He was eighteen when he started his first tech business, and was already sole proprietor of his second when he began helping democratic activists in Iran and other countries demonstrate safely in the face of brutal repression during the Arab Spring.
But instead of waking up to a big government contract or a peace prize, one morning Keith Wilson Downey woke up with an M4 assault rifle in his face. After an FBI SWAT team served their search warrant in Jan. 2011, the U.S. government took away his Internet access and threatened him with fifteen years in federal prison. His crime was an act of peaceful Internet protest intended to defend free speech.
The government caught him because he chose to not hide his political protest.
Keith is one of the PayPal14 — the fourteen Americans arrested for a digital denial of service (DDoS) protest against PayPal in Dec. 2010 due to its participation in the due process-free financial blockade on WikiLeaks. DDoS usually involves using software and lots of computers to make more connections to a website than it can respond to — making it unreachable to normal users. DDoS is the de facto protesting tool for online civil disobedience. In this case, about 10,000 protesters used LOIC—low-orbit ion canon — a modified network stress-testing tool — along with IRC (Internet Relay Chat) networking channels to coordinate a DDoS protest in support of WikiLeaks’ freedom of speech as a journalistic organization.
Anyone using DDoS — from political protesters to governmental security services — can easily avoid detection. One way to avoid detection when using DDoS is by using a Virtual Private Network (VPN) — a set of servers on their own network that conceals your IP address. Keith chose not to use one of his VPNs when participating in the protest, because he saw it as an act of civil disobedience that he had a political obligation to participate in as a citizen with the knowledge of how to join the protest.
The FBI asked him if he had any way of concealing himself online. He told them about his VPNs, and they asked him why they were there.
“You can tell me it was illegal ‘til you’re blue in the face — but you’ll never convince me it was wrong,” he told the arresting agents in July 2011. They stopped talking to him. He stands by his belief in Americans’ political obligation to be informed, know what the government is up to, and protect the freedom of the press.
“The press is the only protected profession in the Constitution. If there’s no freedom of the press — there’s no freedom. They’re controlling the narrative.”
The PayPal14 acted when WikiLeaks was in the news for the Iraq War files and CableGate. The U.S. Department of State asked PayPal to stop processing payments for WikiLeaks as part of a broader extrajudicial financial blockade. PayPal had been processing payments to WikiLeaks through the Wau Holland Foundation — a German non-profit that helps charities globally with the logistics of fundraising for freedom of information. PayPal complied. A leaked Army memo — leaked to WikiLeaks — shows officials in the Department of Defense (DoD) Intelligence Analysis Program considered WikiLeaks “a potential force protection, counterintelligence, operational security (OPSEC), and information security (INFOSEC) threat to the US Army.” By DoD’s logic in the memo, all independent media poses such a potential threat. This logic is consistent with Defense’s more recent operational manual classification of journalists as “unprivileged belligerents.” DoD threatens freedom of the press by targeting WikiLeaks as a potential infosec threat. Keith sees broader implications.
“It’s a violation of the freedom of press, WikiLeaks was a journalistic organization. These banks, without some sort of order from the government, don’t have the right to tell me where to send my money.” In the wake of the U.S. Supreme Court Citizens United v. Federal Election Commission (2010) ruling that corporations are people — and thus have the right to spend unlimited money on political campaigns, because spending money is a form of political expression — Keith and some other protesters felt defending equality of political expression in the U.S. was even more important than ever.
Don’t say: DDoS is hacking and hacking is like leaking and leaking is terrorism zomgs terrorism zomgs bombs terrorism liquids zomgs zomgs!
Do say: I can haz free speech?
The High Cost of Repression
All-told, the costs to Keith, the other PayPal14, Keith’s former clients, PayPal, the U.S. Government, and the cause of the defeated protest are staggering — but they don’t break down the way you might imagine.
Keith was convicted of one misdemeanor count of damaging a protected computer without authorization, and sentenced to the lowest possible crime under the Computer Fraud & Abuse Act (CFAA). He paid his $5,600 restitution on the day of his sentencing — on a credit card he can’t pay off because he can’t get a job. About 10 of the other PayPal14 had to go on probation for a year instead, because they couldn’t even pay the restitution on credit. Their probation will be up the end of this month.
Before the feds took away his Internet for a few months, Keith ran an IT business. The ban killed his business, because it kept him from doing his job. As a result, two music studios, a CPA, and two locally owned and operated coffee shops lost their tech person. A California judge later overturned the restriction, after the National Lawyer Guild picked up the PayPal14’s case — but the damage was done. The government never compensated Keith.
For their part, taxpayers footed a seven-figure bill for the feds’ operation against the PayPal14 — excluding opportunity costs of the defendants’ lost work. Direct cost to taxpayers in Keith’s case alone include: 4.5 years of “pretrial release,” ($10/day * 365 * 4.5 = $16,425) monthly or bimonthly drug testing ($42 * 18 * 4.5 = $3,402), loss of taxes from Keith not being able to work (an estimated $4,788.75
on $30,000 * 4.5 = $21,549.38), and computer checks to see what they were up to — as if that tactic could possibly be effective against any digital adversary worth his arrest — exceeding $41,376.38. Multiply that by fourteen and the direct taxpayer cost estimate comes to breaks $579,000 — without investigative and administrative costs such as serving the warrant with an FBI SWAT team armed with M4s — that’s expensive. But it’s hard to get cost estimates of federal investigations. That information is typically not released under the security exemption of the Freedom of Information Act. But sources say investigation costs here are easily another $500,000. So taking down a bunch of digital democratic peace activists in the middle of a bunch of peaceful democratic revolutions was a seven-figure operation — and taxpayers footed the bill.
In addition, economic costs to Keith alone include not being able to work ($30k * 4.5 = $135,000), totaling $154,827. The social loss of his volunteer expert aid to democratic peace activists in the Arab Spring (40-50 hours/month helping them on IRC * $60/hourly rate for his clients * 4.5 years * 12 months/year = $145,800) — is immeasurable. The economic cost of that volunteer work would have been another six figures at Keith’s former hourly rate — if he hadn’t been helping out for free.
Keith was also banned from using Twitter for a year. His understanding of the ban is that it stemmed from other protesters — having nothing to do with his case — using the service to circumvent police blockades. He was also banned from IRC for 4.5 years — the entire period of his pretrial release.
This is the digital equivalent of standing in the doorway of a Barnes & Noble holding a sign after the bookstore pulled a political author’s book for political reasons — thus blocking some consumer traffic in protest — and being banned from Starbuck’s or work in the sign industry. Even though the bookstore later told shareholders they didn’t actually suffer any financial harm as a result of the protest.
PayPal reported $5.6 million in damages from the protest to the Department of Justice (DOJ). Then, they reported $0 in damages to the SEC for the same quarter. This suggests PayPal may have committed fraud against political protesters after being instructed in the initial blockade being protested by the U.S. Government.
“PayPal could’ve just sued us — they didn’t have to file criminal charges,” Keith explained. But PayPal’s criminal charges, filed through DOJ — with the high amount of damages indicated — were the only reason Keith and his co-defendants were charged with a felony. Under the Computer Fraud and Abuse Act (CFAA), denial of service attacks are conspiracy and damage to a protected computer — even in the absence of damage. Technically, violating Facebook’s terms of service, too, is a violation of the CFAA. This is a concrete example of the type of vagueness and breadth of federal law that has led scholars and commentators like Harvey Silverglate to suggest that we all commit an average of three felonies a day — if the feds should choose to prosecute us.
Meanwhile, roughly five million Iranians who had taken to the streets under armed and sometimes live-firing police response — aided by Anonymous’s Operation Iran — went home. Arab Spring activists in several other Middle Eastern and North African countries also lost some of their technical and experienced activist support.
So while the U.S. Government legally exists for the limited purpose of protecting life, liberty, and the pursuit of happiness, in the case of the PayPal14 it undermined democratic peace activists globally by attacking peaceful protesters at home. And it may have encouraged a private company to commit fraud in the course of this seven-figure attack. A conceptual miscomprehension of Anonymous as a terrorist organization explains the kind of intense anxiety that might motivate this kind of response.
“It’s black and white and miscomprehends what groups like Anonymous are — it’s a platform, a network, there is no hierarchy, there is no single group, people are freely able to join, make a proposal, help. You end up with all these small operations doing their own thing,” Keith said.
But the language of the public discourse and the legal regime hasn’t caught up with tech thought leaders’ practice here yet. We don’t have a way to draw clear distinctions between groups like Anonymous and WikiLeaks — network, non-state actors and groups running information operations like the free press always have — versus terrorist groups like al-Qaeda using information and physical force for political ends. The use of force is a clear bright line, but it’s not the only distinction in play. Because some members of groups like Anonymous actually see themselves as defending the values for which the U.S. Government stands. In the cause of their political protest, prosecution looks like friendly fire.
Don’t say: Who is the leader of Anonymous?
Do say: Take me to the leader of your decentralized, leaderless group.