Can you out-tech the government?

Over the past years we’ve seen a recurrent theme of government agencies attempting to curtail internet freedom in the name of ‘keeping the peace’: from Saudi telcos threatening security experts to help them hijack tweets, to governments procuring tools like FinSpy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen US federal agencies try to legislate mandatory technical backdoors into software, and we’ve seen how the Syrian government treats internet access for its citizens like candy for their children–you only get it if you behave.

In Pakistan, a wholesale blockade of YouTube means their citizens are missing not just Gangnam Style, but Gentleman as well (although that may not necessarily be a bad thing)–and we all know how much censorship and surveillance is going on in China.

A French court is now asking Twitter to hand over account details to identify individual users who tweeted anti-Semitic messages, and both the Dutch and German police are users of spyware from companies that are deemed ‘corporate enemies of the internet’ by Reporters Without Borders. While you may agree that courts have a right to curtail hate speech, just ruminate for a moment on how one-sided French law is when it aggressively pursues anti-Semitic messages but forbids Muslim schoolgirls from wearing a hijab to school because it is supposedly a symbol of oppression. These biases point to deep flaws in our belief that freedom of speech can somehow be regulated by governments–the term ‘regulated freedom of speech’ is an oxymoron to begin with.

This of course doesn’t just affect the ‘bad’ countries, those with lifetime membership cards to the axis of evil, but countries we’d generally consider good guys as well, those we associate with a respect for personal privacy and citizen rights. So how did we end up like this? To truly appreciate where we are, we need to go back to how it all starts.

A false sense of insecurity

Throughout history it all starts in the name of national security, or keeping the peace. Government agencies ramp up the security concerns and threat levels to give their citizens a false sense of insecurity–because it’s only in this environment that citizens are willing to grant such unilateral powers to the government (and its agencies). People aren’t too willing to allow for unilateral government interception of communications–unless of course they perceive that terrorists live among us, and that the government requires these powers to protect the innocent.

The track record of governments has never been good. September 11 was a colossal failure of government intelligence, and it’s usually used as an example of why governments should do better. What most people don’t know is that a company called Acxiom had data for 11 hijackers, and provided that data to assist in investigations post 9/11. It turns out that had the government agencies used Acxiom, they may have had additional security on the planes that crashed into the WTC. The breadth and depth of the information provided to law enforcement has been kept secret–and in the wake of such attacks nobody bothered to ask whether Acxiom was operating within legal limits in collecting and storing that data. Worse still, people forget that Acxiom itself was hacked, leaking private information of millions of Americans. Yes, it may have helped thwart the attacks on 9/11, but Acxiom itself became a target of attack shortly after details of its information bounty were published. There are a lot of people who would pay for that kind of information.

Even with the fundamental problems of the government storing such private information, government agencies throughout the world continue to ramp up security concerns in the hope of scaring people into giving up their freedoms. Closer to home, we continuously see the ‘threat of sedition’ being used to deny individuals and private citizens their rights. The ‘possibility’ of a repeat of May 13th is now accepted as a ‘high probability’ even though there is no data to suggest that a repeat is possible, let alone probable. Just like the courts in France, we see a glaring bias in the execution of these sedition laws–and the targets are often pro-opposition rather than pro-government.

The Malaysian government is now being accused of running spyware suites like FinFisher, which gives the malware’s owner a voyeuristic ability to spy on the victims. The makers of FinFisher claim their software is only sold to governments–without realizing it’s the governments themselves that are illegally spying on their citizens.

Not since Tom Sawyer tricked his friends into painting his white fence have such levels of deception been seen.

However, the level of deception isn’t what is troubling; it’s the level of apathy in mainstream society toward these revelations that sends shivers down my spine. No one from the general public seems perturbed that the very technology that was supposed to advance democracy and free speech in Malaysia is now being used to suppress it.

And we’re not the only ones spying on our citizens…

Government surveillance

In Saudi Arabia, for example, the Saudi national telecom company contacted a security expert to get his help in intercepting Twitter on their network. Although the expert had no intention of helping the Saudis, what he uncovered in his conversations was harrowing: the Saudis had boasted that they had already cracked WhatsApp communication and were surprised at how easy it was, and with their billions of dollars in reserve, at some point they’ll figure out how to crack Twitter as well.

What would compel the Saudis to even bother asking an expert from the ‘West’? Don’t they know that the West upholds core principles of freedom of speech and expression? Well, it turns out that’s not the case. Most ‘regimes’ throughout the world rely on Western technology to run their illegal (or legal) surveillance methods. This includes the manufacturers of the FinSpy software, who are based in the UK, and the illegal sale of Blue Coat servers to the Syrian government. Uncle Sam wasn’t too happy with the Syrians getting their hands on American technology–and his displeasure was made known. Only after revelations that American tech was being shipped to the Syrian government did Blue Coat conduct an ‘internal review’ of their sales process. One can’t help but wonder who else Blue Coat has sold their sophisticated censorship software to, and which regimes have ‘Western’ technologies kept in power?

But what sort of technology does Uncle Sam have?

Software made specifically FOR governments is reason enough to worry–software made BY governments is a whole new ball game altogether.

If you want to find out what Uncle Sam has in his cyber arsenal, look no further than & websites that ‘were’ hosted in Malaysia for a short time–which acted as a front for the greatest cyber strike in military history. While they pretended to be websites of sorts, in the background they were the command and control servers for Stuxnet, a cyber version of the predator drone.

Stuxnet was a worm, presumably developed by the US Government to target and destroy Iranian nuclear centrifuges–it would leave everything else untouched. What made Stuxnet so potent was the fact that it utilized 4 zero-day exploits. In security jargon, that just means Stuxnet exploited flaws in the Windows operating system that no one knew about–these things are discovered every so often, usually by extremely talented security researchers or hackers. The startling thing was that Stuxnet had 4 of them in its belt–that signified someone was willing to spend money to buy these exploits, or had an army of powerful hackers at their disposal. This wasn’t some criminal underworld creation, this was a federal government. Only a government could afford such an expensive tool–and point it at such a small target for no monetary gain.

Even Mikko Hypponen, the Chief Research Officer, admitted in his 2010 wrap-up that Stuxnet would have even infected HIS laptop–let alone the other 1 billion Windows users in the world.

Once a computer was infected, Stuxnet would search for a specific piece of software used to control the centrifuges; if the software wasn’t found, Stuxnet did nothing. However, if such a system was found, Stuxnet would hijack the software and issue malicious commands to the centrifuges it controlled. More importantly, the commands issued wouldn’t destroy the centrifuge immediately; rather, the damage would be spread over a long period of time, making the detection of Stuxnet almost impossible. It would also incorrectly report back to the control systems that the centrifuges were acting normally.

The last piece of the puzzle was the clear ‘damage control’ features of Stuxnet. It was made so that each new generation of Stuxnet couldn’t infect more than 3 machines, and more interestingly, all traces of Stuxnet were made to delete themselves on a specific date. This last feature has got lawyer written all over it, and this is what separates the criminals from the governments.

Internet surveillance and censorship is technically easy

Stuxnet showed the world what happens when governments get in on the action–they raise the stakes to a whole new level. A level so high and unattainable that no private citizen is ever going to have a fighting chance to fight back. In some ways, the analogy is that a private citizen with a gun is no match for a military helicopter–and in the same way, a private citizen with commercial software isn’t going to out-tech the government.

You can’t out-tech someone with infinitely more resources, skills and money than you. You just have to accept that no matter what you do, if the government really wanted to, it could do whatever it pleases to your internet communications. Most of these tools sold to governments go for around USD200,000 to a couple million, which to most governments is chicken feed. The NSA in the US is building a huge data center in Utah with the aim of cracking AES-256 encryption. That’s the encryption that protects everything from your Google and Facebook interactions to online banking (actually, in most cases you would use merely 128-bit encryption).

Internet surveillance and censorship are ridiculously easy if you’ve got a couple million lying around, and it has now gotten to the point where I am sure we can never outwit our government in terms of technology. To put it mildly, you can’t out-tech the government.

So how do private citizens fight back for their rights online?

The answer is definitely not in technology–it’s unfortunate that in this scenario, we have to turn to that most detested of human inventions–Law!

Legal challenges

To address the technical ease with which governments can access the communications of their citizens, citizens in turn need to fight back–but through a different channel. Trying to go head-on with the government on a technical front is a foolish recipe for disaster. So we need legal frameworks in place to prevent the authorities from viewing our communications without due cause, a due cause that is vetted with sufficient oversight and not something that can be executed by an over-zealous government agent.

Unfortunately, in Malaysia we have SOSMA, which grants the Attorney-General the power to access your internet communications without any oversight–and the wording makes it such that if he ‘feels’ you’re a threat to national security, your internet communications can be wire-tapped. On the other hand, you have the newly minted Evidence Act–obviously the worst piece of legislation ever written in the history of badly written legislation. All of this signals a real dark age for the internet in Malaysia, an age where government surveillance is both technically possible and legally permissible, an age where people have a real fear of publishing their thoughts online. This was not how the internet was supposed to be. Shouldn’t the internet be free of censorship and democratically run? It’s now becoming an extension of the real world, government control included.

What’s next?

I don’t know how the internet will evolve or how we might view the next generation of government intervention in policing and regulating the internet. I always viewed the internet as this great proponent of democracy, a tool that could be used by the oppressed–I naively didn’t realize that sometimes the oppressor fights back. The reality though is that in some situations a technical solution proves far more effective, but in certain instances we need a proper legal framework governed by a politically astute system. The regulation of the internet is something that definitely falls into the latter category as far as I’m concerned, and while we’ve seen peer-to-peer regulation in things like Bitcoin and Wikipedia–I think this is just one of those times where we throw our engineering and scientific hats off, and put our lawyer hats on.

The future of the internet is in the hands of lawyers and politicians–unfortunate, but true.


