Many of us worry about the harm that we might suffer as a result of the criminal conduct of others on the Internet. We probably have not given much thought as to how we unwittingly could become potentially responsible for the online crimes of others, however. Well, now is the time to give the matter some attention.
Let's begin our thinking by turning to a recent attack on the Web site host and domain name registrar Register.com. The service for thousands of Register.com customers was disrupted because of a distributed denial of service (DDoS) attack.
A DDoS attack bombards a site with a tremendous volume of junk data such that the site no longer can function properly for legitimate customers. A DDoS attack can bring down a Web site completely or partially for varying lengths of time, potentially causing true business interruption to the great detriment of the site and its customers.
The DDoS perpetrators may launch their attacks simply to cause mischief and harm to others, or they may also be bent on extortion - threatening further attacks unless they are paid off.
So, how can others become possibly liable for the DDoS attacks of others? A DDoS attack can be routed through the "zombie" site by the perpetrators in an effort to try to cover their tracks. It is possible that a legitimate site could be infiltrated and used as the zombie site and launching pad for the DDoS attackers.
As DDoS attacks become more common knowledge, it is possible that industry standards will develop in such a way that companies reasonably should put in place technical measures to prevent their systems from being used as "zombies" for DDoS attacks coming in from the outside.
If a company were not to employ protective measures that are considered reasonable in the industry, it is conceivable that that company could be deemed negligent as to the site that ultimately is brought down by a DDoS attack. This may become an attractive legal theory, because victims of DDoS attacks may not have recourse against the true perpetrators, as they may be very difficult to locate, they could be outside the United States, or they may be judgment proof having no financial wherewithal to pay for legal liability.
This is not stating that the attack on Register.com was through a third-party zombie site. But imagine if a relatively penniless, offshore and hard to find perpetrator launched the attack through a reputable company site in the United States and that company had not taken adequate measures to block such attacks. Register.com might then in such an instance put on its thinking cap and decide to go after that reputable company for negligence.
In cyberspace, it may be prudent not only to protect yourself from attacks, but also to protect yourself from being charged with inadvertently aiding in attacks on others.
Biography
Eric Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to with the word "Subscribe" in the subject line.
Disclaimer: This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
Reprinted with permission of Findlaw.com