Don't Spy On Us Day of Action
I have not found any recording of this talk published anywhere. Please add a link if you do!
7 June 2014
One year since whistleblower Edward Snowden revealed the scale of the NSA and GCHQ’s mass surveillance of our communications, the Don’t Spy On Us campaign held a day of action to defend our freedom to read and write online.
The talk was transcribed by Andy Walpole, with permission from Cory Doctorow. Copied here with permission.
Our computers, which have microphones and cameras, can see us; they can hear us; they accompany us to the bathroom, they accompany us to the bedroom. They know where we are all the time, they know who our friends are and what our friends say to us. They can clean out our bank accounts and they can sabotage our careers and interfere with personal relationships.
Nerds understood how powerful computers are and how dangerous they can be and so nerds developed tools that they use to be secure. But for a year now there has been a ballooning number of non-nerds who have an appreciation of what is at stake and we are finally seeing a demand for privacy tools from everyday people.
Which is great news even if you are a nerd, even if you are using every one of these tools, and you don’t use Gmail and you wouldn’t touch Facebook with a ten foot barge pole. It doesn’t matter because if all your mates are Gmail users then you are a Gmail user too because all your emails end up in their inbox when you send it. And it doesn’t matter if you are not a Facebook user because if all your mates are tagging away on their pictures then you are on Facebook too.
The internet is a fixture in our lives and it’s time to stop debating over whether or not the internet makes you more free or less free. It’s clear that the internet is well suited to be either one of these. The question today is the challenge: how do we amplify the parts of the internet that make us free and dampen the parts that take our freedom away?
Ross Anderson at Cambridge had a very important paper published last month called Privacy versus government surveillance: where network effects meet public choice. He describes the weird economics of networks and how it impacts on privacy. Our networks were built to be robust and resilient; to be decentralized and not have bottlenecks and single points of failure where somebody can take out a whole nation’s internet access. But over and over again throughout the history of networks and computers we see centralization as a recurring tendency.
Centralization is one of the key factors that makes surveillance possible. GCHQ can’t bribe or threaten millions of companies into letting them have access into their data centers, but as we learned this week they can get a considerable fraction of the world’s communication just by bribing two companies, BT and Vodafone, to help them tap into a few centralized undersea cables.
Now Ross proposed that the centralization is down to two factors. The first is the network effect and the fact that as more people use the network the more valuable it becomes. So networks that are a little bigger than the others tend to become much bigger very quickly. If you have one fax machine then it isn’t much use but when you have more fax machines they become more useful until they become indispensable and suddenly fax machines are everywhere.
But the network is accelerated by something called lock-in. When the companies set up their systems they made sure that you can’t switch to a competitor without it costing you more than you save by staying with the same product. And that might be something like designing your Playstation so it can’t run games on an Xbox, or designing a mobile phone that is locked to a particular carrier so you can’t take it with you when your contract runs out.
Lock-in means that once a company starts to rig the market it can rig the game so that it never loses and it grows and grows.
And a lock-in is a bit weird from a technical perspective because a lock-in is not that hard to defeat, technologically speaking. For a lock-in to work you need to have a computer that is capable of disobeying its owner. You say to the computer, Let me run this game; and the computer says, I can’t let you do that, Dave. For the “I can’t let you do that Dave” program to work it has to be somewhere on your computer, it has to be somewhere on your hard drive. In theory you could just drag it into the trash.
And many factors go into hiding the Hal 9000 app on your computer, but lots of programmers who are much smarter than you and have the same computer and are in the same situation will become bored enough to write an app and release a set of instructions for deleting Hal 9000.
So we have a means of protecting ourselves on a technical level but global networks are laws. In 1996 the United Nations passed a treaty which became in the US the Millennium Copyright Act and all over the world they have adopted these models in keeping with this treaty that protect the Hal 9000 programs.
They made it a crime to remove digital locks even from your own computer, even if you are not breaking any other laws. And they would make it a crime to tell people information that would help them remove a digital lock.
Now this is a very powerful force for lock-in. But the relationship between digital locks (or as it is sometimes called Digital Rights Management or DRM) and surveillance is much more direct than just this lock-in effect. Because the way you get malicious spyware onto someone’s computer is by exploiting a bug in the software and it is against the law to report bugs in software that acts as a digital lock because those bugs could be used to remove the digital rights software.
So it is against the law to tell people that they have a flaw in their DRM which prevents them from running a Playstation game or switching carriers because that flaw might help them do it but it is also the place where you insert the spyware.
For many of us the most shocking revelation in the Snowden documents was not the scale of the spying but the scale of the sabotage done in the name of spying. The NSA and GCHQ had been spending £250m a year on programs called BULLRUN in the United States and EDGEHILL here in the UK, through which they sabotage the security of everyday technologies from standards in cryptography all the way to operating systems and communication apps that you use every day.
Now the sabotage tools were built on the basis that they would only be used by the good guys and not by the bad guys. The NSA called them “no buts”: nobody can use them but us. Which is rubbish. Exploits described by the National Security Agency have been independently recreated by security experts and we also have to assume that they have been independently created by crooks who are merrily dancing through your bank account right now.
Which means your digital life - which means your whole life these days because everything you do today involves the internet and everything you do tomorrow will require the internet - your digital life is being made deliberately vulnerable to every spy, crook, identity thief, gangster, pervert and voyeur on the internet which is all of them because everybody is on the internet.
The entertainment industry is stepping up its efforts to demand digital locks everywhere. They want to make sure that if we watch a Netflix movie we can’t save it to the hard drive, or when you are using the iPlayer you can’t watch a show for more than 7 days. So taking their case to the standards body that oversees the web, the World Wide Web Consortium, or W3C, they demanded that this will be made standard for the web itself; which is to say, they demanded that everything that has a browser-based interface has to be designed to disobey its owner using software that’s illegal to research and describe flaws in; meaning that everything that uses a browser is about to become a reservoir of vulnerabilities sitting there waiting to be used by the NSA, GCHQ, foreign spies, extortionists, criminals and crooks.
And the worst of it is that the W3C has said that they are going to do it. So I have a challenge for them: Don’t leave our browsers, our phones, our cars, our homes, our appliances vulnerable to spies and crooks. If you must standardize Digital Rights Management at the W3C, then at least follow the lead that you yourself set back when you were discussing software patents on the web. Because when the World Wide Web Consortium first started back in the early days of the web there were companies all around getting silly software patents on things that were key to the web. They would go to the standards bodies and say, We think that this should be the standard way the web runs so every time somebody uses a browser and every time somebody serves a web page we get a fraction of a penny. And the World Wide Web Consortium said, Look it is not our business to adjudicate whether software patents are good or bad or whether your patent is good or bad, we are in the business of making standards anybody can implement without legal jeopardy, without having to pay a fee. So the deal is that if you come to us to make a standard you have to promise not to sue people who practice your patents in the process of following that standard.
That is the condition: to make a standard you have to do everything in your power to make that standard usable by everyone.
And it is easy to see how they could apply that to digital rights framework. They could say to the BBC, they could say to Netflix, yes we can standardize patent technology, we don’t take a position on whether patent technology is right or wrong but you have to promise us as a condition of your participation: you have to sign a covenant saying that you won’t sue people who implement our standard and you won’t sue people who talk about vulnerabilities in the standard because we are in the business of making a web that people want and the web that people want is a web where you don’t get sued for making web stuff and you don’t get sued for telling people the ways that that web can attack them.
But the W3C is just a patsy. It is companies like Netflix and the BBC that are driving for DRM to be added to all new technologies and the most ironic part is they don’t even care that this has any nexus with spying on us. The reason they want this out there is they want to make sure we watch telly the right way and the fact that their preferred method of telly watching opens us up to mass surveillance is neither here nor there but if we let them do it we are hustling our way into the full Orwell.
It looks grim but I have hope because the thing the internet does better than anything else is let us co-operate with each other to make stuff and get stuff done. Think of Kickstarter and all that it has enabled and how we might apply that to something like politics.
Take the Greens for example. I live around here and the local safe-seat Labour candidate is the architect of the ID card and she wins every election, but if you look at the actual numbers then the Greens, the minority party, always come in second. And it’s easy to see why they come in second because nobody wants to vote for a candidate that can’t possibly win. But imagine that if you are the great door bell ringer and you knocked on my door and instead of saying, I’m here to convince you to waste your vote on somebody that has no hope of winning; he could say, All I want you to do is register on this website that you will vote for this minority candidate if 10,000 of your neighbors sign up and vote for her too. All of a sudden you would get alternative voting without having to worry about the referendum. All of a sudden you have a means by which people can join forces to take on someone with a seemingly unstoppable incumbency and overturn it.
You could apply it to fracking, people who fight fracking around their homes. Instead of everybody spending a thousand pounds mitigating flaming water coming out of the faucets, they all agree that they are going to put their money together and pool it on a website where they advertise for any solicitor who agrees to reduce the fracking firms to penury as long as 10,000 of their neighbors agree to do the same.
And once all those pledges are there for the solicitors to see you will have QCs begging to represent them against the biggest firms in the country.
Almost every form of corruption, from surveillance, to pollution, to bogus clinical trials that have the NHS spending hundreds of millions are a result of an imbalance in externalities. The polluter, ATOS, BT surveillance arm make a little profit by dumping all the crap on us and it costs us much more to clean up the resulting mess. But that cost is diffused amongst all the victims and the perpetrators get a tiny profit which they can turn around and use to support parliament to make rules so that their profits can grow. The internet lets us reverse that dynamic, it has the power to force governments to be accountable to their people. With a free and open internet, equipped with the cryptographic tools that let anybody talk to anybody else without being spied on we can win this fight and the fights that are to come.
It costs the NSA and GCHQ less than a penny to add somebody to their surveillance dragnets. If the bill for each spied upon person was a $10k cost then mass surveillance would be a thing of the past. Spies would have to limit their spying to those that they had a damned good reason to want to spy on. So it is our job to see to it that the technical, legal and commercial obstacles on the ground raise the cost of spying to that level. Whether you are a lawyer or a lawmaker, a business person or a customer, a toolmaker or a tool user, it is incumbent on you and every one of us to make the cost of spying as high as possible.