

Time for Internet Engineers to Fight Back Against the “Surveillance Internet” - kshatrea
http://www.technologyreview.com/view/521306/time-for-internet-engineers-to-fight-back-against-the-surveillance-internet/

======
selmnoo
I want to reiterate one line of thought that's been seen here before but bears
repeating: you should not give your data to Google, Facebook, or any other
commercial entity just as much as you don't want NSA to have it. While NSA may
have political motives and thus may use illegally obtained information for
political ends, Facebook et al. could use it for reasons that serve their
economic gain. That's a conclusion that's just as undesirable (if not moreso)
than NSA using it.

I don't see a very good future of fighting the 'surveillance internet' if we
don't face the notion that once data is out there -- of lots of people, in one
place -- NSA will always be interested in it and will probably get it.
Pragmatically speaking, pulling out of Facebook, Google, etc. is the only
surefire way to fight the surveillance internet.

~~~
spindritf
Does Google kidnap people? Confiscate their equipment? Harass travellers at
the airports? Send IRS after their competition? No?

Can Facebook maybe deny me a business license? Cancel my passport? Is there a
Facebook commando that would break down my doors if I did something Mark
Zuckerberg didn't like? No?

Can we then stop pretending like corporations and governments play even
remotely in the same league?

What can Google actually do? Target me with ads? I won't so much as see them.

And I don't use facebook, it barely raises an eyebrow. I couldn't _try_ that
with a national ID because I wouldn't be able to do anything.

~~~
Nursie
>> What can Google actually do?

Give everything to the NSA, IRS or anyone else that asks.

~~~
hfsktr
Wouldn't the upside be that at least they'd have to ask? Just saying there is
a difference even if they get the data either way. Well, there should be at
least.

~~~
sp332
Did you miss the recent news about the NSA tapping Google's internal server-
to-server communications in real time? They don't have to ask anymore.

Edit: this one
[https://news.ycombinator.com/item?id=6680763](https://news.ycombinator.com/item?id=6680763)

~~~
wooter
and that is the purpose of the Constitution. Eventually, governments can force
their way into anything. Which is why the Fourth Amendment is so explicit.
They are breaking the law.

A few months ago they were using the "metadata" argument. Where are the
prosecutions now that thats obviously BS?!

------
smackay
There are plenty of ideas for addressing the surveillance problem but perhaps
it is time to take a step back and look at the "big picture". In any conflict,
no matter how big or small, there is considerable advantage in having advance
knowledge of your opponent's intentions. In military conflicts the invention
of telegraph, radio, aircraft and satellites has more or less solved the
problem with blindly marching into an area and getting annihilated. Nobody
ever suggested that these technologies should be banned in order to create a
level playing field.

It is going to be the same patttern with all forms of electronic
communication. The spectre of weapons of mass destruction (anything that can
kill more than one person at a time) is the justification/motivation for
government and law enforcement to monitor everything online. Whether it has
merit is kind of besides the point. It is an advantage, perceived or
otherwise, that is not going to be given up, under any circumstances.

Another part to this is whether conspiring online actually constitutes a
crime. People can chat all day about terrorist plots but until someone
actually goes out and starts building a bomb or procuring weapons has a crime
really taken place? Only when a society can decide on the answer to this
question will it be possible to address online surveillance.

~~~
tokenizer
> _There are plenty of ideas for addressing the surveillance problem but
> perhaps it is time to take a step back and look at the "big picture"._

The "big picture" for me are the effects of the loss of privacy. What was once
one of the most horrendous forms of punishment/torture, is now mainstream.
Also, this only gives more power to already too powerful of people (you
already mentioned the nukes). I think we've already proven we don't need mass
surveillance to not blow ourselves up.

> _Another part to this is whether conspiring online actually constitutes a
> crime._

""To be classified as a crime, the act of doing something bad (actus reus)
must be usually accompanied by the intention to do something bad (mens rea),
with certain exceptions (strict liability)."" \-
[http://en.wikipedia.org/wiki/Crime](http://en.wikipedia.org/wiki/Crime)

In other words, it's up to the most powerful, who are also in control of the
surveillance to decide this, not us. Also, the "big picture" issues here
aren't really surveillance itself, but MASS surveillance, SECRET courts, and
CLASSIFIED evidence.

------
logn
I think the best approach is P2P decentralized and mesh-networked apps running
locally, licensed under the Affero GPL. That way there is no profit (or gov't)
center which can collect data. And any user with the app can get the source
code (per the Affero GPL). Developers can monetize their apps either with paid
support/development services or by accepting cash (in lieu of a 'proof of
work' by solving hashes) to be let on the mesh networks for their apps.

~~~
mark_l_watson
+1 mesh networks are important for future privacy and security (e.g., after
Huricane Sandy, mesh networks helped people communicate.)

I would give you another +1 for mentioning the AGPL, if I could.

------
dil8
While is support premise of the article, I have difficulty in accepting the
fact that our democratically elected and funded government will continue to
spy on us and is beyond our control.

~~~
bediger4000
What, exactly, makes you think the government is democratically elected?

I mean, if the NSA/CIA/FBI can get away with this kind of surveillance, and
seeing the scope of "Tailored Access", why wouldn't they have rigged the last
few elections, too? Clearly the security around voting machines isn't nearly
as tight as that of Level 3,

~~~
malandrew
Good essay about this in the Atlantic recently.

[http://www.theatlantic.com/politics/archive/2013/11/the-
surv...](http://www.theatlantic.com/politics/archive/2013/11/the-surveillance-
state-puts-us-elections-at-risk-of-manipulation/281232/)

------
diafygi
FYI, you can start helping right away! There's the Aaron Swartz Memorial
Hackathon starting tonight that has topics focusing on privacy and anonymous
publications.

[https://www.noisebridge.net/wiki/Worldwide_Aaron_Swartz_Memo...](https://www.noisebridge.net/wiki/Worldwide_Aaron_Swartz_Memorial_Hackathon_Series)

------
unclebucknasty
While we are playing cat-and-mouse with our own government, why don't we also
make the NSA's activities illegal and/or enforce existing laws which already
state as much?

Articles like these presume that it is OK for the government to access
whatever it can technically get its hands on, in spite of Constitutional
constraints and laws that do or should state otherwise.

~~~
ywyrd
Because that amounts to leaving a note in the cookie jar that says we really,
really promise not to take any cookies unless we absolutely need to.

~~~
unclebucknasty
Do you really believe that it is wise to treat our government as a virus
writer and put ourselves in the position of antivirus software writers? Do you
want them in the exploit business while we, the citizenry, resolve to simply
apply patches? Do you really want them to have legal carte blanche to use
their unlimited resources (including your own tax dollars) to do as they
please, then scurry off to try to erect some defense against whatever you
_think_ they are doing next?

When the NSA approaches Google, I want Google's General Counsel to deny the
request with solid legal standing. Likewise with backbone providers and on
down the line.

We are either a nation of laws or we're not. Our government is either beholden
to those laws or they are not. Had we the proper laws and commitment to our
Constitution, then Snowden's revelations would have resulted in trials and
prosecutions. Instead, too many seem to be ceding to the government the right
to surveil its citizens with impunity, and are instead focusing on technical
defenses against their own government.

It's lunacy, and if the primary emphasis is not on legal redress, then we have
already lost.

~~~
swombat
In case you didn't get the news, the NSA already does not bother to approach
Google. They just install secret taps on Google's private lines between data
centres, and siphon off all the replication traffic.

The NSA is a rogue agency that does not respect laws (or reinterprets them as
they see fit). Going through the legal process to shut it down is certainly
worthwhile, as is throwing its criminal elements in jail, particularly those
that are happy to lie in congress.

However, the reality is that a rogue agency can evolve in the dark corners of
the government, and that therefore it is likely that it will happen again. And
even if it never happens in the US again, there are other countries out there,
you know?

A strong technological solution that makes large-scale snooping impractical is
a sine-qua-non no matter what happens on the legal side.

~~~
unclebucknasty
> _In case you didn 't get the news, the NSA already does not bother to
> approach Google..._

I got the news. They approach Google AND they plug into private lines. The
latter case is what I referred to when I mentioned "backbone" providers.
Again, I want any private entity to have legal standing to refuse NSA
requests.

> _The NSA is a rogue agency that does not respect laws (or reinterprets them
> as they see fit)_

I agree that if an agency goes rogue, then laws are only retroactive. That is,
laws provide a penalty that is triggered only after an offense has occurred.
But, _clear_ (i.e. not ambiguous) laws with clear penalties can be a powerful
deterrent. Whistle-blowers like Snowden are then empowered to stop abuses and
illegal activity. They are automatically branded as heroes instead of traitors
who must flee the country or worry for their safety. As it is, the good guys
like Snowden are being put on the wrong side of the law and vice-versa. This
must change.

> _However, the reality is that a rogue agency can evolve in the dark corners
> of the government, and that therefore it is likely that it will happen
> again._

That's true and always has been. But, we don't just say "well, laws will be
broken, so let's not bother having them". It's really the entire point: to
prescribe what is acceptable behavior and provide penalties for violations.

> _A strong technological solution that makes large-scale snooping impractical
> is a sine-qua-non no matter what happens on the legal side._

We actually agree to some extent. I don't advocate that we not implement
technical measures. Where we depart is on priority. The wording of your last
sentence signals this departure. I would flip "technical solution" with "legal
side".

Ultimately, if the emphasis is on technical solutions, then we will all be
pwned with impunity. Period. Are you going to write your own firmware?
Manufacture your own chips? Are you going to personally write all of the
security and other endpoint software in your stack, including the OS? Even if
you did, would you be able to guarantee zero vulnerabilities in your own code?

Checking rogue agencies, providing more oversight and enforcing clear laws are
the only way out. Technological solutions are but a backstop that we hope will
provide us with some defense in the event that a rogue agency goes undetected
for some period.

~~~
swombat
I agree with your response on the whole, but one point is worth quibbling
with:

> _I got the news. They approach Google AND they plug into private lines. The
> latter case is what I referred to when I mentioned "backbone" providers._

As far as I understand, these were not lines provided by "backbone providers".
These were private lines laid and paid for and owned by Google. There was no
third party who bent - Google got pwned directly, in secret, with impunity.

------
PakG1
I understand that these guys are different from a random group of guys part of
Anonymous or something like that, but still, is this comment relevant at all
to the situation? As in, is the end result inevitable?

[https://news.ycombinator.com/item?id=4100100](https://news.ycombinator.com/item?id=4100100)

------
001sky
_“Fundamentally, surveillance is a business model of the Internet. The NSA
didn’t wake up and say: ‘Let’s just spy on everybody, it said: ‘Wow,
corporations are spying on everybody, let’s get ourselves a copy,’ ”_

~~~
001sky
[http://paulgraham.com/say.html](http://paulgraham.com/say.html)

~~~
0xdeadbeefbabe
What a divisive essay. Thanks :)

------
ihsw
It would be interesting to see Glenn Greenwald's new media organization take
to being TOR-only and financed only by BTC.

------
mtgx
There are ways to make the Internet much more secure than it is today, and
implement them _tomorrow_ , with existing protocols and encryption methods.
It's just a matter of browser vendors, hosting companies and websites agreeing
to do it.

That being said, I hope IETF starts working on a new highly secure Transport
layer protocol to replace TCP, within the next 5 years, and I hope they use
Dan Bernstein's CurveCP [1] for inspiration.

We need the Internet encrypted and secure _by default_ , and I don't care what
Google or other advertising companies have to say about it. Adapt or die.
Security of the web and the protection of the human right to privacy is way,
way more important in my book. If they choose to fight such a move, instead of
adapting and actually supporting it, then they will have become the _enemy_ ,
and they'll end up on the wrong side of history.

So IETF's goal should be to get everyone to switch to these more secure,
already existing protocols, and implement them within a year, or two at most.

In the meantime work on replacing TCP within the next 5 years, and also think
about ways to create a new secure-by-default and easy to implement, IP-level
protocol, to be used within 10-15 years.

If we are to "take the Internet back", then it needs to stop being such an
easy tool for mass surveillance, so in a way, we need to replace all of its
insecure parts.

[1] - [http://curvecp.org/](http://curvecp.org/)

------
rgbrgb
Don't hide, you're beautiful.

