There is some press nowadays about the controversial cybercrime bill the government is trying to push through. This effort, which lurked in the background for the most part, is now suddenly thrust into mainstream consciousness thanks to the government’s embarrassing showdown with Blackberry.
There have been several critiques of the government stance since then, primarily focusing on the argument for human rights, vague terminology in the bill, and the potential for abuse of legal authority. These concerns are very valid, but — from the perspective of an information security researcher — they merely scratch the surface. If one digs deeper into the technical and political aspects, almost every single assumption behind the government’s position is flat-out wrong.
Here is a brief rundown of some cold, hard truths, well known in the network security community.
First, the costs of surveillance are asymmetrical. This essentially means that the cost of imposing surveillance is much greater than what it would cost for a moderately tech-savvy villain to effectively defeat this surveillance. A useful analogy here is that of a needle in a haystack — it is orders of magnitude easier for a villain to hide the needle in the hay and near impossible for the government to find it.
Considering costs, the government will have to pay for a very expensive technical infrastructure and a small army of highly trained manpower to operate this system and sift through the mountains of intelligence that come in. These assets will also have to be secured against foreign intrusions, a job at which even the most technologically advanced countries like the US fail regularly. These costs will also be recurring: surveillance is a continuous arms race, anti-surveillance and hacking tools will constantly evolve, and the government will need to invest in new technologies every so often to catch up.
There are also immense non-tangible costs for the government: civil liberties will have to be hijacked, there will be a lot of bad press and consequent distrust and ill will. We’ll feature in the international hall of shame alongside other repressive regimes.
The technical sector will certainly suffer. Blackberry was just the first casualty but there will be more.
On the other hand, what does it cost for an individual to defeat this surveillance system? If he’s moderately good with computers, it probably won’t cost him anything at all.
There are several freely available tools, commonly understood to be NSA-proof, which can be found with a simple Google search. ProPublica, in partnership with cybersecurity experts, recently published a comparative study of the best encrypted messaging programmes on the internet. Micah Lee at The Intercept has published a detailed tutorial on the privacy tools he used to connect whistle-blower Edward Snowden with journalist Glenn Greenwald. In fact, even the Islamic State (IS) now maintains a 24-hour online help-desk to assist potential jihadists with secure technologies and it distributes video tutorials.
The underlying encryption techniques themselves are taught in undergrad and higher level courses in universities around the world, including within Pakistan. There is no way the government can put the encryption genie back into the bottle.
Plus, experienced villains, the serious ones, know better than to trust online communications anyway. For over a decade, terrorists have simply chosen to go dark to evade detection. In his last few years, Osama bin Laden relied exclusively on human couriers.
Second, surveillance actually makes us vulnerable. As 14 of the world’s top cryptographers pointed out recently in a public paper, inserting backdoors into specialised systems will facilitate misuse. Foreign actors and criminals can easily tap into these systems using these same backdoors and steal secret information. The Chinese, Americans, Russians and Israelis have been doing it to each other for over a decade now. Even amateur hackers could break into these systems and wreak havoc.
Furthermore, we can be very certain that the legislation itself will be abused to intimidate journalists, activists and opposition parties. We’ve seen it happen with the Patriot Act in the US. And the dust has barely settled from the Paris terrorist attacks, and the emergency measures passed to combat terrorism are already being used to harass and detain climate change activists.
Last, and most important, surveillance won’t make us safer — because at the end of the day, government incompetence trumps surveillance. In the biggest terror attacks to date, everything was actually done in plain sight, governments had amassed considerable intelligence prior to the attacks, and they still messed it up big time.
The 9/11 attacks are the best example. A Congressional investigation, covered by PBS, revealed that the 9/11 hijackers had been on the NSA and CIA’s radar well before the actual attacks. The NSA had about 33 imminent warnings of a big attack being planned for 2001. PBS also documents in a 2009 documentary, The Spy Factory, that the NSA actually monitored all phone calls of two of the hijackers for some two years prior to 9/11 while they communicated with al Qaeda command centers in Yemen, even when they moved inside the US. In fact, in the final month before the attack, the hijackers actually set up their main base of operations — flying people in, working out logistics, planning everything — in Laurel, Maryland. Laurel is a small city of about 20,000 people, its only claim to fame being that it is the same city where the NSA is headquartered.
The recent Paris attacks follow this template. As per the Wall Street Journal, the plot was “hatched in plain sight”. The terrorists were known to intelligence services well before the attacks. The mastermind was fingered in a raid in Belgium earlier. The Belgian paper, RTL Info, dubbed him “the most wanted man in Europe” in January 2015, and his picture was splashed all over the media. He later described his travails in an interview to a glossy IS magazine, also discussing his jihadist ambitions “to travel to Europe in order to terrorise the crusaders waging war against the Muslims”. The group itself travelled in clear sight and made hotel bookings in their own names. During the whole attack they coordinated over Facebook and unencrypted ‘vanilla’ SMS messages.
Going through these backstories, one can only shake one’s head at the sheer incompetence of intelligence agencies. This is the key reason for the seeming paradox: Western nations, right now, are the most heavily surveilled societies in the world, and yet have never been more vulnerable to terrorism than they are today.
These then are the hard facts: surveillance costs a lot and is trivially easy to defeat. Legislation aimed at combating terrorism will actually be used to antagonise free-thinking citizens. And terrorists typically succeed, not because of encrypted communications, but because intelligence agencies bungle big time.
Published in The Express Tribune, December 31st, 2015.