Security Algorithms Need to be More Transparent

I wrote a piece for The Conversation, “It’s time to shine a light on the unseen algorithms that power ‘Big Brother’”. I try to make the point that we as citizens know very little about the algorithms that power the security services (not to mention all sorts of other things too). Which is troubling as there is a great potential for them to discriminate, or plane get things wrong. This is both potentially damaging to us, but it also makes them less useful. I also draw a comparison between these analytical algorithms and cryptographic algorithms, which are often deliberately opened up to ensure there strength. Analytical algorithms that have the power to refuse someone entry to a country, or potentially assist with putting someone behind bars, should also be open.It’s time to shine a light on the unseen algorithms that power ‘Big Brother’








Book Publication

I have been trying to get a book off the ground for a couple of weeks. I don’t want to give too much away but it will (I hope) be about who has access to knowledge and for what purpose. Its a book that I have been planning in my head for a while. Problem is that it doesn’t sit neatly into a theme of academic publishing, it sort of sits between themes. Therefore getting the proposal to the right editor at the right publisher is proving difficult.

William Hague Statement on Snowden Leaks 10th June 2013

I’m going to collect together important reports and parliamentary discussions etc on political response to the Snowden leaks. Partly for my own research into the leaks, but also as I think its useful to dig these things out into one place.

This is the statement from, and questions to William Hague MP (foreign security at the time) on the 10th of June 2013. The whole debate has an air of, “nothing to see here”. Interesting as before William Hague MP, Kenneth Clarke MP talks about his visit to a Bilderberg group meeting. Also has a humorous, “nothing to see here”, feeling to it.

The statement misses the point, spending a lot of the time praising good work of the security agencies. They do much good work, but it doesn’t justify the extreme level of invasion into our private lives by home and foreign security agencies. Or the systematic undermining of the security of the internet. Which could be exploited by organisations that aren’t there to look after us.

30C3 my highlights…

The following talks were my highlights… (in no particular order). I don’t really intend to present much of an opinion here, its just a list of talks that I think were particularly interesting and important. I might go into more detail on what I actually think in individual blog posts later.

Do You Think That’s Funny? by lizvlx. Things have got much harder for anti-establishment artists over the last few years. It would seem that even art isn’t immune to over reaching by anti-terror laws. I found it interesting how artists are grappling to understand the consequences of the Summer of Snowden. Which leads me strange onto the next talk I really enjoyed.

Hello World(video file) by Aram Bartholl. Some really interesting work. The fake Google car was very funny. Something I wished I had managed to go and take part in was the chance to make a shielded mobile phone pouch out of copper material. A good way to ensure that your phone isn’t transmitting when you don’t want it to be.

07KINGSTON25 JAMAICA: MALARIA UPDATE Dispatches from Fort Meade(video file) by Alexa O’Brien. The case of Chelsea Manning is distressing to say the least. Not only was she treated very badly whilst awaiting trial, the court case was then largely held in secret. Most of the evidence used to put her away from 35years was only disclosed to the public 18months into the trial proceedings. The first of the more disturbing presentations.

Sysadmins of the World Unite by Jacob Appelbaum and Julian Assange with surprise guest Sarah Harrison. This didn’t work so well, but it was always going to be a tricky one to pull off. Sarah Harrison essentially opened with a statement from Wikileaks. It was interesting but almost had a polished propaganda feel to it. There was then an attempt for Jacob, Julian and Sarah to have a discussion centred around the role sysadmins have in keeping the activities of agencies and companies in check. It was framed as sysadmins having a moral duty to monitor (and if necessary presumably leak) the activities of the companies they are involved in. While in principle I think whistle-blowers are important, but just because a sysadmin is managing data that doesn’t mean they really understand what they are looking at. So encouraging mass leaks might back fire horribly if people don’t understand the consequences of the information that they release. Problem is, perhaps you don’t understand the consequences of not leaking something. Very tricky, I don’t envy anyone with this type of moral dilemma.

ID Cards in China: Your worst nightmare by Kate Krauss. Very interesting talk about how China is using ID cards to store very detailed information about its population. China’s ID cards store your political views, HIV status, mental health situation, names of your parents… and much more. (Things might be bad in the west, but not this bad.) This data can be used to discriminate against or persecute individuals or groups on mass.

The 30C3 Keynote by Glenn Greenwald. It was always going to be a full house for this talk. Covered the ground you would expect, from the Snowden and the NSA to the complicity of the mass media (Mr Greenwald is not fond of the British media). It should be watched.

EUDataP: The State of the Union by Jan Philipp Albrecht. The EU Data Protection plan is something that EU citizens should be keeping a close eye on but is also detailed and complex and therefore hard to keep an eye on. It is somewhat reassuring that there were a number of people from the European Parliament at the congress. That at least shows that there are people interested in looking beyond the mass media and the normal information channels to get a more complete picture of what it happening.

Through a PRISM Darkly by Kurt Opsahl (Senior Staff Attorney with the Electronic Frontier Foundation). More information one how the NSA goes about spying on, well just about everyone it would seem. Including, how long they keep the information, what they choose to actually look at, and how a target becomes a target. Essential information that helps make sense of what we are hearing in the news.

SOPA NSA and the New Internet Lobby by Elizabeth Stark. Elizabeth was one of the key individuals involved in the stop SOPA campaign and she tried to shed some light onto how you manage a campaign of that nature. Particularly how you capture the imagination of people to get them on-board. I got the impression that she wasn’t exactly sure how you do that, how you create a social Tipping Point. This isn’t a criticism, I study tipping points in society and I’m not sure either. She did say that it probably requires something tangible to rally against. This opens up the interesting possibility that SOPA defeated itself.

No Neutral Ground in a Burning World by Quinn Norton and Eleanor Saitta. A provocative title for a talk that I felt held back a little bit. I was expecting to be told at the time for apathy was over that not intervening (or failing to get involved), was as much an intervention as direct action. That battles for the future of the internet and digital privacy were not some abstract concern of a bunch of geeks, but would directly effect the real lives of everyone on the planet. The talk almost did this, so its worth watching.

The TOR Network by Jacob Appelbaum and Roger Dingledine (The TOR dream teem). An update on TOR; funding, technology and the future. Also dispelled a couple of myths. One being that the NSA have loads of nodes/bridges, and the other being that most of the traffic on TOR was/is generated by child pornography or the Silk Road website.

To Protect and Infect 1 by Claudio Guarnieri and Morgan Marquis-Boire. The start of disclosures around the militarisation of the internet. See part 2.

To Protect and Infect 2 by Jacob Appelbaum. Following on from part 1, Jacob picked up the thread of how and the extent to which we are being watched online. The revelations in these two talks are amazing in many ways. The technology they have is mind blowing, to the point where I started to wonder (wish) if its all some sort of big joke. This talk gave details on what in 2007(ish) was cutting edge technology that was essentially available in a catalogue at the NSA. You can read more at Das Spiegel.


30C3 Day 1 First Impressions

Getting from Northern England to Hamburg on Boxing day is by no means as easy as it should be. For a start there aren’t any trains. It was was worth it because the first day of 30C3 has lived up to the promise of one of the most eventful years in the history of the internet, digital rights, and privacy. The conference opening talk called it by reminding us all that we have woken up from a bad dream to find we are living a nightmare. A nightmare that goes beyond simply loosing are privacy to mass global surveillance. We have lost control of the internet, and the very technology and protocols that it is built on. Can it be won back or have we lost it forever to a small number of massive multinationals and a growing number of government agencies?

Here comes the two-tier internet?

The government want to control what we do on the internet. They want to make us all safe by controlling what we can see and recording everything that we do. Its for our own good, we need to be kept safe. Think of the children!

Ok, so that’s a rather flippant response to two big issues but I think there is a sinister truth within. Leaving aside the apprent fact that much of our online lives are either accessable to the security services, or being recorded, I want to focus more on David Cameron’s war on pornography. Or rather, the idea and practicalities of filtering the internet. Internet pornography is a particularly difficult subject in a number of ways. Child exploitation and abuse is without question horrible, and its right that every effort should be made to remove it from society and the Internet. Consensual pornography is a less clear cut issue, one that there has been a lot of debate about, and will continue to be debated perhaps forever. Is pornography always exploitative? If all parties are consenting what is the problem with its production and viewing? Should pornography be protected as a form of expression? Where is the line drawn between pornography and art? I want to leave these questions for others and move on instead about filtering the internet.

To me the Internet (or perhaps the whole World Wide Web) is a decentralised, uncontrolled, bastion of freedom. One that seems to be under threat in a number of different ways. More and more of the infrastructure of the Internet is control by a small number of large companies. Google, Facebook, Amazon, Yahoo!, Microsoft, Rackspace and others host, route or provide access to increasing amounts of the content on the Internet. The dream of a truly decentralised Internet of millions of servers providing hosting, mail, or search fertilities seems to be over or at least under threat. Filtering seems to be the next big assault on my bastion of freedom.

Filtering the Internet entails blocking users’ access to certain websites, either via host-name blocking, or perhaps IP blocking. This is what David Cameron is proposing to do, by default he wants UK ISPs to block porn sites and only allow access if people actively choose to opt-out of filtering. The problem with filtering (leaving aside the issues around freedom of expression etc) is that is rubbish and doesn’t work very well. Filtering can operate at the level of Domain Name Servers (DNS). DNS servers are essentially an index, when I try to reach I am requesting the IP address of the computer hosting off a DNS server. If filtering is in place, instead of getting the IP address of the computer I would be redirected to a page telling me that I was trying to reach naughty content that I am not allowed to see.

The other possibility is blocking access to particular IP addresses. I suspect that this would be done at the point of Network Address Translation (NAT), or while routing traffic. Essentially an ISP could keep a list of IP that are banned, and refuse to route you to that computer. This is more problematic because the IP address of a website can change independently of the host name. So even if the IP is blocked you could reach the site, or a ‘safe’ site could be blocked accidentally. Also, it is possible to host a number of websites on one computer, therefore all under the same IP address, block one you block them all. So IP filtering is a very blunt instrument.

These methods of filtering can be circumvented in a number of different ways. DNS filtering for example can easily be sidestepped by changing your DNS server. By default your home router will be set up to use your ISPs DNS servers, filtering and all. Don’t like it? Change it to one of the public DNS servers that are free. This can be done on your router, or just for individual computers or even browsers. You could also use a Virtual Private Network (VPN). This is slightly more difficult but not much. Here you establish an encrypted link between your computer and another one elsewhere (perhaps in a different country). All the network traffic out of your computer is then sent to this other computer that then deals with it, by forwarding it on to DNS servers etc. It looks like you are that other computer, and if that computer is outside of the filtering then you are unfiltered. You could also use TOR. TOR was designed to protect against network surveillance and traffic analysis. How it works is an article (at least) on its own, but needless to say if you use it you wouldn’t be filtered.

So filtering is rubbish… so what next? Perhaps governments will give up on filtering, trusting adults to make there own minds up about what they want to access, and instead focus on catching the people that are breaking the law and leave filtering children’s access to the internet to parents? Not likely. My fear is that in a quest for increasing control (to make us all safe) of what the Internet is they will create a two-tier internet.

What is this two-tier Internet? An island analogy will work here. If you leave on an island you can easily drive around on the island and visit all the shops, people etc. However if you want to go off the island you have to drive down the one bridge to the rest of the world. It could be possible to build an Internet island. By default this is what everyone is given access too and you aren’t allowed to cross the bridge. Under this model all the websites accessible on the island would have to be pre-registered and vetted, if you attempt to access any other website (or indeed computer) you would be blocked. Public DNS wouldn’t work, that would require going down the bridge, same for a VPN that is outside the island. You just can’t get there. Unless, that is, you have requested to be able to cross that bridge. It would be easy then to monitor who wanted to get off the island, and in some cases what they brought back with them. Just asking to get off would make you a person of ‘interest’. Why would any normal, law abiding person want to get off our safe internet island?

How likely is this? Well you would not need to alter the existing infrastructure of the internet. It could be implemented with existing technology, some countries have already attempted to unplug their entire population from the rest of the internet for periods of time. The model changes from one of allow with exceptions, to block with exceptions, ISPs could be forced to connect to what would essentially be a subnet of the of the WWW with a router controlling that bridge to the mainland. The only way round the filtering would then be building your own bridge!

International safe zones could be connected, with some sort of international body acting as oversight, deciding what makes the safe list. How is this different from what we have now? Well currently anyone can setup a DNS server and add hostnames to the index. There is no central control, DNS servers are distributed and hosting servers for websites pop up all the time. Anyone can get an IP address for an internet device and get access to other computers. That could easily change, its already changing.

What troubles me is that these changes could creep up on us. Some people will like the idea of a filtered internet. They would be happy to think that their children can’t get to unsavoury content while they are surfing in their bedrooms, or on their phones. What is more, they a could start getting upset when the filters fail, and start putting pressure on the government to change things, force the ISPs to do it better. Could this lead to vetting and a two-tier internet? I think it could, and it might not look like a bad thing for a while. Those who want to get down the bridge are allowed to do so, and what they do isn’t recorded without good reason. The problem is that good reason today might look very different in 10 years, and future governments might not be so benign (how benign are present day governments?).