Published on Edge.org (http://www.edge.org)

Frank Schirrmacher [11.7.11]
Topic: TECHNOLOGY
Intro By: John Brockman

The Staatstrojaner (literally "state trojan", colloquial German term for the government malware) whose self-destruct function obviously failed, was discovered, reverse-engineered and analyzed by Chaos Computer Club hackers. The findings, if the CCC's analysis is correct, are conclusive and alarming: The government surveillance software not only contains illegal functionality, it also appears to be so significantly flawed, that anyone who can encrypt the key can also hack all similar versions and control them remotely. Should evidence captured this way have any legitimacy in a court of law? And, first and foremost: What does it mean when, as demonstrated by the CCC, anyone that knows the IP address of the infected computer can install fake "evidence" without leaving so much as a trace or little chance of acquittal?... 

But there's more: Computers are not only instruments of communication, they are instruments of thought. A series of screenshots taken every second (forwarded to the United States and from there back to Germany) of someone creating a text – never emails or digital monologues – shadows the thought process itself. What is happening here makes your hair stand on end.

Introduction
by John Brockman

Every few years Frank Schirrmacher, co-publisher and Feuilleton editor of the German national newspaper Frankfurter Allgemeine Zeitung, startles Germany with an audacious piece of publishing. Last month, he devoted the entire Sunday Feuilleton to an exposé that included page after page of malware software code reverse-engineered by computer hackers from "the Staatstrojaner surveillance program," code that the German government has been illegally inserting into users' computer systems. "The findings are alarming," notes FAZ. "The trojan can read our thoughts and remote control our computers."

Such trojan-horse key-logging software, known as a RAT (remote administration tool), is hardly new. The FBI, supposedly with legal search warrants, has been doing this since at least 2000. In 2009, John Markoff broke the story in The New York Times about "Ghostnet", a vast electronic spying operation that infiltrated computers and stole documents from hundreds of government and private offices in 103 countries. The system was controlled from computers based almost exclusively on a Chinese offshore island, although there was no conclusive evidence that the Chinese government was involved. Adding to the still unsolved mystery is the fact that the only major country not a victim of the infiltration was the United States.

What is unique in the case of the German State Trojan horse is that the center-right national newspaper, with the aid of the German hacker community, has caught the government red-handed in the illegal activity of spying on, and as some might say, controlling their own citizens.

So here we are, a month away from celebrating the centenary of Alan Turing, the man who is identified with the idea of computation itself, and what do we have?

"I think it is an amazing piece that opens entire 55-gallon drums of worms," says George Dyson, author of the forthcoming Turing's Cathedral, a history of the birth of the digital age. "It reminds me of the scene in The Lives of Others where you get to see inside the Stasi's secret bunker that held the thousands of glass jars with the captured scent of all suspicious people—and you know this is just the tip of the iceberg. Can you imagine what's going on in China, or the USA? Not just 'reading our thoughts' but, as we do more and more of our thinking with our devices, getting closer and closer to writing our thoughts as well. Do we want to continue to live in a world where we're completely comfortable with cameras everywhere, all the time, and all our e-mail is retrievable forever? It's becoming the new normal now and Schirrmacher's piece is a wake-up call."

While most of the Turing Centenary celebrations already in the works will no doubt paint a rosy picture of the impact of the computational idea, Schirrmacher reminds us of a much darker side to what Turing has wrought. There's more to consider—much more—than Steve Jobs's personality, Facebook privacy settings, Arab springs, Google search algorithms, Amazon ebook pricing, Twitter revolutions, smartphone patent wars.

Click here to download the English-language pdf of the FAZ Feuilleton edition.

Comments?

— JB

Conversation: John Markoff, Douglas Rushkoff, Clay Shirky, Nicholas Carr, Evgeny Morozov


Code Is Law [1]

[2]


Nicholas G. Carr
Author, The Shallows and The Big Switch

Journalist; Author, The Shallows; The Big Switch

"As every man goes through life he fills in a number of forms for the record, each containing a number of questions," wrote Solzhenitsyn in Cancer Ward. "A man's answer to one question on one form becomes a little thread, permanently connecting him to the local center of personnel records administration." By automating the spinning of such informational threads, the Net relieves us of the nuisance of filling out forms while giving those who might profit from the threads—corporations, governments, criminals—a much denser fabric of data to work with. Frank Schirrmacher argues that the very movements of our thoughts are now captured for the record, while George Dyson offers the even more disturbing suggestion that the fabric may be a medium not only for data collection but for thought control, that it may be writing our thoughts as well as reading them.

The decentralized structure of the internet was once celebrated as a powerful guarantor of personal freedom, but what we're discovering is that the structure, far from thwarting the exercise of central control, allows such control to be exercised from anywhere. The net is a twilight medium, its powerful liberating energies forever shadowed by its potency as a system for monitoring and manipulating its users. At least Solzhenitsyn's Everyman was "permanently aware of his own invisible threads" and hence had a sense of "the people who manipulate the threads." On the net, we rarely see either the threads emanating from us or those who hold them. (FAZ's publication of the Staatstrojaner is the exception that proves the rule.) Perhaps the code can be changed in such a way as to make the collection of information transparent to us, to give us access to the record, both as it's written and after it's stored. Until then, it might be wise to do a good bit of our thinking offline. In an overly connected world, disconnection can be a form of freedom.

Clay Shirky
Social & Technology Network Topology Researcher; Adjunct Professor, NYU Graduate School of Interactive Telecommunications Program (ITP); Author, Cognitive Surplus

What Frank Schirrmacher has done, in the best tradition of journalism since there was anything worth the name, is to make it harder for institutions to treat citizens differently than we expect to be treated. And the mechanism by which he has done this is the ancient one — exposing secrets to scrutiny.

To quote Pierre Rosanvallon's Counter-Democracy, on the subject of the problem of trusting the government to self-police: "The problem is that in fact there is a structural tendency toward dysfunctionality, if only at the margin. That is why there is always a need for vigilant oversight that public institutions operate as they are intended to."

Schirrmacher has reminded us of this, forcefully. Institutions will always tend to act on capabilities they have, as long as the price of doing so is not too high. If we do not want governments infecting our computers with worms that spy on us, there are only two conceivable solutions — make it impossible to do so, or make the cost of doing so too high.

In a digital world, there is no chance of effecting the former strategy — as long as computers are general-purpose symbol manipulators, it will be possible to write worms and viruses. (As Cory Doctorow puts it "All Complex Ecosystems Have Parasites.") And so we must abandon the fantasy of secret self-policing, of the watchmen watching themselves. So we must accept that the structural tendency towards dysfunctionality now includes a tendency to gather spectacular, staggering, life-altering (and potentially life-ruining) amounts of data on each one of us.

With the old barrier of impracticality out of the way, the only other possibility is to raise the cost of spying, ex post facto. We need mechanisms — several overlapping mechanisms — for raising the cost of a government spying on its own citizens. Some of these costs can be making doing so without a warrant a criminal act (and of course the warrants themselves can't be secret). Some of the costs can be in improving transparency and citizen oversight. But our last resort — as always — are people like Schirrmacher, willing to step in and expose government behavior when all of the other mechanisms have stopped working.

Douglas Rushkoff
Media Analyst; Documentary Writer; Author, Present Shock

Media Analyst; Documentary Writer; Author, Life, Inc.

What surprises me most about the revelation of the Staatstrojaner program is that it should surprise anyone. We must simply get used to the fact that our digital activities are archival in nature. It's like being surprised that people can read the things we write with spray paint on a wall, or hear the things we shout at the top of our lungs in a crowded room. Every character we type into every email is more permanent and more accessible than if we had chiseled it onto the Parthenon. Whenever we are online, we are leaving a data trail behind us as palpable and traceable as if we were walking on fresh cement. 

The less we understand about our technologies and networks, the more we will have to trust governments and corporations to both defend our rights and tell us the truth. But by the same token, the less we understand about our technologies and networks, the less governments and corporations will be compelled to do either.  Government agencies, being who and what they are, will utilize whatever capabilities they have to maximize their knowledge and minimize unpredictability. The question is never about what limits we can legislate; it is always about what limits can we create and defend. 

If our privacy is dependent on the good graces of government, then we have no privacy at all. 

And as our privacy erodes, statistical modeling becomes more precise. The big money now is in "big data," through which companies and governments can mine seemingly innocuous data (purchases, email frequency, phone calls, text message length) for statistical "tells" of much more private information. 

The people who understand and care about these growing compromises to our liberties are busy working on alternative tools. They are building inexpensive, safe, encrypted, and authenticated communications technologies—such as the FreedomBox and Freedom Tower—which allow for secure connectivity. Ironically, the extent to which such new media solutions become available to us will depend on our vulnerability to much older media styles and propaganda, where the right to communicate in privacy will be equated with the right to perpetrate terror.

But to be fair we must remember: to many of the folks working in government, a free and open communications network on the scale of the Internet is terror. 

John Markoff
Science Journalist; Covers cyber-security for The New York Times; Author, What the Dormouse Said; Co-author, Takedown.

My first reaction to the detailed Frankfurter Allgemeine Zeitung article about the revelation that German law enforcement is using Trojan Horse software of dubious legality was to invoke Scott McNealy. The former Sun Microsystems chief executive outraged privacy activists everywhere in 1999 when he suggested: “You have zero privacy anyway. Get over it.”

Of course privacy cultures and traditions are very different in Europe and the U.S., and so there has been relatively little reaction in this country to the use of similar technology by a variety of law enforcement agencies including the F.B.I. going back for more than a decade. 

In fact, it’s not just law enforcement who are remotely controlling our computers and “reading our thoughts” as the Germans described the keystroke loggers that capture complete profiles of users’ behavior in front of their PCs.

This is done routinely by computer Black Hats of all stripes. Indeed there are tens of millions of zombie personal computers now controlled by programs called botnets which routinely send keystroke logs capturing login and password information and whatever else is desired by the intruders. They do a far better job than law enforcement could ever hope to, and this menace has hardly caused a ripple of protest.

The situation is so bad, in fact, that several years ago, the more sophisticated malware infections began coming equipped with their own antiviral programs to sweep away their Black Hat competitors’ programs when they infiltrate a new machine. It’s so bad that there are now malware traffic jams!

Moreover, it’s not just Big Brother who is reading our thoughts. The very economic viability of modern search engines and all kinds of interactive Internet advertising is predicated on their ability not just to discern our most inner thoughts—but our desires as well. Huge databases of digital profiles are being assembled by jackal-like packs of Little Brothers who Hoover up our clickstreams as we move around in both cyber and meat space.

Cyberpunk science fiction writers nailed all of this decades ago. Wasn’t Vernor Vinge’s “True Names” required reading for everyone interested in understanding cyberspace? Vinge assumed a world of infinite bandwidth and infinite processing power and realized that in that brave new world, what you had to hide at all costs was your real name. 

It’s only gotten worse since then. If you wanted to understand where cyberspace was going then you could read Stephenson, Gibson and Sterling. Now you should read Charlie Stross. Go ahead. Read the first 50 pages of “Accelerando” to figure out what you should be worrying about now. Cybernetic lobster brains. The Singularity. Open source economics run amuck.

Trojan Horse Software. That’s so last decade. 

Evgeny Morozov
Contributing Editor, Foreign Policy; Syndicated Columnist; Author, The Net Delusion

Commentator on Internet and politics; Syndicated Columnist; Author, The Net Delusion

The FAZ essays illustrate numerous pitfalls in our thinking about the future of online surveillance.

Up until very recently, the debate about the future of online surveillance has been dominated by two options. First, governments could require that ALL providers of software and hardware incorporate backdoors into their products by design, i.e. become "wiretappable" in the same way that phones have been required to be "wiretappable". The major arguments against this option are that it may stifle innovation in the technology sector and actually decrease security, as third party hackers can manipulate ubiquitous backdoors.

The second option is to build spying software that, instead of exploiting built-in backdoors in a particular software (e.g. Skype), would compromise the security of just one computer—the one belonging to the suspect. This way, there is no need to require technology companies to build products that are faulty by design. The risks to national security are also minimized, as the spying operation would be highly targeted. Civil liberties advocates are also happy: this solution doesn't give governments the kind of infrastructure to spy on anyone they like: when Skype, Gmail and Facebook all have default backdoors, this temptation may be too great to resist, especially in the middle of the war on terror. In fact, this is why many smart technologists—including free speech advocates at the Electronic Frontier Foundation—have preferred this second approach to backdoors.

One major downside to this plan has become obvious earlier this year. The unregulated use of such spying software indirectly ends up empowering dictators in authoritarian states: we have seen examples of Western governments creating new industries to arm them with such spying software—on the assumption that its use will be constitutionally regulated—only to discover that such software ends up on a secondary market somewhere in Egypt, Libya or Syria, where, of course, no strong constitutional protections apply.

As the FAZ piece cogently demonstrates, we have been wrong to trust Western governments to use such software within the limits of the constitution in the first place. As the decision of a German court discussed in the FAZ essay indicates, there is—in theory—nothing wrong with using such software provided it is done with surgical precision and with no collateral damage to the constitution and the rights of suspects and non-suspects alike. This was clearly not the case; the spying software used by German authorities did far more than it was allowed to do and it did it in an embarrassingly insecure manner. Whatever the standard for best practices in online surveillance, this software definitely breached it.

I'm not an expert on German law but it seems to me that the way forward—provided we find ways to limit the export of such tools to dictatorships—is to set up a consultative body that would oversee and scrutinize the development and implementation of such spying tools. By design, such a body has to feature members of the public—preferably with the requisite technological expertise—so they can (having first signed a slew of non-disclosure agreements) ensure that prospective surveillance technologies embraced by the governments do not overreach. The second best option would be to have a member of the judiciary opine on such matters—but this, alas, requires the kind of technical expertise that most judges do not have.

The big challenge for anyone scrutinizing such software is not only to understand what it does—but to actually ensure that it does no more than it claims to. This was the problem with the software described in the FAZ piece: it did everything it claimed to – it just happened to do so much more—and poorly! This is clearly impossible without having a firm grasp on technical matters—the kind of expertise available to members of CCC and probably unavailable to members of the judiciary and, perhaps, even parts of the German police itself.

The ultimate irony of the FAZ story is that the ineptitude of German authorities has actually made it possible to scrutinize what it is they are doing. Imagine authorities as smart as members of the Chaos Computer Club: it would be impossible for the general public to trace anything. (Which is, perhaps, why we rarely hear about such stories happening in the US: the National Security Agency only hires top hackers!).

This brings up an interesting set of ethical issues with regards to the ways in which hackers are supposed to cooperate with the law enforcement agencies, especially when the latter are clearly bending rules and regulations in their favor. It may seem oxymoronic but it's time we start seriously pondering how the hacking community can better articulate and enforce a set of values among its members. CCC is probably way ahead of most organizations here, so perhaps they can help guide the process of creating a highly public Hippocratic Oath that would guide hackers' work with authorities, ostracizing them from the profession if they breach it.

Links:
[1] http://www.edge.org/conversation/code-is-law
[2] http://www.edge.org/3rd_culture/FAZ2011/Trojaner_englisch.pdf