Schneier on Security
A blog covering security and security technology.
January 31, 2013
Power and the Internet
All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that's only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken up to the fact that not only can they use the Internet, they can control it for their interests. Unless we start deliberately debating the future we want to live in, and the role of information technology in enabling that world, we will end up with an Internet that benefits existing power structures and not society in general.
We've all lived through the Internet's disruptive history. Entire industries, like travel agencies and video rental stores, disappeared. Traditional publishing -- books, newspapers, encyclopedias, music -- lost power, while Amazon and others gained. Advertising-based companies like Google and Facebook gained a lot of power. Microsoft lost power (as hard as that is to believe).
The Internet changed political power as well. Some governments lost power as citizens organized online. Political movements became easier, helping to topple governments. The Obama campaign made revolutionary use of the Internet, both in 2008 and 2012.
And the Internet changed social power, as we collected hundreds of "friends" on Facebook, tweeted our way to fame, and found communities for the most obscure hobbies and interests. And some crimes became easier: impersonation fraud became identity theft, copyright violation became file sharing, and accessing censored materials -- political, sexual, cultural -- became trivially easy.
Now powerful interests are looking to deliberately steer this influence to their advantage. Some corporations are creating Internet environments that maximize their profitability: Facebook and Google, among many others. Some industries are lobbying for laws that make their particular business models more profitable: telecom carriers want to be able to discriminate between different types of Internet traffic, entertainment companies want to crack down on file sharing, advertisers want unfettered access to data about our habits and preferences.
On the government side, more countries censor the Internet -- and do so more effectively -- than ever before. Police forces around the world are using Internet data for surveillance, with less judicial oversight and sometimes in advance of any crime. Militaries are fomenting a cyberwar arms race. Internet surveillance -- both governmental and commercial -- is on the rise, not just in totalitarian states but in Western democracies as well. Both companies and governments rely more on propaganda to create false impressions of public opinion.
In 1996, cyber-libertarian John Perry Barlow issued his "Declaration of the Independence of Cyberspace." He told governments: "You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear." It was a utopian ideal, and many of us believed him. We believed that the Internet generation, those quick to embrace the social changes this new technology brought, would swiftly outmaneuver the more ponderous institutions of the previous era.
Reality turned out to be much more complicated. What we forgot is that technology magnifies power in both directions. When the powerless found the Internet, suddenly they had power. But while the unorganized and nimble were the first to make use of the new technologies, eventually the powerful behemoths woke up to the potential -- and they have more power to magnify. And not only does the Internet change power balances, but the powerful can also change the Internet. Does anyone else remember how incompetent the FBI was at investigating Internet crimes in the early 1990s? Or how Internet users ran rings around China's censors and Middle Eastern secret police? Or how digital cash was going to make government currencies obsolete, and Internet organizing was going to make political parties obsolete? Now all that feels like ancient history.
It's not all one-sided. The masses can occasionally organize around a specific issue -- SOPA/PIPA, the Arab Spring, and so on -- and can block some actions by the powerful. But it doesn't last. The unorganized go back to being unorganized, and powerful interests take back the reins.
Debates over the future of the Internet are morally and politically complex. How do we balance personal privacy against what law enforcement needs to prevent copyright violations? Or child pornography? Is it acceptable to be judged by invisible computer algorithms when being served search results? When being served news articles? When being selected for additional scrutiny by airport security? Do we have a right to correct data about us? To delete it? Do we want computer systems that forget things after some number of years? These are complicated issues that require meaningful debate, international cooperation, and iterative solutions. Does anyone believe we're up to the task?
We're not, and that's the worry. Because if we're not trying to understand how to shape the Internet so that its good effects outweigh the bad, powerful interests will do all the shaping. The Internet's design isn't fixed by natural laws. Its history is a fortuitous accident: an initial lack of commercial interests, governmental benign neglect, military requirements for survivability and resilience, and the natural inclination of computer engineers to build open systems that work simply and easily. This mix of forces that created yesterday's Internet will not be trusted to create tomorrow's. Battles over the future of the Internet are going on right now: in legislatures around the world, in international organizations like the International Telecommunications Union and the World Trade Organization, and in Internet standards bodies. The Internet is what we make it, and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.
This essay appeared as a response to Edge's annual question, "What *Should* We Be Worried About?"
Posted on January 31, 2013 at 7:09 AM
• 39 Comments
"The Internet's design isn't fixed by natural laws." What about chaos theory? It would seem that the internet would follow some sort of behavioral pattern.
So, Bruce, I'm thinking that you are skeptical about the Bitcoin idealists too?
This is a fascinating and interesting article. I pretty much agree with most of it. I found one thing very ironic. He said, “How do we balance personal privacy against what law enforcement needs to prevent copyright violations?” Before publishers began propagandizing us after the internet became popular, no one ever thought policing copyright violations was a law enforcement issue. It was the responsibility of the copyright holder to detect violations and pursue them with civil action. The writer of the article, obviously a very savvy and observant individual, has himself already succumbed to the very process he is describing in his article. He has already conceded that law enforcement has a need in an area I still believe should still be a civil matter. He has allowed powerful interest groups to frame the discussion in the direction that benefits them most. Why should I pay to protect their copyright?
Does anyone else remember how incompetent the FBI was at investigating Internet crimes in the early 1990s
Many would answer they still are because they still use "the rubber hose" to get results, it's easier to just threaten somebody into submission than it is to go out and actually do the job properly.
All they've got better at is lying to those above and those below them oh and a bit of blackmail on the side.
In fact one word: Wow.
This is great. I hope it will be distributed outside this blog. For sure I will draw the attention of colleagues to this article.
It is a very pessimistic view on the future of the internet: in the end it will be ruled by the already powerful and we will be manipulated and controlled. And we, the powerless citizens - even from the 'free' countries - will not be able to gain back the original freedom of the internet.
Interesting observation about Bruce succumbing to what was described. What I find troubling is that you don't have to be in the wrong to lose in a civil suit to a copyright holder. Even if you win the case, you will spend a lot of money paying your lawyer(s). For those not familiar with the American legal system. All parties are responsible for their own legal fees, regardless of whether they win or lose the case.
Perhaps we have not yet begun to fight.
You are absolutely right in that Internet users need a more powerful lobbyist, one who is also aware of security concerns and is relatively unattached to the commercial interests trying to capture control of the resource.
If you won't accept the nomination yourself, can you identify a few candidates?
Clicking on Edge's "View Responses" leads to "Page not found". I guess somebody over there forgot to worry about that...
What this really says to me is (ignoring religion):
The only person/entity that has your best interests at heart is yourself (with the possible exception of family), everyone / everything else has an ulterior motive.
...ah, but the "View All Responses" link on the page with Bruce's essay does work.
This is an excellent article! Thanks!
@Thor Carden: Before publishers began propagandizing us after the internet became popular, no one ever thought policing copyright violations was a law enforcement issue.
In the U.S. it is a criminal copyright violation "if the infringement was committed (A) for purposes of commercial advantage or private financial gain; (B) by the reproduction or distribution, including by electronic means, during any 180-day period, of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000; or (C) by the distribution of a work being prepared for commercial distribution, by making it available on a computer network accessible to members of the public, if such person knew or should have known that the work was intended for commercial distribution", according to Title 17 Section 506 of the United States Code. This was enacted into law in 1982, well before the rise of widespread file sharing on the Internet.
While you are certainly entitled to hold the position that copyright violations should not be considered criminal offenses, the fact remains that some are. Therefore, criminal copyright violations are a "law enforcement issue." If you disagree with the law, then work to change the law.
Alan, they are not going after just commercial violations nor was it a law enforcement effort to enforce the criminal copyright laws. It was still up to the holder. I was talking about perceptions not the technical details of the law.
So the clear answer then is better organization on the part of the populace, leading to corruption of those organizations, leading to new organizations (or some form of martial law).
It would be nice if the organizations we do have that support the freedoms of the people (EFF and ACLU, for examples) were more supported and more effective. Perhaps the question should be what we need to do to make them so.
Great article, but I recommend using your concluding paragraph as the introduction. It says "this is a problem and it will not fix itself" which creates emotional investment in the reader.
A great essay, summarising well the debate my friends and I had just last night.
It concerns me greatly that the tables have turned, as Bruce highlighted, so that the general users are in general less able (or interested!) in controlling the data they create. So many people are simply unaware of the amount of information they create, just by showing up to the online arena.
The dangerous thing is that a lot of the power struggle is so hidden from view that people don't think to fight it.
Good essay. Parrots Evgeny Morozov's "Net Delusion". (Not a bad thing.)
There are only three kinds of power.
Weapons (force) (power)
Government is monopoly of force. Knowledge is up for grabs for anyone to seize. It has turned everything upside down and puts governments into a dither. Understanding how to use words is the key. Words are more powerful than force, they are a weapon but cannot compel. Nor can force compel there is still the word NO.
I read your Applied Cryptography cover to cover when I was in high school. Great book, and one of many inspirations that caused me to go into computer science. Thanks :-)
As for the issue of power it seems obvious that the internet ought to be used for the power of the average person, and that it will be used for political groups instead to protect their corporate sponsors. Honestly, I liked the internet a lot more in the early 90s before it became mainstream. Having a lot of idiots and unidealistic people in the system means there is more room for puppeteers (leaders, politicians, CEOs) to manipulate the masses. If the internet task forces had another decade or two head start we might've made the system much more resilient to governments and corporations, and hence more empowering to individuals.
For the road forward, it makes sense to continue to develop technologies to empower individuals and undermine corporations and governments. It makes sense to play to the advantages of individual actors and technology instead of playing in the realm of politics where the government has all the advantages. So tools worth working on might include: Tor, Bitcoin, low-cost legal and educational services, 3D printing, file sharing, Wikileaks, free/libre software that is less likely to infringe on users' liberties, anonymized smartphones, and so forth.
We need to build a parallel internet with mesh networks that cannot be effectively controlled (at least in an economical sense).
Only then will people be able to say what they want and help the internet develop into whatever its destiny should entail.
--It makes a lot of sense, I wish I wasn't so young when the internet was first invented; I actually wish I was born before the internet so I could've experienced life before it. I'm soo happy I think I'll have access to a 3D printer fairly soon and can see this magic but also get a perfect cover for one of my sensors. I may spazz out if I can get some access to a supercomputer. :)
Bruce, we're over 4 years into Bitcoin and as of 5 months ago (@defcon), you have yet, to my knowledge, acknowledged the disruptive and revolutionary properties of Bitcoin. When jokingly asked at defcon when you'd accept bitcoin, your reply was "when my bank does". Are you really that far out of the loop on this cryptographic wonder?
What does disruptive and revolutionary have to do with trustworthy, reliable, viable and easy?
The criteria for using something is entirely different from the criteria for thinking it's a good idea which is entirely different from acknowledging it's 'revolutionary'.
@Dana ... Internet users need a more powerful lobbyist ...
This line of thinking frankly depresses me. A lobbyist to represent the basic needs of everybody?! No such thing. That's what a politician would ... well, it's in their job description, not that they'd do it, either.
Every lobbyist is attached to a commercial interest. Every last one. The workers of K Street are very wealthy. Not a coincidence.
I'd put more trust in the computer engineers & programmers, if only they could ensure their rules superseded that of the government that rules over them.
The first thing the powerful do with any new technology or medium is throttle access to it and control its price, depose/co-opt the originators and leading champions of it, and write laws governing its use that the powerful never intend to follow.
This has been repeated throughout history.
Those who are concerned about the internet being taken over by powerful interests...don't be. They can't do it. It's impossible. When things get too restrictive, software engineers will build a "second internet" that uses the same carriers. Maybe it'll use a hidden signal within the existing internet, or maybe they'll come up with something different. Thing is, software engineers are a rebellious lot who tend not to trust government or other powerful people, and are happy to stick a thumb in their eye just for the fun of it. I know. I'm one of them. I'm not really concerned now...but I'm watching closely.
The FUSSR had all it could do
to control print media, by making
it illegal to own a press, a Xerox
machine, even a typewriter;
Our leaders do not have and
cannot obtain in time enough
power to control the Web,
not when entire States will
offer safe haven to those
who create independent Nets.
Thor Carden wrote: "Before publishers began propagandizing us after the internet became popular, no one ever thought policing copyright violations was a law enforcement issue."
You don't remember seeing the FBI warnings on videotapes? Or law enforcement raids on video pirates in the 80s and 90s?
@ Jim Lippard
"You don't remember seeing the FBI warnings on videotapes? Or law enforcement raids on video pirates in the 80s and 90s?"
Exactly. Back then, I had to be prepared to fast forward through the first few minutes of almost every movie. Some people recorded their legit movies to blank VHS just to cut all the fat out of it. Another reason was to merge several videos to one high capacity VHS in case of sequels and trilogies.
In the digital age, we've seen the same thing happen with DVD's. The content controllers made unskippable copyright scenes the norm. Then, many owners of legitimate DVD's ripped to DivX files, stripped all that crap, optionally burned DivX to discs (up to 6 movies a disc) for watching on big TV, and stashed the actual DVD's in the garage or storage. I've done all of the above.
* These are complicated issues that require meaningful debate, international cooperation, and iterative solutions. Does anyone believe we're up to the task?
I think we are. Also, there is a model of decision making here that assumes that we are all going to agree and come up with a definitive and permanent set of norms. The world doesn't work that way. We'll never agree on everything, but things end up happening because just because we can't agree on everything doesn't mean that we can't agree on anything.
Also who are "we"? I'd imagine that an employee of a movie studio would be very much in favor of strong copyrights. One other flaw is to talk about "the people" versus "special interests" when in fact everyone is involved in some special interest.
For example, it's hardly the "powerless" that found a voice in the early days of the internet.
In my high school you had "geeks" and you had "jocks." What the internet did was for a few years change the balance of power to make the "geeks" more powerful before the "jocks" ended up running things in part because they could buy off the "geeks."
One other thing is that it's part of the legend of any revolution that it's the "unorganized" rebels against authority. It usually doesn't happen that way. For example, Arab Spring happened because some critical organized groups (namely the military and the Islamists) turned against the regime.
Similarly, all of the corporate and government bashing misses the point that corporations and governments were instrumental in setting up the internet. One of the major milestones in the development in the internet was in 1993, when the NSF lifted the prohibition on using its network (which formed a large part of the internet) for commercial purposes.
Funny, all the rhetoric about the 2nd amendment is defense against (our own) government. Maybe the modern Right to Bear Arms should be about a free unfettered internet. Why don’t those founding fathers get their heads screwed on?
Interesting how so much of this discussion is in the abstract, and that people don't know about the actual tangible proposals to institutionalise multi-stakeholder Internet governance on policy issues that go beyond technical standards, and would provide the "meaningful debate, international cooperation, and iterative solutions" that Bruce sees are needed (I agree). I'm writing a new primer on this now, but for an older one see my blog, mainly this entry but here's a short update.
I don't really see the point of having another agency to discuss policy issues, and maybe the way that you "institutionalize" something is to not have another "institution."
One thing about a lot of these institutions is that they are specifically set up to do nothing. One time honored way of getting nothing done is to start a committee which issues reams of reports that no one reads or cares about. The "purpose" of those committees is to keep people busy so that they don't do anything that might actually change things. Requiring consensus is a sure sign that you will get nothing done. The US, Saudi Arabia, and China are just not going to agree to "cooperate" on a lot of internet related issues.
Something that is amazing is to see how quickly things get done, when someone wants something to get done, and how easy it is to block action when people don't want to change things.
One problem with UN policy forums is that *even as debating societies* they aren't very good.
Sure, the US and the US-based Internet technical community has been very effective at blocking things from changing within the WSIS and IGF. Unfortunately, since there are real and pressing global Internet public policy issues that have no home, that has come back to bite them. Whereas they could have allowed the IGF to develop the capacity to issue recommendations (which although non-binding can be persuasive), instead that door was closed and the countries unsatisfied with US hegemony over Internet governance were pushed back to the ITU - which was in nobody's best interests. Read my book at http://press.terminus.net.au/igfbook for much more information.
> How do we balance personal privacy against what law enforcement needs to prevent copyright violations?
We don't. Our government is evil if it tries to restrict your right to copy the number 42, or the string "forty-two", or any larger piece of public information. It makes no difference if our Constitution says our government is allowed to do that; our Constitution also used to say we had the right to own people, and for the same reason ("it's practical") that it says we have the right to own public information. We no more own the products of our minds than we own the products of our loins, despite the effort it takes us to create them, and their value. I can keep my information secret, and you can pay me to publish it, but once it's public, I have no right to prevent everybody and their computers from reading it, memorizing it, and telling their friends.
> Or child pornography?
We don't. We have the technology to easily create and anonymously distribute child porn, but we're also developing the solution to the problem: face recognition. Use our soon-to-be ubiquitous security cameras to get images of children in public, match against the child porn, and arrest the parents or other legal guardians of the children. (If the daycare was responsible, it's the parents' fault for failing to vet the daycare before trusting it.) If you don't want your face on record, then don't walk in front of my camera, or in front of the cameras of millions of other people who configure their systems to cooperate to sound alarms whenever they see faces that match published faces of child porn victims, missing people, and fugitives.
> Is it acceptable to be judged by invisible computer algorithms when being served search results?
If it isn't acceptable to you, then don't use that search engine, and tell your friends and customers not to use it.
> When being served news articles?
Same as above.
> When being selected for additional scrutiny by airport security?
Whether the guards use their own judgment, or delegate judgment to computers, is irrelevant. The only question is whether they have the right to detain and search us in the first place.
> Do we have a right to correct data about us?
If you mean the file on my computer that says "Bruce Schneier is a woman", then no, you don't have the right to correct it, but you're welcome to ask me to correct it. If the file is on your computer, then you have the right to correct it.
> To delete it?
Not from my computer. I have the right to store whatever mistakes and lies (and truths) about you that I want, and you have no right to stop me. The same is true if I'm a company.
> Do we want computer systems that forget things after some number of years?
Presumably you mean for my computer to forget about you. You're welcome to want it, and I have the right to disappoint you.
> These are complicated issues
No, they aren't.
> that require meaningful debate
No, they don't.
> international cooperation
Only to broadcast the pictures of faces of child porn victims, missing people, and fugitives, and broadcast the alarms when people's security cameras see them. Fortunately, we already have the technology to do these broadcasts. And "international cooperation" is needed only in the sense of people cooperating across national borders; governments aren't needed. Court cooperation is needed only for extraditing fugitives.
> and iterative solutions.
> Does anyone believe we're up to the task?
The only major technological challenge is increasing the reliability of face recognition software, but we're making good progress. Ubiquitous surveillance is inevitable, so we might as well put it to good use. It need not even be the privacy disaster that you fear; just as most Tor relay operators abide by the etiquette of not recording traffic, most people will abide by the etiquette of keeping their surveillance recordings private except when alarms are triggered, so nobody can use the surveillance grid to track anybody unless he can convince everybody that the target is somebody who should be tracked.
If some company tries to create its own ubiquitous surveillance grid, then boycott the company, so it can't afford its own grid. If some government tries, then boycott it. If the government attacks you for boycotting it, then you have a much bigger problem than just a surveillance grid: your problem is a planetful of borgified people who support taxation, just as they support "intellectual property", just as until recently they supported slavery. If you can't convince them to stop trying to assimilate you, then resistance is futile, and woe unto you. If you yourself support taxation, then you're part of the problem. It's irrational for you, as a willing drone, to complain about lack of privacy in the collective.
P.S. your comment posting program makes commenting unnecessarily difficult. See your logs for details.