The Internet is Under Attack: Ron Deibert on the Closed-Down Web
May 21, 2013
The Citizen Lab director speaks with Wired columnist and New York Times Magazine contributing writer Clive Thompson about cybercrime, online surveillance, and why we might need a new Internet.
Ron Deibert has seen the future of the Internet, and it’s freaking him out.
Deibert is the head of the Citizen Lab, a Toronto-based institute that studies how the Internet and online communications affect society and human rights. In his new book Black Code: Inside the Battle For Cyberspace, he argues that our global network is in danger. The Internet, he notes, began life as an open system run by academics, characterized by trust. In those early days, you could have sent spam or pried into another person’s private info, but you didn’t do it because everyone trusted one another. Once the Internet became mainstream, this open, trusting environment was quickly abused and hijacked. Hucksters flooded inboxes with spam, criminals began stealing and selling data, and “denial of service attacks” took down web sites. Meanwhile, corporations, governments and spy agencies became so unsettled by the open network—where anyone could say or do almost anything—that they began passing laws and setting up technologies to curtail this explosive burst of everyday-citizen activity.11To mark the publication of Black Code we assembled this timeline of cyber-shenanigans.
Black Code is a catalogue of what this shutdown looks like. He tours Internet server farms and sees the wiretaps installed by governments. His group uncovers criminals who unleash “trojan horses” on Facebook to ensnare users, and the Chinese creators of “Ghostnet”, a global online spying network. And he surveys the “next billion digital natives”—the people coming online in countries where the governments have even less desire for open communications.
When I spoke to Deibert, we dove deeply into how and why our online world is being squeezed shut.
In your book, you say something like: “Fifty years from now, future historians may look back and say ‘You know, there was that brief window in the 1990s and 2000s when citizens came close to building that planetary library, a global public sphere, but then let it slip from their grasp.’” When the original architects of the Internet put the system together, they made it very open—any node could talk to any other node, and you could write any code you wanted and put it online without needing to vet it with any authorities. This created a ton of amazing phenomena, like blogging or Wikipedia or even just email. But it assumed that everyone who would use the Internet was a trusted actor—that people online would behave well, right?
Although a lot of people talk about the Silicon Valley libertarian norms around the Internet, as important—maybe even more important—was the fact that the Internet was primarily borne within universities and based on the university culture of peer networking, and peer-to-peer trust. It’s a non-hierarchical organization, for the most part. But when it expanded it became the infrastructure for planet Earth and everything involved in it.
Which is when bad actors started flooding in—and, as you write, they started abusing this open system. This is the “Black Code” you talk about. Some if it is criminal activity—cybercriminals plundering your financial info online—or even corporate activity that’s legal but just creepy, like tracking your activities online so they can profile you and sell you ads. And some of it is powerful forces that are upset by how open the system is: Governments that pass laws limiting what people can do online, spy agencies using the openness to do surveillance, or Internet providers preventing people from using tools like Bittorrent because Hollywood is worried that people are stealing movies.
It’s “black” in the sense of criminal forces subverting that system of trust. That’s definitely a part of it. And that has been there from the beginning. When e-mail was invented, it wasn’t long after you had spam. Then there are states, and especially defence-intelligence agencies who are traditionally known as black—Deep Black, Black Ops—the agencies which you might have said were on the precipice of extinction at the end of Cold War, but have suddenly assumed predominance over this domain. If you look around the world today, cyber security ranks high [as a priority] in most countries, certainly in the United States, and these three letter agencies are now positioning themselves to be the primary agencies dealing with cyber security.
Another meaning of black code is an ominous looking-forward that ties it all together, that where we’re headed is actually down a path that will subvert the original intentions of this network. I have a quote from H.G. Wells at the end of the book about the “world brain,” where he kind of anticipated this global library that would be accessible to everyone. That’s Wikipedia! But we take it for granted, and I see dark clouds on the horizon.
You argue that the big intelligence agencies so prominent in the Cold War—like the National Security Agency (NSA) and CIA—didn’t have much of a mandate after the Cold War was over, but they’ve come roaring back, doing tons of online surveillance. What was the tipping point, the moment when they realized this was the area they ought to be spying into?
I really think the consequences of 9/11 cannot be overestimated. It was so dramatic that all of us who lived through it remember that existential moment, and if you look within weeks of 9/11 happening, most countries passed legislation that was seen as an emergency measure. “We need to roll back civil liberties, give intelligence agencies powers that they don’t have.” Remember, at the time the primary conclusion drawn was that there had been a failure to connect the dots, and that there was a failure to share information between law enforcement and intelligence. They had these barriers between them to protect civil liberties, hampering investigations and could have led to—you know, if only someone had spotted a rental car purchased here, an illegal visa, and so on.
That cleared the way so to speak, but standing in the wings were the agencies themselves. During the Cold War, the massive data collection apparatuses and globe-spanning satellites of the United States and the Soviet Union were primarily focused on each other. So the NSA, what was it trying to listen in on? Russian telemetry tests and Politburo conversations. After the Cold War, and especially after 9/11, the threat environment changed to a distributed non-state actor. Basically, all of society. Simultaneous with that was the rise of the Internet, and then the Internet of things, and the world of big data, which has basically led to this voracious, almost there is no end to it, this desire to…
And again there is another factor here, and that is in an era of financial austerity, the one big market opportunity right now is in cyber security. So a huge cyber security industrial complex has sprouted around big data analytics. All of that together, 9/11-style Patriot Act security legislation, threats being dispersed in society, the traumatic event of 9/11 coming from non-state actors, big data analytics and the market for it the has led to a kind of contingent, accidental coming together of this huge set of actors that now are positioning to essentially monitor and control cyberspace.
And we’re leaving a lot of trails online for them to spy into. A lot of our social activities take place in public—and on the servers of for-profit corporations like Facebook or Twitter or mobile-phone networks.
One [revolution] that is overlooked but is happening now, and started only within the last five to seven years, is the volume of data that we now entrust to third parties, especially private companies, data that either didn’t exist before or was locked away in a filing cabinet or kept in our bedrooms. It was made possible by the rise of social networking, mobile, and cloud computing. The obvious part of that is people socially share so much that they never did before, it’s kind of a new set of mores.
But what people don’t see is the data about the data: The metadata that we share. Right now I’m sitting here with my cell phone in my pocket, it’s constantly emitting a beacon. That beacon sends data to either the Wifi router here in the lab or the cell phone tower that is somewhere down the street on a building. Within that metadata is data about my phone, my ownership of the phone, header information, maybe time, date, location, GPS, and so on. And that’s me. Extrapolate that to maybe billions of people who use the Internet on a daily basis and suddenly you have this turning of our lives inside out. Even our unconscious lives.
And that information doesn’t go off into the ether, it doesn’t go off into space. It exists somewhere in a material sense. That’s another part of my book, what I’ve been trying to do over the course of my career, to peel back the layers of the deep infrastructure that we don’t see, that we take for granted, from the wires and cables all the way up to the satellites in space.
An interesting aspect of the Arab Spring was how much of the activists’ communications took place on corporate spaces like Facebook, Twitter, or YouTube. But there were all these interesting collisions between corporate policy and the needs of political subversion and activism. When Wael Abbas, an Egyptian journalist and activist, would film instances of police brutality or get sent films he would upload them to YouTube. But then YouTube—and this was before the Arab Spring—would occasionally delete stuff because it was too graphic; it contravened their policies. It took a long time for Abbas to get in touch with someone at YouTube to explain what was going on. Then, as Clay Shirky has said, these companies realized that like it or not, they had to have a foreign policy.
Some of the companies have developed a foreign policy, Google among them, and I’ve had longstanding relations talking to Google executives about this. I generally applaud what they’ve done in this space with transparency reports and the global networking issue. Unfortunately, companies like that are extraordinarily rare, especially in the telecommunications sector.
Spy agencies have a long record of working with for-profit companies and using their tools for spying, so today’s online world fits into that historic pattern.
There’s a comfortable relationship between intelligence agencies in the private sector, the CIA, and startup companies. The more interesting relationship to spot is with telecommunications companies, going back even to the telegraph, Western Union. Intelligence agencies like the NSA. The culture of the telecommunications industry—the AT&Ts, Verizons, BlackBerrys even of the world—the mobile sector, is much different than the Silicon Valley world. They have decades-long experience working very closely with law enforcement, defence, and intelligence agencies.
And now they’re moving into jurisdictions where the vast majority of their user base is going to come from countries that don’t have the same basic protections, assuming we still even have them. We’re rolling them back, but at least we still have a semblance of a memory of them. Whereas in countries like India where it is highly chaotic, or repressive, autocratic regimes like that of China, Russia, and Indonesia, or corrupt regimes, failing states—there cyber security is at the top of their agenda. They are looking to private companies to police the Internet on their behalf, which is creating huge human rights problems. There really isn’t much of a tradition of corporate social responsibility among telecommunications companies.
In Evgeny Morozov’s book The Net Delusion, he criticizes the notion that the Internet’s early culture of openness and free speech would transform repressive governments—because some of the time the effect is in the opposite direction. The repressive needs of despotic regimes abroad wind up influencing what the free market, the makers of the technology, and Europe and the US, are willing to do. In your book, you document how repressive governments worldwide—and non-repressive Western ones—are all using spying software and hardware created by companies like Nokia or Cisco. Cisco’s stuff was used pretty heavily to build the Great Firewall of China. “You need technology to track and bust activists? Yeah, we’ve got that. We can do that.”
And this is interesting, because as you point out, the culture of the Internet is going to change as it becomes less and less Western. The next billion or more users are will be in places like Russia, India, and China. That is going to create a powerful new centre of gravity on the way that network technologies work.
Absolutely. I was just at a meeting where someone conveyed a statistic from China: 546 million Internet users, 75 percent of them mobile. That is phenomenal. There is a conceit in the West that technology will be used in a certain way, that it comes built with certain properties mind. I think there is a deeper point here to be made that the culture of cyberspace reflects the users. And the users as much as the rulers of those countries may approach it in an entirely different way.
If you look at that next billion, most of them are coming from failed, autocratic, repressive regimes, that’s one part of it. But they’re also coming from cultures where religion plays a much greater role, culture in general plays a much greater role. They may not share our assumptions about libertarianism and access to information, especially the people who grew up here in the West with the Internet. We think of the Internet as a natural expression of our desire for basic human rights. They might come at it with completely different notions of rights, and that eventually will begin to bear down on the architecture of cyberspace. We’re seeing it already in the way that countries like Iran, looking to build a Halal Internet. And in some places like Mexico, organized crime is actually the dominant shaper of cyberspaces.
Since 2003, the Open Net Initiative has been trying to answer the question: When you’re sitting in Canada and you access the Internet, is it the same Internet you access in Saudi Arabia or Iran? The average user in Indonesia, they’re not coming into a cyberspace in which a computer connects them to a network that connects them to the very same network I have access to. Instead, they are signing up usually to a mobile provider, and those mobile providers have licensing agreements with governments for whom cyber security is at the top of the agenda.
That is a critical difference with when we came online—our governments didn’t have an Internet policy at all, it was actually laissez-faire, hands-off. We do have to give Al Gore and his colleagues credit. Now, in Indonesia it’s the exact opposite. Not only is it not laissez-faire, there is a very comprehensive cyber security policy, a part of which is to restrict certain types of content, and to monitor what you’re doing. Practically speaking, a BlackBerry user in Indonesia—there are now data centres there run by BlackBerry—all their web browsing is filtered through that data centre where there are content filters. You’re experiencing a different Internet than you are here in Canada. People use the term Balkanization for this, but it’s really about carving up and colonizing the global public sphere.