
January 08 2014

How did we end up with a centralized Internet for the NSA to mine?

I’m sure it was a Wired editor, and not the author Steven Levy, who assigned the title “How the NSA Almost Killed the Internet” to yesterday’s fine article about the pressures on large social networking sites. Whoever chose the title, it’s justifiably grandiose because to many people, yes, companies such as Facebook and Google constitute what they know as the Internet. (The article also discusses threats to divide the Internet infrastructure into national segments, which I’ll touch on later.)

So my question today is: How did we get such industry concentration? Why is a network famously based on distributed processing, routing, and peer connections characterized now by a few choke points that the NSA can skim at its leisure?

I commented as far back as 2006 that industry concentration makes surveillance easier. I pointed out then that the NSA could elicit a level of cooperation (and secrecy) from the likes of Verizon and AT&T that it would never get in the US of the 1990s, where Internet service was provided by thousands of mom-and-pop operations like Brett Glass’s wireless service in Laramie, Wyoming. Things are even more concentrated now, in services if not infrastructure.

Having lived through the Boston Marathon bombing, I understand what the NSA claims to be fighting, and I am willing to seek some compromise between their needs for spooking and the protections of the Fourth Amendment to the US Constitution. But as many people have pointed out, the dangers of centralized data storage go beyond the NSA. Bruce Schneier just published a pretty comprehensive look at how weak privacy leads to a weakened society. Others jeer that if social networking companies weren’t forced to give governments data, they’d be doing just as much snooping on their own to raise the click rates on advertising. And perhaps our more precious, closely held data — personal health information — is constantly subject to a marketplace for data mining.

Let’s look at the elements that make up the various layers of hardware and software we refer to casually as the Internet. How do centralization and decentralization work for each?

Public routers

One of Snowden’s major leaks reveals that the NSA pulled a trick comparable to the Great Firewall of China, tracking traffic as it passes through major routers across national borders. Like many countries that censor traffic, in other words, the NSA capitalized on the centralization of international traffic.

Internet routing within the US has gotten more concentrated over the years. There were always different “tiers” of providers, who all did basically the same thing but at inequitable prices. Small providers always complained about the fees extracted by Tier 1 networks. A Tier 1 network can transmit its own traffic nearly anywhere it needs to go for just the cost of equipment, electricity, etc., while extracting profit from smaller networks that need its transport. So concentration in the routing industry is a classic economy of scale.

International routers, of the type targeted by the NSA and many US governments, are even more concentrated. African and Latin American ISPs historically complained about having to go through US or European routers even if the traffic just came back to their same continent. (See, for instance, section IV of this research paper.) This raised the costs of Internet use in developing countries.

The reliance of developing countries on outside routers stems from another simple economic truth: there are more routers in affluent countries for the same reason there are more shopping malls or hospitals in affluent countries. Foreigners who have trespassed US laws can be caught if they dare to visit a shopping mall or hospital in the US. By the same token, their traffic can be grabbed by the NSA as it travels to a router in the US, or one of the other countries where the NSA has established a foothold. It doesn’t help that the most common method of choosing routes, the Border Gateway Protocol (BGP), is a very old Internet standard with no concept of built-in security.

The solution is economic: more international routers to offload traffic from the MAE-Wests and MAE-Easts of the world. While opposing suggestions to “balkanize” the Internet, we can applaud efforts to increase connectivity through more routers and peering.

IaaS cloud computing

Centralization has taken place at another level of the Internet: storage and computing. Data is theoretically safe from intruders in the cloud so long as encryption is used both in storage and during transmission — but of course, the NSA thought of that problem long ago, just as they thought of everything. So use encryption, but don’t depend on it.

Movement to the cloud is irreversible, so the question to ask is how free and decentralized the cloud can be. Private networks can be built on virtualization solutions such as the proprietary VMware and Azure or the open source OpenStack and Eucalyptus. The more providers there are, the harder it will be to do massive data collection.

SaaS cloud computing

The biggest change — what I might even term the biggest distortion — in the Internet over the past couple decades has been the centralization of content. Ironically, more and more content is being produced by individuals and small Internet users, but it is stored on commercial services, where it forms a tempting target for corporate advertisers and malicious intruders alike. Some people have seriously suggested that we treat the major Internet providers as public utilities (which would make them pretty big white elephants to unload when the next big thing comes along).

This was not technologically inevitable. Attempts at peer-to-peer social networking go back to the late 1990s with Jabber (now the widely used XMPP standard), which promised a distributed version of the leading Internet communications medium of the time: instant messaging. Diaspora more recently revived the idea in the context of Facebook-style social networking.

These services allow many independent people to maintain servers, offering the service in question to clients while connecting where necessary. Such an architecture could improve overall reliability because the failure of an individual server would be noticed only by people trying to communicate with it. The architecture would also be pretty snoop-proof.

Why hasn’t the decentralized model taken off? I blame SaaS. The epoch of concentration in social media coincides with the shift of attention from free software to SaaS as a way of delivering software. SaaS makes it easier to form a business around software (while the companies can still contribute to free software). So developers have moved to SaaS-based businesses and built new DevOps development and deployment practices around that model.

To be sure, in the age of the web browser, accessing a SaaS service is easier than fussing with free software. To champion distributed architectures such as Jabber and Diaspora, free software developers will have to invest as much effort into the deployment of individual servers as SaaS developers have invested in their models. Business models don’t seem to support that investment. Perhaps a concern for privacy will.

November 27 2012

U.S. Senate to consider long overdue reforms on electronic privacy

In 2010, electronic privacy needed digital due process. In 2012, it’s worth defending your vanishing rights online.

This week, there’s an important issue before Washington that affects everyone who sends email, stores files in Dropbox or sends private messages on social media. In January, O’Reilly Media went dark in opposition to anti-piracy bills. Personally, I believe our right to digital due process for government to access private electronic communications is just as important.

Why? Here’s the context for my interest. The silver lining in the way former CIA Director David Petraeus’ affair was discovered may be its effect on the national debate around email and electronic privacy, and our rights in a surveillance state. The courts and Congress have failed to fully address the constitutionality of warrantless wiretapping of cellphones and the location of “persons of interest.” Phones themselves, however, are a red herring. What’s at stake is the Fourth Amendment in the 21st century, with respect to the personal user data that telecommunications and technology firms hold that government is requesting without digital due process.

On Thursday, the Senate Judiciary Committee will consider an update to the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones. (It’s the small item on the bottom of this meeting page.)

If you somehow missed the uproar online last week, the tech policy world went a bit nutty when CNET’s Declan McCullagh broke a story about Senator Patrick Leahy (D-VT) rewriting the text of his ECPA amendment.

By the end of the day, Senator Leahy said he would not support that proposal, but what the draft reflected is pressure from law enforcement and federal regulatory agencies to not only keep warrantless access open but to enshrine it in law.

Today, Senator Leahy’s office posted a manager’s amendment and summary of changes for the committee’s consideration.

“The manager’s amendment is vastly improved, as compared to the controversial one last week,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology and the director of its Project on Freedom, Security & Technology, in a phone interview.

“We support the manager’s amendment, and will support the bill,” he said. “It will establish a clear, consistent standard for law enforcement access to content. It will require a warrant going forward. This is a huge improvement over current law and will bring ECPA into the modern age.”

In a post on the amendment at CDT.org, Nojeim reiterated CDT’s support. “It will protect consumer privacy, remove the uncertainty law enforcement currently faces, and foster the growth of U.S. cloud computing companies, which will be able to promise their clients that the information they store in cloud will be as secure against government access as information stored locally,” he wrote.

Verify, then trust

This week, the senators on the Judiciary Committee are likely to continue to be under some pressure to suggest changes to this amendment that would weaken the protections in it. The manager’s amendment already contains some concessions to law enforcement, with respect to extending the time periods after which the federal government must notify an individual that government has obtained electronic communications, or that a service provider must wait to inform that individual that those records have been obtained.

There’s also clarity that the search warrant requirement in this amendment does not apply to federal anti-terrorism laws, specifically the Foreign Intelligence Surveillance Act (FISA).

“We believe that they’ve kept the central protection in the manager’s amendment, that law enforcement must obtain a warrant to read private communications or digital content, such as documents stored in the cloud,” said Chris Calabrese, legislative counsel for the ACLU, in a phone interview. “That’s a huge privacy win, and we’re glad to see that that’s stayed in.”

Senator Leahy’s statement, however, does leave room for debate:

“I welcome the upcoming Senate Judiciary Committee debate on updating the Electronic Communications Privacy Act (ECPA) to better protect Americans’ digital privacy rights. Today, this critical privacy law is significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies.

“When I led the effort to write the ECPA more than 25 years ago, no one could have imagined that emails would be stored electronically for years or envisioned the many new threats to privacy in cyberspace. That is why I am working to update this law to reflect the realities of our time and to better protect privacy in the digital age. I join the many privacy advocates, technology leaders, legal scholars and other stakeholders who support reforming ECPA to improve privacy rights in cyberspace. I hope that all members of the Committee will join me in supporting the effort in Congress to update this law to protect Americans’ privacy.”

The other side of the issue is represented by a diverse coalition of digital rights advocates that spans traditional ideological labels. Notably, Americans for Tax Reform and the American Civil Liberties Union (ACLU) agreed that electronic privacy deserves a bipartisan upgrade.

The coalition is urging people to go to VanishingRights.com to tell their senators to support warrants for personal electronic communication.

I think they’re on the right side of history.
