Black Code: Inside the Battle for Cyberspace
Authors: Ronald J. Deibert
Not all “other requests” to police the Internet come from government agencies: many come from the private sector, typically under the rubric of intellectual property enforcement. When Cryptome.org published a leaked version of Microsoft’s global law enforcement guide, Microsoft sent a Digital Millennium Copyright Act (DMCA) take-down notice to Network Solutions, the DNS and hosting provider for Cryptome.org. Network Solutions’ response was to shut down the entire Cryptome website, which had on it thousands of leaked sensitive national security documents having nothing to do with the Microsoft case. In other words, to deal with one potentially diseased apple, Network Solutions decided to raze the entire orchard. As Wired magazine’s “Threat Level” put it, “Microsoft has managed to do what a roomful of secretive, three-letter government agencies have wanted to do for years: get the whistle-blowing, government-document sharing site Cryptome shut down.” Although the site was eventually restored, the matter illustrates just how “other requests” can ripple outwards like a percussive wave in the wake of a major blast.
Some instances of “other requests” coming from private actors are used to exploit companies’ terms of service and their willingness to err on the safe side of controversy. In July 2012, Facebook erased a status update of free speech organization Article 19. Article 19’s post linked to a series of satellite images from a Human Rights Watch report outlining where it suspected Syrian security services were engaging in torture. Without providing any notice, Facebook erased the post. It later said the post was mistakenly removed by a member of its “moderation team” after it received a terms of service violation complaint. Article 19 did not see it that way. Dr. Agnès Callamard, Article 19’s executive director, said, “The deletion shows the looming threat of private censorship. We commend Facebook for creating tools to report abuse, but if your post was wrongly deleted for any reason, there is no way to appeal. Facebook doesn’t notify you before deleting a comment and they don’t tell you why after they have. Facebook acts like judge, jury, and executioner.”
• • •
“Other requests” can land companies between a rock and a hard place: the growing demands by governments, often delivered with a hint of serious consequences for noncompliance, and the prospect of outrage and controversy from an aggrieved public demanding the “right to know” make it a perilous situation. In 2010, Research in Motion (now known just as BlackBerry), the Canadian-based manufacturer of BlackBerry devices, faced numerous demands by governments to eavesdrop on users of its products and services. The demands started with Middle East countries, including the United Arab Emirates and Saudi Arabia, then spread to Indonesia, India, and others. Each country insisted that RIM give government agencies backdoor access to its encrypted data streams, something RIM claimed was contrary to the technical design of its infrastructure, and thus impossible. Governments, observers, and analysts were confused by the issue, a state of affairs not alleviated by RIM.
On the one hand, the company claimed that its services were so secure that even RIM itself could not decrypt its own encrypted data streams. “RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key,” the company said in a statement. On the other hand, the company also said it respects “both the regulatory requirements of government and the security and privacy needs of corporations and consumers.” But how are these two principles reconciled when governments require access to data for law enforcement and intelligence purposes? RIM considers its negotiations with governments about access to be “confidential,” yet says it doesn’t make special arrangements with one country that aren’t “offered to the governments of all countries.” If that’s the case, why are there confidential negotiations at all? There has also been confusion about which of the many RIM services and products are secure, and which are not. RIM says “customers of the BlackBerry Enterprise Solution can maintain confidence in the integrity of the security architecture without fear of compromise.” Does this mean its much more widely distributed consumer-level product, the basic BlackBerry, is less secure and can be easily monitored?
To help answer these questions, in 2011 the Citizen Lab set up a publicly announced project called RIM Check, a specially designed website in which users of RIM products were encouraged to fill out a series of questions about their usage. The website would collect the IP address and information about the device used, hopefully showing the route the request took based on the type of BlackBerry product being used. Our theory was that if RIM made arrangements with certain countries the exit point from the RIM network might show up on a server in a particular jurisdiction where it should not be. We also monitored for content filtering over the BlackBerry network.
Although rarely mentioned at the time, the RIM controversy went beyond the interception of data. A BlackBerry is also used to surf the Web, and in many of the countries where RIM was being pressured Internet filtering is de rigueur. A Kuwaiti newspaper reported that RIM agreed to filter access to 3,000 pornographic websites at the regime’s request, and some users reported to us that RIM was already filtering access to Web content in the U.A.E. and Pakistan. Preliminary tests done in Indonesia suggested it might be going on there too. Although the data from the RIM Check project was too unreliable to draw firm conclusions (and we never published a final report for that reason), it did raise critically important questions and considerable public awareness about the issue.
However much our RIM Check project was a thorn in the company’s side, it must have been only a minor irritation compared with the real deal: the demands being made on RIM by governments for access to its encrypted data streams were jeopardizing the company’s “secret sauce,” calling into question one of its most marketable components, its supposedly “unbreakable” communications network. Unfortunately, RIM’s strategy consisted mostly of saying as little as possible in the hope that the controversy would magically disappear, and its attitude about the issue was plainly visible when co-founder Mike Lazaridis petulantly terminated an interview with the BBC after being asked whether the company had secretly made arrangements to share its data with governments in the Middle East, India, and elsewhere. “C’mon, this is a national security issue, turn that off,” Lazaridis barked, ripping off his microphone and leaving his seat while the cameras rolled. Naturally, the video went viral.
• • •
Lazaridis’s comments about the matter being a “national security issue” are telling. The trend towards “other requests” is part of the securitization of cyberspace, the slow transformation of an issue into a matter of national security, with new policies and controls attached. As the Internet has become an integral part of everyday life, how it is constituted and by whom has become a critical issue. Securitization opens the door to clandestine arrangements, over-classification, and lack of accountability. Often operating in the shadows and not subject to rules and regulations, those in favour of securitization insist that national security requires that governments have the freedom to manoeuvre and make rapid responses to immediate threats, even at the expense of cyberspace users’ rights.
These shifting forces become more pronounced during major events. Terrorist attacks – like 9/11 or the London Underground bombings – are like political earthquakes that unsettle the existing system of checks and balances and trigger an avalanche of legislation that under normal conditions would seem excessive. A few short weeks after 9/11, governments around the world passed anti-terror legislation with most of the statutes featuring similar fundamental components: beefed-up domestic policing powers; relaxed restrictions on the sharing of information between domestic law enforcement and foreign intelligence services; new requirements on the private sector to retain and share with security services the data they control; and, most importantly, a loosening of the requirements for judicial oversight into matters of law enforcement and intelligence. A June 2012 Human Rights Watch (HRW) report found that 144 countries have passed anti-terror laws since September 11, 2001, most of them covering a wide range of activities far beyond what is generally understood as terrorism and allowing for much wider latitude and action on the part of law enforcement and intelligence agencies. As the report noted, when viewed as a whole these laws “represent a broad and dangerous expansion of government powers to investigate, arrest, detain, and prosecute individuals at the expense of due process, judicial oversight, and public transparency. Such laws merit close attention, not only because many of them restrict or violate the rights of suspects, but also because they can be and have been used to stifle peaceful political dissent or to target particular religious, ethnic, or social groups.” We still live in the shadow of 9/11 as the endless war on terror proves, and an open cyberspace may become the ultimate victim.
Cyberspace securitization is reinforced by international cooperation: governments and industry leaders share best practices and information, and develop new laws based on mutual experiences. Such international co-operation can lead to greater openness and mutual transparency, but the opposite is just as likely: international institutions can become the loci for the imposition of illiberal policies and greater government control. As HRW found, one of the chief reasons so many countries adopted anti-terror legislation after 9/11 is that the UN Security Council passed several resolutions urging member states to do so. This led to what HRW calls a “flood of new and revised laws that granted special law-enforcement and other prosecutorial powers to the police and other authorities.”
Security and surveillance practices are also reinforced by networks of telecommunications companies that work in collaboration with government agencies, share expertise, develop standards and solutions, and harmonize practices. One such network is the Alliance for Telecommunications Industry Solutions (ATIS), a North America–focused consortium with more than 180 members from law enforcement and industry, including Public Safety Canada, Department of National Defence (Canada), the FBI’s Electronic Surveillance Technology Section, AT&T, Microsoft, Bell Canada, and Verizon.
ATIS hosts a number of committees and subcommittees, some of which focus specifically on developing standards for lawful intercept, such as the cumbersomely titled Packet Technologies and Systems Committee’s Lawfully Authorized Electronic Surveillance (LAES) subcommittee, currently working on standards for Voice over Internet Protocol (VOIP) services. ATIS has a counterpart in Europe called the European Telecommunications Standards Institute (ETSI), whose meetings are also attended by the world’s largest telecommunications companies, and law enforcement and intelligence agencies such as Public Safety Canada and the United Kingdom’s Government Communications Headquarters. Such regular meetings help explain how and why countries like the United States, Canada, Australia, and the United Kingdom are all tilting towards shared policies around surveillance practices. The inside-the-club nature of the meetings – journalists and regular citizens cannot apply for membership in ETSI – may help explain why they’re also gravitating towards limiting the basic judicial protections at the core of liberal democracy.
The Council of Europe’s Convention on Cybercrime – an international convention meant to coordinate law enforcement practices among member states – is another case in point, and dozens of governments party to this agreement (including many non-European states like Canada and the U.S.) are in the process of ratifying it through national legislatures. In Britain, the proposed Communications Data Bill – an update to the Regulation of Investigatory Powers Act (RIPA) – would require ISPs and other telecommunications companies to store a wider range of communication data (such as use of social networking sites, VOIP services, and email) accessed in near-real time by law enforcement without a warrant. Under the bill, ISPs would have to route data via a “black box” that will separate “content” from “header data” and also have the capability to decrypt encrypted communications (such as transmissions over encrypted SSL – Secure Sockets Layer – channels). The bill has been widely criticized across the private sector, civil society, and inside the government itself. Wikipedia’s Jimmy Wales threatened to encrypt all communications to the U.K., and stated: “It is not the sort of thing I’d expect from a Western democracy. It is the kind of thing I would expect from the Iranians or the Chinese.” Dominic Raab, a Conservative MP, said: “The use of data mining and black boxes to monitor everyone’s phone, email and web-based communications is a sobering thought that would give Britain the most intrusive surveillance regime in the West.”
The necessity to conform to the Convention on Cybercrime has often been cited by Canada’s Conservative government as the impetus behind “lawful access” bills in Canada, the latest manifestation of which was Bill C-30 – the so-called Protecting Children from Internet Predators Act. That bill was politically mishandled, with Public Safety Minister Vic Toews infamously declaring in Parliament that you are “either with us or with the child pornographers,” leading to a major public backlash that included a prominent Twitter “#TellVicEverything” campaign in which users tweeted inane details of their daily lives. While the government shelved the bill, lawful access legislation will invariably return in another guise. The central components of the proposed legislation included expanding police powers, imposing equipment and training costs on telecoms and ISPs, enabling telecoms and ISPs to voluntarily provide consumer information to authorities without a warrant, forcing telecom companies and ISPs to provide detailed subscriber data without a warrant, and imposing gag orders on telecoms and ISPs that comply with lawful access powers. Taken together, it is as if the bill would legislate “other requests” as the domestic and international legal and operational norm.