Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Knock, Knock. Who’s there? The Clipper Chip and Four Horsemen.

This is a LONG post so here’s a short summary:
Angela Merkel made an ominous announcement last week. She wants to move ahead with walling off the EU’s web traffic and begin a “massive” counter-espionage campaign against the US and its Five Eyes partners. There’s also a new German anti-NSA state-backed email service. Similarly, Brazil is moving ahead with its plans to remake the internet, including local data storage requirements and possibly state-encrypted web services. So domestic spying could be on the rise, the internet itself is at risk, state-encryption services are now being offered as an anti-NSA panacea, and the future of encryption standards is up in the air. Simultaneously, Kim Dotcom is working on making unbreakable encryption mainstream and easy to use.

With both state-backed anti-NSA encryption and unbreakable mainstreamed strong encryption on the horizon, it looks like an old enemy of privacy, the Clipper Chip, is back in a new form, and the Clipper Chip’s own arch-nemeses, the Four Horsemen of the Infopocalypse, are back too. Should we welcome these guests? The Cypherpunks think so. But these aren’t easy guests to have around, and there are no obvious ways to uninvite them without a LONG talk.


In the meantime, while data-localization laws are gaining momentum, no government, Germany and Brazil included, is offering a state-backed encryption service that even the state itself can’t break. Crises in trust can get weird and ugly fast:

McClatchy in Berlin

Edward Snowden revelations prompt crisis of trust in Germany

European experts question whether they can rely on US computing models or whether they need to develop their own fail-safe equipment

PUBLISHED : Monday, 17 February, 2014, 5:02am
UPDATED : Monday, 17 February, 2014, 6:22am

When Germany’s federal criminal police office needs to share sensitive information these days, employees type the particulars and get them hand-delivered.

Last year, agents would have trusted the security of e-mail. But that was before Edward Snowden and the revelations about the US National Security Agency’s PRISM electronic intelligence-gathering programme. After Snowden, it’s a new digital world.

Note that the German police that previously thought their email was totally secure were probably rookies.

Continuing…


“We’re now carrying our information to our allies on foot,” said Peter Henzler, vice-president of the Bundeskriminalamt, known as the BKA. He was speaking recently at a German Interior Ministry discussion on the country’s digital future. The focus of the panel was how to counter US surveillance measures and what it will take for Germans to be safe again on the web. “We’re no longer using the open internet,” he said.

The message is clear: No longer can the US be trusted to honour the privacy of German life and policy.

Henzler’s concerns weren’t isolated. The worries appear to reflect the wider German, and even European, frustration with the reach of the NSA’s surveillance programme.

Hardly a week passes in Berlin without some new revelation about the dastardly depths to which the American spy programme invaded German privacy, or at least a new way in which to react to the scandal.

Last week, news broke that the United States had tapped the mobile phone of Gerhard Schroeder when he was German chancellor from 1998 to 2005. This came four months after news broke that the same American surveillance programme was tapping the mobile phone of the current chancellor, Angela Merkel.

There are many more examples beyond news stories. Thirty-two per cent of Germans told pollsters that they had either quit or cut their time on Facebook because of spying fears. German television ads note the peace of mind and freedom that comes with e-mail that doesn’t leave European servers. Providers now say that they encrypt all e-mail.

Such thoughts aren’t limited to Germany. A US$900 million French deal with the United Arab Emirates for two new intelligence satellites appears to be in doubt after the buyers noticed US components in the French satellites that they feared could compromise their data.

Florian Glatzner, a policy officer with the German Federal Consumer Protection Agency, says the office is fielding many consumer questions about how to ensure that communications and data are safe from the NSA.

“A lot of the trust in the big internet companies is gone,” he says. “And most of the big internet companies were based in the United States.”

Thomas Kremer, a data privacy board member for Deutsche Telekom, the German phone giant, recently noted that: “Regardless of what one thinks of Edward Snowden, he created an awareness of internet security and we should be grateful for that.”

Experts note that there may be no better place to find the effect of this distrust than in the emerging cloud computing market. Before Europe met Snowden, the continent was moving fast to an American-dominated cloud computing future.

The American dream of total cloud domination might be drifting away. There are signs of that: By 2016, US companies are expected to lose US$21 billion to US$35 billion in new contracts that they’d been expected to collect, according to some estimates.

German cloud companies are posting better-than-expected earnings. There have been signs that some US tech companies might be suffering. Network equipment maker Cisco, for instance, noted government issues when it predicted a revenue drop for the current quarter.

The new reality for some critics is that data that passes through the United States isn’t safe.

“A year ago, a German cloud was a bad idea,” says Daniel Castro, a senior analyst for the Information Technology & Innovation Foundation in Washington. “German business didn’t want a German product to help them in a global market. They wanted the best product. Today, even if businesses still believe a German cloud is a bad idea, they’re accepting it as a necessary idea.”

There’s even a new initiative, “German Cloud”, backed by a variety of German tech companies. The motto is “My company data stays in Germany.”

Castro noted that this is a bad time for the American brand to lose lustre. The market is growing rapidly. Castro wants hard evidence that confirms his earlier predictions that the international market share of US cloud providers should fall by 5 per cent this year, and up to 20 per cent by 2016, because of the spying allegations.

The news could be even worse for American companies. The recent Interior Ministry panel showed just how fearful Germany has become. Reinhold Achatz, head of technology and innovation at the German steel giant ThyssenKrupp, noted that “whoever can read data is also likely to be able to change data.”

“For example, they could switch off a power station,” he said. “So from my point of view, it wouldn’t be surprising if someone came up with the idea of switching off Germany. I’m serious about that.”

Note that ThyssenKrupp actually tried to get cyberattack insurance in 2012 over Stuxnet concerns. It didn’t sound like the insurance industry was very interested.

Continuing…


Christian Stoecker, editor of Spiegel Online, the web version of Germany’s most prestigious news magazine, noted: “Before Snowden, I did not know that the NSA intercepts hardware shipped to European telecommunications companies by US manufacturers and swaps the BIOS to make the equipment usable for NSA purposes.” BIOS is the basic operating system that starts up a personal computer.

“The NSA practically turned the internet into a weapons system,” Stoecker says. “If we want to change things, we have to enter into disarmament talks.”

A round of surveillance “disarmament talks” should be quite a sight. Maybe it’ll be one big sweeping gesture at the UN level, or a series of bilateral talks. Either way, it’s going to be complicated and almost doomed to fail if it’s just “disarmament talks” between the US and Germany. A single bilateral no-spy agreement just isn’t that useful in a world of joint intelligence-sharing agreements:

Christian Science Monitor
Hyperbole in NYT report on Australia and NSA spying on Indonesia

A New York Times story about how Australian intelligence might have passed information involving a US law firm and Indonesia is heavy on the drama.

By Dan Murphy, Staff writer / February 16, 2014

James Risen and Laura Poitras at the New York Times have the latest scoop from the steady drip drip drip of National Security Agency files that former NSA contractor Edward Snowden stole and has been distributing to reporters since the middle of last year.

They report the news breathlessly, but there’s far less there there than their presentation would lead a casual reader to believe. They write:

A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance.

Scary, huh? No. Not at all. Here’s my summary of the key assertions in the article, stripped of spin, drama, and adjectives:

“A 2013 memo leaked by Edward Snowden shows that Australia’s version of the NSA, while engaged in electronic surveillance of an Indonesian trade delegation, came across communications between the Indonesian officials and a US law firm the country had hired for help with trade talks. Australia informed the NSA liaison office in Canberra that intelligence it was collecting and willing to share with the US might infringe on US attorney-client privilege laws. The liaison referred the matter to the NSA general counsel in the US and some sort of legal guidance was sent back. The memo does not say, nor has the Times been able to learn by other means, what that guidance was.”

Foreign governments hire US law firms and lobbyists all the time and it would be foolish to assume that US and foreign government signal intelligence collection operations targeting foreign governments don’t frequently come across communication between the targets and the US companies in their employ. Yet here’s an instance of what can safely be presumed to be a routine occurrence in which US ally Australia – not bound by any US law in its intelligence collection – immediately notified the US of a potential legal problem with intelligence sharing.

The guidance the US sent back (for all we know – the Times doesn’t) may well have been: “Feed us the stuff the Indonesian officials say but redact anything involving any American citizens who were involved.” Or it could have been: “Give us everything – our lawyers have determined that all of this is legal for us to collect.”

In fact, an NSA spokeswoman quoted in the article – if you read down to the 13th paragraph – says the agency takes attorney client privilege very seriously. The NSA’s Vanee M. Vines told the paper that in cases like the one described in the article that the agency’s legal office could recommend steps including “requesting that collection or reporting by a foreign partner be limited, that intelligence reports be written so as to limit the inclusion of privileged material and to exclude U.S. identities, and that dissemination of such reports be limited and subject to appropriate warnings or restrictions on their use.”

This all strikes me as very positive and a far cry from the Times’ recommendation in the story’s first paragraph to add “American lawyers… (to) the list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners.”

The article provides evidence that legal concerns are front and center when intelligence sharing comes up. And while Australia may be the junior partner in the defense relationship with the US, they punch far above their weight when it comes to neighbor Indonesia, the world’s fourth largest country. Australia has more linguists and specialists and resources focused on Indonesia than the US does and Australia’s willingness to share intelligence about the country of relevance to US interests is evidence of how the so-called “Five eyes” alliance (intelligence sharing between Australia, New Zealand, Canada, the UK and the US) is a two-way street.

To some, all US intelligence cooperation with foreign governments is nefarious. Take Glenn Greenwald, who’s been the most prominent of the reporters receiving documents from Snowden and has emerged as a sort of unofficial spokesperson and cheerleader for both the man himself and the supposedly earth-shattering implications of everything he has revealed. This was his response to the Times’ story on Twitter:

Glenn Greenwald @ggreenwald
There’s almost no separation between Five Eyes alliance on spying: Australian spying on US law firm w/NSA knowledge http://www.nytimes.com/2014/02/16/us/…
9:07 AM – 16 Feb 2014

Eavesdropping Ensnared American Law Firm
A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the… The New York Times @nytimes

What is his point here? It would be better if Australia was conducting its spying activities while keeping the US in the dark? That America has some power to demand Australia rein in its intelligence targeting of Indonesia – one of the country’s two most important intelligence targets?

As for “almost no separation,” what is actually shown is… separation. Australia, not as familiar with US laws as the NSA is, let the US know what was going on and asked for guidance.

The Five Eyes no-spy pro-spy agreement
When the above author asked the question “would it be better if Australia was conducting its spying activities while keeping the US in the dark?”, it raised another aspect of creating a spy-free world: if two nations are to enter into a ‘no-spy’ agreement, they are presumably also entering into a ‘trust us to share with you any relevant info, and also trust us to spy on our own populace and identify threats so you don’t feel the need to spy on us’ agreement. It raises the question of how, for example, the relationship between the US and Germany would have changed in the wake of 9/11 if the two countries had already had a ‘no-spy’ agreement when the Hamburg cell was discovered. Would 9/11 have been used as an excuse to elevate domestic surveillance in Germany? Maybe not, but the fact remains that a ‘no-spy’ world is unprecedented, so a lot of tricky and unprecedented questions might get raised as we enter into the No-Spy World Order. Fortunately (for procrastinators), those unprecedented questions may not need to be asked for the foreseeable future:

February 13, 2014 11:14 am
Germany gives up on no-spy deal with US

By Jeevan Vasagar in Berlin

The German government has given up hope of a bilateral no-spy agreement with the US, according to a senior aide to chancellor Angela Merkel.

Phillipp Missfelder, Berlin’s co-ordinator for transatlantic relations, told a press briefing on Thursday that he did not expect talks would lead to a legally binding agreement.

He said: “I am realistic that we can’t expect a no-spy agreement that will be binding in international law. The Americans are not prepared to curtail their security measures.”

Germany has been pushing for a relationship similar to the “five eyes” agreement between the US and four English-speaking allies, including the UK. This carries an understanding that they will not spy on each other.

There were reports of a stalemate in talks between Berlin and Washington last month, but until now the official line from Germany has been that discussions are ongoing.

Mr Missfelder said: “The Americans base their predominant position in the world not on economic or on military grounds, but on moral superiority. That is undermined when friends are spied upon. When were Gerhard Schröder or Angela Merkel a threat to US national security? Never.”

Mr Missfelder leavened his criticism with praise for President Barack Obama for giving an interview to a German broadcaster following his NSA speech. He added: “We are friends, we remain friends, and Snowden can’t change that.”

At a joint press conference with French president François Hollande on Tuesday, Mr Obama said there was no country with which the US has a no-spy agreement. He added the US endeavours to protect privacy rights as it gathers foreign intelligence.


It might sound surprising that President Obama announced that there was no country in the world with which the US has a no-spy agreement. After all, isn’t it the ‘Five Eyes’ agreement and its ‘no-spying’ membership perk that Angela Merkel has been coveting all along? Well, not exactly. The ‘Five Eyes’ aren’t supposed to spy on each other’s citizens without permission but, as one might expect, that’s really more of a suggestion:

NSA considered spying on Australians ‘unilaterally’, leaked paper reveals
2005 draft directive says citizens of ‘5-Eyes’ countries may be targeted without knowledge or consent of partner agencies

James Ball and Paul Farrell
theguardian.com, Wednesday 4 December 2013 22.29 EST

The US National Security Agency has considered spying on Australian citizens without the knowledge or consent of the Australian intelligence organisations it partners with, according to a draft 2005 NSA directive kept secret from other countries.

The draft directive leaked by the US whistleblower Edward Snowden reveals how the NSA considered the possibility of “unilaterally” targeting citizens and communication systems of Australia, New Zealand and Canada – all “5-Eyes” partners which it refers to as “second party” countries.

a) (S//SI//NF) Under the British-U.S. Communications Intelligence Agreement of 5 March 1946 (commonly known as the United Kingdom/United States of America (UKUSA) Agreement), both governments agreed to exchange communications intelligence products, methods and techniques as applicable so long as it was not prejudicial to national interests. This agreement has evolved to include a common understanding that both governments will not target each other’s citizens/persons. However, when it is in the best interest of each nation, each reserved the right to conduct unilateral COMINT action against each other’s citizens/persons. Therefore, under certain circumstances, it may be advisable and allowable to target Second Party persons and second party communications systems unilaterally when it is in the best interests of the U.S. and necessary for the U.S. national security. Such targeting must be performed exclusively within the directions, procedures and decision processes outlined in this directive.

“Under certain circumstances, it may be advisable and allowable to target second party persons and second party communications systems unilaterally when it is in the best interests of the US and necessary for US national security,” says the directive, which was classified as “NF” for No Foreign and is titled Collection, Processing and Dissemination of Allied Communications.

“Such targeting must be performed exclusively within the direction, procedures and decision processes outlined in this directive.”

Australia is one of the countries acting in partnership with Britain, the US, New Zealand and Canada to share intelligence and conduct surveillance operations around the world. These 5-Eyes states form part of the UKUSA agreement, which was believed to limit the ability of the partner countries to spy on each other. The Australian Signals Directorate maintains a close partnership with the NSA.

On Monday Guardian Australia revealed that the Defence Signals Directorate – now the Australian Signals Directorate – had offered to share citizens’ personal data in a 2009 meeting. Last month an officer responsible for federal parliament’s IT systems left open the possibility that parliamentarians could be subject to US surveillance through a Microsoft operating system vulnerability.

The draft 2005 directive, which was published in the Guardian in November, goes on to state that the US could conduct the targeting without the knowledge of Australian, Canadian or New Zealand authorities, and even if the countries had rejected a “collaboration proposal” for the operation.

b) (S//NF) Unilaterally by the Signals Intelligence Directorate:
When sharing the planned targeting information with a second party would be contrary to US interests, or when the second party declines a collaboration proposal, the proposed targeting must be presented to the signals intelligence director for approval with justification for the criticality of the proposed collection. If approved, any collection, processing and dissemination of the Second Party information must be maintained in NOFORN channels.

“When sharing the planned targeting information with a second party would be contrary to US interests, or when the second party declines a collaboration proposal, the proposed targeting must be presented to the signals intelligence director for approval with justification for the criticality of the proposed collection.”

The original 1946 UKUSA agreement between the US and Britain was previously designed only for “foreign intelligence” operations. The draft memo appears to indicate that the agreement has changed.

“[The 1946 UKUSA] agreement has evolved to include a common understanding that both governments will not target each other’s citizens/persons. However, when it is in the best interest of each nation, each reserved the right to conduct unilateral Comint [communications intelligence] action against each other’s citizens/persons.”

In a later part of the draft cleared for release to the 5-Eyes countries, the document suggests there may be circumstances in which Australia, Canada and New Zealand should co-operate to allow the US to target their citizens.

b) (S//SI//REL to UK, CAN, AUS, NZ and USA) There are circumstances when targeting of Second party persons and communications systems, with the full knowledge and co-operation of one or more second parties, is allowed when it is in the best interests of both nations. This targeting will conform to guidelines set forth in this directive.

“There are circumstances when targeting of second party persons and communications systems, with the full knowledge and co-operation of one or more second parties, is allowed when it is in the best interests of both nations,” the 2005 document says. “This targeting will conform to guidelines set forth in this directive.”

It says this type of collaborative targeting is most commonly achieved “when the proposed target is associated with a global problem such as weapons proliferation, terrorism, drug trafficking or organised crime activities”.

Yes, the much vaunted ‘No spying’-feature in the ‘5 Eyes’ club actually appears to be a moot point within a larger ‘Pro spying’ agreement. Or, more precisely, it appears to be a ‘please don’t spy on us without asking first and we’d likely be more than happy to help…unless we don’t want to help, in which case go ahead and spy on us anyways’-club that fosters the collection and sharing of intelligence including the intelligence on ‘5 Eyes’ citizens.

I spy you spying on me spying on you
So if the ‘5 Eyes’ treaty doesn’t actually prevent spying, why would Angela Merkel be putting such an emphasis on extracting a ‘No Spy’ agreement out of the US by joining a pro-spying intelligence ring? Well, one reason Merkel might want to gain entry into the ‘5 Eyes’, a move that presumably entails a great deal of data-sharing with the ‘5 Eyes’ partners, is simply that Germany’s intelligence agencies are already in a club with the NSA and already sharing large volumes of data. And who doesn’t like an upgrade on their club membership status?

Portrait of the NSA: no detail too small in quest for total surveillance
The NSA gathers intelligence to keep America safe. But leaked documents reveal the NSA’s dark side – and show an agency intent on exploiting the digital revolution to the full

Ewen MacAskill and James Ball
The Observer, Saturday 2 November 2013 12.13 EDT

Barack Obama hailed United Nations secretary general Ban Ki-moon as a “good friend” after the two had sat down in the White House in April to discuss the issues of the day: Syria and alleged chemical weapons attacks, North Korea, Israel-Palestine, and climate change.

But long before Ban’s limousine had even passed through the White House gates for the meeting, the US government knew what the secretary general was going to talk about, courtesy of the world’s biggest eavesdropping organisation, the National Security Agency.

One NSA document – leaked to the Guardian by whistleblower Edward Snowden just a month after the meeting and reported in partnership with the New York Times – boasts how the spy agency had gained “access to UN secretary general talking points prior to meeting with Potus” (president of the United States). The White House declined to comment on whether Obama had read the talking points in advance of the meeting.

Spying on Ban and others at the UN is in contravention of international law, and the US, forced on the defensive this week over the Snowden leaks about worldwide snooping, ordered an end to surveillance of the organization, according to Reuters.

That the US spied on Ban is no great surprise. What is revealing is that the disclosure is listed in the NSA’s ‘top-secret’ weekly report from around the world as an “operational highlight”.

It sits incongruously alongside other “operational highlights” from that week: details of an alleged Iranian chemical weapons program; communications relating to an alleged chemical weapons attack in Syria and a report about the Mexican drug cartel Los Zetas.

Bracketing the benign, US-friendly Ban alongside drug traffickers and weapons in the Middle East and Central Asia points to a spy agency that has lost its sense of proportion.

The incident is consistent with the portrait of the NSA that emerges from the tens of thousands of documents leaked by Snowden. Page after page shows the NSA engaged in the kind of intelligence-gathering it would be expected to carry out: eavesdropping on Taliban insurgents planning attacks in remote Afghanistan valleys, or listening in on hostage-takers in Colombia.

But the documents reveal, too, the darker side of the NSA. It is indiscriminate in the information it is collecting. Nothing appears to be too small for the NSA. Nothing too trivial. Rivals, enemies, allies and friends – US citizens and ‘non-Americans’ – are all scooped up.

The documents show the NSA, intent on exploiting the communications revolution to the full, developing ever more intrusive programmes in pursuit of its ambition to have surveillance cover of the whole planet: total command of what the NSA refers to as the ‘digital battlefield’.

The 5-Eyes

The NSA operates in close co-operation with four other English-speaking countries – the UK, Canada, Australia and New Zealand – sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the ‘5-Eyes’.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan.

The exclusivity of the various coalitions grates with some, such as Germany, which is using the present controversy to seek an upgrade. Germany has long protested at its exclusion, not just from the elite 5-Eyes but even from 9-Eyes. Minutes from the UK intelligence agency GCHQ note: “The NSA’s relationship with the French was not as advanced as GCHQ’s … the Germans were a little grumpy at not being invited to join the 9-Eyes group”.

Significantly, amid the German protestations of outrage over US eavesdropping on Merkel and other Germans, Berlin is using the controversy as leverage for an upgrade to 5-Eyes.

Yes, Angela Merkel and the German government have “long protested at its exclusion, not just from the elite 5-Eyes but even from 9-Eyes”. So Germany isn’t just a second-tier partner in this global spying partnership, it’s actually a third-tier member, and a rather disgruntled one at that. And it’s a third-tier spying partner with top-tier spying ambitions:

Tech Dirt
Germany’s Spies Have NSA Envy: Currently Working To Build Their Own Comprehensive Snooping System
from the it’s-not-actually-a-competition dept
by Glyn Moody

Wed, Jun 19th 2013 11:08pm

One unfortunate knock-on effect of the revelations about the extent of NSA information gathering seems to be that the spies in other countries are starting to feel under-informed by comparison. Of course, many of them already knew about what was going on: in addition to the British and the Dutch, there are now reports that Germany was also kept informed at the highest levels (original in German.) That would probably explain the revelation by the news magazine Der Spiegel that Germany has been trying to beef up its own snooping capabilities for a while:

Last year, [Germany’s foreign intelligence agency] BND head Gerhard Schindler told the Confidential Committee of the German parliament, the Bundestag, about a secret program that, in his opinion, would make his agency a major international player. Schindler said the BND wanted to invest €100 million ($133 million) over the coming five years. The money is to finance up to 100 new jobs in the technical surveillance department, along with enhanced computing capacities.

Small beer compared to the NSA, but it’s a start. Der Spiegel’s article provides some details on how they do it in Germany:

The largest traffic control takes place in Frankfurt, in a data processing center owned by the Association of the German Internet Industry. Via this hub, the largest in Europe, e-mails, phone calls, Skype conversations and text messages flow from regions that interest the BND like Russia and Eastern Europe, along with crisis areas like Somalia, countries in the Middle East, and states like Pakistan and Afghanistan.

But the BND still has a long way to go before it attains NSA-like levels of snooping:

In contrast to the NSA, though, the German intelligence agency has been overwhelmed by this daunting wealth of information. Last year, it monitored just under 5 percent, roughly every 20th phone call, every 20th e-mail and every 20th Facebook exchange. In the year 2011, the BND used over 16,000 search words to fish in this data stream.

As in the US, the idea is that this targets foreigners:

German law allows the BND to monitor any form of communication that has a foreign element, be it a mobile phone conversation, a Facebook chat or an exchange via AOL Messenger. For the purposes of “strategic communications surveillance,” the foreign intelligence agency is allowed to copy and review 20 percent of this data traffic. There is even a regulation requiring German providers “to maintain a complete copy of the telecommunications.”

Here’s how the BND tries to achieve that:

If e-mail addresses surface that end in “.de” (for Germany), they have to be erased. The international dialing code for Germany, 0049, and IP addresses that were apparently given to customers in Germany also pass through the net.

Of course, as in the US, it doesn’t quite work out like that:

At first glance, it’s not evident where users live whose information is saved by Yahoo, Google or Apple. And how are the agencies supposed to spot a Taliban commander who has acquired an email address with German provider GMX? Meanwhile, the status of Facebook chats and conversations on Skype remains completely unclear.

Given this evident desire to create its own snooping apparatus, coupled with the fact that Germany has doubtless benefited from NSA spying, perhaps it’s no surprise the German government’s protests about its citizens being subject to extensive NSA surveillance have been muted….


I spy on you spying on me and now I’m pissed
Yes, protestations by the German government when the Snowden documents initially hit the news were indeed rather muted…at least before the hacking of Angela Merkel’s cell phone was made public. Now, it’s pretty clear that Germany’s government is very intent on changing how the spy games are played one way or another. Of course, changing how spy games are played in the age of global digital communications might actually change how global communications work too. It might also increase spying:

The Independent
Surveillance revelations: Angela Merkel proposes European network to beat spying by NSA and GCHQ

Tony Paterson
Berlin

Sunday 16 February 2014

Chancellor Angela Merkel of Germany has announced plans to set up a European communications network as part of a broad counter-espionage offensive designed to curb mass surveillance conducted by the US National Security Agency and its British counterpart, GCHQ.

The move is her government’s first tangible response to public and political indignation over NSA and GCHQ spying in Europe, which was exposed last October with revelations that the US had bugged Ms Merkel’s mobile phone and that MI6 operated a listening post from the British Embassy in Berlin.

Announcing the project in her weekly podcast, Ms Merkel said she envisaged setting up a European communications network which would offer protection from NSA surveillance by side-stepping the current arrangement whereby emails and other internet data automatically pass through the United States.

The NSA’s German phone and internet surveillance operation is reported to be one of the biggest in the EU. In co-operation with GCHQ it has direct access to undersea cables carrying transatlantic communications between Europe and the US.

Again, note that German intelligence works closely with the NSA on the surveillance of German phone and internet. It’s a theme these days.

Continuing…


Ms Merkel said she planned to discuss the project with the French President, François Hollande, when she meets him in Paris on Wednesday. “Above all we’ll talk about European providers that offer security to our citizens, so that one shouldn’t have to send emails and other information across the Atlantic,” she said. “Rather one could build up a communications network inside Europe.”

French government officials responded by saying Paris intended to “take up” the German initiative.

Ms Merkel’s proposals appear to be part of a wider German counter-espionage offensive, reported to be under way in several of Germany’s intelligence agencies, against NSA and GCHQ surveillance.

Der Spiegel magazine said on Sunday that it had obtained information about plans by Germany’s main domestic intelligence agency, the Federal Office for the Protection of the Constitution, for a “massive” increase in counter-espionage measures.

The magazine said there were plans to subject both the American and British Embassies in Berlin to surveillance. It said the measures would include obtaining exact details about intelligence agents who were accredited as diplomats, and information about the technology being used within the embassies.

Last year information provided by the whistleblower Edward Snowden revealed that US intelligence agents were able to bug Ms Merkel’s mobile phone from a listening post on the US Embassy roof. Investigations by The Independent subsequently revealed that GCHQ ran a similar listening post from the roof of the British Embassy in Berlin.

Intelligence experts say it is difficult if not impossible to control spying activities conducted from foreign embassies, not least because their diplomatic status means they are protected from the domestic legislation of the host country.

Der Spiegel said Germany’s military intelligence service, (MAD) was also considering stepping up surveillance of US and British spying activities. It said such a move would mark a significant break with previous counter-espionage practice which had focused on countries such as China, North Korea and Russia.

Germany’s counter-espionage drive comes after months of repeated and abortive attempts by its officials to reach a friendly “no spy” agreement with the US. Phillip Missfelder, a spokesman for Ms Merkel’s government, admitted recently that revelations about NSA spying had brought relations with Washington to their worst level since the US-led invasion of Iraq in 2003.

Yep, you read that right: Angela Merkel’s big plan for thwarting NSA and GCHQ spying is a dramatic escalation of German spying on the US and UK and walling off Europe’s internet. It’s certainly a gesture filled with symbolism, albeit confusing symbolism given the decades of extensive close intelligence cooperation between the US and Germany, but symbolism nonetheless. But will it be effective? Will potentially breaking the internet by walling it off actually obtain some degree of additional digital privacy for Europeans? Well, according to Bruno Kramm, a German ‘Pirate’ who presumably cares quite deeply about maximizing digital privacy protections, no, breaking the internet won’t actually help and will just make things worse:

RT
Merkel’s mirage: ‘This new old idea of a Schengen net is basically a step back’
Published time: February 17, 2014 14:50

The idea of the internet with borders means that national states will be able to put much more mass surveillance on their own people, Bruno Kramm from the Pirate Party told RT.

RT: What kind of future do you see for this proposal of Angela Merkel to create a pan-European communications network that would prevent private data from leaking across the Atlantic?

Bruno Kramm: Actually, for this proposal I don’t see any future. For me it’s just another symbol of the way how Chancellor Merkel is doing her politics. It’s symbolism, nothing else, especially when it comes to net politics, and when we look into the whole NSA affair, what happened recently about the mass surveillance, there had been no measurements at all, and no actions at all, and now she comes up with this new old idea of a Schengen net, what is basically a step back and nobody wants that and this will definitely not happen.

RT: It’s been revealed last summer that the US is spying on Europe. How come it took EU officials so long to go from anger to action?

BK: Actually, they are still not having any kind of action on the whole thing. Of course, they tried to play, to be a little bit more [active], because the people on the street are really angry about the mass surveillance. Why it takes so long, we have several reasons. First of all, it is that all the secret agencies, also in Germany, are doing massive surveillance on the people, on the privacy. There has been a breach of democracy rights long time ago, and therefore, they are just now trying to clean out what has happened so far and to find a new definition. But basically, actual measurements haven’t been done so far.

As we look back, there had been that wish of Merkel to start this kind of a no-spy agreement with the US. Of course, the US were not accepting that; it would have helped nothing, because when you have a no-spy agreement it doesn’t mean that for example some other state from the Five Eyes, these five countries who do mass surveillance, won’t then do the espionage, so basically this doesn’t help. What we need is a complete new law about data, security, and this needs to be implemented internationally. And in fact we have a good chance when we look at Transatlantic Trade and Investment Partnership (TTIP), we could start putting this into it right now.

RT: British and German intelligence agents have reportedly been collaborating with the NSA. If that cooperation remains, how would that affect the proposed European network?

BK: Well, basically as long as Tempora, this British espionage is going on, nothing would change, especially with this idea of Schengen net. But basically to explain why it is not working, to create these national networks is just quite simple. Today all the data flows constantly around the world, we work with big data, we need to do like this internet travel between many accounts, through all borders. So you cannot create a kind of a national network. In fact, it’s quite sad that the NSA especially with this whistleblowing leaks from Snowden, it helps at the moment most of the national states to think about an internet with borders. What this basically means is that they can put much more mass surveillance on their own people. We can see this in Russia, we can see this in China, we can see this most likely now as a try also in Europe. And basically this is really sad because that is a step-back from the great opportunities what the internet gives all the people in the world, when we start now putting borders around it. It doesn’t help us at all, it just helps states to better control their people.

As we have recently seen what a kind of infiltration ways the US and NSA have, starting from Malware starting to copying all kind of communications from cell phones, from smart phones, from WLAN routers, from everywhere, I think that this kind of measurement would not help at all. Just look at Germany, two of the big international mass surveillance stations of the NSA are right here in Germany.

RT: The proposal ultimately suggests fracturing the internet into independent zones. Would this change the World Wide Web as we know it?

BK: Of course, it would change it. In fact, in the last ITU conference there was a large discussion about fracturing the internet more and more, especially for states. If you look at the Far East, where [the countries] have much more control there over their people, over their citizens because they are afraid that some revolution like the Arab Spring could happen, they like to have more and more of these kinds of measurement. The sad story is that most of the software from this is developed inside Europe. In fact, we have a lot of programs on the European side, which help better to do this mass surveillance in the internet, which is fragmented in national states. And we, as a party, we fight really strictly against it because it means that the freedom which we all have voted for, the idea of the future which was put into the basic seed of the internet would be destroyed by a national totally controlled internet. And in fact, I don’t think that the people of the world would accept this. It is just at the moment we call it somehow that wet dream of some politicians, who like to have better control over their citizens but this, I hope, is over, and I think people in Europe would go to the street if something like this would happen.


Uh oh! So, at least according to this particular Pirate Party representative, Angela Merkel’s plan to wall off the European internet will not only do nothing to prevent foreign surveillance, but it might also cause a restructuring of the internet around a state-based borders paradigm that could make it even easier for governments to control and surveil their citizens. But at least he sounds quite confident that no such internet-balkanization plan will ever come to fruition.


So what’s an actual solution that can balance privacy and security? What does Edward Snowden have to say on these topics? Might strong cryptography that no one can break be the answer?

The Daily Beast
Edward Snowden: Not All Spying Is Bad
In an online Q&A, the fugitive leaker rejected a plea deal and issued some surprising statements on state surveillance.
01.24.14
Jacob Siegel

Edward Snowden may be under constant supervision in Russia, unable to return to the United States or travel freely, but the 30-year-old has never been more powerful.

President Obama’s announcement last Friday of reforms to the United States surveillance program was addressed to the American public but the speech was also an answer to Snowden. The former NSA contractor’s massive leak of classified intelligence documents set in motion the public debate about federal spying that led to the proposals in President Obama’s speech and the even more extensive overhauls recommended by an independent agency on Thursday.

Yesterday Snowden had his chance to respond, fielding selected questions sent by Twitter using the hashtag #AskSnowden.

Though Snowden gave some surprising answers, his exchange with the public was also notable for the questions he did not address, most notably the terms of his asylum or anything else to do with his hosts in Russia.

Here are the Five Biggest Revelations from Snowden’s Twitter Symposium:

He won’t take a plea deal to return to the U.S.

After the United States Attorney General Eric Holder rejected clemency but suggested the possibility of a plea deal yesterday, Snowden flatly ruled it out in a response to CNN’s Jake Tapper. Answering Tapper’s question, “Under what conditions would you agree to return to the U.S.?” Snowden stated that repatriation wasn’t possible due to the inadequacy of whistleblower protection laws in America, which he said would mean, “no chance to have a fair trial, and no way I can come home and make my case to a jury.”

“I never stole any passwords, nor did I trick an army of co-workers.”

Snowden denied reports that he had gained access to some of the classified files he leaked by tricking coworkers into giving up their passwords in order to access their accounts. This point is significant because, in Snowden’s telling, it was the daily exposure to evidence of surveillance overreach in the course of doing his own job that led to his disillusionment and inspired his breach. If it’s true that Snowden deceived co-workers to access their accounts, it suggests that he went out of his way to find documents rather than coming across them in the course of his routine work, as he’s said.

Not all spying is bad

Answering a question about the appropriate scope of the U.S. national security program and whether any spying is justified, Snowden said, “Not all spying is bad. The biggest problem we face right now is the new technique of indiscriminate mass surveillance, where governments are seizing billions and billions and billions of innocents’ communication every single day.” What Snowden didn’t address is the kind of spying that he considers legitimate. More on that later.

Most spooks are good people; it’s the one percent that’s out to get you

“People at the working level at the NSA, CIA, or any other member of the IC are not out to get you. They’re good people trying to do the right thing,” Snowden said before warning that “the people you need to watch out for are the unaccountable senior officials authorizing these unconstitutional programs.”

We need a world body to oversee surveillance programs

Snowden, who twice contributed money to Ron Paul’s election campaign, and is reported to have supported Paul’s call for a currency tied to the gold standard, seems highly out of step with the libertarian line on this one. How exactly a world body made up of states with competing interests and independent surveillance programs would agree to rules of spying is left a mystery, though Snowden does say that the key would be “the development of security standards that enforce our right to privacy not through law, but through science and technology.”

Woah!? Did uber-Libertarian Edward Snowden call for a global body to oversee global surveillance programs? That’s a disarmingly optimistic goal and yet kind of weird. How exactly would that work, since surveillance is not supposed to be detected? Will this world body have really powerful counter-espionage abilities and just operate everywhere to make sure no spying takes place? Will the UN get an ‘un-NSA’ to de-spy everything? Let’s take a closer look at Snowden’s ‘world body’ idea:

freesnowden.is

Live Q&A with Edward Snowden: Thursday 23rd January, 8pm GMT, 3pm EST

@mperkel #ASKSNOWDEN They say it’s a balance of privacy and safety. I think spying makes us less safe. do you agree?

Intelligence agencies do have a role to play, and the people at the working level at the NSA, CIA, or any other member of the IC are not out to get you. They’re good people trying to do the right thing, and I can tell you from personal experience that they were worried about the same things I was.

The people you need to watch out for are the unaccountable senior officials authorizing these unconstitutional programs, and unreliable mechanisms like the secret FISA court, a rubber-stamp authority that approves 99.97% of government requests (which denied only 11 requests out of 33,900 in 33 years http://www.motherjones.com/mojo/2013/06/fisa-court-nsa-spying-opinion-reject-request). They’re the ones that get us into trouble with the Constitution by letting us go too far.

And even the President now agrees our surveillance programs are going too far, gathering massive amounts of private records on ordinary Americans who have never been suspected of any crime. This violates our constitutional protection against unlawful searches and seizure. Collecting phone and email records for every American is a waste of money, time and human resources that could be better spent pursuing those the government has reason to suspect are a serious threat.

I’m going to stop here. My deepest thanks to everyone who sent questions, and whether or not we agree on where the lines should be drawn, I encourage you to contact your members of congress and tell them how you feel about mass surveillance. This is a global problem, and the first step to tackling it is by working together to fix it at home.

If you’d like more ideas on how to push back against unconstitutional surveillance, consider taking a look at the organizations working together to organize https://thedaywefightback.org/.

Note Snowden’s statement, “This is a global problem, and the first step to tackling it is by working together to fix it at home”. This is an important underlying tension at work in crafting policy solutions to the problems of mass surveillance. Like many global problems, mass surveillance in an age where technology increasingly enables mass-surveillance abuses is going to require some sort of ‘mass’ response: a global response made up of fixes at home. But as is also the case with many global problems, nations that unilaterally attempt to implement a solution (curtailing surveillance, in this instance) are potentially going to find themselves at a disadvantage if their neighbors don’t follow suit. Yes, global problems require global solutions, which is why so few global problems actually get solved.

Skipping down…

@LukasReuter #AskSnowden How should the community of states react to the new information concerning surveillance? What actions have to be made?

We need to work together to agree on a reasonable international norm for the limitations on spying. Nobody should be hacking critical-to-life infrastructure like hospitals and power stations, and it’s fair to say that can be recognized in international law.

Additionally, we need to recognize that national laws are not going to solve the problem of indiscriminate surveillance. A prohibition in Burundi isn’t going to stop the spies in Greenland. We need a global forum, and global funding, committed to the development of security standards that enforce our right to privacy not through law, but through science and technology. The easiest way to ensure a country’s communications are secure is to secure them world-wide, and that means better standards, better crypto, and better research.

@midwire How quickly can the NSA, et. al. decrypt AES messages with strong keys #AskSnowden Does encrypting our emails even work?

As I’ve said before, properly implemented strong encryption works. What you have to worry about are the endpoints. If someone can steal your keys (or the pre-encryption plaintext), no amount of cryptography will protect you.

However, that doesn’t mean end-to-end crypto is a lost cause. By combining robust endpoint security with transport security, people can have much greater confidence in their day to day communications.

@savagejen Do you think it is possible for our democracy to recover from the damage NSA spying has done to our liberties? #AskSnowden

Yes. What makes our country strong is our system of values, not a snapshot of the structure of our agencies or the framework of our laws. We can correct the laws, restrain the overreach of agencies, and hold the senior officials responsible for abusive programs to account.

Yes, we can “correct the laws, restrain the overreach of agencies, and hold the senior officials responsible for abusive programs to account” in the US. Hypothetically. And maybe even across Europe. But as Snowden pointed out above, ending mass surveillance is a global problem that requires a global political solution. But, of course, there’s nothing stopping a government from secretly spying even if it claims it isn’t, so technical solutions are also required if we really want to create a spy-free world. As Snowden put it:

A prohibition in Burundi isn’t going to stop the spies in Greenland. We need a global forum, and global funding, committed to the development of security standards that enforce our right to privacy not through law, but through science and technology. The easiest way to ensure a country’s communications are secure is to secure them world-wide, and that means better standards, better crypto, and better research.


Yes, we can hold as many ‘global forums’ as we want, but setting up global regulations on surveillance is kind of like trying to get governments to promise not to lie: how those rules would be enforced isn’t exactly obvious, especially given the secretive nature of spying. An easier, and much more effective, approach to thwarting spying would be to develop hardware, software, and encryption standards that are virtually unbreakable. For example, if agencies like the NSA didn’t find loopholes and exploits in our digital infrastructure for the purpose of spying, but instead found those vulnerabilities, informed the public and manufacturers about them, and helped fix them, we would actually have a much, much more secure internet. Everything could be truly encrypted. So we just need folks to develop strong encryption software tools and then fix up the backdoors in the hardware, and everyone can have strongly encrypted digital communications, right? Well, not quite. We already have strong encryption tools that no one can defeat. At least not that we know of. But it’s not an “if you build it, they will come” scenario…it’s more of an ‘ignorant chicken and apathetic egg’ scenario:

The Washington Post
NSA-proof encryption exists. Why doesn’t anyone use it?

By Timothy B. Lee
June 14, 2013 at 10:50 am

Computer programmers believe they know how to build cryptographic systems that are impossible for anyone, even the U.S. government, to crack. So why can the NSA read your e-mail?

Last week, leaks revealed that the Web sites most people use every day are sharing users’ private information with the government. Companies participating in the National Security Agency’s program, code-named PRISM, include Google, Facebook, Apple and Microsoft.

It wasn’t supposed to be this way. During the 1990s, a “cypherpunk” movement predicted that ubiquitous, user-friendly cryptographic software would make it impossible for governments to spy on ordinary users’ private communications.

The government seemed to believe this story, too. “The ability of just about everybody to encrypt their messages is rapidly outrunning our ability to decode them,” a U.S. intelligence official told U.S. News & World Report in 1995. The government classified cryptographic software as a munition, banning its export outside the United States. And it proposed requiring that cryptographic systems have “back doors” for government interception.

Make a mental note of the “cypherpunk” movement. Also note the US government’s concerns over encryption tools overtaking government’s code-breakers and the proposal to require “back doors”. We’re going to be returning to those topics a lot later.

Continuing…


The cypherpunks won that battle. By the end of the Clinton administration, the government conceded that the Internet had made it impossible to control the spread of strong cryptographic software. But more than a decade later, the cypherpunks seem to have lost the war. Software capable of withstanding NSA snooping is widely available, but hardly anyone uses it. Instead, we use Gmail, Skype, Facebook, AOL Instant Messenger and other applications whose data is reportedly accessible through PRISM.

And that’s not a coincidence: Adding strong encryption to the most popular Internet products would make them less useful, less profitable and less fun.

“Security is very rarely free,” says J. Alex Halderman, a computer science professor at the University of Michigan. “There are trade-offs between convenience and usability and security.”

Most people’s priority: Convenience

Consumers have overwhelmingly chosen convenience and usability. Mainstream communications tools are more user-friendly than their cryptographically secure competitors and have features that would be difficult to implement in an NSA-proof fashion.

And while most types of software get more user-friendly over time, user-friendly cryptography seems to be intrinsically difficult. Experts are not much closer to solving the problem today than they were two decades ago.

Ordinarily, the way companies make sophisticated software accessible to regular users is by performing complex, technical tasks on their behalf. The complexity of Google, Microsoft and Apple’s vast infrastructure is hidden behind the simple, polished interfaces of their Web and mobile apps. But delegating basic security decisions to a third party means giving it the ability to access your private content and share it with others, including the government.

Most modern online services do make use of encryption. Popular Web services such as Gmail and Hotmail support an encryption standard called SSL. If you visit a Web site and see a “lock” icon in the corner of your browser window, that means SSL encryption is enabled. But while this kind of encryption will protect users against ordinary bad guys, it’s useless against governments.

That’s because SSL only protects data moving between your device and the servers operated by Google, Apple or Microsoft. Those service providers have access to unencrypted copies of your data. So if the government suspects criminal behavior, it can compel tech companies to turn over private e-mails or Facebook posts.

That problem can be avoided with “end-to-end” encryption. In this scheme, messages are encrypted on the sender’s computer and decrypted on the recipient’s device. Intermediaries such as Google or Microsoft only see the encrypted version of the message, making it impossible for them to turn over copies to the government.

Software like that exists. One of the oldest is PGP, e-mail encryption software released in 1991. Others include OTR (for “off the record”), which enables secure instant messaging, and the Internet telephony apps Silent Circle and Redphone.

But it’s difficult to add new features to applications with end-to-end encryption. Take Gmail, for example. “If you wanted to prevent government snooping, you’d have to prevent Google’s servers from having a copy of the text of your messages,” Halderman says. “But that would make it much harder for Google to provide features like search over your messages.” Filtering spam also becomes difficult. And end-to-end encryption would also make it difficult for Google to make money on the service, since it couldn’t use the content of messages to target ads.

A similar point applies to Facebook. The company doesn’t just transmit information from one user to another. It automatically resizes users’ photos and allows them to “tag” themselves and their friends. Facebook filters the avalanche of posts generated by your friends to display the ones you are most likely to find the most interesting. And it indexes the information users post to make it searchable.

These features depend on Facebook’s servers having access to a person’s private data, and it would be difficult to implement them in a system based on end-to-end encryption. While computer scientists are working on techniques for creating more secure social-media sites, these techniques aren’t yet mature enough to support all of Facebook’s features or efficient enough to serve hundreds of millions of users.

Other user headaches

End-to-end encryption creates other headaches for users. Conventional online services offer mechanisms for people to reset lost passwords. These mechanisms work because Apple, Microsoft and other online service providers have access to unencrypted data.

In contrast, when a system has end-to-end encryption, losing a password is catastrophic; it means losing all data in the user’s account.

Also, encryption is effective only if you’re communicating with the party you think you’re communicating with. This security relies on keys — large numbers associated with particular people that make it possible to scramble a message on one end and decode it on the other. In a maneuver cryptographers call a “man in the middle” attack, a malicious party impersonates a message’s intended recipient and tricks the sender into using the wrong encryption key. To thwart this kind of attack, sender and recipient need a way to securely exchange and verify each other’s encryption keys.

“A key is supposed to be associated closely with a person, which means you want a person to be involved in creating their own key, and in verifying the keys of people they communicate with,” says Ed Felten, a computer scientist at Princeton University. “Those steps tend to be awkward and confusing.”

And even those who are willing to make the effort are likely to make mistakes that compromise security. The computer scientists Alma Whitten and J.D. Tygar explored these problems in a famous 1999 paper called “Why Johnny Can’t Encrypt.” They focused on PGP, which was (and still is) one of the most popular tools for users to send encrypted e-mail.

PGP “is not usable enough to provide effective security for most computer users,” the authors wrote.

Going with the flow

Felten argues that another barrier to adopting strong cryptography is a chicken-and-egg problem: It is only useful if you know other people are also using it. Even people who have gone to the trouble of setting up PGP still send most of their e-mail in plain text because most recipients don’t have the capability to receive encrypted e-mail. People tend to use what’s installed on their computer. So even those who have Redphone will make most of their calls with Skype because that’s what other people use.

Halderman isn’t optimistic that strong cryptography will catch on with ordinary users anytime soon. In recent years, the companies behind the most popular Web browsers have beefed up their cryptographic capabilities, which could make more secure online services possible. But the broader trend is that users are moving more and more data from their hard drives to cloud computing platforms, which makes data even more vulnerable to government snooping.

Strong cryptographic software is available to those who want to use it. Whistleblowers, dissidents, criminals and governments use it every day. But cryptographic software is too complex and confusing to reach a mass audience anytime soon. Most people simply aren’t willing to invest the time and effort required to ensure the NSA can’t read their e-mail or listen to their phone calls. And so for the masses, online privacy depends more on legal safeguards than technological wizardry.

The cypherpunks dreamed of a future where technology protected people from government spying. But end-to-end encryption doesn’t work well if people don’t understand it. And the glory of Google or Facebook, after all, is that anyone can use them without really knowing how they work.

Edward Snowden called for the use of “end-to-end crypto” to secure everyday communications in the question and answer session above:

“However, that doesn’t mean end-to-end crypto is a lost cause. By combining robust endpoint security with transport security, people can have much greater confidence in their day to day communications.”

But as we just saw, truly strong encryption requires a peer-to-peer implementation to remain truly strong. If Bob wants to send an email to Alice, they can both do so in a manner that no one should be able to thwart, but only if it’s only Bob and Alice setting up the encrypted communication. Once Bob and Alice start using a third-party service to handle these steps, that encryption is only as strong as the trustworthiness of that third party.

And then there’s the fact that an ever-growing list of cryptographic keys has to be safely stored by the individual, and if those keys are lost no one can ever get that data back. As Cryptolocker has been teaching a growing number of people, it kind of sucks when your data gets encrypted and you don’t have the keys.

And if you do end up managing to find a third party you trust to manage your strong NSA-proof encryption, that third party isn’t going to be able to provide any useful services with the encrypted information – things like spam filtering or text searching – while still maintaining the pretense of “strong encryption”. Although this might be changing. If you can find a way to convince yourself that Kim Dotcom is trustworthy, you might be able to use text-searchable, strongly encrypted email services that even the government can’t read:

ZDNet
Mega to fill secure email gap left by Lavabit

Summary: Kim Dotcom’s privacy company Mega prepares a ‘cutting-edge’ email encryption service.
By Rob O’Neill | August 11, 2013 — 06:40 GMT (23:40 PDT)

Kim Dotcom’s “privacy company” Mega is developing secure email services to run on its entirely non-US-based server network as intense pressure from US authorities forces other providers to close.

Last week, Lavabit, which counted NSA leaker Edward Snowden as a user, closed and Silent Circle closed its secure email service. Lavabit’s owner, Ladar Levison, said he was shutting it down to avoid becoming “complicit in crimes against the American people”.

Last week, Mega chief executive Vikram Kumar told ZDNet that the company was being asked to deliver secure email and voice services. In the wake of the closures, he expanded on his plans.

Kumar said work is in progress, building off the end-to-end encryption and contacts functionality already working for documents in Mega.

“The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side,” Kumar said.

“If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible, but very, very hard. That’s why even Silent Circle didn’t go there.”

A big issue is handling emails to and from non-encrypted contacts when Mega’s core proposition is end-to-end encryption, Kumar said.

“On this and other fronts, Mega is doing some hugely cutting-edge stuff,” he said. “There is probably no one in the world who takes the Mega approach of making true crypto work for the masses, our core proposition.”

Kumar said Mega is taking theoretic sounding technology such as Bloom filters, and making them work for the masses. Work is also under way to keep Mega secure, even if SSL/TLS is compromised.

“[It’s] exciting stuff, but very hard, so I think it will take months more to crack it,” he said. “But Mega will never launch anything that undermines its end-to-end encryption core security proposition and doesn’t work for the mythical grandmother.”

Meanwhile, Kim Dotcom has said that he may have to pull parts of Mega out of New Zealand if new surveillance legislation is passed into law.

Dotcom told TorrentFreak that the US government and the other Five Eyes partners, the UK, Canada, Australia, and New Zealand, are pushing new spy legislation to provide backdoors into internet services.

“The NZ government is currently aggressively looking to extend its powers with the GCSB [Government Computer Services Bureau] and the [Telecommunications Interception Capabilities] Act, which will force service providers with encryption capabilities to give them secret decryption access,” Dotcom said.

He added that it might force some relocation of Mega’s network to other jurisdictions, such as Iceland.

Dotcom explained that by design, Mega doesn’t hold decryption keys to customer accounts and “never will”.

Lavabit’s Levison said: “This experience has taught me one very important lesson: Without congressional action or a strong judicial precedent, I would — strongly — recommend against anyone trusting their private data to a company with physical ties to the United States.”

So there might indeed be true “end-to-end” encryption that even the NSA can’t break coming to the masses for services like email that, for the first time, actually include features like text searching. And it would also overcome a key hurdle: getting everyone to use the same strong encryption tool. It doesn’t sound like it will be easy, but it’s possible.

Kim Dotcom’s new plans are also a reminder that “end-to-end” encryption is only as good as the “ends”. In this case, it sounds like the plans for incorporating real service functionality, like searching, are all going to happen on the “client-side” (the user’s own computer), so if the end user’s computer is hacked, the emails are still being read by the NSA or anyone else with access to the system. Encryption inherently complicates using and processing information. It’s not just a balance of privacy vs. security. It’s also a balance of privacy vs. utility. This is part of why the entire global discussion about this whole slew of topics is such a mess: it’s inherently complicated. There are issues of access to data (like Germany’s plans to balkanize the internet and encourage domestic internet service providers), issues about whether or not you can do anything with the data even if you get your hands on it (encryption and government/private backdoors), and partly something that encryption can’t do anything about: bugs in hardware and software design that inevitably pop up and can be exploited by anyone. And then there’s the realpolitik and whether or not governments should have the right to spy on one another at all.
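To make concrete what Kumar means by building search client-side with Bloom filters, here is an added illustration (not Mega’s code; the article does not describe Mega’s actual design): the client maps each word to Bloom-filter positions with an HMAC under a secret search key and uploads the filter beside the ciphertext, so the server can run a query it cannot interpret, and the client decrypts the candidates locally to discard the filter’s false positives. The key values, the three sample messages, the filter size and the XOR stand-in cipher are all constructed for the example.

```python
"""Client-side searchable index for end-to-end encrypted mail (added
illustration, not Mega's code).  The server stores ciphertext plus a
keyed Bloom filter per message and never holds either key."""
import hashlib
import hmac
import re

FILTER_BITS = 2048  # bits per message filter (constructed size)
NUM_HASHES = 4      # filter positions per word


def tokenize(text: str) -> set[str]:
    """Lower-cased word set of a message body (deliberately simple)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def keyed_positions(search_key: bytes, word: str) -> list[int]:
    """Filter positions for a word.  HMAC keeps the word->positions mapping
    secret, so the server cannot precompute positions for a dictionary."""
    positions = []
    for i in range(NUM_HASHES):
        mac = hmac.new(search_key, f"{i}:{word}".encode(), hashlib.sha256)
        positions.append(int.from_bytes(mac.digest()[:4], "big") % FILTER_BITS)
    return positions


def build_filter(search_key: bytes, body: str) -> bytes:
    """Bloom filter over every word of the body, computed on the client."""
    bits = bytearray(FILTER_BITS // 8)
    for word in tokenize(body):
        for pos in keyed_positions(search_key, word):
            bits[pos // 8] |= 1 << (pos % 8)
    return bytes(bits)


def filter_may_contain(bloom: bytes, trapdoor: list[int]) -> bool:
    """Server-side check: all positions set means a *possible* match.
    Bloom filters give no false negatives but can give false positives."""
    return all(bloom[p // 8] & (1 << (p % 8)) for p in trapdoor)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real authenticated cipher, used only so the stored
    body is opaque to the server in this example.  Not for production."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class MailServer:
    """Stores ciphertext and filters only; holds neither key."""

    def __init__(self) -> None:
        self.messages = {}  # msg_id -> (ciphertext, bloom filter)

    def store(self, msg_id: str, ciphertext: bytes, bloom: bytes) -> None:
        self.messages[msg_id] = (ciphertext, bloom)

    def candidates(self, trapdoor: list[int]) -> list[str]:
        # The server still learns which messages matched this opaque query
        # (an access pattern), even though it never learns the word itself.
        return [mid for mid, (_, bloom) in self.messages.items()
                if filter_may_contain(bloom, trapdoor)]

    def fetch(self, msg_id: str) -> bytes:
        return self.messages[msg_id][0]


class MailClient:
    """Owns both keys; every plaintext operation happens here."""

    def __init__(self, server: MailServer, enc_key: bytes, search_key: bytes):
        self.server, self.enc_key, self.search_key = server, enc_key, search_key

    def send(self, msg_id: str, body: str) -> None:
        self.server.store(msg_id,
                          xor_stream(self.enc_key, body.encode()),
                          build_filter(self.search_key, body))

    def search(self, word: str) -> list[str]:
        """Fetch candidates from the server, then decrypt locally to drop
        Bloom-filter false positives before showing results."""
        trapdoor = keyed_positions(self.search_key, word.lower())
        confirmed = []
        for mid in self.server.candidates(trapdoor):
            plain = xor_stream(self.enc_key, self.server.fetch(mid)).decode()
            if word.lower() in tokenize(plain):
                confirmed.append(mid)
        return sorted(confirmed)


def demo() -> list[str]:
    """Constructed three-message mailbox; returns the ids matching 'invoice'."""
    server = MailServer()
    client = MailClient(server, b"constructed-enc-key", b"constructed-search-key")
    client.send("m1", "Please find the invoice for March attached.")
    client.send("m2", "Lunch on Friday?")
    client.send("m3", "Second reminder: the invoice is overdue.")
    return client.search("invoice")  # returns ['m1', 'm3']
```

Note that the server cannot read the mail or the query term, but it does see which stored filters a given trapdoor hits, and a repeated trapdoor is recognisable as the same search; that leakage is what the “very, very hard” part of doing this properly is about.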


Jacob Appelbaum’s anti-NSA
But it’s never really been about the right of the average person to have plug-and-play access to fully encrypted digital technology that is beyond the reach of all third parties, public or private, because in order to protect average people, you’d have to see governments working to basically prevent themselves from being able to spy on any digital communication at all. Imagine the NSA working to stop all of the tricks and vulnerabilities it finds.

That’s actually one of the solutions recommended by one of the key figures in the Snowden affair, Jacob Appelbaum. Appelbaum, a cyber-anarchist member of Wikileaks and the creator of Tor, first interacted with Edward Snowden when he was used by Laura Poitras to verify Snowden’s technical expertise in mid-May of 2013 (although questions about that timeline have been raised). Appelbaum brought up the topic of encrypting everything and even getting the NSA to publicly announce and help fix all the exploits it finds during his recent presentation on advanced NSA surveillance at the 2013 Chaos Communication Congress. Turn the NSA into the anti-NSA. The entire presentation is available here. It’s just over an hour long and worth watching. The transcript of the entire talk is also available here:

Naked Capitalism
Transcript: Jacob Appelbaum at 30c3: To Protect And Infect, The Militarization of the Internet
Posted on January 5, 2014 by Lambert Strether

Lambert here: A few days ago, Yves posted on Jacob Appelbaum’s talk on the NSA at 30c3 computing conference, and said:

You must watch this talk, even if some parts are a bit technical for mere mortals. No matter how bad you think the NSA’s information surveillance and capture is, I can just about guarantee that this will show you that it’s an order of magnitude worse than you imagined.

This post is a transcript of Appelbaum’s talk, including the 50-odd slides, and some reference material from Der Spiegel. Note that if you click on a slide, you are taken to the point in Appelbaum’s talk where the slide appears. (For more information on the slides, see “Notes on transcript slides” at the end of the transcript.)

By the transcriber, with editorial assistance from Cujo359, flora, hipparchia, jcasey, panicboy, weldon, and an unknown individual who threw their own transcript over the transom, at Corrente.

30c3: To Protect And Infect, Part 2 The militarization of the Internet

YouTube published on Dec 30, 2013 by: Jacob “@ioerror” Applebaum

Audio file on Soundcloud

The Transcript

Act One

Jacob Appelbaum: So recently we heard a little bit about some of the low-end corporate spying that’s often billed as being sort of like the hottest, most important stuff, so the FinFisher, the Hacking Team, the VUPEN and sort of in that order it becomes more sophisticated and more and more tied in with the National Security Agency. There are some Freedom of Information Act requests that have gone out that actually show VUPEN being an NSA contractor, writing exploits, that there are some ties there.

Skipping down to ~17 minutes into the talk…


This is a Close Access Operations box. It is basically car metasploit for the NSA, which is an interesting thing. But basically they say that the attack is undetectable, and it’s sadly a laptop running free software. It is injecting packets. And they say that they can do this from as far away as eight miles to inject packets, so presumably using this they’re able to exploit a kernel vulnerability of some kind, parsing the wireless frames, and, yeah. I’ve heard that they actually put this hardware, from sources inside of the NSA and inside of other intelligence agencies, that they actually put this type of hardware on drones so that they fly them over areas that they’re interested in and they do mass exploitation of people.

Now, we don’t have a document that substantiates that part, but we do have this document that actually claims that they’ve done it from up to eight miles away.

So that’s a really interesting thing because it tells us that they understand that common wireless cards, probably running Microsoft Windows, which is an American company, that they know about vulnerabilities and they keep them a secret to use them. This is part of a constant theme of sabotaging and undermining American companies and American ingenuity. As an American, while generally not a nationalist, I find this disgusting, especially as someone who writes free software and would like my tax dollars to be spent on improving these things, and when they know about them I don’t want them to keep them a secret because all of us are vulnerable. It’s a really scary thing.

Skipping down to ~25 minutes into the talk…

So this is important, because members of the U.S. Congress, they have no clue about these things. Literally, in the case of the technology. Ask a Congressman about TCP/IP. Forget it. You can’t even get a meeting with them. I’ve tried. Doesn’t matter. Even if you know the secret interpretation of Section 215 of the PATRIOT Act and you go to Washington, D.C. and you meet with their aides, they still won’t talk to you about it. Part of that is because they don’t have a clue, and another part of it is because they can’t talk about it because they don’t have a political solution. Absent a political solution, it’s very difficult to get someone to admit that there is a problem.

Well, there is a problem, so we’re going to create a political problem and also talk about some of the solutions.

The Cypherpunks generally have come up with some of the solutions when we talk about encrypting the entire internet. That would end dragnet mass surveillance in a sense, but it will come back in a different sense even with encryption. We need both a marriage of a technical solution and we need a political solution to go with it, and if we don’t have those two things, we will unfortunately be stuck here.

But at the moment the NSA, basically, I feel, has more power than anyone in the entire world – any one agency or any one person. So Emperor Alexander, the head of the NSA, really has a lot of power. If they want to right now, they’ll know that the IMEI of this phone is interesting. It’s very warm, which is another funny thing, and they would be able to break into this phone almost certainly and then turn on the microphone, and all without a court.

And, finally, skipping down to ~50 minutes into the talk…


Here’s a hardware back door which uses the I2C interface because no one in the history of time other than the NSA probably has ever used it. That’s good to know that finally someone uses I2C for something – okay, other than fan control. But, look at that. It’s another American company that they are sabotaging. They understand that HP’s servers are vulnerable and they decided, instead of explaining that this is a problem, they exploit it. And IRONCHEF, through interdiction, is one of the ways that they will do that.

So I want to really harp on this. Now it’s not that I think European companies are worth less. I suspect especially after this talk that won’t be true, in the literal stock sense, but I don’t know. I think it’s really important to understand that they are sabotaging American companies because of the so-called home-field advantage. The problem is that as an American who writes software, who wants to build hardware devices, this really chills my expression and it also gives me a problem, which is that people say, “Why would I use what you’re doing? You know, what about the NSA?” Man, that really bothers me. I don’t deserve the Huawei taint, and the NSA gives it. And President Obama’s own advisory board that was convened to understand the scope of these things has even agreed with me about this point, that this should not be taking place, that hoarding of zero-day exploits cannot simply happen without thought processes that are reasonable and rational and have an economic and social valuing where we really think about the broad-scale impact.

As Jacob Appelbaum and Edward Snowden both acknowledge, dramatically raising encryption standards would go a long way towards curtailing spying, but even perfect encryption wouldn’t stop surveillance because there are all sorts of other ways to gain access to the data once it’s decrypted on your computer. Mass dragnet-style spying could, at least in theory, be heavily curtailed if spy agencies actually set out to pre-emptively close off the vulnerabilities they find, but encrypting the internet on its own won’t stop the Spywarepocalypse.

Now, take a moment and imagine a scenario where the public in every nation demands that their spy agencies publicly announce any secret backdoors those agencies find. It’s a political solution that forces the implementation of a technical solution to the problem of spying, one that intelligence agencies probably aren’t inclined to implement on their own. It’s also one heck of a political solution to the problem of state surveillance abuses because it entails nations intentionally defanging their ability to know what’s going on in the world. But it’s a useful possibility to imagine because it highlights the fact that, should we ever achieve a world without want, need, poverty, extremism, ecological collapse and all the other factors that lead to major conflicts, we could actually create a world where there’s no need to spy and no need to fear embracing the anti-spy agency. Now take another moment and compare that vision of a world without want, need, poverty, extremism, ecological collapse and all the other factors that lead to major conflicts to the world we live in. It’s a reminder that meaningful guarantees of privacy for the public at large can’t easily be separated from world peace and prosperity in the modern age.

Weaponized privacy?
But what if some countries aren’t willing to turn their spy agencies into anti-spy agencies and aren’t willing to stop “sabotaging” their domestic software, either by refusing to inform the public of exploits their agencies find or even by forcing the inclusion of secret backdoors? There is one thing that could prevent the proliferation of spyware and backdoor exploits: labeling companies like Microsoft that work with governments to set up secret backdoors as saboteurs and just no longer using that software. Just boycott all software developed in countries with governments that mandate backdoors and never use any web services from companies operating in those countries. That would work. After all, Appelbaum notes, why would people want to buy software developed in the US when everyone knows the NSA can hack it?

These are valid questions to be asking, but the idea of turning the NSA into an anti-spying agency raises a number of questions that don’t get asked enough. For instance, let’s imagine a hypothetical country that was very intent on securing all of its communications from external and internal surveillance. Let’s call this country Jermanee. What if Jermanee developed and sold virtually unhackable hardware and software that was made extra-secure with the help of Jermanee’s intelligence services? And what if this software was sold all over the world as a safe, secure alternative to global competitors and was user-friendly enough to really catch on for mainstream use and overcome the “chicken and egg” problem currently facing strong encryption? No one can spy on anyone, at least not on their digital communications, if they’re using these hardware and software platforms. Governments can’t spy on their citizens’ digital communications or on other governments. Hackers effectively become obsolete. And, simultaneously, no one can censor anyone either. People could, in theory, swap whatever content they want safely and anonymously even under repressive regimes as long as they can obtain this super-hardware and software. And this security would be government-backed, at least to the best abilities of Jermanee’s government services.

That sort of describes a dream scenario, right? Well, it does sound really nice, but it raises questions. Questions like: what happens when there are forms of digital content that are genuinely harmful, that we’d actually really like to censor because it’s just devastating to individuals if it isn’t somehow interdicted and censored, after we’ve encrypted the internet? What happens when we’ve established infrastructure that makes it effectively impossible to know who is sending what to whom, or to gain legal access to that data, when legitimate law enforcement or national security operations are underway? What are the implications of that kind of choice in technology and what are our options at that point in dealing with harmful digital content?

The answers to these questions aren’t at all obvious but that didn’t stop Jacob Appelbaum, Julian Assange, and two of their cypherpunk peers from addressing many of these questions in their book Cypherpunks: Freedom and the Future of the Internet. As mentioned above, the Cypherpunks and affiliated anarchists have been fixated on these issues for decades. That’s partly because it was the early cypherpunk community of the early 90’s that was helping to ensure strong encryption tools were going to be available to the public at all:

The Verge
Cypherpunk rising: WikiLeaks, encryption, and the coming surveillance dystopia

By R. U. Sirius on March 7, 2013 10:32 am

In 1989, when the internet was predominantly ASCII-based and HyperCard had yet to give birth (or at least act as a midwife) to the world wide web, R.U. Sirius launched Mondo 2000. “I’d say it was arguably the representative underground magazine of its pre-web day,” William Gibson said in a recent interview. “Posterity, looking at this, should also consider Mondo 2000 as a focus of something that was happening.”

Twenty years ago, it was cypherpunk that was happening.

And it’s happening again today.

Early cypherpunk in fact and fiction
Cypherpunk was both an exciting new vision for social change and a fun subculture dedicated to making it happen

Flashback: Berkeley, California 1992. I pick up the ringing phone. My writing partner, St. Jude Milhon, is shouting down the line: “I’ve got it! Cypherpunk!”

Jude was an excitable girl and she was particularly excitable when there was a new boyfriend involved. She’d been raving about Eric Hughes for days. I paid no attention.

At the time, Jude and I were contracted to write a novel titled How to Mutate and Take Over the World. I wanted the fiction to contain the truth. I wanted to tell people how creative hackers could do it — mutate and take over the world — by the end of the decade. Not knowing many of those details ourselves, we threw down a challenge on various hacker boards and in the places where extropians gathered to share their superhuman fantasies. “Take on a character,” we said, “and let that character mutate and/or take over.” The results were vague and unsatisfying. These early transhumanists didn’t actually know how to mutate, and the hackers couldn’t actually take over the world. It seemed that we were asking for too much too soon.

And so I wound up there, holding the phone away from my ear as Jude shouted out the solution, at least to the “taking over” part of our problem. Strong encryption, she explained, will sever all the ties binding us to hostile states and other institutions. Encryption will level the playing field, protecting even the least of us from government interference. It will liberate pretty much everything, toute de suite. The cypherpunks would make this happen.

For Jude, cypherpunk was both an exciting new vision for social change and a fun subculture dedicated to making it happen. Sure, I was skeptical. But I was also desperate for something to hang the plot of our book on. A few days later I found myself at the feet of Eric Hughes — who, along with John Gilmore and Tim May, is considered one of the founders of the cypherpunk movement — getting the total download.

This was my first exposure to “The Crypto Anarchist Manifesto.” Written by Tim May, it opens by mimicking The Communist Manifesto: “A specter is haunting the modern world, the specter of crypto anarchy.” In a fit of hyperbole that perfectly foreshadowed the mood of tech culture in the 1990s — from my own Mondo 2000 to the “long boom” of digital capitalism — May declared that encrypted communication and anonymity online would “alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret.” The result would be nothing less than “both a social and economic revolution.”

Just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property.

Those words were written way back in 1988. By 1993, a bunch of crypto freaks were gathering fairly regularly in the San Francisco Bay Area. In his lengthy Wired cover story, Steven Levy would describe them as mostly “having beards and long hair — like Smith Brothers [cough drops] gone digital.” Their antics would become legendary.

John Gilmore set off a firestorm by sharing classified documents on cryptography that a friend of his had found in public libraries (they had previously been declassified). The NSA threatened Gilmore with a charge of violating the Espionage Act, but after he responded with publicity and his own legal threats, the NSA — probably recognizing in Gilmore a well-connected dissident who they couldn’t intimidate — backed down and once again declassified the documents.

Phil Zimmermann’s PGP (Pretty Good Privacy) software was being circulated largely thanks to cypherpunk enthusiasts. According to Tim May’s Cyphernomicon, PGP was “the most important crypto tool” available at the time, “having single-handedly spread public key methods around the world.” It was available free of charge for non-commercial users, and complete source code was included with all copies. Most importantly, May wrote, “almost no understanding of how PGP works in detail is needed,” so anyone could use its encryption to securely send data over the net.

In April 1993, the Clinton administration announced its encryption policy initiative. The Clipper Chip was an NSA-developed encryption chipset for “secure” voice communication (the government would have a key for every chip manufactured). “Not to worry,” Phil Zimmermann cuttingly wrote in an essay about PGP. “The government promises that they will use these keys to read your traffic only ‘when duly authorized by law.’” Not that anyone believed the promises. “To make Clipper completely effective,” Zimmermann continued, “the next logical step would be to outlaw other forms of cryptography.” This threat brought cypherpunks to the oppositional front lines in one of the early struggles over Internet rights, eventually defeating government plans.

The Clipper Chip is a piece of history that deserves extra attention these days because it’s pretty much the 1993-94 analogue to today’s debate over whether or not anything or everything should be mandatorily hackable for law enforcement purposes. Would intimidating transparency – like the public enforcement of a “Clipper Chip” in everyone’s communication device – be a catalyst for improving surveillance oversight and reforming the legal system? This is where parallel universes would be handy. We’re going to be returning to the topic of the Clipper Chip.

Continuing…

John Gilmore summed up the accomplishments of the cypherpunks in a recent email: “We did reshape the world,” he wrote. “We broke encryption loose from government control in the commercial and free software world, in a big way. We built solid encryption and both circumvented and changed the corrupt US legal regime so that strong encryption could be developed by anyone worldwide and deployed by anyone worldwide,” including WikiLeaks.

As the 1990s rolled forward, many cypherpunks went to work for the man, bringing strong crypto to financial services and banks (on the whole, probably better than the alternative). Still, crypto-activism continued and the cypherpunk mailing list blossomed as an exchange for both practical encryption data and spirited, sometimes-gleeful argumentation, before finally peaking in 1997. This was when cypherpunk’s mindshare seemed to recede, possibly in proportion to the utopian effervescence of the early cyberculture. But the cypherpunk meme may now be finding a sort of rebirth in one of the biggest and most important stories in the fledgeling 21st century.

I am annoyed
This is beginning to sound very much like a dystopian fantasy

Flashback: 1995. Julian Assange’s first words on the cypherpunk email list: “I am annoyed.”

Of course, Julian Assange has gone on to annoy powerful players all over the world as the legendary fugitive editor-in-chief and spokesperson for WikiLeaks, publisher of secret information, news leaks, and classified media from anonymous sources. And while the mass media world has tracked nearly every aspect of Assange’s personal drama, it’s done very little to increase people’s understanding of WikiLeaks’ underlying technologies or the principles those technologies embody.

In the recent book Cypherpunks: Freedom and the Future of the Internet, Assange enlists the help of three fellow heroes of free information to set the record straight, aligning those principles with the ideas that Tim May dreamed up in 1989 with “The Crypto Anarchist Manifesto.”

Note that the ideology of Tim May, godfather of the cypherpunks, is discussed quite a bit in Robert Manne’s 2011 article The Cypherpunk Revolutionary – Julian Assange. Quite the optimist, May “thought the state to be the source of evil in history. He envisaged the future as an Ayn Rand utopia of autonomous individuals dealing with each other as they pleased. Before this future arrived, he advocated tax avoidance, insider trading, money laundering, markets for information of all kinds, including military secrets, and what he called assassination markets not only for those who broke contracts or committed serious crime but also for state officials and the politicians he called “Congressrodents”. He recognised that in his future world only elites with control over technology would prosper. No doubt “the clueless 95%” – whom he described as “inner city breeders” and as “the unproductive, the halt and the lame” – “would suffer, but that is only just”. May acknowledged that many cypherpunks would regard these ideas as extreme.”

Continuing…


The book is based on a series of conversations filmed for the television show The World Tomorrow while Assange was on house arrest in Norfolk, England during all of 2011. Attending were Jacob Appelbaum, the American advocate and researcher for the Tor project who has been in the sights of US authorities since substituting as a speaker for Assange at a US hackers conference; Andy Müller-Maguhn, one of the earliest members of the legendary Chaos Computer Club; and Jérémie Zimmerman, a French advocate for internet anonymity and freedom.

The conversation is sobering. If 1990s cypherpunk, like the broader tech culture that it was immersed in, was a little bit giddy with its potential to change the world, contemporary cypherpunk finds itself on the verge of what Assange calls “a postmodern surveillance dystopia, from which escape for all but the most skilled individuals will be impossible.”

How did we get here? The obvious political answer is 9/11. The event provided an opportunity for a vast expansion of national security states both here and abroad, including, of course, a diminution of protections against surveillance. The legalities involved in the US are a confusing and ever-shifting set of rules that are under constant legal contestation in the courts. Whatever the letter of the law, a September 2012 ACLU bulletin gave us the essence of the situation:

Justice Department documents released today by the ACLU reveal that federal law enforcement agencies are increasingly monitoring Americans’ electronic communications, and doing so without warrants, sufficient oversight, or meaningful accountability.

The documents, handed over by the government only after months of litigation, are the attorney general’s 2010 and 2011 reports on the use of “pen register” and “trap and trace” surveillance powers. The reports show a dramatic increase in the use of these surveillance tools, which are used to gather information about telephone, email, and other Internet communications. The revelations underscore the importance of regulating and overseeing the government’s surveillance power.

“In fact,” the report continues, “more people were subjected to pen register and trap and trace surveillance in the past two years than in the entire previous decade.”

Beyond the political and legal powers vested in the US intelligence community and in others around the world, there is the very real fact that technology once only accessible to the world’s superpowers is now commercially available. One example documented on WikiLeaks (and discussed in Cypherpunks) is the Zebra strategic surveillance system sold by VASTech. For $10 million, the South African company will sell you a turnkey system that can intercept all communications in a middle-sized country. A similar system called Eagle was used in Gadhafi’s Libya, as first reported by The Wall Street Journal in 2011. Sold by the French company Amesys, this is a commercial product, right down to the label on the box: “Nationwide Intercept System.” In the face of systems designed to scoop up all electronic communication and store it indefinitely, any showcase civil libertarian exceptions written into the surveillance laws are meaningless. But the threat isn’t limited to the surveillance state. There are more than a few self-interested financial players with $10 million lying around, many of whom would love to track all the private data in a several thousand mile radius.

All of this is beginning to sound very much like a dystopian fantasy from cyberpunk science fiction.
Total surveillance

If, in 1995, some cypherpunks had published a book about the upcoming “postmodern surveillance dystopia,” most commentators would have shrugged it off as just a wee bit paranoid and ushered them into the Philip K. Dick Reading Room. Now, it is more likely that people will shrug and say, “that ship has already sailed.”

David Brin seems to think so. The author of The Transparent Society is well known for his skepticism regarding the likelihood of maintaining most types of privacy as well as his relative cheerfulness in the face of near universal transparency. In an email, I asked him about the cypherpunk ethic, as expressed by Julian Assange: “privacy for the weak and transparency for the powerful.”

Brin’s response was scathing. The ethic, he says, is “already enshrined in law. A meek normal person can sue for invasion of privacy, a prominent person may not.” He’s just getting started:

But at a deeper level it is simply stupid. Any loophole in transparency ‘to protect the meek’ can far better be exploited by the mighty than by the meek. Their shills, lawyers and factotums will (1) ensure that ‘privacy protections’ have big options for the mighty and (2) that those options will be maximally exploited. Moreover (3) as I show in The Transparent Society, encryption-based ‘privacy’ is the weakest version of all. The meek can never verify that their bought algorithm and service is working as promised, or isn’t a bought-out front for the NSA or a criminal gang.

Above all, protecting the weak or meek with shadows and cutouts and privacy laws is like setting up Potemkin villages, designed to create surface illusions. Anyone who believes they can blind society’s elites — of government, commerce, wealth, criminality and tech-geekery — is a fool…

In other words, cypherpunk may be doing a disservice by spreading the illusion of freedom from surveillance.

I posed a similar question to Adrian Lamo, who reported Bradley Manning to federal authorities. Not surprisingly, Lamo is even more cynical.

“Privacy is quite dead,” he responded to me in an email. “That people still worship at its corpse doesn’t change that. In [the unreleased documentary] Hackers Wanted I gave out my SSN, and I’ve never had cause to regret that. Anyone could get it trivially. The biggest threat to our privacy is our own limited understanding of how little privacy we truly have.”

In Cypherpunks, Assange raises an essential point that at least partly refutes this skepticism: “The universe believes in encryption. It is easier to encrypt information than it is to decrypt it.” And while Appelbaum admits that even strong encryption can’t last forever, saying, “We’re probably not using one hundred year (safe) crypto,” he implies that pretty good privacy that lasts a pretty long time is far better than no privacy at all.

Assuming that some degree of privacy is still possible, most people don’t seem to think it’s worth the effort. The cypherpunks and their ilk fought to keep things like the PGP encryption program legal — and we don’t use them. We know Facebook and Google leak our personal online habits like a sieve and we don’t make much effort to cover our tracks. Perhaps some of us buy the good citizen cliché that if you’re not doing anything wrong, you don’t have anything to worry about, but most of us are just opting for convenience. We’ve got enough to deal with day to day without engaging in a privacy regimen. Occasionally, some slacker may lose his job because he posted a photo of himself cradling his bong or the like, but as with civil liberties more generally, as long as the daily outrages against individuals don’t reach epic proportions, we rubberneck in horror and then return to our daily activities.

Beneath this complacent surface lies a disquieting and mostly unexamined question. To what degree is the ubiquity of state surveillance a form of intimidation, a way to keep people away from social movements or from directly communicating their views?

Do you hesitate before liking WikiLeaks on Facebook?

As Jacob Appelbaum said, “we’re probably not using one hundred year (safe) crypto” (i.e. encryption so strong that it would take the computers of 100 years from now to decrypt it), but pretty good privacy that lasts a pretty long time is far better than no privacy at all. And that’s certainly true under most circumstances. But what about the Cypherpunk proposals to “encrypt the internet”? Appelbaum pointed out in his Chaos Communication Congress talk that encrypting the internet (and just generally maximizing encryption standards) cannot thwart all spying, and that a political component is necessary because future exploits can always be found as long as you have agencies with vast resources dedicated to learning how to spy more effectively. In other words, the public needs to demand the political reforms that basically turn spy agencies into anti-spy agencies. A sort of ‘no-spy’ agreement for everyone.

The Cypherpunks and The Four Horsemen of the Infopocalypse
But if we do embrace strong encryption for the masses – making it the default setting for hardware and software – what about the kind of stuff Tim May was advocating that could be enabled with an unhackable digital infrastructure? Stuff like “insider trading, money laundering, markets for information of all kinds, including military secrets, and what he called assassination markets not only for those who broke contracts or committed serious crime but also for state officials and the politicians he called ‘Congressrodents’.” How do we balance the need for privacy with the need not to have truly anonymous assassination markets? And what happens if an assassination market operating in Country A is successfully used against politicians in Countries B and C? Is that an act of war if Country A’s laws specifically protect the assassination markets? And what about child pornography? Is it just open season at that point?

Well, we get quite a few answers in Cypherpunks: Freedom and the Future of the Internet. The entire four-way conversation was filmed and is available online (the book is basically a transcript of the conversation). The uncut version is broken up into two parts (part 1 and part 2) and it gives us an idea of what kind of sacrifices have to be made by a society that embraces strong encryption. The whole thing is about 3 1/2 hours long and it’s certainly worth viewing. Many of the questions asked during those 3 1/2 hours are important issues that society should have been asking itself years ago. And as you’ll find out when you hear their answers to these difficult questions, privacy isn’t free.

For example, jump to ~31 minutes into part 1 and you’ll hear a discussion about the balance between the need for privacy and legitimate law enforcement needs. Keep listening for the next 5 minutes or so. At ~34 minutes Julian Assange interjects that, in theory, a society could have the technological infrastructure that allows mass surveillance and still restrain its use through policy, but, in practice, such a system would be so technologically complex that there is no way any society could restrain abuse through policies. In other words, policy solutions might be nice in theory but are impossible in practice. Keep in mind that Assange is an anarchist, but it does also suggest that in Assange’s view the political and technical solutions where governments regulate themselves aren’t really possible.

Now jump to ~57 1/2 minutes into part 1, where Assange draws parallels between the US 2nd Amendment and cryptographic tools. Just as the right to bear arms is said to prevent tyranny in the US because the populace can engage in an armed revolt, Assange sees the need for the public to develop cryptographic tools to wage a digital revolt and retake control of digital privacy by force. At ~59 minutes, Jacob Appelbaum jumps in to make an important point: one difference in the analogy between guns and encryption tools is that encryption tools are inherently resistant to violence. No matter how powerful a government might be, if it can’t solve the math problem encrypting the data it can’t see it. No matter what. This is an important point that must be reiterated: we can design encryption that no existing entity can crack. Maybe in the future it’ll be cracked, but, at least in theory, virtually unbreakable-for-a-period-of-time encryption should be possible.

This reality of the potential for unbreakable encryption, again, raises the question: what do we do about things like terrorism-related communications, money-laundering, or child pornography that suddenly become much harder to stop? Well, jump to ~1 hour 7 minutes into part 1 and you’ll hear Jacob Appelbaum’s answer: we should just accept that these things will be super-encrypted and accept that as the price paid for unbreakable digital privacy.

And in case Appelbaum wasn’t clear enough in his answer, jump to ~1 hour 19 minutes into part 2, where Jérémie Zimmermann discusses child pornography as an example of the type of data that even Cypherpunks would agree must be actively removed from servers. But they didn’t all agree. Jacob Appelbaum actually said that Zimmermann’s attitude towards child pornography made him want to vomit, because removing it would be an act of erasing history and that historical information could help catch the perpetrators (this topic is apparently a pet peeve of Appelbaum’s). Julian Assange then chimes in with an anecdote suggesting that the removal of child pornography also has the unfortunate effect of reducing the public drive to crack down on it and catch the perpetrators.

While few would probably expect an internet built to the whims of cyber anarchists to be very child-friendly, it may be a little surprising to learn just how child-unfriendly the encrypted internet might be. Unless, of course, Assange and Appelbaum are correct in their assumption that a world that legalizes child pornography would actually lead to less abuse (again, this is where parallel universes would be nice). It’s a strangely optimistic outlook for such cynics. But when you’re a cyber anarchist – where all governments are deemed to be inherently untrustworthy, all censorship leads to out-of-control abuse of power, and, more generally, all potential abuses of power will eventually transpire – risks will have to be taken by society and sacrifices will have to be made. Sometimes child sacrifices.

So what’s Merkel’s solution? How about we all get chipped?
So, let’s take a moment to review some of what we’ve learned so far about the relationship between spying, encryption, the barriers facing the creation of a truly private and useful global digital infrastructure, and the sacrifices associated with creating that world. And then let’s try to relate it to Angela Merkel’s proposal to wall off the EU internet and begin an aggressive counter-espionage campaign. So we’ve learned:

1. The German public is freaking out about NSA spying while the government feigns ignorance.

2. The Five-Eyes spying alliance doesn’t spy on each other without permission.

3. Merkel wants in on the Five-Eyes alliance in order to obtain a no-spy agreement.

4. Oh wait, the Five-Eyes actually spy on each other without permission.

5. Germany is already in the 14-Eyes and Merkel was already really pissed about not getting “upgraded” to the 9-Eyes.

6. Germany already has plans to significantly expand their surveillance capabilities.

7. In response to not getting a no-spy agreement, Merkel is proposing an EU-intranet and aggressive counter-espionage against the US and UK. It would also break the internet.

8. German Pirate Bruno Kramm views this EU-intranet scheme as theatrics that would do little to prevent surveillance and might actually make it easier for oppressive regimes to censor and surveil their populaces. Only international treaties can truly stop the spying.

9. Edward Snowden asserts that better cryptography world-wide is the key to greater privacy and that end-to-end cryptography is still useful.

10. End-to-end cryptography that is NSA-proof does indeed already exist. It’s free. It’s a pain in the ass to use. It’s only useful if the other people you’re communicating with are also using it. And it mostly breaks the functionality of most of the software that actually makes the data you want encrypted worth having in the first place.

11. German data-storage king Kim Dotcom is planning on developing fully-functional, NSA-proof email services using client-side (end user) tools to carry out the useful features on the data. It’s expensive, but possible.

12. Wikileaks hacker and co-reporter on the Snowden documents, Jacob Appelbaum, is also advocating much stronger encryption standards as the primary tool for preventing surveillance abuses. He also wants to see the NSA turned into the anti-NSA.

13. Appelbaum, Julian Assange, and two other Cypherpunks published a manifesto that strongly predicted the current global debate and all four largely agree that extremely strong cryptographic tools are, indeed, required. There was, however, some disagreement on whether or not every form of digital content should be legalized in order to avoid even the possibility of censorship.

Now, looking at all that, there’s a REALLY BIG question: What on earth does Angela Merkel have in mind? Is this entire EU-firewall plan purely symbolism that will accomplish nothing in terms of enhancing privacy, as Bruno Kramm suggests? Could the German government actually be planning on developing an entire new suite of unhackable hardware and software? After all, if the new EU-intranet is still hackable, what’s the point? But if it really were unhackable, wouldn’t Germany and the entire EU become some sort of digital crime safe haven? How can the EU set up an internet that the NSA can’t hack but EU law enforcement can? Is that even possible?

It is indeed possible, at least in theory. There happens to be a solution that is both technical and political. It’s the same solution the NSA was pining for and the Cypherpunks successfully fought against in the early 90’s. Yep! Remember the Clipper Chip mentioned above? That’s the political and technical solution that Germany and the EU need. Instead of making encryption publicly available (thus forcing the NSA and other law enforcement agencies to build secret backdoors around the encryption), the Clipper Chip solution takes a very different approach: the decryption keys for all encrypting hardware and software are escrowed away by a government agency, only to be used when needed for law enforcement purposes. That way, incredibly strong encryption can be employed by the public at large without worry about random hackers, but governments are still able to decrypt the data when necessary. It’s certainly not an ideal solution if it’s a government agency that can’t be trusted, but, at least in theory, such an approach could limit the spying to only the governments that have access to that decryption key database. Sound tempting? No? Kind of creepy and Orwellian? Yeah, that’s how Americans felt about the ‘Clipper Chip’ idea two decades ago when the NSA was trying to convince everyone to get chipped:
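To make the escrow mechanic concrete, here is a small added example (written for this post, not code from the Clipper program, the NSA, or any vendor) of the split-key idea the Clipper design used: each device’s unit key is divided between two independent escrow agents, and only the two shares together reconstruct it. The XOR split, the SHA-256 counter-mode toy cipher, the key length and the fixed nonce are all constructed for illustration; Clipper itself used the classified Skipjack cipher and a different key-wrapping format.

```python
# Added example (not part of this post or of the Clipper design itself):
# a toy model of split-key escrow. Each device's unit key is XOR-split into
# two shares held by two independent escrow agents; only both shares together
# reconstruct the key. The cipher below is a SHA-256 counter-mode keystream,
# standing in for Clipper's Skipjack purely for illustration.
import hashlib
import secrets

KEY_LEN = 32  # bytes; constructed parameter for this demo


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(unit_key: bytes) -> tuple[bytes, bytes]:
    """Split unit_key into two shares: share_a is uniformly random and
    share_b = unit_key XOR share_a. Either share alone is statistically
    independent of the key (a one-time pad), so a single escrow agent
    learns nothing about it."""
    share_a = secrets.token_bytes(len(unit_key))
    share_b = xor_bytes(unit_key, share_a)
    return share_a, share_b


def recover_key(share_a: bytes, share_b: bytes) -> bytes:
    """Both escrow agents' shares are needed to reconstruct the unit key."""
    return xor_bytes(share_a, share_b)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """XOR the plaintext with the keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes, nonce: bytes) -> bytes:
    """Stream ciphers are symmetric: decryption is the same XOR."""
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def escrow_demo(unit_key: bytes, message: bytes) -> dict:
    """Walk through the escrow lifecycle and report who can read the message."""
    nonce = b"constructed-nonce"  # constructed; a real system uses a fresh per-message value
    share_a, share_b = split_key(unit_key)  # deposited with agents A and B at manufacture
    ct = encrypt(unit_key, message, nonce)  # the device encrypts normally
    return {
        # one share on its own is useless: it is unrelated to the key
        "agent_a_alone": decrypt(share_a, ct, nonce) == message,
        "agent_b_alone": decrypt(share_b, ct, nonce) == message,
        # a lawful request that obtains both shares reconstructs the key
        "both_shares": decrypt(recover_key(share_a, share_b), ct, nonce) == message,
    }


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_LEN)
    print(escrow_demo(k, b"lawfully intercepted call, constructed sample"))
```

The split is what makes the scheme auditable: neither agent can act alone, so a decryption requires two release decisions that can be logged and checked. The same property shows where the risk concentrates. Whoever obtains both escrow databases, through a rogue insider at each agency or a compromise of both, can read every device’s traffic retroactively, which is why the escrow store, not the cipher, is the part of the design that the “creepy and Orwellian” reaction is really about.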

Wired
Don’t Worry Be Happy

The National Security Agency states its case for why key escrow encryption – aka the Clipper Chip – is good for you. A Wired exclusive.

By Stewart A. Baker
Issue 2.06 | Jun 1994

With all the enthusiasm of Baptist ministers turning their Sunday pulpits over to the Devil, the editors of Wired have offered me the opportunity to respond to some of the urban folklore that has grown up around key escrow encryption — also known as the Clipper Chip.

Recently the Clinton administration has announced that federal agencies will be able to buy a new kind of encryption hardware that is sixteen million times stronger than the existing federal standard known as DES. But this new potency comes with a caveat. If one of these new encryption devices is used, for example, to encode a phone conversation that is subject to a lawful government wiretap, the government can get access to that device’s encryption keys. Separate parts of each key are held by two independent “escrow agents,” who will release keys only to authorized agencies under safeguards approved by the attorney general. Private use of the new encryption hardware is welcome but not required. That’s a pretty modest proposal. Its critics, though, have generated at least seven myths about key escrow encryption that deserve answers.

MYTH NUMBER ONE: Key escrow encryption will create a brave new world of government intrusion into the privacy of Americans.

Opponents of key escrow encryption usually begin by talking about government invading the privacy of American citizens. None of us likes the idea of the government intruding willy-nilly on communications that are meant to be private.

But the key escrow proposal is not about increasing government’s authority to invade the privacy of its citizens. All that key escrow does is preserve the government’s current ability to conduct wiretaps under existing authorities. Even if key escrow were the only form of encryption available, the world would look only a little different from the one we live in now.

In fact, it’s the proponents of widespread unbreakable encryption who want to create a brave new world, one in which all of us — crooks included — have a guarantee that the government can’t tap our phones. Yet these proponents have done nothing to show us that the new world they seek will really be a better one.

In fact, even a civil libertarian might prefer a world where wiretaps are possible. If we want to catch and convict the leaders of criminal organizations, there are usually only two good ways to do it. We can “turn” a gang member — get him to testify against his leaders. Or we can wiretap the leaders as they plan the crime.

I once did a human rights report on the criminal justice system in El Salvador. I didn’t expect the Salvadorans to teach me much about human rights. But I learned that, unlike the US, El Salvador greatly restricts the testimony of “turned” co-conspirators. Why? Because the co-conspirator is usually “turned” either by a threat of mistreatment or by an offer to reduce his punishment. Either way, the process raises moral questions — and creates an incentive for false accusations.

Wiretaps have no such potential for coercive use. The defendant is convicted or freed on the basis of his own, unarguable words.

In addition, the world will be a safer place if criminals cannot take advantage of a ubiquitous, standardized encryption infrastructure that is immune from any conceivable law enforcement wiretap. Even if you’re worried about illegal government taps, key escrow reinforces the existing requirement that every wiretap and every decryption must be lawfully authorized. The key escrow system means that proof of authority to tap must be certified and audited, so that illegal wiretapping by a rogue prosecutor or police officer is, as a practical matter, impossible.

MYTH NUMBER TWO: Unreadable encryption is the key to our future liberty.

Of course there are people who aren’t prepared to trust the escrow agents, or the courts that issue warrants, or the officials who oversee the system, or anybody else for that matter. Rather than rely on laws to protect us, they say, let’s make wiretapping impossible; then we’ll be safe no matter who gets elected.

This sort of reasoning is the long-delayed revenge of people who couldn’t go to Woodstock because they had too much trig homework. It reflects a wide — and kind of endearing — streak of romantic high-tech anarchism that crops up throughout the computer world.

The problem with all this romanticism is that its most likely beneficiaries are predators. Take for example the campaign to distribute PGP (“Pretty Good Privacy”) encryption on the Internet. Some argue that widespread availability of this encryption will help Latvian freedom fighters today and American freedom fighters tomorrow. Well, not quite. Rather, one of the earliest users of PGP was a high-tech pedophile in Santa Clara, California. He used PGP to encrypt files that, police suspect, include a diary of his contacts with susceptible young boys using computer bulletin boards all over the country. “What really bothers me,” says Detective Brian Kennedy of the Sacramento, California, Sheriff’s Department, “is that there could be kids out there who need help badly, but thanks to this encryption, we’ll never reach them.”

If unescrowed encryption becomes ubiquitous, there will be many more stories like this. We can’t afford as a society to protect pedophiles and criminals today just to keep alive the far-fetched notion that some future tyrant will be brought down by guerrillas wearing bandoleers and pocket protectors and sending PGP-encrypted messages to each other across cyberspace.

MYTH NUMBER THREE: Encryption is the key to preserving privacy in a digital world.

Even people who don’t believe that they are likely to be part of future resistance movements have nonetheless been persuaded that encryption is the key to preserving privacy in a networked, wireless world, and that we need strong encryption for this reason. This isn’t completely wrong, but it is not an argument against Clipper.

If you want to keep your neighbors from listening in on your cordless phone, if you want to keep unscrupulous competitors from stealing your secrets, even if you want to keep foreign governments from knowing your business plans, key escrow encryption will provide all the security you need, and more.

But I can’t help pointing out that encryption has been vastly oversold as a privacy protector. The biggest threats to our privacy in a digital world come not from what we keep secret but from what we reveal willingly. We lose privacy in a digital world because it becomes cheap and easy to collate and transmit data, so that information you willingly gave a bank to get a mortgage suddenly ends up in the hands of a business rival or your ex-spouse’s lawyer. Restricting these invasions of privacy is a challenge, but it isn’t a job for encryption. Encryption can’t protect you from the misuse of data you surrendered willingly.

What about the rise of networks? Surely encryption can help prevent password attacks like the recent Internet virus, or the interception of credit card numbers as they’re sent from one digital assistant to another? Well, maybe. In fact, encryption is, at best, a small part of network security.

The real key to network security is making sure that only the right people get access to particular data. That’s why a digital signature is so much more important to future network security than encryption. If everyone on a net has a unique identifier that others cannot forge, there’s no need to send credit card numbers — and so nothing to intercept. And if everyone has a digital signature, stealing passwords off the Net is pointless. That’s why the Clinton administration is determined to put digital signature technology in the public domain. It’s part of a strategy to improve the security of the information infrastructure in ways that don’t endanger government’s ability to enforce the law.

MYTH NUMBER FOUR: Key escrow will never work. Crooks won’t use it if it’s voluntary. There must be a secret plan to make key escrow encryption mandatory.

This is probably the most common and frustrating of all the myths that abound about key escrow. The administration has said time and again that it will not force key escrow on manufacturers and companies in the private sector. In a Catch-22 response, critics then insist that if key escrow isn’t mandated it won’t work.

That misunderstands the nature of the problem we are trying to solve. Encryption is available today. But it isn’t easy for criminals to use; especially in telecommunications. Why? Because as long as encryption is not standardized and ubiquitous, using encryption means buying and distributing expensive gear to all the key members of the conspiracy. Up to now only a few criminals have had the resources, sophistication, and discipline to use specialized encryption systems.

What worries law enforcement agencies — what should worry them — is a world where encryption is standardized and ubiquitous: a world where anyone who buys an US$80 phone gets an “encrypt” button that interoperates with everyone else’s; a world where every fax machine and every modem automatically encodes its transmissions without asking whether that is necessary. In such a world, every criminal will gain a guaranteed refuge from the police without lifting a finger.

The purpose of the key escrow initiative is to provide an alternative form of encryption that can meet legitimate security concerns without building a web of standardized encryption that shuts law enforcement agencies out. If banks and corporations and government agencies buy key escrow encryption, criminals won’t get a free ride. They’ll have to build their own systems — as they do now. And their devices won’t interact with the devices that much of the rest of society uses. As one of my friends in the FBI puts it, “Nobody will build secure phones just to sell to the Gambino family.”

In short, as long as legitimate businesses use key escrow, we can stave off a future in which acts of terror and organized crime are planned with impunity on the public telecommunications system. Of course, whenever we say that, the critics of key escrow trot out their fifth myth:

MYTH NUMBER FIVE: The government is interfering with the free market by forcing key escrow on the private sector. Industry should be left alone to develop and sell whatever form of encryption succeeds in the market.

In fact, opponents of key escrow fear that businesses may actually prefer key escrow encryption. Why? Because the brave new world that unreadable encryption buffs want to create isn’t just a world with communications immunity for crooks. It’s a world of uncharted liability. What if a company supplies unreadable encryption to all its employees, and a couple of them use it to steal from customers or to encrypt customer data and hold it hostage? As a lawyer, I can say it’s almost certain that the customers will sue the company that supplied the encryption to its employees. And that company in turn will sue the software and hardware firms that built a “security” system without safeguards against such an obvious abuse. The only encryption system that doesn’t conjure up images of a lawyers’ feeding frenzy is key escrow.

As encryption technology gets cheaper and more common, though, we face the real prospect that the federal government’s own research, its own standards, its own purchases will help create the future I described earlier — one in which criminals use ubiquitous encryption to hide their activities. How can anyone expect the standard-setting arms of government to use their power to destroy the capabilities of law enforcement — especially at a time when the threat of crime and terror seems to be rising dramatically?

By adopting key escrow encryption instead, the federal government has simply made the reasonable judgment that its own purchases will reflect all of society’s values, not just the single-minded pursuit of total privacy.

So where does this leave industry, especially those companies that don’t like either the 1970s-vintage DES or key escrow? It leaves them where they ought to be — standing on their own two feet. Companies that want to develop and sell new forms of unescrowed encryption won’t be able to sell products that bear the federal seal of approval. They won’t be able to ride piggyback on federal research efforts. And they won’t be able to sell a single unreadable encryption product to both private and government customers.

Well, so what? If companies want to develop and sell competing, unescrowed systems to other Americans, if they insist on hastening a brave new world of criminal immunity, they can still do so — as long as they’re willing to use their own money. That’s what the free market is all about.

Of course, a free market in the US doesn’t mean freedom to export encryption that may damage US national security. As our experience in World War II shows, encryption is the kind of technology that wins and loses wars. With that in mind, we must be careful about exports of encryption. This isn’t the place for a detailed discussion of controls, but one thing should be clear: They don’t limit the encryption that Americans can buy or use. The government allows Americans to take even the most sophisticated encryption abroad for their own protection. Nor do controls require that software or hardware companies “dumb down” their US products. Software firms have complained that it’s inconvenient to develop a second encryption scheme for export, but they already have to make changes from one country to the next — in language, alphabet, date systems, and handwriting recognition, to take just a few examples. And they’d still have to develop multiple encryption programs even if the US abolished export controls, because a wide variety of national restrictions on encryption are already in place in countries from Europe to Asia.
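Baker’s claim under “myth number three” above, that an unforgeable digital signature removes the need to send secrets like card numbers at all, can be checked with a small added example. This is not code from the Wired article, the Clinton-era DSS standard or this blog; it is a Lamport one-time signature built from nothing but SHA-256, chosen because it needs no third-party library. The purchase message, the merchant name and the order id are constructed.

```python
# Added example (not from the Wired article or this post): a Lamport one-time
# signature built only from SHA-256. It illustrates the point that a party can
# authorize a transaction with an unforgeable signature instead of transmitting
# a reusable secret such as a card number.
import hashlib
import secrets

HASH_BITS = 256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> tuple[list, list]:
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 of every preimage, in the same layout."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pk = [(sha256(p0), sha256(p1)) for p0, p1 in sk]
    return sk, pk


def message_bits(message: bytes) -> list:
    """The 256 bits of H(message), most significant first."""
    digest = int.from_bytes(sha256(message), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(sk: list, message: bytes) -> list:
    """Reveal, for each bit of H(message), the preimage sitting in that bit's slot."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk: list, message: bytes, signature: list) -> bool:
    """Hash every revealed preimage and compare with the public key slot
    selected by the corresponding bit of H(message)."""
    if len(signature) != HASH_BITS:
        return False
    bits = message_bits(message)
    return all(sha256(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(signature, bits)))


def exposed_pairs(message_a: bytes, message_b: bytes) -> int:
    """Why the key is one-time: signing two messages reveals both preimages at
    every bit position where their digests differ, which is exactly what a
    forger needs to sign further messages at those positions."""
    return sum(x != y for x, y in zip(message_bits(message_a), message_bits(message_b)))


def authorize_purchase(sk: list, merchant: str, amount: str, order_id: str) -> tuple[bytes, list]:
    """Customer side: sign a purchase authorization. No card number is transmitted;
    the merchant checks the signature against the customer's registered public key."""
    message = f"pay merchant={merchant} amount={amount} order={order_id}".encode()
    return message, sign(sk, message)


if __name__ == "__main__":
    sk, pk = keygen()  # the customer registers pk with the merchant or a bank once
    msg, sig = authorize_purchase(sk, "shop-42", "19.99", "7")  # constructed sample
    print("merchant accepts:", verify(pk, msg, sig))
    print("altered amount accepted:", verify(pk, msg.replace(b"19.99", b"1999.99"), sig))
```

Two practical notes follow from the code rather than the prose. First, the signature binds the merchant, amount and order id, so a captured authorization cannot be edited or re-spent for a different order; a production scheme would also include a timestamp or server-issued nonce so the same order cannot be replayed. Second, `exposed_pairs` makes the one-time restriction visible: a real deployment uses a many-time scheme such as RSA or Ed25519, which this stdlib-only toy stands in for.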

Times sure have changed! Except they haven’t. Until the early 90’s, when digital communications and the internet went mainstream for the first time in history, we never really had to ask ourselves “should we create the infrastructure that makes unbreakable encryption routine for everyone?” And we still haven’t really answered the question. Sure, the public pretty resoundingly rejected the Clipper Chip solution, with the proposal dead by 1997, but the public has also never accepted the idea that there should be digital content that is outside the reach of law enforcement. And that hasn’t really changed, even after all of the Snowden revelations. If you look at the general state of the debate over privacy and security these days, there seems to be a consensus that people don’t like the government even having the capacity to spy on them, but they don’t really like the idea of a government that can’t spy on, say, the mafia either.

That’s sort of the default viewpoint that most people would probably have on these kinds of topics, but it’s not a viable one, because there really is a choice that has to be made: if you don’t want governments to have the capacity to engage in mass surveillance in an age when everyone is connecting their computers together in giant global networks and sending gobs of information back and forth, you need unbreakable personal encryption to somehow become standardized, and that means unbreakable encryption for the mafia too. As Jacob Appelbaum puts it in the Cypherpunks discussion, the Four Horsemen of the Infopocalypse (terrorists, pedophiles, drug dealers, and organized crime) are preferable to state-sanctioned spying, but it’s not at all clear that the public at large shares those priorities.

How about we all get chipped and break the internet too!
Then again, the question of what kind of solutions the public would prefer is somewhat moot, because the driving force in how the internet and digital security norms evolve going forward is clearly coming from the governments of Germany and Brazil, and there are absolutely no indications that either government has any plans at all to foster the development of standardized unbreakable digital communications. Instead, the only plans are to build an anti-NSA infrastructure that fixes NSA exploits. And one way to do that while still maintaining the ability of the Brazilian and German governments to continue spying on all the traffic flowing through their networks is to break the internet:

The Verge
Will the global NSA backlash break the internet?

Brazil and Germany make moves to protect online privacy, but experts see a troubling trend toward Balkanization

By Amar Toor on November 8, 2013 10:30 am

The NSA’s ongoing surveillance has spurred many governments to pursue stronger data-protection laws, but there are growing concerns that this backlash could divide the internet along national borders, threatening the principles of openness and fluidity that it was founded upon.

In September, Brazil announced plans to build a fiber-optic cable that would route internet traffic away from US servers, theoretically keeping its citizens’ data away from the NSA. The policy has yet to be implemented, and many question whether it will actually be effective, but others appear to be following Brazil’s lead.

In Germany, telecommunications companies are working to create encrypted email and internet services that would keep user data within the country’s borders, and Switzerland’s Swisscom has begun building a domestic cloud-service to attract companies that may have grown leery of American spying.

The idea is that such country-based networks will keep user data within national borders and away from the NSA, which would be forced to comply with governments’ privacy laws. But experts fear that they may lead to greater “Balkanization” — a term derived from the division of the Balkan Peninsula in the 19th century — transforming the unified web into a fragmented collection of national internets.

Note that the promise by the German government and its new “Email made in Germany” system that traffic will stay in Germany should not be confused with a claim that the newly proposed German internet (and now EU internet) won’t get spied on by the German government. We’ll take a closer look at that below.

Continuing…

“The US has done a disservice to netizens everywhere — forcing people to choose between interconnectivity and privacy,” Sascha Meinrath, director of the Open Technology Institute at the New America Foundation, said in an email to The Verge. In an editorial published last month, Meinrath likened internet Balkanization to the European railway system, where an array of different signaling technologies leads to “delays, inefficiencies, and higher costs” as trains cross borders.

The concept of a national internet is hardly new, though it has traditionally been associated with more repressive regimes. China’s so-called “Great Firewall” has effectively censored the internet for years, and Iran began laying the groundwork for its own state-controlled web earlier this year. But the NSA controversy appears to have reignited and legitimized debates over national web sovereignty, raising the specter of an internet divided by firewalls and border controls.

“A Balkanized internet will look like the online world through the lens of the Chinese firewall or Iran’s Halal Internet,” Meinrath says. “It will be functionally stunted, less interoperable, more expensive to build and maintain, and full of unexpected pitfalls.”

But there have been lingering tensions over America’s web hegemony. Several countries called for a more globally representative governance system at a summit last year in Dubai, and the NSA scandal that ignited seven months later only amplified calls for change.

“What the NSA has shown is that countries can still exert a great amount of force over the internet,” says Friedman, who authored a paper last month on how governments can use web regulations to erect trade barriers. “It’s also shown that there are very different types of power, and it’s not distributed equally.”

Not surprisingly, the two countries to react most strongly to the NSA scandal — Brazil and Germany — are also the two spearheading calls for regulatory change. This week, the two countries formally proposed a UN resolution calling for stronger internet privacy protection, echoing an impassioned speech that Brazilian president Dilma Rousseff delivered to the organization in September, after it was reported that the NSA had been conducting surveillance on her office.

“The concentration of power in the hands of a very few large companies — Facebook, Google — that’s what’s driving Balkanization,” says Geert Lovink, founding director of the Institute of Network Cultures research center in Amsterdam. “That actually is Balkanization.”

“Balkanization is seen as an atavism — something of the past that returns,” he continues. “But that is really not the case.”

Lovink acknowledges that American hegemony may have made the web more fluid and interoperable, though he says the NSA scandal has proven that “usability” isn’t the only thing citizens value. He welcomes the conflict that Brazil and Germany have introduced because it signals a shift away from a web dominated by the US “engineering class.”

What this new internet would look like remains uncertain. Some say further fragmentation may only make it easier for governments to flex their online muscles, leading to more of the surveillance and espionage that Brazil and Germany are looking to combat. In the absence of a governance structure based on consensus and openness, they say, regimes could lord over their domestic networks with impunity.

“The problem with internet governance is that the Americentric model is the worst one, except for all the others,” says Meinrath, channeling Winston Churchill. “I would like to see legal clarity — domestically and internationally — that re-establishes rule of law over surveillance and monitoring.”

“Otherwise, we create a new international norm whereby acceptable behavior includes widespread spying and hacking that detrimentally impacts us all.”

What’s going to follow the Americentric model and a web dominated by the US “engineering class”? That’s the question of the day for the digital age. Brazil and Germany, in particular, presumably have something pretty specific in mind after calling for that upcoming conference on the future of the internet, and we know it’s going to involve preventing NSA spying (or at least that will be the public spin). But it’s also obviously going to allow countries to continue spying on their own citizens as much as they want. And we know President Rousseff is very interested in keeping as much internet traffic and data storage within Brazil as possible. But is that it? We’re going to potentially fragment the internet just to make it somewhat harder for countries to get their hands on the raw data flows? Nothing else much will change? Won’t governments just set up secret data-sharing agreements and/or find new ways to tap those cables?

Could there be something else in mind? Could that something else possibly be a global balkanized Clipper Chip/key escrow system for a global balkanized internet? Might governments perhaps try to ensure that the hardware and software run inside their country have keys that only they have access to, and that no other government or entity can access? Might a national hardware and software key escrow system at least be getting its foot in the door in Brazil?

Al Jazeera America
On Internet, Brazil is beating US at its own game
by Bill Woodcock September 20, 2013 2:45PM ET
Analysis: Brazil’s official response to NSA spying obscures its massive Web growth challenging US dominance

U.S. National Security Agency documents from 2012 revealed this month by Glenn Greenwald show that the intelligence agency recorded email and telephone calls of Brazilian and Mexican heads of state as well as the Brazilian state oil producer Petrobras and other energy, financial and diplomatic targets. It is unsurprising that a national intelligence agency would attempt to gather such information, and it can be argued that it was, however overzealously, doing the job American taxpayers are paying for. But it is also a disappointing, though illuminating, commentary on the state of the Internet that it was successful.

In response to the revelations, on Tuesday Brazilian President Dilma Rousseff announced measures to protect the privacy of Brazil’s citizens from NSA spying:

* Increase domestic Internet bandwidth production

* Increase international Internet connectivity

* Encourage domestic content production

* Encourage use of domestically produced network equipment

Rousseff could make these significant announcements not because of any government resolution or investment but because they are, by and large, successful existing Brazilian private-sector initiatives that have been under way for many years. Only those who haven’t been paying attention to Brazil’s phenomenal Internet development mistook the announcement for news; it was opportunistic spin on what Brazil has already been successfully doing for most of the past decade.

Nor is Brazil’s plan a repudiation of the United States. Brazil is following the path of Internet development that has been proven in the U.S. and is advocated by the U.S. State Department. What’s interesting about Brazil is not that it’s defying the United States’ under-the-table agenda but that it’s doing so by executing moves from the U.S.’s above-the-table playbook so masterfully.

Encouraging domestic content

Regardless of where the cables run, users’ Internet traffic and stored data are not private if users select services that are provided from jurisdictions that do not respect their privacy. For instance, if a Brazilian user has a Hotmail email address and uses the Google-owned Orkut social-networking site, her email and social-network data are stored on servers in the United States and are thereby accessible to the NSA. Encouraging the formation and use of domestic alternatives allows Brazilian users’ communications to remain on Brazilian domestic infrastructure and their data to reside on hard disks in data centers in Sao Paulo and Rio de Janeiro rather than Redmond, Wash., and Portland, Ore.

Users follow the fickle winds of fad, however, and it is notoriously difficult for unhip governments to attract the attention of youth. So it may be difficult for the Brazilian government to pick a winner in the domestic social-networking space and promote its success. More likely, continuing to decrease the cost of domestic Internet traffic routing through infrastructural initiatives like IXPs and fiber-optic cable systems will create a strong economic incentive for all content providers, foreign and domestic, to host Brazilian users’ data within Brazil and thus within Brazilian regulatory jurisdiction. This appears to be where the Brazilian government is heading: toward a common understanding with the European Union on data privacy, harmonizing with its standards of protection for users’ personally identifiable information, or PII. Brazil hopes to compel companies that provide services to Brazilians to do so from servers in Brazil — which would subject them to Brazilian privacy regulation.

The president’s office has asked Correios, the Brazilian public postal service, to provide an encrypted email system to the public at no cost by next year. This comes less than a year after the postal service shuttered CorreiosNet, its prior hosted email offering. Coincidentally, the U.S. Postal Service operated the first such publicly hosted email system, E-COM, from 1982 to 1985, though with little success. Government-operated email systems can, however, succeed; the French Minitel system was wildly popular, serving 25 million people for 34 years. The proposed Brazilian system has the distinct advantage of being free, so it may succeed. If executed well, it could employ strong encryption, potentially with Brazilian governmental key-escrow, which would allow Brazilian law enforcement access but effectively deny access to foreign intelligence agencies.

Domestic network equipment

Perhaps the most controversial portion of the Brazilian plan is to encourage private-sector network operators in Brazil, whether foreign or domestic, to use only Brazilian-designed and -produced telecommunication equipment in their networks. This is intended to address the fear that “back doors” will come installed in equipment sourced internationally, making it vulnerable to wiretapping by foreign intelligence agencies. This same precaution has led some countries to ban the use of Chinese-produced Huawei and ZTE gear from sensitive networks, but it also seems to penalize products from Cisco and Juniper that have not shown similar vulnerabilities.

The near-term winners from any such policy are likely to be Datacom and Padtec (based in Rio Grande do Sul and Sao Paulo, respectively), which are the current suppliers of networking equipment for Brazilian government networks. This is likely to backfire in the long term, however, when those manufacturers try to grow beyond the Brazilian domestic market.

Like the satellite-development deal, this policy follows Brazil’s well-established pattern of using high tariffs to displace foreign imports with domestic products. This strategy has worked brilliantly for Brazil in the past in the automotive and aerospace sectors and has been notably successful for many Asian economies. Nevertheless, stratospheric import tariffs on high-tech electronics have failed to jump-start a Brazilian electronics industry and have created substantial friction with international computer and networking-equipment producers.

Unlike the automotive and aerospace industries, computer-networking and information technologies scale with the network effect: Their value is partly determined by their relationship with other technology products and their users. Such products are entirely dependent on seamless interoperability between them and equipment made by different companies. So if Datacom and Padtec profit from Brazilian governmental protectionism in the near term, they will pay the price in the long term when they try to expand into international markets, since they will face the suspicion of other governments that the reason the Brazilian government favors them is that they incorporate unique Brazilian back doors. In other words, this form of protectionism leads to the problems that Huawei and ZTE face today.

A free state-sponsored email system using strong encryption, run out of the post office, that could use government key escrow? Encouraging private-sector network operators to use Brazilian-designed and -produced telecommunication equipment in their networks? That sure sounds a lot like the “hey, we think you all should use this new Clipper Chip!” approach that the US government was trying 20 years ago. Only instead of the internet being a fun new toy in 1994 that only seemed like it could be scary, it’s now 2014 and we know the internet is kind of scary, with all sorts of real-life boogeymen. And now that the NSA is the official global boogeyman-in-chief, the selling points of a Brazilian Clipper Chip-like system that’s purportedly NSA-proof are more compelling than ever. These days, as long as it’s anti-NSA, it sort of takes the sting off of knowing the government has all those keys in escrow.
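To make concrete what “keys in escrow” means at the protocol level, here is an added example in Go that is not code from this post, nor from any Brazilian or German system: a software analogue of the Clipper Chip’s Law Enforcement Access Field, in which each message’s one-time session key is wrapped both to the recipient and to an escrow authority, so the authority can read the message without the user’s key while a party holding neither key is refused. The `Envelope` type, the function names, the 2048-bit demo keys and the sample message are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a key-escrowed message: AES-256-GCM under a one-time session key that is
// RSA-OAEP-wrapped twice, to the addressee (ToRecipient) and to the escrow authority (ToEscrow).
type Envelope struct {
	Nonce, Ciphertext, ToRecipient, ToEscrow []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so that the recipient and the escrow authority can each
// recover it independently, while the holder of any other key cannot.
func Seal(plaintext []byte, recipient, escrow *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var wrapped [2][]byte // wrapped[0] to the recipient, wrapped[1] to the escrow authority
	for i, pub := range []*rsa.PublicKey{recipient, escrow} {
		if wrapped[i], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
			return nil, err
		}
	}
	return &Envelope{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		ToRecipient: wrapped[0],
		ToEscrow:    wrapped[1],
	}, nil
}

// Open recovers the plaintext from one wrapped copy of the session key: the recipient
// passes env.ToRecipient, the escrow authority env.ToEscrow. Any other private key fails.
func Open(env *Envelope, priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("this private key cannot unwrap the session key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return k
}

// RunScenario plays out the escrow model with three fresh keys (user, escrow authority, and an
// outsider holding no escrowed key) and returns what the first two read and whether the outsider was refused.
func RunScenario() (string, string, bool, error) {
	user, authority, outsider := newKey(), newKey(), newKey()
	env, err := Seal([]byte("board meeting moved to Thursday"), &user.PublicKey, &authority.PublicKey) // constructed sample
	if err != nil {
		return "", "", false, err
	}
	byUser, err := Open(env, user, env.ToRecipient)
	if err != nil {
		return "", "", false, err
	}
	byAuthority, err := Open(env, authority, env.ToEscrow) // needs no help from the user
	if err != nil {
		return "", "", false, err
	}
	_, err = Open(env, outsider, env.ToEscrow) // wrong private key for the escrow field
	return string(byUser), string(byAuthority), err != nil, nil
}

func main() {
	r, e, refused, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient: %q\nescrow authority: %q\noutsider refused: %v\n", r, e, refused)
}
```

The model is only as strong as the escrow authority’s key management: whoever holds that one private key can read every message sealed under it.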

Worried about Brazil? Don’t be. They’re going to be protecting their privacy, European-style.
So could we be seeing the start of a Brazilian campaign to sell the idea of state-sponsored encryption services to the public? It sure is starting to look like that. And it won’t be too surprising if the idea catches on, because who likes the idea of the NSA rooting around through their stuff? But it’s still kind of surprising that there isn’t more concern from privacy advocates over these plans with potentially global ramifications, because Brazil isn’t just planning on offering voluntary state-sponsored encryption in response to the NSA scandal. As the above article points out, Brazil is also about to pass a law that mandates the local storage of personal data by internet firms like Google and Facebook, and the Brazilian parliament just passed an amendment to the upcoming Brazilian ‘Bill of Rights’ law that mandates that internet service providers store personal data for 6 months no matter what.

So why aren’t there growing concerns that the new Brazilian Bill of Rights will lead to widespread privacy abuses against Brazilians by the Brazilian government? Oh, right, Brazil’s new ‘Internet Bill of Rights’ and new European-style data protection framework. That’s why no one is concerned:

PrivacyTracker.org

Will the New Year Bring New Privacy Laws to Brazil?
By The Hogan Lovells Privacy Team
01.28.14

The World Cup is not the only event to look out for in Brazil this year. Brazil has been developing two significant pieces of privacy legislation since the late 2000s, and it looks like they may be voted on soon. The Marco Civil da Internet (“Civil Internet Bill”) would establish what some have called an “Internet Bill of Rights” that includes data protection requirements and the preservation of net neutrality. The Data Protection Bill would establish a comprehensive, European-style data protection framework governing the processing of all personal data. The proposed laws would replace Brazil’s current sector-specific privacy framework. Brazil is the fifth largest country in the world, and the number of Brazilian Internet and smartphone users is growing rapidly. The new laws would therefore have a significant impact on organizations offering digital products or services to Brazilian consumers. We here provide background on the proposed laws and insights as to their potential impacts.

Brazil’s Civil Internet Bill would do more than just establish online privacy protections. The draft legislation effectively establishes an Internet Bill of Rights for Brazilians. These rights include privacy protections along with a fundamental right to access the Internet and a mandate for net neutrality. The law also regulates the enforcement of digital copyright issues and the online collection of evidence in criminal and civil investigations. In recent months, President Rousseff and members of the Worker’s Party have added new provisions to the Civil Internet Bill. The most controversial of these is a data localization rule, which would give Brazil’s executive branch the right to force operators of online services to store Brazilian data only in Brazilian data centers. Other amendments to the Civil Internet Bill include requiring service providers to obtain express consent from users prior to processing personal data online and providing that companies violating the Bill would be subject to suspension of Brazilian data collection activities or fines of up to 10% of the organizational revenues.

Critics have argued that the Civil Internet Bill, especially with its localization requirements, would raise operating costs significantly for companies doing business in Brazil. Several industry groups have noted that the localization requirements would undermine the decentralized nature of the Internet, which has facilitated the growth of global digital trade.

Brazil’s Data Protection Bill is modeled primarily on the European Data Protection Directive and would regulate the online and offline processing of personal data. The bill would give Brazilians the rights to access, correct, and delete personal data and require that organizations generally obtain express, informed consent prior to processing a Brazilian’s personal data. The Data Protection Bill would create a data protection authority, the National Data Protection Council. In the event of a data breach, companies would be required to notify the Council and sometimes the media. Like the EU data protection framework, the Data Protection bill would generally prohibit organizations from transferring personal data to countries not providing adequate protections for personal data. Although the Data Protection Bill does not specify which countries do provide adequate protections, it is likely that the Data Protection Council would not deem the United States to be one of those countries. Organizations violating the Data Protection Bill would face penalties of up to 20% of organizational revenue.

If one or both of these bills are passed into law, companies with Brazilian operations would likely have to implement significant changes to their privacy and security practices. Data localization requirements and cross-border transfer restrictions would have a substantial effect on business operations with questionable privacy and security benefits. For example, cyberattacks can occur no matter where data is stored.

In spite of the arguments being raised against the bills, however, the desire to establish Brazil as a leading player in the Global Multistakeholder Meeting on the Future of Internet Governance to be held in São Paulo on April 23-24 may well prompt the Brazilian legislature to pass one or both laws in the next few months. Some reports indicate that the Civil Internet Bill will be voted on in February. A vote on the Data Protection Bill is likely to happen soon after. We will be watching the developments closely and evaluating how the changes may effect Brazilian companies as well as Latin American and global trade.

European-style data-protection laws are coming to Brazil! That should be quite an exciting set of new rules for Brazilian internet users to anticipate once the EU finally decides (via a secret trilogue) what those laws are going to look like. And it sounds like those new rules will also cut off data transmission to the United States over concerns about US spying, although presumably Google, Facebook and other US firms that set up operations on Brazilian soil will continue to be able to offer services. It raises the question of what other countries will be cut off from Brazil over data-privacy concerns. China and Russia must certainly be on the no-go list, and the rest of the Five Eyes would almost have to be excluded. EU companies may not need to open branches in Brazil because they will presumably already be compliant with Brazil’s new data-privacy laws (since those laws are supposed to be based on “European-style” data privacy). But will any other nations on the planet be compliant? Micro-nations without intelligence agencies might be, but anyone else? What if Iceland turns itself into Kim Dotcom’s The Pirate Bay? How about Sweden?

And why is there so little outcry over the fact that Brazil is trying to get all this personal data stored locally using Brazilian-government-sponsored hardware and software? The previous article mentions concerns that this plan for encouraging Brazilian hardware and software could end up hurting the international brand of those Brazilian products, specifically out of fears of Brazilian government backdoors. Why wouldn’t those fears exist? Is Brazil’s government planning on cutting itself off from ever accessing its own citizens’ digital data by building government-implemented strong encryption that it can’t even decrypt itself? The recent amendment to Brazil’s Internet Bill of Rights calling for 6 months of data retention certainly doesn’t suggest Brazil suddenly decided to turn itself into The Pirate Bay (not that some aren’t trying). Doesn’t local data retention put Brazilians at greater risk of privacy abuses simply due to the possibility that the government will violate the new Bill of Rights after forcing the data’s relocation to Brazilian servers? Did Brazil’s government suddenly obtain non-corruptibility credibility? It’s often argued that we should assume that if the NSA can violate your privacy it definitely will, regardless of the rules. That’s a core belief of the Cypherpunks (they are mostly anarchists, after all).

Oh, you thought European-style data-privacy included strong encryption? Uhhh…
Shouldn’t that skepticism apply to all intelligence organizations? For instance, when Germany set up its own “Email made in Germany” as an “anti-NSA” alternative to US email services, shouldn’t we assume the BND is spying on the new ‘anti-NSA’ “Email made in Germany” system, since that ‘secure’ email service leaves the email completely unencrypted on German servers? Maybe? Maybe perhaps?

Ars Technica
Crypto experts blast German e-mail providers’ “secure data storage” claim
GPG developer calls move a “great marketing stunt at exactly the right time.”

by Cyrus Farivar – Aug 10 2013, 7:08am CDT

In the wake of the shutdown of two secure e-mail providers in the United States, three major German e-mail providers have banded together to say that they’re stepping forward to fill the gap. There’s just one problem: the three companies only provide security for e-mail in transit (in the form of SMTP TLS) and not actual secure data storage.

GMX, T-Online (a division of Deutsche Telekom), and Web.de—which serve two-thirds of German e-mail users—announced on Friday that data would be stored in Germany and the initiative would “automatically encrypt data over all transmission paths and offer peace of mind that data are handled in compliance with German data privacy laws.” Starting immediately, users who use these e-mail services in-browser will have SMTP TLS enabled, and starting next year, these three e-mail providers will refuse to send all e-mails that do not have it enabled.

“Germans are deeply unsettled by the latest reports on the potential interception of communication data,” said René Obermann, CEO of Deutsche Telekom, in a statement. “Our initiative is designed to counteract this concern and make e-mail communication throughout Germany more secure in general. Protection of the private sphere is a valuable commodity.”

These companies have dubbed this effort “E-mail made in Germany,” and tout “secure data storage in Germany as a reputable location.” In practice, that appears (Google Translate) to simply mean that starting in 2014, these providers will “only transport SSL-encrypted e-mails to ensure that data traffic over all of their transmission paths is secure.”

Germany has notoriously strong data protection laws—likely the strongest in the world. But those laws do have law enforcement exceptions for security agencies, like the BND, Germany’s equivalent to the National Security Agency. The BND likely can easily access e-mails stored unencrypted on German servers with little legal or technical interference. Clearly, forcing users (particularly less tech-savvy ones) to use SMTP TLS provides a modicum of better protection for data in transit, but it’s hardly anywhere close to improved security for stored data.

Law enforcement can still get stored e-mail

German tech media and the well-respected Chaos Computer Club have lambasted this approach, dismissing it as “pure marketing.”

“The basic problem with e-mail is that it’s a postcard readable by all—[this] changes nothing,” wrote Andre Meister on the noted Netzpolitik.org blog (German).

Lukas Pitschl of GPGTools told Ars this was merely a “marketing stunt,” which would “not add real value to the security of e-mail communication.”

“If you really want to protect your e-mails from prying eyes, use OpenPGP or S/MIME on your own desktop and don’t let a third-party provider have your data,” he told Ars. “No one of the ‘E-Mail made in Germany’ initiative would say if they encrypt the data on their servers so they don’t have access to it, which they probably don’t and thus the government could force them to let them access it.”

The Chaos Computer Club practically laughed (Google Translate) at this new announcement:

“What competitors [have had] for years as standard—a forced encryption when accessing a personal e-mail account—is now sold promotionally as a new, effective technological advancement,” the group wrote. “The NSA scandal has shown that centralized services are to be regarded as not trustworthy when it comes to access by secret [agencies].”

Oh wow, does this mean Germany isn’t turning its government-built email service into The Pirate Bay either? Well that’s sure unexpected.

Still, it could be argued that one should feel safer having the BND control their personal data vs. the NSA, if one were given the choice. But it’s unclear why the BND would be deemed more acceptable since, as the Snowden documents demonstrate, the BND has already been caught handing off “massive amounts” of phone data to the NSA, and Germany is clearly very interested in dramatically expanding its surveillance capabilities. And, perhaps more importantly, the moves by Brazil and now the EU to wall off and balkanize internet traffic and potentially mandate local data storage are actually removing the choice of where your data is held. This is currently being hailed as a necessary measure to protect citizens’ privacy but, again, it’s really unclear why that’s the case:

indexoncensorship.org
Don’t gerrymander the internet

By Leslie Harris / 4 November, 2013

We can partially blame gerrymandering for the current gridlock in the U.S. Congress. By shaping the electoral map to create politically safe spaces, we have generated a fractious body that often clashes rather than collaborates, limiting our chances of resolving the country’s toughest challenges. Unfortunately, revelations about the global reach of American security surveillance programs under the National Security Agency (NSA) are leading some to propose what amounts to gerrymandering for the internet in order to route around NSA spying. This will shackle the internet, inherently change its technical infrastructure, throttle innovation, and likely lead to far more dangerous privacy violations around the globe.

Nations are rightly upset that the communications of their citizens are swept up in the National Security Agency’s pervasive surveillance dragnet. There is no question the United States has overreached and violated human rights in its collection of communications information on innocent people around the globe; however, the solution to this problem should not, and truly cannot, be data localization mandates that restrict data storage and flow.

The calls for greater localization of data are not new, but the recent efforts of Brazil’s President, Dilma Rousseff, to protect Brazilians from NSA spying reflected the view of many countries suddenly faced with a new threat to the privacy of the communications of their citizens. Rousseff has been an advocate for internet freedom, so undoubtedly her proposal is well intentioned, though the potential unintended repercussions are alarming.

First, it’s important to consider the technical reasons why data location requirements are a really bad idea. The Internet developed in a widely organic manner, creating a network that allowed data to flow from all corners of the world – regardless of political boundaries, residing everywhere and nowhere at the same time. This has helped increase the resilience of the internet and it has promoted significant efficiencies in data flow. As is, the network routes around damage, and data can be wherever it best makes sense and take an optimal route for delivery.

Data localization mandates would turn the internet on its head. Instead of a unified internet, we would have a fractured internet that may or may not work seamlessly. We would instead see districts of communications that cater to specific needs and interests – essentially we would see Internet gerrymandering at its finest. Countries and regions would develop localized regulations and rules for the internet to benefit them in theory, and would certainly aim to disadvantage competitors. The potential for serious winners and losers is huge. Certainly the hope for an internet that promotes global equality would be lost.

Data localization may only be a first step. Countries seeking to keep data out of the United States or that want to exert more control over the internet may also mandate restrictions on how data flows and how it is routed. This is not far-fetched. Countries such as Russia, the United Arab Emirates, and China have already proposed this at last year’s World Conference on International Telecommunications.

Most important though, is the potential for fundamental harm to human rights due to data localization mandates. We recognize that this is a difficult argument to accept in the wake of the revelations about NSA surveillance, but data localization requirements are a double-edged sword. It is important to remember that human rights and civil liberties groups have long been opposed to data localization requirements because if used inappropriately, such requirements can become powerful tools of control, intimidation and oppression.

When companies were under intense criticism for turning over the data of Chinese activists to China, internet freedom activists were united in their calls to keep user data out of the country. When Yahoo! entered the Vietnamese market, it placed its servers out of the country in order to better protect the rights of its Vietnamese users. And the dust up between the governments of the United Arab Emirates, Saudi Arabia, India, and Indonesia, among others, demanding local servers for storage of BlackBerry messages in order to ensure legal accountability and meet national security concerns, was met with widespread condemnation. Now with democratic governments such as Brazil and some in Europe touting data localization as a response to American surveillance revelations, these oppressive regimes have new, albeit inadvertent, allies. While some countries will in fact store, use and protect data responsibly, the validation of data localization will unquestionably lead to many regimes abusing it to silence critics and spy on citizens. Beyond this, data server localization requirements are unlikely to prevent the NSA from accessing the data. U.S. companies and those with a U.S. presence will be compelled to meet NSA orders, and there appear to be NSA access points around the world.

Data localization is a proposed solution that is distracting from the important work needed to improve the Internet’s core infrastructural elements to make it more secure, resilient and accessible to all. This work includes expanding the number of routes, such as more undersea cables and fiber runs, and exchange points, so that much more of the world has convenient and fast Internet access. If less data is routed through the U.S., let it be for the right reason: that it makes the Internet stronger and more accessible for people worldwide. We also need to work to develop better Internet standards that provide usable privacy and security by default, and encourage broad adoption.

Protecting privacy rights in an era of transborder surveillance won’t be solved by ring fencing the Internet. It requires countries, including the U.S., to commit to the exceedingly tough work of coming to the negotiating table to work out agreements that set standards on surveillance practices and provide protections for the rights of privacy and free expression for people. Germany and France have just called for just such an agreement with the U.S. This is the right way forward.

In the U.S., we must reform our surveillance laws, adopt a warrant requirement for stored email and other digital data, and implement a consumer privacy law. The standards for government access to online data in all countries must likewise be raised. These measures are of course much more difficult in the short run than data localization requirements, but they are forward-looking, long-term solutions that can advance a free and open internet that benefits us all.

So, at least in theory, some countries might store, use, and protect data responsibly once we transition to a local storage paradigm. But also, in theory, these same countries could mandate local data storage, set up fancy privacy laws, and then proceed to violate them. Clearly we should all hope that the former scenario is what will actually take place, but which scenario should we actually expect? Is Brazil going to abide by its new Internet Bill of Rights? Will Germany actually abide by its notoriously strict privacy laws? How about the rest of the EU? How about the rest of the world?

Now, here’s a twisted possibility: could it be that Germany and Brazil are currently trying to gain access to data on their own citizens that only the NSA and/or US tech firms have access to and aren’t sharing? After all, we keep hearing about how Angela Merkel wants to establish a ‘no spy’ agreement. But, as we’ve seen, the Five Eyes agreement that Angela Merkel wants to join isn’t a no-spy agreement. It’s a pro-spy agreement. So, could it be that the Snowden affair is being used as an opportunity to mandate that citizens in Brazil, Germany, and now the entire EU must leave virtually all of their online digital data on servers that are fully accessible to those governments? And might the move to develop non-US hardware and software in order to thwart the NSA’s actions simultaneously be maximizing access to personal data by those exact same governments using their own government backdoors and key escrows? Could the balkanization of the internet actually lead to a concentration of personal data storage in everyone’s home country? Maybe.

And might Angela’s proposal to wall off the EU and begin engaging in counter-espionage actually be an attempt to drive people away from US-based technology and into the arms of EU and Brazilian hardware manufacturers with new, fancy, all-exclusive back-doors? Are there any indications that these governments are planning on building hardware and software that even their own security services can’t hack? Or might the anti-NSA backlash also be acting as a backdoor for selling the globe on the new Clipper Chip 3.0 paradigm? We’ve already seen Clipper Chip 1.0 get rejected by the public. The seemingly endless technical exploits that can attack any system, which the Snowden Documents are exposing, are basically Clipper Chip 2.0. It’s like a meta-Clipper Chip. Could this new wave of anti-NSA hardware and software (and the breakup of the internet) be the rollout of Clipper Chip 3.0? The anti-NSA meta-Clipper Chip, with all sorts of new exploits in supposedly newly secured platforms?

It’s Back to the Future. Specifically, it’s Back to 1993-94 and then the Future
These are just a handful of the questions that have been raised about how we’re going to balance privacy and security. They’re critical questions to ask, not only because we actually need answers to them to know how to move forward, but also because the global debate seems to be taking place as if these questions have already been answered and the Cypherpunk solution of standardizing unbreakable strong encryption is the global public’s choice. The CCC laughed off Germany’s “Email made in Germany” service because law enforcement could still access the content, and across the world people are shocked that the NSA can hack into just about anything. And the public at large naturally recoils at the idea of something like a Clipper Chip that makes it so easy for governments to hack into your personal data. But was the US public’s rejection of the Clipper Chip in the 1990s, when the internet was still in its infancy, an open embrace of the Four Horsemen of the Infopocalypse? Because that’s how the topic is generally treated: if the NSA or any intelligence or law enforcement agency is discovered to have found or built in a vulnerability, that is seen, by default, as a horrible threat to society that will surely be abused. At the same time, nearly everyone seems to agree that there are legitimate reasons for spying. Even Snowden.

So how exactly do we create the world where legitimate spying takes place if we also decide to create a world where strong encryption becomes routine and standardized? Sure, as we saw above, actually making strong encryption routine and standardized is costly and time-consuming, but it’s possible. What model, other than the Clipper Chip/government key-escrow model run by a trustworthy government, actually satisfies those conditions? Are there any other models? The above article ends with some very good advice:


Protecting privacy rights in an era of transborder surveillance won’t be solved by ring fencing the Internet. It requires countries, including the U.S., to commit to the exceedingly tough work of coming to the negotiating table to work out agreements that set standards on surveillance practices and provide protections for the rights of privacy and free expression for people. Germany and France have just called for just such an agreement with the U.S. This is the right way forward.

In the U.S., we must reform our surveillance laws, adopt a warrant requirement for stored email and other digital data, and implement a consumer privacy law. The standards for government access to online data in all countries must likewise be raised. These measures are of course much more difficult in the short run than data localization requirements, but they are forward-looking, long-term solutions that can advance a free and open internet that benefits us all.

Now, it was probably a mischaracterization to describe what Germany and France called for as a common set of standards that will “provide protections for the rights of privacy and free expression for people” since they clearly want in on the pro-spying Five Eyes club. But the larger point is absolutely critical: there really is no long-term solution to balancing privacy and security that doesn’t involve governments engaging in self-restraint and acting for the greater good. In other words, the real challenge is electing the kind of elected officials that appoint the kind of public officials that appoint the kind of senior officers that hire the kind of professionals that you would trust to babysit your kids and just generally be good and decent. THAT’s the challenge of the surveillance age. Creating governments you can trust. Everywhere. Yeah, that’s a really hard solution to implement, but it’s also our only real choice in the long run because it’s the only solution that can help fix all of the other horrible problems facing humanity and life on earth over the next century. Help us, Obi-Wan Kenobi high-quality democratic societies working together, you’re our only hope.

One of the reasons it’s so important to take a step back and question some of the underlying assumptions on this topic is that the Cypherpunk perspective is basically leading the global discussion on these matters and that perspective assumes that accountable governments are simply impossible. At least, that’s the perspective that appears to be held by folks like Jacob Appelbaum and Julian Assange (and presumably Edward Snowden, given his political leanings). But, at the same time, we keep hearing from folks like Snowden, Appelbaum, and Assange that we’ll need technical and political solutions to the challenges of balancing privacy and security. The technical solution offered by the Cypherpunks is clear: strong encryption that no one can break for the masses. The political solution offered by Snowden seems to revolve around fixing the laws on warrants and prosecuting senior US officials involved with setting policy. Similarly, Jacob Appelbaum thinks “it’s important to find out who collaborated and who didn’t collaborate. In order to have truth and reconciliation, we need to start with a little truth.” And as we saw above, he also wants the NSA to become the anti-NSA.

Now, that would be pretty sweet if we had an actual truth and reconciliation commission on anything because, wow, the odds of that happening for any topic anywhere are so tiny it’s sad, and there are a lot of different areas of reality that need truth and reconciliation. But is the prosecution of senior US officials and widespread implementation of strong encryption that even the NSA can’t break a realistic set of long-term solutions? Has the public really internalized the idea of embracing standardized unbreakable strong encryption and accepting the Four Horsemen of the Infopocalypse as the price to be paid for digital privacy? Until the global public actually engages in that debate for real in the global internet age, we’re not really going to be able to come up with solutions that the public can get behind. And if we can’t get real solutions that the public can get behind, that means crappy solutions that enable more spying by even more governments and break the internet are more likely to succeed. Real privacy is going to require real sacrifices. Right now, the US’s solution appears to involve shifting data storage to the private sector. Is that an improvement? Are you sure?

Maybe we have to begin talking about how we’re going to deal with the Four Horsemen of the Infopocalypse: terrorists, drug-dealers, money-launderers, and pedophiles. At least one of those Horsemen can be dealt with pretty easily: end the insane war on drugs and treat it as a medical issue. That would sure help with some privacy concerns. It would probably help out a lot with the money-laundering too. But those last two Horsemen, terrorists and pedophiles…it’s not at all obvious that the public is going to ever accept enabling those activities regardless of the cost to their privacy. Can you blame them?

So how can we come up with solutions to the issues of privacy, security, and managing this global internet thing that the global community can actually accept when the prevailing assumption is that state-sanctioned backdoors are to be abolished, strong encryption is to be mainstreamed, and the consequence of those two actions is that at least two of the Four Horsemen of the Infopocalypse show up (plus the much-feared pedo-terrorists)? One answer is that we come up with confused solutions that don’t actually address our needs or expectations. Solutions that seem like they’re protecting privacy, like mandating local data-storage, but actually end up shifting around who is doing the spying and potentially break the internet in the process. Solutions that governments around the world might love right now, but people around the world may not really appreciate in the long-run.

Another part of the solution is to actually have that Clipper Chip debate again, because the issue of unbreakable encryption has been forced again. Brazil and Germany have made it pretty clear that state-sponsorship of encryption is now a global product, so we might as well start talking about these things again. Do the Chinese want a China-chip? Do Americans want a Five-Eyes Chip? Now that Angela Merkel has announced plans for an aggressive counter-espionage campaign against the US (presumably using exploits described in the Snowden Documents), might that be used to sell the US populace on a Clipper Chip of its own? It’s a very creepy solution but it would also allow the transmission of data across the planet without the fear of other nations spying on that traffic. Just your nation-of-choice that built the chip could spy (and anyone they share the keys with, and anyone else that breaks the code). Something like that could avoid breaking up the internet, and the topic is being forced anyways, so should we talk about it?

And should we also start talking about how to handle the mainstreaming of unbreakable encryption? Because one of the consequences of the Snowden Affair is that we might suddenly get a lot closer to having truly unbreakable encryption go mainstream again. These secret exploits that are being exposed held off the Four Horsemen for two decades, but they’re back, knocking on the door again. Don’t forget: the whole point behind all the NSA’s exploits is that it can’t defeat these algorithms through brute force if they are implemented correctly. The NSA needs to cheat. It’s raw math at that level. Depending on how things change, we could build the infrastructure where encryption really is effectively unbreakable and cheating is effectively impossible.
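To make the key-escrow model that the last two paragraphs keep circling back to concrete, here is an added toy example; it is not code from the original post. It models the Clipper Chip arrangement: every message carries a Law Enforcement Access Field (LEAF) holding the session key wrapped under an escrow key, and that escrow key is split between two escrow agents, so the intended recipient decrypts with the session key alone while anyone who assembles both escrow components (the issuing government, whoever it shares them with, or whoever steals them) recovers every session key ever used. The cipher is a stand-in: an HMAC-SHA256 counter-mode keystream instead of the chip’s Skipjack, chosen so the code runs on the Python standard library, and the function names and the dict layout of the message are assumptions.

```python
"""Toy Clipper-style key escrow (constructed illustration, not the original post's code).

Stand-ins: HMAC-SHA256 counter-mode keystream instead of Skipjack; a two-field
dict instead of the real LEAF wire format. Function/field names are assumptions.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
KEY_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256 (toy cipher core)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message; the nonce is prepended to the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def combine_escrow_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Clipper split each chip's escrow key between two escrow agents.
    Either share alone is useless; XORing both reconstructs the escrow key."""
    return xor_bytes(share_a, share_b)


def escrow_encrypt(session_key: bytes, escrow_key: bytes, plaintext: bytes) -> dict:
    """Message = LEAF (session key wrapped under the escrow key) + encrypted body.
    Simplified layout: the real LEAF also carried a chip id and a checksum."""
    return {
        "leaf": encrypt(escrow_key, session_key),
        "body": encrypt(session_key, plaintext),
    }


def recipient_decrypt(session_key: bytes, message: dict) -> bytes:
    """Normal recipient: knows the session key and ignores the LEAF entirely."""
    return decrypt(session_key, message["body"])


def escrow_recover(escrow_key: bytes, message: dict) -> bytes:
    """Whoever holds the assembled escrow key unwraps the session key from the
    LEAF and then reads the body, with no cooperation from either party."""
    session_key = decrypt(escrow_key, message["leaf"])
    return decrypt(session_key, message["body"])


def demo() -> dict:
    """Constructed run: one message, read three ways."""
    share_a = secrets.token_bytes(KEY_LEN)   # held by escrow agent A
    share_b = secrets.token_bytes(KEY_LEN)   # held by escrow agent B
    escrow_key = combine_escrow_shares(share_a, share_b)
    session_key = secrets.token_bytes(KEY_LEN)
    msg = escrow_encrypt(session_key, escrow_key, b"constructed sample message")
    return {
        "recipient": recipient_decrypt(session_key, msg),   # works: has session key
        "both_shares": escrow_recover(escrow_key, msg),     # works: escrow assembled
        "one_share": escrow_recover(share_a, msg),          # garbage: one share only
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who}: {result!r}")
```

The point the toy makes is the one the post is making: the body encryption is never attacked at all. The escrow key is the single secret that unlocks every session, so the scheme is exactly as private as the custody of those two shares, and anyone who obtains both (by agreement, by compulsion, or by theft) is indistinguishable from the lawful escrow agents.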

Ok, so what’s the balance? Ever since the Clipper Chip debate got resolved in the 90’s, the public has been having its cake and eating it too on the costs and benefits of making near-absolute data privacy tools readily available. Or at least it thought it was having its cake. The blue pill is delicious after all. Since the NSA and other spy agencies were secretly finding or creating exploits the whole time, the public was able to maintain a pretense that the bad guys got their data hacked as a routine course because the government hackers are super bad ass. But, curiously, we also seemed to assume that our own personal hardware and software wasn’t, like, a giant Rube Goldberg machine of hardware and software exploits. These weren’t really compatible assumptions. Remember all the shock when it was discovered that *gasp* even BlackBerry is hackable? Both the iPhone and BlackBerry were considered NSA-proof until recently and, ominously in retrospect, the government wasn’t complaining.

So we’ve never really had the debate over the costs and benefits of absolute encryption because we’ve never really had absolute encryption. It was sort of assumed we had strong encryption available, except most of us simultaneously assumed the NSA could hack everything. It was a weird headspace, those pre-Snowden days of yore.

Today, it’s a different kind of weird headspace. We’re having a global discussion over a maelstrom of intertwined topics that almost require a replay of the Clipper Chip debate, and the key figures and assumptions in this global debate almost all come from the Cypherpunk perspective. Except for the assumption that we all have security needs. That same Clipper Chip debate is back because it never really went away. So it’s Back to the Future time: if we can somehow resolve the Clipper Chip debate of 1993-94, the present can move forward into the future.

Now, will the public actually accept the Clipper Chip solution? Does everyone want to get chipped? Well, no, the idea of official back doors is so creepy that the public probably isn’t going to be much more receptive today than it was two decades ago, but at least we’ll be having a meaningful debate about the implications of mainstreaming unbreakable encryption. And while we’re having that debate, let’s not kid ourselves: no matter how this debate over digital privacy gets resolved, digital privacy is only one element of privacy that’s at growing risk these days. It may seem like we’re living on the internet, but we aren’t Tron yet. Unless we also start dialogues on privacy topics that extend well beyond the realm of digital privacy, that annoying fly on the wall is probably getting an upgrade.

Discussion

16 comments for “Knock, Knock. Who’s there? The Clipper Chip and Four Horsemen.”

  1. Oh look, Deutsche Telekom’s new anti-NSA phone was recently panned by critics as hackable. Why? Well, one reason is that it uses non-open sourced encryption that hasn’t been subject to peer review. Might there be a BND backdoor hiding in there? Maybe?

    Deutsche Welle
    Critics slam Simko: Deutsche Telekom’s secure ‘Merkelphone’

    After the NSA spying scandal, Deutsche Telekom says its “secure mobile platform” SiMKo protects users from tapping. But critics say it’s too expensive and still vulnerable to hacking.

    Date 03.12.2013
    Author Michael Scaturro
    Editor Sonya Diehn

    The German telecommunications company says its Simko phones offer the same level of security to government and corporate clients as the Simko device that Telekom made for German Chancellor Angela Merkel. It hopes its platform will become a standard that other European Union governments – and perhaps the EU itself – can use to thwart spying.

    Secure connection

    “The idea behind Simko is to project your own infrastructure,” said Michael Bartsch, head of mobile security at Deutsche Telekom. The company is making its network secure, Bartsch said. The phones then link up to the secure network through an encrypted gateway, he explained.

    Bartsch said that Simko should allow, for example, a German businessman in Africa and his colleague in Paris to talk, email, and chat securely.

    The Simko phones do this via an encrypted connection to a company’s network. That network then connects the calls by means of a server in Germany. This is intended to assure that only trusted devices can interact with one another.

    Previous versions of the Simko platform used iterations of the Android or Windows Mobile operating systems. Telekom’s newest release, SiMKo 3, uses Samsung Galaxy S3 phones, and allows encrypted voice calls over Wi-Fi and 3G.

    Bartsch said only militaries or governments sought encrypted voice communications, until about three or four years ago.

    “It’s new for the consumer market,” Bartsch said. While the service works in cities, where mobile networks are robust, the connection is not as good in the countryside, he conceded.

    Modified Galaxy

    Telekom says European governments and companies approached it in search of non-US secure mobile communications services. The company says one of Simko’s biggest selling points is anonymity – it says it doesn’t store any user data on its servers.

    The company doesn’t even know who is using the devices, Bartsch added: “It could be the CEO or it could be the porter. We don’t know.”

    Overpriced and hackable?

    But critics of Telekom’s platform point out that it is extremely expensive: each device costs about 1,700 euros ($2,310). A company would have to buy more than one, plus pay thousands in consulting and hosting services from Telekom, to use Simko3.

    A German tech industry CEO contacted by DW said he thought Simko had its merits, but felt that app-based secure chat and voice programs – like RedPhone or SilentCircle – were more cost-effective alternatives.

    “Microphone logging could be an issue through a backdoor in the Android or Apple iOS – in that case, Silent Circle wouldn’t help you. But most business people will never have to worry about this problem,” the CEO said.

    Privacy advocates in Germany and the U.S. also faulted Telekom for not using encryption technology that has been subjected to peer analysis.

    Christopher Soghoian of the American Civil Liberties Union said that in the wake of the NSA scandal, and allegations of government backdoors in some encryption techniques, the only systems that users should trust are those that are open source.

    “Think of it this way: seeing backdoors and seeing mistakes are two different things,” Soghoian said. “No one can write 50,000 lines of perfect code. The NSA and other intelligence agencies employ sophisticated hackers to find these mistakes.”

    Posted by Pterrafractyl | February 24, 2014, 3:13 pm
  2. This is fascinating: former US cyberczar Richard Clarke was giving the keynote address at the Cloud Security Alliance Summit and he seems to be simultaneously dismissing the idea that the governments pushing data-localization proposals are actually interested in protecting their citizens’ information from NSA spying and suggested that it would do nothing meaningful in terms of securing the data anyways.

    But Clarke also suggested that the NSA needs to almost become the anti-NSA, like Jacob Appelbaum has suggested, and inform the public of vulnerabilities it finds instead of stashing them away for use later. And they should back out of involvement with encryption standards altogether.

    As the article also points out, “perhaps the best route to data security is implementing trusted encryption standards for data in transmission, in use and at rest”, so if the NSA really did remove itself from encryption standards altogether and allowed for the development of unbreakable encryption, and then cloud services standardize the use of that encryption for data-transmission, data storage, and data usage, are the cloud services themselves going to be the sole holders of those encryption keys? Is handing off data exclusively to the private sector the compromise solution we’re heading towards?

    Search Security
    Richard Clarke: NSA revelations show potential for police state
    Brandan Blevins, News Writer Published: 24 Feb 2014

    SAN FRANCISCO — Revelations about NSA monitoring activities over the last year show the potential for a police state mechanism, according to the former U.S. cybersecurity czar, but there is still time to avoid the dire consequences.

    At the 2014 Cloud Security Alliance Summit, unofficial RSA Conference opener Richard Clarke, chairman of Washington, D.C.-based Good Harbor Consulting LLC, spoke to a packed audience. The former cybersecurity advisor to President Barack Obama discussed his involvement in the December 2013 report reviewing the data collection and monitoring capabilities at the National Security Agency, Central Intelligence Agency and the Federal Bureau of Investigation.

    Clarke said that the reaction to leaks by former NSA contractor Edward Snowden has perhaps been overblown, because he described the employees at the three-letter agencies as “incredibly intelligent people” who are focused on combating terrorism and punishing violations of human rights. As part of the review process, Clarke and his group were given what he called carte blanche security clearances to review all of the agencies’ intelligence-gathering capabilities.

    Those employees are not currently listening to random phone calls and reading email, Clarke said, but that doesn’t mean U.S. citizens should ignore the agencies’ growing capabilities.

    “In terms of collecting intelligence, they are very good. Far better than you could imagine,” Clarke said. “But they have created, with the growth of technologies, the potential for a police state.”

    Clarke said such concerns are hardly new, pointing to the government committee headed by Sen. Frank Church in the 1970s. Church warned at the time that the technologies at intelligence agencies were developing at such an alarming rate that, if they were all turned on, the U.S. would never be able to turn them off, effectively creating a permanent police state in which the entire populace would be under constant surveillance.

    Though such warnings seem dire, Clarke noted that the seemingly endless scope of current government surveillance activities stemmed largely from a lack of strict guidance from policy makers. He said a major aspect of the report to the White House was simply prompting the questions that were previously unasked: What are our intelligence agencies collecting? What should they be collecting? If we should be collecting data, how do we safeguard it? If we’re collecting data, how do we stay consistent with U.S. traditions of privacy and government oversight?

    Clarke warned that such measures are needed sooner rather than later. Harkening back to the terrorist attacks on September 11, 2001, which triggered a rash of security-focused legislation such as the Patriot Act that laid the foundation for the intelligence-gathering capabilities the U.S. government has today, he said another large terrorism event could push the country further toward a police state.

    “The NSA, despite all the hoopla, has been a force of good. It could, with another president or after another 9/11, be a force not for good,” Clarke said. “Once you give up your rights, you can never get them back. Once you turn on that police state, you can never turn it off.”

    U.S. cloud providers losing market share

    Much of the discussion around the NSA revelations rightfully has been around civil liberties and personal privacy, but according to Clarke, the “policy mistakes” that led to widespread data surveillance are also having a negative impact on the business of U.S. cloud providers.

    Though the scope is unclear, Clarke said that rival cloud providers in Europe and particularly Asia are successfully playing up the fears of potential NSA back doors in U.S.-based cloud services to their clients. Such selling points are laughable, he noted, considering government agencies around the world are engaged in many of the same activities as the NSA.

    “The hilarious part is [U.S. cloud providers] don’t have those back doors, but some of the Asian products do,” said Clarke.

    He also warned that calls from the European Union and elsewhere for data localization — basically, measures to ensure that data is only stored within servers that are physically located in certain countries or regions — are largely being driven by “economic considerations.” Those countries want local companies to be more competitive against international cloud providers, Clarke said. Those countries have no real concern for whether such measures will mitigate surveillance activities.

    “If you think that by passing a law requiring data localization stops the NSA from getting into those databases, think again,” Clarke said. “It’s being pushed by the bottom line.”

    Instead of relying on data localization, Clarke instead suggested that companies focus on actually securing their respective cloud environments, including taking steps to implement the standards provided by the Cloud Security Alliance.

    Clarke did not absolve the U.S. government of responsibility, however. He said there are recommendations in the report to the White House that have yet to be adopted, but would improve the trust of U.S.-based cloud providers.

    For example, government spy agencies should notify the world anytime they discover a potential zero-day vulnerability, according to Clarke, instead of stashing them away in an arsenal for future use. He said such measures are needed to protect U.S. companies against a barrage of nation-state-sponsored hackers and cybercriminal cartels, many of which rely on a growing black market of zero days to compromise organizations, ultimately costing the economy “hundreds of billions of dollars.”

    Clarke also recommended that the government appoint a strong and independent advisory board to oversee issues of privacy and civil liberties. A group known as the P Club does already exist within the government, he noted, but it currently lacks the needed authority to provide true oversight over intelligence agencies. U.S. citizens need a visible, accountable presence to be reassured that such matters are being tended to, said Clarke.

    Perhaps the most vital area where the government needs to regain confidence is that of encryption, Clarke suggested, especially after reports surfaced late last year showing that the NSA may have paid security vendor RSA $10 million to implement a purposefully weakened random number-generation algorithm as the default option in its Bsafe line of products.

    This is especially true in cloud environments, where perhaps the best route to data security is implementing trusted encryption standards for data in transmission, in use and at rest.

    “Not much really happened, but enough happened so that the trust in encryption has been greatly eroded,” Clarke said. “The U.S. government has to get out of the business of f—ing with encryption standards.”

    If we do go down this path, it’ll be interesting to see which companies suddenly decide to jump into the cloud services markets.

    Posted by Pterrafractyl | February 26, 2014, 2:26 pm
  3. Be sure to check out this fabulous article that gives a great overview of many of the issues surrounding mass surveillance, encryption, potential balkanization of the internet, and other possible approaches to making data NSA-proof. It’s a long article but well worth the read:

    TidBITS
    06 Dec 2013
    Are We Ready for the Post-Snowden Internet?

    by Geoff Duncan

    It has been nearly six months since government surveillance revelations from Edward Snowden began to be published in the Guardian, Washington Post, and other outlets. Snowden turned over as many as 200,000 classified documents to journalists, and they’ve revealed a myriad of intelligence-gathering tools and operations aimed squarely at our electronic lives, regardless of location, citizenship, activities, or legal status. And the hits keep coming: nearly every week sees new details published from Snowden’s cache, momentum that has stirred up many independent revelations. Some have been minor, but others — like PRISM, tapping internal network links at services like Google and Yahoo, and collecting location data on mobile phones worldwide — have been astonishing.

    It’s easy to enjoy “Snowden schadenfreude.” (Or perhaps “Snowdenfreude?”) Who doesn’t like seeing the powers-that-be taken down a notch or two? It’s also easy to believe the ongoing scandals don’t matter to ordinary people. After all, who cares if the NSA knows about your online pizza order last Saturday?

    The disclosures are clearly impacting government policy and diplomacy, but may also change the fundamental architecture of the Internet. A broad range of countries and companies are openly talking about forming isolated and compartmentalized networks to protect themselves (and their citizens) from surveillance regimes.

    And that might break up the Internet.

    It Just Works — It seems obvious, but the Internet’s greatest strength is interoperability. If you can get an IP “dialtone” on any of the Internet’s 40,000+ networks, you can access any site, app, or service anywhere else in the world. Sure, there are practical concerns: you might not have much bandwidth, access might be expensive, your device or software may not be compatible, a site might be down or blocked, your connection might be unreliable, et cetera. But that fundamental interoperability is the heart and soul of why the Internet has become humanity’s dominant communications medium, and has made things ranging from smartphones to the Arab Spring possible.

    This year’s mass surveillance revelations — and the legal frameworks behind them — may represent the biggest interoperability challenge the Internet has faced. Now, being part of the Internet community means being subject to monitoring by the Five Eyes — the intelligence agencies of the United States, the United Kingdom, Canada, Australia, and New Zealand — in addition to lawful intercept and domestic surveillance conducted by national and local governments. Countries can pass laws to monitor communications amongst their own people or within their own borders — most countries have — but those same countries almost certainly consider the activity of the Five Eyes an infringement on their sovereignty. And they’re not happy about it.

    Slouching Towards Balkanization — The human reaction to external threats is predictable: circle the wagons, bar the gates, hide the children, and raise the drawbridge. In the extreme, a country could block Internet access at its borders, creating a walled garden. Internet services would work domestically, but be disconnected from (or even incompatible with) the global Internet, keeping out the Internet’s broadest dangers and the Five Eyes.

    Few nations would risk the economic damage that would come from disconnecting from the global Internet. A more realistic option is requiring Internet behemoths like Google, Facebook, Yahoo, Amazon, and Apple to locate services and store data within a country’s borders — where they would be subject to the country’s laws. The Five Eyes’ surveillance regime is effective because so much everyday Internet traffic is routed through data centers in North America and Europe — where major Internet companies are headquartered — and subject to those countries’ laws. As of January 2013, more than 100 countries had no domestic Internet exchanges, meaning they were entirely dependent on foreign services. Requiring major providers to locate data centers within a country’s borders means local traffic would stay local, theoretically beyond the reach of the NSA’s legal and clandestine tentacles into American companies.

    It’s not a new idea. China mandates that Internet businesses comply with the censorship and data handover requirements of the so-called “Great Firewall.” It’s not just a pro-forma requirement: China has imprisoned a number of dissident bloggers, some on the basis of information turned over by Yahoo’s Chinese subsidiary, and in 2010 Google moved its Chinese search engine from Beijing to Hong Kong to sidestep Chinese censorship requirements. The same year, countries like India, Saudi Arabia, and Indonesia moved to shut down the BlackBerry service unless they were granted a way to intercept messages. BlackBerry kept running, most likely by parking servers in those jurisdictions where they can be monitored without involving international law. Of course, Internet users may not be comfortable with what their governments do and don’t allow within their online borders: according to the latest World Wide Web Foundation’s Web Index (founded by Web creator Sir Tim Berners-Lee), 30 percent of the world’s nations engage in moderate to extensive blocking of online content and services they deem objectionable or sensitive.

    Some of these examples predate recent surveillance disclosures. Who might be next? Consider Brazil. Brazil had previously pondered its own national secure email service (through its post office), but is now getting serious, with President Dilma Rousseff laying out proposals to bolster Brazil’s domestic bandwidth (keeping Brazilian traffic in Brazil), require Internet companies to locate data centers within its borders, and encourage network operators to use networking equipment designed and produced in Brazil.

    The notion of Brazilian-designed networking gear could be important. In the next two years Brazil is scheduled to light up five new undersea fiber links to Africa, Europe, and Asia, (and, yes, to the United States), potentially enabling Brazil (and its overseas partners like China and South Africa) to bypass the Five Eyes. If those links — or Brazil’s expanded networks — eventually work only with Brazilian gear, the country could become the Internet’s largest walled garden. But Rousseff sees the moves as a way to protect values that historically have been championed by the United States.

    “In the absence of the right to privacy, there can be no true freedom of expression or opinion, and therefore no effective democracy,” she told the UN General Assembly. Then, driving her point home, Rousseff announced (ironically, via Twitter) that Brazil will be hosting an ICANN summit on Internet privacy and security in April 2014, and cancelled a state dinner with the Obamas.

    Brazil is not alone in considering carving away from the Five Eyes. In the European Union, France and Germany have been highly critical of recent surveillance revelations. The EU’s internal market commissioner Michel Barnier has called for a “European data cloud”, and EU justice commissioner Viviane Reding characterized the European Parliament’s vote on data protection regulations as a declaration of independence, requiring non-EU companies to “deal responsibly” with user data or be fined up to 5 percent of their annual worldwide revenue. If EU member states adopt the policies, Internet users will see warnings when their personal data is about to leave servers covered by EU data protection laws.

    Some “Email Made In Germany” services piggybacking on popular concern over NSA surveillance already do something similar. Raising the ante, Deutsche Telekom is currently proposing an “all-German” domestic Internet with an eye towards encompassing the whole Schengen Area, twenty-six European countries that have mutually set aside passport and immigration controls. (The UK and Ireland opted out.)

    Think Global, Act Local — If Internet balkanization can protect privacy, is it a bad thing? On some levels, keeping user information, data processing, and communication within a country or region is just common sense. Do we need to use a server halfway around the world to send a quick message across town? It certainly isn’t efficient, purely on the basis of resource consumption, electricity, network infrastructure, and complexity.

    The flip side is that balkanization — even when well-intentioned — can impact the interoperability and communicative power of the Internet. Requiring companies to run separate facilities in each country in which they operate is both expensive and cumbersome. Those costs could impede innovation if companies have to choose between setting up a data center in (say) Austria or investing in R&D.

    Sometimes Internet services pick up their most loyal followings in unexpected places — that would be far less likely to happen with a balkanized Internet. Remember Orkut, Google’s early experiment in social networking? Most people don’t, but it was huge in Brazil and India for years — and Google eventually moved it to Brazil entirely. Similarly, Canadian instant messaging service Plurk never managed to rival Twitter, but it became so popular in Taiwan it accepted millions to relocate there in early 2013. How about San Francisco’s social/gaming service Hi5? It’s now part of Tagged, but its biggest audience has always been in Latin America.

    Can social networks and modern apps survive in a world with online border checkpoints? Imagine installing a new collaborative music app or game from the App Store, only to find you can’t use it with your friends because it hasn’t been approved in their jurisdiction. Want to share a tagged photo? Maybe you can’t because your preferred social network doesn’t support a “right to be forgotten.” Maybe you’re travelling and want to check back in with family via FaceTime, but it’s blocked because Apple has not granted the local government a back door to tap into video chats. Or maybe all these services will work great once you register your devices, verify your identity, and pay a fee to another country. A global patchwork of Internet regimes — each with its own quirks and requirements — quickly undermines the free exchange of data and information on which the modern Internet has thrived.

    Perhaps most importantly, countries that decide to require Internet services host and process data locally will have the capability to monitor that data much more closely — and decide what can and cannot flow across their borders, what they will and won’t collect. This might not be a major issue in democratic countries like Brazil and Germany — although they operate their own sophisticated intelligence regimes. However, authoritarian states may decide to engage in (more) internal censorship and surveillance. Further, some firms will choose not to operate in particular countries — like Google in China — due to legal requirements, technical complexity, or the burden of setting up subsidiaries. What if Facebook and Twitter had been required to run data centers in Tunisia, Egypt, or Yemen under the thumb of those countries’ former governments? Could the Arab Spring have taken place without the extra-territorial communications channels made possible by Facebook and Twitter?

    Slouching Towards Transparency — Encryption alone is no guarantee data will be safe from the NSA’s prying eyes, but, done well, broader use of strong encryption can at least reduce weak points being leveraged by the NSA or others.

    So what about all those other bugs and exploitable problems that compromise encryption and security? There’s no easy answer other than fixing those problems and making better systems. Most companies handle this process behind closed doors (if they handle it at all), often considering the details proprietary. But the Internet industry as a whole might be able to move forward via transparency and certification authorities — if only companies would get on board.

    In general terms, transparency would mean companies being open not only about problems and errors in their software and hardware products, but also about how they create their products so customers can understand their risks. For hardware makers, that might include information about design, parts, supply chain, firmware, and physical security at manufacturing facilities; for software makers, it might include what libraries and tools they use or license and details of how their software communicates. The idea is not just to let users (and customers) know whether products are vulnerable to a known problem (rather like the widely used CVE system that catalogs security vulnerabilities) but also to identify whether manufacturing or development processes are vulnerable to the end-runs the NSA seems to prefer.

    When problems turn up — and they always do — solutions and case studies can be made available to the entire industry to be refined or perhaps adopted as a best practice. Such a process will inevitably look like the cat-and-mouse game software makers have played with hackers and virus writers for years, except it could be the global Internet and telecommunications industries going up against the NSA and its partners. And, like the fight against malware, it would probably be never-ending.

    A big question is who would manage all this. No organization currently acts as a clearinghouse for digital security threats — aside, perhaps, from the NSA — and it’s a gargantuan task. Organizations and frameworks like the ISO, the ISA Security Compliance Institute, Common Criteria, and the National Institute of Standards and Technology (NIST) could play a role here — although NIST is working to regain trust in the computer security community following recent reports the NSA got a backdoor into a NIST encryption standard. (NIST immediately launched a review.) The Internet Engineering Task Force (IETF) appears ready to engage in a long-term effort to re-evaluate the security of many of the Internet’s core technologies. At least it’s a start.

    Internet, mobile, and telecommunications industries could take a cue from standards bodies in other industries like aerospace, healthcare, and safety — consider government agencies like the National Transportation Safety Board and companies like Underwriters Laboratories. Standards bodies and certification agencies identify risks, establish best practices, and develop tests and compliance programs that confirm products meet security standards. NIST has issued a preliminary cybersecurity framework aimed at critical infrastructure, but it includes an appendix on privacy and civil liberties.

    Telecommunications giant Huawei is also trying to get the ball rolling on international cybersecurity standards: it recently published a white paper detailing its own internal practices — so far as I can tell, that’s a first for the industry. Huawei is the world’s largest telecommunications gear maker but is essentially barred from the U.S. market over allegations that its equipment might contain secret backdoors for the Chinese government. Thus, Huawei’s call for standards may be self-serving, but the company’s semi-pariah status might enable it to take a leading role. After all, among companies in its industry, Huawei has the fewest connections to the U.S. government and Internet companies at the heart of this year’s mass surveillance revelations.

    “We’re not saying that we have all the answers,” said Huawei USA Chief Security Officer Andy Purdy in a phone interview this October, “but we’ve got to come up with some areas of agreement and we have to have product assessment. That feedback loop is essential for the global industry generally. We know it’s hard — we have thousands of suppliers — but we’ve got to raise the bar.”

    Cybersecurity standards and certification could become extremely important if countries like Brazil and Germany — and anyone who wants to partner with them — begin separating themselves from the global Internet and preferring infrastructure and gear designed and produced in their own countries.

    It’s Complicated — If there were an easy solution to the conflict between individual privacy, personal and national security, and the mass surveillance being carried out by western powers, we would have figured it out by now. The reality is that these issues have been with us for years; solutions are going to be incomplete, long-term, and messy; and conflict will only become more pronounced with our dependency on the Internet and modern communications.

    It’s a shame. From a humble beginning more than four decades ago, the Internet has developed into perhaps humanity’s most powerful tool for spanning cultural divides, expanding access to information and education, enabling freedom of expression, protecting human rights, and — despite the trolls — broadening the human experience. Let’s hope we don’t destroy it to spite ourselves.

    As the article highlights, there are a number of approaches the global community can take to thwart Five Eyes spying that take very different forms. Nations or regions (like the EU) could split up the internet by setting up their own separate encryption standards and basically mimicking the ‘Great Firewall’ of China. As the author points out, if Brazil goes ahead and creates an internet that only works with Brazilian gear, it could create the internet’s largest “walled garden”. Or we could see the international IT industry attempt to assemble new international bodies for establishing security standards for IT hardware and software designed to keep the NSA out of everyone’s data. It would be like the ‘cat and mouse’ game already played between the IT industry and hackers and criminals, but now the Five Eyes would be added to the list of digital miscreants.

    And why not both solutions? Balkanize the internet and then set up new international standards and institutions that are specifically designed to keep the Five Eyes out. Will that combo protect our privacy? Of course not since, as the article points out, such approaches do NOTHING to stop domestic intelligence agencies from legally requiring access to our personal data and the data localization laws simply enable domestic snooping. So balkanizing the internet and reestablishing security standards won’t really do anything unless you trust your own government or somehow prevent domestic surveillance too.

    And, of course, there’s also the issue of non-NSA intelligence agencies snooping on international traffic flows. The article also makes a key point on this matter: “As of January 2013, more than 100 countries had no domestic Internet exchanges, meaning they were entirely dependent on foreign services.” This is important because internet exchange points are where your data gets passed off from one ISP to another and they’re critical for the creation of a domestic-only internet. One reason Brazil can even talk about walling off its internet is because it’s building exchange points at an incredible pace. Internet exchange points are needed to make the internet actually work efficiently because they’re what gives the data multiple options to get from point A to point B. This is why so many of the issues around balkanizing the internet involve the loss of network efficiency because walling off your nation’s internet also involves restrictions on how exchange points can route the traffic. So, as we enter this period where profound changes to how the internet works might be coming, keep in mind that the poorest nations of the world don’t have the infrastructure necessary to fully exploit those changes, for good or ill. But also keep in mind that this is also just a temporary state of affairs. Internet exchanges are eventually going to be built everywhere, but not yet, so we might not see the full impact of balkanization of the internet for the medium term.

    This also means that the balkanization of the internet will probably end up manifesting itself in a quasi-continental manner instead of nations all suddenly deciding to route traffic nationally. Instead, those regions that currently possess a large number of exchange points become replacements for the role the US and UK have traditionally played in routing global traffic. Because if you want to avoid routing your traffic through the US or UK but you also want to have the efficiencies that come with having a global internet, you’re going to have to send your traffic somewhere with lots of exchange points when your citizens want to communicate with the outside world. When Brazil and the EU push for walled off internets on the grounds that they are protecting their domestic traffic from Five Eyes surveillance, they are implicitly recommending that the rest of the world start using Brazil and the EU as the new international data-traffic hubs.

    For instance, check out this map of global exchanges and note that ALL of Brazil’s neighbors have only one exchange point and the rest are all in Brazil. This means Brazil basically IS the South American internet for the time being. As we saw before, Brazil is already the internet exchange point hub for ALL of South America and that intra-South American data traffic will have to continue flowing in and out of primarily Brazil until the rest of Brazil’s neighbors build their own large networks of internet exchange points. Similarly, take a look at the number of internet exchange points in Europe. There are so many that Europe really is a sort of mini-internet in and of itself. So as we talk about the balkanization of the internet, keep in mind that Brazil and the EU are currently the only internet exchange point global hubs other than the Five Eyes nations. It raises the question: if Brazil develops its own hardware standards and those standards become the heart of a South American walled-off internet, will the South American hardware and software manufacturers set up institutions specifically designed to set up standards that keep out Brazil’s intelligence agencies? How about the EU? No? Might the European Telecommunications Standards Institute actually work to ensure surveillance capabilities exist in the EU’s architecture? Quite possibly?

    IEEE Spectrum
    NSA Surveillance Sparks Talk of National Internets
    Germany takes the lead in making the Internet local
    By John Blau
    Posted 23 Jan 2014 | 15:00 GMT

    Just imagine the “network of all networks,” the globe-spanning Internet, becoming a loose web of tightly guarded, nearly impermeable regional or even national networks. It seems antithetical to the mythology surrounding the Internet’s power and purpose. But ongoing revelations about the extensive surveillance activities of the U.S. National Security Agency (NSA) are pushing countries like Germany and Brazil to take concrete steps in that direction.

    Within the 28-member European Union, Germany is taking the lead in pushing for measures to shield local Internet communications from foreign intelligence services. That should come as no surprise. For Germans from the formerly Communist-ruled part of the country, NSA spying sparks bitter memories of eavesdropping by the Stasi, the secret police agency of the former East Germany. Because of that history, Germany has one of the strictest data privacy regimes in the world. On more than one occasion, the country has forced Google and other Internet companies to amend their data collection and usage practices.

    Leslie Daigle of the Internet Society writes that the Internet “was not designed to recognize national boundaries” but rather for resiliency, which is “achieved through diversity of infrastructure: Having multiple connections and different routes between key points ensures that traffic can route around network problems and nodes that are off the air because of technical, physical, or political interference, for example.”

    That said, Pohlmann argues that the Internet community still needs “a common global infrastructure that ensures a high level of IT security, even if no one can guarantee 100 percent security.” He calls on users to rely on end-to-end encryption and virtual private networks, which would make spy-agency snooping difficult.

    But Jacob Appelbaum, a developer of the Tor Project, warns that even secure systems like virtual private networks can be rendered useless through misuse of so-called backdoors. Backdoors are essentially software designs in networks that allow authorities to conduct “deep packet” inspection to monitor and intercept data. The European Telecommunications Standards Institute, for instance, works closely with operators, government, and law enforcement agencies to integrate surveillance capabilities into communications networks. But many operators are concerned about how access to the backdoor “keys” is regulated, and, in the case of some equipment vendors—notably China’s Huawei Technologies Co.—about whether secret backdoors are built into network systems without operators’ knowledge.

    Deutsche Telekom’s Obermann acknowledges the problem. “We need strong and secure networks in Europe,” he says. “Maybe that means we need to make the technology ourselves, or that the technology we buy doesn’t provide backdoors.”

    But don’t expect intelligence forces to ever give up trying to penetrate security systems, no matter how advanced they may be, cautions Neelie Kroes, vice president of the European Commission, which is responsible for Europe’s digital agenda. “Spying is the world’s second oldest profession,” she said in Bonn. “Let’s not be naive—it won’t ever stop. We just need to be able to protect ourselves better.”

    Yikes! The European Telecommunications Standards Institute works to integrate surveillance capabilities into communications networks? Should we perhaps take Jacob Appelbaum’s advice about turning the NSA into the anti-NSA and applying that to the EU? Maybe the newly proposed EU spy agency could play the role of ensuring that all of EU’s national spy agencies can’t read any data flowing through the entire EU. At least, if the EU is to become a global internet exchange point hub, an anti-EU spy agency would be necessary if we’re going to adhere to our new global expectation of data privacy, right?

    Posted by Pterrafractyl | March 1, 2014, 4:41 pm
  4. Edward Snowden provided testimony to the EU parliament. It looks like Snowden and the EU parliament are going to take the “the NSA was secretly bullying the EU members into helping it spy on their citizens”-angle. It’s not a surprising angle since this is a testimony to the EU parliament about how all their national governments were secretly setting up these agreements designed to allow surveillance of their citizens in plausibly deniable ways. So the EU MEPs might as well try to plausibly deny that stuff like this went on with their knowledge. It’s worth a shot!

    PC World
    NSA created ‘European bazaar’ to spy on EU citizens, Snowden tells European Parliament
    Loek Essers @loekessers

    Mar 7, 2014 5:43 AM

    The U.S. National Security Agency (NSA) has turned the European Union into a tapping “bazaar” in order to spy on as many EU citizens as possible, NSA leaker Edward Snowden said.

    The NSA has been working with national security agencies in EU member states to get access to as much data of EU citizens as possible, Snowden said in a testimony sent to Members of the European Parliament (MEPs) published Friday.

    The European Parliament had invited Snowden to provide testimony for an inquiry into the electronic mass surveillance of EU citizens. That surveillance, often instigated by the NSA but carried out with help of EU member states, is quite extensive, he wrote.

    The NSA has been pressuring EU member states to change their laws to enable mass surveillance, according to Snowden. This is done through NSA’s Foreign Affairs Division (FAD), he said, adding that lawyers from the NSA and GCHQ work very hard “to search for loopholes in laws and constitutional protections that they can use to justify indiscriminate, dragnet surveillance operations that were at best unwittingly authorized by lawmakers,” he said.

    The efforts to “interpret new powers out of vague laws” is an intentional strategy to avoid public opposition and lawmakers’ insistence that legal limits be respected, he said.

    Recently, the FAD has used such pressuring techniques on Sweden and the Netherlands as well as on New Zealand, according to Snowden. Germany has also been pressured to modify a law on the secrecy of post and telecommunication correspondence to appease the NSA, eroding the rights of German citizens under their constitution in the process, Snowden said.

    “Each of these countries received instruction from the NSA, sometimes under the guise of the U.S. Department of Defense and other bodies, on how to degrade the legal protections of their countries’ communications,” he said. The ultimate result of this NSA guidance is that the right of ordinary citizens to be free from unwarranted interference is degraded, and systems of intrusive mass surveillance are being constructed in secret within otherwise liberal states, he said, adding that this often happens without the full awareness of the public.

    Ultimately, each national spy agency is independently hawking domestic access to the NSA and others “without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole,” according to Snowden.

    Once the NSA has dealt with legal restrictions on mass surveillance in partner states, it pressures them to perform operations to gain access to the bulk communications of all major telecommunications providers in their jurisdictions, Snowden said. “Sometimes the NSA provides consultation, technology, or even the physical hardware itself for partners to ‘ingest’ these massive amounts of data in a manner that allows processing,” he added.

    “By the time this general process has occurred, it is very difficult for the citizens of a country to protect the privacy of their communications, and it is very easy for the intelligence services of that country to make those communications available to the NSA—even without having explicitly shared them,” Snowden wrote.

    The deals between the NSA and foreign partners are set up in such a way as to provide the NSA with a means of monitoring a partner’s citizens without informing the partner, and to provide the partner with a means of plausible deniability, he said.

    “The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn’t search it for Danes, and Germany may give the NSA access to another on the condition that it doesn’t search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements,” Snowden said.

    Snowden, who said that he’s still seeking asylum in the EU, also provided solutions to solve the mass surveillance problem.

    It is easy to make mass surveillance more expensive through changes in technical standards, he said. “Pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost effective basis,” he said, adding that the result is that governments are likely to fall back to traditional, targeted surveillance founded upon an individualized suspicion.

    This traditional method is more effective than mass surveillance, according to Snowden. “I believe that spying serves a vital purpose and must continue,” he said.

    Note that Snowden reiterated that the solution is “pervasive, end-to-end encryption” that will “quickly make indiscriminate surveillance impossible on a cost effective basis” while adding both that spying is important and also that governments will be forced to revert to traditional, targeted surveillance founded upon an individualized suspicion once pervasive encryption is employed. Part of what makes these suggestions interesting is that targeted surveillance has traditionally relied on techniques like wiretapping. But the “pervasive, end-to-end encryption” that Snowden refers to obviously assumes encryption that intelligence agencies can’t break (otherwise what’s the point?). At least, if it’s strong encryption that’s being pervasively implemented, it should be basically unbreakable even to agencies with immense resources for decades to come.

    Sure, law enforcement and intelligence agencies can always plant spyware on your computer to grab the data after it’s been decrypted. That’s what FinFisher and the other super-spyware toolkits were all about. But as Jacob Appelbaum suggests in the opening comments of his recent talk at the Chaos Communication Congress:

    The Transcript

    Act One

    Jacob Appelbaum: So recently we heard a little bit about some of the low-end corporate spying that’s often billed as being sort of like the hottest, most important stuff, so the FinFisher, the Hacking Team, the VUPEN and sort of in that order it becomes more sophisticated and more and more tied in with the National Security Agency. There are some Freedom of Information Act requests that have gone out that actually show VUPEN being an NSA contractor, writing exploits, that there are some ties there.

    [see slide]

    This sort of covers the sort of, the whole gamut I believe, which is that, you know, you can buy these like little pieces of forensics hardware, and just as a sort of fun thing I bought some of those and then I looked at how they worked and I noticed that this “Mouse Jiggler,” you plug it in and the idea is that it like keeps your screen awake. So have any of you seen that at all? This piece of forensics hardware so your screensaver doesn’t activate. So I showed it to one of the systemd developers and now when you plug those into a Linux box that runs systemd, it automatically locks the screen when it sees a USB ID.

    [applause]

    So when people talk about free software, free as in freedom, that’s part of what they’re talking about.

    So there are some other things which I’m not going to really talk a lot about it because basically this is all bullshit that doesn’t really matter and we can defeat all of that. This is the individualized things we can defend against. But I want to talk a little bit about how it’s not necessarily the case that because they’re not the most fantastic, they’re not the most sophisticated, that therefore we shouldn’t worry about it.

    That’s the opening segment of Appelbaum’s talk. Notice that he refers to something like FinFisher as “bullshit that doesn’t really matter and we can defeat all of that. This is the individualized things we can defend against”. In other words, if you really know what you’re doing, the individualized attacks are “bullshit” that you can defend against. It’s the things like the NSA secretly fiddling with encryption standards (the indirect secret Clipper Chip analogue) that security experts can’t easily get around because use of standards is hard to avoid.

    Appelbaum goes on to talk about an investigative journalist that wasn’t at all a security expert and who was seriously violated by lower-level cyberattacks to make the point that things like FinFisher are indeed a very real threat to non-experts. So the solution that Edward Snowden appears to be recommending is mainstream strong encryption under the assumption that targeted surveillance will still be an option for legitimate spying purposes. And, in most cases, that will be true because, in most cases, random targets of surveillance are not going to have the knowledge required to protect their data after it’s been decrypted even if you set up the strong “end-to-end” encryption for the internet. Future FinFishers and other forms of spyware will still be very formidable dangers for most random people. But if Appelbaum’s “this is all bullshit” sentiment reflects a reality that security experts really can protect against individualized attacks once the NSA’s “bugs” get hammered out of the encryption standards, we could be entering another form of social bifurcation: random non-security experts will probably still be subject to mass-digital surveillance via sophisticated back doors in the software on your computer. But security experts and those wealthy enough to have experts manage their data content might end up being able to maintain unbreakable data-anonymity. The Four Horsemen of the Infopocalypse only get selectively unleashed for use by those with the resources to do so but there’s still a continuation of endless spyware for the rabble? As David Brin suggests:

    But at a deeper level it is simply stupid. Any loophole in transparency ‘to protect the meek’ can far better be exploited by the mighty than by the meek. Their shills, lawyers and factotums will (1) ensure that ‘privacy protections’ have big options for the mighty and (2) that those options will be maximally exploited. Moreover (3) as I show in The Transparent Society, encryption-based ‘privacy’ is the weakest version of all. The meek can never verify that their bought algorithm and service is working as promised, or isn’t a bought-out front for the NSA or a criminal gang.

    Above all, protecting the weak or meek with shadows and cutouts and privacy laws is like setting up Potemkin villages, designed to create surface illusions. Anyone who believes they can blind society’s elites — of government, commerce, wealth, criminality and tech-geekery — is a fool…

    Societies should probably start talking about how we can avoid the future Brin describes because we just might be heading towards it.

    Posted by Pterrafractyl | March 9, 2014, 5:39 pm
  5. Hopefully there’s going to be some followup questions on this topic…

    Germany rejects Snowden claim it bowed to NSA
    By FRANK JORDANS, Associated Press
    March 10, 2014 Updated: March 10, 2014 12:01pm

    BERLIN (AP) — Germany on Monday dismissed a claim by NSA leaker Edward Snowden that it had bowed to U.S. demands to water down privacy rights for German citizens.

    Snowden told the European Parliament in a statement published Friday that Germany was pressured to modify its legislation on wiretapping and other forms of lawful telecoms surveillance. The former National Security Agency contractor didn’t elaborate on how the laws were changed or when, but suggested it was standard practice for the NSA to instruct friendly nations on how to “degrade the legal protections of their countries’ communications.”

    “Laws are made by the German parliament and it doesn’t give in to outside pressure, certainly not from foreign spy agencies, and that’s true in this case too,” government spokesman Steffen Seibert said.

    Snowden’s claim is particularly sensitive for Germany. While Chancellor Angela Merkel’s government has been among the loudest critics of the NSA’s reported surveillance of foreign citizens — including Merkel herself — domestic critics say German spy agencies collaborated closely with their American counterparts in ways that may have breached Germany’s strict data protection laws.

    Snowden claims the NSA took advantage of different legal systems across Europe to eavesdrop on calls and emails across the continent.

    Posted by Pterrafractyl | March 10, 2014, 1:24 pm
  6. Here’s the latest cryptographic call to arms:

    The New York Times
    Snowden Tries to Rally Tech Conference to Buttress Privacy Shields
    March 10, 2014, 12:09 pm
    By JENNA WORTHAM and NICOLE PERLROTH

    AUSTIN, Tex. — Edward J. Snowden wants the technology industry to get serious about protecting the privacy of its users and customers.

    “When we think about what is happening at the N.S.A. for the last decade, the result has been an adversarial Internet,” Mr. Snowden told a crowd of developers and entrepreneurs at the South by Southwest conference here on Monday, speaking by videoconference.

    “They are setting fire to the future of the Internet,” he added. “You guys are all the firefighters. We need you to help us fix this.”

    Mr. Snowden, the former National Security Agency contractor who leaked classified documents that revealed a vast network of government surveillance, told the audience that they “can enforce our rights for technical standards.”

    Mr. Snowden said he chose the conference, known as SXSW, to speak directly to people with the skills to make mass surveillance significantly more expensive for government agencies — if not impossible. For the past decade, Mr. Snowden said, the N.S.A. had been given free rein to make the Internet less secure by engaging in large-scale sweeps of data.

    Mr. Snowden fled the United States last summer and is living at an undisclosed location in Russia, where he has been granted temporary asylum. He faces charges in the United States of violating the Espionage Act.

    Mr. Snowden appeared remotely at the conference with Christopher Soghoian, the principal technologist of the American Civil Liberties Union, and Ben Wizner, director of the A.C.L.U.’s Speech, Privacy and Technology Project and Mr. Snowden’s legal adviser, both of whom were on site in Austin. The event was a rare live interview for Mr. Snowden, conducted by Mr. Wizner.

    Using technology to mask his whereabouts, Mr. Snowden appeared through a Google Plus videoconference — the irony of which was not lost on Mr. Snowden or others, who joked about the fact that Google was involved in many of Mr. Snowden’s revelations.

    Appearing before a green screen that had been programmed to display the American Constitution, Mr. Snowden addressed a rapt audience that often broke into applause and cheers. Hundreds packed into an exhibition hall to hear him speak and those who could not find seats stood along the wall or sat on the floor.

    At various points during the event, the Internet access in the convention center buckled under the burden of all the people trying to use their devices to tweet or go online. And at times, Mr. Snowden’s connection dropped, in part because of the anonymity software he used to mask his location.

    Mr. Snowden said he hoped to raise a call to arms to developers, cryptographers and privacy activists to build better tools to protect the privacy of technology users. The goal, he said, was that encryption would ultimately be considered as a necessary, basic protection, and not something easily dismissed as an “arcane black art.”

    Ultimately, Mr. Snowden said, that will “allow us to reclaim the open and trusted Internet.”

    He was referring to the many digital encryption protections that are cheap and widely available, but exceedingly difficult for people to use properly.

    Mr. Snowden noted that encryption services like Pretty Good Privacy, or PGP software, and anonymity services, like Tor, are available, but are not as easy to use as Google’s Gmail service or Chrome browser.

    He also praised services like Open WhisperSystems, a suite of applications that aims to make secure communications tools usable and commonly used.

    Ultimately, the tech industry can help fix the problem of security, Mr. Soghoian said. “Most regular people are not going to download some obscure security app,” he said. “They’re going to use the tools they already have,” like Google, Facebook and Skype.

    Mr. Snowden repeatedly emphasized that he didn’t want to block government agencies from doing their job to protect citizens, but was instead concerned about unwarranted surveillance. He said that if the American government and its technology industry are not held accountable for unwarranted oversight, foreign companies and agencies might feel free to adopt similar mass surveillance tactics and policies.

    When companies collect data, he said, they should only “hold it for as long as necessary.”

    Mr. Snowden’s comments Monday echoed his testimony to members of the European Parliament, released Friday, in which he said targeted surveillance was acceptable.

    At one point here in Austin, Mr. Snowden answered a question sent via Twitter about whether any data was ever truly safe, from a malicious hacker or an agency like the N.S.A.

    “Let’s put it this way,” he said with a bit of a laugh. “The United States government has assembled a massive investigation team into me personally, into my work with journalists and they still have no idea you know what documents were provided to the journalists, what they have, what they don’t have, because encryption works.”

    So Snowden repeatedly emphasized that he didn’t want to block government agencies from doing their job to protect citizens and also pointed out that “the United States government has assembled a massive investigation team into me personally, into my work with journalists and they still have no idea you know what documents were provided to the journalists, what they have, what they don’t have, because encryption works.” Hmmmm….so it’s increasingly sounding like brute force decryption could be the method of choice for the future of intelligence and law enforcement activities simply because it’ll be the only choice…at least when they’re investigating someone that knows what they’re doing. Let’s hope those brute force techniques remain in the digital realm.

    Posted by Pterrafractyl | March 11, 2014, 12:24 pm
  7. It’ll be interesting to see how many people will be able to afford digital space in a Swiss vault as the industry for ultra-private data centers continues to grow:

    MIT Technology Review
    For Swiss Data Industry, NSA Leaks Are Good as Gold

    Here’s how the Swiss promise to keep your data safe.

    By Russ Juskalian on March 18, 2014

    There is data security, and then there is Swiss data security.

    The difference was explained to me by Stéphan Grouitch in a conference room deep within a mountain in the Swiss Alps, lit by a subterranean buzz of fluorescent lights. To get to here, under more than 3,000 feet of stone and earth, I showed my passport (something I didn’t have to do to enter the country from Germany), had my finger scanned repeatedly, and passed under security cameras and motion detectors. A blast door, thicker than my forearm is long, is said to protect this old Cold War bunker against a 20-megaton bomb.

    “The country has always stored valuables for people all around Europe—even before money,” says Grouitch, CEO of Deltalis, the company that owns the bunker. When Deltalis first looked into acquiring the facility from the Swiss military, it considered storing gold bullion here. Instead, it now runs a farm of computer servers where data is safeguarded by strict privacy laws and a unique culture of discretion. To legally access someone’s data here, you’ll need an order from a Swiss judge.

    A Swiss play in data security has been under way for around a decade, mostly in connection to banking. But the controversy around global surveillance by the U.S. National Security Agency is “a huge development,” says Franz Grüter, CEO of Green, an Internet service provider whose state-of-the-art data center in the village of Lupfig is being filled out “years ahead of schedule.”

    To get a sense of the opportunity, one need only look at the projected losses the U.S.-based cloud services industry (including Google, Microsoft, and IBM) is facing because of anxiety and indignation over U.S. wiretapping. Estimates of lost market share through 2016 range from $35 billion to $180 billion (according to Forrester Research).

    European companies, according to Grüter, now routinely question where data is physically stored—and are declining U.S. offers. One result is that a cluster of privacy companies is forming in Switzerland. ID Quantique makes the Centauris CN8000, one of the world’s first commercial encryption systems using quantum mechanics. And Blackphone, a secure handset launched by U.S. privacy pioneer Phil Zimmerman, will store subscribers’ telephone numbers in Swiss servers.

    Altogether, Switzerland has around 1,440,000 square feet of data-center space. While that is far less than is available in countries like the U.S. and Germany, it’s a lot relative to Switzerland’s population of eight million.

    Richard Straub, head of market development at ID Quantique, says Swiss innovations are backed by strong research at universities like EPFL in Lausanne, ETH-Zürich, and the University of Geneva. They also benefit from local demand. When ID Quantique took its products to market, it found early, and eager, customers in the banking industry and in government. Officials in Geneva have used its technology to help transmit federal election results since 2007, and in online voting for citizen initiatives since 2009.

    So who can you trust with your data? Grouitch thinks Switzerland’s appeal should be obvious. “This country really is a vault in the center of Europe,” he says.

    “When ID Quantique took its products to market, it found early, and eager, customers in the banking industry and in government”. Yeah, that’s probably what we should expect everywhere.

    Posted by Pterrafractyl | March 18, 2014, 1:52 pm
  8. Well, that’s one way to put it:

    ABC News
    Bill Clinton Calls Edward Snowden An ‘Imperfect Messenger’

    By Erin Dooley
    Apr 8, 2014 7:31pm

    NSA leaker Edward Snowden has been characterized as a traitor, a hacker and a whistleblower. Bill Clinton prefers to think of him as an “imperfect messenger.”

    The former president — who in previous interviews has appeared hesitant to criticize Snowden — weighed in on the surveillance debate during remarks at the Naval Academy in Annapolis, Md., Tuesday afternoon.

    “The Snowden case has raised all these questions about whether we can use technology to protect national security without destroying the liberty which includes the right to privacy of basically innocent bystanders,” he said.

    Clinton even suggested that the privacy-versus-security debate creates a “false choice,” and argued that with a big enough investment, the U.S. could design technology that would allow both aims to coexist.

    “It seems to me clear, based on the people that I talk to, that we could be designing these systems – if we’re prepared to spend the money to do it – in a way that dramatically enhances both … privacy and our national security,” he added.

    “We cannot change the character of our country or compromise the future of our people by creating a national security state which takes away the liberty and privacy we propose to advance,” he continued. “Don’t kill the goose that laid the golden egg.”

    During his speech to the midshipmen at the academy, Clinton didn’t discuss his wife’s presidential ambitions. However, he did reflect on his own path to the White House.

    Presumably Bill’s technology design plans that allow privacy and security to co-exist include some sort of cheap free energy device that leads to global prosperity and an end to socioeconomic strife. A universal translator perhaps? Portals to parallel universes? Skynet? It’s Skynet, isn’t it. Whatever it is, let’s hope he shares it with the world soon:

    The Sydney Morning Herald
    Man who introduced serious ‘Heartbleed’ security flaw denies he inserted it deliberately

    Date
    April 10, 2014 – 10:37PM

    Ben Grubb

    Exclusive

    The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested.

    In what appears to be his first comments to the media since the bug was uncovered, Robin Seggelmann said how the bug made its way into live code could “be explained pretty easily”.

    The encryption flaw, called Heartbleed, has exposed large swathes of the internet to malicious exploitation, prompting some security experts to warn internet users against even using the web for the next few days.

    The bug introduced a flaw into the popular OpenSSL software, which is used by many popular social networking websites, search engines, banks, and online shopping sites to keep personal and financial data safe. It allowed those who knew of its existence to intercept usernames, passwords, credit card details, and various other sensitive information from a website’s server in plain text.

    It also allowed for a server’s private encryption keys to be stolen. Once stolen, these keys can be used by criminals to decrypt data sent between a website’s server and a user of that website.

    “On a scale of one to 10, it is an 11,” renowned security expert Bruce Schneier said of the bug.

    ‘Unfortunately’ missed

    Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

    “I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

    “In one of the new features, unfortunately, I missed validating a variable containing a length.”

    After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Mr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.

    Mr Seggelmann said the error he introduced was “quite trivial”, but acknowledged that its impact was “severe”.

    Conspiracy theories

    A number of conspiracy theorists have speculated the bug was inserted maliciously.

    Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

    “But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said.

    “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

    Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

    “It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

    Benefits of discovery

    If anything had been demonstrated by the discovery of the bug, Mr Seggelmann said it was awareness that more contributors were needed to keep an eye over code in open source software.

    “It’s unfortunate that it’s used by millions of people, but only very few actually contribute to it,” he said.

    “The benefit of open source software is that anyone can review the code in the first place.

    “…the more people look at it, the better, especially with a software like OpenSSL.”

    Well, nobody’s perfect, right? So, assuming there’s really nothing shady going on, the guy is right: one of the benefits of this security nightmare is that at least the public is going to be much more aware of just how few people might be involved in maintaining and reviewing open source software, including critical software used by large swathes of the internet. Note that one person reviewed this guy’s code that was about to be used all over the world. One.

    It’s a reminder that if we want to enjoy the benefits of an open source world, we need to create societies where lots of people have both the educational background required to engage in this kind of volunteer work and the free time to actually do it. Hopefully that’s something the people Bill talks to are thinking about.

    Posted by Pterrafractyl | April 10, 2014, 11:24 am
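    The quoted explanation (“I missed validating a variable containing a length”) describes a very ordinary bug class, so here is an added illustration of it. This is example code written for this thread, not the article’s code and not OpenSSL’s: the record layout (a type byte, a two-byte claimed length, then payload), the function names and the sample bytes are all constructed for the demonstration. It shows the same echo routine twice, once trusting the sender’s length field and once checking it against the number of bytes actually received, and the sample record is padded with extra bytes inside the same array so the unchecked read stays inside one allocation and can be observed safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example, not OpenSSL's):
 *   byte 0     : message type
 *   bytes 1..2 : payload length claimed by the sender, big-endian
 *   bytes 3..  : payload
 */
#define HDR_LEN 3

static uint16_t claimed_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unchecked variant: copies as many bytes as the sender *claims*, never asking
 * how many bytes were actually received. Anything past the real payload is
 * whatever happens to sit next to the record in memory. */
size_t echo_payload_unchecked(const uint8_t *rec, uint8_t *out, size_t outcap)
{
    size_t n = claimed_len(rec);
    if (n > outcap)            /* caps only the output buffer, not the input */
        n = outcap;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Checked variant: the claimed length must fit inside the bytes actually
 * received (reclen). This is the validation the quote above describes as
 * missing. Returns 0 on success, -1 if the record is malformed. */
int echo_payload_checked(const uint8_t *rec, size_t reclen,
                         uint8_t *out, size_t outcap, size_t *outlen)
{
    if (reclen < HDR_LEN)
        return -1;                        /* not even a complete header */
    size_t n = claimed_len(rec);
    if (n > reclen - HDR_LEN)
        return -1;                        /* claims more than was sent */
    if (n > outcap)
        return -1;                        /* would not fit the reply buffer */
    memcpy(out, rec + HDR_LEN, n);
    *outlen = n;
    return 0;
}

/* Constructed sample: a record that claims 16 payload bytes but carries only
 * 4 ("ping"), followed by 16 unrelated bytes standing in for whatever was
 * adjacent in memory. Keeping them in one array keeps the demo in bounds. */
static const uint8_t SAMPLE[] = {
    0x01, 0x00, 0x10,                                   /* type 1, claims 16 bytes */
    'p', 'i', 'n', 'g',                                 /* the 4 bytes really sent */
    'A','D','J','A','C','E','N','T','-','M','E','M','O','R','Y','!'   /* neighbours */
};
#define SAMPLE_RECLEN (HDR_LEN + 4)   /* what a receiver actually got on the wire */

/* How many bytes beyond the real payload the unchecked echo hands back. */
size_t unchecked_leak_count(void)
{
    uint8_t out[64];
    size_t n = echo_payload_unchecked(SAMPLE, out, sizeof out);
    return n > 4 ? n - 4 : 0;
}

/* Return code of the checked echo on the same malformed record. */
int checked_rejects_sample(void)
{
    uint8_t out[64];
    size_t n = 0;
    return echo_payload_checked(SAMPLE, SAMPLE_RECLEN, out, sizeof out, &n);
}

/* 1 if the checked echo still serves an honest record correctly. */
int checked_accepts_honest(void)
{
    const uint8_t honest[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    size_t n = 0;
    int rc = echo_payload_checked(honest, sizeof honest, out, sizeof out, &n);
    return rc == 0 && n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void)
{
    printf("unchecked echo returns %zu bytes the sender never sent\n",
           unchecked_leak_count());
    printf("checked echo on the same record: rc=%d\n", checked_rejects_sample());
    printf("checked echo on an honest record ok: %d\n", checked_accepts_honest());
    return 0;
}
```

    The point of the side-by-side is that the fix is one comparison (claimed length against bytes received), which is exactly why a single reviewer can miss it; a test that feeds a record whose length field exceeds its real size, like the constructed one here, is the kind of check that catches the class regardless of the protocol.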
  9. This is kind of interesting: You can see the origin of the “Heartbeat” feature that led to “Heartbleed” in Robin Seggelmann’s doctoral thesis. It’s section 7.2 the “Heartbeat Extension”.

    We’re also learning that the NSA knew about the Heartbleed bug for the past two years. This is, of course, leading to an uproar in the security community. And since this was a bug in open source code that anyone could have detected, it also raises the question of what other intelligence agencies knew about this “feature” and why they didn’t also alert the public about this problem. Did they not find it? Did the 9-Eyes get to learn the secret? The 14-Eyes? Or was the NSA the only spy agency to find a bug in critical, widely used open source code?

    NSA Said to Exploit Heartbleed Bug for Intelligence for Years
    By Michael Riley Apr 11, 2014 1:58 PM CT

    The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

    The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

    Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

    Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

    Controversial Practice

    “It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

    Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

    The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

    The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

    Free Code

    While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

    In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

    The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

    The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

    Serious Flaws

    Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

    “If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

    “If you combine the two into one government agency, which mission wins?…Invariably when this has happened over time, the offensive mission wins.” Yep! Hopefully at some point the global security industry is going to internalize the fact that the best possible path to true security is global peace and prosperity and accountable governments everywhere run by citizens that have absolutely no interest in messing with the affairs of other countries. Only helping. No war or economic conquest or any of that. Everywhere. There won’t be much need to spy at that point! Plus, if today’s “Heartbleed” is giving you chest pains, just imagine what the Heartbleed of the future is going to feel like:

    New Scientist
    DNA nanobots deliver drugs in living cockroaches

    12:30 08 April 2014 by Sarah Spickernell
    For similar stories, visit the Nanotechnology Topic Guide

    It’s a computer – inside a cockroach. Nano-sized entities made of DNA that are able to perform the same kind of logic operations as a silicon-based computer have been introduced into a living animal.

    The DNA computers – known as origami robots because they work by folding and unfolding strands of DNA – travel around the insect’s body and interact with each other, as well as the insect’s cells. When they uncurl, they can dispense drugs carried in their folds.

    “DNA nanorobots could potentially carry out complex programs that could one day be used to diagnose or treat diseases with unprecedented sophistication,” says Daniel Levner, a bioengineer at the Wyss Institute at Harvard University.

    Levner and his colleagues at Bar Ilan University in Ramat-Gan, Israel, made the nanobots by exploiting the binding properties of DNA. When it meets a certain kind of protein, DNA unravels into two complementary strands. By creating particular sequences, the strands can be made to unravel on contact with specific molecules – say, those on a diseased cell. When the molecule unravels, out drops the package wrapped inside.

    A bug’s life

    The team has now injected various kinds of nanobots into cockroaches. Because the nanobots are labelled with fluorescent markers, the researchers can follow them and analyse how different robot combinations affect where substances are delivered. The team says the accuracy of delivery and control of the nanobots is equivalent to a computer system.

    “This is the first time that biological therapy has been able to match how a computer processor works,” says co-author Ido Bachelet of the Institute of Nanotechnology and Advanced Materials at Bar Ilan University.

    “Unlike electronic devices, which are suitable for our watches, our cars or phones, we can use these robots in life domains, like a living cockroach,” says Ángel Goñi Moreno of the National Center for Biotechnology in Madrid, Spain. “This opens the door for environmental or health applications.”

    DNA has already been used for storing large amounts of information and circuits for amplifying chemical signals, but these applications are rudimentary compared with the potential benefits of the origami robots.

    Commodore cockroach

    The team says it should be possible to scale up the computing power in the cockroach to that of an 8-bit computer, equivalent to a Commodore 64 or Atari 800 from the 1980s. Goñi Moreno agrees that this is feasible. “The mechanism seems easy to scale up so the complexity of the computations will soon become higher,” he says.

    An obvious benefit of this technology would be cancer treatments, because these must be cell-specific and current treatments are not well-targeted. But a treatment like this in mammals must overcome the immune response triggered when a foreign object enters the body.

    Bachelet is confident that the team can enhance the robots’ stability so that they can survive in mammals. “There is no reason why preliminary trials on humans can’t start within five years,” he says.

    Snapshots from the future:
    Ack, why is my heart pounding so hard? Do I have a virus?

    Posted by Pterrafractyl | April 11, 2014, 2:48 pm
  10. Here’s an article from 2008 that’s a reminder that the Four Horsemen of the Infopocalypse are going to be knocking at your door sooner or later. Physics demands it. Specifically quantum physics:

    SwissInfo.ch
    Beam me up, Geneva

    December 16, 2008 – 08:11

    Star-Trek-style human teleportation may still be years away, but scientists in Geneva have made a key breakthrough in the field of quantum teleportation.

    Researchers at Geneva University have developed a “quantum memory”, capturing a single particle of light (a photon) in a crystal and then reproducing and retransmitting it.

    The findings, published in last week’s edition of the academic journal Nature, could translate into important applications in the field of quantum cryptography, guaranteeing highly secure communication, and quantum computers that will run billions of times faster than today’s machines.

    Quantum teleportation is the transmission of key properties from one particle to another without a physical link. It relies on an aspect of physics known as “entanglement”, whereby the properties of two particles can be tied together even when they are far apart. Albert Einstein called it “spooky action at a distance”.

    The Geneva-based team managed to stop a light particle in a tiny one-millimetre crystal cooled to a temperature of minus 270 degrees Celsius.

    The photon’s properties were then passed on to some ten million atoms inside the crystal, explained Professor Nicolas Gisin, head of the Group of Applied Physics at Geneva University. He said this produced an echo, like in a cave, re-emitting the photon with the same characteristics.

    “We physicists have played with photons for years. It has always been a fascinating challenge to try to stop a photon and hold it for a while – to stop it without destroying it and release it with the same quantum states,” he told swissinfo.

    Secure speedy communication

    But their research also has a practical application. While their work seems to have little to do with Scotty’s famous teleportation machine, it represents a crucial stage in overcoming the distance problems which affect quantum cryptography today.

    The findings will form the basis of a quantum repeater, which will make it possible to develop secure, long-distance quantum communication networks.

    Today information is sent via fibre-optic networks as a series of light pulses. A quantum communication system also uses a fibre-optic cable, but a photon’s specific information can be teleported instantaneously.

    “The problem with this technology is that the fragile entanglement between two photons is lost over very long distances,” explained Gisin.

    After travelling through tens of kilometres of optic fibre, 99 per cent of photons are lost.

    Quantum repeaters would tackle this problem by enabling flagging photons to be reactivated, conserving their precious information as they are transmitted, say the scientists.

    And the interception of data transmissions encrypted using this technique appears to be impossible – spying on the photons would effectively destroy them.

    Commercial applications for quantum cryptography already exist in the banking sector and for secure e-voting. The Geneva firm idQuantique successfully tested a quantum cryptography system for the federal elections in October 2007.

    Quantum repeaters involving photons trapped in frozen diamonds! Neat! And that was back in 2008. They’re only going to get better. For instance, one repeater approach announced in 2012 could lead to possible quantum storage capacities. And just days ago another set of researchers announced a method involving electrons trapped in frozen diamonds that reportedly allows for 100% accuracy in the data transmitted (you can bet the secret diamond cartel is secretly smiling somewhere). It was a potentially huge accomplishment because if you wanted to replace the global fiber optic lines with quantum networks you’re going to have to send that information through a lot of repeaters:

    The New York Times
    Scientists Report Finding Reliable Way to Teleport Data

    By JOHN MARKOFF, MAY 29, 2014

    Scientists in the Netherlands have moved a step closer to overriding one of Albert Einstein’s most famous objections to the implications of quantum mechanics, which he described as “spooky action at a distance.”

    In a paper published on Thursday in the journal Science, physicists at the Kavli Institute of Nanoscience at the Delft University of Technology reported that they were able to reliably teleport information between two quantum bits separated by three meters, or about 10 feet.

    They report that they have achieved perfectly accurate teleportation of quantum information over short distances. They are now seeking to repeat their experiment over the distance of more than a kilometer. If they are able to repeatedly show that entanglement works at this distance, it will be a definitive demonstration of the entanglement phenomenon and quantum mechanical theory.

    Succeeding at greater distances will offer an affirmative solution to a thought experiment known as Bell’s theorem, proposed in 1964 by the Irish physicist John Stewart Bell as a method for determining whether particles connected via quantum entanglement communicate information faster than the speed of light.

    “There is a big race going on between five or six groups to prove Einstein wrong,” said Ronald Hanson, a physicist who leads the group at Delft. “There is one very big fish.”

    In the past, scientists have made halting gains in teleporting quantum information, a feat that is achieved by forcing physically separated quantum bits into an entangled state.

    But reliability of quantum teleportation has been elusive. For example, in 2009, University of Maryland physicists demonstrated the transfer of quantum information, but only one of every 100 million attempts succeeded, meaning that transferring a single bit of quantum information required roughly 10 minutes.

    In contrast, the scientists at Delft have achieved the ability “deterministically,” meaning they can now teleport the quantum state of two entangled electrons accurately 100 percent of the time.

    They did so by producing qubits using electrons trapped in diamonds at extremely low temperatures. According to Dr. Hanson, the diamonds effectively create “miniprisons” in which the electrons were held. The researchers were able to establish a spin, or value, for electrons, and then read the value reliably.

    In addition to the possibility of an impregnable quantum Internet, the research holds out the possibility of networks of quantum computers.

    To date, practical quantum computers, which could solve certain classes of problems far more quickly than even the most powerful computers now in use, remain a distant goal. A functional quantum computer would need to entangle a large number of qubits and maintain that entangled state for relatively long periods, something that has so far not been achieved.

    A distributed quantum network might also offer new forms of privacy, Dr. Hanson suggested. Such a network would make it possible for a remote user to perform a quantum calculation on a server, while at the same time making it impossible for the operator of the server to determine the nature of the calculation.

    Impregnable internet here we come! At least within a few decades it could be a reality. Maybe a lot sooner depending on how the research progresses.

    And that means all the governments of the world, and not just the US government, are going to have to make a decision about how this kind of technology gets implemented (they’ll probably mess around with repeater nodes to enable wiretapping). As we’ve seen with the Snowden Affair, the main strategy for governments around the world for addressing these kinds of touchy issues with the public is to ignore it and/or talk about NSA spying capabilities. How are governments going to respond when telecom operators can start laying down quantum-protected cables that their own law enforcement and security agencies can’t possibly decrypt if that’s where the technology progresses? Which governments will embrace it and for which segments of their populace? This could be quite a conundrum for the majority of governments around the world that either currently have or desire to have surveillance capabilities. Which governments will embrace quantum communications (all of them perhaps?).

    You also have to wonder how well a quantum internet would interface with the existing non-quantum internet hardware. Interestingly, Los Alamos Labs announced last year that it had been using a quantum network for over two years and is trying to develop the technology for use in home networks. It still faces the hurdle of how to handle quantum routing, which requires quantum repeating but other technologies too, in a way that isn’t at all scalable and has a central vulnerability where the messages get read for routing information at a central hub so it’s not a full quantum network. But the solution involved demonstrates how a quantum internet could potentially introduce mathematically unbreakable encryption on to the traditional internet.

    The Los Alamos Labs approach uses a “hub and spoke” approach. Nodes in the network would still all be randomly connected to each other traditionally, but they’ll also all have a direct quantum-capable connection to a central hub (this is for a local network, where fiber optic cables can be used for the quantum connection). The quantum technology allows for the generation of truly random numbers and that allows for the generation of truly random “one-time pad” encryption keys that, if implemented correctly and truly randomly, allows for theoretically mathematically unbreakable encryption. Not quantum encryption that depends on entangled photons or electrons but just the standard mathematical encryption techniques currently used. The central hub receives and sends out the “one-time pad” to the nodes and the nodes use that pad to encrypt the messages and communicate with each other over the traditional non-quantum network. So as long as the central hub is secure, the entire communication loop could be effectively unbreakable because it’s both unbreakable at a quantum level over the quantum network and a mathematical level over the traditional network:

    MIT Technology Review
    Government Lab Reveals It Has Operated Quantum Internet for Over Two Years
    May 6, 2013

    A quantum internet capable of sending perfectly secure messages has been running at Los Alamos National Labs for the last two and a half years, say researchers.

    One of the dreams for security experts is the creation of a quantum internet that allows perfectly secure communication based on the powerful laws of quantum mechanics.

    The basic idea here is that the act of measuring a quantum object, such as a photon, always changes it. So any attempt to eavesdrop on a quantum message cannot fail to leave telltale signs of snooping that the receiver can detect. That allows anybody to send a “one-time pad” over a quantum network which can then be used for secure communication using conventional classical communication.

    That sets things up nicely for perfectly secure messaging known as quantum cryptography and this is actually a fairly straightforward technique for any half decent quantum optics lab. Indeed, a company called ID Quantique sells an off-the-shelf system that has begun to attract banks and other organisations interested in perfect security.

    These systems have an important limitation, however. The current generation of quantum cryptography systems are point-to-point connections over a single length of fibre, so they can send secure messages from A to B but cannot route this information onwards to C, D, E or F. That’s because the act of routing a message means reading the part of it that indicates where it has to be routed. And this inevitably changes it, at least with conventional routers. This makes a quantum internet impossible with today’s technology.

    Various teams are racing to develop quantum routers that will fix this problem by steering quantum messages without destroying them. We looked at one of the first last year. But the truth is that these devices are still some way from commercial reality.

    Today, Richard Hughes and pals at Los Alamos National Labs in New Mexico reveal an alternative quantum internet, which they say they’ve been running for two and half years. Their approach is to create a quantum network based around a hub and spoke-type network. All messages get routed from any point in the network to another via this central hub.

    This is not the first time this kind of approach has been tried. The idea is that messages to the hub rely on the usual level of quantum security. However, once at the hub, they are converted to conventional classical bits and then reconverted into quantum bits to be sent on the second leg of their journey.

    So as long as the hub is secure, then the network should also be secure.

    The problem with this approach is scalability. As the number of links to the hub increases, it becomes increasingly difficult to handle all the possible connections that can be made between one point in the network and another.

    Hughes and co say they’ve solved this with their unique approach which equips each node in the network with quantum transmitters–i.e., lasers–but not with photon detectors which are expensive and bulky. Only the hub is capable of receiving a quantum message (although all nodes can send and receive conventional messages in the normal way).

    That may sound limiting but it still allows each node to send a one-time pad to the hub which it then uses to communicate securely over a classical link. The hub can then route this message to another node using another one time pad that it has set up with this second node. So the entire network is secure, provided that the central hub is also secure.

    The big advantage of this system is that it makes the technology required at each node extremely simple–essentially little more than a laser. In fact, Los Alamos has already designed and built plug-and-play type modules that are about the size of a box of matches. “Our next-generation [module] will be an order of magnitude smaller in each linear dimension,” they say.

    Their ultimate goal is to have one of these modules built in to almost any device connected to a fibre optic network, such as set top TV boxes, home computers and so on, to allow perfectly secure messaging.

    Having run this system now for over two years, Los Alamos are now highly confident in its efficacy.

    Of course, the network can never be more secure than the hub at the middle of it and this is an important limitation of this approach. By contrast, a pure quantum internet should allow perfectly secure communication from any point in the network to any other.

    Another is that this approach will become obsolete as soon as quantum routers become commercially viable. So the question for any investors is whether they can get their money back in the time before then. The odds are that they won’t have to wait long to find out.

    As we can see, while quantum computing could be a massively powerful tool for breaking mathematical encryption, quantum technology also potentially provides truly random numbers that can be used to create theoretically unbreakable keys and the means of transmitting the keys securely. But only once quantum routing arrives will this become scalable for the whole internet. But it’s coming.

    Will quantum routers make this “one-time pad” technique obsolete? Maybe, in the long run. But in the short run, the “one-time pad” method is an example of how quantum networks could transform not only the rules of how we communicate but also how we use the existing communications technology and infrastructure, at least regionally at first where you can have a connected quantum network that can act as a hub for passing “one-time pad” keys. Once the transmission of quantum data is enabled over longer distances and quantum routers are invented, we’re not going to see the traditional internet suddenly get replaced. That’s going to take a while because all of that physical infrastructure needs to be replaced. But with the “one-time pad” method we could see the adoption of a basic quantum network skeleton used to transmit one-time pad keys for unbreakable encryption over the traditional internet, which will handle the volume of the actual traffic.

    So concerns over government spying and all other spying are poised to change quite a bit as the technological landscape changes in truly fundamental ways and it might happen sooner than you expect. Quantum communications could be wonderful for protecting critical infrastructure. But it won’t just be critical infrastructure getting protected. Eventually, everyone else will be using the quantum internet too. And since it’s potentially going to be ushering in a new era of truly unbreakable communications, you can bet its usage will be watched very carefully by governments around the globe as it becomes a commercial reality. In addition to militaries and other government agencies aggressively adopting quantum technology, as we would expect, it’ll be interesting to see who else ends up using it first. We’ll find out.

    And will quantum code making beat quantum code breaking? We’ll find that out too. But first, we need the quantum router. Once that’s available, things could be getting increasingly “spooky” on the internet. Hackers will still exist, but they’ll have to get increasingly spooky too.

    Posted by Pterrafractyl | June 1, 2014, 1:36 am
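The hub-and-spoke one-time-pad relay described in the comment above (each spoke shares a pad with the hub over its quantum link, traffic crosses the classical network, the hub re-pads it for the next leg), as an added Python illustration that is not part of the original post and not Los Alamos code. The quantum link is stood in for by a CSPRNG and eavesdropping detection is not modelled; the hub's plaintext visibility and the pad-reuse failure are the two points it makes concrete.

```python
import secrets
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the one-time-pad operation)."""
    if len(a) != len(b):
        raise ValueError("pad and message lengths must match")
    return bytes(x ^ y for x, y in zip(a, b))


def take_pad(pad: bytearray, n: int) -> bytes:
    """Consume n bytes from the front of a pad; the same bytes are never handed out twice."""
    if len(pad) < n:
        raise RuntimeError("one-time pad exhausted; request more key material")
    chunk = bytes(pad[:n])
    del pad[:n]
    return chunk


class SimulatedQuantumLink:
    """Stand-in for the node-to-hub quantum channel (assumption of this illustration):
    it only models the key supply. Real QKD also reveals eavesdropping; not simulated."""

    def __init__(self) -> None:
        self.bytes_delivered = 0

    def deliver_pad(self, n: int) -> bytes:
        self.bytes_delivered += n
        return secrets.token_bytes(n)  # CSPRNG stands in for quantum randomness


class Hub:
    """The central node: the only party that holds a pad with every spoke."""

    def __init__(self) -> None:
        self.links: Dict[str, SimulatedQuantumLink] = {}
        self.pads: Dict[str, bytearray] = {}
        self.observed_plaintext: List[bytes] = []  # what a compromised hub would leak

    def register(self, name: str) -> None:
        self.links[name] = SimulatedQuantumLink()
        self.pads[name] = bytearray()

    def issue_pad(self, name: str, n: int) -> bytes:
        """Pad bytes arrive over the quantum link; hub and node keep identical copies."""
        chunk = self.links[name].deliver_pad(n)
        self.pads[name] += chunk
        return chunk

    def relay(self, src: str, dst: str, ciphertext: bytes) -> bytes:
        """Strip src's pad, re-apply dst's pad. The hub necessarily sees the plaintext,
        which is why the article says the network is only as secure as the hub."""
        plaintext = xor_bytes(ciphertext, take_pad(self.pads[src], len(ciphertext)))
        self.observed_plaintext.append(plaintext)
        return xor_bytes(plaintext, take_pad(self.pads[dst], len(plaintext)))


class Node:
    """A spoke: a pad sender (the 'laser') plus a classical link. Pad bytes are consumed
    in the same order at node and hub, so send/receive ordering must agree on both ends."""

    def __init__(self, name: str, hub: Hub) -> None:
        self.name, self.hub, self.pad = name, hub, bytearray()
        hub.register(name)

    def request_pad(self, n: int) -> None:
        self.pad += self.hub.issue_pad(self.name, n)

    def encrypt(self, message: bytes) -> bytes:
        return xor_bytes(message, take_pad(self.pad, len(message)))

    def decrypt(self, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, take_pad(self.pad, len(ciphertext)))


def send_via_hub(sender: Node, receiver: Node, message: bytes) -> bytes:
    """Full spoke -> hub -> spoke exchange over the classical network."""
    ct_to_hub = sender.encrypt(message)
    ct_to_receiver = sender.hub.relay(sender.name, receiver.name, ct_to_hub)
    return receiver.decrypt(ct_to_receiver)


def pad_reuse_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """Why take_pad never reuses bytes: two ciphertexts under one pad XOR to m1 XOR m2,
    so the pad cancels and an observer learns how the two plaintexts differ."""
    return xor_bytes(xor_bytes(m1, pad), xor_bytes(m2, pad))


if __name__ == "__main__":
    hub = Hub()
    alice, bob = Node("alice", hub), Node("bob", hub)
    for node in (alice, bob):
        node.request_pad(64)
    note = b"constructed sample message"  # constructed input
    print(send_via_hub(alice, bob, note) == note)  # True
    print(hub.observed_plaintext == [note])        # True: the hub is the trust anchor
```

Running the script shows the relay round-trips correctly while the hub's `observed_plaintext` log proves it reads every message in the clear; `pad_reuse_leak` shows the pad cancelling out if key bytes were ever reused.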
  11. It’s probably a good time to change your passwords. Or maybe not. It’s unclear at this point but you should probably change your passwords anyways:

    PC World
    Massive Russian hack has researchers scratching their heads
    Martyn Williams @martyn_williams

    Aug 6, 2014 5:10 PM

    Don’t worry, you’re not the only one with more questions than answers about the 1.2 billion user credentials amassed by Russian hackers.

    Some security researchers on Wednesday said it’s still unclear just how serious the discovery is, and they faulted the company that uncovered the database, Hold Security, for not providing more details about what it discovered.

    “The only way we can know if this is a big deal is if we know what the information is and where it came from,” said Chester Wisniewski, a senior security advisor at Sophos. “But I can’t answer that because the people who disclosed this decided they want to make money off of this. There’s no way for others to verify.”

    Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year. Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

    Hold Security didn’t respond to email and telephone requests for comment Wednesday, though it may have been inundated with inquiries.

    To recap, Hold Security said Tuesday it had obtained a massive database of stolen credentials amassed by a gang of Russian hackers. The database contains 1.2 billion unique “credential pairs”—made up of a user ID (mostly email addresses) and an associated password. Looking at email addresses alone, there are “over half a billion,” the company said, since some email addresses correspond to multiple passwords.

    To assess how serious the discovery is, researchers want to know how old the credentials collected by the Russian gang are, where they came from, and how well-protected the passwords are by “hashing,” which scrambles the passwords but can be vulnerable to brute force attack.

    The age is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee.

    Hold Security acknowledged in its announcement that “not all” the credentials are “valid or current,” with some associated with fake email addresses, closed accounts or even passwords a decade old.

    It’s also unclear how many of the login and password credentials were culled online recently by the hacker group, and how many were acquired on the black market from previous hacks.

    Hold Security said the hackers began by buying credentials from previously attacked accounts, and then did some hacking work of their own. But it’s unclear how many of the 1.2 billion credentials came from previous hacking incidents, and which incidents those were.

    “If you take Sony, LinkedIn, eBay and Adobe,” said Wisniewski, naming four of the biggest recent password breaches, “that’s already 500 million accounts.”

    Regarding the question of how many of these credentials were purchased on the black market vs how many were directly stolen by this hacker group, note that Hold Security is the same firm that reported a massive theft of 360 million stolen credentials back in February. And in that case, those 360 million stolen credentials were for sale on a massive and growing black market:

    360 million newly stolen credentials on black market: cybersecurity firm

    By Jim Finkle

    BOSTON Tue Feb 25, 2014 6:36pm EST

    (Reuters) – A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

    The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

    Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

    “The sheer volume is overwhelming,” said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

    Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.

    He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

    “We have staff working around the clock to identify the victims,” he said.

    He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

    The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.

    The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.

    Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no information about the information that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.

    Part of what makes these kinds of massive security breaches so frustrating is that so many of these breaches are basically the result of successful spear phishing attacks, and not only is the stolen data often perfect for even more spear phishing, but it’s very unclear what can prevent even more spear phishing because it’s an attack based on overcoming human minds, not IT systems.

    Posted by Pterrafractyl | August 6, 2014, 6:18 pm
  12. Have you ever thought about how much more awesome the internet would be if the domain name “cuteoverload.com” went to the site everyone knows and loves in some countries, but went to a very different site in other countries? Or how about having multiple internets available to you to choose from where the different internets sometimes share the same domain-name-to-website association, but not always. And what if more and more of these alternative internets could develop all the time, so there isn’t just one major internet but a global network of internets. Does that sound appealing or more like a logistical nightmare? If you said “sign me up” then you’re in luck. The anti-ICANN movement has already arrived:

    The Hindu
    ‘U.S. monopoly over Internet must go’
    Sep 2, 2014 01:18 AM, By Vidya Venkat

    DEFINING IDEAS: Most of Pouzin’s career has been devoted to the design and implementation of computer systems, most notably the CYCLADES computer network.
    Interview with Louis Pouzin, a pioneer of the Internet and recipient of the Chevalier of Légion d’Honneur, the highest civilian decoration of the French government

    Louis Pouzin is recognised for his contributions to the protocols that make up the fundamental architecture of the Internet. Most of his career has been devoted to the design and implementation of computer systems, most notably the CYCLADES computer network and its datagram-based packet-switching network, a model later adopted by the Internet as Transmission Control Protocol (TCP)/Internet Protocol (IP). Apart from the Chevalier of Légion d’Honneur, Mr. Pouzin, 83, was the lone Frenchman among American awardees of the Queen Elizabeth Prize for Engineering, given to the inventors of Internet technology in its inaugural year, 2013.

    Ahead of the ninth annual meeting of the Internet Governance Forum (IGF) from September 2-5 in Istanbul, Mr. Pouzin shared his concerns regarding the monopoly enjoyed by the U.S. government and American corporations over the Internet and the need for democratising what is essentially a global commons. Excerpts from an interview, over Skype, with Vidya Venkat.

    What are the key concerns you would be discussing at the IGF?

    As of today, the Internet is controlled predominantly by the U.S. Their technological and military concerns heavily influence Internet governance policy. Unfortunately, the Brazil Netmundial convened in April, 2014, with the Internet Corporation for Assigned Names and Numbers (ICANN), following objections raised by [Brazilian] President Dilma Rousseff to the National Security Agency (NSA) spying on her government, only handed us a non-binding agreement on surveillance and privacy-related concerns. So the demand for an Internet bill of rights is growing loud. This will have to lay out what Internet can and cannot do. Key government actors must sign the agreement making it binding on them. The main issue pertaining to technological dominance and thereby control of the network itself has to be challenged and a bill of rights must aim to address these concerns.

    What is the way forward if the U.S. dominance has to be challenged?

    Today, China and Russia are capable of challenging U.S. dominance. Despite being a strong commercial power, China has not deployed Internet technology across the world. The Chinese have good infrastructure but they use U.S. Domain Naming System, which is a basic component of the functioning of the Internet. One good thing is because they use the Chinese language for domain registration, it limits access to outsiders in some way.

    India too is a big country. It helps that it is not an authoritarian country and has many languages. It should make the most of its regional languages, but with regard to technology itself, India has to tread more carefully in developing independent capabilities in this area.

    As far as European countries are concerned, they are mostly allies of the U.S. and may not have a strong inclination to develop independent capabilities in this area. Africa again has potential; it can establish its own independent Internet network which will be patronised by its burgeoning middle classes.

    So you are saying that countries should have their own independent Internet networks rather than be part of one mega global network?

    Developing independent networks will take time, but to address the issue of dominance in the immediate future we must first address the monopoly enjoyed by ICANN, which functions more or less as a proxy of the U.S. government. The ICANN Domain Naming System (DNS) is operated by VeriSign, a U.S. government contractor. Thus, traffic is monitored by the NSA, and the Federal Bureau of Investigation (FBI) can seize user sites or domains anywhere in the world if they are hosted by U.S. companies or subsidiaries.

    ICANN needs to have an independent oversight body. The process for creating a new body could be primed by a coalition of states and other organisations placing one or several calls for proposals. Evaluation, shortlist, and hopefully selection, would follow. If a selection for the independent body could be worked out by September 2015, it would be well in time for the contract termination of the Internet Assigned Numbers Authority (IANA) with the U.S. government.

    The most crucial question is should governments allow citizens to end up as guinea pigs for global internet corporations?

    Breaking that monopoly does not require any agreement with the U.S. government, because it is certainly contrary to the World Trade Organization’s principles. In other words, multiple roots [DNS Top Level Domains (TLD)] are not only technically feasible; they have been introduced in the Internet back in 1995, even before ICANN was created. This avenue is open to entrepreneurs and institutions for innovative services tailored to user needs, specially those users unable to afford the extravagant fees raked in by ICANN. The deployment of independent roots creates competition and contributes to reining in devious practices in the domain name market.

    The U.S. government is adamant on controlling the ICANN DNS. Thus, copies (mirrors) should be made available in other countries out of reach of the FBI. A German organisation, Open Root Server Network, is, at present, operating such a service. To make use of it, users have to modify the DNS addresses in their Internet access device. That is all; usage is free.

    But would this process not result in the fragmentation of the Internet?

    Fragmentation of the Internet is not such a bad thing as it is often made out to be. The bone of contention here is the DNS monopoly.

    On August 28, nearly 12 million Internet users subscribing to Time Warner’s cable broadband lost connectivity due to a sudden outage in one day. In a world of fragmented Internet networks, such mass outages become potentially impossible. The need of the hour is to work out of the current trap to use a more interoperable system.

    In this context, a usual scarecrow brandished by the U.S. government is fragmentation, or Balkanisation, of the Internet. All monopolies resort to similar arguments whenever their turf is threatened by a looming competition. Furthermore, the proprietary naming and unstable service definitions specific to the likes of Amazon, Apple, Facebook, Google, Twitter, and more, have already divided the Internet in as many closed and incompatible internets of captive users.

    Recently, the Indian External Affairs Minister had objected to U.S. spying on the Bharatiya Janata Party. Can governments like India use a forum like IGF to raise concerns relating to surveillance?

    Even if governments do attend IGF, they do not come with a mandate. A major problem with the Internet governance space today is that they are under the dominance of corporate lobbies. So it is a bit hard to say what could be achieved by government participation in the IGF. This is a problem of the IGF: it has no budget or secretary general, it is designed to have no influence and to maintain the status quo. That is why you have a parallel Internet Ungovernance Forum which is not allying with the existing structure and putting forth all the issues they want to change. Indian citizens could participate in this forum to raise privacy and surveillance-related concerns.

    Do you feel Internet governance is still a very alien subject for most governments and people to engage with?

    Unfortunately, the phrase “Internet governance” is too abstract for most people and governments to be interested in. The most crucial question is what kind of society do you want to live in? Should governments allow citizens to end up as guinea pigs for global Internet corporations? The revelations by NSA contractor Edward Snowden have proved beyond doubt that user data held by Internet companies today are subject to pervasive surveillance. Conducting these intrusive activities by controlling the core infrastructure of the Internet without obtaining the consent of citizen users is a big concern and should be debated in public. Therefore, debates about Internet governance are no longer alien; they involve all of us who are part of the network.

    Could competing DNS top level domains be part of the future of the internet? It’s looking like a possibility. So to get a better idea of what that might mean, here’s a 2012 interview of Pouzin on the Open Root alternative that gives us a better idea of just how open the Open Root internet could be:

    TechWeek Europe
    Open Root: The Grandfather Of The Internet Takes On ICANN

    FRANCE: Louis Pouzin invented a precursor to the Internet’s TCP/IP protocol, and now he wants to break ICANN’s monopoly on top level domains

    On October 29, 2012 by TechWeekEurope Staff

    Little known to the general public, Louis Pouzin is a real IT legend. Back in 1971, the French government tasked him with designing Cyclade, the French answer to the American ArpaNet.

    Later, Pouzin and his team created the datagram protocol which Vinton Cerf and Robert Kahn used as the basis for the Internet’s TCP/IP protocol, in 1974. In just a few years, the new communication standard would be adopted by the majority of computer networks in the world.

    The grandfather of the Internet

    The 81 year old engineer, who is a longtime member of Internet Society (ISOC), is officially retired, but he still wants to influence the future of the Internet – and in particular wants to see it freed from domination by US organisations. To this end, he has been involved in the movement for Alternative DNS roots, which offer an alternative to the Domain Name System (DNS) roots provided under the control of ICANN, the Internet’s ruling body.

    Although the Internet is public, decentralised and independent of any state in its day-to-day operations, the network remains under the control of ICANN (Internet Corporation for Assigned Names and Numbers), an American organisation that has been responsible for linking domains (assigned names) and IP addresses (numbers) since 1996.

    Specifically, it is ICANN and its many affiliates (AFNIC in France, Nominet in the UK) that control the root servers of the Internet and allow over two billion Internet users to find their way among millions of servers hosting data.

    Although this year it has somewhat softened its grip, ICANN has long imposed a US character set (ASCII) on billions of people natively using other alphabets (Russian, Chinese, Arabic, Indian). In addition, it operates a business model which some find questionable: rental of domain names.

    “ICANN, with its self-proclaimed monopoly, says that there is only one root – Verisign – which operates under contract with the US Department of Commerce (DOC). Changing this root must be approved, first by ICANN, and then DOC. While in actuality, there are many roots created by other organisations, to allow access to sites which, for various reasons, have TLD (Top Level Domains) that do not exist in the ICANN root servers,” Pouzin told Silicon.fr.

    The octogenarian doesn’t want to simply denounce the monopoly and Americano-centric vision of ICANN, but offer an alternative design. Alongside other Alternative DNS activists, he set up a French site, called Open Root, to provide an alternative to ICANN’s root servers.

    Open the Root

    While ICANN is a monopoly controlled by the US government, Pouzin wants Open Root to be an association (EUROLINC) under the control of users. While ICANN requires the use of the Americanised Latin alphabet, Open Root provides support for all alphabets and ideograms currently existing on the planet. While ICANN proposes leasing domain names, Open Root offers the outright sale of a domain name at a minimal price.

    “Open Root should be independent of the ICANN root, a sanctuary for users rejected by ICANN, or refusing the conditions imposed by the organisation. (…) Another group of interest is the citizens of countries whose languages are not supported by ICANN,” said Pouzin.

    However, the initiative is not to the liking of AFNIC, the organisation responsible for domain names in France. “We welcome any initiative to promote innovation and competition. Nevertheless, it seems essential to guarantee the uniqueness of the domain names already in use. Multiplication of roots, although they may offer new features in each case, is a path that we do not want to take,” said Julien Naillet, a spokeswoman for AFNIC.

    The Internet Architecture Board (IAB) has issued a stern warning against alternative roots in an Internet standard document, called RFC 2826 (the Internet standards are laid down by “Request for Comment” or RFC documents).

    The objection boils down to ambiguity: because extensions like .com or .biz might be duplicated in different roots, users would have to know which root server to use to look for a given site, or else they could go to the wrong place. “Deploying multiple public DNS roots would raise a very strong possibility that users of different ISPs who click on the same link on a web page could end up at different destinations, against the will of the web page designers,” says the informational RFC.

    Branding issues

    The monopoly of the ICANN root servers effectively guarantees the uniqueness of domain names. After all, there is only one database associating a domain name (like TechWeekEurope.co.uk) to the IP address of the server hosting the website. But is this unity an illusion, and is it really a benefit?

    Proponents of Alternative DNS systems think ICANN’s resistance to the multiplication of extensions might have something to do with the amount of money it charges for creating new domain names for big brands.

    In what Pouzin sees as rampant commercialism, ICANN has finally allowed new “generic” top level domains (gTLDs) outside the normal list of country names and extensions such as .com – and is charging heavily for them. When the $185,000 cost of applying is added to the annual cost of $25,000 and the back-end registry and consulting, ICANN believes the total cost to someone renting a new domain could be over $500,000.

    Even if Open Root doesn’t attract more than a handful of users, Pouzin thinks it will be invaluable in starting a debate about Internet governance. After all, this network now connects billions of human beings, and soon will do the same for tens of billions of objects.

    Pouzin acknowledges the difficulty that Alternative DNS roots would allow multiple sites with the same address (URL). He points out that already there are multiple sites for a word like “tube”, although in practice tube.com, tube.net and tube.org may all be rented by the same organisation, as a defensive measure.

    “In the open roots framework, in case there exists several .tube, they will be distinguished by the root selected by the user,” the OpenRoot site explains, so surfing the web becomes an activity where users have to take even more control over what they are doing.

    Well, this certainly is a fascinating plan: It sounds like the “Open Root” model Pouzin advocates would basically allow for the creation of a number of competing mini-internets that all still rely on the same underlying hardware infrastructure (the global telecommunication infrastructure shuttling all the traffic) but operate within their own domain-name bubbles. The bubbles could, and presumably would, be heavily overlapping in most cases but not necessarily. Why do we want this? Well, it’s unclear from a general user-friendliness standpoint except that it makes it harder for an existing domain name to be blocked by ICANN. And the potential to expand the language character sets is actually quite nice for many people.

    Of course, such a system also potentially makes it much easier for governments or private entities operating their own root servers to block specific domain names on their own mini-internets, and any users that aren’t tech savvy enough to jump around from root server to root server might just be out of luck. And there’s no guarantee that the most “free” root servers (free in terms of non-blocked sites) will actually be free, because there’s no reason for-profit alternative DNS roots couldn’t be set up too (CompuServ shall rise again!).

    So it’s sort of a wash in terms of the additional freedoms gained (more options, more headaches), which raises the question of why we would want to destroy the existing ICANN monopoly in order to make way for the Alternative DNS root system Pouzin proposes, since the ICANN monopoly already co-exists with the OpenRoot system Pouzin is championing. You can buy your own Alternative Top Level Domain server and buy all the domain names you’d like from Mr. Pouzin’s Open-root service. Here are the rates.

    And then there’s the bitcoin-esque gold rush aspect to it all. Remember: Pouzin’s system doesn’t involve renting domain names. You buy it permanently for a particular root (again, here are the rates). Remember the domain-name gold-rushes of yesteryear? What would the new gold rush be like if we suddenly splintered the internet and then started offering permanent domain names for sale? Because even if all alternative DNS providers like Open-Root strove to maintain affordable rates for the sale of permanent ownership of a domain name for a given root, unless there’s a rule against secondary sales it’s hard to see why the exorbitant prices currently charged for some domain names wouldn’t continue to be charged in the secondary markets under Pouzin’s fragmented internet model, where permanent ownership of a domain is what’s for sale. And it might even get more expensive in the long run because you would potentially have to buy “mysite.com/org/biz” for multiple domain name roots.

    Still, the Open Root model sounds like it has quite a few niche uses and it wouldn’t be all that surprising if national or private domain name roots proliferate in the future. Child-friendly roots, for instance, could be a great tool for parents.

    But, again, since all of these services can already exist, with or without ICANN, destroying ICANN and ditching the only “default” root for the globe just to make accessing The Pirate Bay after it gets blocked even easier than it already is seems like quite a big risk to the connectivity that makes the internet great for some relatively minor gains, especially since the US is already set to give up control of ICANN, so reasons to fret over the outsized US influence over which sites get blocked by ICANN are set to fade anyways. Unless, of course, you happen to be in the business of creating and selling custom roots and domains, in which case this is clearly one of the greatest ideas ever. And there’s a lot of different groups that could make a lot of money if we broke up ICANN and suddenly fragmented domain names around the globe (Namecoin hoarders should rejoice), so there’s probably going to be a growing number of people that see this as the greatest idea ever, and that means we shouldn’t be surprised if this idea catches on going forward. Of course, that also means we shouldn’t be surprised if cuteoverload.com suddenly becomes a little more NSFW going forward. The age of root-awareness is almost upon us.

    Posted by Pterrafractyl | September 3, 2014, 7:08 pm
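    As an added illustration of the ambiguity problem RFC 2826 raises in the article quoted above (this is example code written for this page, not software from Open Root, EUROLINC or the Tor Project), the Python sketch below models name resolution as a walk down a delegation tree that starts from whichever root the user has selected. The zone names and addresses are constructed (the IPs come from the documentation ranges), and the hypothetical roots “root-a”, “root-b” and “root-c” stand in for a conventional root, an alternative root that mirrors it and adds a .tube TLD, and a second alternative root whose .tube is run by someone else. The same link, “video.tube”, lands on a different server depending on the root, while “www.example.com” resolves identically everywhere because the alternative roots mirror the conventional delegations.

```python
"""Toy multi-root DNS resolution showing RFC 2826's ambiguity concern.

All zone names and addresses below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # ("NS", next_zone) for a delegation, ("A", ip) for an answer

# Constructed zone data. Each zone maps a label to a delegation or an address record.
ZONES: Dict[str, Dict[str, Record]] = {
    # Conventional root: knows only the TLDs it delegates.
    "root-a": {"com": ("NS", "com-zone"), "org": ("NS", "org-zone")},
    # Alternative root that mirrors root-a and adds a .tube TLD of its own.
    "root-b": {"com": ("NS", "com-zone"), "org": ("NS", "org-zone"),
               "tube": ("NS", "tube-zone-b")},
    # Second alternative root: same mirror, but .tube is run by a different operator.
    "root-c": {"com": ("NS", "com-zone"), "org": ("NS", "org-zone"),
               "tube": ("NS", "tube-zone-c")},
    "com-zone": {"example": ("NS", "example-com-zone")},
    "org-zone": {},
    "example-com-zone": {"www": ("A", "192.0.2.10")},
    "tube-zone-b": {"video": ("A", "198.51.100.7")},
    "tube-zone-c": {"video": ("A", "203.0.113.42")},
}


def resolve(name: str, root: str) -> Optional[str]:
    """Walk the delegation chain from `root`, label by label, right to left.

    Returns the address for `name`, or None when some label is unknown
    (the equivalent of NXDOMAIN) or the walk ends on a delegation point.
    """
    labels = name.rstrip(".").lower().split(".")
    zone = root
    for depth, label in enumerate(reversed(labels), start=1):
        record = ZONES.get(zone, {}).get(label)
        if record is None:
            return None  # this root's tree has no such name
        kind, target = record
        if kind == "A":
            # An address record only answers the exact name, not a longer one.
            return target if depth == len(labels) else None
        zone = target  # follow the delegation into the child zone
    return None  # ran out of labels while still at a delegation point


def compare_roots(name: str, roots: List[str]) -> Dict[str, Optional[str]]:
    """Resolve `name` against each root and report every answer side by side."""
    return {root: resolve(name, root) for root in roots}


def is_ambiguous(name: str, roots: List[str]) -> bool:
    """True when users of different roots would reach different destinations."""
    return len({resolve(name, root) for root in roots}) > 1


if __name__ == "__main__":
    roots = ["root-a", "root-b", "root-c"]
    for host in ("www.example.com", "video.tube"):
        print(host, compare_roots(host, roots), "ambiguous:", is_ambiguous(host, roots))
```

    In this model a mirror of the conventional root is harmless for names the two roots agree on, which is the point made in the interview above about Open Root Server Network copies; the trouble only starts where roots disagree on who runs a TLD, which is exactly the case the RFC warns about.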
  13. David Golumbia recently wrote a fabulous piece about the technocratic nature of the ideals behind the Tor Project and the variety of fundamentally undemocratic, political and ideological assumptions that are used to justify its development, including the invocation of natural law arguments by Tor’s lead developer, Roger Dingledine. Given Edward Snowden’s promotion of Libertarian/Cypherpunk ideals as a global pro-human rights/pro-democracy rallying cry, and the inevitable growth of technocratic temptations as technological advances continue, it’s critical reading:

    Uncomputing.org
    Tor, Technocracy, Democracy

    By David Golumbia | Published: April 23, 2015

    As important as the technical issues regarding Tor are, at least as important—probably more important—is the political worldview that Tor promotes (as do other projects like it). While it is useful and relevant to talk about formations that capture large parts of the Tor community, like “geek culture” and “cypherpunks” and libertarianism and anarchism, one of the most salient political frames in which to see Tor is also one that is almost universally applicable across these communities: Tor is technocratic. Technocracy is a term used by political scientists and technology scholars to describe the view that political problems have technological solutions, and that those technological solutions constitute a kind of politics that transcends what are wrongly characterized as “traditional” left-right politics.

    In a terrific recent article describing technocracy and its prevalence in contemporary digital culture, the philosophers of technology Evan Selinger and Jathan Sadowski write:

    Unlike force wielding, iron-fisted dictators, technocrats derive their authority from a seemingly softer form of power: scientific and engineering prestige. No matter where technocrats are found, they attempt to legitimize their hold over others by offering innovative proposals untainted by troubling subjective biases and interests. Through rhetorical appeals to optimization and objectivity, technocrats depict their favored approaches to social control as pragmatic alternatives to grossly inefficient political mechanisms. Indeed, technocrats regularly conceive of their interventions in duty-bound terms, as a responsibility to help citizens and society overcome vast political frictions.

    Such technocratic beliefs are widespread in our world today, especially in the enclaves of digital enthusiasts, whether or not they are part of the giant corporate-digital leviathan. Hackers (“civic,” “ethical,” “white” and “black” hat alike), hacktivists, WikiLeaks fans, Anonymous “members,” even Edward Snowden himself walk hand-in-hand with Facebook and Google in telling us that coders don’t just have good things to contribute to the political world, but that the political world is theirs to do with what they want, and the rest of us should stay out of it: the political world is broken, they appear to think (rightly, at least in part), and the solution to that, they think (wrongly, at least for the most part), is for programmers to take political matters into their own hands.

    While these suggestions typically frame themselves in terms of the words we use to describe core political values—most often, values associated with democracy—they actually offer very little discussion adequate to the rich traditions of political thought that articulated those values to begin with. That is, technocratic power understands technology as an area of precise expertise, in which one must demonstrate a significant level of knowledge and skill as a prerequisite even to contributing to the project at all. Yet technocrats typically tolerate no such characterization of law or politics: these are trivial matters not even up for debate, and in so far as they are up for debate, they are matters for which the same technical skills qualify participants. This is why it is no surprise that among the 30 or 40 individuals listed by the project as “Core Tor People,” the vast majority are developers or technology researchers, and those few for whom politics is even part of their ambit approach it almost exclusively as technologists. The actual legal specialists, no more than a handful, tend to be dedicated advocates for the particular view of society Tor propagates. In other words, there is very little room in Tor for discussion of its politics, for whether the project actually does embody widely-shared political values: this is taken as given.

    This would be fine if Tor really were “purely” technological—although just what a “purely” technological project might be is by no means clear in our world—but Tor is, by anyone’s account, deeply political, so much so that the developers themselves must turn to political principles to explain why the project exists at all. Consider, for example, the Tor Project blog post written by lead developer Roger Dingledine that describes the “possible upcoming attempts to disable the Tor network” discussed by Yasha Levine and Paul Carr on Pando. Dingledine writes:

    The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia.

    And further:

    Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

    Why would that be bad? Because “every person has the right to privacy. This right is a foundation of a democratic society.”

    This appears to be an extremely clear statement. It is not a technological argument: it is a political argument. It was generated by Dingledine of his own volition; it is meant to be a—possibly the—basic argument that justifies Tor. Tor is connected to a fundamental human right, the “right to privacy” which is a “foundation” of a “democratic society.” Dingledine is certainly right that we should not do things that threaten such democratic foundations. At the same time, Dingledine seems not to recognize that terms like “repressive regime” are inherently and deeply political, and that “surveillance” and “censorship” and “exploitation” name political activities whose definitions vary according to legal regime and even political point of view. Clearly, many users of Tor consider any observation by any government, for any reason, to be “exploitation” by a “repressive regime,” which is consistent for the many members of the community who profess a variety of anarchism or anarcho-capitalism, but not for those with other political views, such as those who think that there are circumstances under which laws need to be enforced.

    Especially concerning about this argument is that it mischaracterizes the nature of the legal guarantees of human rights. In a democracy, it is not actually up to individuals on their own to decide how and where human rights should be enforced or protected, and then to create autonomous zones wherein those rights are protected in the terms they see fit. Instead, in a democracy, citizens work together to have laws and regulations enacted that realize their interpretation of rights. Agitating for a “right to privacy” amendment to the Constitution would be appropriate political action for privacy in a democracy. Even certain forms of (limited) civil disobedience are an important part of democracy. But creating a tool that you claim protects privacy according to your own definition of the term, overtly resisting any attempt to discuss what it means to say that it “protects privacy,” and then insisting everyone use it and nobody, especially those lacking the coding skills to be insiders, complain about it because of its connection to fundamental rights, is profoundly antidemocratic. Like all technocratic claims, it challenges what actually is a fundamental precept of democracy that few across the political spectrum would challenge: that open discussion of every issue affecting us is required in order for political power to be properly administered.

    It doesn’t take much to show that Dingledine’s statement about the political foundations of Tor can’t bear the weight he places on it. I commented on the Tor Project blog, pointing out that he is using “right to privacy” in a different way from what that term means outside of the context of Tor: “the ‘right to privacy’ does not mean what you assert it means here, at all, even in those jurisdictions that (unlike the US) have that right enshrined in law or constitution.” Dingledine responded:

    Live in the world you want to live in. (Think of it as a corollary to ‘be the change you want to see in the world’.)

    We’re not talking about any particular legal regime here. We’re talking about basic human rights that humans worldwide have, regardless of particular laws or interpretations of laws.

    I guess other people can say that it isn’t true — that privacy isn’t a universal human right — but we’re going to keep saying that it is.

    This is technocratic two-stepping of a very typical and deeply worrying sort. First, Dingledine claimed that Tor must be supported because it follows directly from a fundamental “right to privacy.” Yet when pressed—and not that hard—he admits that what he means by “right to privacy” is not what any human rights body or “particular legal regime” has meant by it. Instead of talking about how human rights are protected, he asserts that human rights are natural rights and that these natural rights create natural law that is properly enforced by entities above and outside of democratic polities. Where the UN’s Universal Declaration on Human Rights of 1948 is very clear that states and bodies like the UN to which states belong are the exclusive guarantors of human rights, whatever the origin of those rights, Dingledine asserts that a small group of software developers can assign to themselves that role, and that members of democratic polities have no choice but to accept them having that role.

    We don’t have to look very hard to see the problems with that. Many in the US would assert that the right to bear arms means that individuals can own guns (or even more powerful weapons). More than a few construe this as a human or even a natural right. Many would say “the citizen’s right to bear arms is a foundation of a democratic society.” Yet many would not. Another democracy, the UK, does not allow citizens to bear arms. Tor, notably, is the home of many hidden services that sell weapons. Is it for the Tor developers to decide what is and what is not a fundamental human right, and how states should recognize them, and to distribute weapons in the UK despite its explicit, democratically-enacted, legal prohibition of them? (At this point, it is only the existence of legal services beyond Tor’s control that make this difficult, but that has little to do with Tor’s operation: if it were up to Tor, the UK legal prohibition on weapons would be overwritten by technocratic fiat.)

    We should note as well that once we venture into the terrain of natural rights and natural law, we are deep in the thick of politics. It simply is not the case that all political thinkers, let alone all citizens, are going to agree about the origin of rights, and even fewer would agree that natural rights lead to a natural law that transcends the power of popular sovereignty to protect. Dingledine’s appeal to natural law is not politically neutral: it takes a side in a central, ages-old debate about the origin of rights, the nature of the bodies that guarantee them.

    That’s fine, except when we remember that we are asked to endorse Tor precisely because it instances a politics so fundamental that everyone, or virtually everyone, would agree with it. Otherwise, Tor is a political animal, and the public should accede to its development no more than it does to any other proposed innovation or law: it must be subject to exactly the same tests everything else is. Yet this is exactly what Tor claims it is above, in many different ways.

    Further, it is hard not to notice that the appeal to natural rights is today most often associated with the political right, for a variety of reasons (ur-neocon Leo Strauss was one of the most prominent 20th century proponents of these views). We aren’t supposed to endorse Tor because we endorse the right: it’s supposed to be above the left/right distinction. But it isn’t.

    Tor, like all other technocratic solutions (or solutionist technologies) is profoundly political. Rather than claiming it is above them, it should invite vigorous political discussion of its functions and purpose (as at least the Tor Project’s outgoing Executive Director, Andrew Lewman, has recently stated, though there have yet to be many signs that the Tor community, let alone the core group of “Tor People,” agrees with this). Rather than a staff composed entirely of technologists, any project with the potential to intercede so directly in so many vital areas of human conduct should be staffed by at least as many with political and legal expertise as it is by technologists. It should be able to articulate its benefits and drawbacks fully in the operational political language of the countries in which it operates. It should be able to acknowledge that an actual foundation of democratic polities is the need to make accommodations and compromises between people whose political convictions will differ. It needs to make clear that it is a political project, and that like all political projects, it exists subject to the will of the citizenry, to whom it reports, and which can decide whether or not the project should continue. Otherwise, it disparages the very democratic ground on which many of its promoters claim to operate.

    There’s a lot to digest there, but part of what makes the development of Tor and the technocratic approach to defending ‘natural law’-endowed universal human rights such an intriguing development is the inevitability of it. Right now, the potential applicability of Tor’s technocratic approach to other aspects of the social contract is somewhat limited outside of the digital privacy domain. How many other rights can be theoretically protected through technology (this is ignoring all the evidence that spy agencies can crack Tor)? Assume Tor – plus some super-encryption – can provide a real guarantee of internet traffic anonymity to pretty much anyone. Are there any other domains of rights, other than digital privacy rights, where something analogous to Tor is possible? Medical technologies that are potentially readily accessible to anyone, like medicinal herbs you can grow, are one example of where people secure their rights to life or happiness through their own action. Although, in many cases, the Drug War says otherwise. The ubiquity of cellphone cameras has certainly made a difference in recording civil rights abuses. And if you’re the type of person that views fiat currency and central banking as a violation of your natural rights, Bitcoin could be considered an example of another technocratic solution. The blockchain will free us all! But it’s hard to think of many other examples outside of the digital domain where something that could be considered a “natural right” could be protected by a bunch of people getting together and creating a technological platform. Still, that’s going to change.

    Interestingly, it’s the rights that involve how we treat each other (rights that prevent unfair and harmful discrimination) or rights involving public services and guarantees that don’t often lend themselves to technocratic ‘solutions’ like Tor (although cellphone cameras that record abuses are one notable exception). And these also tend to be the kinds of rights the right-wing would rather become optional, and they are highly vulnerable to things like the Libertarian/quasi-anarcho-capitalist ideologies that we find in the Cypherpunk/Libertarian movements from a policy standpoint.

    So, since it’s looking like we’re entering a period where Cyberlibertarianism is going to have an elevated profile on the global stage for the foreseeable future, we’re probably going to see a lot more appeals to technocratic solutions in general, even when one doesn’t exist or make sense. And something that could make the growing popularity of technocratic solutions especially impactful, and harmful, is the number of conceptual parallels between the ideas embraced by Tor’s lead developer Roger Dingledine and the Libertarian/”let’s let the market run everything” neoliberal approach to running the world that’s embraced not only by the GOP but at a constitutional level in the European Union and eurozone. The “free market” is just one big tool for everything!

    Sure, one would hope that an elevation of discussions of “natural rights” wouldn’t, by default, descend into something like what Peter Thiel notoriously penned in a 2009 Cato Unbound piece about how democracy and freedom are incompatible. But as Golumbia points out, it’s hard not to notice that appeals to “natural rights” that transcend man-made government are generally something you hear on the right these days when they want to transcend some sort of progressive laws and regulations:

    We should note as well that once we venture into the terrain of natural rights and natural law, we are deep in the thick of politics. It simply is not the case that all political thinkers, let alone all citizens, are going to agree about the origin of rights, and even fewer would agree that natural rights lead to a natural law that transcends the power of popular sovereignty to protect. Dingledine’s appeal to natural law is not politically neutral: it takes a side in a central, ages-old debate about the origin of rights, the nature of the bodies that guarantee them.

    That’s fine, except when we remember that we are asked to endorse Tor precisely because it instances a politics so fundamental that everyone, or virtually everyone, would agree with it. Otherwise, Tor is a political animal, and the public should accede to its development no more than it does to any other proposed innovation or law: it must be subject to exactly the same tests everything else is. Yet this is exactly what Tor claims it is above, in many different ways.

    Further, it is hard not to notice that the appeal to natural rights is today most often associated with the political right, for a variety of reasons (ur-neocon Leo Strauss was one of the most prominent 20th century proponents of these views). We aren’t supposed to endorse Tor because we endorse the right: it’s supposed to be above the left/right distinction. But it isn’t.

    That’s all part of why the complications of the Tor-style technocratic approach to civil rights protection are probably going to extend beyond the problems associated with using technology, itself, as a safeguard for civil rights as a work-around to the democratic process. The promotion of technocracy as a means of guaranteeing our ‘natural rights’ is the kind of Pandora’s box that could get very dicey very fast, in part because many visions of the ‘natural order’ that define those ‘natural rights’ are kind of Old World Order-ish in a bad way:

    Salon
    Conservatives’ history problem: Why they’re doomed by their own “Golden Age”
    Compare the heydays of progressives and conservatives — and it’s clear which one fared better for Americans

    Michael Lind
    Monday, Mar 30, 2015 04:59 AM CST

    “He who controls the past, controls the future,” George Orwell wrote in 1984. One of the greatest weapons in the arsenal of a political movement is what the literary critic Van Wyck Brooks called “a usable past” and what the historian William McNeill calls “mythistory.” The most potent political narrative in any country on earth goes something like this: “The past was a glorious Golden Age, and the present is dismal. Follow us, and we will create a future as glorious as the Golden Age in the past!”

    Until recently, neither the center-left nor the center-right in American politics had agreed-upon historical narratives. But recently each movement has moved toward a greater consensus in its view of America’s past, present and future.

    The center-left consensus today holds that the New Deal era of the 1930s through the 1970s, and perhaps its Progressive Era prelude, constituted the Golden Age. The present dismal Bronze or Iron Age began with Ronald Reagan in 1980–or, more accurately, in 1976 with Jimmy Carter elected as the first of three weak, center-right Democratic presidents—Carter, Clinton and Obama–who have followed the last liberal president, Lyndon Johnson. The Glorious Future, according to the emergent progressive consensus, will take the form of a “new New Deal” which, by some combination of policies, will check or reverse growing inequality and plutocracy, in the spirit of the New Deal and its echo, the Great Society.

    This new center-left historical consensus marks the defeat of the alternate historical visions of both New Left radicals and New Democrat neoliberals.

    A similar move toward a new consensus about American history seems to be taking place on the American right. The new right-wing historical consensus illustrates the growing intellectual homogeneity of the movement.

    As recently as the 1990s, the American right was divided among neoconservatives, theoconservatives, paleoconservatives, Straussians and libertarians. Each subculture within the right had its own distinct theory of history, including a theory of the date at which American history took a wrong turn.

    Neoconservatives (I was one, until the early 1990s) began as New Deal/Great Society liberals who were alienated by the New Left’s rejection of the Cold War liberal containment strategy and its utopian radicalism. The first-wave neocons accepted and endorsed the New Deal and the Civil Rights revolutions; for them, American history took a wrong turn with the campus radicalism of the late Sixties.

    Shorter neocon history: Yay 1932! Yay 1964! Boo 1968!

    This kind of neoconservatism died in the mid-1990s. The second-wave neocons like Robert and Donald Kagan and Irving Kristol’s son Bill, editor of the Rupert Murdoch magazine The Weekly Standard, abandoned or downplayed domestic liberalism and specialized in promoting a post-Cold War American empire. The mutation of what had been Cold War liberalism into perpetual warmongering helped to drive me (and other former neoconservatives including Francis Fukuyama and Mark Lilla) out of the right altogether. Neocon militarists still have some influence in the GOP, but after the bloody failures in Iraq, Afghanistan and Libya, the right is likely to be more hawkish in rhetoric than in practice.

    At the other extreme from the neoconservatives were those whom Jacob Heilbrunn called the theoconservatives or “theocons” of the religious right. Most theocons argued that the Founders intended to establish a “Christian” or “Judeo-Christian nation.” But an even more extreme minority of neo-Calvinist “reconstructionists” argued that America went downhill after Cotton Mather. The Enlightenment was really the “Endarkenment” and Thomas Jefferson was an infidel whose ideal of separation of church and state was an abomination. The Reverend Pat Robertson, whose conspiracy theories I exposed in the New York Review of Books in 1995, claimed that Freemasons and Illuminati and international bankers were manipulating American foreign policy on behalf of Satan. (After two decades of U.S. foreign policy fiascos, I wonder whether I was too quick to dismiss this theory).

    Many mainstream conservative politicians and intellectuals disgraced themselves by opportunistically kow-towing to crackpot preachers with mass followings like Pat Robertson and the late Jerry Falwell for a couple of decades. But their ideas never had an audience outside of evangelical Protestantism. The religious right has gone into steep decline in this century, as younger generations of Americans become more socially liberal and secular.

    The paleoconservatives in the 1980s and 1990s tended to be apologists for the Old South like the late historian M. E. “Mel” Bradford, whom the neoconservative Bill Bennett displaced as Reagan’s choice to head the National Endowment for the Humanities. For many paleocons, the date at which American history took a wrong turn was 1865. It was the bloodthirsty tyrant Abraham Lincoln, not Woodrow Wilson or Franklin Roosevelt, who destroyed the Constitution, crushed the Old Republic and fastened big government on the American body politic.

    Shorter paleocon history: Yay 1776! Boo 1865!

    Like theoconservatism, paleoconservatism is all but extinct as an intellectual force, though some of its elderly votaries still have sway in some Republican primaries. The decline of neoconservatism, theoconservatism and paleoconservatism has left Straussianism and libertarianism as the most influential intellectual currents on the American right.

    Straussians are disciples of the German émigré philosopher Leo Strauss, who taught that modern “natural rights” theory represented a break with ancient and medieval “natural law” philosophy. Because the American republic was founded on natural rights, attitudes toward the American founding among Straussians depend on whether they think the replacement of natural law by natural right was progress or not. “East Coast Straussians” tend to be equivocal about modernity, the Enlightenment and the American Founding, while “West Coast Straussians” embrace all three. There is some overlap among Straussians and neocons, but equating them is a mistake.

    The intellectual leader of the West Coast Straussians was Harry Jaffa, author of “Crisis of the House Divided” (1959), who died in January of this year. Jaffa argued against pro-Confederate paleocons that the American right should embrace the figure of Lincoln. In Jaffa’s account Lincoln vindicated the timeless and true natural rights ideals of the American Founding against Southerners who repudiated natural rights in order to defend slavery.

    Jaffa seems to have won the debate on the right. Rich Lowry, the editor of National Review, has recently published a book in which he attempts to draft Lincoln for conservatism. And in 2001 David Boaz, vice-president of the libertarian Cato Institute, in an essay entitled “Don’t Put Slavery in the Flag,” argued that the South’s institution of chattel slavery was a greater offense to freedom than the North’s high tariffs. This thesis was and is controversial among libertarians.

    The Straussians also have shaped the contemporary right’s views of the twentieth century. While Lincoln is in, Theodore Roosevelt, candidate of the Progressive Party for president in 1912, is out. Straussian scholars, many of them associated with the conservative Claremont Institute, have argued that both TR and Woodrow Wilson betrayed the ideals of the American Founding in favor of historicist and relativist philosophies imported from Bismarck’s Germany. Glenn Beck helped to transmit this theory from the classrooms to the chat rooms.

    According to the new conservative consensus, the Founders and Lincoln are heroes of “constitutional conservatism.” The ideals of the American Founding and Lincoln’s second Founding, having earlier been betrayed by proslavery Southerners, were betrayed again by Republican and Democratic Progressives alike. American history took a wrong turn with the election of 1912, in which a majority of Americans voted for one of two progressive candidates, Roosevelt and Wilson.

    Shorter Straussian history: Yay 1776! Yay 1865! Boo 1912!

    As “usable pasts” go, the new conservative history is commendably simple, coherent and straightforward. But as an ex-conservative known for kindly, constructive criticism of the right, I feel obliged to point out a major weakness.

    If your theory as a conservative is that everything after the Progressive Era and the New Deal has been a disaster, and you don’t want to idealize the Old South, then you are stuck with making the period from 1865 to 1912 your glorious past. In other words, the Golden Age was the Gilded Age.

    As we can see, the Venn diagram of ideological ‘Golden Ages’ includes a lot of overlap, but quite a bit of disagreement amongst the various dominant strains of US political thought, and that disagreement doesn’t just reflect disagreements in how best to establish and protect our human rights but also deep disagreements over who gets what rights. Few things exemplify the inherent dangers associated with trying to balance universal human rights through undemocratic means more than this:


    And in 2001 David Boaz, vice-president of the libertarian Cato Institute, in an essay entitled “Don’t Put Slavery in the Flag,” argued that the South’s institution of chattel slavery was a greater offense to freedom than the North’s high tariffs. This thesis was and is controversial among libertarians.

    As we’ve seen with some prominent Libertarian figures like Hans-Hermann Hoppe, when you take Libertarian strains of thought to their logical extremes, monarchy would really lead to much greater levels of ‘freedom’ vs democracy since democracy has an inherently de-civilizing nature. That’s the kind of territory we enter when everyone gets to make up their own definitions of what constitutes “natural law”. Neoreactionary territory. And that’s why democracy is so important to the upholding of everyone’s rights: Even when you make upholding universal rights one of your goals, it’s still possible to justify some sort of fascist plutocracy or maybe even a new monarchy. Or, quite possibly, a technocracy.

    One of the take-away lessons from all this is that when we’re dealing with issues like protecting human rights, we are dealing with a topic filled with so many tensions and internal contradictions that the idea of falling back on a technocracy for the protection of our rights, as an approach that can systematically resolve those tensions, quickly becomes simply untenable. And that’s exactly why the democratic process is so vital for the protection of human rights: clean, elegant solutions like “let’s just have a bunch of people independently create super-encryption tools to protect our universal right to privacy in the digital realm” aren’t actually clean or elegant because, even if we all agreed on what those universal rights are, they aren’t always compatible with each other under all situations. While Tor, itself, can be used for very positive purposes, it’s also available for use by the Four Horsemen of the Infopocalypse and they aren’t known for respecting many rights beyond the right to digital privacy. That’s why democracy is the best solution: when rights come into conflict and compromises, judgement calls, and priorities are required, technocracy is a solution without long-term legitimacy.

    Still, despite the complicated conundrums technologies like Tor present to the public, David Golumbia was spot on when he said:


    Tor, like all other technocratic solutions (or solutionist technologies) is profoundly political. Rather than claiming it is above them, it should invite vigorous political discussion of its functions and purpose.

    At the end of the day, Tor and the issues that it raises are really quite fascinating! We’re inevitably going to face more and more complicated “liberating” technologies like Tor in the future, so the need for more conversations about how this or that double-edged techno-sword could be used to protect against this or that government abuse is only going to grow. Just wait for personal microdrone swarms. You could protect a lot of your personal rights with a personal microdrone swarm.

    Something else to keep in mind: If you think about it, if we go down the path of embracing Libertarian technocratic solutions like Tor to difficult problems, where the top technical masters become the architects of the technologies that we rely on to protect rights, in the not too distant future those people developing it, with a deep knowledge of how it works and its possible vulnerabilities, aren’t going to be people. There’s no natural law that says the top technocrat can’t be technology.

    Posted by Pterrafractyl | May 3, 2015, 6:21 am
  14. Here’s a reminder that advertising in the digital age via smart devices is probably going to be less about getting information out to consumers and more about taking information about those customers back to the advertisers. Also, your pets probably aren’t going to appreciate some of the latest trends:

    Ars Technica
    Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC
    Privacy advocates warn feds about surreptitious cross-device tracking.

    by Dan Goodin – Nov 13, 2015 12:00pm CST

    Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

    The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

    Cross-device tracking raises important privacy concerns, the Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. The FTC has scheduled a workshop on Monday to discuss the technology. Often, people use as many as five connected devices throughout a given day—a phone, computer, tablet, wearable health device, and an RFID-enabled access fob. Until now, there hasn’t been an easy way to track activity on one and tie it to another.

    “As a person goes about her business, her activity on each device generates different data streams about her preferences and behavior that are siloed in these devices and services that mediate them,” CDT officials wrote. “Cross-device tracking allows marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person.”

    The officials said that companies with names including SilverPush, Drawbridge, and Flurry are working on ways to pair a given user to specific devices. Adobe is developing similar technologies. Without a doubt, the most concerning of the companies the CDT mentioned is San Francisco-based SilverPush.

    CDT officials wrote:

    Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

    The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

    SilverPush’s ultrasonic cross-device tracking was publicly reported as long ago as July 2014. More recently, the company received a new round of publicity when it obtained $1.25 million in venture capital. The CDT letter appears to be the first time the privacy-invading potential of the company’s product has been discussed in detail. SilverPush officials didn’t respond to e-mail seeking comment for this article.

    Cross-device tracking already in use

    The CDT letter went on to cite articles reporting that cross-device tracking has been put to use by more than a dozen marketing companies. The technology, which is typically not disclosed and can’t be opted out of, makes it possible for marketers to assemble a shockingly detailed snapshot of the person being tracked.

    “For example, a company could see that a user searched for sexually transmitted disease (STD) symptoms on her personal computer, looked up directions to a Planned Parenthood on her phone, visits a pharmacy, then returned to her apartment,” the letter stated. “While previously the various components of this journey would be scattered among several services, cross-device tracking allows companies to infer that the user received treatment for an STD. The combination of information across devices not only creates serious privacy concerns, but also allows for companies to make incorrect and possibly harmful assumptions about individuals.”

    Now that SilverPush and others are using the technology, it’s probably inevitable that it will remain in use in some form. But right now, there are no easy ways for average people to know if they’re being tracked by it and to opt out if they object. Federal officials should strongly consider changing that.

    “As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.”
    It turns out headphones have been more privacy enhancing than we may have realized in recent years:


    The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

    Well, at least it doesn’t sound like advertisers have been turning our devices into Batman-style sonar devices that use ultrasound to create 3D maps of our local environments. Although if there was ultrasound getting emitted from our devices for 3D mapping purposes we might not hear much about it:

    Slate
    This Technology From The Dark Knight Could Become Reality

    By Jason Bittel
    June 19 2013 10:41 AM

    Remember in The Dark Knight when ol’ Bats turns every cellphone in Gotham City into a “high frequency generator” and you rolled your eyes as if that were somehow less realistic than the magical rolling wheels of the Bat Bike? Well, new research is showing that the acoustic mapping capabilities of such devices aren’t quite as futuristic as you might think.

    Using just an advanced algorithm and a handful of microphones, researchers at the Swiss Federal Institute of Technology in Lausanne have successfully mapped the dimensions of a closed area by measuring “room impulse responses.” At the most basic level, they blast a noise out of a speaker and then use the microphones to record what happens when the sound waves bounce off of the room’s walls, ceiling, floor, and any other objects. In this way, it’s really similar to how a bat, dolphin, or superhuman uses echolocation.

    Given the many recent revelations about the National Security Agency’s willingness and capability to snoop, the Batman application of all this seems a little more threatening than it might have a month ago. For instance, if the government can monitor domestic phone calls—without a warrant, by the way—then what’s to stop them from running a similar mapping algorithm to peer inside your home? With microphones of their own, home computers, tablets, and smart TVs could hypothetically provide other data sets for the algorithm to munch on. (Again, such notions would all be firmly within the realm of coo-coo conspiracy theory if we didn’t keep learning things like this.)

    So I asked Ivan Dokmanic, an electrical engineer and one of the paper’s authors, point-blank: Are smartphone microphones sensitive enough to detect acoustic echoes?

    “Comparison with The Dark Knight is not absurd at all, but we need to start small,” Dokmanic told me. “The level of detail obtained in Batman is a bit unrealistic for many good theoretical reasons, but I believe there is potential to get some idea about the space.” Dokmanic also said that while cellphone microphones could do the job, most models out there today are actively working against the type of background noise necessary for acoustical mapping. (Apple has even used this in their advertising.)

    Batman aside, Dokmanic’s research will likely have more immediate applications in virtual reality, architectural acoustics, audio forensics, teleconferencing, and indoor localization. This last one could be really cool, since the algorithm can be reversed if the building’s dimensions are already known. So don’t be surprised if someday soon there’s an orientation app that uses acoustic vibrations to guide you around a museum, office building, or airport.

    The NSA saga has got us all antsy about surveillance and privacy, but let’s not forget that in today’s world of GPS, Google Street View, and Facebook check-ins, more often than not we want to be found.

    “With microphones of their own, home computers, tablets, and smart TVs could hypothetically provide other data sets for the algorithm to munch on”
    Yep, the iPhone sonar ruler app might be getting an upgrade someday. Let’s hope the app developers that could someday be using this technology all have Bruce Wayne’s general outlook on upholding the common good. And since devices are already sending out bursts of ultrasonic sounds that are intended to be picked up by other random devices, just think about the kinds of fascinating details and 3D spatial information that could be gathered in a future environment of an ever-growing “internet of things”, including the near-future environment.

    Still, as scary as a sonar spyware-app sounds, it could be worse. So much worse…

    Posted by Pterrafractyl | November 15, 2015, 9:16 pm
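    The ultrasonic beacon mechanism the Ars Technica piece above describes, as an added worked example (this is not SilverPush’s code, whose real signalling format is not public, and not code from the original post): a binary-FSK encoder that hides a short campaign ID in two tones above 18 kHz, the Goertzel-based listener an SDK would run on microphone input, and the check a practitioner would actually want on the user side, a detector that reports how much of a recording’s energy sits in the 18–20 kHz band. The sampling rate, carrier frequencies, symbol length, preamble and the 440 Hz “programme audio” plus noise used as input are all assumptions constructed for the example; it is pure Python and runs offline.

```python
"""Ultrasonic FSK audio beacon: encoder, SDK-style decoder, user-side detector.

Added example, not SilverPush code (its real signalling format is not public).
Assumed parameters: 44.1 kHz sampling, carriers at 18.5/19.5 kHz, 50 ms per
bit, a 4-bit preamble and an 8-bit campaign ID. Pure Python, no numpy needed.
"""
import math
import random

SAMPLE_RATE = 44100                       # Hz (assumed phone/TV audio rate)
FRAME = int(SAMPLE_RATE * 0.05)           # samples per bit: 50 ms = 2205
FREQ_ZERO, FREQ_ONE = 18500.0, 19500.0    # Hz, carriers for bit 0 / bit 1 (assumed)
PREAMBLE = "1010"                         # sync pattern before the ID (assumed)
ID_BITS = 8
BEACON_AMPLITUDE = 0.3
BAND = (18000.0, 20000.0)                 # "inaudible" band the detector watches
# A frame must carry at least the power of a 0.05-amplitude sine at one carrier
# to count as a tone; this rejects noise-only input instead of decoding garbage.
MIN_TONE_POWER = (0.05 * FRAME / 2) ** 2


def tone(freq, n, amplitude):
    """n samples of a sine at freq Hz."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def encode_beacon(ad_id):
    """Binary-FSK modulate PREAMBLE + ad_id into back-to-back ultrasonic tones."""
    samples = []
    for bit in PREAMBLE + format(ad_id, "0%db" % ID_BITS):
        samples += tone(FREQ_ONE if bit == "1" else FREQ_ZERO, FRAME, BEACON_AMPLITUDE)
    return samples


def goertzel_power(samples, freq):
    """|X(freq)|^2 of samples: one DFT bin via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_beacon(samples):
    """Listener side: the ID carried by a beacon at the start of samples, or None.

    None means too short, a frame with no strong carrier (no beacon present),
    or a preamble mismatch (some other ultrasonic source).
    """
    n_bits = len(PREAMBLE) + ID_BITS
    if len(samples) < n_bits * FRAME:
        return None
    bits = ""
    for i in range(n_bits):
        frame = samples[i * FRAME:(i + 1) * FRAME]
        p0, p1 = goertzel_power(frame, FREQ_ZERO), goertzel_power(frame, FREQ_ONE)
        if max(p0, p1) < MIN_TONE_POWER:
            return None
        bits += "1" if p1 > p0 else "0"
    if not bits.startswith(PREAMBLE):
        return None
    return int(bits[len(PREAMBLE):], 2)


def ultrasonic_energy_ratio(samples):
    """Defender side: fraction of the first frame's energy inside BAND.

    Total energy comes from Parseval (sum over all FRAME bins of |X_k|^2 equals
    FRAME * sum(x^2)); band energy is summed over the 20 Hz bins with Goertzel
    and doubled for the mirrored negative-frequency bins. Alarm when it is high.
    """
    frame = samples[:FRAME]
    bin_width = SAMPLE_RATE / FRAME          # 20 Hz for a 2205-sample frame
    band_power, f = 0.0, BAND[0]
    while f <= BAND[1]:
        band_power += goertzel_power(frame, f)
        f += bin_width
    total_power = FRAME * sum(x * x for x in frame)
    return 2.0 * band_power / total_power if total_power else 0.0


def constructed_recording(ad_id, with_beacon=True, seed=1):
    """Constructed input: audible 440 Hz 'programme' tone plus low-level noise,
    with the beacon mixed underneath unless with_beacon is False."""
    n = (len(PREAMBLE) + ID_BITS) * FRAME
    rng = random.Random(seed)
    programme = tone(440.0, n, 0.8)
    noise = [rng.uniform(-0.05, 0.05) for _ in range(n)]
    beacon = encode_beacon(ad_id) if with_beacon else [0.0] * n
    return [p + z + b for p, z, b in zip(programme, noise, beacon)]


if __name__ == "__main__":
    tracked = constructed_recording(0xA5)
    clean = constructed_recording(0xA5, with_beacon=False)
    print("decoded ID with beacon:", decode_beacon(tracked))      # 165
    print("decoded ID without beacon:", decode_beacon(clean))     # None
    print("ultrasonic energy ratio, with beacon:", round(ultrasonic_energy_ratio(tracked), 3))
    print("ultrasonic energy ratio, without:", round(ultrasonic_energy_ratio(clean), 5))
```

    Two design points matter for the defender. The decoder deliberately refuses to emit an ID unless every symbol frame carries a strong carrier, because a listener that just compares two bins will happily “decode” random bits out of room noise; and the band-energy ratio is a cheap check that needs no knowledge of the beacon format at all, so it also catches schemes with different carriers or symbol timing than the ones assumed here. The same ratio drops to nearly zero for the beacon-free recording, which is what makes it usable as an alarm threshold.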
  15. Now that a vengeful lunatic is set to become president of the United States and Steve Bannon, a vengeful white nationalist advisor known for pursuing the destruction of his enemies, is whispering in the president-elect’s ear, we probably shouldn’t be surprised that Edward Snowden is pushing technology solutions like encryption as a key tool for surviving the Trump era. After all, one of the main sales pitches of the Cypherpunk revolution was supposedly that people could use encryption as a tool for organizing political resistance under repressive regimes, so a Trump victory would certainly be the kind of event that we should expect to trigger a surge in Cypherpunk calls for more encryption technology. Especially after an FBI far-right faction basically worked in coordination with Steve Bannon’s Breitbart news to swing the election.

    But as the article below points out, that’s not actually the message Snowden is pushing in the wake of a Trump victory. Yes, he is still pushing encryption as a key civic tool for the Trumpian age. But not for the purpose of advancing a political agenda that can counter and undo the damage full-spectrum Trump/GOP control will do to the nation and world. No, Snowden actually recommends that we avoid politics. As Snowden sees it, “If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far. And if history is any guide, they are the least effective means of seeing change we want to see”:

    Gizmodo

    Edward Snowden Is a Fucking Idiot

    Matt Novak
    11/17/2016 10:16am

    Today, Edward Snowden is wrong about almost everything. Yes, he’s a patriot, and yes, I believe that what he did in 2013 to reveal dangerous elements of our surveillance state was important and commendable. But Snowden is completely oblivious to the challenges that we face as we move into the year 2017—a perilous fucking time for our country, to say the least.

    On Tuesday, I had the pleasure of attending the Real Future Fair in Oakland, which featured some amazing speakers like Mae Jemison, the first American woman of color in space. It was a fascinating conference, but there was one speaker that made me incredibly frustrated: Edward Snowden, who joined us in Oakland via teleconference robot from Russia. And I’ve come to the conclusion that he’s promoting an idiotic worldview that’s completely devoid of answers for how to effectively combat the threat that Donald Trump and his neo-fascist goons pose to our democracy.

    What got me so riled up about Snowden’s talk? He firmly believes that technology is more important than policy as a way to protect our liberties. Snowden contends that he held this belief when Obama was in office and he still believes this today, as Donald Trump is just two months away from entering the White House. But it doesn’t make him right, no matter who’s in office.

    “If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far. And if history is any guide, they are the least effective means of seeing change we want to see,” Snowden said on stage in Oakland from Russia, completely oblivious to how history might actually be used as a guide.

    Snowden spoke about how important it is for individuals to act in the name of liberty. He continually downplayed the role of policy in enacting change and trotted out some libertarian garbage about laws being far less important than the encryption of electronic devices for the protection of freedoms around the world.

    “Law is simply letters on a page,” Snowden said. It’s a phrase that’s still ringing in my ears, as a shockingly obtuse rejection of civilized society and how real change happens in the world.

    How do we advance the cause of liberty around the world? Encrypt your devices, according to Snowden. Okay, now what? Well, Snowden’s tapped out of ideas if you get beyond “use Signal.” The closest he got to advocating for anything involving policy change was when he told people they could donate to the Freedom of the Press Foundation which, it should probably be noted, he currently works for.

    Imagine if advocates of human rights held this same worldview fifty years ago. What would the American civil rights movement have looked like in the 1950s and 60s if you didn’t believe changes in policy mattered? If you truly think that laws are irrelevant and that securing your communications from government surveillance is the only force for liberty, then your biggest problem with the FBI’s persecution of Martin Luther King Jr. was that they tapped his phone lines. King’s use of his phone was a means to an end, just as the FBI’s surveillance of King was a means to an end. The end, as far as civil right leaders were concerned, was enacting policy. Shielding your communications from government surveillance is merely a tactic to allow you to operate and organize without government interference. Encryption doesn’t fight against injustice all by its lonesome.

    What about the 1964 Civil Rights Act, a crowning achievement of the civil rights movement that brought about real change to a system built on systemic racism? The Civil Rights Act didn’t end racism, and it, along with its legal cousin the Voting Rights Act of 1965, are currently being butchered beyond recognition after a devastating Supreme Court decision. But the answer to progressive losses in the courts isn’t “encrypt your phone.” The answer is to bring about policy changes through local and national laws to ensure that human rights are protected. Encrypt your data all you like—it’s an important, if admittedly flawed, way to help organize and protest. (Privacy tools like Tor are leaking like a sieve and there are a hundred different ways for the state to access your communications even if you have the most advanced opsec in the world.) But don’t tell me that policy doesn’t matter.

    If you earnestly put forward this idea that fighting for policy is somehow irrelevant and that laws are “simply letters on a page” you have very little to offer modern society. You’re surrendering to living in a fundamentally broken world and are ignoring the methods by which history actually evolves to meet the needs of a civilized society. Every time someone like Snowden says “encrypt your phone” our response must be, “okay, now what do we do?” And Snowden doesn’t have an answer.

    “Technology works differently than law. Technology knows no jurisdiction,” Snowden said via video conference in Russia, seemingly oblivious to the fact that a change in policy would be necessary for his return to the United States, not stronger encryption of his communications.

    In Oakland, Snowden also addressed his tweet from October 21st in which he said that, “There may never be a safer election in which to vote for a third option.” Snowden told us that he more or less stands by his tweet and that anything else “freezes us into a dynamic of ‘you must always choose between two bad options’” which is a “fundamentally un-American idea.”

    This might be the “glass half full or glass half empty” for our times. People like Snowden subscribe to the belief that the lesser of two evils is still evil. I subscribe to the belief that the lesser of two evils is still less evil. When you’re talking about someone as dangerous to democracy as Donald Trump and the fucking knobs he’s surrounding himself with who are more loyal than they are intelligent, these competing worldviews matter.

    If you’re looking for NSA docs about the surveillance state, Snowden is your man. If you’re looking for guidance on how to make the world a more just place, we have to look elsewhere and listen to people who believe in the only thing that can possibly influence the world for the better: Radical changes in policies that touch the lives of everyone around the globe.

    “In Oakland, Snowden also addressed his tweet from October 21st in which he said that, “There may never be a safer election in which to vote for a third option.” Snowden told us that he more or less stands by his tweet and that anything else “freezes us into a dynamic of ‘you must always choose between two bad options’” which is a “fundamentally un-American idea.””

    Yes, in Snowden’s world, voting for ‘the lesser of two-evils’ is a “fundamentally un-American idea.” No, the patriotic thing to do is abandon policy and law as simply “letters on a page” and abandon politics in general as “the least effective means of seeing change we want to see”. Self-empowerment by removing yourself from politics, that’s the ticket! Now hand over that US-intelligence-establishment-funded privacy technology so we can effectively organize against the coming Trump repression so we can hopefully avoid any Trump repression by completely obscuring our politics, taking no stand at all that would alert the Trump administration about our opposition to its fascist agenda, and just sort of waiting this out. Or something. Freeeedom!

    Posted by Pterrafractyl | November 17, 2016, 3:59 pm
  16. Here’s an article that points towards a social phenomenon that’s worth keeping in mind as the digital economy continues to grow and make hacking potentially more and more lucrative: traditional organized crime syndicates are finally getting into the hacking business in a big way, and as a consequence the type of young individual that’s getting recruited into these organizations fits a different profile from the mobsters of the past:

    Financial Times

    Organised crime finally embraces cyber theft
    European police struggle to keep up as the Godfathers go digital, writes Misha Glenny

    March 7, 2017 3:56 pm by Misha Glenny

    One overriding message will emerge from Europol’s Serious and Organised Crime Threat Assessment 2017 to be published this week: the Godfathers have finally gone digital. Drones, tracking devices, social engineering, hacking, encrypted communication have in a short space of time been added to the villain’s bag of tricks alongside the crowbar, the knuckle-duster and the gold chains.

    This is a development that law enforcement agencies dealing with transnational organised crime around the world have been dreading. For much of the past 15 years, traditional organised crime and cyber crime have been two discrete branches of elite malfeasance.

    According to the SOCTA, Europol is now combating 5,000 international crime groups within the EU, 1,400 more than in 2013. But there are many others operating outside the territory while selling their illicit goods and services into the EU.

    Less than a decade ago, a Swedish cyber criminal described how he had tried to interest his father’s organised crime operation in Malmö in online credit and debit card fraud.

    “The returns were much higher and the risks much lower,” he explained to me, “but they just couldn’t get their heads round the technology. They preferred to stick with what they knew best — baseball bats, Semtex and stockings over their heads.”

    His response hinted at the gulf that has kept apart old-style crime and the new world of criminal hackers: the use of violence. In the world of mafia organisations, if you cannot deploy or credibly threaten intimidation, you don’t make the starting grid. Violence is the sine qua non of traditional organised crime. But in cyber crime, the physical is not an issue: you can hatch a crime in Astana with your victim in LA while organising the cash-out in Dubai.

    As a consequence, cyber crime has attracted perpetrators with a wholly different social profile from the hitmen of Sicily, the sicarios of Pablo Escobar or the fingerless enforcers of the yakuza. They often start very young. More experienced cyber criminals monitor the activity of youngsters with aptitude on the dark net and recruit them by gently enticing them into criminal activity — a process that begins before the young hacker has a developed moral compass.

    The hackers and malware writers are often geeks with limited social skills and rarely any record of thuggery. Meanwhile, the front line of cyber crime is waged by people known as social engineers — modern confidence tricksters who persuade you to do things on your computer which you will later regret.

    But now traditional organised crime has understood that embracing technology can lead to spectacular profits. In one court case in Brussels, a Dutch-Turkish group importing heroin from South America persuaded two techies to hack into the port of Antwerp and manipulate the unique nine-digit PIN numbers that every seagoing container is allotted. Using this they were able to digitally mark the containers with cocaine as having been customs cleared.

    Europol anticipated this shift four years ago by establishing its cyber unit, EC3. But with encrypted communications, which are virtually unbreakable, now becoming the standard for crime groups, the revolution in technology is often seen as much a curse as a benefit by law enforcement around the world.

    “As a consequence, cyber crime has attracted perpetrators with a wholly different social profile from the hitmen of Sicily, the sicarios of Pablo Escobar or the fingerless enforcers of the yakuza. They often start very young. More experienced cyber criminals monitor the activity of youngsters with aptitude on the dark net and recruit them by gently enticing them into criminal activity — a process that begins before the young hacker has a developed moral compass.”

    Mobster hacker grooming. Yikes.

    And note the sudden jump in organized crime groups since 2013, the year Edward Snowden made hacking a global topic of conversation:

    According to the SOCTA, Europol is now combating 5,000 international crime groups within the EU, 1,400 more than in 2013. But there are many others operating outside the territory while selling their illicit goods and services into the EU.
    ...

    Who knows if that jump is related to all the attention the Snowden affair gave to digital vulnerabilities, but it’s a reminder that a lot of people probably think “hey, I should be doing that too!” whenever there’s a big new expose on government hacking capabilities. And if it’s traditional organized criminal groups without existing in-house hacking capabilities getting excited about getting into the cybercrime business, they’re going to have to recruit someone, which means it’s probably been a REALLY good time to be an up and coming young hacker over the past few years. There doesn’t appear to be a shortage of demand.

    So now you know: if you’re hanging out on the Dark Web bragging about your hacking skills and someone gently starts giving you fun criminal hacking ideas, it just might be a mobster who wants to recruit you, so be sure not to demonstrate a moral compass because that probably won’t help.

    If, on the other hand, you are enticed into solving one of the most difficult puzzles ever created as part of a hacker recruitment scheme for a mysterious group dedicated to the Cypherpunk ideology that wants to build tools that would lead to the automatic release of sensitive information if a whistle-blower or researcher is indisposed for a period of time (like an automated version of Edward Snowden’s “Dead man’s switch”), that’s probably not a mobster trying to recruit you. Or maybe it is. No one really knows:

    Rolling Stone

    Cicada: Solving the Web’s Deepest Mystery

    How one teenage whiz kid found himself in a world of international intrigue

    By David Kushner
    January 15, 2015

    Marcus Wanner needed a little adventure in his life. A skinny 15-year-old brainiac with wire-frame glasses and wavy brown hair, he was the eldest of five, home-schooled by their mother, a devout Catholic, near Roanoke, Virginia. Shuttling Marcus between home, church and the Boy Scouts seemed like the best way to keep him away from trouble (and girls). “I missed out on a lot,” he recalls with a sigh. “I didn’t get out much.”

    Though Marcus was gifted with computers, his mom and dad, an electrical engineer, also locked him down online. He couldn’t send an e-mail or register on a website without their permission. To make sure he was abiding, he was restricted to the living-room computer, which they could see. “It was the Big-Brother-eye-over-the-shoulder thing,” he says. But his parents only had so much power. “There was no way we could check what he was up to if he covered his tracks,” his mother admits. “He’s light-years ahead of us.” Marcus was a good kid, dependable, hardworking, the leader of his Boy Scout troop, just a project away from Eagle Scout. But he could only take so much. “Until a point, I tried to go with the flow,” he says. “And then I was like, ‘Aw, fuck it.’”

    Fuck It Day came January 7th, 2012. His parents had recently caved in and let him get a laptop. Dressed in a T-shirt and his green Boy Scout cargo shorts (the only kind he wore), he was sitting on his bed, surreptitiously surfing the science and math board on 4chan, the notorious underground forum, when he came across a strange image that had appeared on the site three days earlier. It contained a message written in a thin white font against a black background. “Hello,” it read. “We are looking for highly intelligent individuals. To find them, we have devised a test. There is a message hidden in this image. Find it, and it will lead you on the road to finding us. We look forward to meeting the few that will make it all the way through. Good luck.” It was signed “3301.”

    For all Marcus knew, it could have been another dumb 4chan prank. He’d never been one for games like this. With the exception of the Rubik’s Cube, which he could solve in under a minute, puzzles were dull. But it was late and he was bored. Someone on 4chan had created an Internet Relay Chat channel where people were logging in to discuss the bizarre message. Marcus tried to imagine himself asking his parents for permission to chat with strangers on a site that had made a picture of a guy stretching open his asshole the Net’s grossest meme. Then again, he thought, maybe it was time he didn’t ask permission. With one click on the IRC link, Marcus said fuck it and went inside – not knowing what or whom he’d find.

    Tekk doesn’t want to give his real name. Or his full handle. Or where he grew up. Or the name of the university where he recently started as a freshman, or where we meet for pizza one night this past fall. He’s been feeling paranoid ever since he stumbled upon 3301, which is how he met Marcus. This is clear when someone accidentally drops a plate nearby us and Tekk, a pasty, scruffy 18-year-old with thick black hair and glasses, whips around in a panic. “Sorry,” he tells me. “I’m still a bit twitchy.”

    The twitchiness began January 5th, 2012. At the time, he was just another sheltered 15-year-old nerd in suburbia, webmaster for his high school paper, and an earnestly goofy coder (one of his sites allows visitors to send virtual fruit to one another). But his life took an unexpected turn that day when a friend in robotics lab showed him a mysterious image he’d seen on 4chan. “Dude, you can’t be on 4chan on school computers – that’s not wise!” Tekk recalls saying. “That’s like the chamber pot of the Internet.”

    But the challenge to find what was hidden in this picture intrigued him. He stared intently at the image. Someone on the IRC had heard rumors that terrorist groups encrypt secret notes in image files, ones that could be retrieved by opening the file in a different format. Running a text-editing program called Notepad, he opened the image and, sure enough, saw a strange string of words and garbage characters at the end: “TIBERIVS CLAVDIVS CAESAR says ‘lxxt>33m2mqkyv2gsq3q=w]O2ntk.’”

    Tekk harrumphed with satisfaction. Caesar, he knew, was one of the most ancient forms of encryption, dating back to Julius Caesar, who used the cipher to safeguard military secrets. It works by taking the alphabet and then counting down each letter based on a designated number (say, replacing letters with ones three letters down the alphabet). When Tekk Googled Tiberius Claudius Caesar, he learned this was the fourth Roman emperor. Moving each character down four spots, the string of letters and numbers became a website address. When he clicked the link, it took him to a page with an image of a wooden duck and another cryptic message: “WOOPS just decoys this way. Looks like you can’t guess how to get the message out.”

    When I ask Tekk how he felt upon seeing this riddle, he laughs and says, “It kind of rhymes with ‘what the duck?’” He joined the conversation among the puzzle solvers on the IRC. To Tekk, many seemed like the usual 4chan miscreants. But one guy totally knew his shit: Marcus.

    Marcus and Tekk had a lot in common. They were both 15, savvy online and self-reliant. “He was a leader and, like myself, a bit of a control freak,” Marcus says. And they were both already hooked on cracking the mystery. “We just kind of figured, ‘OK, we’re in this together,’” Tekk says. “And other people just weren’t doing as well as we were.”

    Splitting off from the 4chan scrum, they formed their own private IRC channel, and cherry-picked other bright solvers to join them. They called their team #decipher. It consisted of about 10 like-minded 4channers around the world. There was Wakeen, a 16-year-old Chilean-born math prodigy, who, as he puts it, “obsesses about cryptography.” There was John Henrik Guttorm, a 26-year-old hacker in the Arctic circle of Norway, who did sound and lights for local concerts during the long sunless days. “If you ask someone here what he does, he says, ‘Fishing and fucking,’” Guttorm tells me. “‘And in the winter, less fishing.’”

    As Team #decipher knew, cryptographic mind-benders have been around for centuries. The most legendary is the Voynich manuscript (a handwritten codex carbon-dated to the 15th century and thought to have originated in Central Europe), which cryptographers have yet to solve. In the past decade, so-called alternate-reality games – which took players on elaborate scavenger hunts online and off – had been used to market The Dark Knight, Halo 2 and the Nine Inch Nails record Year Zero.

    More romantically, spy masters have used riddles and puzzles as a recruitment technique going back at least to World War II, when British cryptographer Alan Turing used an extremely challenging crossword to help find agents who could crack Nazi codes. Recently, corporations have also found ciphers useful for scouting. In 2004, a billboard appeared in Silicon Valley with just the cryptic phrase “{first 10-digit prime found in consecutive digits of e}.com.” The answer, 7,427,466,391 – with the .com added – led to a Web page with another mind-numbing math problem, which ultimately landed on the homepage of Google Labs, the testing wing of the online behemoth. “One thing we learned while building Google is that it’s easier to find what you’re looking for if it comes looking for you,” the message on the site read. “What we’re looking for are the best engineers in the world. And here you are.”

    In 2011 and 2013, one of Britain’s intelligence agencies, the Government Communications Headquarters, carried on Turing’s tradition and posted complicated cryptographic puzzles online to attract young talent. “The aim was to appeal to a wider and different audience than the more traditional campaigns, in order to reach individuals with technical, analytical and mathematical skills,” a GCHQ spokesperson told me in a statement. “Both campaigns were successful.”

    Perhaps 3301 was Google, the solvers speculated, or some other corporation, or government, or hacker group – they had no idea. The meta-mystery of 3301’s identity made this riddle all the more compelling. “Usually with puzzles in a book or on a website, you know the driving force behind it,” says Kenny Paterson, a cryptographer and professor of Information Security at the University of London. “But here no one knows what the goal is, what you get, how you know when you won.”

    But whatever it was, the #decipher crew wanted to master it. As they discussed the duck-decoy clue in IRC, they realized that the message – “looks like you can’t guess how to get the message out” – contained the words “out” and “guess,” which, when combined, formed the word outguess, the name of a steganography program. Steganography dates back to around 440 B.C. Greece, and entails hiding a message or image within another one. When they ran the duck-decoy image through OutGuess, they rejoiced in unearthing another clue. “Here is a book code,” it read, and listed 75 combinations of numbers: 1:20, 2:3, 3:5, etc.

    Using the book code from the decoy image to analyze “The Lady of the Fountain,” they found another hidden message. Marcus had become the secretary of #decipher and described it in his notes. “The first code is ‘1:20,’” he typed. “Taking the 20th character of the first line of decoded text, we get ‘C.’ Continuing with the second line (2:3), an ‘A’ is found.” By the end, he had stitched together another message: “Call us at telephone number two one four three nine oh nine six oh eight.” One thought flashed through Marcus’ mind as he sat on his bed in his Boy Scout shorts, and it rhymed with “what the duck?”

    Tekk was already feeling out of sorts. The puzzle, which the #decipher team was now calling Cicada, had become all-consuming. “Solving things is kind of addictive,” he says. “It kind of felt like National Treasure.” He was staying up until four in the morning, dragging himself to school, all the while hiding his secret digital life from his parents. “If I had delved into what he was solving and known it was from an unknown source, it would have caused me much more stress at the time,” his mother tells me. “It would have freaked them out,” Tekk says. “Meeting with strangers on the Internet to solve puzzles sounds a little sketch.”

    It got sketchier when the solvers called the mysterious telephone number with a Dallas area code. “Very good. You have done well,” said the computerized voice on the recording. Then it doled out another clue. “There are three prime numbers associated with the original final.jpg image. 3301 is one of them,” the message went on. “You will have to find the other two. Multiply all three of these numbers together and add a .com to find the next step. Good luck. Goodbye.”

    The final.jpg image referred to the first one in the puzzle – the white-font message against the black background. The group struggled to figure out what other two numbers could be gleaned, until eventually someone tried looking at the height and width: 509 by 503 pixels, both prime. When multiplied with 3301, they got 845,145,127, and added a .com, which led them to another website, with a picture of a cicada, wings unfurled. Beneath the picture was a countdown clock. Running the image through OutGuess revealed a message: “You have done well to come this far,” it read. “Patience is a virtue. Check back at 17:00 on Monday, 9 January 2012 UTC.”

    Inside his bedroom, Marcus checked his chunky black watch: one day to go, noon Roanoke time. He had a Boy Scout meeting on the night of January 9th, but spent that morning in his room anxiously awaiting zero hour. As 12 p.m. struck, he hit refresh on his Web browser and then saw 13 pairs of numbers fill his screen:

    52.216802, 21.018334
    48.85057059876962, 2.406892329454422

    And so on.

    Marcus scribbled the numbers and their prime factors on a stray piece of cardboard, and felt coldness creep across his chest. Until now, this mystery had been confined to the Internet, an invisible journey with a faceless troop across the ether. But Cicada had just broken the fourth wall and flown into the real world. “Find our symbol at the location nearest you,” the message concluded. The numbers were coordinates.

    When the Cicada coordinates hit the Web, it set off a furious scavenger hunt as solvers punched the locations into Google maps. There was no way of knowing exactly how many people were on the case, but scores now filled the active Cicada discussion forums. To the astonishment of the solvers, 3301 had somehow planted clues around the world. There were more than a dozen, spread over four continents. The Street View images seemed random: a narrow street near the University of Warsaw, a parking lot on a busy intersection of Seoul, a country road on the North Shore of Oahu. One location came up in front of a prominent doctor’s house in a wealthy section of Seattle. (When RS called the doctor, he said that he had never heard of Cicada 3301.)

    Solvers mobbed the IRC, crowd-sourcing anyone close to the locations who could head to the spots. Tekk, increasingly spooked, found the whole thing “creepy,” he says, and his imagination ran wild. “They could have been, like, sitting there with knives at night,” he says. “Just waiting to stab someone who went out. We had no idea what we were doing.” Marcus, however, was less concerned, and game. After a childhood feeling isolated, he identified with the intellectual breadth and depth of 3301. “I saw a kindred spirit in whomever made the puzzles,” he says. “I didn’t have any fear of it.” Unfortunately, he didn’t have any way to travel. “I didn’t have car privileges,” he says. “And it wasn’t like I could say, ‘Mom, the Internet told me to drive to Seattle.’”

    While Marcus looked for deeper meaning in the coordinates, Tekk had news of his own. One of the guys in #decipher had a brother, Bongo, who lived in Sydney and was heading out to the Australia coordinates. Bongo arrived on a leafy, residential street, where he found a poster with a cryptic black drawing taped to a telephone pole: a cicada. Below it was the square black matrix of a QR code (often used in advertising to quickly link to websites and product info). Before long, similar posters were found around the world: Warsaw, Poland; Fayetteville, Arkansas; Paris; Seoul; Seattle; Miami.

    When scanned with a QR reader, the codes led to one of two different riddles, each with a book cipher. The first was the Encyclopedia Britannica 11th Edition. The other correlated to “Agrippa,” a 1992 poem by sci-fi novelist William Gibson, which was distributed on a floppy disk and coded to encrypt itself after one read so that it could never be accessed again. Both clues included a somewhat chilling note from 3301 that suggested they were both aware of and not keen on the solvers’ collaboration. “You’ve shared too much to this point,” the note read. “We want the best, not the followers. Thus, the first few there will receive the prize.”

    As the solvers busied themselves with the new puzzles, paranoia spread. “Cicada attracts a fair bunch of loonies and paranoid people,” says Martin Wehrmeyer, a solver who helps run the Uncovering Cicada forum. This wasn’t feeling like just a game anymore. How much information had they given away? How closely were they being tracked? And who was doing the tracking? Some thought it was the CIA, the NSA or even William Gibson himself (although when I ask Gibson if he’s the one, he laughs, shakes his head no and says, “I would hope that if I were doing something like that, it would be funnier”).

    Others wondered if it was a criminal hacker group, looking for pawns in some nefarious plan. Wakeen, the Chilean prodigy, got frightened after receiving a call at 2 a.m. that just had an emergency test tone on the other line. On the Cicada forums, he and the others began noticing that active members seemed to be dropping out of the action. “That got me paranoid,” he says, “so I had a contingency plan with a friend where, if I disappeared, I would try to leave behind evidence.”

    Even the more math-minded skeptics who never considered themselves part of the tinfoil-hat crowd couldn’t help feeling freaked. The competitive aspect of solving the puzzle first also increased, heightening everyone’s tension. To throw others off the 3301 trail, the #decipher team began planting false clues online.

    No one seemed more rattled than Tekk. He and others began questioning people in the #decipher IRC to see if they were moles. They adopted the motto “Everyone except you is Cicada.” Marcus was among those who got fed up with Tekk’s drama. “Tekk was really secretive,” he recalls. “At one point, it felt like too much.” One afternoon, Tekk logged on to find that someone had unearthed his true identity and posted pictures of his family along with his home address. Tekk was shattered. “It just made me more wary of the Internet in general,” he says.

    As more complicated puzzles came their way and more rumors mounted, the number of solvers in the forums dwindled – from frustration, boredom and fear. But there was one of them who was still fully committed: Marcus. “It was my only life,” he says. And since he was home-schooled, he had the luxury and curse of being able to spend as much time on Cicada as he wanted. “That was all I did,” he says.

    On February 6th, one long month after seeing the first clue, he received an e-mail from 3301. “Congratulations,” it read. “Your month of testing has come to an end. Out of the thousands who attempted it, you are one of only a few who have succeeded. There is one last step, although there will not be any hidden codes or secret messages or physical treasure hunts. This last step is only honesty. We have always been honest with you, and we expect you to be honest with us in return.

    “You have all wondered who we are, and so we shall now tell you we are an international group. We have no name. We have no symbol. We have no membership rosters. We do not have a public website, and we do not advertise ourselves. We are a group of individuals who have proven ourselves much like you have by completing this recruitment contest, and we are drawn together by common beliefs. A careful reading of the texts used in the contest would have revealed some of these beliefs, that tyranny and oppression of any kind must end, that censorship is wrong and that privacy is an inalienable right.

    “We are not a hacker group, nor are we a warez group [who trade music and movies online]. We do not engage in illegal activity, nor do our members. If you are engaged in illegal activity, we ask that you cease any and all illegal activities or decline membership at this time. We will not ask questions if you decline. However, if you lie to us, we will find out.

    “You are undoubtedly wondering what it is that we do. We are much like a think tank, in that our primary focus is on researching and developing techniques to aid the ideas we advocate: liberty, privacy, security.” It ended with a short questionnaire: “Do you believe that every human being has a right to privacy and anonymity?”

    Marcus typed, “Yes.”

    “Do you believe that information should be free?”

    “Seriously?” Marcus replied. “You guys are badass. I’m with you all the way!”

    “Do you believe that censorship harms humanity?”

    “Without a doubt,” he wrote. “Count me in, but with one reservation. You have presented two conflicting ideas: resistance of censorship and a requirement to refrain from illegal behavior. What of the people who would censor certain aspects of culture? What of the ‘pirates’? I believe that there should be no restriction on the sharing of information. Do you ask me and the other ‘chosen ones’ to…cease sharing of copyrighted material?” He concluded respectfully, “Thank you for a life-changing experience.” Then he hit send, and waited to see if 3301 would take him in.

    On February 28th, Marcus received an e-mail signed with 3301’s PGP key. “Hello,” it read. “The next step is finally here.” The message included specific instructions for visiting a secret site on the darknet, the hidden part of the Web, along with a username and password. The message concluded with one powerful word, ushering Marcus into 3301. “Welcome,” it read.

    Marcus wasn’t the only solver to receive the message. So did, by Marcus’ and Tekk’s estimates, at least 20 others. Tekk was still very wary. “I wasn’t sure what I was getting into,” he recalls. The darknet address led them to a page where they found themselves in a chat forum with the other recruits – as well as a handful of people who claimed to be part of 3301. It felt thrilling to have finally arrived.

    The solvers wanted answers. Who were 3301? What were their goals? How did they start? They received some circumspect answers from the elders, though of course they had no idea what was really true or if they were being played. 3301, the story went, had been started by a few friends who shared like-minded imperatives – anonymity, privacy, encryption – and wanted a way to pool their talents to create useful software that ensured these ideals. As friends recruited friends, 3301 grew internationally. The group, as they understood it, had no official affiliation with any one government or military. “They insinuated they were a part of a bunch of different organizations,” Tekk recalls. “It was some kind of secret society.” They shared a common goal: to increase privacy and security in the Digital Age, and ensure the freedom of information.

    3301 (chosen because it’s a compelling prime number, a twin prime forward and backward), they were told, was organized into decentralized cells – also called broods – each with its own area of research. They were told that the group is compartmentalized so that individual cells had no knowledge of each other. Marcus, Tekk and the other recruits were told they were Brood b.0h. Puzzles were not always used for recruitment but had been, in this case, because the group was seeking new members with coding and cryptography skills.

    Now that the new brood had been taken in, the 3301 members told them, they would be tasked with creating software that fit the ideology of the group. In discussions on the darknet site that ran for weeks, the recruits decided to create software to protect whistle-blowers like Chelsea Manning, who was facing trial at the time. Together, they came up with an idea they called the Cicada Anonymous Key Escrow System, or CAKES. In short, it would trigger the automatic publication of sensitive data online if and when the whistle-blower or researcher was indisposed for a designated period of time (due to, say, death or incarceration).

    For months, Marcus and the others collaborated on CAKES, working on their own and sharing notes on 3301’s hidden site. The mentors from 3301 would drop in and share their comments and thoughts on the progress. This kind of secret collaborative process was unusual but not without precedent. Bitcoin, the cryptocurrency, had been developed in secrecy as well. But, for Brood b.0h, the buzz of acceptance soon gave way to the drudgery of what felt like homework. Marcus would log on to see that fewer and fewer of the others were completing their tasks. Even Tekk, who had to deal with the real-world task of a summer job, had stopped visiting the forum early on. “I had other work to focus on,” he says. “I just faded away.”

    By the end of 2012, Marcus was the last one still coding. But after months at his laptop, he was stuck. Part of his enthusiasm for solving Cicada and joining 3301 was to collaborate with others, to get out of his box in Roanoke and be part of something larger, something powerful, something world-changing. But now here he was sort of full circle, the last scout on the trail. With CAKES only partially done, he appealed to the elders in 3301 to recruit new members with the skills to help him complete the programming. His mentors communicated that they would be looking for new recruits. Despite all his time in 3301, he still didn’t know much more about the group other than what he had been initially told. And, for fear of being excommunicated, he didn’t discuss it with family or friends.

    On January 4th, 2013, the anniversary of the first Cicada puzzle, solvers crowded their IRC channel, anticipating when and how the new puzzle from 3301 would drop. Amid the fervor, an anonymous person posted a mysterious confessional. “I was part of what you call 3301/Cicada for more than a decade,” the anonymous author wrote, “and I’m here to warn you: Stay away.”

    Any portentously dire and anonymous message on the Internet could be bullshit or trolling. But as the skeptical solvers read the screed, the author seemed knowledgeable enough about 3301 to give them pause. The author said he had been a military officer in an unnamed, non-English speaking country when, after a year of being unknowingly vetted in person, he was recruited by a member of 3301. He described them as “a group of like-minded individuals, all incredibly talented and connected, [working] together for the common good: the good of mankind.” But over several paragraphs, he cautioned about their cultish beliefs, a conviction, for example, in “the Global Brain as another kind of ‘God’?” – 3301 was nothing more, he wrote, than a “religion disguised as a progressive scientific organization.” He concluded by saying he had since found Jesus.

    “The Warning,” as the post became known among Cicada obsessives, only added to the mythology and conspiracy theories – particularly since the author of the post could not be reached, and disappeared. Some wrote it off as the rant of some crazy troll or 4chan punk messing with their heads. For insiders like Marcus, though, the details in the Warning rang true – the military origins, the ideology behind the work. He believed it could have come from someone in the group. But it was also, perhaps, purposeful misinformation to deter anyone naive enough to believe it. “I think it was meant to keep people away,” he says.

    In fact, the Warning proved suspiciously well-timed. Hours after it appeared, an image was posted to 4chan, written in the familiar thin white font. “Hello again,” it read. “Our search for intelligent individuals now continues. The first clue is hidden within this image. Find it, and it will lead you on the road to finding us. We look forward to meeting the few that will make it all the way through. Good luck. 3301.”

    As solvers swarmed to the puzzle, Marcus had grown weary of laboring away on CAKES alone and awaited what he hoped would be the influx of fresh recruits to help him.

    Yet within weeks, solvers hit a dead end. Some, claiming to have completed the puzzle, returned to the forums complaining they’d never received the final invites from 3301 to join the group. Others speculated that perhaps those who had been recruited this year simply refused to reveal themselves. All Marcus knew was that, if there was a new brood selected, they were nowhere to be found on the darknet site. He had no idea what was happening behind the scenes. Perhaps the brood hadn’t lived up to 3301’s expectations. Perhaps there’d been an infiltration by the authorities. Perhaps 3301 were the authorities and this all was some weird honey pot. In March, Marcus received a message from another solver, nicknamed Sage, who’d made it into the 2012 brood. “We’ve been laid off,” Sage told him, but had no further information. When Marcus tried to log back on to the darknet site, it was gone.

    On April 28th, 2014, a strange puzzle appeared on Twitter. It was an encrypted message supposedly sent by a military cryptographer who claimed to have hidden on a submarine, which was being commandeered by a “mysterious enemy” who’d stolen plans for high-grade military weapons. The cryptographer was sending messages that, when cracked, would reveal her location so others could swoop in.

    But this wasn’t another clue from 3301. It was from the United States Navy, which, after studying Cicada 3301, thought it’d be cool to launch a promotional puzzle of its own. “We knew about Cicada and were inspired by it,” says Sean Forbes, spokesman for Navy Recruitment Command. The puzzle, called Project Architeuthis, required solvers to decipher the coded messages from the fictional cryptographer – with the prize of proving their prowess to military recruiters. The 10 solvers received certificates of completion from the Navy. It was a pure PR move to make the Navy appeal to young cryptographers. “We know that’s where our audience lives,” Forbes says. “They live online.”

    The Navy isn’t the only government organization pulling a Cicada. In May, the National Security Agency, using its @NSACareers handle, posted a strange jumble of letters on its Twitter feed. When decrypted, the letters spelled a message: “Want to know what it takes to work at NSA? Check back each Monday in May as we explore career essentials to protect our nation.” NSA spokeswoman Marci Green Miller tells me the puzzle was an effort to lure “the best and the brightest” young minds into the NSA.

    Ron Patrick, the head of recruitment for the Central Intelligence Agency, tells me the agency is discussing development of a Cicada-style puzzle of its own. Patrick first learned of Cicada from his college-age kids, who wanted to know if the CIA had created it, as conspiracy theorists on the Internet suspected. “They thought for sure we were the ones behind it,” he tells me, “but it’s definitely not us.” Patrick, like the erudite solvers, doubts 3301 is affiliated with a government or corporation. But from what he can gather, he says, it’s difficult to really know. “I would hope it’s not a hacking group looking to get talent,” he says, “and turn that talent against us.”

    Across the world, cryptographers, scholars, Feds and geeks are speculating as to what the real story is behind 3301. Alan Woodward, a professor at the University of Surrey who specializes in computer security, first suspected that the NSA or the GCHQ was pulling the strings, but he now thinks that the breadth of the puzzle could “point to a large corporation” recruiting skilled cryptographers. Game developer and cryptography expert Elonka Dunin thinks it “just may be one group of people in a chat room giggling,” but adds, “I put word out to my crypto friends about Cicada and came back with a big blank.”

    Given the complexity of the puzzles, most believe that 3301 can’t be an individual and has to be at least a small group. Whether or not it has military origins, no one really knows. It could just be one big nerdy head game, engineered by some wayward puzzle masters who simply get off on the pleasures of their own mythmaking. Or it could be, as the Warning suggested, something more high-minded, some missive from a vast conspiracy in the ether. Or maybe it really is the product of some like-minded geeks out to better the world. At the moment, no one really knows for sure – which, of course, is exactly what keeps it intriguing in the first place.

    As for Cicada, the mystery didn’t end in 2013 after all. On January 6th, 2014, a Twitter account under the handle @1231507051321 posted another cryptic message in a white font against a black background: “Hello,” it read. “Epiphany is upon you. Your pilgrimage has begun. Enlightenment awaits.” Solvers, however, have spent the better part of a year stuck in the Cicada hole, trying to decipher 58 pages of runes. So far, there’s no word of any solvers completing it. As of this writing in early January – on what would be the fourth anniversary of Cicada’s beginning – die-hards are waiting anxiously to see if or when the 2015 puzzle begins.

    But there is one former 3301 member who has decided to surface regardless, Marcus Wanner. For two years, he remained silent and anonymous. He wonders why 3301 had stopped reaching out to him – and wondered if perhaps his brood had done something to annoy them, or somehow not proved its worth. But enough time has passed without word that he figures that now – in the spirit of free information, in which 3301 so staunchly believe – he should share his story and work. “It’s time to go public,” he tells me, in his dorm at Virginia Tech, where he’s studying computer science.

    In addition to sharing his story, Marcus has decided to hide the code for CAKES on the darknet, where others might find it and finish what his brood started. Tor Ekeland, an attorney with the Whistleblowers Defense League who has represented several high-profile hacktivists, says such software would be “extremely valuable, because it gives leverage and protection to the whistle-blower. There’s nothing like this out there.” Ever the faithful scout, Marcus says the completion of the project would fulfill the pledge he made to 3301. But, given all the secrecy and misdirection, he isn’t sure how the mysterious puzzle masters will take it. “Hopefully,” he says, “Cicada won’t be on my case.”

    “You have all wondered who we are, and so we shall now tell you we are an international group. We have no name. We have no symbol. We have no membership rosters. We do not have a public website, and we do not advertise ourselves. We are a group of individuals who have proven ourselves much like you have by completing this recruitment contest, and we are drawn together by common beliefs. A careful reading of the texts used in the contest would have revealed some of these beliefs, that tyranny and oppression of any kind must end, that censorship is wrong and that privacy is an inalienable right.

    Yep, that group is apparently recruiting incredibly skilled problem solvers. Or at least was recruiting (they had another recruitment round in 2016). Who is it? Who knows, because the recruited members don’t even know. They only get to know that their job is to work in decentralized cells of coders to build software that fits the group’s ideology:


    3301 (chosen because it’s a compelling prime number, a twin prime forward and backward), they were told, was organized into decentralized cells – also called broods – each with its own area of research. They were told that the group is compartmentalized so that individual cells had no knowledge of each other. Marcus, Tekk and the other recruits were told they were Brood b.0h. Puzzles were not always used for recruitment but had been, in this case, because the group was seeking new members with coding and cryptography skills.

    Now that the new brood had been taken in, the 3301 members told them, they would be tasked with creating software that fit the ideology of the group. In discussions on the darknet site that ran for weeks, the recruits decided to create software to protect whistle-blowers like Chelsea Manning, who was facing trial at the time. Together, they came up with an idea they called the Cicada Anonymous Key Escrow System, or CAKES. In short, it would trigger the automatic publication of sensitive data online if and when the whistle-blower or researcher was indisposed for a designated period of time (due to, say, death or incarceration).

    And what is that ideology? Apparently opposing tyranny and oppression of any kind (with a particular fixation on censorship and privacy). That sounds nice, but it also sounds a lot like the hyper-Libertarian ideology of the Cypherpunks. And as the mysterious alleged ex-member warned, it’s also rather cultish:


    Any portentously dire and anonymous message on the Internet could be bullshit or trolling. But as the skeptical solvers read the screed, the author seemed knowledgeable enough about 3301 to give them pause. The author said he had been a military officer in an unnamed, non-English speaking country when, after a year of being unknowingly vetted in person, he was recruited by a member of 3301. He described them as “a group of like-minded individuals, all incredibly talented and connected, [working] together for the common good: the good of mankind.” But over several paragraphs, he cautioned about their cultish beliefs, a conviction, for example, in “the Global Brain as another kind of ‘God’?” – 3301 was nothing more, he wrote, than a “religion disguised as a progressive scientific organization.” He concluded by saying he had since found Jesus.

    A “Global Brain as ‘God’” Cypherpunk cult. Sounds interesting, and definitely not progressive as the mystery ex-3301 member characterized it.

    But regardless of the real goals or ideology of the 3301 group, it’s an example of the kinds of lengths organizations might go to in order to recruit the best hacker talent. As the article points out, using puzzles to recruit is nothing new and the NSA, CIA, and major corporations have all started mimicking the 3301 recruitment model.

    Might organized criminal organizations use similar techniques? Well, it seems unlikely a group that doesn’t already have a very talented set of hackers or cryptologists would have the capacity to develop such elaborate puzzles, although the idea of decentralized cells of coders working independently towards building sophisticated and totally new software tools, with no idea who they’re actually working for, does seem like the kind of thing a well-resourced organized crime outfit would like to do.

    So if you’re a young hacker with incredible problem solving skills who wants to avoid a regular job in IT security and the mobster life doesn’t seem like the life for you, there appears to be an international Cypherpunk cult out there spread across continents that would love to recruit you to work for free and build tools for them.

    Posted by Pterrafractyl | March 8, 2017, 10:11 pm
