The internet poses a unique challenge to traditional models of government. Its transnational nature presents lawmakers with distinct regulatory problems. As a result, public officials must navigate through issues of cybersecurity and internet surveillance without the influence, guidance, or limitations of political and legal precedent.
Congress’s latest rollback of privacy protections set by the Federal Communications Commission is the first measure in what will certainly be a significant overhaul of net neutrality and privacy rights. This marks a victory for internet service providers who were at a disadvantage against edge providers like Facebook and Google (which are regulated by the Federal Trade Commission, and thus subject to less privacy regulation). It also raises pressing concerns about the future of online privacy, concerns that are only underscored by further potential changes under the Trump administration.
Thus, this repeal is not to be analyzed as an isolated policy change, but rather as a move towards a more fragmented internet. The current cyberspace climate is highly volatile, with many tech companies calling for major reforms. How nations and corporations interact with one another online is of particular concern for these companies, with some going as far as recommending the application of a Digital Geneva Convention. Such an agreement would bar governments from targeting critical infrastructure and the private sector. It would also require them to disclose vulnerabilities in computer systems and commit to the nonproliferation of cyber weapons.
These attempts to shape the internet’s place in civil society have led us to a crossroads in the realm of internet governance. Because of this, many have concluded that this collective set of principles dictating the online actions of cyber stakeholders ought to be reexamined. Recent revelations of pervasive surveillance, sharp rises in cyberattacks, and non-disclosure of vulnerabilities in consumer products render former policy insufficient. They also compel us to question what steps to take towards a better internet – one that is secure, sensitive to privacy, and accessible to all. As many experts have agreed, online peace and security depend heavily on reforming the frameworks for government surveillance.
PERVASIVE SURVEILLANCE ERODES DEMOCRACY AND HUMAN RIGHTS
In 2016, the Global Commission on Internet Governance released a report sketching three possible scenarios for the web of the future. First comes a model of unprecedented progress linked to the development of smart cities, internet-supported technologies, energy solutions, and a strong government-tech industry complex. The second scenario displays stunted growth. In this case, a fraction of the world population reaps disproportionate shares of “digital dividends” while others are still restricted from internet access. In the third case, we are presented with a dangerous and highly fragmented internet. Here, legal frameworks persistently fail to be in lockstep with cyber threats. Governments refuse to collaborate with technology enterprises to patch vulnerabilities. This augments the scope and detail of legally collectable data, thereby destroying user privacy and escalating the risk of international cyber conflict.
While the final scenario is a particularly bleak one, it should not lead us to conclude that government surveillance is fundamentally wrong. Surveillance, whether it be sponsored by states or corporations, has afforded unparalleled opportunities for economic growth, international security, and scientific innovation. Algorithms that treat “big data” often allow us the opportunity to leverage it in new ways. This is especially true in sectors such as healthcare, where aggregate information helps in narrowing down the right treatment for patients.
But existing frameworks for government collection of personal information are not consistent in their attempts to safeguard privacy and security. The task of data collection belongs to intelligence agencies whose sensitive work tends to be protected by a veil of secrecy. This allows them to eschew typical accountability mechanisms such as judicial oversight. That lack of regulation enables the violation of privacy rights, often occurring through the collection of information about individuals, and outside the mandate of the law. There have been many instances of this, the most notable of which were brought into the public eye by Edward Snowden in 2013.
In the United States, the now-defunct PATRIOT Act’s Section 215 gave the government the ability to obtain court orders requiring communications service providers to share records of individuals relevant to international terrorism. Issued by the Foreign Intelligence Surveillance Court (FISA court), these orders forced providers to hand over information ranging from telephone and email metadata to internet searches to credit card transactions. No matter how relevant targets may have been, the issuance of court requests for dragnet surveillance was constitutionally reprehensible given the Fourth Amendment’s protection against unreasonable searches and seizures. The USA FREEDOM Act of June 2015 amended Section 215’s bulk collection of metadata, and called for more focused collection on the part of intelligence agencies.
With Section 702 of the FISA Amendments Act of 2008 up for renewal at the end of this year, Congress will soon have the opportunity to curb excessive data collection. Section 702 allows the government to acquire ad libitum foreign intelligence by targeting non-U.S. persons “reasonably believed” to be outside U.S. borders. The act prohibits the targeting of persons actively known to be in the United States in an effort to minimize collection of U.S. persons’ information. However, the Snowden revelations proved that Section 702 was construed by the National Security Agency (NSA) to build a vast database on U.S. persons. “Foreign intelligence information” was interpreted as any data running through servers located in the United States (and thus under U.S. jurisdiction), therefore validating programs such as the notorious PRISM. While collection of U.S. persons’ information is deemed “incidental,” it is nonetheless retained by the NSA. Though Congress will surely reauthorize the bill, experts must still push towards stricter privacy safeguards for U.S. citizens. For this to happen, radical interpretations of the law must be halted.
SURVEILLANCE CREATES SIGNIFICANT SECURITY GAPS
Surveillance doesn’t just threaten privacy and civil liberties; it also undermines the security and stability of the internet. Whether it be in the kinetic world or the cybersphere, governance and security are inextricably linked. So, when governments make use of surveillance programs that exploit vulnerabilities or break security protocols in consumer products, it only follows that citizens respond with concern. In such cases, questions surrounding legality, disclosure, and even the desire to exploit such vulnerabilities ought to be tackled on a large scale.
A hot topic in cyber law, the Vulnerabilities Equities Process (VEP) made its way into mainstream debate following WikiLeaks’ publication of Vault 7, a cache of hacking tools developed by the CIA’s Engineering Development Group. Indeed, the degree to which governments stockpile and exploit zero-days without disclosing to manufacturers has created a new “hunting” economy for computer vulnerabilities. Sellers track down vulnerabilities for financial gain rather than patching, and big buyers seeking to develop hacking or surveillance apparatus (such as law enforcement or intel agencies) have strong interests in seeing these vulnerabilities remain unpatched.
We also observed this in the ever so stale dispute between Apple and the FBI over decrypting data from the iPhone 5C of a shooter in the 2015 San Bernardino terrorist attack. After an arduous legal battle, the Bureau withdrew its request for a cryptographic backdoor. This came only after it bought a zero-day to brute-force the iPhone’s passcode without triggering security measures. When Apple requested disclosure, the Bureau claimed it lacked enough information on the nature of the vulnerability for the VEP to review it. While vulnerabilities may have strong intelligence value, the VEP’s current bias towards non-disclosure leaves consumers in the hands of anyone who may exploit them. Without sensitive oversight of how these vulnerabilities are collected or disclosed, we stray further from a model where government and communication service providers collaborate to protect the internet from pervasive surveillance.
Human rights advocates and technologists have concurred that government efforts to obtain exceptional access to secure systems (on which the internet depends) come at the expense of creating large-scale security vulnerabilities. These vulnerabilities can be exploited by anyone, and are a threat to every nation’s interests.
SURVEILLANCE IN THE AGE OF CYBER INSECURITY
The rise of an “Internet of Things” (IoT) will enable new vectors for surveillance and cyberattacks. Think of health trackers, smart locks, AI personal assistants, public WiFi hotspots – these devices are all enabled with sensors that collect and share extremely specific and personal information about their users. As current data collection practices have demonstrated, how metadata is interpreted – whether it be by law enforcement, marketers, or malicious actors – draws a crystal clear picture about a target demographic. IoT devices are a mother lode for surveillance agents.
Reports indicate that the majority of IoT devices fail to abide by rudimentary privacy and security practices, once again creating a considerable security gap for consumers. This has already been exploited. Last October, the “Mirai” botnet hit critical telecommunications infrastructure with unprecedented distributed denial of service (DDoS) attacks. A DDoS attack involves an attacker infecting multiple computer systems with malware, and linking them together to form an army of bots – a botnet. That botnet is operated by a command and control server, which redirects all compromised systems’ traffic to a single target in an attempt to overflow its servers. The servers subsequently crash, denying access to legitimate users. The Mirai botnet was different. It scanned the internet for IP addresses of insecure IoT devices (which create far more traffic than traditional computer systems) to carry out extremely powerful DDoS attacks. These attacks hit critical telecommunications infrastructure like OVH (a French cloud computing company) and Dyn, a Domain Name System provider that hosts Spotify, eBay, Netflix, Reddit, and the New York Times, among others. That attack on Dyn shut down all of its services for almost 24 hours on the entire East Coast of the United States.
Mirai’s most destructive attack, however, occurred in Liberia. It targeted critical internet infrastructure in the country, taking down its entire web access for almost a week. Attacks such as these are bound to become more common as IoT devices proliferate. There is a foreboding element to this, enhanced by the rather ironic meaning of the Japanese word Mirai: “future.”
The dilemma for government surveillance is strong here. Though law enforcement and intelligence agencies would prefer having unfettered or court-mandated access to IoT-generated data, it would come at the expense of much-needed security for these highly exploitable devices. Bruce Schneier, a leading technologist and senior fellow at the Harvard Berkman-Klein Center, astutely wrote: “Someone has been probing the defenses of the companies that run critical pieces of the Internet. [...] We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.” Therein lies the problem for federal surveillance of the Internet of Things. In spite of this, it wouldn’t be farfetched to see new legislation (or even an amendment of Section 702) incorporate IoT devices into the scope of state-sponsored surveillance.
Indeed, the effects of surveillance go far beyond questions of ethics and civil liberties, lying at the crux of future internet governance. Surveillance will redefine not only the internet of today, but also the future role of technology in our daily lives and in our strongest institutions. The need for stronger privacy protections, accountability mechanisms, and judicial oversight will only increase. Surveillance is a salient cybersecurity issue that requires greater collaboration between lawmakers, government, and the security community. The emergence of the Internet of Things presents opportunities for significant innovation, but it also gives rise to more complicated debates regarding governmental access to IoT data. As the Global Commission on Internet Governance’s report highlighted, failure to stymie unlawful collection of information could render privacy protections obsolete. At a time when internet governance is evolving from the superstructure to the infrastructure of modern society, increased collaboration between lawmakers, government and the security community couldn’t be of greater importance.