Tag: Internet

Designing an Insecure Internet

If there were any doubt that the 90s are back in style, witness the Obama administration’s attempt to reignite the Crypto Wars by seeking legislation that would force Internet services to redesign their networks and products to provide a centralized mechanism for decrypting user communications. It cannot be stressed enough what a radical—and terrible—idea this is.  I’ll be writing on this at greater length this week, but a few quick points.

First, while the Communications Assistance for Law Enforcement Act (CALEA) already requires phone and broadband providers to build in interception capacity at their network hubs, this proposed requirement—at least going on the basis of the press description, since there’s no legislative text yet—is both broader and more drastic. It appears that it would apply to the whole panoply of online firms offering secure communication services, not just big carriers, imposing a greater relative burden. More importantly, it’s not just mandating that already-centralized systems install a government backdoor. Rather, if I understand it correctly, the proposal would insist on a centralized (and therefore less secure) architecture for secure communications, as opposed to an end-to-end model where encryption is handled client-side. In effect, the government is insisting on the right to make a macro-design choice between competing network models for thousands of companies.

Second, they are basically demanding that providers design their systems for breach. This is massively stupid from a security perspective. In the summer of 2004, still-unknown hackers exploited surveillance software built into one of Greece’s major cell networks to eavesdrop on high government officials, including the prime ministers. The recent hack of Google believed to originate in China may have used a law-enforcement portal to acquire information about dissidents. More recently, we learned of a Google engineer abusing his access to the system to spy on minors.

Third, this demand has implications beyond the United States. Networks designed for interception by U.S. authorities will also be more easily tapped by authoritarian governments looking to keep tabs on dissidents. And indeed, this proposal echoes demands from the likes of Saudi Arabia and the United Arab Emirates that their Blackberry system be redesigned for easier interception. By joining that chorus, the U.S. makes it more difficult for firms to resist similar demands from unlovely regimes.

Finally, this demand highlights how American law enforcement and intel agencies have been circumventing reporting requirements designed to provide information on this very problem. As the Crypto Wars of the 90s drew to a close, Congress amended the Wiretap Act, which creates strong procedural protections when the government wants to use intrusive electronic surveillance, to add a requirement that agencies report each instance in which they’d encountered encryption.  The idea was to get an objective measure of how serious a problem this posed. The most recent report, however, cited only one instance in which encryption was encountered, out of 2,376 wiretap orders. Why, then, are we now being told encryption is a huge problem? Almost certainly because law enforcement and intelligence agencies aren’t using the Wiretap Act to intercept electronic communications—preferring, instead, to avail themselves of the far more lax standards—and spare reporting requirements—provided by the Stored Communications Act.  It’s always easier to claim you need sweeping new powers from Congress when you’ve managed to do an end-run around the provisions Congress put in place to keep itself informed about how you’re using your existing powers, after all.

Speier (D-Silicon Valley) Sows Techno-panic

“Techno-Panics” are public and political crusades against the use of new media or technologies, particularly driven by the desire to protect children. As the moniker suggests, they’re not rational. Techno-panic is about imagined or trumped-up threats, often with a tenuous, coincidental, or potential relationship to the Internet. Adam Thierer and Berin Szoka of the Progress & Freedom Foundation have written extensively about techno-panics on the TechLiberationFront blog.

Talking about techno-panic does not deny the existence of serious problems. It merely identifies when policymakers and advocates lose their sense of proportion and react in ways that fail to address the genuine issues—such as censoring a web site because it reveals the fact that some few among a community of tens of millions of people will conspire to break the law.

You’d think that a congressional representative from the heart of Silicon Valley would not sow techno-panic, but here’s Jackie Speier (D-Calif.) on the Craigslist censorship issue:

“We can’t forget the victims, we can’t rest easy. Child-sex trafficking continues, and lawmakers need to fight future machinations of Internet-driven sites that peddle children.”

Of all representatives in Congress, Speier should know that Craigslist has been making it easier for law enforcement to locate and enforce the law against any perpetrators of crimes against children. Pushing them to rogue sites does law enforcement no good. Censoring Craigslist only masks the problem, which may be in the interest of politicians, but definitely not children.

Unleashing an Internet Revolution in Cuba

By now the name of Yoani Sánchez has become common currency for those who follow Cuba. Through the use of New Media (blog, Twitter and YouTube) Yoani has challenged the Castro regime in a way that various U.S. government-sponsored efforts have  failed to do before, earning the respect and tacit admiration of even those who continue to sympathize with the Cuban regime. As my colleague Ian Vásquez put it a few months ago, Yoani keeps speaking truth to power.

Although she’s a remarkable individual, Yoani is not alone in fighting repression with technology. Other bloggers are making their voices heard, and that makes the Castro dictatorship nervous. As Yoani wrote in a paper recently published by Cato, despite the many difficulties and costs that regular Cubans face when trying to access the Internet,

… a web of networks has emerged as the only means by which a person on the island can make his opinions known to the rest of the world. Today, this virtual space is like a training camp where Cubans go to relearn forgotten freedoms. The right of association can be found on Facebook, Twitter, and the other social networks, in a sort of compensation for the crime of “unlawful assembly” established by the Cuban penal code.

As recent events in Iran and elsewhere have shown, once a technology becomes pervasive in a society, it is extremely difficult for a totalitarian regime to control it. A new paper published today by the Cuba Study Group highlights the potential of technology in bringing about democracy and liberty to Cuba. The document, entitled “Empowering the Cuban People through Technology: Recommendations for Private and Public Sector Leaders,” also recommends lifting all U.S. restrictions that hinder the opportunities of companies to provide cell phone and Internet service to the island. For example, the paper reviews the current U.S. regulatory framework on technology investment in other repressive regimes such as Iran, Syria, Burma and North Korea, and finds that “the U.S. regulations governing telecommunications-related exports to Cuba are still some of the most restrictive.”

By removing these counterproductive restrictions, Washington could help unleash an Internet revolution in Cuba. More Yoanis will certainly bring about more change in the island than 50 years of failed U.S. trade and travel bans.

Technology vs. Tyranny

The Wall Street Journal reports Saturday that Turkey and Pakistan are blocking, monitoring, and threatening such websites as Google, YouTube, Facebook, Yahoo, and Amazon. At least you’ve got to give them credit for going after the big guys! The Journal notes, “A number of countries in the Islamic world, including Iran and Saudi Arabia, have banned Internet content in the past for being sacrilegious. But those countries have authoritarian governments that closely monitor the Internet and the media.” Of course, it’s not just Islamic countries that try to protect their citizens – or subjects – from dissenting thoughts. China has been involved in well-publicized battles with Google, Rupert Murdoch’s Star TV, and other media companies.

But it’s hard to make your country a part of the world economy and keep it closed to outside thoughts and images. North Korea may be able to do it – though recent stories suggest that even the benighted people of the world’s most closed society know more about the world than we have previously thought. Countries that don’t want to be North Korea have a harder time. The latest example: Thomas Erdbrink reports in the Washington Post that Murdoch’s Farsi1 satellite station is

pulling in Iranian viewers with sizzling soaps and sitcoms but has incensed the Islamic republic’s clerics and state television executives.

Unlike dozens of other foreign-based satellite channels here, Farsi1 broadcasts popular Korean, Colombian and U.S. shows and also dubs them in Iran’s national language, Farsi, rather than using subtitles, making them more broadly accessible. Its popularity has soared since its launch in August….

Satellite receivers are illegal in Iran but widely available. Officials acknowledge that they jam many foreign channels using radio waves, but Farsi1, which operates out of the Hong Kong-based headquarters of Star TV, a subsidiary of Murdoch’s News Corp., is still on the air in Tehran.

Viewers are increasingly deserting the six channels operated by Iranian state television, with its political, ideological and religious constraints, for Farsi1’s more daring fare, including the U.S. series “Prison Break,” “24” and “Dharma and Greg.”

Those who want to build a wall around the minds of the Iranian people denounce Murdoch and his temptations:

Some critics here hold Murdoch responsible for what they see as this new infestation of corrupt Western culture. The prominent hard-line magazine Panjereh, or Window, devoted its most recent issue to Farsi1, featuring on the cover a digitally altered version of an evil-looking Murdoch sporting a button in the channel’s signature pink and white colors. “Murdoch is a secret Jew trying to control the world’s media, and [he] promotes Farsi1,” the magazine declared.

“Farsi1’s shows might be accepted in Western culture … but this is the first time that such things are being shown and offered so directly, completely and with ulterior motives to Iranian society. Does anybody hear alarm bells?” wrote Morteza Najafi, a regular Panjereh contributor.

The Iranian state – Akbar Ganji calls it a “sultanate” in Weberian terms – has tried to block access to Farsi1. It jams foreign channels, it sends police out to confiscate satellite dishes, but it can’t seem to prevent many citizens from tuning in to officially banned broadcasts.

Way back in 1979, David Ramsay Steele of the Libertarian Alliance in Great Britain wrote about the changes beginning in China. He quoted authors in the official Beijing Review who were explaining that China would adopt the good aspects of the West – technology, innovation, entrepreneurship – without adopting its liberal values. “We should do better than the Japanese,” the authors wrote. “They have learnt from the United States not only computer science but also strip-tease. For us it is a matter of acquiring the best of the developed capitalist countries while rejecting their philosophy.” But, Steele replied, countries like China have a choice. “You play the game of catallaxy, or you do not play it. If you do not play it, you remain wretched. But if you play it, you must play it. You want computer science? Then you have to put up with striptease.” 

North Korea and Burma choose to “remain wretched.” That’s not the future Iran’s leaders want. But they too will find it difficult to keep their citizens in an information straitjacket while participating in a global economy. 

Footnote: In all this discussion of how authoritarian governments try to protect their citizens from offensive images, alternative ideas, and what’s going on in the rest of the world, I am for some reason reminded of the “30 Rock” episode in which NBC executive Jack Donaghy (Alec Baldwin) is trying to figure out how to deal with a high-strung performer. Another actress tells him, “You’ve got to lie to her, coddle her, protect her from the real world.” Jack replies, “I get it – treat her like the New York Times treats its readers.”

Planning a Cybersecurity Auto-Immune Reaction

A Senate plan to give the president authority to seize control of the Internet in the event of emergency is security malpractice of the highest order. As I told C|Net’s Declan McCullagh, this is a plan for an auto-immune reaction. When something goes wrong with the Internet, the government will attack that infrastructure and make society weaker.

The Internet is the medium over which we communicate and self-organize. It’s where emergency response happens—where individuals learn what is happening, communicate it to others, compare notes with friends and loved ones, and determine appropriate responses. (Our appreciation for “first responders” should not be diminished by noting that they are typically second responders, taking over for private citizens who are almost always first on any scene.)

The Internet is also self-repairing. When weaknesses in it are exposed, that fact is communicated via Internet, and the appropriate fixes and patches are distributed via Internet. Seizing control of the Internet—to the extent the government can do that—would degrade society’s natural response to emergency, and it would undercut the Internet’s ability to self-heal.

This idea—of government authority taking over the Internet for our protection—fundamentally misunderstands the nature of the Internet, the nature of our society, and the type of government the Framers prescribed for us.

Unfounded Government Plans to Take Control of the Internet

Wired News reports on another bill proposing to create government authority to take over the Internet—this time, because of “cyberattacks.”

Most revealing is the part of the report exposing how Senate staff must fish around for reasons why the authority would be exercised, never mind to what effect:

In order for the President to declare such an emergency, there would have to be knowledge both of a massive network flaw — and information that someone was about to leverage that hole to do massive harm. For example, the recent “Aurora” hack to steal source code from Google, Adobe and other companies wouldn’t have qualified, one Senate staffer noted: “It’d have to be Aurora 2, plus the intel that country X is going to take us down using that vulnerability.”

A second staffer suggested that evidence of hackers looking to leverage something like the massive Conficker worm — which infected millions of machines and was seemingly poised in April 2009 to unleash something nefarious — might trigger the bill’s emergency provisions. “You could argue there’s some threat information built in there,” the staffer said.

These scenarios will never happen. And we wouldn’t want the government grabbing control of the Internet if they did.

The idea of government “taking over” the Internet for security purposes is equal parts misconceived and self-defeating. It’s a packet-switched network, meaning that it routes around the equivalent of damage that would be caused by anyone’s attempt to “control” it. The government could certainly degrade the Internet with a well-coordinated attack, of course.

And that’s the way to think about government controlling the Internet in some kind of emergency: It would be an attack on the country’s natural resilience.

In February, CNN broadcast a bogus reality TV show produced by the Bipartisan Policy Center called “cyber.shockwave.” A variety of technically incompetent government officials talked about pulling the plug on the Internet and cell phone networks in response to some emergency. Commentator D33PT00T captured the idiocy of this idea, Tweeting, “ok my phn doesn’t work & Internet doesn’t work – ths guys R planning 2 run arnd w/ bullhorns ‘all is well remain calm!’”

The Internet may have points of weakness, but it is a source of strength overall. A government take-over of the Internet in the event of emergency would be equivalent to an auto-immune reaction in which the government would attack the society. Proposals for the federal government to take control of the Internet under any circumstance are unfounded and dangerous.

McCotter’s Plan to Expand DMCA-Style Take-Downs

The “Cyber Privacy Act”? No it ain’t!

Michigan Representative Thaddeus McCotter (R) has introduced a bill to create a take-down regime for personal information akin to the widely abused DMCA process. The Digital Millennium Copyright Act established a system where copyright holders could as a practical matter force content off the Internet simply by requesting it.

McCotter’s proposal would similarly regulate every Internet site that has a comment section. He thinks it’s going to protect privacy, but he’s sorely mistaken. Its passage would undermine privacy and limit free speech.

I’ll take you through how McCotter’s gotten it wrong.

The operative language of H.R. 5108 is:

Any Internet website that makes available to the public personal information of individuals shall–

(1) provide, in a clear and conspicuous location on the Internet website, a means for individuals whose personal information it contains to request the removal of such information; and

(2) promptly remove the personal information of any individual who requests its removal.

The Federal Trade Commission would enforce the failure to abide by requests as it does unfair and deceptive trade practices. (Meaning: penalties.)

So if someone posts his or her name in a comment section and later regrets it, the operator of that web site would have to take it down. Sounds nice—and that is the right thing for webmasters to do when the circumstances warrant. But what about when they don’t?

Let’s say you run a site that receives hundreds or thousands of comments per day, many of them from anonymous visitors. Let’s say the site deals with controversial issues, and some visitors are angry at each other—they’re even angry at the site for hosting the discussion. Those visitors start working to undermine the conversation. They personally attack others, adopt false names, tell lies, and use vulgarities. This kind of person is well known on the web. They’re called “trolls.”

What would trolls do if federal law required webmasters to take down personal information by request? Simple: They would post the personal information of others. They would pose as others and falsely ask to have information taken down.

It’s a great way to attack a site: require it to consider hundreds or thousands of personal information take-down requests, each one backed by the threat of federal penalties.

What do you do as a webmaster to counter that? You require all comments to be tied to a fixed identity. Require a log-in before site visitors can comment. Then you can figure out later if the person requesting a take-down of personal information is the person who it pertains to.

What’s the result of that? Web sites collect and store more information about visitors. Then they turn around and use it for tracking and marketing. The information is available to litigators and government investigators, of course, through subpoenas and warrants.

Are you doing the math? McCotter’s “Cyber Privacy” bill is a proposal to increase Internet surveillance. Maybe he intends to improve Internet courtesy and decency. But decency is not a federal government project. It’s bottom-up, not top-down.

I write, of course, as a spare-time webmaster myself. The bills on WashingtonWatch.com get hundreds of comments per day. Many bills get lots of comments, but one in particular—subject of dispute, controversy, and trolling, along with productive political organizing—has over 130,000 comments.

I do a lot to foster a good visitor experience, consistent with maintaining the space available for free speech. I advise people about how to deal with trolls, I allow people to register so their stable identities can build trustworthy reputations, I proctor commenters about controlling vulgarities—sometimes strongly editing comments when they don’t, and I allow users to block commenters and words they don’t want to see.

When the context warrants it, I do remove personal information at the request of people that I believe are making honest, good faith requests. I think it’s part of what builds allegiance to the site.

But if I were required by law to do this, it would be an entirely different calculation. Each request would present me with a veiled legal threat, not a small customer service opportunity.

As trolls figured out how to exploit the law—the way some copyright holders exploit the DMCA—they could inundate small sites with requests. Webmasters would be right to treat all requests with suspicion. Confirming requests would require them to convert to greater surveillance. A percentage of the small sites and blogs that are hobbies or money-losers would just shut down comments rather than deal with the nonsense.

Representative McCotter’s plan to regulate Internet communications this way is no “Cyber Privacy” act. It’s anti-privacy, and it’s anti-free-speech.