As everyone should know by now, not quite two weeks ago the latest nugget from Edward Snowden via Glenn Greenwald and co-authors was revealed, and was that the NSA and its UK counterpart the GSHQ “have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails.” The measures used to accomplish this include covertly controlling the setting of encryption standards, more powerful brute force code-cracking, and inserting backdoors into commercial encryption software.
This is very bad, and has led more than one observer to declare that the internet as we know it is dead as a secure medium of communication. That of course leads to the question of what is to be done about it.
One might ask first if it is possible for the NSA to be reformed so that it stops doing such things. To me it appears that the domestic anti-surveillance movement, which looked so promising in late July and early August, is now effectively dead, or at best left to Republicans to mold in accordance with their interests.
That is to say, President Obama proposed that Congress approve a measure he cannot have believed they would, to go to war in Syria, and many progressives responded by dropping everything other than organizing opposition to the war (at times accusing those who declined to follow them of insensitivity to human life), so that any action against the NSA surveillance was put on hold.
True, there is a national protest against the surveillance scheduled for October 26 in Washington, sponsored by the coalition StopWatching.Us, composed of Restore the Fourth, Electronic Frontier Foundation, Fight for the Future, and other organizations. However, in the first place, that date (chosen because it is the anniversary of the Patriot Act) is rather far off. Secondly, the organizers are speaking in terms of “thousands, not hundreds” of protestors. That is, they are not speaking in terms of hundreds of thousands, which is what is needed for a protest to get any appreciable attention on a national scale.
The situation might be better at the international level. In a post a few days ago I noted some developments in Brazil and in Europe, of which the former seems the most promising. President Dilma Rousseff has demanded a meaningful explanation of the recently revealed extensive NSA snooping into her country’s affairs, and threatens to cancel her state visit to the US next month if she does not get it. Other public figures there have spoken in terms of excluding the US from some important commercial transactions.
Yet at this writing the US has evidently not responded beyond some rhetorical gestures, whereas Rousseff has other problems in the country (such as sustained anti-government protests in Rio de Janeiro) that she might ultimately decide have greater priority.
So given the possibility or probability that the spying is going to be left as it is, or perhaps will get even worse, what do we do?
One answer, or at least the outline of one, is given by Rick Falkvinge, the founder of the first of the up-and-coming European Pirate Parties. In an article apparently written on September 12 (that is when its comments thread begins), he avers that the internet must be rebuilt from scratch. As he explains the situation,
When you are going to a website that bills itself as secure, it uses a so-called “security certificate”. Such certificates on the web serve two purposes. One, they encrypt the session between your computer and the web server, so nobody else can listen in, and two, they identify the web server you are talking to and tell you whose web server it is. When you log onto your bank, you will see a little padlock next to the bank’s name in the address bar. The NSA and their ilk have effectively negated both of these security mechanisms.
That is to say, the NSA can, among other things, forge a security certificate and thus impersonate the site you are accessing, thus inserting itself at will into your interactions with that site. This happened in one case of a so-called “man in the middle” attack, where the NSA impersonated no less than Google.
This means that the existing internet is not secure, period, even though people think it is and are thus careless, and that the new one must have a means of providing security certificates that cannot be forged. Falkvinge has one technical suggestion for how to do this that you can read, but allows that there night be others.
To me the question arises here: How in practice is such a new internet going to come about? That is, who is going to set the protocols on such issues as ensuring that security certificates cannot be forged, who is going to build whatever hardware is needed, and where is all this going to happen?
With that question in mind, we can consider another vision, which is offered from the standpoint that the issue is what is actually going to happen naturally. Last Friday the Executive Chairman of Google Eric Schmidt spoke at a forum and suggested that what is going to happen as a result of the surveillance, or of the publicity about it, unfortunately in his view, is that in effect there will be several internets.
The real danger [from] the publicity about all of this is that other countries will begin to put very serious encryption – we use the term ‘balkanization’ in general – to essentially split the internet and that the internet’s going to be much more country specific. That would be a very bad thing, it would really break the way the internet works, and I think that’s what I worry about. There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgment on that, it’s the nature of our society.
If we focus on the prediction here rather than the apologetic attitude toward surveillance, we can see that it has some plausibility. As countries work toward better encryption to defeat US surveillance they will be more inclined to let their own citizens in on the finished product than those of other countries, thus leading to the Balkanization.
One new internet or several of them? That might well be the question. My suggestion is that if the second possibility is to be avoided, those who want the first and have the technical ability to implement it (probably residing in Western Europe) had best get started.
Photo by Poster Boy NYC released under a Creative Commons license.