The team is joined by Guest Kats Rosie Burbidge, Stephen Jones, Mathilde Parvis, and Eibhlin Vardy, and by InternKats Verónica Rodríguez Arguijo, Hayleigh Bosher, Tian Lu and Cecilia Sbrolli.

Tuesday, 20 May 2014

More on MAPPING: taking a deeper peep or two at the internet

Joe Cannataci
The second session of the MAPPING Assembly (on which see earlier Katpost here) addressed mass surveillance on the internet and the balance between the interests of security and privacy, asking whether there was a need for an international treaty on the topic. Following a discussion during the coffee break, at which this Kat pressed for abrogation of the Chatham House Rule, it was decided that any speaker who is happy to be attributed as the source of his own comments should say so.  First to do so was Joe Cannataci, who gave an engaging talk (the contents of which are to be published) on whether the legal infrastructure of internet governance systems via NETmundial would fade away once consensus among interested parties coalesced. No, said Joe, internet governance systems might be expect to evolve rather than to fade away, particularly where issues like mass surveillance are involved.

There's currently a piece missing in the jigsaw from which an all-embracing internet treaty might be produced: mass surveillance. Has there been any serious discussion of this issue since Edward Snowden's revelations? It appears that the answer is "no".  Should we be sympathising with GCHQ in the United Kingdom's technical surveillance problems, or should we be keeping pressure on them and on other governments with 'extreme' surveillance policies, he asked. Have there been any UN votes in which the US, UK and Australia have been more isolated than that engineered by Brazil and Germany on this topic?

Pangaea: an apt metaphor?
So do we then need a framework convention, which does not regulate the internet but provides a list of rules as to what can or cannot be done? Any convention would be based only the internet as it currently stands -- but things change, technically and otherwise. An unfragmented, interconnected,  interoperable, secure, sustainable internet is what Netmundial calls for, but might not a system of several separate internets not do as well, perhaps with China or Iran taking their own paths and adopting different rules? Might not a fragmented internet be more trust-building, pondered Joe, taking a provocative line, and is there only one way to complete the jigsaw of an internet treaty? "Balkanisation" of the internet is actually nothing new: it has been discussed for almost the past two decades and is to some extent reinforced by our own search engine operations. "Parallel internets" can be run as distinct, parallel universes (see the splinternet entry on Wikipedia). Ultimately, Joe noted, things are cyclical: unification is followed by fragmentation, which in turn is followed by a return to unity, and so on -- like Pangaea.

In conclusion Joe asked us to dream about what an international internet treaty might contain.  It might provide for lawful monitoring, in accordance with specific criteria and procedures.  The physical means of
tapping a fibre-optic cable are the same whether you are enforcing public security or are a private individual, a factor that should be borne in mind when thinking how to control or regulate it.

Answering many questions, Joe amplified on the question of private internets: they might be privately owned or shared by a private-public partnership. The biggest problem facing them is how to appeal to their prospective market. And how do free market principles operate within this market?

The next speaker discussed the evolution of cybercrime. Unlike Joe, he did not avail himself of the Chatham House Rule opt-out, so this Kat will content himself by saying only that he looked very smart in his jacket and tie. This is what he said:

Your Fitbit: your telltale
Old-style surveillance simply doesn't work any more, now that the technology of the smartphone has been introduced. Cyber-criminals recognise the value and the accessibility of information available via the internet, particularly now that we live with the internet of things, things that not only contain our information but learn about us all the time: there are literally thousands of points of vulnerability for each of us.  Fitbits are a good example; their information may not be handy for criminals but they can give away important data for the purposes of espionage.

The speaker's interest in this topic was not limited to use of the internet alone, but covers all technological aids to crime. Three dimensional printing and toy aeroplanes are among other technologies that fall within its scope. Singapore and Dubai -- both business hubs -- are the main target areas for cybercrime. The legionnaires fetch the information, which is then worked on by cyber-analysts who sell it to investors. Information on new products, for example, can lead to the creation of  'inside information; that enables investors to gain a lead over the rest of the market.

The speaker then addressed the use of USB ports, which are increasingly found on aeroplanes. Handy for businessmen, they are even more useful for cyber-criminals. Some 'patching' with security measures has taken place, but there are no technical standards or norms for aviation security, nor any implementation model.

Always a surprise?
Mass surveillance, particularly for safety purposes such as guarding against terrorists at sports events, depends on recording and analysing of communications between criminals. The more devices are used, and the more irrelevant 'trash' is generated, the more difficult it is to detect and deal with threats.  Making an event or system 'safe' is not at all the same thing as making it 'secure'. One has to start from the assumption that one's security is compromised and that it has known vulnerabilities, otherwise it is not possible to deal with threats. Black swan theory is invoked [this deals with the effect of surprise events that are tackled only with the benefit of hindsight], since preventing damage is vastly more useful than addressing it after the event.

There is a sort of nested internet. Beneath our usual internet is the deep web -- which is like a house -- with dark net being like a room in the house. These are difficult to find and even more difficult to penetrate. Dark nets are useful for all sorts of illegal purposes, including commissioning crime and buying false passports.  Payment is usually made through Bitcoin, a decentralised currency based on open source software, leaving no trace of bank accounts, payees etc (there are more than 800 digital currencies at present).  Sites even provide for crowd-funding of assassinations.  Law enforcement agencies are mere spectators unless they can undertake technically intrusive action. The criminals are hard to find: they are young, super-educated and have not been caught before.  Dark nets are self-managed by criminals and are self-hosted, which makes it even more difficult to obtain information about criminals or serve subpoenas on them since there is no legal entitlement which enables the necessary information to be obtained [during questions, it was pointed out that not all dark nets are used for illegal purposes and that the rights of privacy and security of lawful users are entitled to respect, a point which the speaker readily conceded].

The final speaker in this session, who also chose the shelter of the Chatham House Rule, had little time to speak on account of the prolonged questioning of the earlier speaker. He looked at the prospects of a new convention on surveillance, in the context of existing documents such as the OECD guidelines, other non-binding arrangements, provisions relating to security and so forth, and reviewed complementary and conflicting policy issues including privacy, political freedom, business innovation and the use of personal data and the principle of proportionality. He also reviewed the recent ruling of the Court of Justice of the European Union in Google Spain (on which see earlier Katposts here and here), on the presumption in favour of privacy over freedom of information on the internet.

Apology: this blogger could not do justice to this talk, since he had to stop taking notes in the middle of it in order to hunt down somewhere to plug in his depleted laptop.


Anonymous said...

One could ask does the internet need to become more democratic in terms of who controls it? To what extent do Google, Yahoo, YouTube, Facebook need to be regulated to avoid have a commercial advantage/monopoly?

Anonymous said...

Anonymous @ 12:21,

You run smack into a problem of whose law controls the "more democratic" nature of something that is trans-national.

There is no political body that exists and rightly has a rule of law that covers all of the individual sovereign nations using the internet.

Subscribe to the IPKat's posts by email here

Just pop your email address into the box and click 'Subscribe':