Face It: Privacy is Dead
But do we accept that or build a better internet?
Key to both security cracks is that there are no known protections against them.
One researcher said, “We are currently unaware of a practical solution to this problem.”
“There’s no real way to fix it,” said another.
There might be eventual workarounds, but researchers are finally hitting the fundamental, unsolvable insecurity of the Internet, which the military never designed to be secure or to protect user identities.
Self-described “cypherpunks” — like Julian Assange and technology activist Jacob Appelbaum (among many others) — see the internet as a public good that should never be monitored, regulated, or exploited by governments. Yet their most standard complaint, summarized as “the militarization of cyberspace,” is completely disconnected from cyberspace’s origins as a military program.
The internet began in a 1966 program called Resource Sharing Computer Networks. Started by the Advanced Research Projects Agency (the precursor to DARPA, where the “D” stands for “Defense”), this network was meant to decentralize data storage to protect it from a nuclear strike. Over time, ARPANET grew to become the Internet we know and love today. Whatever the utopian wishes of the Internet’s most ardent evangelists, there is no escaping that it began as a military research project.
In fact, the military has always been active on the Internet. Fourteen years ago, reports emerged of a vast NSA surveillance network called ECHELON. Created in 1971, ECHELON reportedly collected every satellite communication, almost all phone calls, and, according to some estimates, nearly 90 percent of traffic on the Internet.
That such a vast, longstanding surveillance system for the Internet exists makes perfect sense when one considers that the military invented the Internet, and thus knows how to monitor it the most effectively. It was never meant to be secure, because the Pentagon never imagined it would grow beyond the scale of safeguarding government data (along with some universities doing research) to become the pervasive presence it is today. The internet’s insecurity is why the U.S. government built alternate internets, called SIPRNet and JWICS — it was the only way to keep secret communications private.
Now we face a conundrum: The internet is not just used for research and storing government data away from nuclear strikes but for everyday things, like communicating, buying toys and groceries, banking, reading the news, and paying bills. The security of the internet never caught up to all of those things we take for granted. New systems meant to safeguard people’s privacy and data have been tacked on top of it, but the internet itself is so inherently insecure that those improvised security systems have holes that will eventually be discovered.
Apart from identifying the arms race that security research has become, there is a deeper question becoming clear, especially in light of the public debate over NSA surveillance: Do we even have a reasonable expectation of privacy anymore?
It sounds almost rhetorical, but that question is important to the debate about what the government can or should do with easily accessible data. Even supposedly anonymous systems, like TOR (The Onion Routing network, which was birthed by the U.S. Navy and gets over half its money from the U.S. government), can get cracked open by government agencies and their contractors to uncover criminal conduct, such as the distribution of child pornography. There are workarounds, like using email with strong cryptography, but they’re difficult to use. Most average people either can’t be bothered or can’t understand it.
The NSA isn’t the only agency capable of monitoring everything you do. Google tracks an incredible amount of data about its users (are you one of the 53 percent of Internet users on Chrome?), as do Facebook and Microsoft (the latter through its ubiquitous chat program Skype). One of the most fascinating aspects of the reaction against the NSA has been the seeming comfort with allowing for-profit corporations to strip-mine personal data while reserving opprobrium for when the government does the same thing for law enforcement.
The two poles — the internet’s inescapable long-term militarization and its inherent insecurity — suggest that a difficult choice is approaching. Either we accept that our online lives are subject to invasion should we become targeted — raising the stakes for anyone with a bank account or who is high-profile, the target of bullies, or a political dissident — or we build something that is more secure.
But can we even do that? Many, if not most, security systems are dependent on denying anonymity. Verified identities make it difficult (though not impossible) to access data without authorization. These tend to be difficult to create, hostile to casual users, and mind-numbingly slow. On the other hand, average users wouldn’t necessarily flock to a totally anonymized system, either, since normal activities like paying their bills aren’t compatible with anonymity. Any new internet-like system would almost certainly be subject to greater legal restrictions, since most governments would have a stake in not creating a totally secure, anonymous communications network.
Norms about privacy are changing, too. Polls suggest young people still care about their privacy, in some cases even more than their elders do. But rather than seeing privacy as a black box where secrets are hidden from everyone, they regard it as the right to regulate who gets access to their information. Moderating control over information is a much more nuanced prospect than an all-or-nothing approach, but it is also harder.
The internet is too embedded in our daily lives to change dramatically (which would also incur a heinous cost). But that doesn’t mean we’ll all be left wide open to the nearest hacker.
Chris Soghoian, the principal technologist at the Speech, Privacy, and Technology Project at the American Civil Liberties Union, said that one “silver lining” to the NSA disclosures is that they are “going to inspire a lot of interesting research into privacy protections.”
When people really want to keep their data secret, they invest heavily in the infrastructure to do so. The intelligence community went to the expense of building its own alternate networks to keep their data safe (so long as they’re not broken by construction crews in Tyson’s Corner, VA). It also forbids the use of cell phones, cameras, and even CD players in its intel facilities. When they were not prohibited, like at Bradley Manning’s base in Iraq, a massive breach occurred.
Yet that sort of security is not available to an average person. What we’ll see is something cheaper and probably less effective.
Look at your own home as an analogy. Your home is not terribly secure — anyone with sufficient know-how and some moderately priced equipment can break in without your ever knowing about it. (There was even a popular Discovery Channel show about it.) Most people don’t rely on having an impenetrable house to safeguard their privacy. Instead, we rely on norms against breaking and entering, along with laws that punish perpetrators to deter theft.
We’ve also built better doors and locks, lower-cost alarm systems to scare off casual thieves, and increased the capacity of local police to forensically examine a broken-into house for clues. It wasn’t just a question of changing technology and expectations, but also of evolving law enforcement and deterrence.
But even that isn’t enough to prevent home invasion and theft. Despite advances in home security, we cannot prevent all crime because security is not 100 percent perfect. Most of us lock our doors and close our windows when we leave the house; even if a break-in is going to happen, there’s no need to make it easy.
A similar change in mindset is slowly taking hold among the average internet-using population. We are finally starting to grapple with the fact that Google and the NSA are mining our lives for national security secrets and selling targeted advertisements. They don’t represent the same kind of threat that hacking schemes or identity thieves do, but they do represent the pinnacle of the internet’s capacity to invalidate any expectation of privacy. So will we discard them both? Or will we eventually adapt and internalize routine invasions as the cost of being online? The answer to that is not clear right now — and that is perhaps most disturbing of all.