How the Internet is Broken

While many suspected it, the revelations of Edward Snowden confirmed that entire populations are under dragnet surveillance, compromising our rights to privacy, freedom of association and expression.  We now understand that backdoors into software and hardware have rendered much of our physical infrastructure – from cell phone devices to server stacks – vulnerable to attack.

We know now that our browsers are infected, that encryption standards have been deliberately weakened, and that placing backdoors into hardware and software has become routine. We also know that submarine cables are tampered with and that even offline devices can be ‘illuminated’ and their data read.

Most Internet and other telecommunication traffic flows through the USA.  There are historical reasons for this; the effect, however, is that information flowing through the US becomes subject to US law, and it is easy for the US to control, surveil and own private data.  We now understand the legal and political implications of this image:

Global Traffic Map 2010 (source:

In theory, the Internet is a distributed, decentralized network. In reality, there are 13 places on the planet that contain the most important Internet exchanges: ten are in the US and the others are on the territory of US allies – the Netherlands, South Korea and Sweden.

In theory, the Internet naming system is distributed.  In reality, the Domain Name System is hierarchical, with the root domain controlled and operated by two US-based corporations – ICANN, a California-based corporation created by the US Department of Commerce, and Verisign Inc. The entities that control the root domain have the power to control all the domains on the planet, essentially an on/off switch.

In theory, email, the most popular application on the Internet with 2.5 billion users, is designed with a decentralized protocol.  In reality and practice, email is extremely centralized. Several hundred million people use Google’s Gmail; several hundred million more use Microsoft’s Hotmail and Yahoo. Suddenly we are up to 1 billion users, and all of these services are based, and their data physically stored, in the US and consequently fall under US legislation.

The technology that is supposed to protect our security on the Internet through encryption – HTTPS – is not widely used and the algorithm has also been compromised.  Passwords, private communication and credit card information have been shown to be even more vulnerable by the Heartbleed bug.

What can be done?

Democratize Internet Governance: To fix the Internet, the theoretical decentralization of the Internet needs to become a reality.  It is neither sustainable nor equitable for one country to have overwhelming control over the global Internet. We need essential communications services that protect privacy, ensure safe payment processes, non-hierarchical transport and naming systems, and access to free software and hardware alternatives for everything we do.

Take action to protect human rights: The right to privacy is not recognized because it sounds good, but because it is necessary. Democracy cannot function without privacy. Freedom of speech and association cannot be enjoyed without allowing for privacy and anonymity.  Without these, many other freedoms become meaningless. Actual harm is done to populations under surveillance through forced change in behaviour and methods of public participation. We need to fight against violations of privacy because of what we know from history and the evidence we now have.

Learn encryption: Cryptography works so long as we do it correctly.  When it comes to cryptography there are two rules that are extremely important.  First, don’t do it yourself.  Use well-tested cryptographic libraries whose algorithms have sustained and survived attack.  Second, adhere to Kerckhoffs’s principle – all of the security of a cryptographic system has to be in the key.  None of the security can be in the algorithm.  This is an extension of the thinking behind free software. If you keep the algorithm secret, sooner or later that algorithm will be public and can be attacked as well. If you have kept it secret, it also hasn’t been subjected to the research that makes it strong.
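
Kerckhoffs’s principle in practice, as an added example that is not part of the original article: a keyless homemade tag (a constructed toy) is forgeable by anyone who learns the recipe, while HMAC-SHA256 from Python’s standard library stays unforgeable without the key and recovers from a leak by changing the key alone. The function names and the sample messages are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


def homemade_tag(message: bytes) -> bytes:
    """Constructed toy: no key; the only 'secret' is the recipe itself."""
    scrambled = bytes(b ^ 0x5A for b in reversed(message))
    return hashlib.sha256(scrambled).digest()[:16]


def homemade_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(homemade_tag(message), tag)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Public, well-studied algorithm (HMAC-SHA256); all secrecy is in `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def keyed_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    message = b"transfer 1000 to account 42"  # constructed sample message
    server_key = secrets.token_bytes(32)      # held only by the verifier
    outsider_key = secrets.token_bytes(32)    # outsider knows the code, not the key
    results = {
        # Once the recipe is known, anyone can compute a tag that verifies.
        "homemade_forgery_accepted": homemade_verify(message, homemade_tag(message)),
        # Knowing the HMAC algorithm does not help without the right key.
        "hmac_forgery_accepted": keyed_verify(
            server_key, message, keyed_tag(outsider_key, message)),
        "hmac_genuine_accepted": keyed_verify(
            server_key, message, keyed_tag(server_key, message)),
    }
    # Recovery after a leak: replace the key, keep the algorithm unchanged.
    old_tag = keyed_tag(server_key, b"hello")
    rotated_key = secrets.token_bytes(32)
    results["old_tag_valid_after_rotation"] = keyed_verify(rotated_key, b"hello", old_tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
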

Use a password manager: If you can remember all of your passwords, it’s likely that none of them are strong enough. We need long passwords and a different one for each service. The only way to use passwords safely is with a password manager.  It allows you to remember one password for each service.  It helps you generate passwords that are strong and random, and finally it helps you remember all of the places where you have services and which hold information about you.

Use Free and Libre Open Software and Hardware:  Unless software is open, we can’t verify that it is not corrupted or hiding surveillance and control measures.  While software doesn’t have to be peer to peer, it does need to be decentralized so that information is not in one place and vulnerable to surveillance.  Only Free and Open Software and Hardware implementing Open Standards can give us the chance to weed out backdoors, allowing complete auditability and interoperability.

Use The Onion Router (TOR):  TOR protects online privacy by preventing traffic analysis of your location and tracking of the websites you visit. Anyone can use TOR, which doesn’t just protect the privacy and security of your own communications and web browsing, but also helps to protect activists elsewhere.

Use ad blockers: Ads are one way that a lot of information is collected; use plugins that block ads.

While policy and legal frameworks are required to ensure a reformed and internationalized Internet, many of the solutions for the future of Internet governance are technical, and without a technical grounding many of the policy and legal frameworks might be meaningless.
