Fear for, and Belief in, the Internet
Fear for, and Belief in, the Internet
Responses - Civil Society
Avri Doria, Non-Commercial User Constituency (ICANN NCUC)
On first reading the two contributed papers, my feelings where of fear, doubt and some uncertainty. To imagine that the Internet had become so unsafe that only governments could save it or else we would need to give it up altogether, made me shudder. To doubt that we are up to the task of finding the proper balance between institutional and decentralized power, made me despair for the future. And since the Internet is as much a belief system as it is a complex network of technology and society, the uncertainty brought on by this doubt and this fear made me wonder if it was time to just give up on the Internet as the doorway to a better future for humanity.
Reading the propositions again, I looked beyond the excellent and convincing way the articles were crafted, and started to focus on some of the building blocks in these articles.
Fortunately I found a bit of hope in questions prompted by President Ilves’ thesis. Before getting to the questions, though, I want to look at the claim that “cyber can simply render the military paradigm irrelevant.” Would that this were so. In a world where, as I sit writing, some governments are using chemical weapons on their own population, while others are poised to bomb those civilian populations to punish their leaders, it is hard to accept that the “military paradigm is irrelevant.” We still live in a world where governments do horrible things to their people and it has nothing to do with the Internet. This does not make Internet threats irrelevant, but it puts distributed denial of service (DDOS) attacks and other property crimes in a different perspective. And while threats to the infrastructure could be catastrophic, these exist mostly in threat scenarios, at least at this point. It is certainly prudent for critical infrastructure to be hardened and protected, including from Internet threats, but to say that we have moved beyond the barbarity of real bombs and real Weapons of Mass Destruction to a greater danger from the Internet is hard to accept.
Moving to questions, why does the existence of the bad hacker and the fear that is generated of the bad hacker, cause us to change our perspective of government and make us trust it. With the examples of information gathering on citizens and others by government operatives and consultants, examples that can be found in many countries – though more egregious in some than in others, how can we pretend that governments have not become Big Brother. According to the book Big Brother is here to protect the citizens. Everything the government does is for the citizen, to keep her safe from terrorists, pedophiles and to allow industry to thrive by protecting them from privacy pirates. Does the existence of an Internet threat give us cause to forget the other threats caused by government activities against the citizenry? Estonia may be a place where, at this point in time, there is a benevolent government that would not abuse the information it collects on its citizens, but what prescience can inform us that this will last and that some future government will not descend into the same sort of barbarity we see other governments perpetrating all around us. Governments make laws, some of which turn benign activities into so-called cybercrime. In some countries, for example, publishing an article on LGBT rights is a cybercrime. In other countries it is a cybercrime to publish an article critical of a leader, or the leader’s daughter. How can governments that make such laws protect the freedom of the Internet?
Are our fears of governments nebulous as indicated in the article? I have the ‘fortune’ of reviewing these propositions written in the pre-PRISM era during the post-PRISM era. It is possible to look at the accusations of paranoia that remain unspoken under charges of “nebulous fears” and laugh, for the paranoids have all been exonerated. All of our countries really are spying on us most of the time, whether is metadata, ubiquitous cameras, or deep packet inspection.
President Ilves’s writing discusses the fact that these days it is private companies that have the information, and it is private companies that have become a threat. This may be true, but for the most part we have voluntarily given the corporations that information and we have an expectation that they will use that information prudently. We can ‘vote with our feet’ if they don’t. And while they often fail us, we still engage in our voluntary relationship with them because they provide us with services we value and give our lives a style we want. Even when they commit the greatest harm by giving our information to governments through secret back doors, we still forgive them because it is a voluntary relationship and they are giving us something we value for our information. I was furious with Facebook and Google for their cooperation with PRISM and other assorted information gathering activities, yet I chat with my friends about it on Facebook and Google + and looked up all kinds of information about PRISM using Google and other search engines.
Is it true that “free movement of people, goods, services, capital and ideas. … can only be accomplished if identities are secure?” (Llves 2013) Do we need government identification? Even if we do need definitive identification, does the government have to track people in order for them to have verified identities? Can technology develop a method to provide secure identities in a privacy-preserving manner, as opposed to allowing this power to governments? To say that systems need to be protected does not explain the need to know everyone’s identity. The activities of many governments constitute crimes against their people’s human rights; the idea of governments providing someone with a secure identity that they control is the basis of many a dystopic vision. While in e-government services governments do need to control the access, the need to do so for citizen services and rights does not extend to the rest of a person’s activities and interactions. We do not need to surrender to the Faustian choice: government control or “to go back to the pen, typewriter, paper and mechanical switch.”
Finally I ask, do all of the increased security and surveillance techniques make us safer, or is it security theatre in the service of other goals? One of the bulwarks of the Westphalian state has always been a controlled population with a similar world view and a common set of principles. But with the Internet, all of the fruits of knowledge become available to anyone with access. And when that happens, people start questioning the control and find ways to try and alleviate their intolerable situation. Governments create laws that fabricate cybercriminals and they then have the bogeyman they can use to make us feel safer with their protection.
In terms of Schneier’s piece, I think that the “nimble and distributed powers” go beyond “such as dissident groups, criminals, and hackers.” I think those who create the Internet itself, it architectures, protocols and code are the main source of the distributed powers. I also believe that they are the nimble source of the solution for the current tussles with the institutional powers and part of what gives me hope that President Ilves’ vision is not the only path forward.
Yes, the cloud is unsafe. But it does not need to remain unsafe. As I write these words, I am certain that there are researchers that are looking into techniques for greater safety in the cloud; for techniques that allow secure transmission and put in place cryptographic controls that can only be accessed with binary key and are not open to system administrator access. And while it is certain that every security technique may eventually be cracked, every cracked security technique will be replaced by an improved technique. Tor was safe, got attacked, and got safer.
Technology keeps progressing and those outside the institutional framework are doing much of the work. And while some countries will try to criminalize their efforts with laws against citizen use of Internet security mechanisms, for the most part the good hackers will succeed in creating ways for users to have safer access. While it is true that using security is not always as easy as loading a music app, it gets easier for the user all the time. On Android, for example, there are many security systems that can be installed directly from the Play Store. As time goes on, it will not only be the savvy hacker who knows how to protect themselves, the savvy kids will show their parents how to turn on the newest security mechanisms.
From my perspective it comes back to technology. What made the Internet possible was technology plus a concept of distributed control. In time institutional powers caught up, they always catch up. The trick is to stay ahead of them. What will help the Internet remain the dream is the technology that is yet to come.
Both of these documents, in their own way, ignore the possibility that the people themselves can employ technology in their random and unorganized way, to escape the conundrum. It was the technology of the Internet that gave humanity one of its first views of a world where human expression was free, where anyone could communicate with anyone and where knowledge could be shared with the rest of humanity. Often, people say the solution is not technical, the solution is legislative. But history shows that the legislative solutions either fail before the wizardly of the bad hackers or become the crimes as in PRISM and related activities. In planning new technology the good hackers can look at the gaps in previous security technology and work on closing those gaps. Yes, there is a constant race between those who want to protect rights and those who want to pry those rights from them.
There is an assumption in human rights documents such as the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and other covenants, that the governments are responsible for protecting the peoples’ rights. But over the years many instances show that governments cannot be fully trusted to protect the citizen’s rights – the efforts are at best haphazard if not actually contrary to the obligation. We have also seen technology that attempts to defend our rights. While it often fails, after repeated attack, it is often improved and does provide the protection we need; at least for a while. Certainly people need to continue the work on reforming the country they find themselves subject to. But in the meantime, while working our way toward the utopian vision where all countries honor all human rights, we need to continue creating the technological tools that can give the Internet back to the people.
Taking a historical perspective, the global Internet is a very young techno-social system and is still developing according the principles that gave us the Internet in the first place. The multistakeholder model of Internet governance, not mentioned by either author, is currently being expanded to include the governments in the hope that this will give them greater capacity to create national policies consistent with the principles of human rights that have been embodied by the Internet since its beginnings. It is in this multistakeholder policy process that we will figure out how to balance the power of the creative distributed power for freedom and the repressive institutional power for safety. Between technological improvement and multistakeholder process, I find I still have hope for a global Internet.
- I tend to think of hacker as an attribute that indicates a person has deep interest in computer network systems and has the talent and perseverance to write code that can affect the Internet or some other system of interest. I tend to believe there are good hackers and bad hackers, and am always someway distressed to see how this class of person is spoken of in a pejorative way. But perhaps governments think of all hackers as bad because they represent Schneier’s distributed power, a power that most governments cannot abide.
MIND-Multistakeholder Internet Dialog