Monday, January 25, 2010

Enabling Surveillance and Censorship

In an op-ed on CNN security technologist Bruce Schneier states that the US Government inadvertently create a situation that allowed Chinese hackers to eavesdrop on GMail. Schneier writes,

In order to comply with government search warrants on user data,Google created a backdoor access system into Gmail accounts.

This feature is what the Chinese hackers exploited to gain access.Google's system isn't unique. Democratic governments around the world -- in Sweden, Canada and the UK, for example -- are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

Many are also passing data retention laws, forcing companies to retain information on their customers. In the U.S., the 1994 Communications Assistance for Law Enforcement Act required phone companies to facilitate FBI eavesdropping, and since 2001, the National Security Agency has built substantial eavesdropping systems with the help of those phone companies.

Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic. The FBI illegally wiretapped the phones of Americans, often falsely invoking terrorism emergencies, 3,500 times between 2002 and 2006 without a warrant. Internet surveillance and control will be no different.

Official misuses are bad enough, but it's the unofficialuses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don't.

China's hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won't be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collectedInternet data or eavesdrop on phone and IM conversations?

The entire piece is worth the read.


Marisa said...

This issue confounds me because I do not see a clear solution, if one exists, given both the proliferation of information available and the governmental attempts to monitor it. It seems a catch-22: in attempting to protect citizens by monitoring information for terrorist activity and they like, they are also making these same citizens susceptible to attack by virtue of the stored cache of information.
I was in China over the winter break and was told by the State Department before going to exercise extreme caution and be aware of the potential that any electronics I brought could have malware installed and people would be checking up on what we did. Never would I have expected that such events could happen to users within the states. Especially when the Chinese government refuses calls for action from the U.S. government ( hard questions are raised.
What is the happy medium? Does it exist? Is this simply a matter of Google needing to take further protective measures? Of the failure of the governmental system?IS this an isolated incident that should not spark paranoia? Not sure if there are answers to these questions, but they continue to occupy me.

Marisa W said...

On reading the article I had a similar feeling, because it seems that there is no easy way out to this problem. I think the paradox here is in how security and privacy can coexist in times when cyber warfare is rampant. Government control over telecommunication companies and the internet is increasing but without offering a more secure environment for its clients and users. If Google's compliance with government search warrants on user data inadvertently helped hackers in China access its system, it looks as though we have hit a revolving door. More control, though beneficial in certain circumstances, has proven to be detrimental in terms of security and privacy issues. If more control invites misuse, then how much power should the government have? Surveillance infrastructure that discloses personal information is a hazard if unofficial authorities can breach the system. However, it is because of laws like these that terrorists, child pornographers and hackers are also discovered. It seems that therein lies the difficulty of how much control the government should exercise over telecommunications companies. In the article, it says members of Congress are reviving a bill that bans tech companies from working with governments that spy on its citizens. I find it slightly alarming that a bill is being passed in which the US government is inadvertently being regulated. But how should the government go about to create a more secure cyber environment, one that does not put its users at risk? If more control equals less security, how detached should official authorities be from tech companies?

Katherine Scholle said...

The author of the article made a point that really resonated with me -

"In the aftermath of Google's announcement, some members of Congress are reviving a bill banning U.S. tech companies from working with governments that digitally spy on their citizens. Presumably, those legislators don't understand that their own government is on the list."

I think what's becoming increasingly evident is the fact that the US does not have a proper policy, domestic or foreign, fit for the digital age. Ned pointed me to a NYT article for my final paper that outlines this issue-

The author talks about the fact that Internet companies need to develop their own foreign policy to compensate for the United States' struggle to develop their own coherent and comprehensive one. This is particularly true for transnational companies as influential as Google, which has had to assume the role of virtual state actor in the whole China debacle. It's pretty novel that with issues that have come out of this new digital age, our governments aren't necessarily the best people to be dealing with them and/or protecting us.