arX

iv:1

208.

4568

v1 [

cs.C

Y]

22

Jul 2

012

Hacktivists:Cyberterrorists or Online Activists?

An Exploration of the Digital Right to Assembly

J. SlobbeI S.L.C. VerberktII

4th Junel 2012

Abstract

The last decade, online activism has vastlygrown. In the current digital society, fromtime to time citizens decide to expresstheir opinion by attacking large corpor-ations digitally in some way. Where theactivists claim this to be a digital as-sembly, others see it as criminal offences.

In this paper, we will explore the legaland technical borders of the digital rightto assembly. By doing so, we can gain in-sight into digital manifestations and makeup the balance on the digital right to as-sembly. As an additional contribution, wewill discuss how the digital right to as-sembly could be granted and which legaland technical requirements should be setfor a digital assembly.

Keywords

Right to Assembly, Digital Assembly, Dis-tributed Denial of Service (DDoS), VirtualSit-In, Digital Blockade.

Ij.slobbe@student.tue.nlIIs.l.c.verberkt@student.utwente.nl

1. Introduction

Due to groups like “Anonymous” and“LulzSec”, distributed denial of service(DDoS) attacks became a returning topicin newspapers (Teffer 2010b). Not only arethe inner workings of a DDoS attack oftenmisunderstood by the general public, therecent avalanche of attacks also showed anew phenomenon: the DDoS attacks wereclaimed to be an act of activism (Schouten2010).

In this paper, we will investigate the useof a DDoS attack as a means of exercisingthe right of assembly1. Furthermore, wewill also discuss how a digital right to as-sembly could be embodied in current le-gislation. For this embodiment, we willbase ourselves on the characteristics of theright to assembly and how this relates tothe digital world. We will also presenta set of both legal and technical require-ments a digital assembly should complywith.

We will start out with discussing thegeneral terminology, in Section 2, wherewe will discuss, amongst others, the(D)DoS, (online) activism, and the legalsubsidiarity problem. Afterwards, the

1

legal part of this paper commences witha short survey of the right of assembly, inSection 3. In this survey, we will discussnotable characteristics of digital availab-ility attacks in the light of the right toassembly. This is followed by a discussionof attacks on availability in criminal law,in Section 4, which also notes recent caselaw on the (D)DoS. Before the legal sec-tion is concluded, in Section 7, we will dis-cuss the policy of the public prosecutor, inSection 5, and civil disobedience, in Sec-tion 6. Finally, we will focus on embody-ing the right to assembly discussing theoption to embed it in the current legisla-tion or to formulate complete new legis-lation and thereby set requirements to adigital assembly, in Section 8, followed bya technical adoption, in Section 10.

1.1. Related work

According to Klang (2005), the currentlegislation criminalising DDoS attacks inthe name of (cyber)terrorism have a seri-ous effect on the civil rights of individuals.Klang (2005) vouches for a more modestapproach to the DoS technique, which isnot build upon the notion of cyberterror-ism.Kreimer (2001) states that the digital

world has the potential of facilitating so-cial movements of all sorts and is increas-ingly being used for this cause2. In hispaper, besides discussing the value of thedigital world for social movements as wellas the risks, he also touches on the phe-nomenon of hacktivism. The three dis-cussed approaches to hacktivism are di-gital graffiti, political attacks on systems– under which he categorises the virtualsit-in, which is discussed in detail in Sec-tion 2.2 –, and the digital release of secretinformation. In his argument, Kreimer(2001) states that the virtual sit-in is

probably as legal as repeatedly shoutingwith the goal of making verbal commu-nication impossible.Samuel (2004) constituted a very de-

tailed and broad overview of hacktivismand all its forms. One of the types dis-tinguished is the performative hacktivism,which she describes as legally ambigu-ous. The group of performative hacktiv-ists tries to take a more artistic approachto pressing political issues. As one of theirinstruments, the virtual sit-in is named.Samuel (2004) notes that the virtual sit-in may be a legal version of the DDoS.

2. Terminology

Since this paper offers a cross disciplin-ary perspective on digital assemblies andrelated subjects, consisting of both com-puter science and legal studies, we willstart with the establishment of termino-logy. This way, we can acknowledge thedifferent meanings of terms based on thedifferent fields of science and to preventus from misunderstandings. In this sec-tion, we will touch upon the phenomenaof (distributed) denial of service, (virtual)sit-ins, (online) activism, (cyber)terrorismand other subjects fundamental to this re-search.

2.1. (D)DoS

A denial of service (DoS) attack can bedefined as an attack on the availabilityof a system (Anderson 2008). A distrib-uted denial of service (DDoS) attack is thesame type of attack, but the attack ori-ginates from multiple parties. There aremultiple techniques for executing a denialof service attack on a computer system(Kang, Zhang and Ju 2006). Currently, away to distinguish attacks is based on the

2

method of attack. The method of flood-ing boils down to sending lots of data toa server until the maximum capacity isreached and the machine is unable to pro-cess new data requests or only able to doso very slowly. This type of attack is mostoften executed in a distributed fashion –possibly using a network of hacked com-puters –, because it takes lots of data re-quests for a server to become unavailable.Notice that this technique is also used forload balance testing – tests aimed at find-ing out the maximum number of users asystem can take.Another method of attack is by exploit-

ing known weaknesses in the software usedon the server. Sending a single maliciousrequest to the target could lead to theserver software entering a deadlock, crash-ing, or otherwise being pushed into deny-ing service to other clients. One com-mon technique to disable a server thatuses a relational database is SQL injection(Kindy and Pathan 2011). SQL Injectionis a type of attack on a Web applicationwhere the attacker provides SQL code –the language used to query databases –as user input to perform unauthorized ac-tions. This type of attack may allow asingle attacker to shut down the service.However, there are methods that lie in

between. For example, the DNS ampli-fication attack, as described by Vaughnand Evron (2006), abuses a property ofthe DNS infrastructure – the subsystemresponsible for translating domain namesto IP-addresses. This makes it possiblefor an attacker to generate 8.5 times moretraffic then with an ordinary (D)DoS at-tack. Therefore, the critical group of at-tackers, in case of a distributed attack, isdecrease by a proportion 8.5.When regarding the physical world, the

usage of a method such as DNS amplific-ation can be compared to a group of pro-

testers blocking a bottleneck of a build-ing, e.g. a single entry to the construction.The impact of this group increases signi-ficantly by the use of a bottleneck, whencompared to their impact in an open field.In this paper, we will consider whetherthis is on the verge of permissible use ofweaknesses in an assembly or not.Of course, the discussed techniques can

also be combined. For example, it is pos-sible to use one of the techniques men-tioned to attack other services, causingthe operating system to fail and makingthe intended service unavailable.For average users, some of the tech-

niques may be hard to understand.However, there exist tools that al-low for an attack by means of asimple click on a button. Suchtools are, for example: TFN, TFN2K,Mstream, Naphta, Stacheldracht-V2.66,Stacheldrachtv4, Trinoo, Shaft, IRCbots,FAPI, Targa, Trinity, LOIC3 (Dietrich,Long and Dittrich 2000). For the sakeof simplicity, we exclude physical (D)DoSattacks. In the rest of this paper, the(D)DoS attack is defined as an attack onthe availability of an information systemfrom one or more remote systems capableof achieving its goal – causing unavailab-ility.

2.2. Virtual Sit-Ins

The virtual sit-in is when a large groupof people rapidly reloads a specific webpage (Samuel 2004). This method is pop-ularised by a group of activists that callsthemselves the Electrohippies Collective(Klang 2005). As opposed to traditionaldistributed denial of service attacks, thismethod requires the consent and activeparticipation of every participant. Thus,the virtual sit-in requires a critical massin order to be of any effect.

3

Furthermore, the method of virtual sit-ins does not use the system different fromthe normal use, besides that the amountof requests is a lot higher than the nor-mal case. In other words, the virtual sit-indoes not abuse the system in a technicalsense, e.g. using an exploit.

2.3. Online Activists

Samuel (2004) defines those that non-violently use illegal or legally ambiguousdigital tools in pursuit of political goals ashacktivists. According to her, hacktivistsare a special kind of online activists, thatdo not necessarily obey order. In otherwords, they show civil disobedience in thedigital world. We can apply this notionof hacktivism to our view on digital act-ivists. This also encapsulates online civildisobedience.In the digital world, activists may be-

have disobedient for political reasons. Ac-cording to Klang (2005), these online act-ivists exercise their fundamental rights tofreedom of expression4 and assembly5.To give a bit more context, we will

describe some characteristics from twoself proclaimed prominent digital activistgroups. As will be explained, these ex-amples do not qualify as digital assem-blies.

2.3.1. Anonymous

One distinctive characteristic of Anonym-ous is the fact that it does not have a uni-form political opinion with the seeminglyexception of the ideal of absolute freedomon the Internet – e.g. no filtering, censor-ship or content based payment should beallowed in their opinion. The communic-ation is decentralized over a broad supplyof communication channels, such as im-age boards, mailing lists and IRC chan-

nels. Since the communication is distrib-uted and the participants are eclectic intheir opinions, there is not and cannot bea leader nor spokesmen. Therefore, everydigital protest and no digital protest atall can originate from Anonymous at thesame time.One should always question a press

statement by Anonymous, becausechances are high that a statement is false– note that blaming Anonymous is aneffective way to masquerade a digital at-tack. The general method of Anonymousconsists of specifying a target and usingthe method of DDoS for taking it down,while asking for other participants on theinternet.

2.3.2. LulzSec

In comparison to Anonymous, LulzSec fo-cuses on the confidentiality of a systemrather then the availability of a system.LulzSec claims to actively hack systemsto publish personal data and credentialsstored by governments and multinationalcorporations. Self proclaimed members ofLulzSec also claim to have delivered im-portant documents to WikiLeaks.Besides the ideal of absolute freedom

on the Internet, these activists share anideal of transparency of the governmentand corporations to the society. It alsoholds for LulzSec that they do not havea spokesmen or leader. Therefore, everystatement should be treated with suspi-cion, since the name of the group couldbe misused to hide another attacker.Under current legislation, it is clear that

the activities of LulzSec are illegal, as theyfall within the scope of offences such asintrusion of information systems6. Webriefly discussed some characteristics ofLulzSec to provide an accurate overviewof hacktivism, but will not consider them

4

nor refer to them in the rest of the paper.

2.4. The Legal Problem ofJurisdiction

Two important legal problems arise whenconcerned with legislation in the digitalworld. First, we have the subsidiaritylegal problem – or the problem of jurisdic-tion. As the digital world is much largerthan country borders prescribe, it is diffi-cult to cope with cases where the nationallegislation of two countries differ. At thesame time, world wide legislation is noteasily made – not even to mention enforce-ment. We will not discuss this problem indepth, as it is an entire issue in itself, butit should be noted.The second problem is the broad spec-

trum of already existing conventions,which should be taken into account. Inour case, the Budapest Convention onCybercrime is of importance, which re-quires the national governments to crim-inalise the serious hindering of computersystems7. Of course, this convention com-plies with fundamental rights and imple-ments related safeguards8. In Section 8,we will return to this issue.

2.5. Technology Change and theImpact on Law

It is important to have technology neut-ral legislation, to the extent this is pos-sible. This means that the legislator maybe aware of the technologies at hand, butdoes not propose legislation that is spe-cifically aimed at a certain technology. Forexample, if an expensive DDoS-attack pre-vention mechanism is invented, legislationthat permits specifically DDoSes as formof assembly would be rendered mostlyuseless. However, it may be clear thatwith multidisciplinary problems, such as

those discussed in this paper, the legis-lator should provide a technical appendix.

3. Fundamental Rights and

Digital Demonstrations

The right of assembly refers to the fun-damental right for everyone to have apeaceful assembly, which is granted in theEuropean Convention on Human Rights9.This charter also grants the related rightof freedom of expression10. The right ofassembly may only be restricted when it isdone lawful, necessary in a democratic so-ciety and this is in the interest of nationalsecurity or public safety, for the preven-tion of disorder or crime, for the protec-tion of health or morals, or for the protec-tion of the rights and freedoms of others11.

In the Netherlands, the right of as-sembly is granted in the Dutch Constitu-tion12, as is the right of freedom of ex-pression13. Nevertheless, in practice, therights granted by the European Conven-tion on Human Rights14 is more import-ant. This is due to the fact that the courtsmay not judge acts of parliament andtreaties for compliance with the Dutchconstitution15. The right of assembly isregulated in Dutch legislation via the Pub-lic Manifestations Act16 (Ferdinandusse2001). Restrictions may only be imposedfor protection of health or traffic, or tofight or prevent disorder17.

It is important to note that the art-icle of the Dutch constitution that grantsthe right of assembly in its current form,only came into force on 17 February 1988(Schilder 1989). Since that change, theconstitution, literally translated, grantsthe right of assembly and manifestation18,where the change boils down to the ad-dition of manifestation19. The legislator

5

notes that manifestation refers to a groupof people publicly expresses their emotionsor wishes concerning a social or politicalsubject20. As, Schilder (1989) notes, thismay be seen as a collective form of thefreedom of expression.Finally, in Germany, the constitution

grants the right of peaceful assemblywithout registration and permission21.However, this right may be limited whenthe assembly is in the open and the limit-ation is lawful22.

3.1. The Blockade as anAssembly

Schilder (1989) notes that the Dutch le-gislator, in response to the question ifa blockade may fit within the definitionof an assembly, remarked that an action,where the aspect of collective expressionhas faded in favour of a coercive charactertowards the government or a third party,cannot be seen as an assembly as meantin the constitution23. However, later theMinister of Internal Affairs added thatthis does not mean that a manifestationcannot have characteristics of a blockade.Schilder (1989) summarises that as long asan assembly in the form of a blockade doesnot have the goal of imposing a decisionor action, it fits the definition.In 1996, the court of appeal judged

in a case between a chlorine producerSolvay and environment defence organisa-tion Greenpeace24. Greenpeace had de-cided to impose a blockade on the chlorinetransport of Solvay. Due to the fact thatGreenpeace did not notify Solvay, did notconsult the company on the consequences,did not leave room for alternatives, anddid not clarify on the duration of theirblockade, the intervention with the affairsof Solvay subordinated the interests of thecompany overly to the interests pursued

by Greenpeace. This resulted into thecourt ruling that the action of Greenpeaceshould be qualified as a tort.Furthermore, the Greenpeace vs Solvay

case shows that the freedom of expres-sion25 may provide the right to infringeother rights26. However, due to the com-plete inconsideration of the interests ofSolvay, this argument does not hold. Sim-ilarly, a ruling of the court of appeal inThe Hague showed that a blockade maybe allowed in the context of a strike undervery strict circumstances27.In another case against Greenpeace, ori-

ginating from the summer of 1982, thecourt states that as it is unavoidable thatsome damages occur during an assembly,this should be allowed to a certain de-gree28 (Schilder 1989). Furthermore, peraction, there should be tailored criteriabased on to which extent the performingparty pursues a general interest, to whichextent this could be pursued differently,and the proportionality between the pos-sible damages and the pursued goal of theaction29.Although the additional requirement of

peacefulness to the German right of as-sembly30 seems unclear, especially whenconcerned with blockades, the legislatorprovides clarification in the German Acton Assemblies and Processions (Schilder1989). This act states that an assemblymay only be prohibited in individualcases, where the organising party or hissupporters – not others that want to cre-ate havoc at the expense of the assembly– have a violent or inflammatory goal31.The German constitutional court has

ruled that blockades – in this specificcase sit-ins – are not outside the scope ofthe right of assembly, just because parti-cipants are accused of violent coercion32,as the constitutional notion of peaceful-ness is not as narrow as the broad defin-

6

ition of violence in the law seems to dic-tate33 (Schilder 1989). However, six yearslater, the constitutional court ruled thatthe term assembly should be interpretedas an orderly gathering of people parti-cipating in the public building of opinion,with a focus on discussion or manifesta-tion34. Furthermore, this ruling decidedthat it is not up to the parties acting upontheir right to assembly to decide how thecolliding rights of others may be limited.Thus, blockades are allowed to that extentwhere they are the normal side effect of anassembly, and not when its the goal of theassembly to hinder.

3.2. Assemblies in PrivatelyHeld Locations

If and to what extent rights also have athird-party applicability – or horizontalfunction, which means that they can alsohold between two private parties and notonly between a private party and the gov-ernment – is not stated in the EuropeanConvention on Human Rights (Haeck andVande Lanotte 2005). However, it is clearthat the European Court of Human Rightsdoes not accept direct third-party ap-plicability 35. Nevertheless, as Haeckand Vande Lanotte (2005) remark, theEuropean Court on Human Rights hasaccepted cases concerning indirect third-party applicability including cases con-cerned with the right of assembly36. Insuch a case, a member state gets sued fornot protecting the fundamental rights of acitizen against a third party.The Dutch legislator remarks that fun-

damental rights may also have a hori-zontal function37. As Haeck and VandeLanotte (2005) note, the legislator statesthat the third-party applicability is to bedecided by the judge and not the legis-lator. Thus, this is comparable to the

European case, where the judge has to bal-ance the interests of the community andthose of the relevant parties.Schilder (1989) discusses the Hoog

Catherijne-issue, named after theprivately held shopping mall at thecentral station in Utrecht. Due tothe very public character of the mall,which is highlighted even more by itsfunction as passageway, congress facil-ity, and recreational area, the right ofassembly is applicable – assuming thatthe fundamental right of assembly is notsolely meant for protection against thegovernment, but also has a horizontalfunction.It is important that the assembly has

a public character, as the Dutch legis-lator notes38. Of course, it clearly doesnot make sense to have a manifestationin a location where nobody is able to seeit. The Dutch Public Manifestations Actdefines public locations as places that byfunction or normal usage are open to thepublic39. As Schilder (1989) mentions,strikes are a bit different in this respect,as they normally happen at the workplace.Furthermore, the freedom of choice of loc-ation and time of the assembly is deemedimportant40 – this can also be concludedfrom the ruling of the German constitu-tional court41.In conclusion, the public character of

an assembly is important for its perceivedgoal as collective usage of the freedom ofexpression. Therefore, a protest in a non-public location does not fit the definitionof an assembly in most cases.

3.3. Relation of DDoS toFundamental Rights

Since the European Convention on Hu-man Rights is from 1950, the right to adigital assembly is obviously never gran-

7

ted explicitly. However, as the mediumor infrastructure which is used to executethe right to assembly42 is never explicitlymentioned, one could argue that an as-sembly executed over a digital medium,e.g. the Internet, may well be allowed,taking into account the restrictions on theright43.

As a DDoS appears most as a type ofblockade, the notes on blockades as a formof assembly are very relevant. Further-more, this leads to interpreting virtual sit-in – not necessarily following the definitionof virtual sit-in as proposed by the Elec-trohippies Collective (Klang 2005) – alsoas a type of blockade. Thus, we will inter-pret the DDoS – and the related virtualsit-in – using the doctrine of blockades andsit-ins as methods of assembly.

By approaching the DDoS as a block-ade, we first need to see if it fits in thebroad definition of an assembly. Thus, thecharacter of collective usage of the free-dom of expression must be prevalent. Ifthis is true, we learn that a DDoS maywell be protected, albeit with very strictrestrictions. To start, the DDoS may inno way be a method to force a party toa decision or action. Finally, the interestsof the party that is subject to the DDoSmust be well-balanced against the goalpursued by the protesting party, therebytaking in account possible different meth-ods to pursue this goal and the propor-tionality between the damages and thepursued goal.

As discussed before, the public char-acter of an assembly is very important.Therefore, if a DDoS does only result indowntime, without the public having anyidea of the goals the protesters pursue, itcannot be deemed an assembly.

3.4. Individual versus CollectiveActions

As discussed before, the Dutch constitu-tion recognises the right to assembly andmanifestation44. However, it does notmake a distinction between individual andcollective assemblies – being computer sci-entists, we consider an empty set stillas a set. Nevertheless, the Dutch legis-lator gives collective meaning to the defin-ition of assembly45. Furthermore, theEuropean Convention on Human Rightsdoes not make this distinction either46,nor does it distinguish between the rightof assembly and collective freedom of ex-pression47.

The Dutch Public Manifestations Actdoes not provide direct clarification on thedifference between individual and collect-ive actions48. However, this act does reg-ulate that every municipality could havea different implementation strategy of theact in local regulations49. Therefore, itis possible that one municipality makesa distinction between collective and indi-vidual protest and the other does not.

In practice, according to Embregts andNieuwenhuys (2007), there is a differencein the right to protest as individual versusthe right to protest as a collective. As anindividual protests, this is not a case forthe right of assembly, but for the right offree speech50. Therefore, the Public Mani-festations Act is not applicable. There aretwo exceptions. First, when other indi-viduals spontaneously join the protest itbecomes an assembly. The second excep-tion is when the individual protest is dur-ing another protest.

In conclusion, a strictly individualmanifestation is protected by the free-dom of speech and is not considered anassembly. Therefore, individual actionsare even better protected by fundamental

8

rights than collective actions, as there aremore safeguards implemented.

3.5. Boundaries on theFundamental Rights ofassembly

In 2007, the Dutch ombudsman released areport in which the boundaries for a phys-ical demonstration as described by theDutch public manifestations act51 are cla-rified (Embregts and Nieuwenhuys 2007).The ombudsman states that, althoughprotesting is a fundamental right, thisright may be infringed if the protest dis-proportionally disrupts security, health orproperty. The boundaries given by theombudsman could be a good base for test-ing the digital protest. The first import-ant boundary is that there is a registrationperiod of 4 days for a collective protest.This makes it possible for the object pro-tested against to enforce an injunctionif it thinks the protest disproportionallyharms his interest.

The second interesting point is thatthe identification duty52 is widened (Em-bregts and Nieuwenhuys 2007). The pro-tester does not have to be suspected of acriminal offence, but could be enforced toidentify himself as part of the protectionof order – even if the police already knowsthe suspect. For regulating purposes, thelaw enforcement authorities appreciate ascheme from the organisation about theway the protest is organised. This, how-ever, is not an obligation.

A third interesting aspect is that in-tervention of the police when the protestis near an (important) government build-ing is allowed (Embregts and Nieuwen-huys 2007). A restriction is that it is for-bidden to use tools which could be usedas weapons – such as sticks – during the

protest. This restriction could have in-teresting implication in a digital protest.The last obligation to the protest is thatthe protesters have to leave the locationof protest clean after the action. Thiscould also have interesting implication fora digital protest. Finally, the governmenthas a department for facilitating manifest-ations and assemblies.

4. Criminal Law andAvailability Attacks

The Budapest Convention on Cybercrime,which entered into force in 2004 andwas enacted in the Netherlands in 2007,urges the national governments to crim-inalise the intentionally and without righthindering the functioning of a computersystem inputting, transmitting, dam-aging, deleting, deteriorating, altering orsuppressing computer data53. At thetime of ratification, most Dutch law wasalready in line with the convention54, partof the pending act ComputercriminaliteitII55 – either originally or as an exten-sion due to the convention. As the namesuggests, at this time, there already wasan act called Computercriminaliteit56,which, amongst others, contained the firstcriminalisations of attacks on the availab-ility of automated systems.

Dutch law has several criminalisationsof attacks on the availability of automatedsystems. To start, the intentionally ren-dering unavailable of an system for tele-communications is punishable with up toa one year sentence if this affects thetransmission, storage or processing of datawithin a public telecommunication net-work or a public telecommunication ser-vice; punishable with a sentence of up tosix years if this damages goods or ser-

9

vice; punishable with a sentence of at mostnine years if this endangers life; and pun-ishable with a sentence of up to fifteenyears if this led to death57. If the act wasunintentional, sentences drop to at mostsix months in the first two cases, up toone year in the third case, and at mosttwo years imprisonment in the last case58.The legislator notes that these articles alsocriminalise the creation of unavailabilityby sending a lot of data to some electronicaddress59.The two offences discussed in the pre-

vious paragraph where introduced as themodern society became more and more de-pendent on automated systems60. The le-gislator even thought computer networksto be so important that a strike was notaccepted as an exception to the offences.Nevertheless, it is later clarified by theDutch legislator that this article is onlyconcerned with automated systems of gen-eral interest61. Furthermore, it is alsonoted that it is not focussed on caseswhere there only is slight interference andno real damage to the services.Furthermore, it is not allowed to in-

tentionally and without right make dataunavailable that is stored using an auto-mated system62. If this is done with hack-ing the sentence goes up to four years63,and without up to two years64.Finally, a sentence of at most one year

can be given for the intentionally andwithout right making unavailable of anautomated system by sending or offeringit data65. One of the main motivators forthis article was spamming66.

4.1. Case law

In 2005, the local court in The Haguedecided that a DDoS attack may wellbe punished under the conditions of thefirst part of the first member of article

161sexies of the Dutch penal code67, asit overloads the network thereby affect-ing the complete automated work68. Fur-thermore, in this specific case one websitewas attacked, but the attack resulted indowntime at other clients of the internetservice provider that hosted the attackedwebsite, which caused the judge to findingthe second part of the article also applic-able, as the services offered where broadlyinterrupted69.In the higher appeal of these cases was

referred back to the comment of the legis-lator that the articles the conviction wasbased on where relevant70, even thoughthe article of the Dutch penal code spe-cifically meant for DDoS attacks71 wasstill pending in parliament72. The otherhigher appeals had a comparable out-come73.However, another case from 200574 led

to acquittal for the court of appeal75. Themain motivation was that the court de-cided it to be not proven that the net-work of the given internet service providerwas endangered, only the specific system,which made the court decide that article161sexies of the Dutch penal code76 wasnot applicable.From the case law, we can learn that in

order to be convicted on the basis of art-icle 161sexies of the Dutch penal code77,at least an automated system of networkgeneral interest needs to be endangered78.Nevertheless, in cases where other web-sites beside the website that is subject ofthe ddos experience downtime, the articleis applicable again79.

4.2. Grounds of Justification

Mevis (2009) notes that the Dutch PenalCode provides two types of grounds forexclusion of criminal liability. Namely,grounds for justification – grounds which

10

regard the wrongfulness of the act – andgrounds for excuse – grounds which regardthe culpability of the actor. Of these, onlythe first type is of interest to our research,as we are not interested in personal cir-cumstances, but only in the general act.Especially Force Majeur80 is of relev-

ance. This article provides, due to thecase law, both a ground for justificationas a ground for excuse (Mevis 2009). Theground of justification created by this art-icle, also known as state of emergency, jus-tifies punishable behaviour when there isa conflict between the duty to solve anemergency and the duty to comply withthe law – given that the emergency is sub-stantial in proportion to the criminalisa-tion81. Mevis (2009) illustrates this typeof Force Majeur using a case where an op-tician broke the law by opening his storeoutside of the allowed shopping hours inorder to provide a client in dire need witha pair of glasses82.In some cases, the description of an

offence contains the requirement that ithappened without right (Mevis 2009).The legislator normally adds this require-ment when the described offence also fre-quently happens rightfully. The additionof without right requires the public pro-secutor to explicitly prove that the actionwas without right, whereas if this is omit-ted, the action is always considered to bewithout right, unless the defence submitsa ground for justification. In other words,the burden of proof with regard to justi-ficatory grounds is changed by the addi-tion of without right. For example, thedescription of the offence destruction83

contains the requirement without right,which, amongst others, clears honest de-molition companies of the possible crim-inal charge of destruction.As discussed before, one of the offences

commonly charged in cases concerning a

form of DDoS does not require the of-fence to be without right84. Furthermore,the legislator claims to have omitted thisrequirement due to the dependability onautomated systems and networks in ourmodern society85.

Mevis (2009) also mentions absenceof substantive wrongfulness, which is animplicit ground for justification. Thisprovides a ground of justification when theact perfectly fits the description of the of-fence, but the offender objectively actedin favour of the cause the criminalisationtries to pursue86. However, this does notfit idealistic causes87. Therefore, it is notan applicable ground of justification in thepresent research.

5. Policy of the PublicProsecutor

As Mevis (2009) discusses, the public pro-secutor may choose not to prosecute88. Inpractice, there is the possibility of tech-nical dismissal – when it is not likely theprosecution will lead to a conviction – andthe dismissal on the basis of the expedi-ency principle89 – when the public prosec-utor decides prosecution is not opportune.

When the public prosecutor considersa conviction possible, but thinks prosec-ution is not in favour of the general in-terest, he may decide to a dismissal out ofopportunity, as he considers prosecutionnot to be opportune (Mevis 2009). This isdue to the fact that Dutch criminal lawis based on the principle of opportunity,as opposed to the principle of legality –as German criminal law is. Such a de-cision that prosecution is not opportuneis a decision of policy. Furthermore, thepublic prosecutor may create guidelines,which describe when he will not prosec-

11

ute. Thus, a decision to tolerate a certaincrime may be formulated in the form ofsuch a guideline – a common example inDutch criminal law is the policy on softdrugs90 and euthanasia91.

Recently, the Public Prosecutor orderedtwo suspects of performing a DDoS on thewebsites of MasterCard and VISA to com-munity service92. These actions were –allegedly – performed with political reas-ons, namely the blocking of donations toWikiLeaks by these credit card companies(Teffer 2010b; Teffer 2010a). The publicprosecutor decided not to prosecute thesuspects under one of the offences dis-cussed in Section 4 – most notably 161sex-ies of the Dutch penal code93 –, but usetheir competence to give a punishment or-der94 – which is allowed for offences penal-ised with up to 6 years of detention. Theunderage offender was ordered to 26 hoursof community service, whereas the oldersuspect was ordered to 80 hours of com-munity service.

6. Civil Disobedience

After discussing the (D)DoS method withrespect to the European rights, criminallaw and the policy of the public prosec-utor we decided to analyse the (D)DoSmethod with respect to civil disobedi-ence to harvest (more) requirements whichcould bind a legal requirement.

With civil disobedience, we mean eventsin which citizens disobey the law, claimingto do so for a greater good (Klang 2005).An example of civil disobedience can befound in Rosa Parks, who, in 1955, refusedto give up her seat in the bus to a whiteman, whereby she broke the law.She performed this action, to oppose

against discrimination and thereby break-ing the dogma of racial differences.

In this section the guidelines providedby Schuyt (1972) will be discussed in thecontext of digital civil disobedience. Hisfirst guideline prescribes that the violationof law should be the result of a process ofdeliberation. Therefore, the time and aimof the action may not have a spontaneouscharacter. This guideline could be adop-ted in the digital infrastructure withoutthe loss of generality.The second guideline of Schuyt (1972)

describes that there must be a relationbetween the method chosen to protest andthe objective of the protest. Therefore, ifthe objective of protest concerns the phys-ical infrastructure, then a digital protestis not eligible until a later stage, when thephysical options are exhausted. However,if the objective concerns the digital infra-structure, then a digital protest is appro-priate.The third guideline prescribes public vi-

olation of the law (Schuyt 1972). If theprotester does not try to hide his actions,he stands stronger in influencing the pub-lic opinion. A typical DDoS attack couldbe anonymous and mere downtime doesnot express much opinion. Therefore, thisguideline needs technical adaptation whenimposed on DDoS as an assembly. Fur-thermore, this also fits with the publicproperty that the Dutch legislator notesof assemblies95.Besides the requirement that the vi-

olation should have a public character,Schuyt (1972) also requires voluntary co-operation when prosecuted. Therefore,the disobedient protester should not usea proxy or other means of hiding and hasto store (forensic) evidence to be able tocooperate with possible prosecution.As a fifth requirement, Schuyt (1972)

notes the absence of violence. Althoughthe technique of DDoS is classified as anattack, it does not necessarily cause phys-

12

ical harm to individuals or property – al-though it is possible. However, if the tech-nique is used against critical systems as,for example, SCADA systems (Cai, Wangand Yu 2008), it could create major phys-ical damage. Since the protester is not al-ways able to decide whether a system heblocks is important – for example, whena website is run on the same mainframeas a critical system –, the protester hasthe responsibility to exclude this risk. InSection 8, we will discuss both technicaland juridical requirements to mitigate thisrisk.

A long manifestation could harm the in-terests of other citizens, which could vi-olate the sixth requirement: the rightsof others citizens should be respected asmuch as possible. Nevertheless, this,again, boils down to an act of balancingthe interests of all involved parties.

The seventh requirement from Schuyt(1972) prescribes that all legal resourcesneed to be exhausted. One should notdirectly resort to civil disobedience, butfirst seek to use other resources such asinfluencing the public opinion, trying toenforce your rights in court, and the likes.This requirement does not differ from thephysical world, because most of the legalresources are constituted in the physicalworld.

The disobedient citizen has to acceptthe risk of being punished (Schuyt 1972).For common violations (e.g. enteringprivate terrain or temporary occupation)the maximal punishment could be accept-able to the disobedient. However, thepunishment for a DDoS could be 6 years.

Finally, the disobedient citizens is act-ing as he does to provoke a trial case incourt, in order to test his moral groundsof justifications for a judge.

7. Recap of CurrentLegislation

To get a good picture of the statusquo of digital manifestation in Dutchand European legislation, we performed athorough legal study. At this point, wewill summarise the results of the legal partof the research and give a brief descriptionof the current status of the digital right toassembly.

In Section 3, we have seen under whichconditions the DDoS may be consideredas a method of exercising the right to as-sembly. To start, the DDoS has to fitthe description of an assembly, which re-quires it to have a public character andto have a prevalent character of collectiveexpression of opinion (definition). Fur-thermore, the DDoS can be seen as a vir-tual blockade – and, thus, virtual sit-in.This gives the following requirements fora DDoS to be considered as covered by theright to assembly: reasonable alternativeshave already been pursued (subsidiar-ity), the (possible) damages of the mani-festation are proportional to the interestsof the party subject to the protest (pro-portionality), and the protest is in thegeneral interest (necessary). As we havealso seen, in Germany it would be requiredthat the blocking effect of the DDoS is aside effect of a normal peaceful assembly,which will commonly not be the case.

Especially the requirement of visibilitymakes it hard for a DDoS to be deemeda reasonable blockade, as this would re-quire artificial interventions, such as theuse of social networking, microblogs orcomparable services, where the protestingcitizens unite. As the activity should havea character of publicly collectively exer-cising the freedom of expression and notof hindering services, a loosely connecting

13

campaign on a social networking site couldbe seen as the assembly, but the DDoSitself would still be questionable. How-ever, their may be variants possible thatwithstand this requirement, such as flood-ing an email-address or contact form withthe message of the protest. Please notethat requirements considering the balan-cing of interest or the pursuing of the goalthrough other means make it less likely fora DDoS to be considered as means of ex-ercising the right to assembly in practice,they do not make the change for that tohappen negligible.

As we saw in Section 4, the DDoS iscriminalised in Dutch legislation. How-ever, it is not completely unambiguouswhich offences in particular fit the bill ingeneral, which leaves this task to case law.Due to the omission, of without right inthe most commonly used offence, any ac-tion that fits the description is consideredto be without right. In combination withthe importance the Dutch legislator has inmind, when it comes down to informationnetworks, it seems unlikely the court willallow an appeal to necessity as a groundof justification using the right to assemblyin a DDoS case.

Therefore, we can safely assume that,in most cases, it is not possible to callupon the right to assembly for a DDoSattack. Furthermore, there currently is nopolicy of the public prosecutor consideringdigital rights, which we discussed in Sec-tion 5. Nevertheless, the door is still opento the in Section 6 discussed phenomenonof civil disobedience.

8. Embodying the DigitalRight to Assembly in

Legislation

For the next step in this research, we willask ourselves to what extent digital as-semblies should be possible and how thisshould be embodied in the current legis-lation. As the first question – whetherthe digital assembly should be possible –is mostly a political question, we will fo-cus on the second question. In order to dothis, we will first evaluate if this requiresextending or creating fundamental rights,followed by the possibility of the publicprosecutor issuing a special policy.

8.1. Extending Current Rights

In the Dutch constitution, the secrecyof correspondence is granted96 (Asscher1999). As this only protects written let-ters, telegraphs, and telephone conversa-tions, it is not of use for other forms ofcommunication. However, nowadays, theright to privacy97 is understood as alsoincluding private communication. Thus,privacy was extended to fill the gap of thesecrecy of correspondence of other formsof communication. In analogy to this ex-ample, we will evaluate whether an exten-sion of the existing fundamental rights isfeasible.As discussed in Section 3, the Dutch

constitution grants the right to assemblyand manifestation98, as opposed to theEuropean Convention on Human Rights,which only grants the right to assembly99.Merely the addition of a right to mani-festation to the right to assembly may en-able digital assemblies under strict condi-tions – that fit in with the requirementswe will discuss in Section 9. Furthermore,this solution clarifies the general place of

14

the manifestation, which lies somewherebetween the right to assembly100, the rightto freedom of expression101, and the rightto association102.

There are two noteworthy risks withextending existing rights. Firstly, mostrights form a foundation for other legis-lation that builds on it, which leads todifficulties when those rights are changed.Secondly, it can feel as if the legislatortried very hard to fit in additional rightswith current legislation, when there actu-ally are enough differences to justify intro-ducing a new right.

8.2. Creating New Rights

When the Dutch government found thatintrusion into information systems wasnot punishable under trespassing, the le-gislator decided to create a new offencefor intrusion into information systems103.The new offence is based upon the offenceof trespassing, but is also an adaptationto the digital world. With this examplein mind, we will discuss the creation ofa new fundamental right to enable digitalassemblies.

The discussed right to manifestationcould also be introduced as a separateright, which has some benefits. Most not-ably, this makes the right truly separateof previous rights, and does not give it theposition of little brother in comparison tothe right to assembly. Furthermore, thisleaves room for a more specific approachto the right and its safe guards.

The most notable backside to introdu-cing new rights is that this eventuallyleads to devaluation due to the existenceof too much fundamental rights. However,it seems that the right of manifestation isrecognised highly, and thus not capable ofcausing such devaluation.

8.3. Policy of the PublicProsecutor

As we discussed in Section 5, it may bepossible to protect the digital assemblyby policy of the public prosecutor. Aspolicies of the public prosecutor are a typ-ical Dutch phenomenon, this approach isnot very useful in the global issues gen-erated by the digital world. However, itmay be of use as a temporary solution.

9. Requirements for DigitalAssemblies

A digital assembly should comply with anumber of requirements. To find these re-quirements, we will look back at the gen-eral doctrine on assemblies and try to ad-opt this to the general world. In addition,we will consider differences between thedigital and the physical world and try tofind requirements that settle these differ-ences.In Appendix A, the relations of the sev-

eral proposed requirements to each otherand the general doctrine are displayedgraphically. These figures are referred fora more detailed overview of the require-ments.

9.1. Defining Digital Assemblies

We have seen that the Dutch legislatorconsiders a manifestation as a group ofpeople that publicly expresses their emo-tions or wishes concerning a social orpolitical subject104 and that the Germanconstitutional court decided that an as-sembly should be interpreted as an orderlygathering of people participating in thepublic building of opinion, with a focus ondiscussion or manifestation105 Our idea ofa digital assembly will build further upon

15

these perceptions. Thus, we will considervisibility, the expression of opinion, andcollectivity as requirements.

9.1.1. Visibility

That assemblies should be visible is oneof the major requirements to an assembly,as this can make the difference betweenan action where the goal of hindering isprevalent and an action where the goalof publicly expressing an opinion prevails.The same goes for a digital assembly.Thus, the public should be able to see theopinion that the assembly tries to express.

9.1.2. Expression of Opinion

Besides being public, in an assembly thegoal of collectively expressing an opinionshould prevail. This means that a digitalassembly should be politically or sociallymotivated, and not be aimed at, for ex-ample, smear campaigns106.

9.1.3. Collectivity

The collective character of an assembly isone of the reasons of its power. If a verylarge group of citizens opposes a certaindecision, they are more likely to be heard,than if an individual does.

However, in the digital world, automa-tion is cheap. Thus, one could act as ifhe is a group of people. Therefore, therequirement of collectivity prescribes theone man, one vote principle.

Furthermore, a certain proportionalitybetween the size of the target and the sizeof the participants in the assembly and theimpact of the assembly is important. Inother words, assemblies require a certaincritical mass, in order to be of effect.

9.2. Permissibility of DigitalAssemblies

The court evaluates the permissibility ofan assembly on several conditions. Firstof all, the action may not be a methodto force some party to a decision or ac-tion – please note that this is also in linewith the general requirement that the ex-pression of opinion should be a prevalentcharacteristic. Secondly, the goal pursuedby the protesting party should be well-balanced against the interests of the otherparty, especially concerning possible dam-ages. Finally, other possible methods topursue the goal should have been takeninto account or tried.

9.2.1. No Coercion

As stated before, the non-permissibilityof coercion lies also with the requirementthat an assembly is mainly about the ex-pression of opinion and not about hinder-ing or comparable goals. Of course, thereis a slight difference, as the assemblingparty may try to force the opposing partywith social pressure to follow the opin-ion they are expressing. However, forcingthem at gunpoint is obviously not per-missible at all, and can be considered aform of coercion.

9.2.2. Proportionality

As we have seen before, proportionalityis always an important consideration. Inthis case, it is of great importance thatthere is a balance between the goal that ispursued and the interests of the party thatis subject to the protest. For example,if a protest aims at a local milk factorywhich actually is bound by the decisionsof the municipality, the protest may notbe proportional. However, if it was their

16

own decision that caused the protest, itmay be proportional.The same reasoning could be used for

damages. A small wrong does not justifya lot of damages, but a large issue may.Proportionality between the pursued goaland the potential damage to the interestsof the opposing party is, thus, an import-ant requirement. For this, the practicalit-ies can be left to the judge.

9.2.3. Subsidiarity

An assembly – especially a more intrusiveone – should probably not be the first an-swer when someone feels their interests –or opinions – are not heard. It is import-ant that those that want to express theiropinion have followed other possible pathsin the pursue of their goal, before theystep up to more heavier methods, such asthe assembly. Therefore, it is important toevaluate whether other methods of reach-ing the intended goals are sufficiently ex-hausted.

9.3. Enabling Orderly DigitalAssemblies

Finally, there are requirements whichmake digital assemblies orderly. These re-quirements are of a lower importance, asthey are not as much build on the legalityof the digital assembly, but say somethingabout the ability to keep order. This isnot only beneficial for the authorities, butalso for the protesters, as they have lesschance of their assembly getting hijackedfor violent or otherwise unwanted reasons.In practice, the municipality regulates

the held manifestations (Embregts andNieuwenhuys 2007). Although most of theregulations by the municipality are notstrictly required, protesters are urged tocomply with them, to prevent excesses.

This leads to a central organisation foreach assembly, which also announces theactivity. Furthermore, the police willprovide supervision, which will take actionwhen individuals step beyond the law.

9.3.1. Supervision

Within a physical demonstration, thepresence of law enforcement officers isa preventive measure against escalation.The officers can inform the mayor aboutthe status of the protest, providing himwith information to make a decisionwhether the protest should be broken up.

This requirement is hard to satisfy,since the anonymous nature of the Inter-net prevents it, although it could be sat-isfied when part of the infrastructure isprovided by the government. Neverthe-less, chances are fairly high that this infra-structure raises distrust and may for thatreason not be used.

9.3.2. Central Organisation

Most of the larger manifestations have acentral organisation. This organisation re-gisters the manifestation with the muni-cipality and tries to help the law enforce-ment to keep the organisation orderly.However, in Section 3.5, we saw that itis not required to register a manifestationnor to have a central organisation.

Even a digital assembly requires somesort of announcement to gather those whowant to protest at the right time, for theprotest to be successful. After this ac-tion, the protest can be considered re-gistered. In addition, details of the mani-festation could be provided using somesort of pseudonymity or anonymity.

17

9.3.3. Announcement

Commonly, the municipality asks its cit-izens to register manifestations. Althoughthis is not always required – for ex-ample, ad hoc manifestations cannot beregistered –, this is an interesting require-ment to discuss, due to the risk of miscon-figuration of a system, which could lead tomuch extremer effects than expected in anormal situation.

An announcement should be unambigu-ous and provably delivered to the legalsubject who is subject to the manifest-ation. This gives the legal subject ofprotest the option to ask for a delay orrejection by filing an injunction in court.The time granted by the judge should besufficient to prevent great disaster. How-ever, it should not be sufficient to disarmthe protesting party. For example, if thesubject of the protest does not repair themisconfiguration, the protest will be al-lowed at some point. Please note that, inthis example, this badly configured serveris targeted, not the misconfiguration itself.

10. Technical

Requirements forDigital Assemblies

In this section, we will discuss the tech-nical requirements, based on the legalrequirements, to make digital assembliespossible. Based on the requirement of vis-ibility, we will introduced a technical re-quirement concerning visibility. The re-quirement of collectivity brings us to in-troduce one man one vote, and group pro-portionality as technical requirements.

We will also consider additional require-ments that provide for an orderly as-sembly. From the legal requirement of su-

pervision, we come to the use of revocableanonymity. Finally, although we noticedthe existence of central organisations inSection 9.3.2, technically we acknowledgethe importance of a decentralised solution.

10.1. Visibility

A concrete example, which satisfies thevisibility requirement, is protesting by e-mail. If a digital assembly is shaped inthe form of sending multiple e-mails at apredefined time as a group, it will havethe properties of an attack on the availab-ility of a system. Furthermore, if enoughindividuals participate in sending e-mailswith, for example, large attachments andprevention against technical countermeas-ures, such as spam filters, the content isclearly visible to the subject of the protest.The visibility becomes even stronger if

carbon copies are used, in order to send acopy of the e-mail to a public place, whereit is for everyone to see (Resnick 2008).The i-box of the party that is subject tothe protest may become so full that it isnot feasible to use at that moment. Evenstronger, the memory of the mail servercould fill up and cause the server to crash,which is a (D)DoS by definition (Basset al. 1998). A recent example of such aprotest over e-mail is when a Dutch mem-ber of the European Parliament placeda call on citizens to send protest e-mailsagainst ACTA to all the members of theEuropean Parliament107.Within a physical demonstration, the

ground where the protesters assemble isimpervious for other people. However,when they watch the assembly from above– e.g. from a building – or from the side,they can clearly see the statements of thegroup. Beside carbon copying protest e-mails to publicly accessible boards, socialmedia could get filled with the collectively

18

expressed opinion of the manifestation.

10.2. One Man, One Vote

The infrastructure must ensure that eachperson has at most one vote – e.g. onedevice – in the manifestation. In the ex-ample of one device, this device may notbe able to generate more than the averageof possible request, i.e. super computersare not allowed.This requirement mainly ensures that

the use of bot-networks (Rajab et al. 2006)or hired server park capacity does not be-come legal for the use of protesting. It alsocontributes to the requirement of groupproportionality on which we will elabor-ate in Section 10.3.

10.3. Group Proportionality

The impact of the assembly should be pro-portional to the size of the target and thesize of the group of participants to the as-sembly. Therefore, it should not be pos-sible for one person to take down anotherparty single handed – e.g. by exploiting avulnerability. Comparably, a small groupof protesters should not be able to takedown a corporation that is much larger.Thus, the used techniques should com-ply with this requirement of group pro-portionality.

10.4. Revocable Anonymity

An important requirement for a protest isthat the protesters are anonymous. How-ever, when one of the protesters abusethe anonymity by, for example, trying tohack the server, the investigative authorit-ies should be able to track this individualdown. Since these authorities should notbe able to track the whole group down orotherwise abuse this procedure, revocable

anonymity can be put in place (Kpsell,Wendolsky and Federrath 2006).For revocable anonymity to work, some

entity needs to be in charge of revoca-tion. This can be implemented in multipleways. For example, critical mass based re-vocation could be used, where the protest-ers give up on people trying to disturb theevent.

10.5. Decentralised

As a non-negligible amount of the mani-festations is aimed at the government,people may not have trust in a infrastruc-ture which is actively maintained or sup-plied by that same government. There-fore, it may not be effective for a gov-ernment to straightforwardly implementthese requirements.Furthermore, as decentralisation is in

the very veins of the Internet, the di-gital assembly infrastructure should be asdecentralised as possible, thereby omit-ting central contributors to the infrastruc-ture, such as the government. In addition,the government should only contribute toparts that are necessary for law enforce-ment in the case a manifestation escalates.

11. Conclusion

In this paper, we have investigated the di-gital right of assembly, especially consid-ering attacks on the availability of inform-ation systems as assembly, e.g. the DDoS.This lead us to conclude that, in mostcases, such attacks cannot be deemed ameans of exercising the right to assembly.This is due to the fact that such attacks,which can be seen as digital blockades,do commonly not have a public character.Furthermore, the Dutch legislator arguesthat the digital infrastructure is of such

19

importance that attacks on the availabil-ity of information systems should almostalways be unlawful.We learned that an effective way of cre-

ating the right to digital assemblies canbe found in granting the right to mani-festation, which is currently only grantedby the Dutch constitution108 and thus notinvocable in court109.Finally, we discussed the requirements

that should be met to conform to thedefinition of a digital assembly – visibil-ity, expression of opinion, and collectiv-ity –, which resulted in the technical re-quirements of visibility, one man one vote,and group proportionality. We also notedrequirements for a digital assembly tobe permissible, namely a lack of coer-cion, proportionality, and subsidiarity. Fi-nally, we found that digital assemblies canbe held orderly by implementing revoc-able anonymity, acknowledging decentral-isation, and allowing some means of an-nouncement.

11.1. Further Research

Some of the threads started in this paperare of interest for future research. Digitalassemblies also have a social component.In future research, the social influences ofa digital assembly and the power this givesto the participants should be studied. Re-lated to this, the dynamics of group pro-portionality, as proposed in Section 10.3,could be evaluated.The proposed fundamental rights

should be further evaluated. The inter-sections between the digital assembly andthe Budapest Convention on Cybercrimealso require further research. This couldbe extended to the related directions andregulations of the European Union.The issue of jurisdiction will continue

to be of high importance, especially when

it concerns digital topics. In this case,it should be explored what happens whenthe European legislator grants its citizensthe digital right to assembly and the gov-ernment of the USA does not grant this.This question could also be expandedto collaboration between the EuropeanUnion and the USA in police activities.

Some legal requirements are not eas-ily translated to technical requirements,due to their nature. However, this doesleave gaps, as shown in the figures in Ap-pendix A. Therefore, we recommend fur-ther research on this translation, with afocus on those topics that are not suit-able for direct translation to technical re-quirements. Additionally, several tech-nical topics are worth further pursuance,such as the implementation of revocableanonymity.

Acknowledgement

We are very grateful for the supervision,advise, and knowledge given to us by prof.mr. dr. M. Hildebrandt. For his technicaladvise, we are very thankful to dr. J.H.Hoepman.

Notes

Section 1

1. Article 11 of the European Conventionon Human Rights

2. It should be noted that the prematurestate of digital social movements at thetime Kreimer (2001) was published hasbeen changed to a more mature state.

Section 2

3. http://sourceforge.net/projects/loic/

20

4. Article 10 of the European Conventionon Human Rights5. Article 11 of the European Conventionon Human Rights6. Artikel 138ab van het Wetboek vanStrafrecht7. Article 5 of the Budapest Conventionon Cybercrime8. Article 15 of the Budapest Conventionon Cybercrime

Section 3

9. Article 11 of the European Conventionon Human Rights10. Article 10 of the European Conventionon Human Rights11. Article 11 member 2 of the EuropeanConvention on Human Rights12. Artikel 9 van de Grondwet13. Artikel 7 van de Grondwet14. Article 11 of the European Conventionon Human Rights and Article 10 of theEuropean Convention on Human Rights15. Artikel 120 van de Grondwet16. Wet Openbare Manifestaties17. Artikel 2 van de Wet Openbare Mani-festaties18. Artikel 9 lid 1 van de Grondwet19. Kamerstukken II 1975/76, 13 872, nr.3 (MvT), p. 38-3920. Kamerstukken II 1975/76, 13 872, nr.3 (MvT), p. 3921. Artikel 8 Absatz 1 des Grundgesetzes22. Artikel 8 Absatz 2 des Grundgesetzes23. Kamerstukken II 1976/77, 13 872, nr.7 (MvA), p. 3324. Hof Amsterdam, 24-4-1996, NJ 1998,17925. Article 10 of the European Conventionon Human Rights26. Hof Amsterdam, 24-4-1996, NJ 1998,17927. Hof s-Gravenhage, 22-5-1987, NJ1988, 646

28. Rb. Amsterdam, 26-8-1982, KG 1982,15429. Rb. Amsterdam, 26-8-1982, KG 1982,154 en Rb. Amsterdam, 23-1-1986, KG1986, 9030. Artikel 8 Absatz 1 des Grundgesetzes31. 5 Absatz 3 des Versammlungsgesetzin der Fassung der Bekanntmachung vom15. November 1978 (BGBl. I S. 1789),das zuletzt durch Artikel 2 des Gesetzesvom 8. Dezember 2008 (BGBl. I S. 2366)gendert worden ist.32. 240 des Strafgesetzbuch in derFassung der Bekanntmachung vom 13.November 1998 (BGBl. I S. 3322), das zu-letzt durch Artikel 1 des Gesetzes vom 6.Dezember 2011 (BGBl. I S. 2557) gendertworden ist.33. BVerfGE 73, 206 (Sitzblockaden I)und BVerfGE 92, 1 (Sitzblockaden II)34. BVerfGE 104, 92 (Sitzblockaden III)35. Article 34 of the European Conventionon Human Rights36. ECHR 21-6-1988, no. 10126/82 (Caseof Plattform rzte fr das Leben v. Austria)37. Kamerstukken II 1975/76, 13 872, nr.3 (MvT), p. 15-1638. Kamerstukken II 1975/76, 13 872, nr.3 (MvT), p. 3939. Artikel 1 lid 1 van de Wet openbaremanifestaties40. HR, 17-10-2006, AB 2007, 2341. BVerfGE 104, 92 (Sitzblockaden III)42. Article 11 of the European Conventionon Human Rights43. Article 11 member 2 of the EuropeanConvention on Human Rights44. Artikel 9 van de Grondwet45. Kamerstukken II 1975/76, 13 872,nr. 3 (MvT), p. 39, Kamerstukken II1985/86, 19 427, nr. 3 (MvT) en Kamer-stukken II 1985/86, 19 427, nr. 5 (MvA),p. 8.46. Article 11 of the European Conventionon Human Rights

21

47. Article 12 of the European Conventionon Human Rights

48. Artikel 1 van de Wet Openbare Mani-festaties

49. Artikel 4 van de Wet Openbare Mani-festaties

50. Artikel 7 van de Grondwet

51. Wet Openbare Manifestaties52. Artikel 447e van het Wetboek vanStrafrecht

Section 4

53. Article 5 of the Budapest Conventionon Cybercrime

54. Kamerstukken II 2004/05, 30 036, nr.3, p. 1

55. Kamerstukken II 1998/99, 26 671, nr.1-2

56. Kamerstukken II 1989/90, 21 551, nr.1-2

57. Artikel 161sexies lid 1 van het Wet-boek van Strafrecht

58. Artikel 161septies van het Wetboekvan Strafrecht

59. Kamerstukken II 1996/97, 25 533, nr.3 (MvT), p. 69 en Hof ’s-Gravenhage, 10-2-2006, LJN AV1452

60. Kamerstukken II 1989/90, 21 551, nr.3 (MvT)

61. Kamerstukken II 1990/91, 21 551, nr.6 (MvA), p. 13

62. Artikel 350a van het Wetboek vanStrafrecht

63. Artikel 350a lid 2 van het Wetboekvan Strafrecht

64. Artikel 350a lid 1 van het Wetboekvan Strafrecht

65. Artikel 138b van het Wetboek vanStrafrecht

66. Kamerstukken II 1998/99, 26 671, nr.3 (MvT)

67. Artikel 161sexies lid 1 sub 1 van hetWetboek van Strafrecht

68. Rb. ’s-Gravenhage, 14-3-2005,Computerrecht 2005, 36, Rb. ’s-Gravenhage, 14-3-2005, LJN AT0222, Rb.’s-Gravenhage, 14-3-2005, LJN AT0224,Rb. ’s-Gravenhage, 14-3-2005, LJNAT0230, Rb. ’s-Gravenhage, 14-3-2005,LJN AT0239 en Rb. ’s-Gravenhage, 14-3-2005, LJN AT024969. Artikel 161sexies lid 1 sub 2 van hetWetboek van Strafrecht70. Kamerstukken II 1996/97, 25 533, nr.3 (MvT), p. 6971. Artikel 138b van het Wetboek vanStrafrecht72. Hof ’s-Gravenhage, 10-2-2006, LJNAV145273. Hof ’s-Gravenhage, 10-2-2006, LJNAV1449, Hof ’s-Gravenhage, 10-2-2006,LJN AV1451 en Hof ’s-Gravenhage, 10-2-2006, LJN AV145474. Rb. Breda, 10-11-2005, LJN AU670375. Hof ’s-Hertogenbosch, 12-2-2007, LJNBA189176. Artikel 161sexies van het Wetboek vanStrafrecht77. Artikel 161sexies van het Wetboek vanStrafrecht78. HR, 22-2-2011, RvdW 2011, 317, Hof’s-Hertogenbosch, 12-2-2007, NJFS 2007,184 en Hof ’s-Hertogenbosch, 12-9-2008,NJFS 2008, 212, LJN BF077079. Rb. Rotterdam, 14-4-2010, NJFS2010, 173, LJN BM117280. Artikel 40 van het Wetboek van Stra-frecht81. HR, 16-9-2008, LJN BC793882. HR, 16-10-1923, NJ 1923, 132983. Artikel 350 van het Wetboek van Stra-frecht84. Artikel 161sexies van het Wetboekvan Strafrecht en Artikel 161septies vanhet Wetboek van Strafrecht85. Kamerstukken II 1989/90, 21 551,nr. 3 (MvT), p. 20 en Kamerstukken II1990/91, 21 551, nr. 6 (MvA), p. 35-36

22

86. HR, 20-2-1933, NJ 1933, 91887. Rb. Haarlem, 5-6-2008, LJN BD5505

Section 5

88. Artikel 167 van het Wetboek vanStrafvordering en Artikel 242 van het Wet-boek van Strafvordering

89. In Dutch: opportuniteitsbeginsel90. Aanwijzing Opiumwet (2011A021)91. Aanwijzing vervolgbeslissing inzakelevensbendiging op verzoek (euthanasie enhulp bij zelfdoding) (2006A009 )92. http://www.om.nl/actueel-0/nieuws-persberichten/@157968/taakstraffen/

93. Artikel 161sexies van het Wetboek vanStrafrecht94. Artikel 257a van het Wetboek vanStrafvordering

Section 6

95. Kamerstukken II 1975/76, 13 872, nr.3 (MvT), p. 39

Section 8

96. Artikel 13 van de Grondwet97. Artikel 10 van de Grondwet98. Artikel 9 lid 1 van de Grondwet99. Article 11 of the European Conventionon Human Rights100. Article 11 of the European Conven-tion on Human Rights101. Article 10 of the European Conven-tion on Human Rights102. Article 11 of the European Conven-tion on Human Rights103. Kamerstukken II 1989/90, 21 551,nr. 3 (MvT)

Section 9

104. Kamerstukken II 1975/76, 13 872,nr. 3 (MvT), p. 39

105. BVerfGE 73, 206 (SitzblockadenI), BVerfGE 92, 1 (Sitzblockaden II) undBVerfGE 104, 92 (Sitzblockaden III)106. Artikel 262 van het Wetboek vanStrafrecht

Section 10

107. http://www.reddit.com/r/politics/comments/ow1v5/acta_note_from_marietje_schaake_member_of_the/

Section 11

108. Artikel 9 lid 1 van de Grondwet109. Artikel 120 van de Grondwet

References

Anderson, Ross J. (2008). Security Engin-eering: A Guide to Building Depend-able Distributed Systems. Second.Wiley Publishing. isbn: 978-0-470-06852-6.

Asscher, L.F. (1999). Constitutionele con-vergentie van pers, omroep en tele-communicatie. Ed. by L.F. Asscher.Kluwer.

Bass, T. et al. (Mar. 1998). ‘E-mailbombs and countermeasures: cyberattacks on availability and brand in-tegrity’. In: Network, IEEE 12.2,pp. 10 –17. issn: 0890-8044. doi:10.1109/65.681925.

Cai, Ning, Jidong Wang and XinghuoYu (July 2008). ‘SCADA systemsecurity: Complexity, history andnew developments’. In: Indus-trial Informatics, 2008. INDIN2008. 6th IEEE International Con-ference on, pp. 569 –574. doi:10.1109/INDIN.2008.4618165.

23

Dietrich, Sven, Neil Long and David Dit-trich (2000). ‘Analyzing DistributedDenial of Service Tools: The ShaftCase’. In: Proceedings of the 14thSystems Administration Conference(LISA 2000), pp. 329–339.

Embregts, M. C. D. and J. Nieuwen-huys (Dec. 2007). Demonstrerenstaat vrij. Tech. rep. 2007/290.De Nationale Ombudsman. url:http://www.nationaleombudsman-nieuws.nl/sites/default/files/rapport_2007-290.pdf.

Ferdinandusse, W.N. (2001). ‘De straf-baarheid van een grondrecht: deWet Openbare Manifestaties enhet grondrechtelijke karakter vande betoging’. In: Nederlands Jur-istenblad 13.76, pp. 615–619. url:http://dare.uva.nl/record/92571.

Haeck, Yves and Johan Vande Lanotte(2005). Hankdboek EVRM, Deel 1:Algemene beginselen. Ed. by YvesHaeck and Johan Vande Lanotte. In-tersentia.

Kang, Jian, Yuan Zhang and Jiu-Bin Ju (Aug. 2006). ‘ClassifyingDDoS Attacks by HierarchicalClustering Based on Similarity’.In: Machine Learning and Cyber-netics, 2006 International Con-ference on, pp. 2712–2717. doi:10.1109/ICMLC.2006.258931.

Kindy, D.A. and A.K. Pathan (June2011). ‘A survey on SQL injection:Vulnerabilities, attacks, and preven-tion techniques’. In: IEEE 15th In-ternational Symposium on ConsumerElectronics (ISCE), pp. 468 –471.doi: 10.1109/ISCE.2011.5973873.

Klang, Mathias (2005). ‘Virtual Sit-Ins,Civil Disobedience and Cyberterror-ism’. In: Human Rights in the DigitalAge. Ed. by Mathias Klang and An-drew Murray. Routledge-Cavendish.Chap. 11, pp. 135–145.

Kpsell, Stefan, Rolf Wendolsky andHannes Federrath (2006). ‘RevocableAnonymity’. In: Emerging Trends inInformation and Communication Se-curity. Ed. by Gnter Mller. Vol. 3995.Lecture Notes in Computer Sci-ence. Springer Berlin / Heidelberg,pp. 206–220. isbn: 978-3-540-34640-1. doi: 10.1007/11766155_15.

Kreimer, Seth F. (2001). ‘Technolo-gies of Protest: Insurgent SocialMovements and the First Amend-ment in the Era of the Inter-net’. English. In: University ofPennsylvania Law Review 150.1,pp. 119–171. issn: 00419907. url:http://www.jstor.org/stable/3312914.

Mevis, P. A. M. (July 2009). Capita Stra-frecht. Ed. by P. A. M. Mevis. 6th.Ars Aequi Libri.

Rajab, Moheeb A. et al. (2006). ‘A mul-tifaceted approach to understandingthe botnet phenomenon’. In: IMC’06: Proceedings of the 6th ACM SIG-COMM on Internet measurement.New York, NY, USA: ACM Press,pp. 41–52. isbn: 1595935614. doi:10.1145/1177080.1177086.

Resnick, Peter W. (Oct. 2008). In-ternet Message Format. RFC5322 (Draft Standard). Inter-net Engineering Task Force. url:http://www.ietf.org/rfc/rfc5322.txt.

Samuel, Alexandra Whitney (2004).‘Hacktivism and the Future ofPolitical Participation’. PhD thesis.Harvard University.

Schilder, Arnold Emanuel (1989). Hetrecht tot vergadering en betoging. Ed.by Arnold Emanuel Schilder. GoudaQuint.

Schouten, Peter (14th December2010). ‘Vervolging van cyber-aanvaller is onzin’. In: NRC

24

Handelsblad 41.64, p. 9. url:http://archief.nrc.nl/index.php/2010/December/14/Overig/09/Vervolging+van+cyberaanvaller+is+onzin.

Schuyt, C. J. M. (1972). Recht, orde enburgerlijke ongehoorzaamheid. Dutch.Ed. by C. J. M. Schuyt. Rotterdam:Universitaire Pers Rotterdam. isbn:9023762266.

Teffer, Peter (15th December 2010a). ‘Devrije mening heiligt de aanval’. In:NRC Handelsblad 41.65, p. 3. url:http://archief.nrc.nl/index.php/2010/December/15/Overig/03/De+vrije+mening+heiligt+de+aanval.

— (Sept. 2010b). ‘’Vijanden’WikiLeaks aangevallen’. In: NRCHandelsblad 41.60, p. 9. url:http://archief.nrc.nl/index.php/2010/December/9/Buitenland/09/’Vijanden’+WikiLeaks+aangevallen.

Vaughn, Randal and Gadi Evron (July2006). DNS Amplification Attacks.

A. Relations of theRequirements

In figure 1, the relations of the require-ments of the proposed definition of a di-gital assembly are displayed. Figure 2does the same for the requirements con-cerning the permissibility of a digital as-sembly. Finally, figure 3 concerns the re-quirements for orderly digital assemblies.

25

Definition of adigital assembly

A group of peoplethat publicly expresses

their opinion ( 7)

Visibility ( 9.1.1)

Expression ofopinion ( 9.1.2)

Collectivity ( 9.1.3)

Visibility ( 10.1)

One manone vote ( 10.2)

Groupproportionality ( 10.3)

Figure 1: Relations of the requirements of the proposed definition of a digital assembly.

Permissibility of adigital assembly

The protest is in thegeneral interest ( 7)

Possible damagesare proportional ( 7)

Alternativeshave been pursued ( 7)

Expression ofopinion ( 9.1.2)

No coercion ( 9.2.1)

Proportionality ( 9.2.2)

Subsidiarity ( 9.2.3)

Figure 2: Relations of the requirements concerning the permissibility of a digitalassembly.

Order within adigital assembly

Policesupervises ( 9.3)

Centralorganisation thatanounces ( 9.3)

Supervision ( 9.3.1)

Centralorganisation ( 9.3.2)

Announcement ( 9.3.3)

Revocableanonymity ( 10.4)

Decentralised ( 10.5)

Figure 3: Relations of the requirements to an orderly a digital assembly.

26