On the past years we have witnessed a big increase on the activities of
cybergroups like Anonymous1, LulzSec2 among others, that have created the term
Hacktivism3 to back some of their actions as legitimate protests against the
system. According to this claims and the Colombian law we want to make an
objective analysis on the new situations faced by the Colombian authorities
nowdays on this field of study.
By: Sergio Augusto Ovalle Pérez
Hacktivism according to the free crowdsourcing4 encyclopedia Wikipedia is: “The
use of computers and computer networks as a mean of protest to promote
political ends”, as well as “the non-violent use of legal or illegal digital tools in
persuit of politicals ends”. This tools include web site defacements5, redirects6,
denial of service attacks7, information theft8, virtual sit ins9, typosquatting10 among
For the cyberlawyer11 the Hacktivism term could be a very controversial one
because it contains many conducts that are very different among themselves and
some of them according to the Colombian 1273 of 2009 cybercrime Act12 are
conducts that are sactioned by law with imprisonment sentences.
Hacktivism on an analogy with activism in our legal system may have multiple
problems on subsisting, at least under the empire of Colombian law; But first, lets
try to delimit what hacktivism is and how it clashes with Colombian legislation.
Elements of Hacktivism
• Political motivation.
• Moderate outlaw orientation, as opposed to severe.
• Agressive policy circumvention.
• Capacity for solo activity.
• Most often carried out anonymously.
Forms of Hacktivism
• Defacing web sites: Is an attack on a site that changes its appearance, is
used in hacktivism to make a statement but also is used to show off the
vulneravility of the site, it can also lead to much more serious cyber crimes
such as phishing13 .
• Web sit ins: Is a form of electronic civil desobedience taking its name from
the Civil Rights Movement14 that is conducted using a DDoS15 attack.
• E Mail bombing: This are large emails with large files to target an specific
• Code for building activism sites: The act of constructing sites to suppport
• Web site mirroring: It copies the full content of a censured site and it is
posted on domains or sub domains that are not censored.
• Anonymous blogging: Is a method for blogging as an anonymous entity
using an alias or a pseudonym, it uses different web tools that allow the
blogger to keep an anonymous profile.
Hacktivism vs Colombian laws
One of the purposes of the Constitution of 1991 was to break the permanent State
of Siege16 that the Colombian State declared in order to criminalize any protest
among society. The new constitution of 1991 had different mechanisms to control
social protests such as State of Inner Conmotion17.
Social protest is a constitutional right and as such it cannot be criminalized even
under State of Inner Conmotion, but not always protest is protected as a
constitutional right. The use of the tutela18 or the knowledge of the law could help
activists and their causes better than the use of violence and illegality on the
social protest inside a democratic regime.
According to the analysis19 made by Rodrigo Uprimny and Luz María Sanchez the
use of criminal law against social protestors brings certain risks.
1. The use of criminal law for conducts that with the common use of criminal
law and constitutional law cannot be considered actions attached to a
particular felony, such as the insult to national symbolism and flags20.
2. Law can preview something as a crime but the offense could be ambiguous,
that favors an extensive interpretation of it and can end up in criminalization
of conducts that dont need any criminal treatment. On this we could talk
about the legislation on terrorism in Colombia and also about in some
articles in the 1273 Act of 2009 that we will discuss later.
3. Criminal law can preview an offense as a punishable but can get carried out
on a disproportionate way on the punishment.
The 1273 Act21 of 2009 modified the Colombian Criminal Code22 and created a new
legally protected right of protection of information and data. Its title is about the
attacks on confidentiality, integrity and availability of data and computer systems.
Its is composed of two chapters.
On chapter one we see:
Article 269A: Abusive access to an informatic system. The person that obtains
unauthorized access to a protected or non protected informatic system can get a
prison sentence from 48 to 96 months and a fine of 100 to a 1000 current minimum
Article 269B: Illegitimate obstruction to an informatic system or
telecommunications network. The person that impede, obstruct, the operation and
normal access to an informatic system and to the data contained there or to a
telecommunications network can get a prison sentence from 48 to 96 months and
a fine of 100 to a 1000 current minimum montly salaries.
Article 269C: Illegal interception of computer data. The person or entity that
without a court order intercepts informatic data on its origin, destiny or within a
computer system or electromagnetic emissions from a computer system can get a
prison sentence of 36 to 72 months.
Article 269D: Computer damage. The person that without proper authorization
destroys, damages, erases, deteriorates, alters or eliminates informatic data, or a
system for data treatment, can get a prision sentence from 48 to 96 months and a
fine of 100 to a 1000 current minimum montly salaries.
Article 269E: Use of malicious software. The person that without proper
authorization produces, traffics, purchases, distributes, sells, sends, introduces or
extracts, from or into country borders, malicious software or programs for
damaging means, can get a prison sentence from 48 to 96 months and a fine of 100
to a 1000 current minimum montly salaries.
Article 269F: Personal data violations. The person that without proper
authorization and for their own benefit or for a third party’s benefit, obtains,
compiles, sustracts, offers, sales, exchange, sends, buys, intercepts, communicates,
modifies or uses, personal codes, or personal data contained on files, databases or
similar means, can get a prison sentence from 48 to 96 months and a fine of 100 to
a 1000 current minimum montly salaries.
Article 269G: Website Defacing for capturing personal data. The person that for
illegal means and without proper authorization designs, programs, developes,
traffics, sales, executes websites, links or pop ups, can get a prison sentence from
48 to 96 months and a fine of 100 to a 1000 current minimum montly salaries when
the illegal conduct does not configurate a crime with a bigger penalty. On the same
sanction will incur the person that modifies the DNS system so that it makes an
user enter a different IP address that is not the intended site when the conduct is
not sanctioned with a bigger penalty.
Article 269H: Punitive aggravating circumstances. This article will increase the
penalties on one aditional half to three quarters if the conduct is carried towards
systems or networks owned by the goverment or State, or by the financial system
foreign or local. If the conduct is carried out by a government functionary, in the
incurrance of abuse of confidence, revealing in damage of a third party, revealing
for obtaining benefit for himself or for a third party, using a third party on his use
of good faith, and if the person responsible for this actions is the one in charge of
the information he canget banned from working in similar jobs up to three years.
On chapter two we see:
Article 269I: Theft with the use of computer systems and related means. This
person will incur on the penalties prescribed on the article 240 of the criminal
Article 269J: Transfer of assets without consent. The person that for his own
benefit using any informatic manipulation or any similar action that favors the non
authorized transfer of assets in prejudice of a third party when the conduct doesnt
configurate a crime with a bigger penalty can get from 48 to 120 months in prison,
and a fine from 200 to 1500 minimum montly salaries. The same penalty will be
imposed to the one who builds, introduces, has or facilitates the computer
program intended for the commision of the crime. The penalty can increase for this
last two articles if the amount is superior to 200 minimum monthly salaries.
The job of making laws for the digital world is truly a challenge, the internet 2.0 23
with its social networking sites, blogs and many other services allow citizens to get
in touch one with another, and so that they can get organized, do activism in a
faster and much more effective way as we had explained on previous papers24 on
Sociologist have discussed that social networks allow activists to get a faster
return on their social actions. On activism this could be that if we support one
cause and the activist is linked or retransmited in some sort of way, it can lead to
more supporters or also that the message can reach a much bigger audience.
Sometimes what the netizen25 wants is just retransmitting a message from
Anonymous or any other cybergroup where the netizen may have sympathy
towards that specific topic, even if not participating on the “sit in” convoked.
This kind of conducts could be done on an anonymous way to prevent for example
any kind of retaliations from society specially when the message is supported by a
small minority of individuals in society as it could be done in plain sight.
Examples of valid hacktivism in Colombia are clear with what we saw on 2011 for
the discussion of the Bill 241 of 2011 that was later known as the Ley Lleras26 and
nowdays with the new Bill in discussion at the Second Commission of the
colombian Senate, the Bill 202 of 201227. We see again hacktivists protesting28 the
lack of discussion of this new Bill and also the rush that the Colombian Government
is trying to apply to this whole process. We saw and we keep seeing groups being
created out of nowhere such as redpatodos.co, lacontracultura.com among others
that brought activists together to support and on this case oppose the Act
proposed by the government.
Some oppose because it did not had enough socialization among citizens, others
because it violates their fundamental rights on free speech and creation of content
inside the net under the new posibilities and also for ingprevent innovation from
happening, among many other reasons, unhappy internet users took the
discussion inside the Senate about an actual copyright reform that will also listen
to all parties involved.
Social activism and political activism online are creating what many are calling
“zeitgeist”. This zeigeists or conventional toughts or pre conceived ideas are
making part of what is the social imaginary feeling that can fuel or frustrate social
actions on the near future.
Social activism can use the short term to channel volatile will of citizens toward a
cause, also use the long term to channel the “zeitgeist” and with this achieve a
favorable enviroment for allied or own causes.
Colombian law and Colombian Constitution 29 allows freedom of tought and
expression on its article 42nd, and as on the information age30 we would have to
consider that everybody that has a computer and an internet connection is a media
broadcast center of some sort.
The 51st Act of of the 18th of december of 1973 regulates the excercise of
journalism in our country, as well as the statute of security promulgated by a
legislative decree number 1923 of september 6th of 1978 which has some special
dispositions of freedom of press and speech in conditions of disturbance of public
order that are rather restrictive in counter to the actual world healthy tendencies
for freedom of speech and press.
The article 37th of The Colombian Constitution allows citizens to peaceful
assembly and manifest in a peaceful manner, it is a fundamental right and it gives
the law the authority to regulate this matter. On the right of peaceful assembly
and association we found that the Constitution on its article 44th says that “it is
forbidden to form or create companies that are contrary to the good moral
manners and the legal system”, and also on political rights we have that the
Colombian constitution guarantees the political rights of the citizens, on its article
18 on which is said “nobody would be troubled for their beliefs and convictions”.
The 1273 Act and Hacktivism actions.
There is an actual discussion31 in matters of evidence like if an IP adress is personal
data32 and can someone be liable of an illegal action conducted through his IP
address. A british Court has ruled33 that if the IP address is used as a proof for
identifying one person charged of some illegal conduct, “does not make liable” the
suspect of the illegal actions commited.
In Colombia we do not have an actual ruling to this date but we do have people
captured34 for alleguedly committing one of the conducts established on the 1273
Act, on this particular case charged by the prosecutor Patricia Pelaez of Art 269A,
abusive access to an informatic system. This case was the widely known Sophie
Germain attack against Daniel Samper Ospina. This capture on the Sophie Germain
attack and the lack of one on the case between Anonymous and the ex president
Alvaro Uribe35 may have happened because the accused on the Sophie Germain did
not used any legal anonymous ip software such as TOR36.
In orded to make somebody liable of the conducts of the 1273 Act this would have
to be determined by specialists in computer forensics that eventually will
determine if the machine asociated to the IP address was used with the knowledge
of committing an illegal activity and that it wasnt just beign used remotely for the
illegal conduct and without its owners consent or knowledge, as for the
cyberlawyer the good use of computer forensics37 could mean winning or loosing a
This brings us to ciber crime on the 1273 Act and the convenience for the
Colombian Prosecutor on charging big amounts of netizens on a massive ciber
crime attack or a massive web sit in for example. This plus the actual need to ratify
the Budapest Cybercrime Convention 38 and also the need for an actual data
protection law that with proper regulation could protect the fundamental rights
that the 15th article of our constitution contemplates that with responsible
copyright law reforms that just do not fold for corporations lobbyst are the biggest
challenges for the lawmakers in our country as well for society on for a proper
direct interaction with the net of our netizens. We could follow recommendations
from netizens and consider building platforms big enough to have a direct
socialization of our laws in our democracies. The theory has been formulated by
Hackett on his essay Revolutionise the way we govern ourselves39 and is up for
discussion and also for implementation.
Web sit ins is a very controversial issue. A web sit in is usually conducted through a
DDoS attack which according to article 269B could be singled out as a pure
Illegitimate obstruction to an informatic system or telecommunications network.
The accusation its also backed out with article 269H where it increases the penalty
given in one half to three quarters when conducted towards networks and systems
that belong to the State.
Big internet personalities like John Perry Barlow have clearly40 opposed this kind of
hacktivism tool. Also Cory Doctorow has opposed this means of protest41 I would
have to back this positions. Specially Doctorow where he says that shutting some
one up is no acceptable means for backing up free speech.
Most sit ins are conducted against government sites and rarely towards institutions
like big lobbyst on copyright and companies that with their direct or indirect
actions have created a state of unconformity that channeled through social
networks and that when with a simple click on a button you are already taking part
in the action of protest, it may be the actual need to protest considered as a
constitutional right that we may be talking about here. This is something that
requires further discussion among lawyers and policy makers and also law
Activists will have to consider for their cause sake, that when the attack is
conducted towards a government site or impedes the normal functioning of the
State and affects other citizens rights, like for example, taking down the site of the
Colombian Police d aff affecting the issuing of the judicial certification g s. This can
affect other citizens rights when in search of a job tthey need this kind of
document for the job position. Actions like this then should be considered as
Sit ins like the onnes conducted against the DNDA in Colombia was probably a
good sit in protest. This for having so many problems the DNDA integrating all
artists or interested parties on the construction of a copyright law in Colombia that
is in accordance to alll kinds of inputs and not just the old industry. It may have
caused problems for regiistrations online but as we know according to Colombian
law the registration is not mmandatory for copyright on most works and the
registration is still available on physical means. So in this case the “sit in” may be a
valid protest under hacktivism means.
Any Hacktivist participating on a web site defacement in Colombia could be
charged of website defacement for capturing personal data if this was the intempt
of the action. If the defacement is conduct just to make a statement charges could
be article 269A or abusive access to an informatic system. Also the defacement
could be used to capture personal data and also conduct a different action also
punishable by the law such as articles 269I theft with the use of computer systems
and related means and also article 269J transfer of assets without consent. So in
Colombia no unauthorized website defacement is arguable as a legit protest.
E Mail bombing is also another punishable hacktivism activity under article 269B,
269D and 269E. The hacktivist could be charged of Illegitimate obstruction to an
informatic system or telecommunications network, also computer damage and use
of malicious software. This activities should be sanctioned as they do not represent
an actual viral activism or a valid social statement.
Code for building activism sites. This is a perfect hacktivism form that does not
clash with the legislation in Colombia. If the site does not promote hate or violence
or violates rights that can be attributed to an especific person it shouldnt have any
problems in existing legally. There are plenty of activism sites in Colombia that we
know of we would like to mention like redpatodos.co or lacontracultura.com
among many others that do not break the law and still do hacktivism.
Web site mirroring. This hacktivism tool is used usually for defense purposes.
Under Colombian law this conduct it does not represent a crime. One of the most
active web site mirrorings was the case ikwikiileaks vs USA, impass where wikileaks
sitte was taken down42 by a US DNS provider, and also bloocked by Mastercard and
Paypalpal without a court warrant. This carried out a big clashh from hacktivists
against this companies and governments that originated this situation causing
many DDoS attacks in consecuence.
Anonymous blogging. According to the article 20th of the Constitution of 1991 we
see that “is guaranteed to everybody the freedom of speech and opinions, also the
freedom to inform and receive genuine and impartial information and to establish
mass media” .
The principle of safefuarding anonymity is contemplated on our legal system and
allows the activist or whoever in proper excercise of freedom of speech to diminish
risks for the person involved in the act of freedom of expression and is properly
authorized by the 23 Act of 1982 on its article 30 which recognizes the ability of
one author of one statement or one work considered as such under copyright law
as “anonymous until his death or afterwards when so ordered by testamentary
disposition”. This may not be a very popular discourse speciallly after the policy
reigning on security issues in most of our countries after the well known events of
september the eleventh of 2001, but anyways anonymity is still a standing right.
According to the work43 of Natalia Tobón and Eduardo Varela we can conclude that
courts in Colombia have just treated the principle of safeguard anonymity when
the person or human beign is object of the information, leaving on the side two
different approaches to date.
1. One considering anonimity when the person is in the use of his freedom of
2. Considering anonymity when the person is the information source. This last
one is observed on our Constitution on the article 74 which establishes the
inviolability of the professional secret.
On a comparative law approach we see that The Supreme Court of the United
States has ruled on the much cited 1995 McIntyre Vs Ohio44 that “protection for
anonymous speech are vital to democratic discourse. Allowing dissenters to shield
their identities frees them to express critical minority views.” Also we see on the
same ruling “anonymity is a shield from the tyrany of the majority” and to conclude
“ if thus exemplifies the purpose behind the Bill of Rights and of The First
Amendment in particular: to protect unpopular individuals from retaliation at hand
of an intolerant society”. This is a very important international legal precedent for
our magistrates in our legal system in lack of decisions on this matter.
Then we consider that anonymity should be encouraged as one still standing
freedom on our liberal democratic systems. Anonymity then should be
encaouraged on situations like but not limited to:
• To protect people’s privacy from unscrupulous marketers and identity
• To protect people’s communications from irresponsible corporations.
• To protect information that you do not want to disclose like for example
your children identities.
• Research, discuss or ask about sensitive topics that may bring a strong
censoring from the community like AIDS, birth control, abortion and many
• Report abuses from authority on dangerous zones.
• Report cases of corruption within the government.
• To protect own speech when you do not intend to offend someone that you
may have a personal or professional relation by the nature of your beliefs.
• For giving a voice to the voiceless or the ones in impossibility of free speech
because of their job relations
“Unlike other social processes, the opportunity offered by the information
society,should not be measured from just an economic perspective, cultural,
legal or technological in isolation, but from a political perspective, it must
be understood as a process that runs through our society,changing it, and is
generating a series of special problems”45. Erick Iriarte.
The understanding of peacefull assembly and free speech through social protest as
fundamental rights is a big conquest to avoid criminalization of social protest in
our country. There are still several risks to finally protect the fundamental right to
social protest in digital actions.
This we need to start bringing into discussion even though when it may not be a
very popular subject to be talking about, social protest is still a standing right in
our liberal and democratic regimes so there is the discussion that the 1273 Act may
be criminalizing a fundamental right.
¿Es legítima la criminalización de la protesta social en américa latina?. Eduardo
Libertad de expresión e información en internet. Lorenzo Cotino Hueso, editor.
Unión Internacional de Comunicaciones. Guía de ciberdelitos para paises en
desarrollo. Edición 2009.