As reaction to the WikiLeaks affair shows, online users expect websites to protect their privacy at all costs. And with ‘payback’ technologies increasingly available if they don’t, companies will need to decide which side they’re on.

When, a year ago, we highlighted the danger of thinking that traditional legal remedies could be applied to online allegations (‘Don’t reach for the lawyers’, December 2009), we could not have foreseen that 2010 would end with the US government battling it out with the proponents of free speech following the publication of confidential diplomatic cables on the whistleblowing website, WikiLeaks. Our judgment of the risk remains the same: the US Department of Justice may win some legal battles, but it is likely to lose the war. And this particular war may have far-reaching consequences.

To recap: on 7 January this year, it emerged that the US justice department had obtained a court order demanding that social network site Twitter hand over details of a number of people linked to WikiLeaks, among them Icelandic parliamentarian Birgitta Jónsdóttir. It had thrown a gagging order into the bargain. Twitter challenged the gag, and won, allowing it to notify the named users that their data had been requested and giving them time to prepare.

Wired magazine’s comment that “by standing up for its users, Twitter showed guts and principles” was echoed globally by the network’s users. As a result, the US ambassador to Iceland was called in to explain why Jónsdóttir’s details were being sought. Bloggers are now keen to know whether Facebook and Google received similar court orders and, if so, why they had not been challenged.

Protest blockade

Immediately before releasing the series of leaked cables, WikiLeaks suffered several distributed denial of service (DDOS) attacks, which succeeded in putting the website temporarily offline. In an apparent act of revenge, sites that had refused to support WikiLeaks were targeted in return, with Mastercard briefly being forced offline and Amazon also targeted. The ‘hacktivist’ group Anonymous, which has hitherto confined its actions mostly to anti-piracy organisations and the Church of Scientology, is widely believed to have had a hand in these attacks, dubbed ‘Operation Payback’.

The growing ease with which DDOS attacks can be mounted is a huge concern. Risk managers not familiar with the Low Orbit Ion Cannon (LOIC) might wish to track it down. This downloadable program allows a user with virtually no technical knowledge to conduct DDOS attacks – and sites are starting to appear where you can just point and click, and the website of your chosen target begins to suffer overload. The spread of similar user-friendly technologies means that the risk of cyber attack will no longer be confined to sophisticated hacking attempts. Already the ironic vocabulary beloved of the web is tagging such disruptive behaviour ‘online riots’.

The WikiLeaks saga is driving concerned social network users to the perception that their privacy may not be safeguarded by the websites they use if government lawyers step in. While this has long been the case in many countries, users mostly felt that the big US-based social networks, such as Twitter or Facebook, were safe.

As the Guardian put it: “President Obama has urged repressive regimes to stop censoring the internet, yet a bill before Congress would allow the attorney-general to create a blacklist of websites. Is robust democracy only good when it’s not at home?”

The hostile reaction to Amazon and PayPal disowning WikiLeaks by refusing to host its servers or pass on donations shows that this opinion is widely shared.

On the battleground

So, we have reached a point where concerns about online privacy are growing at the same time as ‘revenge’ technologies are becoming more widely available. Consumers already expect websites to handle their personal data carefully, but will now be increasingly concerned as to how far website owners are prepared to go to stand up to the authorities on their behalf.

Do you defend your customers’ right to privacy at all costs, or do you cave in to the first legal demand? On the one hand lies a hostile battery of lawyers, possibly backed by government fiat; on the other a network of citizens prepared to take your website down or trash your reputation if they feel betrayed. Commercial organisations may find themselves having to tread very carefully in deciding where their loyalties lie.