The Internet, like other computing resources, operates on a pendulum swing: from centralized to decentralized, from rampant innovation to predictable results, from controlled to transparent processes. Some speakers at this year’s Black Hat conference were publicly concerned about an ever-more-centralized Internet and what we as an industry need to do. Otherwise, they fear, the Internet turns into TV, and the people who least understand the environment will control it.
If you have a mental image of a computing security convention, it might include guys huddled around computers, wearing black t-shirts, slightly disturbing tattoos, and not quite enough deodorant. That’s an element at the Black Hat conference, sure, but the conference also is a venue for thoughtful discussions about trends shaping the computer industry and the effect on us legally, socially, and creatively. One topic this year: the state of the Internet, namely who controls it and who should. What does it mean politically when data is in the hands of relatively few organizations?
The Internet used to be extremely decentralized. Anyone could start a BBS, a blog, an e-commerce site. “Anyone could set things up,” said Matthew Prince, co-founder and CEO of content delivery network (CDN) CloudFlare, in his Black Hat session, “The Battle For Free Speech on the Internet.” “That was how you spun up your system.”
Now, Prince pointed out, the industry is engaged in a massive wave of consolidation and centralization. However, that gives the cloud service providers a new level of power, and we all have to be cognizant of the changes it implies. You probably don’t want to host your own Web server internally anymore… but then, Dell doesn’t have a way to snatch WikiLeaks off your in-house server, either.
Prince is uniquely attuned to these issues: CloudFlare hosts several controversial sites that get DDoSed regularly, or experience intense bursts of Internet attacks. That includes WikiLeaks, several top-tier financial firms, and the Eurovision Song Contest (the largest non-sporting event by viewership, which he described as “like American Idol with nationalism”), which was attacked by Bad Guys when one of the TV show’s final contestants was openly gay. Another is popvote.hk, the democracy movement in Hong Kong, which was planning an open election that the government did not favor (and which eventually yielded over a million votes).
At CloudFlare, their goal is to keep content online, not to judge whether it’s good, bad, or moral. “Almost every organization has a group that is opposite them and they don’t like,” Prince pointed out. “Whose policy should dictate whether that content should be online?”
That role of “being Switzerland” as a content delivery service has made Prince sensitive to the relatively limited number of providers who could become chokepoints. “That content could disappear from the Internet,” Prince said. “So it’s important for us to think about… because they can effectively shut down content online.”
The Dream of Internet Freedom
Prince’s remarks continued a larger conversation begun during the keynote address, “The Lifecycle Of A Revolution,” given by Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society. She sees the pendulum swing – currently at “control” and “centralized” – at a dangerous point.
As Granick explained, the dream of the Internet – and all it provides – is and was that we can overcome age, race, class, and gender. That we can communicate with anyone at any time. That it is ethical to tinker with technology, and to use that knowledge to better understand the world around us. The hacker ethic was built into the tech itself, a design principle with an important impact. It empowered people to make their own decisions of what’s right and wrong.
“But this dream of Internet freedom is dying,” Granick said. “It doesn’t look just like it’ll be a lot less revolutionary than we had hoped. It looks worse.”
Technology used to enforce existing power structures, Granick said, but we discovered that people have not learned how to protect themselves. So we have centralized with choke points where regulation can happen. The problem is that, in the next 20 years, these policies will be created by governments with local concerns, not global concerns. And by powerful players with money.
Granick’s message wasn’t that we should return to some mythical, naïve “old days” when everything was trusting. Her remarks certainly did not suggest that the IT industry jettison everything built to protect it from those of ill will – in the year that Qualys CEO Philippe Courtot suggested “may be the year of the mega-breach,” a pivotal year for all of us in security and privacy. “[Security and privacy] represent the digital freedom of ourselves and our children,” said Courtot.
Rather, in this security-heightened climate, Granick’s overall message was a bright yellow “Caution!” light flashing to warn us about the direction in which we all are headed. “We have neglected freedom and openness in pursuit of other values,” she said. For example: We’re seeing a greater exercise of power in the name of security, such as governmental crypto back doors.
Keeping the Gatekeepers Accountable
Inherent in all these desires is a set of dichotomies: the tension of openness versus security, for instance.
“We often talk about security as the opposite of privacy but we know that isn’t true,” said Granick. “But what good is an open network that isn’t secure enough to use?”
All the advantages we appreciate about global communication also create opportunities for misuse: centralization, regulation, and globalization among them. For example, centralization makes it easy for all of us (businesses and individuals) to store data in the cloud, but it also is a cheap and easy point for surveillance and control. And while it’s great to have the Internet reach the farthest corners of the Earth, as we become more global some of the regulations developed will come from governments that lack due process or the rule of law. “The next billion users are coming from countries that don’t have a Bill of Rights,” Granick said.
This isn’t only a concern regarding Internet users in far-flung remote areas. It’s about to impact your company.
One effect of the security and privacy urgency, said Black Hat’s Master of Ceremonies Jeff Moss, is insurance coming on the scene to protect organizations from security breaches. According to Moss, in a few years cyber-insurance will take up 25% of your budget. How are you going to do a good job when so much of your budget is being taken up with insurance? And you should expect more regulation, more insurance, more involvement of the legal system. “If normal legal functions are not inserted into the process we’re just going to have more of the same,” Moss cautioned.
All these organizations can wield a lot of power – and not just in governments. “You can buy an ebook and the content provider can snatch it back from you,” pointed out Prince. We need to make sure that in trusting these providers – including his own CloudFlare, silently sitting in 5-10% of all request streams – we hold them accountable for arbitrary decisions. “We have a responsibility as an infrastructure provider to think about our policies, to be consistent, and not arbitrary.”
“More organizations in this trusted position need to sit and think about these issues,” said Prince. “And it is incumbent on those citizens to hold those organizations accountable.”
“Will computers still liberate us? Is that dream still possible?” asked Granick. Yes: If we – as individuals and organizations – begin to take action. Among her action items:
- Think globally.
- Put our attention on creating technology to serve the next cycle of the revolution.
- Make sure our governments learn to keep their hands off of private technology networks.
- Start being afraid of the right things.
- Modify the computer laws to get better, and do away with secret law.
“We need to keep the Internet from becoming a slick, controlled, closed thing,” Granick said. “And then we need to get ready to smash it apart and make something new and better.”
I’m with her. Are you?