Schneier on Security
A blog covering security and security technology.
« Facial Recognition Door Lock |
| Australia Restores Some Sanity to Airport Screening »
December 17, 2009
The Politics of Power in Cyberspace
Thoughtful blog post by The Atlantic's Marc Ainbinder:
We allow Google, Amazon.com, credit companies and all manner of private corporations to collect intimate information about our lives, but we reflexively recoil when the government proposes to monitor (and not even collect) a fraction of that information, even with legal safeguards. We carry in our wallets credit cards with RFID chips. Data companies send unmarked vans in our neighborhoods, mapping wireless networks. The IBM scientist and tech guru Jeff Jonas noted on his blog that every time we send a text message, we're contributing to a cloud where "powerful analytics commingle space-time-travel data with tertiary data." Geolocated tweets can tell everyone where we are, what we're doing, and who we like. Sure, The data is ostensibly anonymized, but the reality is a bit different: we provide so much of it that, as Jonas notes, we tend to re-identify ourselves -- out our identity -- fairly quickly. This is good and bad; the world becomes more efficient, we leave less of a footprint, we get what we want more quickly. But we also sacrifice privacy, individuality, and other goods that can't be measured in dollars and cents.
Government power is just different than corporate power. Our engagement with technology implies a certain consent to give up information to companies. A deeper mistrust of government is healthy, so far as the it places pressure on lawmakers to properly oversee the exercise of state power. Warrantless domestic surveillance by NSA during the Bush administration doubtless ensnared a number of innocent Americans and monitored the communications of people who posed no harm to anyone. Where the standard is personal privacy and the rule of law, the violation is severe.
But where the standard is harm, the damage is minimal compared to the information that is routinely and legally collected by non-state entities -- information that is used to target us for political appeals, to sell us something, or to steal money, to pilfer intellectual property or abuse technology. 85 percent of infrastructure in this country is in private hands; it is extremely vulnerable to attack and even to catastrophic resource failure.
This asymmetry is distorting the politics of cyber security. It frustrates the front line cyber folks to no end, but they are, in some ways, responsible for it.
For one thing, the NSA lacks credibility with many Americans and with some lawmakers because of its aforementioned activities. And yet the NSA is -- really -- the only entity with the expertise, the size, and the capability to secure the cyber realm. For another, the government remains obsessed with secrecy. The NSA and the Department of Defense can penetrate virtually any computer network on the face of the planet, and probably do so with regularity for defense purposes. Their capabilities in this "offensive" realm are awesome, and kind of scary. The technology that'll be used to defend the country from cyber attacks of all types is the same technology used to track insurgents in Iraq (classified), tap into terrorist net-centered communications (classified), probe nation-state computer defenses (classified), figure out how to electronically hack into missile guidance systems (classified). Also: they're worried that terrorists would figure out how vulnerable we really are if they knew everything. Here's the weird part: China, Russia, savvy cyber terrorists -- they know all this. They have the same technology.
My essay on who should be in charge of cybersecurity.
Posted on December 17, 2009 at 6:10 AM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is not a technical problem.
Google and Amazon.com will not send out SWAT teams to enforce their business policies.
i don't care who the opponent is. if it's forbidden for the government, why should it be allowed for private corporations? if stalking and spying are forbidden in the "real world", why allow both at the www?
The German Federal Constitutional Court calls this the right to informational self-determination.
there must be a lot of money in this business. why else are we talking about it so often?
And as an addendum to Team America ... Google collects information on you in order to be more efficient in the services it can PROVIDE to you (for a price).
The government tends towards collecting information because it highly suspects that you are an enemy.
Amazon would like to sell you a cruise trip the the country where the book you just bought is based.
The government puts you on a no-fly list because your name is too generic and has no process for getting your name off that list.
"And yet the NSA is -- really -- the only entity with the expertise, the size, and the capability to secure the cyber realm. ... The NSA and the Department of Defense can penetrate virtually any computer network on the face of the planet, and probably do so with regularity for defense purposes. Their capabilities in this "offensive" realm are awesome, and kind of scary."
Then start doing something about the spam and crap that's already on the Internet. Earn the trust.
"Google and Amazon.com will not send out SWAT teams to enforce their business policies." ...yet.
As someone on slashdot.org put it a while ago, "I am not afraid of what google is doing with my personal information. I am afraid of what google may be doing with my information 2 or more decades from now."
"Google collects information on you in order to be more efficient in the services it can PROVIDE to you (for a price)."
Minor pedantic correction: Google collects information on you in order to be more efficient in the services it provides it's real customers, advertisers. They also use that information to provided you services, but providing you those services is also for the ultimate purpose of becoming more efficient at providing services to advertisers.
I'm not terribly concerned with any of this, but I am concerned with who google may decide it is profitable to sell information to in the future. I am however concerned with what the government is doing in the present.
I think it's important to realize that when it comes to private companies, we individually make the decision to share data with them. Google cannot force me to give them my information. (and so I am able to manage somewhat what information I give them) I am able to make a determination about my level of comfort with the lost privacy versus the service I gain access to in exchange. With the State, that decision is taken out of our hands as we cannot individually choose what we share with the state. That decision is made once and applies to everyone regardless of consent. That is the problem. (That, and the fact that since I am not a terrorist, there is no benefit to the State having my data. But they can't know that obviously...)
Let's face it: unless something changes drastically, we're well into the era of corporate governance. I mean, come on, Congress is wholly bought by corporate lobbyists, who write bills, who literally dictate floor speeches of Congressmembers, etc. Right now, corporations increasingly ARE the government. Setting aside the emotional upset over fascism, the fact is that America is increasingly a nation whose policies are set by the wealthiest transnational corporations owned by the wealthiest individuals in the world.
In such an environment, the idea that the government is bad while corporations are neutral if not good is one that makes little sense. The airlines hand traveller data to the government: the government is beholden to the corporations, so where do you think that data goes? When government personnel rotate out into corporate service and then back into government, where is the boundary on that information?
Increasingly, the issue is not how to protect your private information: I contend that battle is already lost. The issue instead is how to protect yourself from the harm and liability of identity theft or the misuse of data whose release you initially approved.
And government versus private? Pointless. Someone said private firms don't send out SWAT teams, which is simply wrong: private firms send private agencies round to collect, and when you resist the private collection agency the sheriff shows up. End result is the same.
So look at it realistically. First, the war to protect your private data is over, you lost. Second, government is increasingly the agent of corporate interests, whether collecting data, removing privacy protections, or enforcing corporate claims. So in such an environment, how does the individual protect themselves from the inevitable abuse of their personal information?
"Google and Amazon.com will not send out SWAT teams"
Of course they will; but instead of carrying smg's they'll have briefcases, instead of tac vests, brooksbrother vests, instead of bullets....billable hours.
They can bring force to bear without immediate resort to violence.
The one thing people forget when talking about cyber security is the bad analagies those in the political sphere use.
"The Information highway" incorrectly links what are effectivly "publicaly owned" roads with "privatly owned" networks.
Imagine for a minute what kind of hell you would be in if every road was privatly owned and self financing.
Likewise when it comes to defence the politicos view the internet as "national structure" to be defended as the nations boarders are.
It just does not apply.
The Internet is more like a medievil kingdom wher the King has his high court and personal body guards of profesional soldiers (the NSA). The Dukes and Barons have their own personal body guards etc (large corperations). The peasants pay a tieth to the local landlord (ISP's) who might or might not provide basic defence and maintain the roads...
The likes of Google can be looked at as road tolls.
They "offer a service" at a price, the problem is it's an unknown price that realy makes them the equivalent of "Robber Baron's" and their brigands.
I don't agree.
It it correct, that there is a difference between "make the decision to share data" and being forced to share data. And it is a difference between having the power to send out a SWAT team or do something else.
But 1. the government forces the industrie to share the data concerning their customers.
2. i have no contol over all the Douleclick (or similar) activities. i don't even know about this activities before i visit a web page.
3. i have no control about my data after they were collected. i know nothing about resale, further processing, etc.
I come back to the concept of informational self-determination (German: informationelle Selbstbestimmung).
Who does not know or has no affect on which information (concerning her behaviour) are stored, will change her behaviour because of caginess (carefulness, better?).
You can't live free (as person and community) if you don't know who knows (when) what about you.
Organizations that claim a monopoly on the use of force are just inherently scarier. At least Google can't kidnap me and put me in a box, without first getting the cooperation of someone else.
Of course, judging by recent comments, they willing turn information over to the government anyway.
Why is it anyone's job to "secure cyberspace?" Is that even desirable? What's their definition of security here, and whose benefit is it for primarily: the "citizens" of the internet or the organization/agency doing the securing? Somehow, having the NSA "securing" the internet for me would make me feel a lot less safe than the current status quo.
I own my laptop. the space on my harddrive is my property, I do not give permission to anyone to put spyware of any kind on this computer, If I were to rent this harddrive space I will charge about a thousand dollars a month for every kb.
I am owed many thousands of dollars by companies who have put thier code for thier profit and spying on my computer without signing an agreement with me.
I assert the right under the ninth amendment my personal right to be informed when any data about me is accessed, used and especially profited from. who is using this data, for what purpose, must be revealed to me and approved before any use is made of it.
anyone who does not chose to respect this is simply a pirate hacker regardless if they have the corporate privateering liscense of impunity
Regarding Google, this is how they frame their information collecting:
"Google Inc. (GOOG) director of U.S. public policy and government affairs Alan Davidson said online consumers are a savvy bunch and understand the tradeoff that's being made--they divulge some information about themselves in exchange for free online content and applications supported by advertising."
Not sure I'd agree with much of that. This quote is from a report on the FTC privacy hearings on 12/7.
The FTC talks are part of a series of Roundtables. The next one is in Berkeley, CA on Jan 28, 2010. Pity that there don't appear to be any transcripts online but there are links to relevant documents and comments can be submitted online and you can read comments submitted by others. Here's the link:
I was wrong. Video and transcripts are available from the FTC Privacy Roundtables if you click the webcast link. Here's the link for the first event that took place on 12/7.
There are two more scheduled.
@Clive "every road was privatly owned and self financing"
Which is exactly what I live on. We didn't even have a name on it until the last few years. We pay to pave and patch it, plow it in the winter. It is the homeowner community's biggest annual expense yet every time we attempt to get a vote to let the state take it over we're overruled. It is a nightmare.
i would be at an extreme disadvantage if I wanted to pay for my own fire department, food safety inspectors and armed fighters.
There are valid services that only a government should provide that you'll never hear the right-wing in the US admit to.
@bongo "the ninth amendment "
Strictly speaking the constitution is only between you, me, the states and the federal government and not between you and me.
Isn't what you want better law that governs how you and I can interact in this brave new world?
@Albatross "And government versus private? Pointless. Someone said private firms don't send out SWAT teams, which is simply wrong: private firms send private agencies round to collect, and when you resist the private collection agency the sheriff shows up. End result is the same."
Yes if you owe them something, they will send someone after you. But if you don't like doing business with a company, or how they handle your information, you can stop buying from them. You can't stop doing business with the government, or doing it the way they want, or they send the swat team after you.
Businesses assess the risk of losses from attacks, and decide how much money should be spent vs how much loss is avoided. Government has no incentive to make the right tradeoff, since it isn't their money they are spending, and they are employing people who will lobby that they should be doing more.
"...if you don't like doing business with a company, ... you can stop buying from them..."
bogus, in the Google world it's nearly impossible. with Google Adsense, Analytics, etc. How?
and if you want to send an email, the addressee uses GoogleMail etc. etc.
I don't want to think about the future with the RFID technics in all sorts of products (food, clothes, ...), with wireless (sensor) networks nearly everywhere, with the data from GPS and mobile phones.
data mining, and automatic trading software etc. will leave us in a dunst of personal information and everyone will be able to use it (how knows what "the machines" will do with this data.).
as long as we don't have a lable on the personal data, that displays the creator (and maybe the path through the "owners"-network) we will have this problems.
WHO knows what "the ma....
"Government power is just different than corporate power."
And entities which employ both are extremely dangerous, which is the current situation. Eisenhower nailed it. Smedley Butler nailed it. We have forgotten what they told us and why and we will need to repeat those lessons.
The telecommunications system and Internet are the military/industrial complex's most vulnerable points. "Securing" it stopped being about the privacy of the individual citizen quite some time ago. As someone else here observed, this is causing reactive behavior by governments, corporations and individuals which can often be described as feudal, and in some cases fascist, but ALWAYS fit "organized crime" as you near the top of the hierarchy.
The Internet is the art which most closely imitates the life of the powerful entities in question. It provides the least amorphous and deceptive picture of an organization and it's relationships. Governments and corporations leave footprints, too. These days, hiding that information has become what "securing" the Internet is about, because larger entities such as governments/corporations/the alliances thereof and individual citizens are not currently required to play by the same rules.
Transparency will not be achieved until the fear factor dissipates and the rights and freedoms of individual citizens are restored. That in turn won't happen until there is accountability for those who have abused both government and corporate power, and by doing so have blatantly flouted both US and international law. When it's made clear that certain people and the entities (corporate and/or government) which they hide behind are beyond the law, that creates an environment of fear.
The price of gold has never been higher, and there's never been a better barometer throughout history for determining a nation's future.
Apparently people recoil from corporations as well. EPIC just filed a Unfair and Deceptive
Trade Practices complaint with the FTC over Facebook's new privacy settings.
Ok, I lost any credibility for the information in that blog post because of two statements: "The NSA and the Department of Defense can penetrate virtually any computer network on the face of the planet, and probably do so with regularity for defense purposes." and "85 percent of infrastructure in this country is in private hands; it is extremely vulnerable to attack and even to catastrophic resource failure."
Those are both very extreme stances, and no evidence is given to prove these tin foil hat statements.
Excellent subject matter and article for hopefully articulate comments.
Looks like IT is now like the planet Arrakis, also known as, Dune, with its SPICE, Redhat even uses the word SPICE now, fancy that. Http://en.wikipedia.org/wiki/SPICE_(protocol)
Things are going to get interesting over these power fights.
Frank Herbert's DUNE books, sure seem like a good read again.
Google Street View is worth a mention, too. That said, at least the cars are marked and the cameras are obvious (for now).
The linked essay doesn't seem to address who should be in charge of cybersecurity. It speaks a lot about who SHOULDN'T be in charge, but it suggests no particular alternative to the NSA.
I see your point, but I think Bruce alludes to a good solution. He says that governments should share their security findings and improvements with the public, making all of us more secure. I wonder if the answer is to have a consortium made up of security experts from all over the world. That way they can collectively "govern" cyber security with an independent focus (little or no ties to governments). And this consortium would share all of their knowledge and workings with the public.
One big difference: you can sue Google, or even file criminal charges if they overstep the law. Google can't claim state's secrets to shut down your case against them.
it is in fact quite easy to stop Google from collecting your data:
1) stop using Google services (maps, search, mail, ...)
2) get your pc/router/firewall to stop accepting traffic coming from or leaving to the "google-realm".
that's all. and not that difficult. 1) can be done by simply not clicking on any link or calling any site related to google and 2) is what firewalls are actually made for, so that is not difficult eather.
Tagging personal data with it's "owner" to make sure you can trace down the flow of information in the internet has at least 2 obvious problems. First: telling everybody "this is my data" isn't quite a good idea if you want to hide the same fact from someone. The second is even worse. Whatever signature you put on the data: technically you cannot force anyone to keep it while using your data for whatever purposes. Because such a signature again is only data. Which you can use in whatever way you like. Nobody can hinder you in that. Not even the law: doing something forbidden (delete/fake signature) to do something forbidden (share data without asking user) ... I don't think the "bad guys" will faint on such a thought ...
okay, but not using Google services and blocking the traffic won't solve the problem. even with this self-restrictions you have no contol over a third party giving data to a Google service (public authorities, health insurance funds, business partner). (i want to make clear: for me it is not about Google. Google is just an example.)
It is clear that my "Homer J. Simpson ... " record won't need a "Copyright: Homer J. Simpson" tag, but maybe a "created by Mr. Burns Nuclear Inc." tag.
You are right, a tag is only an extra piece of data and could be deleted etc. But every peronal information without a proof of origin would be suspect. This is not a perfect concept, but an idea. I don't want to talk about the same problems (or worse) in ten years. If you have a better idea, share it (asides the firewall confguration and don't leave the house advice. i'm kidding).
After the fall of the GDR, the people attacked the secret police (Stasi) headquarters, because they wanted their lives back. they wanted that papers, and documents. All the information. This documents represented the power of the Stasi and the crimes of the government. It was an act of liberation, the change of power, and most important the freedom of private life.
Don't get me wrong, Google is not the GDR. I just want to make clear how powerful this data is.
RIAA is sending out the Govt's SWAT teams to enforce their business policies already.
Also: isn't it ironic to read about how proficient DoD is in cybersecurity and about the Predator fiasco — all on the same day?
The overconfidence of DoD is why the Predator drone feeds were hackable, and it is an overconfidence I've seen this before, up close and personal. It was "the General's daughter" who directly ordered me to change all the passwords for a particular joint services system I worked on during Desert Storm to "army1", "marines1", "usaf1", "navy1". The system was eventually penetrated by hackers in the Netherlands because of the stupid passwords, but by the time it happened the donnybrook between myself and this Captain about the stupidity of the passwords was all over the office, so it was impossible to lay the blame on me.
The military is frequently it's own worst enemy. Overconfidence, corruption, and incompetence excerbated by political malice, greed, sexism, racism and out of control egos. You can set your watch by how often they'll show up every time.
The RIAA is asking the gov't to enforce the laws that the gov't passed. Don't get me wrong, I hate the RIAA as much as the next guy. But the RIAA couldn't do all the "enforcing" of their business policies if our gov't hadn't passed a law supporting their business policies.
Your anecdote is horrifying... and utterly believable based on my experience in small business. Thanks for sharing.
@Jake: Who influenced the government to pass those laws? Heavy and expensive lobbying is a prerequisite for getting the SWAT team to intervene in your particular interest.
I see your problem. Of course, anyone, even I, can give for whatever reason whatever data to whomever he likes. There is no way to prevent this, and modern legal systems don't work like that. They are made to first declare something a crime (here: sharing third persons' data with anyone without direct permission). And then they punish the crime AFTER it has been done (I know, it is quite difficult to tell who put your data where, but I think at least Google knows very well who told them what), thereby putting a cost on that crime that should be higher than any income from doing it.
So my proposal (for discussion at least) is: put a value onto your data! If you know your insurance company saled your data to Google, tell them to stop that and delete it or you would quit your contract. If thats no option to you - pull them into court and make them comply the law and pay the cost. And if you don't know who put your data on the internet, ask whereever you find it: first to delete your data and second to tell you where it came from. If they don't do as asked, you again can make them pay the cost. It is your data. It is protected by the (German) law.
So I don't see any need for any kind of technical solution. One way or another, we can use the instruments given to us by law and economy to regain control on our data if anyone misuses it.
As I said, that is not easily done, but maybe there is some potential to optimize that process before starting to invent new processes?
"One way or another, we can use the instruments given to us by law and economy to regain control on our data if anyone misuses it."
There is a significant problem in this aproach.
The first and primary concern is cross boarder shipment.
In Europe we have legislation to give some small degree of ownership of personal data.
However even though there are "safe harbour" rules with regard to it they are unenforcable once the data crossess out of the EU boarders.
In the US the law effectivly gives ownership of personal data to whom soever possesses it...
In the US you are required to give up personal and medical data not just on yourself but on others in your family to participate in any kind of "medical insurance".
In the UK the same US companies are behind much of the UK medical insurance and in order to get insurance you have to sign a blanket waiver on not just your medical information but any and all informtion the company sees fit to ask for including all financial and other seamingly unrelated information. In the process you also give concent for the data to be shared with an organisation you have absolutly no legal relationship with. As this is done outside of the EU there is nothing legaly you can do about it.
Banks and other financial institutions routienly ship your entire financial records across to places like India where each record can be sold for more than the equivalent of a days wages. The Indian Government say they are making attempts to shut down this trade in stolen personal information. However whenever a Journo goes over they usually have little or no trouble finding an "information broker" within 24Hours. The IB will usually quite happily sell the journo may peoples ID and financial information for quite minor sums.
Tort Laws realy only apply within a juresdiction and are also difficult to investigate and bring to Court, the chance of extradition is usually minimal and the chance of getting any payment of costs etc so minimal that any win will be pyrrhic in nature.
My viewpoint is not to hand out any information on principle as standard practice and if people do not like it tough.
Feel free to play new and exciting dress up games on dress up games that was
built for girls and boys! Here you can play thousands of fun girls dress up.
Enjoy your stay and welcome come back dress up games 8!
There is no way to prevent this, and modern legal systems don't work like that. They are made to first declare something a crime (here: sharing third persons' data with anyone without direct permission).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.