Questions of privacy, security and control have occupied me for a long time, both personally and professionally. In fact it was a significant aspect of my decision to switch focus from the Free Software Foundation Europe to Kolab Systems: I wanted to reduce the barriers to actually putting the principles into practice. That required a professional solution which would offer all the benefits and features people have grown accustomed to, but would provide it as high quality Open Source / Free Software with a strong focus on Open Standards.
What surprised me at the time was the amount of discussions I had with other business people and potential customers whether there was really a point in investing so much into such a business and technology since Google Apps and similar services were so strong already, so convenient, and so deceptively cheap.
I remember similar conversations about Free Software in the 90s, where people were questioning whether the convenience of the proprietary world could ever be challenged. Now the issues of control over your software strategy and the ability to innovate are increasingly becoming commonplace.
Data control wasn’t really a topic for many so far although the two are clearly inseparable. But somehow too much of it sounded like science fiction or bad conspiracy theories.
There have of course been discussions among people who paid attention.
Following the concerns about the United States’ capabilities to monitor most of the world’s transmitted information through ECHELON, many people were alarmed about the Foreign Intelligence Surveillance Act (FISA). It has given rise to many conspiracy theories about how the United States have access to virtually all the information hosted with US technology companies anywhere in the world and would be able to use that information to their military, political and economic advantage. But no-one wanted to believe them, as the United States feel so familiar thanks to Hollywood and other cultural exports, and in Europe still thanks to the gratefulness many people still hold for the US contribution to liberating Europe 50 years ago.
Only stories about US surveillance weren’t conspiracy theories, it seems.
There has been a flurry of public reports around a large number of security and privacy relevant issues in the past weeks. But due to the complexity of the issue, most articles only deal with a tiny piece of the puzzle, and often miss the bigger picture that I am seeing right now.
Trying to provide that picture has quickly left me with an article much too long for general reading, so I’ve decided to try and break it up into four articles, of which this is the first. Its goal is to get you up to speed with some of today’s realities, in case you hadn’t been paying attention.
Part I: What We Know
The recent disclosures about the NSA PRISM program have made it quite clear that what is written in black and white in US law is also being put into action. As Caspar Bowden summarized clearly in his presentation at the ORGCon2013, FISA provides agents of the United States with access to “information with respect to a foreign based political organization or foreign territory that relates to the conduct of the foreign affairs of the United States.” It’s limiting factor is the 4th Amendment, which does not apply to people who are not located in the United States. Which is most of us.
In other words: The United States have granted themselves unlimited access to all information they deem relevant to their interests, provided at least one party to that information is not located in the United States.
And they have installed a very effective and largely automated system to get access to that kind of information. Michael Arrington has done a good job at speculating how this system likely works, and his explanation is certainly consistent with the known facts as well as knowledge of how one would design such a system. If true, mining all this information would be as easy and not much slower as any regular Google search query.
What’s more, there is no functioning legal oversight over this system, as the US allow for warrantless wiretapping and access to information. The largest amount of queries most likely never saw a judge while simultaneously being labelled secret. And according to what one has to intepret from the statements of Edward Snowden, only the smallest number of queries ever make it to the secret FISA Court (FISC). A court which is secret itself and has been described as a “rubberstamping court” in many reports.
And we know the United States is far from the only country involved in such activities.
Turns out the United Kingdom has been just as active, and might even have gone to further extremes in their storing, analysis and access of personal information as part of its “Mastering the Internet” activities. It would be naive to assume that is where it stops. We know that other countries have well trained IT specialists working on similar activities, or even offensive measures.
China has been a major target. But it also successfully read the internal documents of German ministries for years, and managed to even breach into Google‘s internal infrastructure. Israel has been known to have some of the best IT security specialists in the world, and countries such as India and Brazil are certainly large enough and with major IT expertise.
Naturally there is not a whole lot of publicly documented evidence, but given that this subject has been discussed for over a decade one would have to assume total ineptitude and incompetence in the rest of the world outside the US and UK to assume these are the only such programs.
The most reasonable working assumption under these circumstances is:
Surveillance is omnipresent and commonly employed by everyone with sufficient ability.
But it’s not just surveillance of readily available data with support from companies that are required by law to comply with such requests.
Another way in which countries engage in the digital world is through active intrusion. In Germany there was a large debate around the ‘Federal Trojan‘, which in some ways goes a good step further than PRISM. Such active intrusion damages the integrity of systems, has the potential to leave them damaged, and potentially subject to easier additional break-ins. How easy it is to make use of this kind of technology has become clear during the public FinFisher debate.
The price tag of this kind of tool is easily within reach of any government worldwide, and it would be naïve to assume that countries and their secret agencies do not make use of it.
But in the flurry disclosures another interesting aspect has also been revealed: At least some software vendors are complicit with a number of governments to facilitate break-ins into customer systems. The company that has been highlighted for this behaviour is Microsoft, source of the world’s dominant desktop platform.
Rumours about a door in Microsoft Windows to allow the US government access have been floating around now for a long time, but always been denied. And rightly so, apparently. It is not that Microsoft has deliberately weakened their software in a specific place. They didn’t have to. Instead, they manipulated the process of addressing vulnerabilities in ways to allow the NSA and others to break into 95% of the world’s desktop systems.
But Microsoft is not the only party with knowledge about vulnerabilities in their systems.
So the situation of users would arguably have been better if they had installed a back door as that would limit the exploit to a number of parties that are given access through SSL or other mechanisms. That would have been imperfect, but still better than the current situation: There is no way to know who has knowledge of these vulnerabilities, and what use they made of it.
How that kind of information can be used in addition to the FinFisher type of software has been demonstrated by Stuxnet, the computer worm that was apparently targeted at the Iranian uranium centrifuges and was in fact capable of killing people.
We now live in a world where cyber-weapons can kill.
Just a couple of days ago, the death of Michael Hastings in a car crash in Los Angeles was identified as a possible cyber-weapon assassination. I have no knowledge of whether that is the case, but what I know is that it has become possible. And of course anyone sufficiently capable and motivated is generally capable of creating such a weapon – no manufacturing plants or special materials required.
All of this of course is also known to all the security agencies around the world. So they are trying to increase their detection and defence. But since this is an asymmetrical threat scenario, it is hard to defend against.
PRISM wasn’t motivated by an anti-democratic conspiracy
Too many comments following the PRISM disclosures sounded like there was a worldwide conspiracy involving hundreds of thousands of people, including many heads of states, to undo democracy. And it seems that some people, such as US president Barack Obama, became part of the conspiracy when they came into power.
To me it seems more likely they received more information and became deeply concerned about what would happen if we for instance started seeing large-scale attacks on the cars in a country. To them, PRISM probably looked like an appropriate, measured response. That is not to say I believe it is an effective countermeasure against such threats. And if Edward Snowden is to be believed, it has likely been subverted for other purposes. Considering he threw away his previous life and took substantial personal risk, and reading up on what people such as Caspar Bowden have to say, I have little reason to doubt his credibility.
Given the physical and other security implications of all of the above I guess only very few people would argue that the state has no role in digital technologies. So I think governments should in fact be competent in these matters and ensure that people are safe from harm. That is part of their responsibility, after all. Just banning all the tools would put a country at a severe disadvantage to fulfil that role for its people.
At the same time these tools are extremely powerful and intrusive. So what should governments be allowed to do in this pursuit, and how should they do it? Also, how do we have sufficient control to uphold the principles and liberties of our democratic societies? Also, what does all of this mean for international business and politics?
These will be some questions for the upcoming articles, so stay tuned.
- [ Part 2: Totalitarian Clouds ] - Trying to understand the social impact
- [ Part 3: No More Business Secrets] – The business impact
- [ Part 4: Politics and Power Struggles ] – The political side