NSA – Technology Liberation Front
https://techliberation.com
Keeping politicians' hands off the Net & everything else related to technology

Unintended Consequences of the EU Safe Harbor Ruling
https://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/
Tue, 06 Oct 2015 15:12:58 +0000

The big news out of Europe today is that the European Court of Justice (ECJ) has invalidated the 15-year-old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. American tech companies have relied on the safe harbor to do business in the European Union, which has more onerous data handling regulations than the US. [PDF summary of decision here.] Below I offer some quick thoughts about the decision and some of its potential unintended consequences.

#1) Another blow to new entry / competition in the EU: While some pundits are claiming this is a huge blow to big US tech firms, in reality, the irony of the ruling is that it will bolster the market power of the biggest US tech firms, because they are the only ones that will be able to afford the formidable compliance costs associated with the resulting regulatory regime. In fact, with each EU privacy decision, Google, Facebook, and other big US tech firms just get more dominant. Small firms just can’t comply with the EU’s expanding regulatory thicket. “It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” said Nicola Fulford, head of data protection at the UK law firm Kemp Little when commenting on the ruling to the BBC. “It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.” And by driving up regulatory compliance costs and causing constant delays in how online business is conducted, the ruling will (again, on top of all the others) greatly limit entry and innovation by new, smaller players in the digital world. In essence, EU data regulations have already wiped out much of the digital competition in Europe and now this ruling finishes off any global new entrants who might have hoped to break in and offer competitive alternatives. These are the sorts of stories never told in antitrust circles: costly government rulings often solidify and extend the market dominance of existing companies. Dynamic effects matter. That is certainly going to be the case here.

#2) Cross-border digital trade suffers: This conclusion follows from point #1, of course. Writing just before the decision was announced, lawyers at Norton Rose Fulbright’s Data Compliance Report blog noted that if the safe harbor was invalidated, “the impact on the world economy would be immense.” Well, here we are. Dan Castro of ITIF hopes that EU and US officials can pull back from the brink of this impending disaster and “finish the process of creating a Safe Harbor 2.0 with terms that give comfort to all parties.” I suspect that many tech companies are hoping for the same miracle to occur. But don’t hold your breath. The Europeans have decided that this is the hill that they will die on. They haven’t shown too much interest in preserving an innovative tech market or enhancing global digital trade flows in the past due to heightened concerns about privacy, and there’s no reason to think they will back down now with a more measured approach. Importantly, as I noted in my earlier essay, “How Attitudes about Risk & Failure Affect Innovation on Either Side of the Atlantic,” this trans-Atlantic clash of vision transcends the debate over privacy law. It’s about broader cultural and political attitudes toward risk-taking and disruption. Most leaders in Europe value stability (both economic and cultural stability) more than US officials and citizens. This tension was always bound to reach a breaking point and the Digital Economy and data handling policies are where the you-know-what is finally hitting the fan.

#3) Web Balkanization accelerates: This is just another blow to the idea of a seamless global Internet. But as tech lawyer Tiffany C. Li pointed out on Twitter this morning in response to the decision, while Web pundits decry balkanization in other contexts, many of them seem to be cheering it on in this case because this decision deals with privacy and data handling, which they want regulated more heavily. But you can’t have your cake and eat it too. Indeed, the great irony of so many “Internet freedom” debates today is that pundits absolutely hate the idea of Internet control and Web balkanization… right up until the point where they absolutely love it! Think of this as the tech policy world’s selective morality problem. (I elaborated on these themes in my essays “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” and “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges.”)

#4) But the big dogs won’t bolt out of Europe: But this should also be another reminder that there are no “John Galt moments” in the world of tech, as some tech libertarians hope. The biggest players won’t pack their bags and head home because there’s still too much money sitting on the table in Europe. Big firms will instead scramble to comply, just as they are trying to do with the so-called Right to Be Forgotten ruling. Of course, this just exacerbates problem #1 already discussed above: The big dogs stay and do their best to comply with the costly regulatory regime while smaller players get crushed by the rules and all the other potential new entrants just stay home.

#5) The decision ignores the real problem: widespread government surveillance: I don’t often find myself agreeing with Cory Doctorow on much, but he gets it exactly right when he notes that, “this doesn’t mean that Europeans won’t be subjected to mass surveillance, including mass surveillance by the NSA.” He elaborates:

If the European Court of Justice wants to end mass surveillance of Europeans, it can only do so by banning mass surveillance — by ruling that laws that treat foreigners’ data as fair game are unconstitutional. If US tech giants want to get loose from a farcical, expensive, and pointless exercise that continues to treat them as adjuncts to the world’s spy agencies, they need to lobby the US government to change the laws under which it treats foreigners as fair game.

Thus, it would certainly be nice if the ruling did what CDT suggested in its response, “EU Safe Harbour Ruling Should Reinvigorate Surveillance Reform Efforts.” Of course, that requires that tech companies muster the courage to stand up to public officials here in the States who always want them to (literally) hand over the keys to the kingdom. That’s why the current debate over crypto backdoors is so essential. It’s good to see a number of tech companies pushing back on that front and refusing to get rolled by law enforcement and national security agencies the way that far too many telecom and tech companies have been in the past. Following today’s ECJ ruling, tech companies are realizing just how serious this problem really is because now European officials are striking out against the safe harbor agreement as a surrogate for their general frustrations with US surveillance. Indeed, in a press release following today’s ECJ ruling, the Internet Association, which represents major US tech firms, noted that, “The Internet industry has consistently supported surveillance reform” and the Association pushed for swift congressional action to clarify and limit existing surveillance powers. It remains to be seen whether the US tech sector and other related industries will be able to push back effectively against the growing surveillance state leviathan, but it’s more clear today than ever before why that’s a fight worth having.

Ladar Levison on Lavabit
https://techliberation.com/2014/02/04/levison/
Tue, 04 Feb 2014 11:00:18 +0000

Ladar Levison, founder of encrypted email service Lavabit, discusses recent government action that led him to shut down his firm. When it was suspected that NSA whistleblower Edward Snowden used Lavabit’s email service, the FBI issued a National Security Letter ordering Levison to hand over SSL keys, jeopardizing the privacy of Lavabit’s 410,000 users. Levison discusses his inspiration for founding Lavabit and why he chose to suspend the service; how Lavabit was different from email services like Gmail; developments in his case and how the Fourth Amendment has come into play; and his involvement with the recently-formed Dark Mail Technical Alliance.

James Barrat on the future of Artificial Intelligence
https://techliberation.com/2014/01/07/barrat/
Tue, 07 Jan 2014 19:30:58 +0000

James Barrat, author of Our Final Invention: Artificial Intelligence and the End of the Human Era, discusses the future of Artificial Intelligence (AI). Barrat takes a look at how to create friendly AI with human characteristics, which other countries are developing AI, and what we could expect with the arrival of the Singularity. He also touches on the evolution of AI and how companies like Google and IBM and government entities like DARPA and the NSA are developing artificial general intelligence devices right now.

Pakistan’s Statement on NSA Surveillance, Human Rights, and Internet Governance
https://techliberation.com/2013/09/18/pakistans-statement-on-nsa-surveillance-human-rights-and-internet-governance/
Wed, 18 Sep 2013 18:53:44 +0000

Last month, I wrote at The Guardian that NSA surveillance is harming our Internet freedom efforts. Now we have tangible evidence of that. Speaking at the UN Human Rights Council on behalf of Cuba, Venezuela, Zimbabwe, Uganda, Ecuador, Russia, Indonesia, Bolivia, Iran, and China, Pakistan delivered the following statement (video, starts around 52:25). Pay special attention to the last two paragraphs:

Mr. President,

Freedom of expression is a fundamental human right. The right to privacy is an essential element of the right to freedom of expression as defined in the ICCPR. At the last session of the Human Rights Council, the Special Rapporteur on Freedom of Expression presented his report which focused on the right to privacy and freedom of expression and opinion in the context of states surveillance of communications systems.

We believe that this is an area of great concern, particularly in light of recent revelations regarding the use and abuse of advanced surveillance technologies by some states. These involve unilateral unauthorized access to private data and performing extensive, in-depth surveillance on live communications and stored information with examples including email, voice chat, videos, photos, file transfers, and social networking details. The extent of recent events of mass data collection has been far greater than the global community knew and is a serious violation of the right to privacy as well as domestic and international law.

Much of the world’s electronic communications pass through only one country because electronic communications data tend to follow the least expensive route rather than the most physically direct route, and the bulk of the world’s Internet infrastructure is also based there. This provides an opportunity for intercepting the private communications of foreign nationals as their electronic data pass into or through that one country.

This situation is further aggravated when we see several major international internet and telecommunication technology companies overstepping in privacy and information theft including companies like Microsoft, Yahoo, Google, Facebook, YouTube, AOL, Skype and Apple. Some of these entities have been developing and executing their own surveillance capabilities and intruding into the private space of their customers around the globe without their knowledge or consent. As the Special Rapporteur has mentioned in his report, the private sector corporations often facilitate some states in their surveillance of individuals and states are increasingly adopting legislation requiring communications service providers direct access to the communications data. This is a disturbing development because this is intrusion of privacy on a mega-scale. It means that states can use these technologies and data against persons who are not their citizens and do not reside in their borders. This has complicated legal and human rights implications.

Article 12 of the Universal Declaration of Human Rights, and numerous international statutes and treaties forbid such systems of massive, pervasive surveillance. More importantly, the international community needs to take urgent action to protect individuals from such violation of their fundamental freedom.

A transparent international system with adequate international framework of internet governance including appropriate safeguards is all the more important in such circumstances. The internet is too big, too international and too much of a household thing to be left operating by a few who have misused it without any international legislation and monitoring of these abuses.

The existing mechanisms like the Internet Governance Forum established under the paragraph 72 of the World Summit on Information Society (WSIS)-Tunis Agenda have not been able to deliver the desired results. A strategic rethinking of the global internet governance mechanism is inevitable. Further development of an international mechanism in the context of ‘Enhanced cooperation’ within the WSIS Tunis Agenda can be a concrete way forward. However we will need to be sincere in our efforts to ensure a transparent, free, fair and respectful international intergovernmental mechanism of internet governance and one that also ensures the right to privacy.

Why the Lawsuit Challenging NSA Surveillance is Crucial to Internet Freedom
https://techliberation.com/2013/07/16/why-the-lawsuit-challenging-nsa-surveillance-is-crucial-to-internet-freedom/
Tue, 16 Jul 2013 22:15:30 +0000

In June, The Guardian ran a groundbreaking story that divulged a top secret court order forcing Verizon to hand over to the National Security Agency (NSA) all of its subscribers’ telephony metadata—including the phone numbers of both parties to any call involving a person in the United States and the time and duration of each call—on a daily basis. Although media outlets have published several articles in recent years disclosing various aspects of the NSA’s domestic surveillance, the leaked court order obtained by The Guardian revealed hard evidence that NSA snooping goes far beyond suspected terrorists and foreign intelligence agents—instead, the agency routinely and indiscriminately targets private information about all Americans who use a major U.S. phone company.

It was only a matter of time before the NSA’s surveillance program—which is purportedly authorized by Section 215 of the USA PATRIOT Act (50 U.S.C. § 1861)—faced a challenge in federal court. The Electronic Privacy Information Center fired the first salvo on July 8, when the group filed a petition urging the U.S. Supreme Court to issue a writ of mandamus nullifying the court orders authorizing the NSA to coerce customer data from phone companies. But as Tim Lee of The Washington Post pointed out in a recent essay, the nation’s highest Court has never before reviewed a decision of the Foreign Intelligence Surveillance Act (FISA) court, which is responsible for issuing the top secret court order authorizing the NSA’s surveillance program.

Today, another crucial lawsuit challenging the NSA’s domestic surveillance program was brought by a diverse coalition of nineteen public interest groups, religious organizations, and other associations. The coalition, represented by the Electronic Frontier Foundation, includes TechFreedom, Human Rights Watch, Greenpeace, and the Bill of Rights Defense Committee, among many other groups. The lawsuit, brought in the U.S. district court in northern California, argues that the NSA’s program—aptly described as the “Associational Tracking Program” in the complaint—violates the First, Fourth, and Fifth Amendments to the Constitution, along with the Foreign Intelligence Surveillance Act.

In a statement today, TechFreedom President Berin Szoka described the lawsuit as follows:

We’re standing up for the constitutional rights of all Americans: The First Amendment protects our right to communicate and associate privately. The Fourth Amendment protects us against unreasonable searches and seizures by barring the kind of general warrant that compelled U.S. telephone carriers to turn over potentially sensitive information about Americans’ telephone call records. The secretive processes of the Foreign Intelligence Surveillance Court violate the most fundamental guarantees of the Fifth Amendment to due process, as well as basic principles of the rule of law.

Amen. Our founding fathers wrote the 4th Amendment to prevent precisely this kind of secretive sifting through citizens’ private records. As the recent scandal involving the IRS targeting tea party groups illustrates, America’s founders knew all too well that government would always be tempted to use perfectly innocuous information about Americans’ beliefs and behaviors to harass them and treat them unfairly. This is why our Constitution and federal laws restrict the government’s power to collect private information about its citizens. These rules exist not so criminals can conceal their behavior, but to protect you and me. And when the government violates those rules, it is acting criminally.

Think you’re off the hook because you communicate primarily using the Internet, rather than via phone? Think again. We know that far more extensive collection of Americans’ data has occurred under the same authority—50 U.S.C. § 1861—upon which the Associational Tracking Program is based.

According to a leaked 2009 NSA Inspector General report, NSA in 2001 began collecting “bulk Internet metadata” from at least three unknown large Internet companies. A 2007 DOJ memo regarding “supplemental procedures” for NSA data collection authorized the agency to collect Internet metadata—including the “email address[es]” of each sender and recipient of an email, along with their “IP address”—for “persons in the United States.” The memo further states that “NSA has in its database a large amount of communications metadata associated with persons in the United States.” However, a spokesman for James Clapper, the Director of National Intelligence, has claimed this Internet metadata collection program was “discontinued in 2011 for operational and resource reasons.” Who knows if this is accurate, or another “clearly erroneous” statement that will be corrected in future months or years in a statement resembling the letter James Clapper sent to the Senate Intelligence Committee a few weeks ago.

Yet if the NSA’s Associational Tracking Program is lawful, the Internet metadata program is probably legal as well. If courts fail to halt the NSA’s program as it currently exists, and clarify what Section 215 of the USA PATRIOT Act really means, nothing is stopping the government from resuming its acquisition of Internet metadata—that is, if it hasn’t already done so.

These suspicionless mass surveillance programs don’t just endanger our constitutional rights. They also threaten free enterprise in the information economy. Increasingly, we transact, communicate, innovate, and create in the digital realm, where information itself is a form of wealth. But if Americans reasonably perceive their digital communications—including metadata—are subject to warrantless governmental interception, some who might use cloud services will choose not to do so. Not only would this distort the future of Internet commerce, it might cause cloud computing servers and businesses to move or be formed abroad—which, ironically, could deny U.S. law enforcement access to this cloud data.

If the information age is to realize its full potential, providers of electronic communications services must be free to make credible assurances to their users about when private information will be shared, and with whom. Users need to know that the data they relinquish is confined to agreed-upon business, transactional, and record-keeping purposes—not automatically stored in a government datacenter.

Book Review: Ronald Deibert’s “Black Code: Inside the Battle for Cyberspace”
https://techliberation.com/2013/07/16/book-review-ronald-deiberts-black-code-inside-the-battle-for-cyberspace/
Tue, 16 Jul 2013 13:01:57 +0000

Ronald J. Deibert is the director of The Citizen Lab at the University of Toronto’s Munk School of Global Affairs and the author of an important new book, Black Code: Inside the Battle for Cyberspace, an in-depth look at the growing insecurity of the Internet. Specifically, Deibert’s book is a meticulous examination of the “malicious threats that are growing from the inside out” and which “threaten to destroy the fragile ecosystem we have come to take for granted.” (p. 14) It is also a remarkably timely book in light of the recent revelations about NSA surveillance and how it is being facilitated with the assistance of various tech and telecom giants.

The clear and colloquial tone that Deibert employs in the text helps make arcane Internet security issues interesting and accessible. Indeed, some chapters of the book almost feel like they were pulled from the pages of a techno-thriller, complete with villainous characters, unexpected plot twists, and shocking conclusions. “Cyber crime has become one of the world’s largest growth businesses,” Deibert notes (p. 144) and his chapters focus on many prominent recent examples, including cyber-crime syndicates like Koobface, government cyber-spying schemes like GhostNet, state-sanctioned sabotage like Stuxnet, and the vexing issue of zero-day exploit sales.

Deibert is uniquely qualified to narrate this tale not just because he is a gifted story-teller but also because he has had a front row seat in the unfolding play that we might refer to as “How Cyberspace Grew Less Secure.” Indeed, he and his colleagues at The Citizen Lab have occasionally been major players in this drama as they have researched and uncovered various online vulnerabilities affecting millions of people across the globe. (I have previously reviewed and showered praise on a couple of important books that Deibert co-edited with scholars from The Citizen Lab and Harvard’s Berkman Center, including: Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace and Access Denied: The Practice and Policy of Global Internet Filtering. They are truly outstanding resources worthy of your attention.)

Black Code’s Many Meanings

So, what is “black code” and why should we be worried about it? Deibert uses the term as a metaphor for many closely related concerns. Most generally it includes “that which is hidden, obscured from the view of the average Internet user.” (p. 6) More concretely, it refers to “the criminal forces that are increasingly insinuating themselves into cyberspace, gradually subverting it from the inside out.” (p. 7) “Those who take advantage of the Internet’s vulnerabilities today are not just juvenile pranksters or frat house brats,” Deibert notes, “they are organized criminal groups, armed militants, and nation states.” (p. 7-8) Which leads to the final way Deibert uses the term “black code.” It also, he says, “refers to the growing influence of national security agencies, and the expanding network of contractors and companies with whom they work.” (p. 8)

Deibert is worried about the way these forces and factors are working together to undermine online stability and security, and even delegitimize liberal democracy itself. His thesis is probably most succinctly captured in this passage from Chapter 7:

We live in an era of unprecedented access to information, and many political parties campaign on platforms of transparency and openness. And yet, at the same time, we are gradually shifting the policing of cyberspace to a dark world largely free from public accountability and independent oversight. In entrusting more and more information to third parties, we are signing away legal protections that should be guaranteed by those who have our data. Perversely, in liberal democratic countries we are lowering the standards around basic rights to privacy just as the center of cyberspace gravity is shifting to less democratic parts of the world. (p. 130-1)

What Deibert is grappling with in this book is the same fundamental problem that has long plagued the Internet: How do you preserve the benefits associated with the most open and interconnected “network of networks” the world has ever known while also remedying the various vulnerabilities and pathologies created by that same openness and interconnectedness? Deibert acknowledges this problem, noting:

Ever since the Internet emerged from the world of academia into the world of the rest of us, its growth trajectory has been shadowed by a grey economy that thrives on opportunities for enrichment made possible by an open, globally connected infrastructure. (p. 141)

The Paradox of the Net’s Open, Interconnected Nature

Again, paradoxically, this inherent instability and vulnerability is due precisely to the Net’s open and globally interconnected nature. And many governments are looking to exploit that fact. “These unfortunate by-products of an open, dynamic network are exacerbated by increasing assertions of state power,” Deibert notes. (p. 233)

More generally, this uncomfortable fact—that the Net’s open, interconnected nature leads to both enormous benefits as well as huge vulnerabilities—isn’t just true for criminal online activity or the cyber-espionage activities that various nation-states are pursuing today. It is equally true for everything online today. There is a sort of yin and yang to the Net that is simply undeniable and completely unavoidable. For one issue after another we find that the Net’s greatest blessing—its open, interconnected nature—is also its greatest curse.

For example, as I noted here recently in my review of Abraham H. Foxman and Christopher Wolf’s new book, Viral Hate: Containing Its Spread on the Internet, the open and interconnected Internet gives us “the most widely accessible, unrestricted communications platform the world has ever known” but also means we have to tolerate a great many imbeciles “who use it to spew insulting, vile, and hateful comments.” The same is true for other types of online speech and content: You have access to an abundance of informational riches, but there’s also no avoiding all the garbage out there now, too.

Similarly, as I noted in my essay, “Privacy as an Information Control Regime: The Challenges Ahead,” the open and interconnected Internet has given us historically unparalleled platforms for social interaction and commerce. But that same openness and interconnectedness has left us with a world of hyper-exposure and a variety of privacy and surveillance threats—not just from governments and large corporations, but also from each other.

And then there’s the never-ending story of digital copyright. On one hand, the open and globally interconnected network of networks has provided us with an amazing platform for sharing knowledge, art, and expression. On the other hand, as I noted in this essay on “The Twilight of Copyright,” creators of expressive works have less security than ever before in terms of how they can control and monetize their artistic and scientific inventions.

I could go on and on—as I did in my essays on “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges” and “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed”—but the moral of the story is pretty clear: The Internet giveth and the Internet taketh away. Openness and interconnectedness offer us enormous benefits but also force us to confront major risks as the price of admission to this wonderful network.

Will the Whole System Collapse?

The uncomfortable question that Deibert’s book tees up for discussion is: When will this balance get completely out of whack in terms of online security? Or, has it already? In some portions of the text, he hints that may already be the case. Consider this passage in Chapter 11 in which Deibert discusses whether the Chicken Little-ism of digital security worry-warts like Eugene Kaspersky and Richard Clarke is warranted:

Eugene Kaspersky, Richard Clarke, and others may sound like broken records or self-serving fear mongers, but there is no denying the evolving cyberspace ecosystem around us: we are building a digital edifice for the entire planet, and it sits above us like a house of cards. We are wrapping ourselves in expanding layers of digital instructions, protocols, and authentication mechanisms, some of them open, scrutinized, and regulated, but many closed, amorphous, and poised for abuse, buried in the black arts of espionage, intelligence gathering, and cyber and military affairs. Is it only a matter of time before the whole system collapses? (p. 186)

That sounds horrific, but is it really the case that the entire system is about to collapse? And, if so, what are we going to do about it?

This raises a small problem with Deibert’s book. He does such a nice job itemizing and describing these security vulnerabilities that by the time the reader wades through 230 pages and nears the end of the book, they are left in a highly demoralized state, searching for some hope and a concrete set of practical solutions. Unfortunately, they won’t find an abundance of either in Deibert’s brief closing chapter, “Toward Distributed Security and Stewardship in Cyberspace.”

Don’t get me wrong; I agree with the general thrust of Deibert’s framework, which I describe below. The problem is that it is highly aspirational in nature and lacks specifics. Perhaps that is simply because there are no easy answers here. Digital security is damn hard and, as with most other online pathologies out there, no silver-bullet solutions exist.

Deibert notes that some government officials will seek to exploit those vulnerabilities—many of which they created themselves—to expand their authority over the Internet. “Faced with mounting problems and pressures to do something, too many policy-makers are tempted by extreme solutions,” he notes. (p. 234) He worries about “a movement towards clamp down” that would be “antithetical to the principles of liberal democratic government” by undermining checks and balances and accountability. (p. 235) In turn, this will undermine the “mixed common-pool resource” that is the current Internet.

Deibert’s alternative cyber security strategy to counter the push to “clamp down” is based on three interrelated notions or components:

  1. Principles of restraint or “mutual restraint”: “Securing cyberspace requires a reinforcement, rather than a relaxation, of restraint on power, including checks and balances on governments, law enforcement, intelligence agencies, and on the private sector,” he argues. (p. 239)
  2. “Distributed security”: “The Internet functions precisely because of the absence of centralized control, because of thousands of loosely coordinated monitoring mechanisms,” Deibert notes. “While these decentralized mechanisms are not perfect and can occasionally fail, they form the basis of a coherent distributed security strategy. Bottom-up, ‘grassroots’ solutions to the Internet’s security problems are consistent with principles of openness, avoid heavy-handedness, and provide checks and balances against the concentrations of power,” he observes. (p. 240)
  3. “Stewardship” which Deibert defines as “an ethic of responsible behavior in regard to shared resources” and which, he argues, “would moderate the dangerously escalating exercise of state power in cyberspace by defining limits and setting thresholds of accountability and mutual restraint.” (p. 243)

Again, as an aspirational vision statement this all generally sounds fairly sensible, but the details are lacking. I think Deibert would have been wise to spend a bit more time developing this alternative “bottom-up” vision of how online security should work and bolstering it with case studies.

Digital Security without Top-Down Controls

Luckily, as my Mercatus Center colleague Eli Dourado noted in an important June 2012 white paper, distributed security and stewardship strategies are already working reasonably well today. Dourado’s paper, “Internet Security Without Law: How Service Providers Create Order Online,” documented the many informal institutions that enforce network security norms on the Internet and shows how cooperation among a remarkably varied set of actors improves online security without extensive regulation or punishing legal liability. “These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms,” Dourado noted.

For example, a diverse array of computer security incident response teams (CSIRTs) operate around the globe, share their research, and coordinate their responses to viruses and other online attacks. Individual Internet service providers (ISPs), domain name registrars, and hosting companies work with these CSIRTs and other individuals and organizations to address security vulnerabilities. A growing market for private security consultants and software providers also competes to offer increasingly sophisticated suites of security products for businesses, households, and governments.

A great deal of security knowledge is also “crowd-sourced” today via online discussion forums and security blogs that feature contributions from experts and average users alike. University-based computer science and cyberlaw centers (like Citizen Lab) and experts have also helped by creating projects like “Stop Badware,” which originated at Harvard University but then grew into a broader non-profit organization with diverse financial support.

Dourado continues on in his paper to show how these informal, bottom-up efforts to coordinate security responses offer several advantages over top-down government solutions, such as administrative regulation or punishing liability regimes.

Dourado’s description of the ideal approach to online security is entirely consistent with Deibert’s vision in Black Code. In fact, Deibert notes, “It is important to remind ourselves that in spite of the threats, cyberspace runs well and largely without persistent disruption. On a technical level, this efficiency is founded on open and distributed networks of local engineers who share information as peers,” he observes. (p. 240) That is exactly right, but I wish Deibert would have spent more time discussing how this system works in practice today and how it can be tweaked and improved to head off the heavy-handed and very costly top-down solutions that we both dread.

Toward Resiliency

But there’s one other thing I wish Deibert would have explored in the book: resiliency, or how we have adapted to various cyber-vulnerabilities over time.

For example, in another recent Mercatus Center study entitled “Beyond Cyber Doom: Cyber Attack Scenarios and the Evidence of History,” Sean Lawson, an assistant professor in the Department of Communication at the University of Utah, has stressed the importance of resiliency as it pertains to cybersecurity and concerns about “cyberwar.” “Research by historians of technology, military historians, and disaster sociologists has shown consistently that modern technological and social systems are more resilient than military and disaster planners often assume,” he writes. “Just as more resilient technological systems can better respond in the event of failure, so too are strong social systems better able to respond in the event of disaster of any type.”

More generally, as I noted in my recent law review article on “technopanics” and “threat inflation” in information technology policy debates:

while it is certainly true that “more could be done” to secure networks and critical systems, panic is unwarranted because much is already being done to harden systems and educate the public about risks. Various digital attacks will continue, but consumers, companies, and other organizations are learning to cope and become more resilient in the face of those threats.

What Professor Lawson and I are getting at in our respective articles is that the ability of organizations, institutions, and individuals to bounce back from adversity is a frequently unheralded feature of various systems and that it deserves more serious study. (See Andrew Zolli and Ann Marie Healy’s nice book, Resilience: Why Things Bounce Back, for more on this general topic). In the context of online security, what is most remarkable to me is not that the Internet suffers from vulnerabilities due to its open and interconnected nature; it’s that we don’t suffer far more damage as a result.

This gets us back to that very profound question that Deibert poses in Black Code: “Is it only a matter of time before the whole system collapses?” The better question, I think, is: why hasn’t the system already collapsed? Perhaps the answer is, because things haven’t gotten bad enough yet. But I believe that the more realistic answer is that individuals and institutions often learn how to cope and become resilient in the face of adversity. This is partially the case online because of the stewardship and distributed, decentralized security we already see at work today that makes digital life tolerable.

But it has to be something more than that. After all, many of the security problems that Deibert describes in his book are quite serious and already affect millions of us today. How, then, are we getting by right now? Again, I think the answer has to be that adaptation and resiliency are at work on many different levels of online life.

Consider, for example, how we have learned to deal with spam, viruses, online porn, various online advertising and privacy concerns, and so on. Our adaptation to these threats and annoyances has not been perfectly smooth, of course. No doubt, some people would still like “something to be done” about these things. But isn’t it remarkable how we have, nonetheless, carried on with online commerce and interactive social life even as these problems have persisted?

Conclusion

Going forward, therefore, perhaps there are some reasons for hope. Perhaps the various generic strategies that Deibert outlines in his book, coupled with the remarkable ability of humans to roll with the punches and adapt, will help us come out of this just fine (or at least reasonably well).

Of course, it could also be the case that these security concerns just multiply and that the Internet then morphs into something quite different than the interconnected “network of networks” we know today. As I noted in my 2009 essay on “Internet Security Concerns, Online Anonymity, and Splinternets,” we might be moving toward a world with more separate disconnected digital networks and online “gated communities.” This could take place spontaneously over time and be driven by corporations seeking to satisfy the demand of some consumers for safer and more secure online experiences. As I noted in my review of Jonathan Zittrain’s book, The Future of the Internet, I am actually fine with some of that. I think we can live in a hybrid world of “walled gardens” alongside of the “Wild West” open Internet, so long as this occurs in a spontaneous, organic, bottom-up fashion. [For a more extensive discussion, see my book chapter, “The Case for Internet Optimism, Part 2 – Saving the Net From Its Supporters.”]

If, however, this “splintering” of the Net is done from the top-down through intentional (or even incidental) government action, then it is far more problematic. We already see signs, for example, that Russia is pushing even more strongly in that direction in the wake of the NSA leaks. (See “N.S.A. Leaks Revive Push in Russia to Control Net,” New York Times, July 14.) The Russians have been using amorphous security concerns to push for greater Internet control for some time now. Of course, China has been there for years. So have many Middle Eastern countries. Of course, there’s no guarantee that their respective “splinternets” are, or would be, any more secure than today’s Internet, but it sure would make those networks far more susceptible to state control and surveillance. If that’s our future, then it certainly is a dismal one.

Anyway, read Ron Deibert’s Black Code for an interesting exploration of these and other issues. It’s an excellent contribution to the field of Internet policy studies and a book that I’ll be recommending to others for many years to come.


The NSA is screwing us on Internet governance https://techliberation.com/2013/07/15/the-nsa-is-screwing-us-on-internet-governance/ https://techliberation.com/2013/07/15/the-nsa-is-screwing-us-on-internet-governance/#comments Mon, 15 Jul 2013 14:35:13 +0000 http://techliberation.com/?p=45181

The New York Times reports:

The Russians, who with only minimal success, had for years sought to make these companies provide law enforcement access to data within Russia, reacted angrily. Mr. Gattarov formed an ad hoc committee in response to Mr. Snowden’s leaks.

Ostensibly with the goal of safeguarding Russian citizens’ private lives and letters from spying, the committee revived a long-simmering Russian initiative to transfer control of Internet technical standards and domain name assignments from two nongovernmental groups that control them today to an arm of the United Nations, the International Telecommunications [sic] Union.

It’s not immediately clear to me how moving Internet standards and DNS from IETF and ICANN to the ITU is supposed to stop the NSA from spying on Russians, so the smart read is that this is retaliation pure and simple.

Brazil’s foreign minister, Antonio Patriota, for example, a week ago endorsed the Russian proposal to transfer some control over Internet technical standards to the United Nations telecommunications agency.

While these are not major changes in policy positions, the NSA’s surveillance programs seem to be galvanizing those who want the ITU to take an active role in Internet governance. It’s time for the USA to practice what it preaches on Internet freedom.

Declan McCullagh on the NSA leaks https://techliberation.com/2013/06/18/declan-mccullagh/ https://techliberation.com/2013/06/18/declan-mccullagh/#respond Tue, 18 Jun 2013 10:00:21 +0000 http://techliberation.com/?p=44980

Declan McCullagh, chief political correspondent for CNET and former Washington bureau chief for Wired News, discusses recent leaks of NSA surveillance programs. What do we know so far, and what more might be unveiled in the coming weeks? McCullagh covers legal challenges to the programs, the Patriot Act, the fourth amendment, email encryption, the media and public response, and broader implications for privacy and reform.

My take on Prism https://techliberation.com/2013/06/12/my-take-on-prism/ https://techliberation.com/2013/06/12/my-take-on-prism/#comments Wed, 12 Jun 2013 14:10:30 +0000 http://techliberation.com/?p=44965

Over at The Umlaut, I try to articulate why even people who have “nothing to hide” should be concerned about NSA surveillance:

I have no doubt that Prism is a helpful tool in combatting terrorism and enforcing the law, as the Obama administration claims. But ubiquitous surveillance doesn’t just help enforce the law; it changes the kinds of laws that can be enforced. It has Constitutional implications, not just because it violates the Fourth Amendment, which it does, but because it repeals a practical barrier to ever greater tyranny.

Read the whole thing, and pass it on.

CISPA’s Vast Overreach https://techliberation.com/2013/04/17/cispas-vast-overreach/ https://techliberation.com/2013/04/17/cispas-vast-overreach/#comments Wed, 17 Apr 2013 14:30:06 +0000 http://techliberation.com/?p=44532

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s interesting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.
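The record General Alexander describes (signature, source IP, destination IP, time) can be sketched as follows. This is an added example, not code from the post or from any real sharing system; the signature bytes, message fields and addresses are constructed, and matching a fixed byte string is a simplifying assumption.

```python
"""Signature match -> minimal sharing record (constructed example)."""
from dataclasses import dataclass, asdict

# Constructed signatures: id -> byte pattern. Real antivirus signatures are
# more elaborate; a fixed byte string is an assumption for illustration.
SIGNATURES = {
    "A": bytes.fromhex("deadbeef4d5a9000"),
    "B": b"EXAMPLE-DROPPER-MARKER",
}

# The only fields the quoted answer asks for.
ALLOWED_FIELDS = {"signature_id", "src_ip", "dst_ip", "timestamp"}


@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    timestamp: str  # ISO 8601, UTC
    sender: str
    subject: str
    body: bytes


@dataclass(frozen=True)
class Indicator:
    signature_id: str
    src_ip: str
    dst_ip: str
    timestamp: str


def scan(messages, signatures=SIGNATURES):
    """Return one Indicator per (message, matching signature).

    Sender, subject and body are read locally to find the match but are
    never copied into the result.
    """
    hits = []
    for msg in messages:
        for sig_id, pattern in sorted(signatures.items()):
            if pattern in msg.body:
                hits.append(
                    Indicator(sig_id, msg.src_ip, msg.dst_ip, msg.timestamp)
                )
    return hits


def to_shareable(record):
    """Serialize a dataclass for sharing; refuse any field off the allowlist."""
    data = asdict(record)
    extra = set(data) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"refusing to share extra fields: {sorted(extra)}")
    return data


# Constructed traffic using documentation-only address ranges (RFC 5737).
SAMPLE_MESSAGES = [
    Message("198.51.100.23", "192.0.2.10", "2013-04-17T14:29:50Z",
            "alice@example.org", "Payroll", b"Quarterly payroll attached."),
    Message("203.0.113.7", "192.0.2.10", "2013-04-17T14:30:06Z",
            "billing@example.net", "Invoice",
            b"invoice " + SIGNATURES["A"] + b" trailer"),
    Message("203.0.113.99", "192.0.2.25", "2013-04-17T14:31:12Z",
            "hr@example.com", "Form", b"xx EXAMPLE-DROPPER-MARKER yy"),
]

if __name__ == "__main__":
    shared = [to_shareable(hit) for hit in scan(SAMPLE_MESSAGES)]
    print(f"inspected {len(SAMPLE_MESSAGES)} messages, shared {len(shared)}")
    for row in shared:
        print(row)
```

The benign message produces no record at all, and passing a whole `Message` to `to_shareable` raises instead of leaking sender, subject or body.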

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

This Would Be a Good Time to Not be Evil https://techliberation.com/2011/07/20/this-would-be-a-good-time-to-not-be-evil/ https://techliberation.com/2011/07/20/this-would-be-a-good-time-to-not-be-evil/#comments Wed, 20 Jul 2011 13:13:12 +0000 http://techliberation.com/?p=37853

Daily news service TechLawJournal (subscription) reports that the U.S. District Court (DC) has granted summary judgment to the National Security Agency in EPIC v. NSA, a federal Freedom of Information Act (FOIA) case regarding the Electronic Privacy Information Center’s request for records regarding Google’s relationship with the NSA.

EPIC requested a wide array of records regarding interactions between Google and the NSA dealing with information security. Reports TLJ:

The NSA responded that it refused to confirm or deny whether it had a relationship with Google, citing Exemption 3 of FOIA (regarding records “specifically exempted from disclosure by statute”) and Section 6 of the National Security Agency Act of 1959 (which prohibits disclosure of information about the NSA).

The FOIA merits of EPIC’s suit are one thing. It’s another for Google to have an intimate relationship with a government agency this secretive.

This would be a good time to not be evil. Google should either sever ties with the NSA or be as transparent as (or more transparent than) federal law would require the NSA to be in the absence of any special protection against disclosure.

“Perfect Citizen”: Congress’ Perfect Failure https://techliberation.com/2010/07/08/perfect-citizen-congress-perfect-failure/ https://techliberation.com/2010/07/08/perfect-citizen-congress-perfect-failure/#comments Thu, 08 Jul 2010 11:50:33 +0000 http://techliberation.com/?p=30166

Reliable national security reporter Siobhan Gorman at the Wall Street Journal has broken a story about an Internet surveillance program called “Perfect Citizen” to be managed by the National Security Agency.

Reading about it is frustrating, and for me blame quickly settles on Congress. Our legislature is utterly supine before the national security bureaucracy, which exaggerates cybersecurity threats and consistently uses the secrecy trump card to defy oversight.

If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such—the unique characteristics of new attacks—might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.

A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinized by private-sector experts, academics, security vendors, and watchdog groups.

Benign intentions do not control future results, and governmental surveillance of the Internet for “cybersecurity” purposes may warp over time to surveillance for ideological and political purposes.

These abstract criticisms of “Perfect Citizen” are all that publicly available information allows. Far better criticism would come from me and others more qualified if Congress were to do its job.

Congress owes it to us, the United States’ true citizens, to have public hearings on “Perfect Citizen.” Congress should reject broad assertions of secrecy so that the whole body politic can participate in securing our country from all threats.

Congressional and public oversight—searching oversight that tests assumptions and asks hard questions—would strengthen any government cybersecurity effort we find warranted. It would also ameliorate the threat of such programs to our civil liberties, democratic processes, and privacy.

The Construction Boom in Utah is About You https://techliberation.com/2010/01/02/the-construction-boom-in-utah-is-about-you/ https://techliberation.com/2010/01/02/the-construction-boom-in-utah-is-about-you/#comments Sat, 02 Jan 2010 22:42:31 +0000 http://techliberation.com/?p=24777

San Antonio too.

Privacy Solutions (Part 5): CCleaner https://techliberation.com/2009/07/17/privacy-solutions-part-5-ccleaner/ https://techliberation.com/2009/07/17/privacy-solutions-part-5-ccleaner/#comments Fri, 17 Jul 2009 19:06:33 +0000 http://techliberation.com/?p=19501

by Eric Beach & Adam Thierer

In our ongoing “Privacy Solutions Series” we have been outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online. These tools and methods form an important part of a layered approach that we believe offers a more effective alternative to government-mandated regulation of online privacy. [See entries 1, 2, 3, 4] In this installment, we will be exploring CCleaner, a free Windows-based tool created by UK-based software developer Piriform that scrubs your computer’s hard drive and cleans its registry. We’ll describe how CCleaner helps you destroy data and protect your private information.

Whenever you move files to the recycling bin and subsequently purge the recycling bin, the affected files remain on your computer. In other words, deleting files from the recycling bin does not remove them from the computer. The reason for this is important and, in many ways, beneficial. In some respects, many computer file systems work like an old library catalog system. A file is like a catalog card and contains the reference to the actual place on the hard drive where the information contained in the file is stored. When a user deletes a file, the computer does not actually clean all the affected hard drive space. Instead, to extend the analogy, the computer simply removes the card catalog entry that points to the hard drive space where the file is contained and frees up this space for new files. The reason this is usually beneficial is that cleaning the hard drive space occupied by a file can take a while. If you want evidence of this, look no further than the length of time required to reformat a hard drive (reformatting a hard drive actually clears the disk’s contents). The practical implication of the way hard drives work is that when you delete an important memo from your computer, it is not actually gone. Similarly, when you clear your browsing history, it is not gone. The bottom line is that an individual who can access your hard drive (a thief, the government, etc.) could view many or all of the files you deleted.

The solution to this problem is to ensure that when a file is deleted, the space on the hard drive occupied by that file is not simply flagged as available space but is entirely rewritten with unintelligible data. One of the best programs for accomplishing this is CCleaner (which formerly stood for “Crap Cleaner”!)

CCleaner enables you to select a host of potentially sensitive files (e.g., recycling bin, browser history, memory dumps, and cookies) and definitively delete them by writing over them at the root of the file system. In particular, CCleaner enables the user to choose whether files should be entirely overwritten once, thrice (DOD 5220.22-M standard), seven times (NSA standard), or 37 times (Gutmann standard). The end result of this is that users can entirely remove a file from their machines. As an added benefit, CCleaner also allows users to delete files that may not be sensitive in nature, but are not necessary for everyday computer tasks and as a result, their continued presence slows down the computer.
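The card-catalog behaviour and the overwrite fix described above, as an added example that is not from the original post and is not CCleaner's code. It models a disk as a byte array with a catalog; the block size, file names and memo text are constructed.

```python
"""Toy model of 'delete removes the catalog card, not the data'."""
import os

BLOCK = 16  # bytes per block, kept tiny so the layout is easy to follow


class ToyDisk:
    def __init__(self, n_blocks=32):
        self.raw = bytearray(n_blocks * BLOCK)  # the physical storage
        self.catalog = {}                       # name -> (block numbers, length)
        self.free = list(range(n_blocks))       # blocks available for new files

    def write(self, name, data):
        need = -(-len(data) // BLOCK)           # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, blk in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.catalog[name] = (blocks, len(data))

    def delete(self, name):
        """Ordinary delete: drop the catalog entry and mark the blocks free.
        The bytes in those blocks are left exactly as they were."""
        blocks, _ = self.catalog.pop(name)
        self.free.extend(blocks)

    def secure_delete(self, name, passes=1):
        """Overwrite every block of the file `passes` times, then delete."""
        blocks, _ = self.catalog[name]
        for _ in range(passes):
            for blk in blocks:
                self.raw[blk * BLOCK:(blk + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)

    def carve(self, needle):
        """Search the raw storage, ignoring the catalog, as anyone with
        access to the drive could. Returns the byte offset or -1."""
        return bytes(self.raw).find(needle)


def demo():
    memo = b"CONFIDENTIAL MEMO: merger closes on Friday"  # constructed
    needle = b"merger closes"

    plain = ToyDisk()
    plain.write("memo.txt", memo)
    plain.write("notes.txt", b"grocery list")
    plain.delete("memo.txt")

    wiped = ToyDisk()
    wiped.write("memo.txt", memo)
    wiped.write("notes.txt", b"grocery list")
    wiped.secure_delete("memo.txt", passes=3)

    return {
        "listed_after_plain_delete": "memo.txt" in plain.catalog,
        "offset_after_plain_delete": plain.carve(needle),
        "offset_after_secure_delete": wiped.carve(needle),
        "other_file_intact": wiped.carve(b"grocery list"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model assumes an overwrite lands on the same physical blocks that held the file, which matches the hard drives the post discusses. On SSDs with wear leveling, or on journaling and copy-on-write file systems, that assumption can fail and old copies may survive.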

The best part of CCleaner is that it is free, stable, safe, and extremely easy to use. It has won numerous awards and, according to the CCleaner website, the tool has been downloaded an astounding 300 million times.

To download CCleaner, visit http://www.ccleaner.com or http://download.cnet.com/ccleaner. More information about CCleaner is embedded down below, including a couple of YouTube videos. The most important tip for using CCleaner is ensuring that all files that are deleted from the recycling bin are subsequently overwritten (and therefore cannot be uncovered by someone who later accesses your hard drive). This feature is not enabled by default. To turn it on, do the following: (1) Open CCleaner. (2) Click on “Options” from the bar on the left hand side of the program. (3) Click on “Settings”. (4) Click on “Secure file deletion (Slower)”. The adjoining exhibit shows what that screen looks like.

For more information about CCleaner, please see the following helpful sites:

http://www.youtube.com/v/8wqegYPb_Ms&hl=en&fs=1&
http://www.youtube.com/v/5rqAgZedH60&hl=en&fs=1&
http://www.youtube.com/v/amPq1mG87Ic&hl=en&fs=1&
The Quiet Infamy of Gutlessness https://techliberation.com/2008/12/16/the-quiet-infamy-of-gutlessness/ https://techliberation.com/2008/12/16/the-quiet-infamy-of-gutlessness/#comments Tue, 16 Dec 2008 22:55:49 +0000 http://techliberation.com/?p=14934

You can tell I like my writing when I take a sentence from a post and make it the title.

Annnyway, my brief comment on the whistleblower who outed “Stellar Wind” is on the Cato@Liberty blog.

Does This Really Surprise Anyone? https://techliberation.com/2008/10/10/does-this-really-surprise-anyone/ https://techliberation.com/2008/10/10/does-this-really-surprise-anyone/#comments Fri, 10 Oct 2008 14:56:43 +0000 http://techliberation.com/?p=13323

According to ABC News:

Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.

It’s a simple formula: Lack of oversight produces abuses. Members of Congress may scurry around and declare outrage, but the responsibility is their own as much as anyone else’s.

U.N. Attacks Internet Anonymity – VeriSign Lending a Hand? https://techliberation.com/2008/09/12/un-attacks-internet-anonymity-verisign-lending-a-hand/ https://techliberation.com/2008/09/12/un-attacks-internet-anonymity-verisign-lending-a-hand/#comments Fri, 12 Sep 2008 14:49:55 +0000 http://techliberation.com/?p=12678

Declan McCullagh has done some great reporting this morning on an ITU plan to trace the source of all Internet communications. Meaning: no more anonymous speech online.

The U.S. National Security Agency is also participating in the “IP Traceback” drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

Read the whole thing.

It’s particularly interesting to note the role of VeriSign in developing this surveillance capability for the ‘net. McCullagh quotes Tony Rutkowski of VeriSign stepping up to defend the plan. Rutkowski published a summary of the plan in May.

Great reporting by McCullagh. Not a great thing for VeriSign to be doing.
