So here I am at long last. Forgive my delay. I have been meaning to write this, my first ever blog, for the last month or so now but have so far failed spectacularly. As my little bio explains I am a PhD student but I have spent the last three months on an internship, which has kept me rather occupied. More on that next time; seriously, I have gone from having no blogs written to literally piles of them (three), all planned out and ready to go…
PRISM, evidently, was just the tip of the iceberg. It now appears that the US National Security Agency and the British counterpart GCHQ have been funneling significant portions of their budgets into programmes designed to defeat encryption of electronic communications of all kinds.
The respective enterprises of the NSA and GCHQ that the latest batch of leaked documents outline – projects ‘Bullrun’ and ‘Edgehill’ respectively, tellingly named after American and British civil war engagements – raise a large number of issues. For the everyday Internet user, what they represent is the undermining, by government agencies, of the safety and security of (potentially) all of our online communications. I say ‘everyday’ specifically and I will return to this shortly. All personal, sensitive information that you might share via online channels is compromised by these proactive anti-encryption initiatives. Put it this way: you know the padlock that appears on a website when you’re inputting your card details? The NSA and GCHQ are cutting the key that unlocks it.
Don’t underestimate the scale and drive behind this; the NSA allegedly forks out $250 million per annum for Bullrun and has spent a total of $800 million since 2011. The projects have been described by a number of computer science and cryptography specialists as the worst hypothetical scenario come true. However, if there is one positive sign we can take from this it is that the British analysts behind the related program ‘Cheesy Name’ at least have a good sense of humour. Next time I’m hoping for ‘Insert Catchy Name Here’.
Thinking back to when the story broke in May about PRISM, I was less surprised than might be expected. Yes, it was a serious issue but these are perhaps the two most sophisticated intelligence agencies in the world – what do you expect them to be doing? Internet communication is nothing new (it is of course ever-expanding); the history of intelligence is one of monitoring domestic and foreign communications and consequently the potential for large-scale harvesting of such data is there for all to see. The private sector does it in droves – but to be fair to them they haven’t been tapping into undersea fibre-optic cables.
No, what struck me as important issues were two things. First, the lack of regulation of these powers particularly given that they were, in a diluted form, being requested under the Communications Data Bill at the end of 2012. It was a good sign that this Bill was sent back to the government with a stamp of disapproval but it also shows that the powers being requested were already well established in some areas. The second thing that struck me was the complicity of private corporations in the surveillance activities of the NSA and GCHQ.
Bullrun and Edgehill confirm these previous revelations. With the attempt to decrypt online traffic, several Internet giants – Facebook, Google, Hotmail and Yahoo – have been obliged to comply. Precisely to what extent ‘backdoors’ into the security of these service providers exist for the sole access of the intelligence agencies is unclear but it is reasonable to assume some level of cooperation, however uncomfortable it may be for the private sector. Even so, I grudgingly stress as we are talking about intelligence here, it has long been the case that market/commercial intelligence has been intertwined with domestic and international security.
OK, so we should probably think about pressing the big red panic button right about now. Right? I would encourage you to.
Here is where I have a particular investment in this story. I am interested in the relationship between surveillance and resistance. That is why I said above it was a ‘good sign’ that the CDB was sent packing earlier this year; it demonstrated the impact a concerned British public can have in shaping surveillance practice. The CDB was poorly thought through. The blanket data retention programme it proposed would have been the foundation for intrusive monitoring of our online communications, which suddenly sounds all too familiar. What I am therefore interested to see is what the response will be to these various revelations about our intelligence services.
We could envisage a response in two forms, both of which would sit happily side by side: collective and individual-level. Collective resistance can work – supporting advocacy groups for example, helping them to translate public concerns and deliver the message where it can have an impact – but for this to be effective, people need to be motivated to get involved and for that they need an issue they can understand and from which they can see the benefits of their participation (I can perhaps write separately about the issue of ‘privacy’ and why it is a difficult bandwagon to jump on). The continued presence in the national press of this story is a positive sign – I admit I was sceptical at first about how long it would remain in the public eye.
Leading towards the second form of resistance, there is also the issue here of what we might call ‘abstracted surveillance’. It is easier for the public to understand surveillance when it comes in its most obvious form of CCTV; it is visible and occupies our physical space, it is intrusive in a more corporal sense. Digital/online/electronic/Internet surveillance, whatever you want to call it, is largely invisible and in the context of state-sanctioned attempts to break the encryption of electronic communications is difficult to translate for ‘everyday’ Internet users (and I do not discount myself from that group).
Individual-level resistance to these forms of surveillance can work. What I have noticed over the past few months is a number of articles (like the recent complement to the Bullrun/Edgehill article from Bruce Schneier) that aim to instruct readers about measures that can be taken to protect oneself and one’s communications online. This is encouraging because it helps both to put the power to do something more directly in people’s hands and also helps to start the process of making these forms of surveillance understandable. The problem, as Schneier rightly points out, is that for your everyday Internet user many of these measures are impossible. They are technical fixes that require varying levels of competence possessed by a minority. Do you use Tor and if so, can you use it correctly? Can you set up GNU Privacy Guard to encrypt your emails? Do you know what it means to ‘prefer conventional discrete-log-based systems over elliptic-curve systems’? Did you even know these words could be put together into a sentence? The answer to all of these questions for most people is ‘no’; the answer to three and a half of them for me is also ‘no’. Aye, there’s the rub.
As a fledgling academic I find this all fascinating. As a regular citizen I find it all rather worrying. Stories of requests to remove blog posts about the issue are also disheartening for me in both of these roles. I am not a fan of the ‘let us decide what is best’ approach. It undermines trust – trust which is seemingly in short supply within the agencies themselves, where analysts were told not to ask about methods or sources of data connected to Bullrun. It is an over-used axiom but knowledge is power and there is an imbalance there that needs to be addressed. As long as Snowden’s revelations continue, and people start to take the message on board that this is relevant and affects us all, this is a possibility.