On Global Surveillance

Back in 2001, I was just one of many warning that the PATRIOT Act gave broad authority to track people. This is what I wrote in 2001, in Chapter 4, "Legal Threats to Individual Privacy," of a book named Privacy Defended. The writing was on the wall, in plain sight.

The Patriot Act of 2001

In the wake of the terrorist attacks in the U.S. on September 11, 2001, several U.S. laws have been considered to provide more power to law enforcement to track terrorists and other types of criminals. One law that was signed was the Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001. This law gives federal investigators broader authority to track phone and Internet activities. While aimed at terrorist activities, the language covers other types of activity as well.

Civil liberties activists protested the law, which would allow wiretap orders under foreign intelligence rules. The law also allows law enforcers to obtain Internet records under so-called “trap-and-trace” orders. The attacks on the U.S. helped push this law past the privacy concerns of many groups, but a provision in the law states that Congress will review it in two years. Part of the law expands the capabilities of the FBI’s DCS1000 program. ISPs must make their systems more available to the DCS1000 program, although the law does provide for a judge to review the FBI’s Internet wiretaps.

To sum up where we're at today in 2013, the US NSA in collaboration with British GCHQ has engaged in wholesale, unrestricted surveillance across the global Internet and telephone companies. And we the taxpayers have funded this. Surveillance has increased exponentially beyond 'suspects' and 'targets' to simply 'everybody'. The equivalent of not only reading and monitoring all activity but storing it presumably for many years. Imagine what someone good could do with all that data! Imagine what someone bad could do...

It's not unexpected, and in fact we've known this capability was growing. But the tactics should be disturbing because, well, they're attacks. They look like attacks we use in Internet security testing, and attacks we try to defend against. Man in the middle, backdoors, and sabotaging national RNG standards deployed across most major software. No ISP is safe, no Facebook, Google, or other provider is safe, no software and no cryptography even seems safe from the capability. But these attacks are more interesting than criminal, or nation-state attacks. These attacks are legal... so we the public have already agreed to them, somewhere, somehow, without really knowing... then again there was the Patriot Act. We warned you.

In 2001 when I was writing Privacy Defended, government surveillance was one of the threats I discussed. At that time, I think most of us who worked in Internet security and privacy expected such surveillance would be rather limited to slices of traffic and data. For example, we knew the FBI had Carnivore, and would show up at an ISP asking to plug in their device and siphon traffic, or else they might just install a hard drive array to mirror traffic and collect it in a month or so. Still, it was thought to be used for targeted investigations into criminal leads, but it was also understood that significant amounts of unrelated and untargeted traffic could potentially be captured.

Of course we understand that companies such as Google, Facebook, Microsoft, and Amazon have incredible amounts of data about us. Our habits, content of our email, documents, purchases, etc. But there's a certain level of trust we have with them, and they at least seem a little isolated from each other. When the secret FISA court system in the US gives the NSA legal access to their data on demand, the trust breaks down. Are those companies morally or ethically responsible to resist handing over their entire databases to the NSA?

And then there are the advertisers. These companies extend their reach in scope similar to how the NSA does. Advertisers can record our activities and information across Internet services, in a way that transcends just one site. Of course they're mostly just trying to track metadata, it's not like advertisers are out there trying to collect all of our private email and financial data, are they? And they certainly don't have access to telephone calls.

Morally, it looks pretty bad. If the intelligence community wants unconstrained access to everything that traverses the Internet - business data, financial data, shopping, social, friends, email, and general Web surfing activity... why don't they just come out and ask for it? How could you think such a massive operation would continue growing unnoticed by the general public? Did you think it would be better to beg for forgiveness than to ask permission? Or did you just not even care what the public would think, because the legal framework had already been set up to support it?

Effectively, this could get ugly. If nations start creating their own Internet implementations as some are saying, well what a mess we might end up with. If businesses and individuals can't trust our data is safe and secure when we want or need it to be, then our practices We can clean up this mess, and many of us want to! But only if a majority of people care to recognize the issues. If you're curious to know more just ask someone questions!

Leaders of the Internet infrastructure recently denounced the USA's global surveillance. As it has destroyed trust, these leaders including ICANN, IANA, W3C, ARIN, APNIC, IETF, and RIPE have called to distribute Internet governance across nations, rather than keep most of it in the USA.

In a recent Internet Engineering Task Force meeting, Jari Arkko gave a nice presentation on this. As we can see, the trust problem runs deep. All the way from the Web applications, down through the operational stack, and down through the tool chain, compilers, and hardware that supports it all.

After listening to more and more people discuss this, it leads me to believe that philosophically security isn't just a mere illusion, it's almost a complete waste of time. On the one hand, it's only effective in layers - against layers of attackers. We can stop some general attacks but we could never stop anything so well organized, or coercive as global surveillance, not to mention something that's already been designed as 'legal' by the authorities. As the saying goes, if someone wants to get in, they'll find a way.