintaining, updating, and most importantly removing entities from these lists. And woe to the unfortunate company or entity that finds itself on such a list through an accident or momentary oversight.
Lycos' approach raises the blacklist stakes considerably. It's one thing to be on a list that prevents you from sending mail - quite another if your inclusion suddenly makes you the target of an attack. This is one of the primary reasons that the law traditionally disfavors "self-help". If my company were the victim of a distributed "almost denial-of-service" attack from users of the Lycos screensaver and blacklist, you bet I would be hauling their collective derrieres into court.
Moreover, its not just the blacklisted entities that would suffer in these attacks. The ISPs that host these entities will also experience significant slowdown in performance, as will anyone else whose websites or services are hosted on the same ISP. This is particularly true if the ISP attempts to "load balance" the unusual volume of traffic.
Now, you may reply: "Serves 'em right for hosting the damned spammers." Okay; fair enough. But such a result would mandate that the ISPs be responsible for the content, volume and nature of traffic sent across their networks. We already require ISP's to "take down" infringing copyrighted and trademarked materials, notify the cops if they see illegal porn - now we are going to require them to determine whether a website they host is promoted by someone sending too much email to the wrong people? I don't think so.
Crime and Punishment
The second issue for the screensaver purveyors is distinguishing such software from viruses, worms, Trojan horses, and malicious spyware as applied to the computers onto which it is downloaded.
If those who downloaded the screensaver weren't aware of the fact that they will be a vector for an attack, than the program might be illegal. The essence of the US computer crime statute, like the UK computer misuse act and its variants throughout Europe and Asia, is to proscribe "unauthorized access" to computers. Programs that run on your computer without effective consent and do things you don't want them to (like spyware and Trojans) potentially run afoul of these statutes.
More importantly, if the downloaders did know that they were downloading software that is designed to slow down other people's computers without their consent, then the they themselves run the risk of criminal prosecution. It's not a valid defense to claim that an individual computer itself did not slow down the victim's computer.
That means Lycos Europe was effectively encouraging thousands (if not millions) of people to engage in concerted illegal conduct.
Another problem with the software is that it makes not only its purveyors but also its users potential targets for attack. It has already been reported (and denied) that Lycos Europe was the target itself of a denial-of-service attack. Although its developers claim that the IP addresses of those who use the screensaver and therefore send the traffic are not available to the victims, I personally don't see how you can establish HTTP sessions anonymously directly from your machine. Thus, corporate network owners may find themselves the victims of an escalation of attacks and counter-attacks. See what happens when we take the law into our own hands?
Finally, to Lycos's claim that it was not furthering an "actual" denial-of-service, but merely slowing down the spammers' computers, I say "Nuts!" In fact, virtually none of the actual "denial-of-service" attacks that have been successfully prosecuted involved a complete denial-of-service. The law merely requires that the attack "affect" the victim's computer, or impair its operation. If a Trojan horse were to merely slow your computer down by 95 per cent, but not completely stop it, would this preclude a prosecution of either its author of its purveyors?
After suffering week of well-deserved criticism, Lycos announced on Monday that it's abandoning the denial-of-service program. Smart move. In the US, we have a name for people who intentionally distribute and use software designed to impair the operations of others' computers without their consent. We call them "defendant."
Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.