Schneier on Security
A blog covering security and security technology.
October 30, 2013
The Battle for Power on the Internet
We're in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently, and made them seem unbeatable. But now, the more traditional institutional powers are winning, and winning big. How these two sides fare in the long term, and the fate of the rest of us who don't fall into either group, is an open question -- and one vitally important to the future of the Internet.
In the Internet's early days, there was a lot of talk about its "natural laws" -- how it would upend traditional power blocks, empower the masses, and spread freedom throughout the world. The international nature of the Internet circumvented national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes seemed inevitable. Digital cash would undermine national sovereignty. Citizen journalism would topple traditional media, corporate PR, and political parties. Easy digital copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.
This was a utopian vision, but some of it did come to pass. Internet marketing has transformed commerce. The entertainment industries have been transformed by things like MySpace and YouTube, and are now more open to outsiders. Mass media has changed dramatically, and some of the most influential people in the media have come from the blogging world. There are new ways to organize politically and run elections. Crowdfunding has made tens of thousands of projects possible to finance, and crowdsourcing made more types of projects possible. Facebook and Twitter really did help topple governments.
But that is just one side of the Internet's disruptive character. The Internet has emboldened traditional power as well.
On the corporate side, power is consolidating, a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendars, address books, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, we are increasingly accessing our data using devices that we have much less control over: iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Unlike traditional operating systems, those devices are controlled much more tightly by the vendors, who limit what software can run, what they can do, how they're updated, and so on. Even Windows 8 and Apple's Mountain Lion operating system are heading in the direction of more vendor control.
I have previously characterized this model of computing as "feudal." Users pledge their allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It's a metaphor that's rich in history and in fiction, and a model that's increasingly permeating computing today.
Medieval feudalism was a hierarchical political system, with obligations in both directions. Lords offered protection, and vassals offered service. The lord-peasant relationship was similar, with a much greater power differential. It was a response to a dangerous world.
Feudal security consolidates power in the hands of the few. Internet companies, like lords before them, act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes. They're deliberately -- and incidentally -- changing social norms. Medieval feudalism gave the lords vast powers over the landless peasants; we're seeing the same thing on the Internet.
It's not all bad, of course. We, especially those of us who are not technical, like the convenience, redundancy, portability, automation, and shareability of vendor-managed devices. We like cloud backup. We like automatic updates. We like not having to deal with security ourselves. We like that Facebook just works -- from any device, anywhere.
Government power is also increasing on the Internet. There is more government surveillance than ever before. There is more government censorship than ever before. There is more government propaganda, and an increasing number of governments are controlling what their users can and cannot do on the Internet. Totalitarian governments are embracing a growing "cyber sovereignty" movement to further consolidate their power. And the cyberwar arms race is on, pumping an enormous amount of money into cyber-weapons and consolidated cyber-defenses, further increasing government power.
In many cases, the interests of corporate and government powers are aligning. Both corporations and governments benefit from ubiquitous surveillance, and the NSA is using Google, Facebook, Verizon, and others to get access to data it couldn't otherwise. The entertainment industry is looking to governments to enforce its antiquated business models. Commercial security equipment from companies like BlueCoat and Sophos is being used by oppressive governments to surveil and censor their citizens. The same facial recognition technology that Disney uses in its theme parks can also identify protesters in China and Occupy Wall Street activists in New York. Think of it as a public/private surveillance partnership.
What happened? How, in those early Internet years, did we get the future so wrong?
The truth is that technology magnifies power in general, but rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies very quickly. And when those groups discovered the Internet, suddenly they had power. But later, when the already-powerful big institutions finally figured out how to harness the Internet, they had more power to magnify. That's the difference: the distributed were more nimble and were faster to make use of their new power, while the institutional were slower but were able to use their power more effectively.
So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents to arrest.
All isn't lost for distributed power, though. For institutional power, the Internet is a change in degree, but for distributed power, it's a qualitative one. The Internet gives decentralized groups -- for the first time -- the ability to coordinate. This can have incredible ramifications, as we saw in the SOPA/PIPA debate, Gezi, Brazil, and the rising use of crowdfunding. It can invert power dynamics, even in the presence of surveillance, censorship, and use control. But aside from political coordination, the Internet allows for social coordination as well -- to unite, for example, ethnic diasporas, gender minorities, sufferers of rare diseases, and people with obscure interests.
This isn't static: Technological advances continue to provide advantage to the nimble. I discussed this trend in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, any technological advance gives one side or the other a temporary advantage. But most of the time, a new technology benefits the nimble first. They are not hindered by bureaucracy -- and sometimes not by laws or ethics, either. They can evolve faster.
We saw it with the Internet. As soon as the Internet started being used for commerce, a new breed of cybercriminal emerged, immediately able to take advantage of the new technology. It took police a decade to catch up. And we saw it on social media, as political dissidents made use of its organizational powers before totalitarian regimes did.
This delay is what I call a "security gap." It's greater when there's more technology, and in times of rapid technological change. Basically, if there are more innovations to exploit, there will be more damage resulting from society's inability to keep up with exploiters of all of them. And since our world is one in which there's more technology than ever before, and a faster rate of technological change than ever before, we should expect to see a greater security gap than ever before. In other words, there will be an increasing time period during which nimble distributed powers can make use of new technologies before slow institutional powers can make better use of those technologies.
This is the battle: quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power -- whether marginal, dissident, or criminal -- as Robin Hood; and ponderous institutional powers -- both government and corporate -- as the feudal lords.
So who wins? Which type of power dominates in the coming decades?
Right now, it looks like traditional power. Ubiquitous surveillance means that it's easier for the government to identify dissidents than it is for the dissidents to remain anonymous. Data monitoring means it's easier for the Great Firewall of China to block data than it is for people to circumvent it. The way we all use the Internet makes it much easier for the NSA to spy on everyone than it is for anyone to maintain privacy. And even though it is easy to circumvent digital copy protection, most users still can't do it.
The problem is that leveraging Internet power requires technical expertise. Those with sufficient ability will be able to stay ahead of institutional powers. Whether it's setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that can evade institutional powers. This is why cybercrime is still pervasive, even as police savvy increases; why technically capable whistleblowers can do so much damage; and why organizations like Anonymous are still a viable social and political force. Assuming technology continues to advance -- and there's no reason to believe it won't -- there will always be a security gap in which technically advanced Robin Hoods can operate.
Most people, though, are stuck in the middle. These are people who don't have the technical ability to evade large governments and corporations, avoid the criminal and hacker groups who prey on us, or join any resistance or dissident movements. These are the people who accept default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. These are the people who get increasingly isolated as government and corporate power align. In the feudal world, these are the hapless peasants. And it's even worse when the feudal lords -- or any powers -- fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it's the US vs. "the terrorists" or China vs. its dissidents.
The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. We've already seen this: Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And we'll see it in the future: 3D printers mean that the computer restriction debate will soon involve guns, not movies. Big data will mean that more companies will be able to identify and track you more easily. It's the same problem as the "weapons of mass destruction" fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives. And by the same token, terrorists with large-scale cyberweapons can potentially do more damage than terrorists with those same bombs.
It's a numbers game. Very broadly, because of the way humans behave as a species and as a society, every society is going to have a certain amount of crime. And there's a particular crime rate society is willing to tolerate. With historically inefficient criminals, we were willing to live with some percentage of criminals in our society. As technology makes each individual criminal more powerful, the percentage we can tolerate decreases. Again, remember the "weapons of mass destruction" debate: As the amount of damage each individual terrorist can do increases, we need to do increasingly more to prevent even a single terrorist from succeeding.
The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional powers will get. This means increasingly repressive security measures, even if the security gap means that such measures become increasingly ineffective. And it will squeeze the peasants in the middle even more.
Without the protection of his own feudal lord, the peasant was subject to abuse both by criminals and other feudal lords. But both corporations and the government -- and often the two in cahoots -- are using their power to their own advantage, trampling on our rights in the process. And without the technical savvy to become Robin Hoods ourselves, we have no recourse but to submit to whatever the ruling institutional power wants.
So what happens as technology increases? Is a police state the only effective way to control distributed power and keep our society safe? Or do the fringe elements inevitably destroy society as technology increases their power? Probably neither doomsday scenario will come to pass, but figuring out a stable middle ground is hard. These questions are complicated, and dependent on future technological advances that we cannot predict. But they are primarily political questions, and any solutions will be political.
In the short term, we need more transparency and oversight. The more we know of what institutional powers are doing, the more we can trust that they are not abusing their authority. We have long known this to be true in government, but we have increasingly ignored it in our fear of terrorism and other modern threats. This is also true for corporate power. Unfortunately, market dynamics will not necessarily force corporations to be transparent; we need laws to do that. The same is true for decentralized power; transparency is how we'll differentiate political dissidents from criminal organizations.
Oversight is also critically important, and is another long-understood mechanism for checking power. This can be a combination of things: courts that act as third-party advocates for the rule of law rather than rubber-stamp organizations, legislatures that understand the technologies and how they affect power balances, and vibrant public-sector press and watchdog groups that analyze and debate the actions of those wielding power.
Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we're going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.
In the longer term, we need to work to reduce power differences. The key to all of this is access to data. On the Internet, data is power. To the extent the powerless have access to it, they gain in power. To the extent that the already powerful have access to it, they further consolidate their power. As we look to reducing power imbalances, we have to look at data: data privacy for individuals, mandatory disclosure laws for corporations, and open government laws.
Medieval feudalism evolved into a more balanced relationship in which lords had responsibilities as well as rights. Today's Internet feudalism is both ad-hoc and one-sided. Those in power have a lot of rights, but increasingly few responsibilities or limits. We need to rebalance this relationship. In medieval Europe, the rise of the centralized state and the rule of law provided the stability that feudalism lacked. The Magna Carta first forced responsibilities on governments and put humans on the long road toward government by the people and for the people. In addition to re-reining in government power, we need similar restrictions on corporate power: a new Magna Carta focused on the institutions that abuse power in the 21st century.
Today's Internet is a fortuitous accident: a combination of an initial lack of commercial interests, government benign neglect, military requirements for survivability and resilience, and computer engineers building open systems that worked simply and easily.
We're at the beginning of some critical debates about the future of the Internet: the proper role of law enforcement, the character of ubiquitous surveillance, the collection and retention of our entire life's history, how automatic algorithms should judge us, government control over the Internet, cyberwar rules of engagement, national sovereignty on the Internet, limitations on the power of corporations over our data, the ramifications of information consumerism, and so on.
Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it -- how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it -- is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.
This won't be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they're not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.
I can't tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.
This essay previously appeared in the Atlantic.
EDITED TO ADD (11/5): This essay has been translated into Danish.
Posted on October 30, 2013 at 6:50 AM
• 83 Comments
Sort of on this topic, this week there were stories about something someone - apparently Google - is building in San Francisco, which appears to be a floating data center. There was much speculation. My thought is that Google is planning to take the thing into international waters, where it's theoretically out of the reach of governmental subpoenas. It could be compared with the ship where L. Ron Hubbard reportedly lived out the last years of his life.
This ties in with the feudal view: They're establishing a beachhead external to any of the existing feudal entities.
Can I submit this to the movie plot contest?
I would say it's not so much "but we have increasingly ignored it in our fear of terrorism and other modern threats" as rather "those who have the power have realized that they can (and would very much like to) use it in ways that they know full well the public would disapprove of, and so have leveraged that power to keep their own execution of their powers secret".
It doesn't scan as well, though.
"The more we know of what institutional powers are doing, the more we can trust that they are not abusing their authority."
No-no-no, Bruce. Recall that the current spying dust-up arose as a direct result of our learning what the NSA has been doing. The more I learn about NSA's modus operandi the less I trust NSA not to trash my privacy.
I think what you meant to say is, "The more we know of what institutional powers are doing, the more basis we have for assessing whether or not they are abusing their authority."
Wow, what an essay! Looks like you essentially merged several into one. Packed with good points, yet still consistent. It will take a while to digest but I'm already forwarding the link to some people. ;)
The Google data-center-on-a-barge is for cheap real estate and ready cooling. In order for a data center to be useful, it must have connectivity, which it wouldn't have if it weren't moored to the dock. The regulations for stuff on a barge are completely different from those for a building on the land. Basically, if the barge floats and doesn't pollute, you're fine with whatever you do. On land you have all kinds of laws for practically everything, so it's just cheaper to shove it on a barge and call it good. I'm sure that the data barges will become common, where they can be safely moored with adequate power.
Institutional authority will always be abused, including outright public attack on citizens (Hoover vs. the Bonus army). In the area of data, of course we see a feudal system. Nobody gets anything for free, so of course the data hosters are the data lords. And nothing stops you from hosting your own data! It's the individual's initiative that breaks the system, and it's the individual's sloth that reinforces the system.
Like the XKCD Instagram comic, your stuff isn't in your garage. So when Chad scans your mail or hands it over to the powers that be, remember that you were the one who left it in Chad's garage. If you want your public data on the net to be unchallengeable, then do your own hosting. If you want your data to be private, don't deliberately stuff it in someone else's machine.
And if you live in a republic, then get out and vote, and that includes recall elections.
Bruce have you seen the development technology that Open Suse (and presumably Novell but also a German company) have a hand in. I was commenting to a Google developer who was arguing that for Chrome OS development, it was important to make the application full screen, i.e. take away the user's ability to control his native applications in favor of the Chrome application that Suse developer's corner looked like the future to me. https://susestudio.com/#login
What implications does Suse's new developer's corner have on the future of open source software? I'm not a software developer but I can see how this could make software development for specific use of software packages easy to package. Suse even has an application to allow you to portal it over to Amazon's cloud and sell your build to Amazon users. It looks like the future to me. But what do I know?
Heck, I moved to Seattle in 1994 hoping to land a job with Microsoft. Because when I saw that the first browser with pictures had come out and was going to change the game, particularly the usenet folk music archives I was taken with. Bill Gates still hadn't figured that out. Long story, but after two ear operations I had to leave Seattle. But the Suse Studio has some fascinating open source technologies available I hadn't seen anywhere before now. Cloud based largely. What's that going to do to Linux and open source?
And of course, Suse itself has been selling a commercial package only in Germany.
There are 100's of questions I have about this technology because it fascinates the heck out of me.
At my noseyparkerunit site on twitter (the Unit's philosophy is: breaking into and spying on other people's computers and personal private computers is wrong - Snowden was wrong, but we are forgiving him for breaking open the secret that shows thousands more like him engaging in similar bad behavior. Thus his Thoreau style civil disobedience is not something we encourage, but to fight wrong, we will tolerate it temporarily until the new Magna Charta arrives and is put into place by the lords although the Magna Charta must benefit the serfs equally as well as the serfs, to put it in your language).
Well, anyway, I don't expect an immediate response. You're probably not familiar with the Suse developer's corner, I just stumbled upon it and I'm glad I did. But the unit's comment (we're not Nosey Parker, we're a unit devoted to advocating against him).
Lastly, Open Suse comes out first in a commercial package for Germans only for a price. American readers can only get the technology later.
And I've the unit has argued, the Germans know the downside of surveillance states and surveillance technologies. Is Open Suse a potential platform to do more damage than the combined efforts of Microsoft, NSA and Snowden, a particularly lethal combination to American technology interests?
I don't have the language to ask these questions in your cyber-security language nor in software developer's language. I'm a lapsed lawyer who was overwhelmed by the American system of gulags and a former participant on the defense side. I am one of those cogs that decided to quit cogging, although perhaps I should have lain down on the gears to put it in the words of the Berkeley Free Speech movement's Mario Savio.
And have those Germans, or at least one of their development companies, set up something that could topple American dominance of the internet?
I have thousands of questions here and this is one question I'd do better in group conversation with others about the potential shape shifting nature of Open Source combined with the cloud and those devilish Germans starting up something that could reshape the world. Just don't let them fire up Krupps AG again and it could turn out alright.
But this feudal battle is not one that just America is participating in. We could lose software and technology dominance. And I am not for that, IF the NSA can get itself (and particularly its contractors, who are motivated all too well by what B. Traven wrote about in "The Treasure of the Sierra Madre") straightened out and learn what the Germans presumably now know all too well about the downsides of the surveillance state and the surveillance corporation.
For some historical fiction on the nature of European surveillance, written by a master of words who fled Germany and corporate power there, take a look at the book The Death Ship by B. Traven. That book illustrates the nature of the European surveillance state and also why people left Europe to come to America. We're creating the exact circumstances that our European forbears hoped to never live in again and Traven captures it perfectly in his book.
Traven's "Treasure of the Sierra Madre" is also a good look at the nature of greed and a good commentary on the US financial problems of the last couple of decades. The movie follows the book, almost word for word, as close as any movie made from the book that I know of. Always a good read and watch if you're interested in human psychology and human motivation about money and the flaws in human nature that often lead to our downfall. The nature of paranoia created by wealth is also examined in great detail in the book.
The Death Ship is the book I think that is particularly relevant now though. Traven captures European surveillance states and their nature perfectly in that book, at least as they existed 100 years ago. The book illustrates how little has changed over time in that arena quite well. And it also demonstrates why people once left Europe to come to America. And why we may be making ourselves, through the creation of a surveillance state that mirrors those that Kafka wrote about, or have already done so, as a not very attractive place to come to.
I'm just throwing out ideas and I hope this is not too disjointed and rambling. But it does illustrate the oft asked question asked by Tolstoy, Lenin and Gar Alperovitz most recently, What then must we do, http://www.amazon.com/... or What is to be done https://en.wikipedia.org/wiki/What_Is_to_Be_Done%3F_%28Tolstoy%29 or some other book written under a similar title. Incidentally, I'm collecting the names of books written with a similar title as a side project that has no purpose other than it just interests me. Send me a comment on Twitter if you know of a similarly titled book or essay.
the rise of cloud computing means that we no longer have control of our data
I think it's Software as a Service rather than cloud computing in general that puts people's data outside of their control.
The recent discussion about secession in high-tech circles is related to this as well. The article on NetworkWorld called it "Isolationist", but that's false. Non-intervention is not isolation, secession is not revolution.
Even the title is wrong, it's not "be alone", it's "be left alone".
Those corporate entities lack the one thing that govts have: "legitimate" coercion. Unlike the IRS, no matter how big Facebook gets they cannot force me to use their service.
I would much rather have to deal with a bunch of over-reaching corporations than any govt, because of that coercion.
I disagree with this entirely:
"The more we know of what institutional powers are doing, the more we can trust that they are not abusing their authority."
We "know" what hackers do, what they are capable of doing, etc... and there are ethical ones and not-so-ethical ones that abuse their power.
As it pertains to institutional powers, we've known what they are doing since Ellsberg at least (if not before). The institutional powers were abusing their powers then, and they've been doing so since then.
So, we know more of what they are doing, yet we can't trust them any more than we can throw them. There are ethical people within these organizations for sure, but there are also unethical folks that abuse their power...
... whether we know what they are doing or not.
James Clapper directly, on camera, lied to Congress (and the American public)... and should have instantly been fired for doing so. That was months ago now.
Yet, I still have to hear about his resignation or other disciplinary action.
This NSA surveillance is the most blatant, "in our faces" violation of everything we hold dear in this country... and it has taken months to even begin any sort of accountability (assuming this "USA Freedom Act" is all it's being reported to be).
We know what they are doing, and really, we have "known"... perhaps we just weren't ready to accept what we knew as the truth.
I know I wasn't until Snowden revealed what he did.
What's the source for the assertion that Disney uses facial recognition at their theme parks?
I did some searches but have only found second-hand speculations that they must/might use facial recognition. I've also read that casino security folks say facial recognition isn't good enough yet for general tracking of people in the crowd. So I'm a little dubious of the Disney claim.
Responsibility costs, whether that cost is measured in money, or sweat equity. People don't think about the costs that come with free. This is the same issue at the core of America's current decline. Everyone demands access to their rights, but rail against the responsibilities that empower those rights. Everyone wants free or cheap apps, but rail against the data taken by those apps as an invasion of privacy. All of those stupid Facebook apps are the exact same thing - data mining ops where by liking, playing, or joining, you get to enjoy leisure time or be part of a group, but give up more data than realized.
The only way to fight it is for people to take responsibility. Whether it's the responsibility to better educate themselves as to technology and the internet, prioritizing their spending so they pay for software and hard drive space to keep control of their data, or vote out state and national legislators who haven't actively worked for their privacy (the laissez-faire go-along-with-the-crowd behavior of several congresspersons, including my own, should also be held against them).
Everyone who doesn't take responsibility shouldn't have the right to complain.
Everyone demands access to their rights, but rail against the responsibilities that empower those rights. Everyone wants free or cheap apps, but rail against the data taken by those apps as an invasion of privacy
In what alternate universe did "everyone" receive a choice in this matter? I've long wanted to be able to make mini-payments for useful online services and would happily have done so....... rather than be required to relinquish my personal data for "free" access to useful tools.
In most cases, I've never had a choice of doing so, and I see no changes in the offing. (Don't cite all the weird little under-advertised options out there. They aren't normative or readily available. They are -- presently -- just the exceptions that prove the rule.)
Is there a pay-per-use version of Facebook that would let me interact with all my less savvy and sensitive friends, on my terms? Is there a pay-per-use version of Amazon or Google that would let me opt out of their data mining, while still having the option of buying towels at 11:30 PM PDT?
In light of the extreme absence of options in the mainstream online world, your contempt for the average user is ill-considered. To be kind about it.
This is an outstanding piece.
Bruce would appreciate any comments you might have on Disconnect.me.
Apparently blocks a good bit of your data from going out of the browser, the best according to Lifehacker. But a private company and also created by former Google employees. https://disconnect.me/
Free if you want it to be but I sent a donation to encourage this kind of development. Although I know they are getting all that data. Are they delivering what they promise? It's a shame we have to ask that, but in the software world, if it's closed source, it's hard to know otherwise.
I believe "everyone" in this case refers to the amount of consumers interested in a product for it to be in the economic interest of the company to produce it. The "average user."
If enough consumers demanded such products from companies and were willing to withhold their use of the product they don't like, then the company would be forced to alter their product. But people don't give these companies an economic incentive to change anything because they refuse to stop using the old product.
The amount of people who would pay for or support the options you have listed is most likely extremely small right now. It may change as we choose to become more responsible for our own data as a society.
I would argue that his depiction of the average user is accurate, and the "average user" is who gets marketed to.
For me, any group, large or small, that offers a rationale for behavior(s) going forward, will be judged as naive, no matter what the proposal.
Banks will be naive in thinking they are immune to citizen's ire. At some level of theft, the citizenry will retaliate.
Governments are naive in thinking they have the power because they control the military, so their actions will prevail. Think Egypt's present situation.
Progressives are naive in thinking conservatives and liberals will eventually see the way, and will one day find out that may not be the case.
Conservatives are naive in thinking market forces work best when free of government restraint. Think Chernobyl, poisoned aquifers, etc....
And so on across ten thousand more examples.
So what might work is for a large enough mass within the corpus (a social movement) to choose the most naive, and perhaps beneficial, approach to saving(?) humanity and to strive collectively to realize the agreed upon course of action. This is where both communications and large data can be employed to stop the rush to the precipice.
Just what that course of action will be remains to be seen. But, what is certain, it must level the playing field globally, and keep the blindfold on justice.
I wonder if we could use dumb steganography by drowning our emails inside a jumble of terrorism words. It would get you flagged by NSA but how useful would it be to them?
Re: Disconnect DOT me
Conservatives are naive in thinking market forces work best when free of government restraint. Think Chernobyl, poisoned aquifers, etc....
What do market forces have to do with a Soviet state nuclear reactor? The reactor melted down because they ran the same test that melted down other reactors: drain out all of the water, and see how well it functions. That had nothing to do with market forces.
For me, any group, large or small, that offers a rationale for behavior(s) going forward, will be judged as naive, no matter what the proposal.
So therefore all groups are naive.
Everybody makes a guess, and then goes and does something. E.g., the poem, "Here I sit brokenhearted / Tried to s*** / But only farted," fits your definition. Proposal: go s***. Rationale: feel like it. Results: see above.
Bruce writes, "But they are primarily political questions, and any solutions will be political."
I do not agree. The problem is that technology has changed the world so much that politics is helpless to manage it. This isn't because politics is bad or that political solutions can't make a difference; they can. It is because technology is broader than politics. Politics is a subset of technology and not the reverse. To continue your analogy from feudalism times: seeking political solutions in this mess is like the bourgeois of the 14th century appealing to the Catholic Church to save them.
A good example of the limits of politics currently is the debate over "revenge porn." Even in the states in America where it has been outlawed such laws have been ineffective. Once the porn is made it is out of the user's control. All that revenge porn laws actually do is remove a subset of internet forums from the quiver of the person seeking revenge. Now is that arguably an improvement? Yes. But it is a far cry from a "solution" to the problem. Those pictures still exist on P2P, they still exist on the hard drives of people who have already DL them, they will resurface again and again on the internet entirely on the whims of strangers. Passing laws against revenge porn hasn't stopped revenge porn; it has only shown how weak political solutions are in the face of technology.
The fact is that the American political system is designed to be a system to promote stability and not change. The on-the-ground realities of technological advancement make it impossible for our system of governance to do anything but play catch up. All political "solutions" are going to be post-hoc and ineffective.
Bruce: excellent article - linked to.
The bottom line is that we need to start the debate. What is the best format for a debate on this subject? Is there a particular forum suited for this? I don't think just comment sections are enough. Github style debates?
This is one of the things that bothers me the most about the net. Many of the interactions in more complex conversation, discussion, and debate is limited by the mechanisms it flows through. So I used to like slashdot, semi-like reddit, very much like hacker news, and also like the simple system on this blog...but none of them seem to encourage public, lengthy, complex discussion...
I don't have a subscription so I can't read this Scientific American article, but if you have access to it and the time, I would appreciate your comments on the material outlined in this summary of an article in Scientific American. Can a security researcher such as yourself ever really know all the science to ensure that computers are truly secure? Obviously no one knows all science and perhaps encryption may not be as powerful a tool as we are sometimes led to believe.
Good read, long but good. I always think of this, because most folks just do not care anymore, if they ever did.
You can’t handle the truth! …Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lt. Weinburg? I have a greater responsibility than you could possibly fathom. You weep for Santiago, and you curse the marines. You have that luxury. You have the luxury of not knowing what I know. That Santiago’s death, while tragic, probably saved lives. And my existence, while grotesque and incomprehensible to you, saves lives. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that wall, you need me on that wall. We use words like honor, code, loyalty. We use these words as the backbone of a life spent defending something. You use them as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way. Otherwise, I suggest you pick up a weapon and stand a post. Either way, I don’t give a damn what you think you are entitled to.
Most of these folks in GOV, start out thinking they are doing good, and then they rationalize everything they do.
They forget what is right and wrong. In Biz it's greed.
Zack's point is spot on to where I was going. People choose the bad option over no option. I will skip the wasteful consumption problem that goes along with that, but even when pay options show up people won't use them.
And Fluffy, you emphasize my point, that you are willing to make mini-payments. However, startups and small companies can't thrive off of mini payments until a certain user base exists, they need the capital. The reason all the little unknown underutilized examples are unknown and underutilized is because of that inability for the average user - and many educated users - to accept the cost that comes with that service. The people and groups who want to do what we believe is right in the way of privacy and security don't have Facebook like money to throw at it. So yes, the consumers who don't do the research, and won't pay the money (because it's only worth a microtransaction) get exactly what they deserve. You buy your convenience with your data.
> The same facial recognition technology that Disney uses in its theme parks can also identify protesters in China and Occupy Wall Street activists in New York.
Now what is the attack vector for a state? I would say that currently means are still limited.
However that's different for countries with significant state owned sectors of the economy;
The state is in control when it is your owner.
In the Soviet bloc countries the state was the owner of everything, in the 70ies actually few dissidents were jailed,
So the things that the state could do was to
- fire one from his job, one would then be limited to blue collar jobs.
- throw your kids out of high school, block them from higher education
- well the worst thing they could do is to put you into closed psychiatric institution, that would have been bad.
Now nowadays an older person working for a government agency would be very sensitive to hints about the future of his job; I guess younger people who can find work elsewhere are less pliant
I guess the responses of a state are mainly determined by the perceived threat level.
Why is Cameron now threatening the Guardian directly? It's because continued revelations are now beginning to harm foreign relations, adversely affecting the 'soft power' and the ability to deal with foreign governments. That's real damage that is forcing him to react in real ways.
I guess if the 'Occupy' protests were much stronger then that would have resulted in a stronger response by the state. So probably current surveillance measures are done in order to be prepared against eventualities.
We have already lost any hope of control. The governments and corporations, the line between them has blurred, own the Internet. All we can do is try to limit the further expanse of limitations and censorship.
Thank you so much for this article. I think it is a definitive analysis of the problem.
You nailed it.
Now, on to solutions.
The Corporation gives convenience and takes power over us in return.
The Government takes power simply because they can, ...and do.
And yes, they will not back down a bit.
Neither should those who are capable of understanding this power struggle. Those who can must show the rest how we are being degraded, dehumanized and abused. It's a matter of fundamental human rights and humanity.
Those who can see the problem must respond with a viable technological strategy and tough tactics. Also, a political perspective is needed. (Feudal networks, moated and gated, have been suggested, for example.)
Where's Robin Hood when you need him?
Reply to Roxanne re: "a floating data center."
I wonder if it's a corporate/government partnership to tap cable(s) out past the international limit. Let's remember Google gave up the disguise of "don't be evil" quite awhile ago.
A tap in international water would not be subject to American laws.
"We're in the middle of an epic battle for power in cyberspace."
The term 'cyberspace' is an elastic one.
The broadest interpretation of 'cyberspace' spans a large extent -- everything from the firing of neurons in each individual's brain, through their fingers, to their keyboards, across the net, to everyone else, and to all automated devices that produce and use data. All of the visual, audio, and tactile impressions that can be conveyed by computer. All computer mediated experience.
When the NSA says their mission is to dominate cyberspace, what they aim to do is dominate people.
Becoming the man in the middle gives the NSA the ability to control and shape how people think.
I can't help thinking that the might of multi governmental departments become untouchables, especially when they cooperate with each other. Even worse with organizations working with/for "defence" and "intelligence".
Afaik, if a government abide by the rather silly idea of "openness" (self enforced transparency I guess), it stamps matters of international relations as "secret" as a rule, as a courtesy to that government.
In other words, I would worry that international relationships is sort of purported as nobody's business, not even in the name of "democracy".
There is a solution and it starts with money. NSA can't live without money. Cut the funds and they die. Do it yesterday. Don't think. Just cut, cut, cut.
You can’t handle the truth! …Son..
They forget what is right and wrong
They don't forget; they are taught that! No right, no wrong, no good, no evil. Only Self interest -- whatever form it takes. Could be National security, could be National interest,...
Personally, I see government and corporate power as temporary until we have the technology to achieve a post-scarcity society (which I suspect is coming sooner than I expect... or something). The way I see it, once we reach that point, the current power structure will become obsolete; with nanoassemblers in the home, capitalism becomes obsolete; money, and the corporation with it, ceases to exist. With this, we will also see an end to poverty and inequality, transforming society for the better, eliminating the need for people to commit crime. Traditional threats and needs that government addresses will no longer exist, and a large centralized government will become obsolete.
I'm guessing we will see something much more resembling anarcho-communism than anything else. Inventors will look more like free software developers, governments replaced by localized agreements between and direct democracy within communities. The only threats that will exist are those that are from pure malice, not desperation; however, these threats will be potentially more harmful than those before (it only takes one jerk to turn 50,000 spaceships into grey goo), so it could be a perfectly horrible utopia.
Admittedly, I'm kind of idealistic.
Beam me up Scotty there is no intelligent life left on this planet. ;.)
Zack if you want to send Microsoft the message that you don't like them collecting too much personal data, try Bleachbit for Windows. Also, see how you do with the beta. Bleachbit has been available for years in the open source community, and using it now on Windows will definitely send Microsoft a message about collecting too much personal data and making it incomprehensible in the OS. There are also some new apps out that I saw on a legal news website that will read and interpret Microsoft logs for you. Those look like they might be very helpful in determining what Microsoft is collecting. Might also give Microsoft employees a break in having to handle more data than they care to. A guy at Badattitudes.com/MT years ago said he knew a number of Microsoft employees who absolutely hated their jobs. Maybe the data collection is part of it. It was an anecdotal comment, but we know from Snowden that Microsoft was doing all that others have reported and more. And that its encryption products were useless in protecting your data from certain corporate and government actors.
“Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they're not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.” -Bruce S.
Capital is an enormous power lever. The ability to make laws is also a huge lever (and the ability to make secret laws). Currently, the government has both.
Worse the government is hiring Black hats and Grey hats to do their bidding. Big tech corporations sold out to the government because their Revenue/advertising/data mining model did not work well.
Their choice was to sell their customer's intimate data to the government (and it doesn’t help to be forced to turn your medical records over to the government or their proxies – medical records will be data mined and eventually given to the government – which will become another power lever). The government is clearly winning. I agree there must be a debate, on items such as the current value of Smith v. Maryland Supreme Court decision and section 702. Things must change.
“Oversight is also critically important, and is another long-understood mechanism for checking power. This can be a combination of things: courts that act as third-party advocates for the rule of law rather than rubber-stamp organizations, legislatures that understand the technologies and how they affect power balances, and vibrant public-sector press and watchdog groups that analyze and debate the actions of those wielding power.” – Bruce S.
Unfortunately, transparency, oversight, and the press have been perverted. The press, which in the past, put checks and balances on the government is now a slave of the government. Until the press changes, other fundamental changes will be difficult or impossible.
“…Those with sufficient ability will be able to stay ahead of institutional powers. Whether it's setting up your own e-mail server, effectively using encryption and anonymity tools… there will always be technologies that can evade institutional powers.” –Bruce S
That is true for small and nimble. But, larger targets of the government like Lavabit and Silent Circle have been trampled by NSA letters and gag orders. The only way to avoid this is by moving out of the jurisdiction of the US government (and maybe even the 5-Eyes countries).
Lastly, the government has the ability to track most financial transactions giving the government power to track and shut-down email providers like Lavabit and so on. The question is how to get around this tracking to provide secure communications to the people who are “stuck in the middle?”
I would like to hear some solutions that can be used in present situation.
I really hate the fact you keep telling Businesses they need to adopt a feudal Lordship stance, looking at the Cycle of Body Politic, and applying that to the status quo, is that truly the best approach?
Words have a precise meaning, and the best way to con people is to subvert their knowledge, or create words with imprecise meaning.
"The Internet" should be called something very long, such as "the interconnexion of privately owned computers and networks using a collection of common protocols and standards".
Sure, it is not practical, but once you state it, it puts forth the truth that the internet is nothing more than a bunch of privately owned machines.
Thus, limiting communications between privately owned machines is fundamentally limiting communication between people and "contracts bundles" we call "corporations".
Meddling with the "internet" is nothing more than meddling with freedom of communication and exchange of ideas.
And this could NEVER have been achieved as easily if the packaged name "internet" had not been pushed on un-thinking people. A longer name would automatically have made them reflect on the nature of what they are doing, and on what is being pushed on them.
From the perspective of those in power there is no problem.
We are seeing the (rapid) decline of the use of the general purpose programmable personal computer.
That will do.
According to some new revelations NSA broke into Google's and Yahoo's data centers.
If this is the case then Ed Snowden was not necessarily lying when he said that NSA has direct access to Google.
On another hand it also would mean that Google was not necessarily at fault.
Report: NSA broke into Yahoo, Google data centers
The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, the Washington Post reported Wednesday, citing documents obtained from former NSA contractor Edward Snowden.
A secret accounting dated Jan. 9, 2013, indicates that NSA sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency's Fort Meade, Maryland, headquarters. In the last 30 days, field collectors had processed and sent back more than 180 million new records—ranging from "metadata," which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported Wednesday on its website.
The latest revelations were met with outrage from Google, and triggered legal questions, including whether the NSA may be violating federal wiretap laws.
@bp -- Re: "Zack if you want to send Microsoft the message that you don't like them collecting too much personal data, try Bleachbit for Windows."
If you get skanky-tasting cheeseburgers at Joe's Burger Shack, the answer is not to spray them with Acme Bad Taste Masker... it's to never spend your money at Joe's
THAT's the message to send to Microsoft.
The core of your post highlights what seems to be a controversy in Bruce's position on technology in relation to politics.
In this talk Bruce seems to have an opposite view of what he portrays in the current essay, and he also reinforces that contradictory view by citing or paraphrasing General M. Hayden.
"Give me the box to operate in and I'll go to the very edges of that box, and I will push the edges of that box"
Bruce then clarifies the point made by making darn sure people get it.
"Technology increasingly grows the box.
So you've got the box, and there are laws regulating the box.
The box gets bigger, and there are no laws [1], and the NSA [2] is going to rush out to the edges of the [now expanded] box, so they will move faster than laws can"
Essentially he seems to in fact be saying that laws and by extension politics will always be trailing technology, which is quite different from the stance he takes in the essay above.
[1] .. where technology has created new space.
[2] or more generically, the specific interest controlling the new technology. It needn't be the NSA initially leading the technological charge as history has shown, though they seem to be pretty darn fast in catching up and taking control of the new spaces that have appeared so far during the incremental technological advances or skips.
Words do indeed have implicit and explicit meanings as well as others ascribed to them by a few who wish to hide their motives and activities by idiomatic use that will not be found in any common dictionary.
This is especially noticeable in politics and its kith and kin of civil and military service.
Back in 1946 George Orwell noted this with a short essay on the subject,
"Son, we live in a world that has walls, and those walls have to be guarded by men with guns..."
Well brainwashed view. The only walls there are, are the ones in our heads. Put there while we are growing up. Together with other patriotic BS.
This is an impressively thought provoking piece, on par with your equally provocative arguments concerning 215 collection (even though I disagree with them). At least someone in the Snowden camp is capable of making a reasoned, non-sensationalistic argument on occasion.
What is your point?!
(Of course, in any modern Western(*) society cutting edge technology will be beta tested on the market, and hence almost everyone including the creator/engineers will be 'trailing' that technology, insofar as the possibilities and implications in the short and long term are impossible to oversee)
*) why does that word these days connotate so well with the movie genre by the same name...?
@ all here gathered
Bruce Schneier and Noam Chomsky seem to complement one another to a high degree. Esp. the present article brings that home once more. I can really recommend Chomsky as well; YouTube has a host of his lectures.
I've spent the past year almost every night having one or two of his lectures 'on', while doing some serious programming (I find it not at all hard to multitask the programming and following his exposes and line of thought).
@ Bauke Jan Douma
Who's to say one didn't influence the other. ;) I finally got around to watching Manufacturing Consent. That was a nice piece of work. I think some of his work is quite debatable, but his work I've seen on media influencing democracy is excellent. Got me thinking really hard about some things. That's when you know you're listening to a real intellectual, eh? ;)
Phew, that was a long post.
You said it. You fear it, but it's the logical conclusion.
We need to make all of the data public. No more secrets. If privacy's that dead, it has to be for everyone.
Information is naturally a public property, just has to be broken out of the fences.
This is a good summary of your recent thoughts on the matter. While I agree with you on most points, I think you are being too optimistic.
Look what happened to the telecommunication world during the last centuries, as Tim Wu puts it (http://www.amazon.com/The-Master-Switch-Information-Empires/dp/0307390993) the Internet is next in line to fall victim to corporations and governments.
Once regulations are in place to provide business and national security, you lose freedom. And you can never get it back, at least not for the masses. Transparency might help, but if we try to cooperate we will also need to provide transparency into our lives and habits, at that point it's not even a fight for our privacy, we give it up and trust each others. What you are slowly driving us to is a world of cooperation where we gave up that freedom you seem so eager to defend.
I advocate the use of darknets (not the crap that runs on Java, more like decentralized VPNs with open standards), we need a new secure layer on the Internet, it will stand above corporate and political spheres of influence, use its own currency and know no frontier at all.
Is the "get worse" link broken? I think you've left out a ":" after the https.
It redirects me to homeimprovement.com.
"Ubiquitous surveillance" and "also increasing too". The href's for them are "http://https://www.schneier.com...."
One good result of the inevitable collapse of the dollar will be the end of most government and corporate surveillance of the internet, that is if there is even an internet left.
Based on the comments, that was a fine Rorschach test posting.
Sorry, but the surveillance is exactly for the prolongation of the inevitable collapse during the end phase of monetary cycles. The governments need debt money but cannot get it from the privately owned banks (who created the mess with silent agreement from the politicians). Instead, they take it from the surveillanced masses and pension funds in form of insane taxation -- A rational citizen would call this theft or robbery, but the establishment defines the words and rules. And so the media notifies us that Merkel was spied out, whereas the citizens are merely surveillanced for their own protection and safety against terrorism. Private citizen-owned property will soon cease to exist and be replaced with licenses which regulate every aspect of our future lives. Modern slavery does not utilize chains but uses total surveillance instead.
Amazing essay, Bruce!! So many great constructions...
Reply to Optic,
Re: "Transparency might help...."
Transparency is not only helpful in a true democratic society, it is essential. I do not see the political-corporate leadership interested in transparency at all. Indeed they seem to thrive on mass, deep secrecy.
"Everything secret degenerates, even the administration of justice; nothing is safe that does not show how it can bear discussion and publicity." ~Lord Acton
(In that case, the Brits have become bigger degenerates than us in my opinion.)
Re: "decentralized VPNs with open standards..." Yes, that's an excellent idea.
Why can't everyone be a part of a TOR like internet? Why can't all connections have solid un-corrupted encryption, why cannot everyone establish a secure "cloud" within their own home? A key feature of any future hardening will be to understand corporations and the government consider us to be the electronic enemy now.
We should do likewise.
Darkmail may be the solution. They use the right key words: Diffie-Hellman, XMPP and so on. Traditional email stored on central servers cannot work. The solution is instant messaging with an encryption wrapper and that seems to be where they are headed.
@ Bauke Jan Douma
The point was only to show that Bruce himself seems uncertain on which leg to stand on and point of view to put forth on that specific subject.
Trying to rein in exploitation of technological advances by means of blacklisting is a fool's errand.
At best it's a continuous exercise in whack-a-mole that has the potential of consuming all available resources while not being able to assure its goal.
My own view is that social reform ("revolution" if you like) will be needed and that it needs to happen before burden of proof is flipped, the latter which I predict won't be too far off.
Until the day when government flips the burden of proof, politics and laws will be blunt instruments in containing progress aimed at either good or evil.
"Evil" like those in power having the sole desire to keep and expand that power will continue to exploit the aforementioned weakness, by inflicting whatever arbitrary harm they want to cause those with less power (citizen of lesser standing), as the evil-doers will only continue to change some detail in how they do or argue for their abuses. Thus easily and nimbly avoiding the [legal] hammer that's trying to hit one of their specific instances of abuse, leaving them free to continue doing whatever the heck they want without accountability and consequence.
However since government and big corps aren't the only actors that can exploit this weakness, supporters for good can also exploit the same weakness, in order to ensure free communication and thinking is possible in at least the time frame needed to organize and take action.
To put it bluntly: there is tremendous possibility and value for ethical, intelligent and opportunistic members of the populace to continue the effort of coming up with ever new ways of communicating privately, as there will always be a certain window in which such means will prove effective. But since the ephemeral conversation is dead, anything discussed in that window (say 1-2 years) will eventually become known to the adversaries, and at that time those in power will have yet more rope to hang whomever they consider poses a threat to their status. As such I believe it will always be possible to privately organize, contrary to what Bruce seems to believe, but the stakes to communicate privately will rise sharply and a need for action will soon be implied of those choosing to risk free communication and exchange of ideas.
For many years I shared your view, but if you think a bit further you'll see why such means will only provide a short window of opportunity for speaking privately.
Imagine (well, you no longer have to) an adversary that is embedded at almost every layer in the communication fabric. That entity will be able to grab everything flowing across the "wires".
Now also "imagine" that they can convert to plain text anything gathered, regardless of whether it's using common protection schemes or not (e.g. SSL or other key-based encryption) as they also possess the keys to decipher data obscured by common confidentiality enhancing schemes. They have tools that automatically (or with slight manual assistance) connect the dots and allow them to drop any kind of attribute query of interest into their gigantic social network and communication graph, and anything of primary, secondary or accidental interest will surface about any one or set of individual(s). This is the state today. [1]
You invent some new layer of encryption or anonymity, but we all know that most design ideas are flawed and implementations specifically are plagued with bugs. Additionally it may only take one weakness to make the house of cards crumble and allow the adversary to get a foothold in this layer as well, so you must, just as a locksmith, assume that the protection mechanism will only be effective for a short period of time.
During the time that the protection is assumed effective the data flowing in the layered network may be opaque to the adversary, but it can still capture and store that opaque data, as it knows that time is on its side and that it'll eventually find the inevitable crack it needs. At that time it'll simply overlay the now deciphered historical information with the already known information and whatever you said or communicated on the at-the-time shielded network will be overlaid / added to your profile graph. At that point there may be yet more rope to hang you with, should the adversary ever want to.
As I wrote in the previous post, I still see great value in what you propose, but to exploit it under what may soon evolve into a fascist state will carry huge risk and may be the last thing you do, so you'd better make sure what you discuss either is of immense social import, or that it's followed up by distinct action such that the adversary doesn't have time to retaliate.
[1] I used to sell some of that spooky stuff and nowadays you no longer even need to look hard to see some of that tech trickling into the public view in for example finance, insurance and less classified police work.
If the internet is rebuilt, I hope it is more secure against being controlled by those with agendas. That goes for governments and those trying to sell us questionable things.
Control of the internet is being fought by:
1. scammers that know too much about it
2. politicians that invented it but know too little of how it works
3. government agencies that want more access
4. webmasters trying to get it to work in Windows Explorer
5. the public wanting to watch cat videos for free
From a practical standpoint there has to be some symmetry or locus that leverages the greatest amount of support for changing what is obviously in the interest of anyone concerned with democratic principles. Unless people are willingly (not unwittingly) prepared to give up all their rights--one of which is the access to the future--co-opting those that have a "vested" interest must be engaged.
To simplify, I suggest that those with a financial interest (we don't need the Fortune 1000) such as the mid-size businesses and organizations be enjoined as this group probably has the most to lose. This group would probably be the most impacting from a support perspective.
From an organizational perspective it would be useful to co-opt a well-known socio-political organization. It has to be an organization that can survive attack and does not bring with it baggage that allows for the organization to be marginalized. For example, Greenpeace versus the Sierra Naturalists Group; Greenpeace is highly effective but can be easily marginalized by blacklist (terrorist listing) members.
I'm afraid that a more serious effort to "re-balance" popular (not by perception) democratic systems is something that will require more than what I have witnessed here. Keyboard commandos are one thing, revolutionary (from a practical and ideological perspective) will need to leave their leather captain's chairs to make a difference. Additionally, the coherency absent this type of ad-hoc ruminations is fun but I don't see it as practical. I can see how the Romans subsume Greek society, but that's not to say that it happens again.
Keyboard commandos are one thing, revolutionary (from a practical and ideological perspective) will need to leave their leather captain's chairs to make a difference.
--I've come to a different conclusion, like \Daniel/ stated, politics is a slow, bureaucratic, very predictable process. Very frustrating for people who want to see things happen and happen now. In very short, political solutions will be retarded or flat out insincere, basically. Read the laws, they're all BS that allow the gov't to commit crimes and criminalize individuals standing up for themselves.
So, maybe "keyboard commandos" programming and using prior software for testing may actually be more effective than going out protesting and getting arrested for trying to express the falsehoods that are "human rights". They've all been violated and I'm not so naively stupid to think something barring a violent revolution or uncontrollable digital hacking will actually change. Meaning, all the NSA databases become public knowledge, then all the information just lost a huge amount of value and everyone can blackmail everyone.
Dear walls: read the whole post. I was in the gov with a TS, I know the BS first hand. It's full of nuts that are crazy about the flag. Some of us are real folks that know too much power in 1 hand is BAD.
"legitimate" coercion. Unlike the IRS, no matter how big Facebook gets they cannot force me to use their service.
Peer pressure utilizes that need for them.
Can peer pressure seize your assets, imprison you, or murder you? Legal use of violence is the differentiator between government and private operations. The government's agencies can and do destroy both individuals and companies directly for various reasons. From opponent's capabilities to your defence options, the difference between an online service provider and the likes of FBI/IRS/NSA is the difference between night and day. These differentiators are why government getting certain data is more dangerous than private companies.
(And cooperation of private and government groups on data gathering is even worse.)
Feudalism didn't transform into a government of laws without violence. Part of what made that possible was surprise by the attackers. We have a real shift here - there is and never will be surprise again, you can't organize, and at any rate, see first sentence. This won't be done without violence if history is any guide. I'm not aware of exceptions.
I wish I wasn't right. But being optimistic when the facts are utterly otherwise is a bit of a stretch for me.
The weapons of the future will not shoot anything. Every problem you solve becomes a step to solving another problem.
Again, failure isn't an option--it's the plan.
Agreeing with Bruce's position on the InfoSEC landscape where players (corporate) do the minimum to address privacy and security in the operation of their products. Just the EULAs alone should be the guidepost. Whatever it says, specify the opposite.
1.) Products and services should focus on robust solutions in the totality of the product's operation. I know, I said totality, getting "ideal" solutions is a fool's errand but what we have is far from ideal. Harping on Microsoft is an exercise in stupidity, when I was running a 32bit operating system when Windows 3 was released told me that consumer electronics is just that.
2.) Answers to issues will consist of courts, law enforcement, lawsuits, insurance, and more crappy products. This is the WRONG answer.
3.) Unless cooler, and smarter, heads prevail we will not be better off and we can see a future where systems are embroiled in constant conflict. This serves no one as far as I am concerned--yeah I know, the MIC issue is not unknown to me but that does not make it right.
"while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents to arrest."
Where is this claim coming from? I was in Syria a few years ago and Facebook was blocked. Is there any evidence Syria subsequently opened up access to Facebook?
OK, apparently Facebook was unblocked by Syria in 2011.
I would just take issue with Schneier's view which seems to place all governments in the same category of against the "people." The fact is that the Syrians and Chinese are far more likely to try and install malware on your computer than the NSA (unless you are working on building a nuke in Iran).
Schneier ignores the fact that the Tor project has received funding from the U.S. government, apparently because that doesn't fit the story line of U.S. government malice. The U.S. government has also been working hard to minimize the extent to which the internet gets balkanized under the "national sovereignty" argument. That balkanization is not going to help ordinary people, but all these stories about the perfidy of the Americans are just going to create more excuses for these national networks which increase costs and increase the power of national governments to control information.
You are right indeed, and I never presumed that darknets would keep the NSA from reading the traffic.
This is how we can take back control over the Internet, as people fork projects (NetBSD/OpenBSD, BusyBox/ToyBox), we can fork the Internet by migrating all the services we want protected on our own infrastructure. This way, we increase significantly the cost of eavesdropping, which is what Bruce suggests we do anyways.
1. Decentralized VPN
3. Frameworks to develop distributed services
4. Bitcoins or alternative
You could just say "Oh well, I don't know where my users' data is, sorry." Or "I can't provide you with the keys, it's handled by the VPN/Framework".
In the end, we need to design protocols and software to protect users, developers and hosting providers.
Tor is slow, so slow. And it's often blocked. We don't need to struggle to access services on the Web, we just need to access services within the private anonymous network of user managed nodes. Tor was a nice PoC, but not worthy of a solution.
Pirate browser is the future with a distributed web using torrent files to distribute the web.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.