These tools are too powerful for governments not to use. John Boehner, Dick Cheney and Nancy Pelosi – who agree on nothing – have agreed to defend the legality of the NSA program. That’s positive: the rules of surveillance and the supervision of the snoopers might need to be re-written.
Ever since Edward Snowden broke silence and revealed the true scope of the Federal government’s internet surveillance programs the magnitude of the revelations has increased exponentially. Mr. Snowden has implicated an alphabet soup of Federal agencies operating different programs with names like PRISM (NSA), Boundless Informant (NSA), DCSNet (FBI), Carnivore (FBI), Magic Lantern (FBI) and undoubtedly others. Like a stone into water, the ripples have continued to spread until they have encompassed the globe. Julian Assange? Mr. Snowden makes the founder of Wikileaks look like a high school newspaper editor.
The true impact of this information is not yet known and perhaps not yet knowable. After all, much of what Mr. Snowden has revealed is surprising only in its scope. The informed public has known for a long time that American government agencies were conducting electronic and cyber-surveillance both inside and outside the United States with Congressional authorization . There is not much secrecy involved in the construction of the government’s mega-data center in Utah, capable of processing and storing petabytes of data. That the US government has a cyber-warfare center in the Department of Defense is not a secret; nor that American and Israeli intelligence are almost certainly responsible for the implantation of sophisticated cyber-espionage and warfare programs in the systems of unfriendly regimes, like Iran’s. At least, these are all badly kept secrets.
It’s not exactly a revelation either that internet titans like Google, Facebook, YouTube, and Microsoft are cooperating with governments. They are the biggest and best repositories of consumer data in the world and not keen on being regulated by government should they protest too much. These companies have been compiling vast data centers of their own for years as the core of their business model. How exactly do people think these companies make money in an otherwise free internet? It is not by providing the best searches or the nicest interface for chatting with your friends. Those are merely the hooks to gather the necessary critical mass of users. It is not even by selling ad space; though that is certainly a means of generating revenue, but it was only the first stage. The real money is in these companies’ ability through their pervasive presence to gather vast amounts of personal data on their users, including data that is neither voluntarily given nor even placed on the internet by the owner, and to construct frighteningly accurate profiles of consumer habits, preferences, political and religious inclinations, wants, needs, desires – all actionable in almost real time and for sale to the highest bidder.
And most of it is legal.
Perhaps slightly more revelatory is the fact that it is not just the government of the United States which has been snooping on its citizens; in fact, Mr. Snowden reveals that just about every major – and even minor – power on earth has gotten into that game. Britain’s GCHQ has not only admitted to running a program very much like PRISM, called “Tempora” , but with even less supervision and laxer rules than the American program. China has long run “Golden Shield”, its program to monitor the internet use of all Chinese citizens and residents, programmed to detect and track any trace of dissent. This was never a secret. The existence of a sophisticated cyber-espionage and cyber-warfare capability in China’s People Liberation Army has been long suspected and confirmed this year when internet security firm Mandiant officially pointed the finger at Unit 61398, operating out of a nondescript building in downtown Shanghai.
Russia has their programs, one of which is known as SORM; so do France, Canada, Israel, and India. All share the common characteristic of utilizing electronic and cyber-surveillance and advanced data mining algorithms to detect – well, whatever their intelligence agencies want to detect. The real question is which government don’t have these programs in place? Not any governments that matter. And the lack is certainly not due to worries about privacy, but rather a lack of resources.
Mr. Snowden’s “revelations” are disconcerting, not because they tell us something we didn’t know, but because they force us to admit to something we have known all along and to which we have blissfully agreed to turn a blind eye. After all, how many of you have stopped using Facebook or cancelled your Gmail account? I’m going to guess that the number is miniscule. Mr. Snowden has painted a picture, in stark and unavoidable relief, of the world of Big Data, one in which corporations and governments have access to detailed and intimate information on almost every person on the planet. Mr. Snowden has torn down the last thin veil we had left and shown us that our belief in privacy in the new hyper-connected cyber-system we inhabit is an illusion we ourselves had created.
The greatest commons in history
It is worthwhile to pause for a moment and consider what precisely that cyber-system we inhabit actually is. The internet is a commons, perhaps the greatest commons in history. It is accessible to anyone for a very nominal access fee and in many locations for free; it is public domain, though many of the locations within it are private property; it is largely unregulated, lightly taxed and transcends borders and governments. It is – like the ocean, the other great commons – a public highway that can take anyone anywhere.
The internet is essentially a series of interconnected networks that have all agreed to communicate with one another. Not every network is part of the internet – think of secure corporate intranets (i.e. local access networks or LANs) that only connect computers within the same company to each other. Individual users and business LANs then connect to an internet service provider (ISP) through a local Point of Presence (POP). The POP then connects through another trunk line to a higher level Network Access Point (NAP) and so on and so on. As you go from local to regional to national and international levels, the trunk lines get “bigger” i.e. their capacity to move data increases. Most ISP’s belong to the telephone companies, as do most of the trunk lines, but by no means all. ISP’s, lines, routers, servers can all belong to corporations, non-profits, communities, governments or even wealthy individuals. Redundancy is one of the strengths of the internet – there are many ways to arrive at an internet destination! A “map” of a portion of the internet looks more like the neural network in the human brain than any sort of “hub-and-spoke” infrastructure.
The creation of this great man-made commons has brought about a revolution in politics, in religion, in society and in business. It has created vast fortunes and new global brands, while devastating less adaptable companies. It has empowered citizens all over the world as nothing since the printing press has done, allowing them to inform and organize themselves cheaply and efficiently against corporate and government interests. It has expanded trade, created markets, reshaped our vocabulary and our social habits. It has shrunk the world by an order of magnitude.
It is important to emphasize that most of these benefits remain freely accessible to the vast majority of the world’s population. Anyone with a cellphone or a telephone connection and with access to a computer can enjoy the benefits of the global commons. Two decades ago, that was restricted to an small, elite few concentrated in the advanced industrialized nations. No longer: the drive of technology, operating under Moore’s Law , along with the relentless need for expanding markets and profits have driven down the costs of owning a cellphone or computer to the point that it is now a small, disadvantaged minority who do not have access to these ubiquitous tools of modernity.
Who benefits from the existence of a commons? Everyone benefits, because the cost of access is negligible and there are very few barriers to entry or exit, ensuring a great deal of competition. The empowerment that comes from these characteristics accrues mostly to individuals and small businesses, which would not otherwise be able to access or afford privileged information and markets. Without the existence of the commons, it is scarcely conceivable that, for example, a small manufacturer of custom bicycles in Philadelphia, Pennsylvania could have a successful and profitable business competing against major manufacturers and their distribution channels: no one would know about them and the costs of advertising and exporting would be too high. Without the commons, it is hard to imagine the proliferation of civilian resistance movements like Occupy, the Arab Spring, and the Gezi Park protests. It would have been very difficult to inform masses of like-minded individuals and organize them in real-time while avoiding government attempts to curtail dissent.
Who would benefit the most from the “enclosure of the commons”? Big business and government would. Once the commons are neatly fenced, the new proprietor can begin to charge monopolistic rents for access and usage, fees that would exclude those without the financial wherewithal to buy into it. Barriers to entry, sold to the highest bidder, would allow companies with the deepest pockets to exclude their smaller competitors. Everyone would pay, and those who paid the most would get the most, all the while lining the pockets of those who today are providing the same services for free.
Governments would also win out. By erecting national or sub-national barriers, and allowing large corporations to become profit-seeking gatekeepers, governments everywhere would find the task of monitoring, tracing and – in the end – restricting access to the commons a much easier one. Electronic passports and digital IDs would be created; all ostensibly issued to ensure our safety and prevent hackers, phishers and terrorists from placing unwanted and dangerous content on the national net, lest they provide bomb-making instructions, corrupt our youth or disrupt our passivity. All these measures being easily traceable by the issuer, without even the condescending nod at privacy rights.
The criminalization and growing militarization of cyberspace are both driving change as well. The open data flows through the US and Europe make these systems extremely vulnerable to both organized crime, who target consumers and corporations; as well as to even more sophisticated state operators, who steal corporate intellectual property and critical military secrets. Some internet security experts consider China’s Golden Shield to be not only a surveillance and censorship platform, but a far stronger defense against cyber-attack than anything in the West. Others disagree, claiming that the nature of the internet prevents any defense from being absolute. Regardless of these opinions, nations are rapidly ramping up their cyber-warfare and cyber-defense capabilities, which will likely include more and higher “walls”, more surveillance, and more restricted access. At least 12 of the world’s top 15 military powers are aggressively building their cyber-warfare capabilities.
I it is worth remembering two things: that no company at any time has ever liked competition; and that all governments everywhere are more afraid of their own people than they are of other governments. The degree of that fear is in direct proportion to the oppressiveness and brutality of the regime; but even in democracies, the last election’s winner is afraid of losing the next election. That fear is entirely appropriate. As Thomas Jefferson said, “When the people fear their government, there is tyranny; when the government fears the people, there is liberty.” (emphasis mine)
A sign of things to come
I began by asserting that Mr. Snowden’s revelations will have consequences, and I believe that they will be of such great extent as to fundamentally change the nature of the internet. There may be some radical measures, instituted by governments, which would have an immediate impact and tend to fragment the internet. But it is the small, market driven changes that I am most afraid of: those that will grow over time insidiously, tending to increase inequality and to concentrate power.
Author’s disclaimer: I should begin by asserting that I am not a computer scientist or a network engineer, I’m an economist. I may very well be incorrect in my assumptions about the technical and technological implications leading to internet fragmentation.
Many governments, especially those in Europe, have expressed how shocked they are that the NSA is reading the emails of their citizens. That, apparently, is a job for their national intelligence services.
There has been talk in Brussels of bringing the American internet titans to account and to enforce European privacy laws on them. The cynic in me sees this as the perfect excuse that Europeans have been looking for to humble American companies like Google, who are heartily disliked, and to foster national champions. Whatever the motive, such legislation would place multinationals on the horns of a dilemma: do they comply with EU law and face legal action from the US government, or do they continue to collude with American intelligence agencies and face massive recurring fines from the EU for privacy law violations, if not outright market exclusion?
One possibility is that the US government and European governments reach an agreement to share data from the intelligence programs – frightening enough in itself, but without a greater impact on the internet cyber-system. Imagine, however, that no agreement is reached. Internet companies might have to set up a European subsidiary that would be able to comply with EU regulations and in every other jurisdiction that threatened similar action. That would be only the first step; because these companies would have to duplicate a great deal of infrastructure to ensure that pieces of it could be isolated and firewalled along national lines. After all, if an email has to be transmitted via a server in the United States, the US government can and does demand access to that transmission through the server operator or the telecomm operator over which the email was transmitted . To really insulate their citizens’ privacy, governments would have to house the servers, the routers, the nodes, restrict access to Domain Name System servers to authorized users and either reroute or develop secure protocols to control access to international cables, in order to avoid having traffic flow through “unprotected” networks.
Setting up national gateways and firewalls is nothing new. The Chinese have been doing it for years, but they are only the most successful of the bunch. They were successful enough so that Google withdrew from the market to the benefit of the national champion, Baidu . After all, the trunk lines must somehow connect to the regional networks in-country. Wireless and satellite communications complicate matters, but the infrastructure can still be controlled and interdicted at various points. The danger is that the scope and pace of barrier erection will accelerate. Today, dissidents have alternative resources available to them, like Iranian and Arab dissidents organizing via Twitter when other types of internet access were blocked: but there is no guarantee that alternatives will continue to exist in a world where every nation has set up high walls around “their” internet.
Imagine having to use a digital passport to access US websites. Why not? Governments didn’t bother much with real passports until security concerns arising during World War I and the expansion of public welfare services became major concerns. Similarly, electronic keys and digital passports could be the future of internet access. There are many people and companies outside of government that would be in favor of such a measure, starting with victims of intellectual property theft and financial companies hit by financial frauds and scams. Many individuals would favor it as well, if it enhanced national security and personal safety.
I see the smaller changes as more insidious, more dangerous. That is because they seem logical enough; none of them seem like they threaten to overthrow the current system by themselves. Like an evil incarnation of Adam Smith’s “invisible hand” they can and will produce unexpected market dynamics that will always tend to limit access, raise costs, enhance inequality and concentrate power. We will all be colluding for our own impoverishment, though those on top will not see it that way, naturally enough.
I can imagine a very strong demand and growing market for privacy services. How much would you be willing to pay to ensure that your data is shared with no one, that no traces of your activities would be made available to anyone? The answer to that question is in the nature of a demand curve: people with tracks to cover and the means to cover them will pay very well indeed. We will presently see the creation of the “Swiss Internet Account”; off-shore havens will be not just for “tax optimizers” . Secure encrypted trunk lines will lead to offshore servers, or wireless satellite communications will serve the same function, all outside of the jurisdiction of the more intrusive national governments. The intrusive national governments will allow this because the people using the service are not the ones they are worried about: it will be wealthy, entrenched elites not populist agitators. Indeed, it would be surprising if the leaders of most governments were not themselves the very first to sign up for these services.
Lesser mortals will also have access to privacy services, of course. The degree of privacy your data enjoys in the future will depend on whether you can afford the Platinum Service Account, the Gold, or the Silver; or whether your means restrict you to the Frequent Internet Surfer account with the obligatory ads, pop-ups, profiling and data sharing your lack of means condemn you to. Gated communities will proliferate across the internet as they have done across America.
The genie and the bottle
Congress is currently debating whether the NSA has gone too far. The positions cross party lines: the fiercest critic of PRISM is Republican (libertarian) Rand Paul, while John Boehner, Dick Cheney and Nancy Pelosi – who agree on nothing – have agreed to defend the legality of the NSA program. That is a positive development, if only because the rules of surveillance and the supervision of the snoopers need to be re-examined and very possibly re-written. To have a secret agency supervised by a secret court writing secret warrants is altogether too secretive.
John Adams summed up this dilemma over two hundred years ago: “There is danger from all men. The only maxim of a free government ought to be to trust no man living with power to endanger the public liberty.” We have entrusted our lives and our liberty to men who deal with secrets, and President Obama asks us to take his word for their good behavior. To me that seems inadequate. Our founders rightly distrusted good intentions in powerful men.
In America, and in most western countries to be fair, there is little appetite to discuss trade-offs when it comes to cost in human lives. Citizens demand absolute protection, whatever the cost, and governments are happy to promise it, whatever the cost. This is somewhat hypocritical as we then allow the market to make these determinations for us. “We will bankrupt ourselves in the vain search for absolute security,” said Dwight Eisenhower, and Ike knew something about the subject. Of course it is the duty of government to protect its citizens, but why are Americans so willing to suffer massive intrusions in their private lives and of their rights when it comes to terrorism? Between 1985 and 2013, there have been 3,500 fatalities and 11,300 injuries resulting from terrorism in the U.S. with over 80% of those coming from one attack (and another 10% from the Oklahoma City bombing). That is about as many people as died in 2010 from accidental drowning (3,782) or asthma (3,404), but more than those who died of malnutrition (2,790). No doubt the NSA should install cameras and listening devices in all American pools because, of course, no sacrifice is too great for absolute security.
Any meaningful action by Congress must begin by defining how our “real world” rights extend into the cyber-world; it is not always a clear-cut transition. For example, should email be treated the same as postal mail, which has an expectation of privacy and requires a warrant for authorities to open and read? It is not clear that it should: an email sent through a free public web service like Yahoo or Gmail is essentially open to the world, not just the NSA: unprotected, unencrypted and easily accessible with the right know-how. Is a posting in Facebook private, even if we restrict it to “Friends and Family” through the access settings? Before the Fourth Amendment can apply , there must be a reasonable expectation of privacy on the part of the person and of society: it is not at all clear that such an expectation exists for many of the activities we undertake in the internet.
Having Congress define the extension of civil rights into cyberspace is the proper first step, and intimately linked with a second necessary step, which is the establishment of international protocols for privacy rights and data sharing amongst government agencies and private agents. Right now, there is a very wide discrepancy between the strict standards held in Europe, the moderate standards in the United States and the disregard of privacy in many other nations. An international framework would not only give citizens a common set of expectations across a major portion of the world (other countries could join in later); it would have very positive economic benefits. Most importantly it would take the pressure off of the multinational internet and telecomm companies that might be squeezed from both sides otherwise. It would be a key component of a Transatlantic Trade and Investment Partnership, making the signing of such a landmark treaty more likely.
Finally, Congress needs to strengthen the supervisory process over the NSA and other Federal agencies involved in domestic data collection, as well as the rules of what to do with the data that has been collected and analyzed. It is still not clear to the public what mechanisms exist to keep the NSA, FBI and others “honest” in their collection, analysis and storage of data; nor how the FISA Courts’ warrants are issued, reviewed or challenged ; nor how a defendant could reasonably be expected to challenge their accusers when a cloak of secrecy is cast over the evidence and collection methods; nor how the public can have adequate assurances that their rights are not being violated. There is no way for the public to evaluate if the operation of these surveillance programs is in the least effective, or if the trade off in enhanced Federal power is worth the cost.
The genie is nonetheless out of the bottle and there is no way to bottle him up again. Governments will continue to conduct electronic and cyber-surveillance. These tools are too powerful not to use. Rather than blanket opposition to PRISM and similar programs, defenders of civil liberties would be well advised to work with government officials and members of Congress to establish the proper safeguards that will allow both reasonable expectations of privacy within defined areas of the internet, as well as enhanced security for all. The cost of inaction is likely to be felt not only in the erosion of our civil rights, but also in real economic pain and potentially the balkanization of the internet. If the great internet commons were to be destroyed, we would all be substantially poorer and weaker than we were.