Distributed Denial-of-Service Attacks
Module 2: Restricting Access and Content
Overview of DDoS attacks
The UNSR on FreeEx defines a DDoS attack as a cyber-attack that seeks to undermine or compromise the functioning of a computer-based system.(1) The UNSR notes further that a DDoS attack can have the same effect as an internet shutdown. This increasingly common online phenomenon uses a large number of computers to target websites and online services and overwhelms them with more traffic than they can handle, rendering them temporarily inoperable.(2)
DDoS Attacks and critical moments
The 2019 UNSR Research Paper on Freedom of Expression and Elections in the Digital Age found:
“During elections, State actors have historically denied access to unfavourable views and information concerning incumbent officeholders. In the digital age, technological advances have enabled perpetrators to increase the scope and frequency of these attacks on freedom of expression. One common practice involves the use of Distributed Denial of Service (“DDoS”) attacks, where a network of online systems is compromised and directed to flood another online system with Internet traffic, effectively rendering the target inaccessible. These attacks have targeted the websites of political parties, journalists and media outlets, and human rights defenders and civil society organizations. Perpetrators have also targeted the websites of States’ election commissions, which publicize critical information such as changes to ballot locations. DDoS attacks are also potentially a cover for coordinated hacks on voter registration and other electoral databases and other attempts to steal the data of voters, candidates and public officials. Given that online media have become the primary resource of news and information for many voters, and the integration of electronic systems into electoral processes, DDoS attacks are likely to increase in magnitude and frequency. Furthermore, in the Internet of Things era, the growing number of connected devices makes them attractive targets for DDoS attacks.”
Given their similarity to internet shutdowns, DDoS attacks, whether committed by a state or non‑state actor, infringe the right to freedom of expression. They are usually well hidden, covert and illicit in nature, and, accordingly, fall foul of the “provided by law” requirement of article 19(3) of the ICCPR. They completely disable access to online content, usually during a critical time – such as an election – and they are distinctly disproportionate. The UNSR Research Paper further found that DDoS attacks “whether committed by State actors or their agents, are incompatible with Article 19 of the ICCPR” and are “almost always unnecessary and disproportionate measures under Article 19(3).”
The Inter-American Commission on Human Rights reported in 2013 that DDoS attacks can be extremely disruptive to the exercise of the right to freedom of expression, and, as a result, states are obligated to investigate and properly redress such attacks. The principles mentioned above and sentiments relating to access and freedom of expression are implicated by DDoS attacks. The UN Guiding Principles on Business and Human Rights can also be relied on when trying to prevent and mitigate DDoS attacks by non-state actors, including the safeguarding of systems infrastructure.
Recent DDoS attacks
In 2017, Freedom House reported:
“Independent blogs and news websites are increasingly being taken down through distributed denial-of-service (DDoS) attacks, activists’ social media accounts are being disabled or hijacked, and opposition politicians and human rights defenders are being subjected to surveillance through the illegal hacking of their phones and computers. In many cases, such as in Bahrain, Azerbaijan, Mexico, and China, independent forensic analysts have concluded that the government was behind these attacks.”
DDoS attacks are affecting states across the world, regardless of their social policies or economic status. In 2018, it was reported that a website of a Mexican political opposition party was rendered inoperable by a DDoS attack. The attack occurred during a debate between presidential candidates in the lead-up to the elections. In 2019, the South African financial sector fell victim to a string of DDoS attacks. Additionally, DDoS attacks were ranked among the top five security threats in Kenya in 2019. British political parties were also subject to back-to-back DDoS attacks in the lead-up to the general election in 2019.
Whether politically, socially or economically motivated, DDoS attacks are a legitimate threat to freedom of expression. Nefarious state and non-state actors are becoming increasingly skilled and sophisticated, posing new challenges for states to overcome in order to ensure they fulfil their positive obligations to protect and promote freedom of expression. Mitigating DDoS attacks in future will take multidisciplinary teams of litigators and technologists working jointly to protect and promote freedom of expression.