The NSA and an escalating battle over Internet privacy

Beach at Brighton, UK, August 2013

~~~~

“I would rather have a rectal examination on live TV by a fellow with cold hands than have a Facebook page.” — George Clooney, Sept 2009

“To the engineers, I say this: we built the Internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.” — Bruce Schneier, Sept 2013

~~~

Update (Sept 9). More evidence of the damage to online privacy politicians can cause without any help from spooks or decryption… TorrentFreak is running a story about British PM David Cameron and his alarming online content filter. Mobile carriers in the UK must have the filter turned on by default to block content that may be considered “harmful” to children. As the story points out: “The filter mainly targets adult-oriented content, but one provider now says that VPN services also fall into this category as they allow kids to bypass age restrictions.” In other words, the use of a VPN service like WiTopia, which I describe at the end of this post, may turn out to be illegal. Without the anonymity provided by tools like VPNs (virtual private networks), the public cannot expect to have any reasonable measure of privacy on the Internet.

Update 2 (Sept 9). ISOC has issued a statement strongly condemning the US government’s attack on the Internet’s core encryption technologies. An excerpt:

“The Internet Society believes that global interoperability and openness of the Internet are pre-requisites for confidence in online interaction; they unlock the Internet as a forum for economic and social progress; and they are founded on basic assumptions of trust. We are deeply concerned that these principles are being eroded and that users’ legitimate expectations of online security are being treated with contempt. … Security is a collective responsibility that involves multiple stakeholders. In this regard, we call on:

  • Those involved in technology research and development: use the openness of standards processes like the IETF to challenge assumptions about security specifications.
  • Those who implement the technology and standards for Internet security: uphold that responsibility in your work, and be mindful of the damage caused by loss of trust.
  • Those who develop products and services that depend on a trusted Internet: secure your own services, and be intolerant of insecurity in the infrastructure on which you depend.”

This summer, the Snowden NSA revelations greatly altered priorities in the battle for an otherwise enduring goal: keeping the Internet secure and open for use by us ordinary folk.

True, some things never change. Persistently the enemy of reason and fair play, Verizon will have its day in court on September 9, when it begins arguments before the D.C. Circuit as to why the FCC’s network neutrality rules should be torn up into little pieces, cremated and cast into the Chesapeake Bay. The carrier claims the FCC has no possible grounds for imposing such rules; is acting capriciously by trying to do so; and is threatening Verizon’s First Amendment rights into the bargain. As Harold Feld of Public Knowledge wrote in his policy blog:

“Just like Verizon FiOS decides whether or not to carry Al Jazeera America, and on what terms, Verizon argues it has the right to decide whether or not to go to AlJazeera.com, and on what terms.”

Abuse as a feature, privacy as a bug

Which brings us to Facebook and another unsettling story about risks to privacy. Facebook has once again given not just movie stars and world-renowned cryptographers like Bruce Schneier but a billion other people compelling reasons to worry about their privacy. Not that this is news. Abusing everyone’s privacy – in part by changing the abuse policy regularly – is a Facebook feature, not a bug. This month it’s not even changing policy, just “clarifying” it. As the LA Times noted:

“The new language says users automatically give Facebook the right to use their information unless they specifically deny the company permission to do it. At the same time, Facebook made it more complicated to opt out.”

Unless they opt out, users – including those not of majority age – consent to having their data act as endorsements of advertised products, even if they’ve never laid eyes on said products. The Center for Digital Democracy, which joined several other advocacy groups last week in a vehement protest, takes great exception to exploiting teens in this manner:

“Through legal fictions Facebook’s new policy tries to bind both minors and their parents to consent to ongoing invasions of privacy, based only on the nonaction of teenage users. This violates the FTC 2011 Facebook Order’s requirement of affirmative consent before the company undercuts privacy, as well as basic concepts of capacity to consent.”

Facebook’s chief privacy officer, Erin Egan, made the affair out to be a mere misunderstanding: “All we are changing is that we are providing more information and more specifics.” But Egan knows very well that the very thing protecting his livelihood and making Zuckerberg ever-richer is giving their users enough information to drown in.

That’s the business model: exploit users’ data at no direct cost, wait to get sanctioned occasionally, then keep shifting the terms around to stay ahead of both the customers and the regulators. To illustrate the power of too much fine print, consider the piece posted last year by Alexis Madrigal in The Atlantic entitled “Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days.” This graphic, based on work a few years ago by two researchers at Carnegie Mellon, tells you why Facebook and Egan are being a little disingenuous with their offer of ever-more specifics:

[Image: The Atlantic’s graphic on the cost of reading privacy policies]

~~~

Escalation: the devils you don’t know 

In January 2010, I posted some responses I’d made to the Pew Internet survey on the Future of the Internet, which included a question about anonymity. I was pessimistic:

“The battle over online anonymity is much like the tug-of-war between large copyright holders and online ‘pirates’. It’ll never end. Several kinds of people feel they have too much at stake to let other people hide online: besides movie studios and record labels, that would include law enforcement officials, national security agencies and marketers of all descriptions. At least some of the time, bad behavior (or suspected bad behavior) will trump any rationale for hiding identities.”

Three-plus years later, Snowden’s whistleblowing certainly seems to support a pessimistic view of our online future. But the underlying issues are not as black-and-white as we might want them to be. What’s remarkable about the revelations, moreover, is not merely the NSA’s disregard for boundaries, legal and otherwise. After all, it’s a spy agency, enjoying all the privileges that go with being both powerful and invisible. (Secrecy corrupts and absolute secrecy corrupts absolutely, say I.) No less remarkable is the range and number of institutional actors – the digital bullies with gatekeeping power, like Verizon – that are hellbent on using the Internet to build invasive and abusive pathways into the lives of much of the human race.

Until a few days ago, I could persuade myself that Snowden’s disturbing news was mitigated by seeing his revelations jump-start a global debate over online privacy. Then on September 5 came an even bigger and better bombshell, courtesy of the New York Times, The Guardian and ProPublica. According to a stack of fresh documents, vetted under the expert eye of Bruce Schneier, the NSA is not merely waging a clandestine war against millions of individuals. It’s waging war against the Internet’s core security technologies. The NY Times report begins thusly:

“Documents show that the N.S.A. has been waging a war against encryption using a battery of methods that include working with industry to weaken encryption standards, making design changes to cryptographic software, and pushing international encryption standards it knows it can break.”

When I checked back today (Sept 8), the piece featured a startling addition: photocopies of sections from the top-secret documents in question.

[Image: excerpt from the NSA documents published by the New York Times]

If you read the passage highlighted by the journalists, you’ll see this budget is for breaking commercial encryption technologies while keeping users lulled into believing the protections work as advertised. You can also begin to see why this initiative is a great deal more dangerous than attacking individual users, since in attacking enabling technologies, the NSA is undermining the very foundations of the most important communications medium, and engine of economic growth, ever invented. It’s a bit like the difference between interfering with end-user free-speech rights and rescinding the First Amendment.

Here’s how the Times summed up the breadth of the war against keeping secrets from the spooks (which goes by the code-name Bullrun):

“Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.”

Schneier’s take

The new revelations prompted Schneier to write two opinion pieces that ran last week in the Guardian. The first is entitled “The US government has betrayed the internet. We need to take it back.” It’s a bold pronouncement, calling for nothing less than the “dismantling of the surveillance state.” To do so, Schneier argues that more technologists and engineers must follow in Snowden’s footsteps:

“If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.”

The day after that appeared, Schneier was back with another item, this one describing short-term measures that can be taken by those of us who aren’t ready to go up against the whole US intelligence establishment. In “NSA surveillance: A guide to staying secure,” the author offers several ways for end-users to stay safe. The central message I take away from them is that while nothing can provide ironclad protection, good crypto works – so we should use it.

Despite the concerns he airs in the Guardian, however, Schneier expresses deep scepticism on his blog about the NSA’s ability to crack good encryption. In an entry posted on September 6, he explains the two-pronged attack needed to break strong encryption: brute force combined with cryptanalysis. Brute force refers to trying billions or trillions of possible keys against the encrypted data using a lot of computing power. But the brute-force approach cannot crack keys over about 80 bits in length. That’s where the NSA’s brain power comes in: applying cryptanalysis to work out the underlying mathematics of the encrypted text, rather than hitting it repeatedly with sledgehammers (the NSA reportedly employs more math PhDs than any other American organization). As Schneier adds, most modern encryption algorithms use 128-bit or even 256-bit keys.

So does that mean we’re safe from the marauding NSA math geniuses? Yes and no. Schneier says it’s not the code but sloppy execution that’s the real problem:

“Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.”

A VPN to call your own

If you’re persuaded by Schneier’s pleas about encrypting, here’s a modest suggestion about first steps. I subscribe to a service called WiTopia, which provides sophisticated personal virtual private networks, VPNs, at a very reasonable price (the main point of a VPN is to create a “tunnel” through the Internet that hides your communications from third parties). I’m running it now while finishing this post in my local Starbucks, since the connection is over public WiFi.

WiTopia uses good technologies like OpenVPN and IPsec for building encrypted tunnels between the subscriber’s machine and any of its dozens of private gateways located on all five continents (see map below). Once your tunnel is built, the system generates virtual numeric IP addresses on the fly for both you, the client, and the gateway server. WiTopia offers 256-bit encryption if you think you’re being pursued by “extraterrestrials or the Illuminati.” Otherwise they’ve got you covered at 128 bits:

“Despite some speculation to the contrary, properly deployed 128-bit encryption cannot be broken with modern computing power. Mathematically, it would literally take thousands, if not millions, of years.”

(Just make sure your VPN password isn’t “password” or 1-2-3-4-5-6.)

[Image: map of WiTopia gateways]

D.E.

One thought on “The NSA and an escalating battle over Internet privacy”

  1. Schneier is also someone I like to pay attention to on these matters. We’ll see how far his call to take back the internet in Vancouver’s IETF meeting goes (http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying).

    VPNs are nice. I’d also recommend startpage.com for private googling and Ghostery for blocking/learning about commercial trackers. In all these matters, it’s important to remember that the most dangerous situation is not simply one where your information is compromised, but one where you assume you’re secure and this leads you to do something you end up regretting (https://freedom-to-tinker.com/blog/felten/nsa-apparently-undermining-standards-security-confidence/). If being actively targeted by the NSA is what you’re worried about, there’s not a lot I’d be confident in keeping you safe.

    Something I think you may want to touch on in the future is the Canadian connection on the NSA stories, or perhaps the lack of a connection here amongst the public. CIRA wants to change this (http://cira.ca/news/news-releases/survey-finds/), but overall, I get the sense that Canadians aren’t too bothered.

    Would this change if we learned the NSA was covertly tapping Canadian cables? Well, in effect they already do this when our boomerang routing crosses the border. Emailing someone in Canada often means your packets are heading to the US and back (ixmaps.ca), where your traffic is effectively “foreign” and thereby not protected by the NSA’s legal formalities. There’s an argument that this is an infringement on the sovereignty of our telecommunications, but arguing for Canada’s internet sovereignty reinforces trends towards net balkanization and the increasingly ridiculous distinction between “domestic” and “foreign” traffic. All this being said, I’m fully in favor of keeping more Canadian/local traffic local (IXPs and such). When you can’t trust your intermediaries, it’s better to limit their numbers and the numbers of jurisdictions they answer to.

    In all of this, it’s important not to overinflate the NSA threat, as our technologies are full of vulnerabilities and there are more personally relevant dangers most people should worry about. But there are broader social consequences to pervasive surveillance, and the normalization of surveillance threatens core democratic freedoms most Canadians don’t currently seem to be too bothered in exercising or defending. This is the sort of thing that dramatically impacts the activities of journalists and political activists – the people we depend on for a healthy democracy. Canada’s “special relationship” with the US also means we need to stay attentive to developments on both sides of the border.
