Search Mailing List Archives
[liberationtech] "Cyber attacks", advocacy groups, and legitimacy
companys at stanford.edu
Fri May 4 14:04:36 PDT 2012
“Cyber attacks”, advocacy groups, and
Yesterday, Avaaz <http://avaaz.org/> posted a newsletter release stating
that they were experiencing a “massive” cyber attack, sophisticated to the
“likely only a government or major corporation could launch an attack this
large, with massive, simultaneous and sophisticated assaults from across
the world to take down our site.”
Their immediate followup, in the same newsletter, is to ask for donations
on their website, to contribute to a “defence fund” to protect against
This raises all kinds of alarm bells - not of the kind it is in Avaaz’s
interest to raise.
- if their website is currently under attack, should supporters feel
comfortable donating via their website? Wouldn’t that actually put the
supporters’ personal information or credit card details at risk?
- how does “donating now” mitigate an ongoing attack? Security
investments that could come as a result would be implemented months down
the road. If the website continued to function normally throughout that
time, then the urgency or necessity of the “security” donations is strongly
put into question.
- what is the severity of the attack, and who is the expert who can
corroborate that it is happening? Is there any third-party assessment,
beyond Avaaz’s own internal claims?
The overall situation raises an important point - that, in the future, as
online campaigns or online activities of advocacy groups play a more
influential role, they will somehow be targeted by other actors (indeed,
corporations, governments or organizations with a different political view)
who are challenged by their activities. Without a doubt, at some point in
the future this may become a very real concern for advocacy groups.
What isn’t clear, in Avaaz’s messaging, is if that is legitimately the case
here. To - all at once - state that you are “under attack”, that you need
urgent security investments, and to ask for donations, is a combination of
messages that seems ill-advised (if not extremely questionable), especially
without any sort of third-party confirmation. *If you were pretending to be
under “cyber attack” and were hoping to solicit donations under those
grounds, your message would look exactly the same.*
What makes things much more blurry is that “cyber attack” is a term that is
almost impossible to define. Are they being spammed by some malicious
server filling their petition forms with links to (of course) questionable
pharmaceutical sites? If so, that’s less a cyber attack, and more a regular
fact of running a website on the internet, something dealt with (not always
easily) with careful (but not expensive) network security setups. Perhaps
the case here was spawned from a simple miscommunication between some
computer consultant and Avaaz’s campaign team: small-scale “cyber attacks”
are entirely normal, for any website online. In most cases, finding out
that they are occurring does not lead to a donation campaign reaching
If Avaaz was the target of a carefully-designed, globe-spanning computer
virus aimed exclusively at their systems (as was the case in the recent
Iran incidents that Avaaz’s situation is compared to
then that would be a very different story - and a few thousand dollars in
donations would not have any impact in preventing it.
*This sets an extremely uncomfortable precedent for other non-profit
organizations.* To pay for website upgrades or network security, should
they also claim to be “under attack” by mysterious corporate cyber
attackers? If they actually are “under attack”, should soliciting donations
via their (still-under-attack) website really be the first action they take?
And finally: are the groups that are targeted most, really the most
deserving recipients of your donation money? Should *that* be your criteria
for donating to an organization?
Donate to organizations that do good work. Full stop.
And to organizations like Avaaz: if your online sites are under attack,
enlist some computer security firms perhaps on a pro bono basis to improve
your network security. If those investments cost money, ask for it, months
later, as part of your regular administrative costs - not as an urgent,
“only your donation can keep us online” appeal that can only smell
contrived (at best) or put donors at risk (at worst).
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech