
Power and the Internet

All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that’s only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken up to the fact that not only can they use the Internet, they can control it for their interests. Unless we start deliberately debating the future we want to live in, and the role of information technology in enabling that world, we will end up with an Internet that benefits existing power structures and not society in general.

We’ve all lived through the Internet’s disruptive history. Entire industries, like travel agencies and video rental stores, disappeared. Traditional publishing—books, newspapers, encyclopedias, music—lost power, while Amazon and others gained. Advertising-based companies like Google and Facebook gained a lot of power. Microsoft lost power (as hard as that is to believe).

The Internet changed political power as well. Some governments lost power as citizens organized online. Political movements became easier, helping to topple governments. The Obama campaign made revolutionary use of the Internet, both in 2008 and 2012.

And the Internet changed social power, as we collected hundreds of “friends” on Facebook, tweeted our way to fame, and found communities for the most obscure hobbies and interests. And some crimes became easier: impersonation fraud became identity theft, copyright violation became file sharing, and accessing censored materials—political, sexual, cultural—became trivially easy.

Now powerful interests are looking to deliberately steer this influence to their advantage. Some corporations are creating Internet environments that maximize their profitability: Facebook and Google, among many others. Some industries are lobbying for laws that make their particular business models more profitable: telecom carriers want to be able to discriminate between different types of Internet traffic, entertainment companies want to crack down on file sharing, advertisers want unfettered access to data about our habits and preferences.

On the government side, more countries censor the Internet—and do so more effectively—than ever before. Police forces around the world are using Internet data for surveillance, with less judicial oversight and sometimes in advance of any crime. Militaries are fomenting a cyberwar arms race. Internet surveillance—both governmental and commercial—is on the rise, not just in totalitarian states but in Western democracies as well. Both companies and governments rely more on propaganda to create false impressions of public opinion.

In 1996, cyber-libertarian John Perry Barlow issued his “Declaration of the Independence of Cyberspace.” He told governments: “You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear.” It was a utopian ideal, and many of us believed him. We believed that the Internet generation, those quick to embrace the social changes this new technology brought, would swiftly outmaneuver the more ponderous institutions of the previous era.

Reality turned out to be much more complicated. What we forgot is that technology magnifies power in both directions. When the powerless found the Internet, suddenly they had power. But while the unorganized and nimble were the first to make use of the new technologies, eventually the powerful behemoths woke up to the potential—and they have more power to magnify. And not only does the Internet change power balances, but the powerful can also change the Internet. Does anyone else remember how incompetent the FBI was at investigating Internet crimes in the early 1990s? Or how Internet users ran rings around China’s censors and Middle Eastern secret police? Or how digital cash was going to make government currencies obsolete, and Internet organizing was going to make political parties obsolete? Now all that feels like ancient history.

It’s not all one-sided. The masses can occasionally organize around a specific issue—SOPA/PIPA, the Arab Spring, and so on—and can block some actions by the powerful. But it doesn’t last. The unorganized go back to being unorganized, and powerful interests take back the reins.

Debates over the future of the Internet are morally and politically complex. How do we balance personal privacy against what law enforcement needs to prevent copyright violations? Or child pornography? Is it acceptable to be judged by invisible computer algorithms when being served search results? When being served news articles? When being selected for additional scrutiny by airport security? Do we have a right to correct data about us? To delete it? Do we want computer systems that forget things after some number of years? These are complicated issues that require meaningful debate, international cooperation, and iterative solutions. Does anyone believe we’re up to the task?

We’re not, and that’s the worry. Because if we’re not trying to understand how to shape the Internet so that its good effects outweigh the bad, powerful interests will do all the shaping. The Internet’s design isn’t fixed by natural laws. Its history is a fortuitous accident: an initial lack of commercial interests, governmental benign neglect, military requirements for survivability and resilience, and the natural inclination of computer engineers to build open systems that work simply and easily. This mix of forces that created yesterday’s Internet will not be trusted to create tomorrow’s. Battles over the future of the Internet are going on right now: in legislatures around the world, in international organizations like the International Telecommunications Union and the World Trade Organization, and in Internet standards bodies. The Internet is what we make it, and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.

This essay appeared as a response to Edge’s annual question, “What *Should* We Be Worried About?”

Posted on January 31, 2013 at 7:09 AM

"People, Process, and Technology"

Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system.

This blog post argues that the IT security world has become so complicated that we need less in the way of people and process, and more technology:

Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I’m speaking as a pioneer and highly experienced expert in process and human factors.

[…]

Today I’d ditch the Triangle. It’s become an argument against excessive focus on technology. Yet that’s what we now need. There’s nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.

He’s right. People and process work on human timescales, not computer timescales. They’re important at the strategic level, and sometimes at the tactical level—but the more we can capture and automate that, the better we’re going to do.

The problem is, though, that sometimes human intelligence is required to make sense of an attack, and to formulate an appropriate response. And as long as that’s the case, there are going to be instances where an automated attack is going to have the advantage.

Posted on January 30, 2013 at 12:20 PM

Who Does Skype Let Spy?

Lately I’ve been thinking a lot about power and the Internet, and what I call the feudal model of IT security that is becoming more and more pervasive. Basically, between cloud services and locked-down end-user devices, we have less control and visibility over our security—and have no choice but to trust those in power to keep us safe.

The effects of this model were in the news last week, when privacy activists pleaded with Skype to tell them who is spying on Skype calls.

“Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter explains.

Among the group’s concerns is that although Skype was founded in Europe, its acquisition by a US-based company—Microsoft—may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.

The group claims that both Microsoft and Skype have refused to answer questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted.

The letter calls upon Microsoft to publish a regular Transparency Report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it. In addition it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.

That’s security in today’s world. We have no choice but to trust Microsoft. Microsoft has reasons to be trustworthy, but they also have reasons to betray our trust in favor of other interests. And all we can do is ask them nicely to tell us first.

Posted on January 30, 2013 at 6:51 AM

Complexity and Security

I have written about complexity and security for over a decade now (for example, this from 1999). Here are the results of a survey that confirms this:

Results showed that more than half of the survey respondents from mid-sized (identified as 50-2500 employees) and enterprise organizations (identified as 2500+ employees) stated that complex policies ultimately led to a security breach, system outage or both.

Usual caveats for this sort of thing apply. The survey is only among 127 people—I can’t find data on what percentage replied. The numbers are skewed because only those that chose to reply were counted. And the results are based on self-reported replies: no way to verify them.

But still.

Posted on January 29, 2013 at 6:32 AM

Dangerous Security Theater: Scrambling Fighter Jets

This story exemplifies everything that’s wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities.

Typical overreaction, but in this case—as in several others over the past decade—F-15 fighter jets were scrambled to escort the airplane to the ground. Very expensive, and potentially catastrophically fatal.

This blog post makes the point well:

What bothers me about this is not so much that they interrogated the wrong person—that happens all the time, not that it’s okay—but rather the fighter jets. I think most people probably understand this, but just to make it totally clear, if they send up fighters that is not because they are bringing the first-class passengers some more of those little hot towels. It is so they can be ready to SHOOT YOU DOWN if necessary. Now, I realize the odds that would ever happen, even accidentally, are very tiny. I still question whether it’s wise to put fighters next to a passenger plane at the drop of a hat, or in this case because of an anonymous tip about a sleeping passenger.

[…]

According to the Seattle Times report, though, interceptions like this are apparently much more common than I thought. Citing a NORAD spokesman, it says this has happened “thousands of times” since 9/11. In this press release NORAD says there have been “over fifteen hundred” since 9/11, most apparently involving planes that violated “temporary flight restriction” areas. Either way, while this is a small percentage of all flights, of course, it still seems like one hell of a lot of interceptions—especially since in every single case, it has been unnecessary, and is (as NORAD admits) “at great expense to the taxpayer.”

Posted on January 28, 2013 at 1:25 PM

Violence as a Contagious Disease

This is fascinating:

Intuitively we understand that people surrounded by violence are more likely to be violent themselves. This isn’t just some nebulous phenomenon, argue Slutkin and his colleagues, but a dynamic that can be rigorously quantified and understood.

According to their theory, exposure to violence is conceptually similar to exposure to, say, cholera or tuberculosis. Acts of violence are the germs. Instead of wracking intestines or lungs, they lodge in the brain. When people, in particular children and young adults whose brains are extremely plastic, repeatedly experience or witness violence, their neurological function is altered.

Cognitive pathways involving anger are more easily activated. Victimized people also interpret reality through perceptual filters in which violence seems normal and threats are enhanced. People in this state of mind are more likely to behave violently. Instead of through a cough, the disease spreads through fights, rapes, killings, suicides, perhaps even media, the researchers argue.

[…]

Not everybody becomes infected, of course. As with an infectious disease, circumstance is key. Social circumstance, especially individual or community isolation—people who feel there’s no way out for them, or disconnected from social norms—is what ultimately allows violence to spread readily, just as water sources fouled by sewage exacerbate cholera outbreaks.

At a macroscopic population level, these interactions produce geographic patterns of violence that sometimes resemble maps of disease epidemics. There are clusters, hotspots, epicenters. Isolated acts of violence are followed by others, which are followed by still more, and so on.

There are telltale incidence patterns formed as an initial wave of cases recedes, then is followed by successive waves that result from infected individuals reaching new, susceptible populations. “The epidemiology of this is very clear when you look at the math,” said Slutkin. “The density maps of shootings in Kansas City or New York or Detroit look like cholera case maps from Bangladesh.”

I am reminded of this paper on the effects of bystanders on escalating and de-escalating potentially violent situations.

Posted on January 28, 2013 at 6:07 AM

Sidebar photo of Bruce Schneier by Joe MacInnis.