
Wednesday, October 16, 2013

Ungraceful Degradation

The NSA war on Internet integrity

[This piece appeared at Asia Times Online in a slightly different form on October 15, 2013.  It can be reproduced if China Matters is credited and a link provided.  This article is a companion piece to an article appearing in an upcoming issue of CounterPunch magazine, which discusses the NSA's across-the-board, intensive commitment to overcoming the greatest obstacle to its surveillance activities--and the bulwark of Internet system integrity for commercial and individual users: the access of non-state actors to strong encryption products.  Interested readers can subscribe to CounterPunch Magazine at this link: http://store.counterpunch.org/subscriptions/ ]

The US government has taken a pretty decent open network idea - the Internet - and turned it into a security nightmare.

In one of life's many ironies, the US was forced to degrade the security functions and overall integrity of the Internet because the US Constitution, law, and public and techie opposition combined to impede legal US government surveillance access to communications over the Internet.

Instead of accepting these limits, the US government sought to evade them - by weakening the encryption and security regimes that are at the heart of secure Internet communications for businesses and innocent civilians, as well as for the usual suspects invoked to justify subversion of Internet privacy: terrorists, criminals, and pedophiles.

The role of US IT corporations in crippling the security and privacy functions of the Internet is an awkward and relatively unexplored question.

So far, the most overt naming and shaming has taken place concerning cooperation of the IT bigs in the National Security Agency's PRISM program - which involved controlled, legally colored access to unencrypted materials on corporate servers. Under PRISM, the NSA apparently installed equipment at corporate sites to process government requests for unencrypted user data if it involved people that the NSA was "51%" sure weren't US persons.

Included in the Snowden documents was a slide showing the accession of the US IT heavyweights to the PRISM regime, starting with Microsoft in 2007 and including Yahoo!, Google, Facebook, YouTube, Skype, AOL, and Apple. PRISM looked something like exploitation of the CALEA (Communications Assistance for Law Enforcement Act) mandated backdoors in US telecommunications equipment, albeit with the disturbing realization that these backdoors could be exploited by anonymous NSA analysts without a FISA court order for a week and, when the free week was up, upon resort to the notoriously rubber-stamp FISA court (without the need to show probable cause as is the case when applying to get a warrant to spy on a US citizen).

The Washington Post's Bernard Gellman spoke of NSA efforts to suppress the names of the nine companies named on the PRISM slide:
Speaking at a Cato Institute conference on Wednesday, Gellman said The Washington Post has a practice of talking to the government before running stories that may impact national security. According to Gellman, there were "certain things" in the PRISM slides that they agreed raised legitimate security concerns. But, he said:
The thing that the government most wanted us to remove was the names of the nine companies. The argument, roughly speaking, was that we will lose cooperation from companies if you expose them in this way. And my reply was "that's why we are including them." Not in order to cause a certain result, or to get you to lose your cooperation but if the harm that you are describing consists of reputational or business damage to a company because the public doesn't like what it's doing or you're doing, that's the accountability we are supposed to be promoting.

Gellman believes that it's because the names were released that many of those technology companies started to be vocal advocates of greater transparency about the program. While they "previously had very little incentive to fight for disclosure because it wasn't their information that was being collected and there was no market pressure," he said, these companies "are now, because they are suffering business damage and reputational harm, pushing very hard in public debate and in lawsuits to disclose more about how the collection program works," which current FISA Court orders prohibit them from telling the public about. [1]

The NSA Nine, perhaps alerted to the upcoming PR firestorm, went public with defenses that sought to give a picture of limited, by-the-book, almost grudging cooperation. There was a lot of generous reporting about the struggles of Google, Facebook, Yahoo! et al. to buck their NSA gag orders so they could reveal to an eager world how hard they have struggled to protect user privacy. Also, the PRISM revelations were explained and excused in the public media since they involved responses to FISA court warrants with specific, identified targets and, for that matter, were targeting "non-US persons", i.e., non-US citizens residing outside the United States.

What IT professionals found more disturbing than government backdoors into corporate servers, however, were Snowden's revelations of the NSA's war on encryption.

As I describe in an article in the upcoming print edition of CounterPunch, the NSA has aggressively acquired capabilities and resources in pursuit of its goal to crack encrypted e-mail, virtual private networks (VPNs), and mobile device communications.

Possible corporate collusion in the apparent NSA campaign to undermine the integrity of encryption and, for that matter, degrade the systemic security functionality of the Internet has received relatively little attention.

It can be speculated that some US IT corporations may have cooperated with the NSA in weakening security standards, installing backdoors, and botching implementation, perhaps with the idea that these were vulnerabilities that probably only the NSA could exploit.

Some of the most egregious NSA shenanigans have been in the arcane area of fiddling with the random number generators that lie at the heart of encryption. If the randomness is compromised incrementally, cracking becomes easier. And the more networked computers an attacker has, and the more messages are stored for analysis, the more important the reduced randomness of the encryption becomes.

It can be seen how US corporations might go along with the US government's machinations in this area; after all, the possibility of a non-NSA actor acquiring all those capabilities to exploit random number generator flaws seems vanishingly small.

At least up until now, there seems to be a code of techie omerta (and maybe the well-founded fear of a lawsuit) that precludes calling out IT bigs for climbing into bed with the NSA on the encryption issue.

Monday, June 10, 2013

Edward Snowden and China

[Edited this post lightly for clarity/typos after I sent out the e-mail notice.  Be warned!]


First, why Hong Kong?

My answer: Because he’s a spook.

There has been no end of sniggering from the liberal Colonel Blimps that Snowden chose to reveal his identity in Hong Kong.

As in (from the Twitter feed of a journalist who relentlessly works the "unfree China" side of the street):

“Seeking refuge in Hong Kong out of devotion to free speech is a bit like seeking refuge in Tibet out of devotion to Buddhism.”

Here’s what I think:

Snowden, in addition to his career as an IT grunt, had worked on the covert operations side in Geneva.

When he thinks about what happens to him, he assumes his identity is going to be revealed.  He looks at the situations of Bradley Manning and Julian Assange.  Definitely doesn’t want to stay in the United States (Manning).  Definitely doesn’t want to take up residence in a liberal democracy which happens to be a US security partner (Assange).

He wants to control the circumstances of his exposure and obtain maximum press exposure to shape international perceptions of him and rally support before the legal hammer comes down.

He doesn’t want to take the risk of getting quickly jacked up by the legal system of a nation allied to the United States on any charge, trumped up, plausible, or genuine.

Iceland?  Pretty, snowy, let-Internet-freedom-ring-a-ding-ding Iceland?

One more problem.

He doesn’t want the local authorities and local spooks working enthusiastically with the US spooks to surveil him, harass him, help make a case against him, and button him up.  He doesn’t want to get rendered.  He would like not to get bumped off.

What countries would a CIA analyst believe to have the lowest level of cooperation with the CIA and the most pervasive counterintelligence capabilities?  Russia maybe.  China maybe. 

So he looks at a jurisdiction that a) has a liberal legal system with good protections and process and b) keeps its US spooks on a short leash.

In other words, Hong Kong.

Second, were his revelations timed to coincide with the Sunnylands summit?

I guess so, for maximum hypocrisy exposure (Snowden) and media heat (Greenwald).  My personal feeling is that it is not going to affect US-China cyberbitchslapping too much.  Both sides already have a pretty good idea of each other’s capabilities.  In fact, I would think it would be better for Xi Jinping not to take the Snowden embarrassment as an excuse to take lightly President Obama’s demands.  This is just the sort of situation in which the United States drops the hammer in order to demonstrate that it’s still the biggest bully on the block.

Third, will the PRC arrange for Snowden to be extradited to the United States?

Probably, though I think their inclination will be to let the Hong Kong legal system grind ahead with all deliberate speed, perhaps with a few discreet shoves from behind the scenes, in order to preserve Hong Kong’s reputation for judicial independence.  If President Obama can bring himself to ask really, really nicely, the PRC might resort to some sort of extraordinary intervention.

But I think Snowden knows he’s coming home, sooner or later.

Fourth, why are Snowden, Greenwald, and the Washington Post receiving anything other than the thanks of a grateful nation for revealing, not the details of individual covert operations, but information on US surveillance capabilities which are known or suspected by most insiders but unknown only to the public at large?

I have no answer for that. 

It is a rather disturbing fact that the evolution of 21st century society is driving us into a deeper awareness and appreciation of the work of that famous and famously difficult to understand French philosopher, Michel Foucault.

I will outsource this observation to the excellent Bernard over at Moon of Alabama:


Edward Snowden points to a different danger of such secret data accumulation:
[Snowden] said the [analysts and governments] labored under a false premise that “if a surveillance program produces information of value, it legitimizes it. . . . In one step, we’ve managed to justify the operation of the Panopticon.”
The Panopticon is an architectural concept for a prison where the guards can watch, unseen by the inmates, from a tower in the middle into all cells built in a circle around the tower. It leaves the inmates in a perceived state of permanent surveillance. The French philosopher Michel Foucault described the effect:
Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power. So to arrange things that the surveillance is permanent in its effects, even if it is discontinuous in its action; that the perfection of power should tend to render its actual exercise unnecessary; that this architectural apparatus should be a machine for creating and sustaining a power relation independent of the person who exercises it; in short, that the inmates should be caught up in a power situation of which they are themselves the bearers.
The original Panopticon, like the digital version the NSA is building, takes away all feeling of privacy. Even when one is not watched, knowing that the possibility of being watched is always there, creates uncertainty and leads to self disciplining and self censorship. It is certainly a state the powers that be would like everyone, except themselves, to be in.

Well, I'll add this.  For those of you unfamiliar with concepts of penal architecture, the Panopticon was a proposal by the 18th century philosopher Jeremy Bentham.  No true Panopticons were ever constructed for reasons of technical difficulty.  The nearest thing to a true Panopticon was built in Cuba in the 1920s:

Here is the requisite ironic postscript from Wikipedia:

[T]he essential elements of Bentham's design were not only that the custodians should be able to view the prisoners at all times (including times when they were in their cells), but also that the prisoners should be unable to see the custodians, and so could never be sure whether they were under surveillance or not.

This objective was extremely difficult to achieve within the constraints of the available technology, which is why Bentham spent so many years reworking his plans. Subsequent 19th-century prison designs enabled the custodians to keep the doors of cells and the outsides of buildings under observation, but not to see the prisoners in their cells. Something close to a realization of Bentham's vision only became possible through 20th-century technological developments – notably closed-circuit television (CCTV) – but these eliminated the need for a specific architectural framework.