The US government has betrayed the Internet. We need to take it back

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

The US government has betrayed the Internet. We need to take it back

The NSA has undermined a fundamental social contract. We engineers built the
Internet – and now we have to fix it

Bruce Schneier

The Guardian, Thursday 5 September 2013 20.04 BST

Internet business cables in California.

'Dismantling the surveillance state won't be easy. But whatever happens,
we're going to be breaking new ground.' Photograph: Bob Sacha/Corbis
Government and industry have betrayed the Internet, and us.

By subverting the Internet at every level to make it a vast, multi-layered
and robust surveillance platform, the NSA has undermined a fundamental social
contract. The companies that build and manage our Internet infrastructure,
the companies that create and sell us our hardware and software, or the
companies that host our data: we can no longer trust them to be ethical
Internet stewards.

This is not the Internet the world needs, or the Internet its creators
envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires
political intervention.

But this is also an engineering problem, and there are several things
engineers can – and should – do.

One, we should expose. If you do not have a security clearance, and if you
have not received a National Security Letter, you are not bound by a federal
confidentially requirements or a gag order. If you have been contacted by the
NSA to subvert a product or protocol, you need to come forward with your
story. Your employer obligations don't cover illegal or unethical activity.
If you work with classified data and are truly brave, expose what you know.
We need whistleblowers.

We need to know how exactly how the NSA and other agencies are subverting
routers, switches, the Internet backbone, encryption technologies and cloud
systems. I already have five stories from people like you, and I've just
started collecting. I want 50. There's safety in numbers, and this form of
civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the Internet to
prevent this kind of wholesale spying. We need new techniques to prevent
communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open
protocols, open implementations, open systems – these will be harder for the
NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards
that make the Internet run, has a meeting planned for early November in
Vancouver. This group needs to dedicate its next meeting to this task. This
is an emergency, and demands an emergency response.

Three, we can influence governance. I have resisted saying this up to now,
and I am saddened to say it, but the US has proved to be an unethical steward
of the Internet. The UK is no better. The NSA's actions are legitimizing the
Internet abuses by China, Russia, Iran and others. We need to figure out new
means of Internet governance, ones that makes it harder for powerful tech
countries to monitor everything. For example, we need to demand transparency,
oversight, and accountability from our governments and corporations.

Unfortunately, this is going play directly into the hands of totalitarian
governments that want to control their country's Internet for even more
extreme forms of surveillance. We need to figure out how to prevent that,
too. We need to avoid the mistakes of the International Telecommunications
Union, which has become a forum to legitimize bad government behavior, and
create truly international governance that can't be dominated or abused by
any one country.

Generations from now, when people look back on these early decades of the
Internet, I hope they will not be disappointed in us. We can ensure that they
don't only if each of us makes this a priority, and engages in the debate. We
have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that
engaged in mass surveillance of its own citizens voluntarily given up that
capability? Has any mass surveillance country avoided becoming totalitarian?
Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the
engineering is critical. We need to demand that real technologists be
involved in any key government decision making on these issues. We've had
enough of lawyers and politicians not fully understanding technology; we need
technologists at the table when we build tech policy.

To the engineers, I say this: we built the Internet, and some of us have
helped to subvert it. Now, those of us who love liberty have to fix it.

• Bruce Schneier writes about security, technology, and people. His latest
book is Liars and Outliers: Enabling the Trust That Society Needs to Thrive.
He is working for the Guardian on other NSA stories

Nonsense. This is not a technical issue, it's a socio-political issue. It’s both naive & distracting to try & solve this set of problems with code and/or silicon, when it must in fact be addressed within the civic arena.

There are no purely technical solutions to social ills. Schneier of all people should know this.

I believe you are correct, whatever technical hurdles we put in place will be overcome by policy. As long as you can legally require me to make my network intercept able for "lawful" purposes and are able to prevent me from explaining these purposes to my users any security that I would put in place is effectively neutered.

I give up trying to resist, I am now firmly in the tin foil hat club.

Sam

We engineers built the Internet – and now we have to fix it

There are no purely technical solutions to social ills.

no. there are many issues in many arenas. but we are responsible for
cleaning up our side of the street.

randy

That and ignoring it will only continue to affect the code/silicon arena.
Social problems are always affected by who throws the biggest fit.

Who's going to pay for the cleanup? The same people who are/were paid to
create the mess? Clearly many of the "tin foil hat" theories are now
becoming common place. I really don't know if there is any way out of this
stateside, it's legislated.

We need to think bigger than "whatever it takes to get along to the end of the quarter....:

The US government has betrayed the Internet. We need to take it back

Who is we ?

-J

The US government has betrayed the internet. We need to take it back | Bruce Schneier | The Guardian
>
> The US government has betrayed the Internet. We need to take it back
>

Who is we ?

If you bothered to read the 1st paragraph you would know.

From: Sam Moats [mailto:sam@circlenet.us]

I give up trying to resist, I am now firmly in the tin foil hat club.

And therein lies the problem.

Its like you have to abandon USA based encryptation systems that are
closed source. But I dunno, maybe open source solutions can have
problems.

http://xkcd.com/221/
http://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL

I think the encryptation world will think about this, and will
recommend a group of products (like PGP) that are almost sure safe.

The NSA can spy on underwater internet cables, but they can't abolish
Math. If you have a encryptation system that is not backdoored and is
cryptographically strong enough the NSA or anyone will have a hard
time to uncover your secrets.

> The US government has betrayed the Internet. We need to take it back

> >
>
> Who is we ?

If you bothered to read the 1st paragraph you would know.

I read all of it, the original article and other references to it.

IMHO, there is no amount of engineering that can fix stupid people doing
stupid things on both sides of the stupid lines.

By trying to fix what is perceived an engineering issue (seems that China
doing the same or worse for many years wasn't an engineering problem) the
only result you will obtain is a budget increase on the counter-engineering
efforts, that may represent a big chunk of money that can be used in more
effective ways where it is really needed.

My .02
-J

Yes but there is engineering to ensure that they have the opportunity
to do the right thing in the first place. If we (IETF) naively
engineer out the ability to have privacy, it doesn't matter if those
people are stupid or not.

So when do we riot? I've been waiting for months now.

I don't suggest a riot. I do believe in the rule of law, as a member of a democracy
I need to accept that I will not always agree with the laws that are enacted. If we
lived in China or somewhere else where there was no method to change laws that were
unfair or unjust then yea I would support the civil disobiedence approach whole heartedly

I do love my country, always have and I firmly believe in the concept of government
by the consent of the governed. These rules were made by the people we choose, perhaps
these were bad choices but they were are collective choices.

Perhaps we should educate our user base so that in the future they make better choices.
I suggest in an only half snarky way we just push out the standard DOD warning banner
to them all. Since it now seems to apply...

Below is a sample banner (IS is information System)

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.

Sam

I don't suggest a riot. I do believe in the rule of law, as a member of
a democracy
I need to accept that I will not always agree with the laws that are
enacted.

Well that's all nice and all, but what you're missing here is that this
has very little to do with "laws that are enacted". When an author of
the PATRIOT Act is filing amicus briefs indicating that the collection
of data being done is not what Congress intended, and when the
intelligence community is busy subverting the common definitions of words
so that they can bend a law that says one thing when read in plain
language but something very different when they use their own private
definitions, then we're pretty far outside the scope of "law."

We've been hearing for some years now that the way in which the PATRIOT
Act has been interpreted was alarmingly expansive. If you choose to
start redefining words, you can probably find a way to make the
Constitution say "every child has a right to a puppy." Doesn't actually
mean that it actually says that though.

Feingold must be having such an "I told you so" moment.

... JG

There's no legislation that says you're not allowed to enable OpenSSL
perfect forward secrecy on your website, and fix the layout so HTTPS Everywhere
is able to work on it.

The error in this whole conversation is that you cannot "take it back" as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a "social contract" to ensure that I do not run over squirrels with my Explorer, will they "take it back" if I do so? The whole "social contract" argument is ridiculous. You have a contract (or most likely an "at will" agreement") with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do.

In the United States there are two main centers of power that can affect these policies, the consumer and the voter.

1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).

2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.

3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.

If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another things to remember is that the NSA engineers were probably acting under their "social contract" to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the "right thing". The problem with "social contracts" is that they are relative.

As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China.

Steven Naslund
Chicago IL

+1 I couldn't have said it any better.
Sam

[snip]

1. We vote in a new executive branch every four years. They control and

appoint the NSA director. Vote them out if you don't like how they run
things. Do you think a President wants to maintain power? Of course they
do and they will change a policy that will get them tossed out (if enough
people actually care).

2. The Congress passes the laws that govern telecom and intelligence

gathering. They also have the power to impeach and/or prosecute the
executive branch for misdeeds. They will pass any law or do whatever it
takes to keep themselves in power. Again this requires a lot of public
pressure.

Historically speaking, I'm not convinced that a pure political solution
will ever work, other than on the surface. The need for surveillance
transcends both administrations and political parties. Once the newly
elected are presented with the intel available at that level, even their
approach to handling the flow of information and their social interaction
have to change in order to function.

Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's
a pretty quick read, with many layers of important observations. (It's
Mother Jones, but this content is apolitical):

I think that Schneier's got it right. The solution has to be both
technical and political, and must optimize for two functions: catch the bad
guys, while protecting the rights of the good guys.

When the time comes for the political choices to be made, the good
technical choices must be the only ones available.

Security engineering must pave the way to the high road -- so that it's the
only road to get there.

Royce