Many Cyber Warfare analysts have noted the pivotal role that Twitter played in the recent (and possibly ongoing) Cyber Warfare efforts related to the Iranian election dispute. See http://tinyurl.com/lfq5pa and also http://tinyurl.com/nl56wj. However, is Twitter exposing itself to negligence liability, and if so, is there something it can do about it?
Cyber experts agree that Twitter was a main medium used to conduct denial of service (DoS) attacks on various Iranian websites. The 50,000-foot description of how this works is that thousands of twitterers post a link to the website that they wish to bombard (most websites can only handle a limited number of requests at a time). The link then initiates a continuous stream of page refresh requests to the targeted website that will eventually overcome the site if enough people click on the link. Those thousands of users not only click on the link but also repost the message as a tweet, only to have even more twitterers do the same thing, creating a domino effect. The result is that the target website crashes. A “close-to-home” example of this is how many websites (most notably Google) actually thought they were under attack following the announcement of Michael Jackson’s death. Upon hearing the news, thousands of people tweeted the announcement, causing one of the biggest spikes of Internet traffic ever. A number of sites crashed, and Google publicly admitted to thinking this surge was a DoS attack.
The Michael Jackson surge, for all intents and purposes, was an unintentional DoS attack, but what happens when Cyber Warriors want to use Twitter to intentionally conduct a DoS attack, exactly like the DoS attacks witnessed during the recent Iranian election protests?
As we learn early in law school, negligence requires duty, breach, causation, and harm. Instead of analyzing these individual elements, I will simply note several facts below, and let you (the reader) do the analysis yourself:
- It is no secret that Twitter is likely to be used for future DoS attacks. Consider, for example, the Iranian war situation and the resulting DoS attacks on various Iranian websites.
- Technologies exist that may allow Twitter to flag and possibly block “hostile” posts. (Of course, this may raise freedom of speech issues, but if the message is clearly intended to carry out illegal activities then….)
- “But for” Twitter and other similar social networking sites, the spike in Internet traffic (causing the DoS) might not be possible.
In light of the above, the marriage of Twitter and DoS attacks is a lawsuit waiting to happen. Simply stated, when a large American company experiences financial harm from a DoS attack that was made possible using Twitter, STAND BY.
This is not a matter of if; this is a matter of when.
Twitter and similar sites should take steps to shield themselves from liability resulting from the above-described situation. For example, Twitter should examine its end-user agreement and expressly forbid the use of the site to conduct DoS attacks (not just forbid illegal acts in general). Twitter should also determine whether it is feasible to identify and flag when its site is being used to intentionally and maliciously conduct DoS attacks.
With that said… I have put it out there….
DW