There are plenty of ideas for addressing the surveillance problem but perhaps it is time to take a step back and look at the "big picture". In any conflict, no matter how big or small, there is considerable advantage in having advance knowledge of your opponent's intentions. In military conflicts the invention of telegraph, radio, aircraft and satellites has more or less solved the problem with blindly marching into an area and getting annihilated. Nobody ever suggested that these technologies should be banned in order to create a level playing field.
It is going to be the same patttern with all forms of electronic communication. The spectre of weapons of mass destruction (anything that can kill more than one person at a time) is the justification/motivation for government and law enforcement to monitor everything online. Whether it has merit is kind of besides the point. It is an advantage, perceived or otherwise, that is not going to be given up, under any circumstances.
Another part to this is whether conspiring online actually constitutes a crime. People can chat all day about terrorist plots but until someone actually goes out and starts building a bomb or procuring weapons has a crime really taken place? Only when a society can decide on the answer to this question will it be possible to address online surveillance.
> There are plenty of ideas for addressing the surveillance problem but perhaps it is time to take a step back and look at the "big picture".
The "big picture" for me are the effects of the loss of privacy. What was once one of the most horrendous forms of punishment/torture, is now mainstream. Also, this only gives more power to already too powerful of people (you already mentioned the nukes). I think we've already proven we don't need mass surveillance to not blow ourselves up.
> Another part to this is whether conspiring online actually constitutes a crime.
""To be classified as a crime, the act of doing something bad (actus reus) must be usually accompanied by the intention to do something bad (mens rea), with certain exceptions (strict liability)."" - http://en.wikipedia.org/wiki/Crime
In other words, it's up to the most powerful, who are also in control of the surveillance to decide this, not us. Also, the "big picture" issues here aren't really surveillance itself, but MASS surveillance, SECRET courts, and CLASSIFIED evidence.
The only real WMD is a nuclear bomb. No non-state actor has ever used a chemical or biological weapon with other than trivial effect (the Aum cult came closest, and only illustrates the difficulty), and the military value of such weapons is questionable. So, who are the "opponents" that could lay a hand on the US without suffering immediate and total defeat? North Korea? Or, let's bug them. But in our present world, we could have a lot more freedom and privacy than we do, and a lot less economic drag from a bloated security apparatus.
I think the best approach is P2P decentralized and mesh-networked apps running locally, licensed under the Affero GPL. That way there is no profit (or gov't) center which can collect data. And any user with the app can get the source code (per the Affero GPL). Developers can monetize their apps either with paid support/development services or by accepting cash (in lieu of a 'proof of work' by solving hashes) to be let on the mesh networks for their apps.
While is support premise of the article, I have difficulty in accepting the fact that our democratically elected and funded government will continue to spy on us and is beyond our control.
What, exactly, makes you think the government is democratically elected?
I mean, if the NSA/CIA/FBI can get away with this kind of surveillance, and seeing the scope of "Tailored Access", why wouldn't they have rigged the last few elections, too? Clearly the security around voting machines isn't nearly as tight as that of Level 3,
FYI, you can start helping right away! There's the Aaron Swartz Memorial Hackathon starting tonight that has topics focusing on privacy and anonymous publications.
I want to reiterate one line of thought that's been seen here before but bears repeating: you should not give your data to Google, Facebook, or any other commercial entity just as much as you don't want NSA to have it. While NSA may have political motives and thus may use illegally obtained information for political ends, Facebook et al. could use it for reasons that serve their economic gain. That's a conclusion that's just as undesirable (if not moreso) than NSA using it.
I don't see a very good future of fighting the 'surveillance internet' if we don't face the notion that once data is out there -- of lots of people, in one place -- NSA will always be interested in it and will probably get it. Pragmatically speaking, pulling out of Facebook, Google, etc. is the only surefire way to fight the surveillance internet.
Does Google kidnap people? Confiscate their equipment? Harass travellers at the airports? Send IRS after their competition? No?
Can Facebook maybe deny me a business license? Cancel my passport? Is there a Facebook commando that would break down my doors if I did something Mark Zuckerberg didn't like? No?
Can we then stop pretending like corporations and governments play even remotely in the same league?
What can Google actually do? Target me with ads? I won't so much as see them.
And I don't use facebook, it barely raises an eyebrow. I couldn't try that with a national ID because I wouldn't be able to do anything.
Wouldn't the upside be that at least they'd have to ask? Just saying there is a difference even if they get the data either way. Well, there should be at least.
and that is the purpose of the Constitution. Eventually, governments can force their way into anything. Which is why the Fourth Amendment is so explicit. They are breaking the law.
A few months ago they were using the "metadata" argument. Where are the prosecutions now that thats obviously BS?!
I (probably) did miss that. I only have so much time to spend on here and so much stuff just falls through the cracks. It's the worst of both worlds then already.
Google also doesn't: molest me at airports or train stations, drone civilians, assassinate anybody, launch wars that kill tens of thousands, murder your family with a SWAT team, violate your rights with force via parallel construction, threaten you with the espionage act, sell guns to Mexican cartels, sell weapons to anybody much less theocracies and violent 3rd world states. Google also can't null and void the entire US Constitution at will by using force.
Yep, it's absurd to the extreme to compare the NSA and Feds to Google.
I thnk you're missing the economics of all the bad stuff: without dragnet surveillance, the NSA/FBI/TSA can't really drone-whack anyone appropriate. They have to put out a little old-fashioned effort to decide who to drone. It's inefficient at best. Also, without dragnet surveillance, the TSA can only hassle random travelers (which might actually be an improvement in security).
Does the NSA do any of that? Does the NSA even run operations at all? Can they do any of that?
Google, Facebook, et. al. can willfully share your information with the US or any other government.
AT&T gets paid $10 million annually for access to your data, and as a publicly traded company, if they don't do that, they're not being fair to their shareholders, to whom they've promised to maximize profits.
I think this is important to have emphasized. Especially because the opinion of business has a very loud voice in today's market-worshiping gov't. Even though there are technological remedies can be used by the most tech savvy to regain some ground, practically speaking any changes that protect the not-savvy have to be statutory. Companies will side with the consumers and howl like a dog when something more powerful than either of them surveils them, but spin on a dime and exploit their position of power over consumers.
I also agree that you could make a convincing case that aside from the legality and broad social unacceptability of the collection, the way data is currently used by the government is much much more in line with the surveilled's interests than many of the businesses gobbling up consumer data. Corporate surveillance isn't inherently any better than government surveillance. Pretending otherwise makes us enablers.
While not disagreeing that Facebook et al. pose a problem, the real problem is that you can't evade surveillance as you lay a digital trail of almost everything you do in your live. Your phone is location-tracked, every non-cash payment is tracked, the sites you surf onto are tracked (by your provider at least), your medical dossiers are electronic and pass eventually through public parts of the net, automatic face recognition is about to become ubiquitous,...
So no, leaving Facebook or Google solves only a tiny part of the problem.
The Internet does not require "Data on lots of people in one place" it would be just as happy with data on lots of people in lots of places, places that aren't always online too.
While we are playing cat-and-mouse with our own government, why don't we also make the NSA's activities illegal and/or enforce existing laws which already state as much?
Articles like these presume that it is OK for the government to access whatever it can technically get its hands on, in spite of Constitutional constraints and laws that do or should state otherwise.
Recognizing the reality that a powerful entity will seize whatever power or advantage it can find, is not a value judgment that that conduct is OK. I'm not clear on how you inferred such an endorsement from statements that people are going to resist by technical means.
"[W]hy don't we also make the NSA's activities illegal and/or enforce existing laws which already state as much?"
Who is "we" in your proposal? The people of the society? Some percentage don't mind the snooping - they think it is protecting us from terrorism. Another percentage object, and a third subset have little idea of what's going on.
Maybe you imagine there is some approximation of democracy in the US. Why do you think so? How well do you think the legislators represent the interests of citizens? How many viable parties compete for votes? Can you even verify that the announced election results have any definite relation to the votes cast at electronic machines?
Some elements in Congress have tried regulating the surveillance apparatus, at least since the Church committee in the 1970s. Obviously the effort has not succeeded, and I'm not perceiving much prospect of improvement on that front.
The only realistic avenue to improving privacy and digital security is some combination of (a) securing endpoint systems (b) an open-standard, no-back-door solution for pervasive encryption of data in transit and (c) services that somehow offer secure communications hubs without the operators having to shut down, sell out or be imprisoned.
These guys are working on (b), and I applaud their efforts.
>...not a value judgment that that conduct is OK. I'm not clear on how you inferred such an endorsement from statements that people are going to resist by technical means.
By "OK", I don't mean that you agree with it. I mean that by assuming the posture that you are going to focus on defending yourself technically, you are effectively ceding that the government has the right to access whatever it can. You're telling the government that it's OK to get whatever you are unable to protect. It is absolutely the wrong posture and it's what the NSA wants.
>Who is "we" in your proposal? The people of the society?
Yes. Exactly. Who else would "we" be? What does it matter that some don't get it yet when there is some group that finds it objectionable and contrary to our fundamental rights? I mean, it's really a strange position to take when you think of it. If the government was coming after you with tanks and guns, would you go buy a shotgun and stronger locks for your doors? Or would you spread the word and work to check the government per the laws of the land?
So, how about a grassroots campaign to change the public perception landscape?
>Maybe you imagine there is some approximation of democracy in the US.
An approximation of democracy is exactly what I think we have. Listen, you're preaching to the choir on the whole "our democracy is broken" thing. But, to the extent that there's anything left or any way back, fixing this democracy is our only hope. Again: grassroots.
It boggles my mind that the response is to cede everything--broken democracy, surveillance state, etc.--then just dig in to prepare to defend oneself from his/her government. If you actually believe that you can defend yourself from government lawlessness, then you ought to believe that you can play a role in fixing the government.
>Some elements in Congress have tried regulating the surveillance apparatus...I'm not perceiving much prospect of improvement on that front.
And, how long have we been patching zero-day exploits, fending off viruses, etc.? Why are you so confident that you are capable of defending yourself from a determined government with unlimited resources?
>The only realistic avenue to improving privacy and digital security is some combination of [technical solutions]".
I am not advocating that we don't take prudent, precautionary technical measures. Of course we should. I'm saying that they should be secondary and we must lead with legal measures to have any hope of reclaiming our rights and putting an end to this. All of the things you listed sound great. But, in truth, we know that there are exploits and vulnerabilities everywhere. Ironically, as technologists, we want to believe in technical solutions. At the same time, we also know better than anyone that a determined adversary will find a way to pwn us.
For instance, all of your technical "solutions" rely on an up-to-date OS with no zero-day vulnerability, perfect non-exploitable endpoint software, and even full knowledge of our hardware stack, firmware, etc.
In general, what you propose is exactly what the NSA would want. And, you will lose. If you are fortunate enough to even know when you've been pwned, you'll patch things up until the next time. You'll just play cat-and-mouse while your information floats away. Then, at some point, you will say "Wait, this is what we normally do to defend ourselves against criminals. Why am I having to do this to defend against my own government?"
At that point, you will realize that this is first and foremost a legal problem. Only then will you demand what I am advocating right now.
Do you really believe that it is wise to treat our government as a virus writer and put ourselves in the position of antivirus software writers? Do you want them in the exploit business while we, the citizenry, resolve to simply apply patches? Do you really want them to have legal carte blanche to use their unlimited resources (including your own tax dollars) to do as they please, then scurry off to try to erect some defense against whatever you think they are doing next?
When the NSA approaches Google, I want Google's General Counsel to deny the request with solid legal standing. Likewise with backbone providers and on down the line.
We are either a nation of laws or we're not. Our government is either beholden to those laws or they are not. Had we the proper laws and commitment to our Constitution, then Snowden's revelations would have resulted in trials and prosecutions. Instead, too many seem to be ceding to the government the right to surveil its citizens with impunity, and are instead focusing on technical defenses against their own government.
It's lunacy, and if the primary emphasis is not on legal redress, then we have already lost.
In case you didn't get the news, the NSA already does not bother to approach Google. They just install secret taps on Google's private lines between data centres, and siphon off all the replication traffic.
The NSA is a rogue agency that does not respect laws (or reinterprets them as they see fit). Going through the legal process to shut it down is certainly worthwhile, as is throwing its criminal elements in jail, particularly those that are happy to lie in congress.
However, the reality is that a rogue agency can evolve in the dark corners of the government, and that therefore it is likely that it will happen again. And even if it never happens in the US again, there are other countries out there, you know?
A strong technological solution that makes large-scale snooping impractical is a sine-qua-non no matter what happens on the legal side.
>In case you didn't get the news, the NSA already does not bother to approach Google...
I got the news. They approach Google AND they plug into private lines. The latter case is what I referred to when I mentioned "backbone" providers. Again, I want any private entity to have legal standing to refuse NSA requests.
>The NSA is a rogue agency that does not respect laws (or reinterprets them as they see fit)
I agree that if an agency goes rogue, then laws are only retroactive. That is, laws provide a penalty that is triggered only after an offense has occurred. But, clear (i.e. not ambiguous) laws with clear penalties can be a powerful deterrent. Whistle-blowers like Snowden are then empowered to stop abuses and illegal activity. They are automatically branded as heroes instead of traitors who must flee the country or worry for their safety. As it is, the good guys like Snowden are being put on the wrong side of the law and vice-versa. This must change.
>However, the reality is that a rogue agency can evolve in the dark corners of the government, and that therefore it is likely that it will happen again.
That's true and always has been. But, we don't just say "well, laws will be broken, so let's not bother having them". It's really the entire point: to prescribe what is acceptable behavior and provide penalties for violations.
>A strong technological solution that makes large-scale snooping impractical is a sine-qua-non no matter what happens on the legal side.
We actually agree to some extent. I don't advocate that we not implement technical measures. Where we depart is on priority. The wording of your last sentence signals this departure. I would flip "technical solution" with "legal side".
Ultimately, if the emphasis is on technical solutions, then we will all be pwned with impunity. Period. Are you going to write your own firmware? Manufacture your own chips? Are you going to personally write all of the security and other endpoint software in your stack, including the OS? Even if you did, would you be able to guarantee zero vulnerabilities in your own code?
Checking rogue agencies, providing more oversight and enforcing clear laws are the only way out. Technological solutions are but a backstop that we hope will provide us with some defense in the event that a rogue agency goes undetected for some period.
I agree with your response on the whole, but one point is worth quibbling with:
> I got the news. They approach Google AND they plug into private lines. The latter case is what I referred to when I mentioned "backbone" providers.
As far as I understand, these were not lines provided by "backbone providers". These were private lines laid and paid for and owned by Google. There was no third party who bent - Google got pwned directly, in secret, with impunity.
I understand that these guys are different from a random group of guys part of Anonymous or something like that, but still, is this comment relevant at all to the situation? As in, is the end result inevitable?
Facebook, Google and others offer you something in return for your data: use of their software and servers. You have a choice over whether or not to use these sites.
The NSA gives you nothing in return, other than the blanket reassurance that you are safer. You have no choice but to submit to NSA surveillance, other than limiting your online footprint.
“Fundamentally, surveillance is a business model of the Internet. The NSA didn’t wake up and say: ‘Let’s just spy on everybody, it said: ‘Wow, corporations are spying on everybody, let’s get ourselves a copy,’ ”
There are ways to make the Internet much more secure than it is today, and implement them tomorrow, with existing protocols and encryption methods. It's just a matter of browser vendors, hosting companies and websites agreeing to do it.
That being said, I hope IETF starts working on a new highly secure Transport layer protocol to replace TCP, within the next 5 years, and I hope they use Dan Bernstein's CurveCP [1] for inspiration.
We need the Internet encrypted and secure by default, and I don't care what Google or other advertising companies have to say about it. Adapt or die. Security of the web and the protection of the human right to privacy is way, way more important in my book. If they choose to fight such a move, instead of adapting and actually supporting it, then they will have become the enemy, and they'll end up on the wrong side of history.
So IETF's goal should be to get everyone to switch to these more secure, already existing protocols, and implement them within a year, or two at most.
In the meantime work on replacing TCP within the next 5 years, and also think about ways to create a new secure-by-default and easy to implement, IP-level protocol, to be used within 10-15 years.
If we are to "take the Internet back", then it needs to stop being such an easy tool for mass surveillance, so in a way, we need to replace all of its insecure parts.
It is going to be the same patttern with all forms of electronic communication. The spectre of weapons of mass destruction (anything that can kill more than one person at a time) is the justification/motivation for government and law enforcement to monitor everything online. Whether it has merit is kind of besides the point. It is an advantage, perceived or otherwise, that is not going to be given up, under any circumstances.
Another part to this is whether conspiring online actually constitutes a crime. People can chat all day about terrorist plots but until someone actually goes out and starts building a bomb or procuring weapons has a crime really taken place? Only when a society can decide on the answer to this question will it be possible to address online surveillance.