by Jérémie Zimmermann
La Quadrature Du Net
The Snowden revelations shed light on facts that force us to ask ourselves important questions and to take action that might be essential for the future of our online societies and for the very structure of our political systems. These documents confirm what many hackers and citizens suspected: a generalized surveillance by the NSA and other intelligence services of all personal communications over the Internet. What was a few months ago often dismissed as “conspiracy theory” or “paranoia” turns out to be actually much less than the crude reality.

The most important fact we’ve learned from the Snowden revelations is the massive aspect of the surveillance: the figure of 97 billion bits of information collected for the month of March 2013 alone (only for the PRISM program, which is only one program of the NSA!) gives a view of how global the spying on citizens of the world is. The poor defense by the US administration that “don’t worry, only non-US citizens are targeted” has to be balanced by the fact that targeting is determined by an assessment of “at least 51% chance of non-foreignness”, basically tossing a coin plus 1%… If you happen to know someone who happens to know someone who might be doing something considered wrong, then it is likely that all your personal communications are being spied upon. Whether you’re a journalist attempting to protect your sources, a lawyer or a doctor protecting medical secrets, a politician, etc., you are in.

The other most meaningful fact is the active collaboration of Google, Facebook, Apple, Microsoft and other such giant Internet corporations: whether they are forced to cooperate by the secret implementation of a law and a court operating in secret or do it willfully does not matter much. What matters is that it is now obvious that these companies are mere extensions of US intelligence agencies completely out of control, in a paranoid drift that endangers the civil liberties of citizens all around the world.
By using their services and products everyone is exposed to becoming transparent, listened to, looked at, every keystroke potentially recorded. The PRISM revelations tell us that these companies, their products and services cannot be trusted. They illustrate what free/libre software advocates and other defenders of online freedom have been saying for a long time: the very technological and economic models of these centralized services turn them into gigantic spying machines. The very nature of such closed-source, centralized software and systems turns them into instruments of control.

Also of primary importance is the sabotage of every commercial security product providing encryption technology. $250M per year was spent on the “Bullrun” program to weaken commercial cryptography, practically leaving open holes in the whole world’s security infrastructure, whether it’s checking your email, communicating with an administration or a company, shopping or online banking.

Finally, and to dismiss any attempt at justifying mass surveillance by the argument that it might be efficient and proportionate in fighting terrorism, we learned that the NSA spied upon the communications of Petrobras, the main Brazilian energy company, and upon the personal communications of Dilma Rousseff, the Brazilian president herself. Furthermore, the figures published for data collected in various democratic countries demonstrate that it was society as a whole that was an object of surveillance. It is now obvious that this massive globalized surveillance is also used for economic intelligence and political surveillance, in order to serve the interests of the US and its corporations. All these elements taken together tell us a lot about the current state of technology and the link between tech companies and the US government.
We should now be asking ourselves how to regain control over our personal communications and data, how to evade unjustifiable massive surveillance and how to regain our digital sovereignty. Building an alternative to this Orwellian surveillance will for sure take time. But it is an endeavour that must be undertaken for the sake of future societies where our fundamental right to privacy will mean something. It is an endeavour of a political and legislative nature indeed, but also technological, and (if not mostly) social.

On the purely political side, it is obvious that US law must change and that US citizens must regain control over the NSA. The fact that whole parts of public policies, a special court, its decisions and special interpretations of the law are kept secret from the public isn’t compatible with a democratic society abiding by the rule of law and the separation of powers. For us, mere citizens of “more than 51% foreignness” to the US, it might be an objective out of reach… all we can do is to increase political pressure on the US government and help US activists working towards it.

Here in the EU, Snowden’s revelations call for a strong political reaction from policymakers, who so far have been very tame… For instance, as each and every obligation allowing the “Safe Harbour” – the agreement that exonerates US companies from abiding by EU law regarding the protection of personal data – has obviously been breached, the EU is now technically able to revoke it. This would allow the negotiation of a new agreement with the upper hand for the EU, while hitting hard the US companies responsible for surveillance (which could in turn benefit EU companies). Such a bold political move seems so far nowhere in sight. We must also urge policymakers to enact a strong, effective protection of our personal data.
The data protection regulation currently being debated in the EU parliament risks being emptied of its substance, under deep influence by the very same companies caught red-handed engaging in massive surveillance. Citizens must invite themselves into this public debate, to ensure that strong barriers will be put on the export of their data to foreign jurisdictions where they are not safe, and that effective tools will be put in their hands to gain back control over their personal data and communications.

On the other hand, EU citizens must demand from their policymakers new legal protections for whistleblowers and for freedom of expression and communication in general, as the persecution of Manning, Assange, and now Snowden shows that such actions, which are obviously of general interest, are being taken at a tremendously disproportionate cost to their own lives. Lastly, we must urge our policymakers, in the EU and in the various Member States, to enact strong industrial policies that encourage, promote and fund technologies that liberate individuals rather than technologies that control and spy on them.

This technological aspect is key. We now have a clear view of the design patterns for technologies that control individuals: centralized services (based on aggregating as much data as possible), closed-down proprietary software and systems, and unreliable encryption where trust is left in the hands of third parties. All these patterns lead to technologies that expropriate us from our personal data, and leave our communications at the mercy of the NSA, its partners and its hundreds of private contractors.

On the other hand, the Snowden revelations give us a vivid illustration that Richard Stallman and others have been right all these years. We actually have on the table already the design patterns for technologies that, instead of controlling individuals, can make them more free:
- Decentralized services: Ideally hosting our data ourselves, or at least at the human scale of a bunch of friends, a company, a university, an association, a community etc. It is at this price that we will not participate in forming aggregates making these companies tremendously powerful and structurally part of the surveillance state.
- Free/libre software: By giving the whole world the same freedoms that its initial author has over it, it is the only way for humans to have the possibility of controlling their machines, and not the other way around. Free software turns the sharing of knowledge and skills into digital common goods. As “Bullrun” shows, cryptography and other security tools that are not built according to the principles of free software can never be trusted, period. (The question of getting access to the specifications of the hardware we run this software on has indeed to be asked, as the increasing use of black-boxed hardware makes it easy to insert backdoors that may be used against us. Government agencies could force manufacturers to disclose key specifications. Maybe we can someday build open hardware we can trust…)
- End-to-end encryption, where mathematics guarantees that only the user and the people he or she communicates with will be able to access and read the content of their communications, to the exclusion of third parties such as Google, Facebook, Skype, Apple, etc. This implies that users can get to understand the core concepts and get to manage their keys, which, as we’ve seen in the last decades, is not as obvious as it sounds…
So in the end, the political and the technological dimensions of building a world where technology will make users and societies more free, rather than controlling and spying on them, could maybe in practice only be articulated through a third, social dimension. It is probably only if we manage to build momentum in order to guide our colleagues, friends and society as a whole to understand why it is crucial to leave the centralized, closed-down services and products and shift to technologies that liberate, only if we manage to put enough pressure on policy-makers, only if we, as individuals and communities, begin to care about the underlying architectural principles of our communication infrastructure and technologies, that we can achieve this objective. It may sound difficult, but it is not unachievable, as this is probably one of the most crucial undertakings for the future of our societies, one in which we all have a part to play.