Technical and political challenges for a secure Internet

21/05/2015
  • Español
  • English
  • Français
  • Deutsch
  • Português
  • Opinión

Identifiant Scald invalide.

-A +A
Article published in ALAI’s magazine No. 503: Hacia una Internet ciudadana 28/04/2015

Human society, we might say, is in the “infancy phase” of our digital future.  As more and more of our activities incorporate a digital aspect, the division between the physical and the virtual domains becomes increasingly blurred.  How this digital future is managed, under what criteria and priorities the technology is developed, and what public policies are put in place, will to a great extent determine the shape of that future and its implications for security, human rights, democracy and social justice.

 

Our “digital infancy” in many aspects shows enormous promise and it certainly holds many charms; but a more ugly side of what that future could be is also emerging: insecurity, pervasive surveillance, loss of privacy, concentration of wealth, centralized control and power of manipulation… and the list is getting longer.

 

The ubiquitous expansion of these technologies means that these issues are becoming too important to just leave it to specialists to decide on solutions, whether at the technical or the political level.

 

However, for the great majority of citizens, the effort to understand what we can do both to improve our own security and privacy, and to influence how this new digital world develops, seems quite daunting.  Edward Snowden’s revelations have shaken our faith in the big tech giants and the reliability and security of the software, hardware, apps and services they provide; but they also leave us feeling more impotent to know what to do to change this trend or even how to opt out.

 

Two of the most worrying technical trends at present are insecure technology and the “Internet of things”, according to Ola Bini, a Swedish researcher on security, privacy and anonymity, working with the software company Thoughtworks, who conversed with ALAI in Quito on these challenges.  “The Internet is built on foundations that are very insecure,” he asserts.  “For example, for connecting to banks and to other secure websites, we’re using ways of communicating that are actually not as secure as they should be.”  High-profile attacks, such as stolen credit card numbers, are accelerating.

 

A second big issue is the proliferation of connected devices: what is now known as “the Internet of things”; for instance the “smart home”, where devices such as controls for fire-alarms, heating and lights are connected to the Internet and to each other, so you can control them remotely.  “It sounds fantastic until you realize that the way these things are built right now is without any security whatsoever”, Bini laments.  He quoted recent examples of an error in a system update that left numerous homes without heat or lighting; or a luxury hotel in China with Ipads for all guests to control the parameters for their room, until it was discovered they might control any room in the hotel.

 

“But the thing I’m most scared of is actually cars,” comments Bini, “because they’re now computers on wheels.  A typical car has over a thousand small computers in it, with over 500 million lines of code.  In the software industry, we know that in a code-base of 500 million lines of code, you can expect maybe 5 million bugs.  That’s a conservative figure”.  Most of them may not be problematic, but even 10 bugs that might cause the car to crash is really scary, and even more so – he adds –  when other people might be able to use them to attack your car.

 

Centralization and balkanization

 

From the political side, the security researcher is mostly concerned about the trend towards stronger centralization, but also “balkanization” of the Internet.  “Both of these trends reinforce the current economic structures, which means that the US has an inordinate power over what happens on the Internet right now.  And even though the Internet is built in such a way that it could be decentralized all over the planet, in reality that isn’t the case; the Internet is centralized, and the US has complete power over basically everything that happens”.

 

As for balkanization, Ola Bini points to two aspects.  “The first one is that it’s happening as a response to the centralization of the US and also the Snowden revelations, so countries like Brazil and Russia are in different stages of introducing legislation that requires data centres to be physically located in the country where the data is stored for that user”.  This would mean that a company like Facebook would have to store information about Russian users on a computer in Russia.  Facebook might have the resources to set up its own data centres, even in a large number of countries; but if many countries adopt similar legislation, a small start-up would find it very difficult to create applications for use in more than one country.  “So the problem is that it doesn’t scale, which actually could make the centralization even worse,” he adds.  As a more extreme example, “Brazil has been talking about creating their whole complete separate Internet where most of the services you’re using today are actually Brazilian services.  But from a purely economic perspective it’s very hard to duplicate all the services that exist on the Internet right now”, so that could create a disadvantage for Brazilians.

 

The security researcher considers that the Internet in its best form should allow people around the world to connect and to provide services to each other, irrespective of where they are located, and to do so in a decentralized way where no single country can stop all of this from taking place.  But the present trends towards centralization and balkanization are going in the exact opposite direction.

 

Given this situation, we asked Ola Bini what sort of innovations or policies could help us move towards a more decentralized Internet.  “There are a lot of things you could do,” he answered.  “One example is net neutrality, which is a short-term fix.  In the long term we need technical fixes that actually make net neutrality irrelevant.  But in the short term we need to make sure that a company can’t buy preferential service”.  Both the US and several Latin American countries are introducing measures around net neutrality, which will oblige ISPs to treat all traffic on the Internet equally, with no fast lane for those who pay for it.

 

A different issue is legislation around data retention, which has more to do with surveillance.  Most countries are obliging Internet service providers (ISPs) to retain data (that is, the metadata about who we are talking to) for between 6 and 24 months.  This is expensive for the ISP, which disadvantages the smaller providers; and they could be required to hand over data to intelligence services.  “In comparison to net neutrality, the fight over data retention is actually going the wrong way,” says Bini.

 

On the application level, he considers that the most important innovation we need is more decentralization of services.  “We need to encourage, say, alternatives to Facebook that are actually spread all over the planet and where the data is stored close to you instead of close to Facebook.”  At the physical level, connectivity maps of undersea cables and traffic flows show that the topology is very US-centric, which also makes it cheaper to route traffic through the US.  Contrary to what one might expect, much national traffic in Latin America is routed through Miami and back to the country.  This requires changing the physical infrastructure: “we need to have stronger and wider pipes between other countries, between the global South countries, so that we can do routing without having to go through the global North.”

 

We pointed out that one of the obstacles to decentralizing is the so-called network effect, where most users flow towards the service that’s most popular, which contributes to further centralization.  Ola Bini recognizes that that is something very hard to counteract.  “It means I’m using Skype because my parents are using Skype and I’m using Facebook because all my friends back in Sweden are using Facebook”.  However, he considers it possible to build applications that work the way Facebook works, but “without having all the data in one big clump in Facebook’s servers.”  It could have a similar functionality, except that personal data would be stored close to the user, under their own control, maybe even on their own devices; they would decide what data they want to expose, say, to Facebook, and it would still be accessible to their friends.  Facebook could run algorithms on it, but most importantly, it wouldn’t belong to Facebook.

 

The problem, according to Bini, is that, although it is already possible to build such decentralized systems, “there are no economic incentives to do that, and a big part of that is the ad driven nature of the Internet.”  He hopes that in a few decades, people will look back on the present ad-driven Internet and think of it as the dark ages, because “when a company’s funded by ads, that means that you are not the user, you are the product.”  So for Google or Facebook, the real incentive to provide good service is not to the user, but to the ad networks.  “As long as that is happening it’s going to be very hard to dislodge these centralized models because they’re based on the idea that in order to sell more ads that are better suited to you, they will have to use more and more personal information to make that happen.”  So, he says, the alternatives are that we might have to go back to pay for services, or we might go to a model where the government takes part and provides these kind of things as public services.

 

Technological and political solutions

 

One of the on-going debates in the technical community is about what problems can or cannot be solved through technical architecture, and which can or cannot be better addressed through public policy.  Bini agrees it is complex.  “Many of these things, especially when it comes to surveillance and the topography of the Internet, which are connected issues, need to be solved on the technical side, with public policy to support many of these innovations”.  He refers to the net neutrality example, where regulation is necessary in the short term, but for the long term he considers we need an Internet that technically makes it impossible to differentiate what kind of traffic is being transmitted, so that it is impossible to treat one type of traffic preferentially.  Another difficulty he mentions is that market pressures and other social pressures lead people, companies or organisations to do what is technically possible, irrespective of whether it is legal or not.

 

We asked whether, given the present lack of economic and market incentive to change the technology, it will be possible to give users better security or decentralized services, if it is not through legislation and regulation.  The researcher admits that is a hard question; indeed, he says, while many new products coming out now claim security – as in the post-Snowden era, many companies feel it’s a good selling point – the real security they offer varies greatly from one product to another, so many supposedly “secure” messaging apps are coming out that are not secure at all.  The solution, he thinks, would be for companies or organizations that really want to change the status quo to build solutions that create a good user experience, and then introduce security and decentralization as part of it.  “I don’t see any other way we can get the public uptake we need for these kinds of solutions,” he adds, though he admits that it will not be easy; however, there are already people working on such solutions.  “I hope we will succeed, but it’s not impossible that we will fail and that the future will be a very US-centric, corpo-cratic, ad-driven, total surveillance, totalitarian Internet.  And in extension, that’s the whole world, since Internet is becoming part of our natural life.”

 

Meanwhile, there are some fairly simple steps that ordinary users can take to improve their own privacy and security (see box).  “It’s very important not to give up,” insists Bini.  “This is a grim situation but we can fight back.  It’s important not to despair and to educate yourself.  We need more people to understand these issues and think about them and be aware of them,” he concludes.

 

Article published in: Latin America in Movement 503, ALAI, April 2015.  “Towards a people’s Internet” http://www.alainet.org/en/revistas/169787

 

Tips for a more secure use of the Internet

 

“Nothing can make you 100% secure,” Ola Bini admits, but for most people the following fairly simple measures could mean a significant step upwards.  They may not protect you against the NSA, but they will against the most common types of security risk.  (Most of the extensions recommended, once installed, run in the background so you don’t have to learn to use them).

 

1) For Windows users, switch the browser to Firefox.

 

2) Install the Firefox extensions NoScript and AdBlock.  No Script makes it possible to control what webpages do to you.  AdBlock blocks most ads from loading

 

3) The Privacy Badger plugin stops many day-to-day privacy leaks.

 

4) Take care with passwords: 8 or 9 hard to remember letters and digits is not a good password. It is better to use a “pass-phrase”, i.e. a string of 5 or 6 words:  It is easier to remember and harder for a computer to crack.

 

5) Use a password manager, such as 1password, LastPass or Keepass, that remembers your passwords for you (so you only have to remember one).  It makes it easier to use different passwords for different websites, which increases safety.

 

6) Install the Https Everywhere plugin (for Firefox or Chrome), which ensures you use the https secure system on websites that support it. Thus most of your Internet traffic will be scrambled, so it can’t be intercepted.

 

At a more complex level, users who need greater security can use TOR (for anonymous web browsing) or encryption for email and messaging, but they are still difficult to learn to use correctly, particularly encryption, so it’s recommended to learn them with qualified technical help.

 

 

https://www.alainet.org/fr/node/169796?language=en

Clasificado en

Publicado en Revista: Hacia una Internet ciudadana

 alai503
S'abonner à America Latina en Movimiento - RSS