It has been nearly six months since government surveillance revelations from Edward Snowden began to be published in the Guardian, Washington Post, and other outlets. Snowden turned over as many as 200,000 classified documents to journalists, and they’ve revealed a myriad of intelligence-gathering tools and operations aimed squarely at our electronic lives, regardless of location, citizenship, activities, or legal status. And the hits keep coming: nearly every week sees new details published from Snowden’s cache, momentum that has stirred up many independent revelations. Some have been minor, but others — like PRISM, tapping internal network links at services like Google and Yahoo, and collecting location data on mobile phones worldwide — have been astonishing.
It’s easy to enjoy “Snowden schadenfreude.” (Or perhaps “Snowdenfreude?”) Who doesn’t like seeing the powers-that-be taken down a notch or two? It’s also easy to believe the ongoing scandals don’t matter to ordinary people. After all, who cares if the NSA knows about your online pizza order last Saturday?
The disclosures are clearly impacting government policy and diplomacy, but may also change the fundamental architecture of the Internet. A broad range of countries and companies are openly talking about forming isolated and compartmentalized networks to protect themselves (and their citizens) from surveillance regimes.
And that might break up the Internet.
It Just Works -- It seems obvious, but the Internet’s greatest strength is interoperability. If you can get an IP “dialtone” on any of the Internet’s 40,000+ networks, you can access any site, app, or service anywhere else in the world. Sure, there are practical concerns: you might not have much bandwidth, access might be expensive, your device or software may not be compatible, a site might be down or blocked, your connection might be unreliable, et cetera. But that fundamental interoperability is the heart and soul of why the Internet has become humanity’s dominant communications medium, and has made things ranging from smartphones to the Arab Spring possible.
This year’s mass surveillance revelations — and the legal frameworks behind them — may represent the biggest interoperability challenge the Internet has faced. Now, being part of the Internet community means being subject to monitoring by the Five Eyes — the intelligence agencies of the United States, the United Kingdom, Canada, Australia, and New Zealand — in addition to lawful intercept and domestic surveillance conducted by national and local governments. Countries can pass laws to monitor communications amongst their own people or within their own borders — most countries have — but those same countries almost certainly consider the activity of the Five Eyes an infringement on their sovereignty. And they’re not happy about it.
Slouching Towards Balkanization -- The human reaction to external threats is predictable: circle the wagons, bar the gates, hide the children, and raise the drawbridge. In the extreme, a country could block Internet access at its borders, creating a walled garden. Internet services would work domestically, but be disconnected from (or even incompatible with) the global Internet, keeping out the Internet’s broadest dangers and the Five Eyes.
Few nations would risk the economic damage that would come from disconnecting from the global Internet. A more realistic option is requiring Internet behemoths like Google, Facebook, Yahoo, Amazon, and Apple to locate services and store data within a country’s borders — where they would be subject to the country’s laws. The Five Eyes’ surveillance regime is effective because so much everyday Internet traffic is routed through data centers in North America and Europe — where major Internet companies are headquartered — and subject to those countries’ laws. As of January 2013, more than 100 countries had no domestic Internet exchanges, meaning they were entirely dependent on foreign services. Requiring major providers to locate data centers within a country’s borders means local traffic would stay local, theoretically beyond the reach of the NSA’s legal and clandestine tentacles into American companies.
It’s not a new idea. China mandates that Internet businesses comply with the censorship and data handover requirements of the so-called “Great Firewall.” It’s not just a pro-forma requirement: China has imprisoned a number of dissident bloggers, some on the basis of information turned over by Yahoo’s Chinese subsidiary, and in 2010 Google moved its Chinese search engine from Beijing to Hong Kong to sidestep Chinese censorship requirements. The same year, countries like India, Saudi Arabia, and Indonesia moved to shut down the BlackBerry service unless they were granted a way to intercept messages. BlackBerry kept running, most likely by parking servers in those jurisdictions where they can be monitored without involving international law. Of course, Internet users may not be comfortable with what their governments do and don’t allow within their online borders: according to the latest World Wide Web Foundation’s Web Index (founded by Web creator Sir Tim Berners-Lee), 30 percent of the world’s nations engage in moderate to extensive blocking of online content and services they deem objectionable or sensitive.
Some of these examples predate recent surveillance disclosures. Who might be next? Consider Brazil. Brazil had previously pondered its own national secure email service (through its post office), but is now getting serious, with President Dilma Rousseff laying out proposals to bolster Brazil’s domestic bandwidth (keeping Brazilian traffic in Brazil), require Internet companies to locate data centers within its borders, and encourage network operators to use networking equipment designed and produced in Brazil.
The notion of Brazilian-designed networking gear could be important. In the next two years Brazil is scheduled to light up five new undersea fiber links to Africa, Europe, and Asia, (and, yes, to the United States), potentially enabling Brazil (and its overseas partners like China and South Africa) to bypass the Five Eyes. If those links — or Brazil’s expanded networks — eventually work only with Brazilian gear, the country could become the Internet’s largest walled garden. But Rousseff sees the moves as a way to protect values that historically have been championed by the United States.
“In the absence of the right to privacy, there can be no true freedom of expression or opinion, and therefore no effective democracy,” she told the UN General Assembly. Then, driving her point home, Rousseff announced (ironically, via Twitter) that Brazil will be hosting an ICANN summit on Internet privacy and security in April 2014, and cancelled a state dinner with the Obamas.
Brazil is not alone in considering carving away from the Five Eyes. In the European Union, France and Germany have been highly critical of recent surveillance revelations. The EU’s internal market commissioner Michel Barnier has called for a “European data cloud”, and EU justice commissioner Viviane Reding characterized the European Parliament’s vote on data protection regulations as a declaration of independence, requiring non-EU companies to “deal responsibly” with user data or be fined up to 5 percent of their annual worldwide revenue. If EU member states adopt the policies, Internet users will see warnings when their personal data is about to leave servers covered by EU data protection laws.
Some “Email Made In Germany” services piggybacking on popular concern over NSA surveillance already do something similar. Raising the ante, Deutsche Telekom is currently proposing an “all-German” domestic Internet with an eye towards encompassing the whole Schengen Area, twenty-six European countries that have mutually set aside passport and immigration controls. (The UK and Ireland opted out.)
Think Global, Act Local -- If Internet balkanization can protect privacy, is it a bad thing? On some levels, keeping user information, data processing, and communication within a country or region is just common sense. Do we need to use a server halfway around the world to send a quick message across town? It certainly isn’t efficient, purely on the basis of resource consumption, electricity, network infrastructure, and complexity.
The flip side is that balkanization — even when well-intentioned — can impact the interoperability and communicative power of the Internet. Requiring companies to run separate facilities in each country in which they operate is both expensive and cumbersome. Those costs could impede innovation if companies have to choose between setting up a data center in (say) Austria or investing in R&D.
Sometimes Internet services pick up their most loyal followings in unexpected places — that would be far less likely to happen with a balkanized Internet. Remember Orkut, Google’s early experiment in social networking? Most people don’t, but it was huge in Brazil and India for years — and Google eventually moved it to Brazil entirely. Similarly, Canadian instant messaging service Plurk never managed to rival Twitter, but it became so popular in Taiwan it accepted millions to relocate there in early 2013. How about San Francisco’s social/gaming service Hi5? It’s now part of Tagged, but its biggest audience has always been in Latin America.
Can social networks and modern apps survive in a world with online border checkpoints? Imagine installing a new collaborative music app or game from the App Store, only to find you can’t use it with your friends because it hasn’t been approved in their jurisdiction. Want to share a tagged photo? Maybe you can’t because your preferred social network doesn’t support a “right to be forgotten.” Maybe you’re travelling and want to check back in with family via FaceTime, but it’s blocked because Apple has not granted the local government a back door to tap into video chats. Or maybe all these services will work great once you register your devices, verify your identity, and pay a fee to another country. A global patchwork of Internet regimes — each with its own quirks and requirements — quickly undermines the free exchange of data and information on which the modern Internet has thrived.
Perhaps most importantly, countries that decide to require Internet services host and process data locally will have the capability to monitor that data much more closely — and decide what can and cannot flow across their borders, what they will and won’t collect. This might not be a major issue in democratic countries like Brazil and Germany — although they operate their own sophisticated intelligence regimes. However, authoritarian states may decide to engage in (more) internal censorship and surveillance. Further, some firms will choose not to operate in particular countries — like Google in China — due to legal requirements, technical complexity, or the burden setting up subsidiaries. What if Facebook and Twitter had been required to run data centers in Tunisia, Egypt, or Yemen under the thumb of those countries’ former governments? Could the Arab Spring have taken place without the extra-territorial communications channels made possible by Facebook and Twitter?
What About International Law? -- Before we start carving the Internet into separate fiefdoms with unique rules, border guards, and access requirements, isn’t there some legal remedy to the Five Eyes’ increasingly exposed surveillance regime? Perhaps secret U.S. law can enable the NSA to collect metadata on hundreds of millions of Americans, but how can U.S. law legally empower the NSA to collect phone records on hundreds of millions of German, French, Dutch, Italian, and Spanish citizens, and others — not to mention dozens of world leaders? Couldn’t these people — or these nations — just take the United States to court?
The short answer is the mass surveillance regime is probably not legal in many nations where individuals’ data is being collected. The United States can authorize the NSA and other agencies to spy on other nations’ communications under U.S. law, but that does nothing to de-criminalize those acts under other nations’ laws. So the unofficial eleventh commandment of intelligence agencies — “Thou shalt not get caught” — holds true. Because if they’re caught they’ll go to prison.
The long answer is much more complicated. The United States and many other countries have data-sharing and safe-harbor agreements that permit international sharing of communications and business information — these facilitate communications, finance, and business all around the world. Once that information is in the United States (legally) and being processed by U.S. businesses and agencies, it’s subject to U.S. law and, essentially, fair game to intelligence agencies. Further, Internet traffic that transits the United States is subject to U.S. law — and possibly even if it’s handled entirely overseas by U.S. companies. Warrants from the Federal Intelligence Surveillance Court (FISA) are sealed, so we don’t currently know if the United States has extended its reach overseas this way. Maybe future disclosures will tell us.
In addition, the United States and the Five Eyes have a number of intelligence-sharing arrangements. The most significant is with Britain’s GCHQ but the Five Eyes do some sharing with at least a dozen allies ranging from Singapore to Sweden. Few details have been disclosed, but elements of other governments probably have had some knowledge of NSA activity within their borders. If mass surveillance is conducted with a government’s permission — perhaps as a quid pro quo arrangement — it may be legal.
Can mass surveillance be prosecuted under international law? Probably not. Most agreements dealing with surveillance only address government and diplomatic communication, not mass collection of commercial or private data. For instance, the Vienna Convention on Diplomatic Relations of 1961 bars espionage and is the basis for the modern concept of “diplomatic immunity.” It’s ratified by 189 countries but seems to be regularly ignored. Some early disclosures from Snowden include the NSA tapping communications at the United Nations, the Atomic Energy Agency, NATO, and EU offices — almost certainly in violation.
What about the United Nations? The 1966 International Covenant on Civil and Political Rights (ICCPR) lays out specific provisions that prohibit signatories from “unlawful or arbitrary interference” with any person’s privacy, whether by individuals, businesses, foreign countries, or a nation itself. Violations of the ICCPR are handled by the Human Rights Committee, a quasi-judicial group of 18 experts at the UN that meets three times a year.
The ICCPR sounds promising, but the devil is in the details. The ICCPR has been ratified by 74 countries, but the United States got around to it only in 1992 and, curiously, has not made legal changes to meet its requirements. (The U.S. has also refused optional portions that prohibit torture.) In 2006, a Human Rights Committee review all but declared the U.S. in violation — another review could start as early as March 2014. The United States and the UK also don’t accept the right of “individual complaint” under the Covenant, meaning a specific person cannot bring them up before the Human Rights Committee. However, entire nations (or coalitions like Latin America or the EU) could bring inter-state complaints under the ICCPR.
Even nations would find it tricky to bring ICCPR complaints against the Five Eyes. The privacy provision in the Covenant is quite short, and doesn’t include limitations or legal tests. In other words, it’s wide open to interpretation that could keep politicians, diplomats, and lawyers busy for years — and it’s not like the UN or the Human Rights Committee moves quickly even when members are in widespread agreement. The United States and its allies have consistently argued their mass surveillance regime is legal and all about going after international terrorists — and the ICCPR does not apply to espionage.
One option might be changing the ICCPR. Brazil and Germany have just put forward a proposal that would add a right to online privacy to the ICCPR, asserting the “same rights that people have offline must also be protected online, including the right to privacy,” and that “highly intrusive” online surveillance would violate rights to freedom of expression. If it’s ratified, digital privacy could become an international human right alongside things like freedom of movement, freedom of association, and non-discrimination. The United States has already delineated its objections, and the proposal has wiggle room allowing collection of sensitive information in the name of public safety.
What if the United States or the Five Eyes were found in violation of the ICCPR? Despite its worthy ideals, the Covenant is essentially toothless, relying on nations’ goodwill to correct their own behavior. If the Human Rights Committee were to find the United States or its allies violated the Covenant — highly unlikely considering the economic and diplomatic pressure the U.S. can bring to bear — the only requirement is that countries in violation submit updates every three months about how they’re trying to fix the problems. That’s it. The committee cannot invalidate or change U.S. law, assess financial punishments, enact trade sanctions, or anything else. Being in violation would certainly be an embarrassment to the United States and the Five Eyes — one that would be trumpeted loudly and frequently by critics — but that sort of international shaming hasn’t closed the U.S. prison camp at Guantanamo Bay.
The inefficacy of trying to go through the UN is one reason Brazil, Germany, and other nations are taking steps to cordon off their domestic Internet networks from the NSA. It’s a more practical solution under their control.
What About Encryption? -- If balkanization could wreak havoc with the Internet and there’s no realistic legal or international recourse to shut down mass surveillance, what can we little people do? Just accept the Five Eyes (and their friends)? Trust that our small, insignificant lives are beneath their notice, that agencies will never abuse their capabilities, and never make mistakes that matter to us?
One bright spot is data encryption. While documents disclosed by Snowden revealed that the NSA has worked to weaken encryption standards and devised methods to aggressively attack encrypted data, other documents also indicated that well-implemented, strong cryptography can still stymie the NSA — and the math seems to hold up. Sure, the NSA might be able to crack strong encryption, given enough time and resources, but they have to be motivated: it won’t happen for every email message or tweet generated by hundreds of millions of people every day. As a result, the NSA has preferred to conduct its surveillance before data gets encrypted or after it’s decrypted — like in the guts of data centers.
Internet companies are responding. Google was already beginning to encrypt its internal network before the Snowden revelations, and has since sped up the work; Yahoo says all connections in its data centers will be encrypted by April 2014. Disclosed documents indicate Microsoft assisted the NSA in accessing its services — ironic since the company’s new PR campaign claims Google can’t be trusted with private data. That said, although the company has taken flak recently for failing to encrypt data, Microsoft just announced ambitious plans to encrypt user data and its networks by the end of 2014, with many protections already in place. Dropbox, Facebook, Twitter and several others have taken major steps to encrypt communications internally and between each other: the EFF is maintaining a summary. However, most Internet companies must process unencrypted data from or about their users at some point: it’s impossible to run something like Google’s vast online advertising business (and extensive user profiling) and keep all user data encrypted all the time. Securing internal data links may take away one avenue the NSA has used to collect data from major Internet companies, but others almost certainly exist.
Strong encryption is available to everyday people, too: we can encrypt our email, use VPNs or Tor to shield our network connections, and use services that don’t store information about us. Joe Kissell’s “Take Control of Your Online Privacy” goes through the details and suggests real-world strategies for keeping our online lives private, but it focuses more on advertisers, local villains, and big media than on Big Brother.
Slouching Towards Transparency -- Encryption alone is no guarantee data will be safe from the NSA’s prying eyes, but, done well, broader use of strong encryption can at least reduce weak points being leveraged by the NSA or others.
So what about all those other bugs and exploitable problems that compromise encryption and security? There’s no easy answer other than fixing those problems and making better systems. Most companies handle this process behind closed doors (if they handle it at all), often considering the details proprietary. But the Internet industry as a whole might be able to move forward via transparency and certification authorities — if only companies would get on board.
In general terms, transparency would mean companies being open not only about problems and errors in their software and hardware products, but also about how they create their products so customers can understand their risks. For hardware makers, that might include information about design, parts, supply chain, firmware, and physical security at manufacturing facilities; for software makers, it might include what libraries and tools they use or license and details of how their software communicates. The idea is not just to let users (and customers) know whether products are vulnerable to a known problem (rather like the widely used CVE system that catalogs security vulnerabilities) but also to identify whether manufacturing or development processes are vulnerable to the end-runs the NSA seems to prefer.
When problems turn up — and they always do — solutions and case studies can be made available to the entire industry to be refined or perhaps adopted as a best practice. Such a process will inevitably look like the cat-and-mouse game software makers have played with hackers and virus writers for years, except it could be the global Internet and telecommunications industries going up against the NSA and its partners. And, like the fight against malware, it would probably be never-ending.
A big question is who would manage all this. No organization currently acts as a clearinghouse for digital security threats — aside, perhaps, from the NSA — and it’s a gargantuan task. Organizations and frameworks like the ISO, the ISA Security Compliance Institute, Common Criteria, and the National Institute of Standards and Technology (NIST) could play a role here — although NIST is working to regain trust in the computer security community following recent reports the NSA got a backdoor into a NIST encryption standard. (NIST immediately launched a review.) The Internet Engineering Task Force (IETF) appears ready to engage in a long-term effort to re-evaluate the security of many of the Internet’s core technologies. At least it’s a start.
Internet, mobile, and telecommunications industries could take a cue from standards bodies in other industries like aerospace, healthcare, and safety — consider government agencies like the National Transportation Safety Board and companies like Underwriters Laboratories. Standards bodies and certification agencies identify risks, establish best practices, and develop tests and compliance programs that confirm products meet security standards. NIST has issued a preliminary cybersecurity framework aimed at critical infrastructure, but it includes an appendix on privacy and civil liberties.
Telecommunications giant Huawei is also trying to get the ball rolling on international cybersecurity standards: it recently published a white paper detailing its own internal practices — so far as I can tell, that’s a first for the industry. Huawei is the world’s largest telecommunications gear maker but is essentially barred from the U.S. market over allegations that its equipment might contain secret backdoors for the Chinese government. Thus, Huawei’s call for standards may be self-serving, but the company’s semi-pariah status might enable it to take a leading role. After all, among companies in its industry, Huawei has the fewest connections to the U.S. government and Internet companies at the heart of this year’s mass surveillance revelations.
“We’re not saying that we have all the answers,” said Huawei USA Chief Security Officer Andy Purdy in a phone interview this October, “but we’ve got to come up with some areas of agreement and we have to have product assessment. That feedback loop is essential for the global industry generally. We know it’s hard — we have thousands of suppliers — but we’ve got to raise the bar.”
Cybersecurity standards and certification could become extremely important if countries like Brazil and Germany — and anyone who wants to partner with them — begin separating themselves from the global Internet and preferring infrastructure and gear designed and produced in their own countries.
What About Disclosure? -- One of the insidious things about the legal framework of the NSA’s surveillance regime is that it’s covered by gag orders. American companies can be required to turn over data en masse without saying a word. At that point, encryption, standards, and data center design just don’t matter: the NSA gets everything wrapped up with a nice bow. As other countries set up their own national networks, it’s reasonable to assume they’ll use similar legal frameworks to scoop up not just data about their own citizens, but also any other personal data that transits their networks.
It’s a given that the United States will always have national security concerns, and governments will always spy on each other. However, the ongoing outcry from this year’s mass surveillance disclosures may generate political momentum for legal change. President Obama’s response to the initial Snowden disclosure was to reassure the American public that no one was listening to their phone calls and everything was legal. That stance has since shifted substantially: Obama appointed a review panel to make recommendations (due 15 December 2013) on changes in the U.S. intelligence apparatus, and has been openly talking about “legitimate concerns” that technology has outpaced the legal framework governing the NSA’s activities. Few expect major changes overnight, but it might be the start of a broader reform process.
Several dozen Internet companies (including Apple, Facebook, Microsoft, Twitter, and Google) have petitioned the government to let them publish aggregate information about national security-related requests they receive. (Many companies, like Google, publish transparency reports for law enforcement requests.) Apple has taken things one step further in its own first transparency report, becoming the first major tech company to employ a so-called “warrant canary” for orders to turn over data under Section 215 of the PATRIOT Act. Apple says it has not received any such orders; if it does, that assertion should disappear when Apple’s next report comes out in six months. That’s a long delay, but the idea behind a warrant canary is that a gag order can legally keep a company quiet, but cannot compel it to lie. Warrant canaries haven’t been tested in court, but Apple has deep pockets to fund a legal challenge.
It’s Complicated -- If there were an easy solution to the conflict between individual privacy, personal and national security, and the mass surveillance being carried out by western powers, we would have figured it out by now. The reality is that these issues have been with us for years; solutions are going to be incomplete, long-term, and messy; and conflict will only become more pronounced with our dependency on the Internet and modern communications.
It’s a shame. From a humble beginning more than four decades ago, the Internet has developed into perhaps humanity’s most powerful tool for spanning cultural divides, expanding access to information and education, enabling freedom of expression, protecting human rights, and — despite the trolls — broadening the human experience. Let’s hope we don’t destroy it to spite ourselves.