The Internet is Under Attack: Ron Deibert on the Closed-Down Web

The Citizen Lab director speaks with Wired columnist and New York Times Magazine contributing writer Clive Thompson about cybercrime, online surveillance, and why we might need a new Internet.

Clive Thompson is a contributing writer for the New York Times Magazine, and a columnist for Wired. His book Smarter Than You Think: How Technology is...

||Walter Scott

Ron Deibert has seen the future of the Internet, and it’s freaking him out.

Deibert is the head of the Citizen Lab, a Toronto-based institute that studies how the Internet and online communications affect society and human rights. In his new book Black Code: Inside the Battle For Cyberspace, he argues that our global network is in danger. The Internet, he notes, began life as an open system run by academics, characterized by trust. In those early days, you could have sent spam or pried into another person’s private info, but you didn’t do it because everyone trusted one another. Once the Internet became mainstream, this open, trusting environment was quickly abused and hijacked. Hucksters flooded inboxes with spam, criminals began stealing and selling data, and “denial of service attacks” took down web sites. Meanwhile, corporations, governments and spy agencies became so unsettled by the open network—where anyone could say or do almost anything—that they began passing laws and setting up technologies to curtail this explosive burst of everyday-citizen activity.11To mark the publication of Black Code we assembled this timeline of cyber-shenanigans.

Black Code is a catalogue of what this shutdown looks like. He tours Internet server farms and sees the wiretaps installed by governments. His group uncovers criminals who unleash “trojan horses” on Facebook to ensnare users, and the Chinese creators of “Ghostnet”, a global online spying network. And he surveys the “next billion digital natives”—the people coming online in countries where the governments have even less desire for open communications.

When I spoke to Deibert, we dove deeply into how and why our online world is being squeezed shut.

In your book, you say something like: “Fifty years from now, future historians may look back and say ‘You know, there was that brief window in the 1990s and 2000s when citizens came close to building that planetary library, a global public sphere, but then let it slip from their grasp.’” When the original architects of the Internet put the system together, they made it very open—any node could talk to any other node, and you could write any code you wanted and put it online without needing to vet it with any authorities. This created a ton of amazing phenomena, like blogging or Wikipedia or even just email. But it assumed that everyone who would use the Internet was a trusted actor—that people online would behave well, right?

Although a lot of people talk about the Silicon Valley libertarian norms around the Internet, as important—maybe even more important—was the fact that the Internet was primarily borne within universities and based on the university culture of peer networking, and peer-to-peer trust. It’s a non-hierarchical organization, for the most part. But when it expanded it became the infrastructure for planet Earth and everything involved in it.

Which is when bad actors started flooding in—and, as you write, they started abusing this open system. This is the “Black Code” you talk about. Some if it is criminal activity—cybercriminals plundering your financial info online—or even corporate activity that’s legal but just creepy, like tracking your activities online so they can profile you and sell you ads. And some of it is powerful forces that are upset by how open the system is: Governments that pass laws limiting what people can do online, spy agencies using the openness to do surveillance, or Internet providers preventing people from using tools like Bittorrent because Hollywood is worried that people are stealing movies.

It’s “black” in the sense of criminal forces subverting that system of trust. That’s definitely a part of it. And that has been there from the beginning. When e-mail was invented, it wasn’t long after you had spam. Then there are states, and especially defence-intelligence agencies who are traditionally known as black—Deep Black, Black Ops—the agencies which you might have said were on the precipice of extinction at the end of Cold War, but have suddenly assumed predominance over this domain. If you look around the world today, cyber security ranks high [as a priority] in most countries, certainly in the United States, and these three letter agencies are now positioning themselves to be the primary agencies dealing with cyber security.

Another meaning of black code is an ominous looking-forward that ties it all together, that where we’re headed is actually down a path that will subvert the original intentions of this network. I have a quote from H.G. Wells at the end of the book about the “world brain,” where he kind of anticipated this global library that would be accessible to everyone. That’s Wikipedia! But we take it for granted, and I see dark clouds on the horizon.

You argue that the big intelligence agencies so prominent in the Cold War—like the National Security Agency (NSA) and CIA—didn’t have much of a mandate after the Cold War was over, but they’ve come roaring back, doing tons of online surveillance. What was the tipping point, the moment when they realized this was the area they ought to be spying into?

I really think the consequences of 9/11 cannot be overestimated. It was so dramatic that all of us who lived through it remember that existential moment, and if you look within weeks of 9/11 happening, most countries passed legislation that was seen as an emergency measure. “We need to roll back civil liberties, give intelligence agencies powers that they don’t have.” Remember, at the time the primary conclusion drawn was that there had been a failure to connect the dots, and that there was a failure to share information between law enforcement and intelligence. They had these barriers between them to protect civil liberties, hampering investigations and could have led to—you know, if only someone had spotted a rental car purchased here, an illegal visa, and so on.

That cleared the way so to speak, but standing in the wings were the agencies themselves. During the Cold War, the massive data collection apparatuses and globe-spanning satellites of the United States and the Soviet Union were primarily focused on each other. So the NSA, what was it trying to listen in on? Russian telemetry tests and Politburo conversations. After the Cold War, and especially after 9/11, the threat environment changed to a distributed non-state actor. Basically, all of society. Simultaneous with that was the rise of the Internet, and then the Internet of things, and the world of big data, which has basically led to this voracious, almost there is no end to it, this desire to…

Accumulate data.

And again there is another factor here, and that is in an era of financial austerity, the one big market opportunity right now is in cyber security. So a huge cyber security industrial complex has sprouted around big data analytics. All of that together, 9/11-style Patriot Act security legislation, threats being dispersed in society, the traumatic event of 9/11 coming from non-state actors, big data analytics and the market for it the has led to a kind of contingent, accidental coming together of this huge set of actors that now are positioning to essentially monitor and control cyberspace.

And we’re leaving a lot of trails online for them to spy into. A lot of our social activities take place in public—and on the servers of for-profit corporations like Facebook or Twitter or mobile-phone networks.

One [revolution] that is overlooked but is happening now, and started only within the last five to seven years, is the volume of data that we now entrust to third parties, especially private companies, data that either didn’t exist before or was locked away in a filing cabinet or kept in our bedrooms. It was made possible by the rise of social networking, mobile, and cloud computing. The obvious part of that is people socially share so much that they never did before, it’s kind of a new set of mores.

But what people don’t see is the data about the data: The metadata that we share. Right now I’m sitting here with my cell phone in my pocket, it’s constantly emitting a beacon. That beacon sends data to either the Wifi router here in the lab or the cell phone tower that is somewhere down the street on a building. Within that metadata is data about my phone, my ownership of the phone, header information, maybe time, date, location, GPS, and so on. And that’s me. Extrapolate that to maybe billions of people who use the Internet on a daily basis and suddenly you have this turning of our lives inside out. Even our unconscious lives.

And that information doesn’t go off into the ether, it doesn’t go off into space. It exists somewhere in a material sense. That’s another part of my book, what I’ve been trying to do over the course of my career, to peel back the layers of the deep infrastructure that we don’t see, that we take for granted, from the wires and cables all the way up to the satellites in space.

An interesting aspect of the Arab Spring was how much of the activists’ communications took place on corporate spaces like Facebook, Twitter, or YouTube. But there were all these interesting collisions between corporate policy and the needs of political subversion and activism. When Wael Abbas, an Egyptian journalist and activist, would film instances of police brutality or get sent films he would upload them to YouTube. But then YouTube—and this was before the Arab Spring—would occasionally delete stuff because it was too graphic; it contravened their policies. It took a long time for Abbas to get in touch with someone at YouTube to explain what was going on. Then, as Clay Shirky has said, these companies realized that like it or not, they had to have a foreign policy.

Some of the companies have developed a foreign policy, Google among them, and I’ve had longstanding relations talking to Google executives about this. I generally applaud what they’ve done in this space with transparency reports and the global networking issue. Unfortunately, companies like that are extraordinarily rare, especially in the telecommunications sector.

Spy agencies have a long record of working with for-profit companies and using their tools for spying, so today’s online world fits into that historic pattern.

There’s a comfortable relationship between intelligence agencies in the private sector, the CIA, and startup companies. The more interesting relationship to spot is with telecommunications companies, going back even to the telegraph, Western Union. Intelligence agencies like the NSA. The culture of the telecommunications industry—the AT&Ts, Verizons, BlackBerrys even of the world—the mobile sector, is much different than the Silicon Valley world. They have decades-long experience working very closely with law enforcement, defence, and intelligence agencies.

And now they’re moving into jurisdictions where the vast majority of their user base is going to come from countries that don’t have the same basic protections, assuming we still even have them. We’re rolling them back, but at least we still have a semblance of a memory of them. Whereas in countries like India where it is highly chaotic, or repressive, autocratic regimes like that of China, Russia, and Indonesia, or corrupt regimes, failing states—there cyber security is at the top of their agenda. They are looking to private companies to police the Internet on their behalf, which is creating huge human rights problems. There really isn’t much of a tradition of corporate social responsibility among telecommunications companies.

In Evgeny Morozov’s book The Net Delusion, he criticizes the notion that the Internet’s early culture of openness and free speech would transform repressive governments—because some of the time the effect is in the opposite direction. The repressive needs of despotic regimes abroad wind up influencing what the free market, the makers of the technology, and Europe and the US, are willing to do. In your book, you document how repressive governments worldwide—and non-repressive Western ones—are all using spying software and hardware created by companies like Nokia or Cisco. Cisco’s stuff was used pretty heavily to build the Great Firewall of China. “You need technology to track and bust activists? Yeah, we’ve got that. We can do that.”

And this is interesting, because as you point out, the culture of the Internet is going to change as it becomes less and less Western. The next billion or more users are will be in places like Russia, India, and China. That is going to create a powerful new centre of gravity on the way that network technologies work.

Absolutely. I was just at a meeting where someone conveyed a statistic from China: 546 million Internet users, 75 percent of them mobile. That is phenomenal. There is a conceit in the West that technology will be used in a certain way, that it comes built with certain properties mind. I think there is a deeper point here to be made that the culture of cyberspace reflects the users. And the users as much as the rulers of those countries may approach it in an entirely different way.

If you look at that next billion, most of them are coming from failed, autocratic, repressive regimes, that’s one part of it. But they’re also coming from cultures where religion plays a much greater role, culture in general plays a much greater role. They may not share our assumptions about libertarianism and access to information, especially the people who grew up here in the West with the Internet. We think of the Internet as a natural expression of our desire for basic human rights. They might come at it with completely different notions of rights, and that eventually will begin to bear down on the architecture of cyberspace. We’re seeing it already in the way that countries like Iran, looking to build a Halal Internet. And in some places like Mexico, organized crime is actually the dominant shaper of cyberspaces.

Since 2003, the Open Net Initiative has been trying to answer the question: When you’re sitting in Canada and you access the Internet, is it the same Internet you access in Saudi Arabia or Iran? The average user in Indonesia, they’re not coming into a cyberspace in which a computer connects them to a network that connects them to the very same network I have access to. Instead, they are signing up usually to a mobile provider, and those mobile providers have licensing agreements with governments for whom cyber security is at the top of the agenda.

That is a critical difference with when we came online—our governments didn’t have an Internet policy at all, it was actually laissez-faire, hands-off. We do have to give Al Gore and his colleagues credit. Now, in Indonesia it’s the exact opposite. Not only is it not laissez-faire, there is a very comprehensive cyber security policy, a part of which is to restrict certain types of content, and to monitor what you’re doing. Practically speaking, a BlackBerry user in Indonesia—there are now data centres there run by BlackBerry—all their web browsing is filtered through that data centre where there are content filters. You’re experiencing a different Internet than you are here in Canada. People use the term Balkanization for this, but it’s really about carving up and colonizing the global public sphere.

[pagebreak]Speaking of organized crime, in the book you go through a list of what it costs to get nasty things done online. It’s only $30 to $70 to hire someone to run a “denial of service attack” that shuts down a web site, or $162 to hack a Gmail account. It was surprisingly cheap! So now it’s really, really easy for any one—any stateless actor—to disrupt what people are doing. Anonymous does this for activist purposes, and criminals do it for illicit profit.

There is a flip side to that. A market has emerged to essentially take the techniques and tradecraft of cybercrime, which is so easy to purchase off the shelf, and package them—and I mean literally packaged in glossy brochures—to sell to defence, law enforcement, and intelligence agencies.

So is the Internet fated to be an increasingly closed system, where governments and corporations place ever more limits on what we do online? Or is there any pressure that could help balance things out?

At the very end of your book you try to tackle this question, and suggest a few principles that could restore sanity. One of the principles you talk about is restraint: government and corporations and individual users need to react with restraint in the face of their desires to control things. It sounds nice in theory, but how exactly one would convince governments and corporations that “restraint” would be in their self-interest.

Many people look around and think, “We must need some new theory or some new cyber virtual reality, some new political construct that will match the greatness of this system that has been created and the magnitude of all of it around us.” Here, I’m a political scientist and theorist, a historian. The way I approach this is to look at both sides. On the one hand you have the security crowd, and whenever anything gets securitized there is a tendency to some sort of realist paradigm, hierarchy, realpolitik, closure, secrecy. And then there is another reaction to it, usually on the libertarian side, and you can see that in Anonymous and other activists that I fit very comfortably with, who say, “We need to do away with government” at every turn but they don’t want to talk about security.

When I say that we need a security theory it’s not anything new. The core of it goes back to theorists of ancient Greece, and the Roman republic; it’s found in Machiavelli and the Venetian trading systems, and in the founding of the United States. It’s about mixture, division, and restraint, and we’re losing sight of them. If we want to create a planetary network that protects and preserves basic human rights like access to information, freedom of speech, privacy, association, and so on, we need to somehow build this from the ground up. That means checks and balances on concentrated power. You need to have multiple constituents requiring consultation—that’s mixture. And you divide political authority as you do in the early founding of the United States, with no one agency or branch being able to determine anything without the cooperation of the others, and lastly having that restraint.

We’ve lost sight of the idea of oversight and accountability. In Canada, there’s a signals intelligence agency whose budget has at least quadrupled since 9/11. They’re building a new headquarters in Ottawa that looks like a massive airport terminal, and very few Canadians have even heard of it. Oversight around that agency is miniscule. It’s not appropriate to the powers that the agency has and I would argue it is the same for the National Security Agency in the United States.

We have to go back and read Machiavelli as far as I’m concerned, and study the founding of the United States, and remind ourselves how to protect our liberty and secure ourselves from threats. Republicanism is what I’m talking about.

Republicanism as in “the formation of a republic.”

Mixture, division, restraint, we’re talking about that being the best set of practices when it actually comes to securing the Internet and critical infrastructure. We can’t centralize things. Secrecy is bad. You need to have multiple points of control, with redundancy built into the network. We’re losing sight of that because with the national security crowd on the one hand and the anarchist mindset on the other, the extremes are dominating the debate right now.

I see what you mean about this technology field being filled with libertarians who regard with disdain the entire concept of governance. They regard it as something to be ignored at best.

There is a thing for public authority in general, when in fact public authority is essential for the preservation of liberties. You need a state. The state needs to be restrained, and that is the beauty of the model. Unfortunately, it’s eroding very quickly with this world that we’re heading into. And you have people like John Perry Barlow saying “get out government, we don’t want you here, you don’t belong,” when in fact he is missing a much bigger point. You wouldn’t have had the opportunity if it weren’t for the state in the first place.

Or maybe there’s another solution to the closed-down Internet: Create a new one. Two years ago I was listening to John Perry Barlow talk; it was around the time of the Arab Spring, when the Egyptian government was shutting down the Internet because they were so unsettled by what was happening, and there all these were revelations about how Western corporations had sold Egypt and Tunisia the technology they used to spy on activists.

Barlow made a point that I’ve heard several times since: “Maybe we need to be looking at a competition here. There is only one Internet, maybe there should be a couple.” He was suggesting that maybe activists need to start building their own networks that are local and eventually global, so they can communicate without needing to travel over the fiber and switches and software owned and controlled by governments and corporations. Some local communities are already doing this—like the local “mesh” networks in Spain and Greece where thousands of households trade messages just by hopping from house to house via Wifi.

But is this just a pipe dream?

You can understand why it is intuitively appealing, and I applaud ingenuity from the margins. I like mesh networks, when people are coming up with alternative things. But you cannot avoid political structure, and thinking about the political architecture around this. You may succeed in evading it for a while, you might reach a certain point where it succeeds, but the problem is one of scale. Once you get to a point where it matters, where it’s not a marginal entity, something that actually hits the radar, you can’t avoid it. You have to start dealing with political issues, meaning what is the proper architecture of authority that governs this space.

I think people are so put off by politics today, they’ve lost a sense of enthusiasm about why politics is important in the first place. We need to have political authority. It’s a way of organizing life so that we don’t descend into chaos or live in a complete dictatorship. That is why you have political theory, and I think we need to apply some basic political theory to the constitution of this domain as a whole. If it was properly done there would be much greater latitude for innovation from the margins.

One thing I should emphasize is that this book is about the Citizen Lab. The Citizen Lab is not just any old NGO, it’s based at a university. And universities are critical to all that we’ve been talking about here, and they’re not doing their job right now. The Internet was born in the university system, as we talked about at the outset—a lot of basic principles of the Internet were borne from traditions that come from the university. Right now the Internet is under threat and universities have to step up to the plate. They have a stake and a voice when it comes to cyber security, and universities themselves are under threat. I would like to see, in the next ten years, an inter-university network that would really stake out some of these principles. Reaffirm them and include people, some of those grandfathers of the Internet, that would surely understand this, to talk about why something like a global communications system that is distributed, like the Internet was designed, is essential for the future of human knowledge. That really boils down to universities understanding that their own existence is staked on the Internet.

--
Find Hazlitt on Facebook / Follow us on Twitter

Clive Thompson is a contributing writer for the New York Times Magazine, and a columnist for Wired. His book Smarter Than You Think: How Technology is Changing Our Minds for the Better will be published by Penguin in September. He can be reached at [email protected].