On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Wednesday, 21 March 2012

Security versus freedom, open versus closed

I was shocked and delighted to attend a cyber security summit where delegates didn't focus solely on control mechanisms to provide a secure online environment.

I've never been an out-and-out "hands off the net" activist, my background in communications security working at Motorola and, before that, a private military research company helps me see how formal control structures are helpful in thwarting some threats.

But I'm worried when expensive and intrusive mass surveillance and control systems are heralded as the mainstay in protecting society from any number of threats.

I'm worried because the value of such systems is yet to be proved - especially since technology is evolving so quickly.  Keeping internet control and surveillance systems up to date will likely descend into a costly arms race.

I'm worried that a focus on such systems could come at the expense of developing community approaches to policing and enforcement - traditional methods translated into the digital space.

Cyber detectives hunting cyber criminals, and doing this using the internet in the "normal way" rather than trying to hook in to the fabric of the internet to create a capability that the good guys have and the bad guys don't have.

Capability-based policing will always rely on a power imbalance and is a long way from how traditional policing methods have evolved in democratic countries: consensual policing.

And I'm worried that a "closed" approach to security will not yield stronger systems in the same way that private encryption algorithms often prove weaker in the long term than public ones.

Whilst this defies common sense - if your attacker knows how you're encrypting he or she can reverse engineer - cryptographers know the opposite to be true: if your algorithm is "out there", the world + dog is trying to break it.  World + dog tend to be quite noisy when they do break something, so you're sure to know about it.

The cryptographic algorithms that survive are either secure, or take the computing resources of a nation state to crack. The sheer effort needed to crack encryption makes the nation state threat irrelevant to all but the most high profile of targets.

Yes it's worrying from a privacy perspective, but there's also a finite limit to the number of communications that can be cracked, meaning encryption can offer a safeguard against the mass generalised surveillance people fear.

Also, as cryptographic history has shown, where nation states do have access to a vulnerability no-one else does, they tend to use it wisely for fear of tipping the enemy to the vulnerability.

With privacy in particular, rather than being at odds with the aims of securocrats it can actually be an enabler for cyber security, as explained in my blog here.

"Economic harm"

Another trend picked up on by some civil rights lobbies is the tendency of governments to bundle economic interest of the nation with national security.

On one hand it's understandable that economic systems such as banking and stock markets are just another piece of our "critical national infrastructure" without which society would struggle to function and citizens would suffer.

On the other hand there is a temptation to misuse the "economic harm" argument and conflate the financial performance of a corporation or group of companies with general economic harm.  Once the state starts propping up preferred economic interests at the expense of others there's a problem.

Anyhow, it turns out there's an "economic harm" argument in support of freedom as I blogged about in Trust bubbles: how security, trust and economic prosperity are interlinked.

Essentially societies which have a high degree of what researchers call 'generalized trust' - essentially trust in strangers - have a higher GDP.  There is a link between trust engrained in society and economic prosperity.

In Trust bubbles I explore the drive to create technical solutions to allow strangers to trust each other online, such as customer review/feedback indicators, and offer the premise that society still needs a foundation of generalised trust to enable economic growth.

And generalised trust essentially comes about from strong foundations such as law & order, a sense of civic responsibility and internalised motivation for citizens to do the right thing.

I don't believe this can be replaced with a technical solution, and unless that solution is perfect it will actually damage our economic prospects rather than help as it will end up encouraging distrust in strangers outside the "trust bubble", essentially creating the online equivalent of a closed community.

The solution to improving online trust and hence economic output will lie in building strong foundations that encourage trust between strangers.  That essentially is enforcing the rule of law and maybe building a few safety nets rather than controlling everything.

Starting off from a position of distrust as many security policies seem to do can only push things in the opposite direction, discouraging "bare trust" outside of the trust bubble and hurting innovation.


No comments:

Post a Comment

Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.