Congress Can Give You Back the Internet
By Elizabeth Weingarten
More than 150 years after Bull Run—the long, bloody battle that foretold of a long, bloody Civil War—a new Bull Run is the symbol of a very different, bloodless fight.
"Bull Run" is code for a National Security Agency program that asks U.S. Internet security providers to poke holes in their systems (also known as "back doors")—and to keep those requests—and weaknesses—a secret. "The conceit here is that only the NSA can exploit this vulnerability," and gain access to encrypted Internet traffic, explained computer security and privacy specialist Bruce Schneier at a recent NSA surveillance briefing convened by the Open Technology Institute on Capitol Hill.
But that's a flawed conceit. More often than not, "these vulnerabilities are found out by criminals or other countries, and exploited."
Seeing this hole in the NSA's logic is key to understanding the crucial gap in how Washington policymakers are tackling the agency's overreach—and why the latest bills to increase transparency and limit surveillance only the beginnings of a solution to the problem. As Schneier pointed out, this is no longer a discussion about a spectrum of vulnerability; the decision is now binary. "We don't get to pick and choose who eavesdrops," Schneier said. "We get to pick and choose whether eavesdropping is possible—or whether it's not possible."
That's because we've constructed an inherently insecure Internet, he told the audience (think back to those backdoors that allow for unchecked surveillance). So the choice going forward is: Do we build an Internet that's vulnerable to all attackers, or an Internet that's secure for all users?
In other words, our challenge is not to limit the NSA, but rather to fundamentally alter the nature of the Internet.
That's a massive, technical task. One that many members of Congress—who grew up learning diplomatic protocols, rather than http protocols—aren't prepared to undertake.
Representative Zoe Lofgren is the exception. A steward of Washington's technology policy world, she's been working on issues of online security and freedom since 1995. She stopped by the Hill briefing to talk about her latest bipartisan effort to rein in NSA overreach: the Surveillance Order Reporting Act.
Congress, she said, is partly responsible for checking NSA behavior in three ways that the Act addresses: 1. It needs to limit bulk collection of information—spying on every American can't be necessary for national security. 2. Congress should ensure the government can't use the Foreign Intelligence Surveillance Act (FISA) to circumvent the requirement that it obtain a warrant to access information about citizens. 3. Lastly, what happens in FISA court shouldn't always stay in FISA court. The actions there should be more transparent—and litigants should be able to see the government's arguments and judicial rulings.
The Surveillance Order Reporting Act, which has nine co-sponsors, would also allow Internet companies to report on how many data requests they've received from the government; right now, those companies can't disclose the number of court orders they comply with, nor the amount of data they're sending, she explained.
"This is a business competition issue for American companies," she argued. "Try and compete in Europe when Europeans think their data isn't secure with you."
Countries like Brazil and Germany are already talking about storing all of their data in-country, a trend that some technologists worry could lead to a Balkanization of the Internet. (Schneier, for the record, isn't sure if those dreams of data autonomy are even technically possible).
But let's back up for a second. Will any of Lofgren's measures help American businesses and citizens feel any safer, given Schneier's recasting of the problem?
Actually yes. Although some fixes may ultimately come from places like the Internet Engineering Task Force, Schneier also acknowledged the importance of legislation: Bills like the Surveillance Order Reporting Act could create more transparency, oversight and accountability—all critical ingredients to any functioning Internet security system.
But, before we jump on the legislation bandwagon, there are two caveats: Tech tools tend to change quickly, outpacing the laws created to regulate them. And Congress isn't comprised entirely of Zoe Lofgrens, people who know how to craft an intelligent piece of tech legislation.
"There's a belief among technologists that legislators don't get it," Schneier said. "They're like my father—it's not that they're stupid, they just weren't born into the Internet. There is this disconnect."
That disconnect worries Schneier. What if Congress passes a law that's moot within a year—or easily circumvented by bad actors?
Evergreen solutions could come from leveraging " technologically invariant" factors, like economics, physics and math, he said. We could start by changing the economics of data collection. Bulk collection of data—through Google, Facebook and Yahoo, for example, has become cheaper than targeted collection, Schneier pointed out. "We just need to change that."
And even in this Congress, change could be possible.
"This issue cuts across traditional political divides," said Sascha Meinrath, the Director of the Open Technology Institute and moderator of the briefing. " It shifts a lot of the dynamics."
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.