Black Code
Formal Metadata
Number of Parts | 126
License | CC Attribution - ShareAlike 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers | 10.5446/33415 (DOI)
re:publica 2014 (31 / 126)
Transcript: English (auto-generated)
00:27
Hello, everybody. Thank you for coming. I'm really glad to be here in Berlin. I'm going to begin with Edward Snowden. All eyes are on Snowden, of course, and what can you say? This is the biggest intelligence leak in all of human history.
00:45
As I understand it, many millions of documents were taken, so we're going to be living in the world and the aftermath of the world that Edward Snowden has helped shape for many years to come. Now, notwithstanding the importance of this topic, I'm not actually going to go through the revelations in any detail.
01:03
In fact, I'm going to start somewhere far, far away in Pakistan. Now, as many of you know, I think Pakistan is a country with more than its share of problems. It's a country that has a corrupt government. There are major governance challenges,
01:22
insurgencies throughout the country. It faces, almost on a weekly basis, drone strikes from the air that have major collateral damages to civilians, many casualties which inflame already a tense situation around religious sensitivities.
01:43
It's also one of the world's worst places for human rights and free expression. Journalists are routinely harassed, many are kidnapped and tortured, media headquarters are bombed, and it's also one of the world's worst censors of the internet. All of YouTube is blocked, for example, in Pakistan,
02:02
as are many websites having to do with human rights information or information about LGBT issues. Not that long ago, the government of Pakistan put out this tender for proposals for a nationwide internet filtering system. They wanted to solicit proposals from companies
02:22
to build effectively the great firewall of Pakistan. And it was quite a sophisticated set of requirements. They wanted a company that could service up to 50 million URLs a second. And so, this was quite something quite substantial.
02:40
Worldwide public reaction to this was quite inflamed. Many people within the communities that I belong to organized a public advocacy campaign, a letter writing campaign, where they sent letters to the companies that manufacture internet censorship technologies and they said,
03:01
please don't bid on Pakistan's request for proposals. And it actually had some effect. McAfee, the maker of the SmartFilter system, actually tweeted their response saying, it's official, we're not going to bid on this project. But the system went ahead, and today if you visit Pakistan
03:21
and you get online and you try to access YouTube, this is what you'll see, a block page like this. Now, at the Citizen Lab, which I direct, we look upon this as a kind of challenge, for this is a puzzle that we want to solve. Who are the manufacturers of the technologies
03:43
that are used to do the censorship in Pakistan? Who won the contract? So, we undertook a series of remote scans and in-country tests undertaken by partner organizations in Pakistan. And after our analysis, our researchers came across this,
04:01
which may not mean much to some people in the room, but to the researchers at the Citizen Lab, it's the equivalent of a fingerprint. In the HTML response code alone, we could tell from this who the manufacturer of the filtering system was. But the funny thing was, the filtering system was actually misconfigured,
04:22
such that if you went to the IP address directly, instead of the domain name, you would get this, which is the administration panel for the filtering system itself, including the login prompt. And on the admin panel, you can see all sorts of fingerprints clearly laid out.
04:40
The company is named there, Netsweeper. Now, for those of you who don't know, there's a connection for me to this, because Netsweeper happens to be a company based in Canada. And when we released our report, there was some significant media attention about this in Canada. It made all of the headlines and the major newspapers,
05:00
but then it quickly died off, overtaken by the usual slew of current events. In Pakistan, however, it was only the beginning of the story. One of the organizations in Pakistan with whom Citizen Lab worked on this project, Bytes for All, did not stop with the research, but actually took the Pakistan government to court.
05:23
They've been engaging in public litigation for many months. But unfortunately, Bytes for All has experienced the darker side of Pakistan as a result. Threats and intimidation, open calls on national media for blasphemy charges to be laid against the head of Bytes for All,
05:43
effectively a death sentence, and kidnappings of staff members in the middle of the night. This is the steep price that is paid by advocacy organizations like Bytes for All simply for doing evidence-based research, public litigation, and advocacy in the promotion of human rights.
06:03
Meanwhile, other Pakistan rights groups were puzzled by the fact that Canadian companies supply the technology to do the filtering. And one of them actually wrote to the Canadian government. And remarkably, the Canadian government replied. And this is the letter here. I know you can't read it, but I can tell you the gist of it is,
06:23
yes, in Canada, we believe in human rights. But when it comes to the situation of Netsweeper in Pakistan, well, the key line is down here. Use of such technologies in Pakistan is the responsibility of the government of Pakistan to manage in accordance with local laws.
06:43
That's what you call having your cake and eating it too, I think is the phrase for that. Now, to me, this is a microcosm of the type of world we are going to see more of in the future when it comes to Internet freedom issues.
07:01
A flawed democracy, riven with internal insurgencies, corruption, and strife, a major violator of human rights, a country where access to platforms of the Internet we take for granted in places like Germany are filtered using high-grade technology supplied by a Canadian firm.
07:21
Is this the future of the Internet post Snowden? It's also a microcosm of the type of work that we do at the Citizen Lab. Now, for those of you who don't know, the Citizen Lab is an unusual place. We're a research unit at the University of Toronto, and we employ a mixed methods approach to the research that we do.
07:44
We combine the skills of engineers, computer scientists with social scientists. We collaborate with people from all over the world to do the field research that we do, like our partners in Pakistan, and we do this to advance research on global security, cyberspace, and human rights.
08:05
We've uncovered global cyber espionage networks. We've documented patterns of Internet censorship worldwide through projects like the OpenNet Initiative, and more recently, we've documented the disturbing growth of what many are calling the market for digital harms,
08:22
products and services for Internet censorship, surveillance, spyware, and computer network attack. We've been a kind of digital early warning system, scanning the horizon, and what we've seen, frankly, has been really disturbing. And what I'm going to do today is describe to you some of what we have seen.
08:41
I'm going to start by putting the conversation in a bit of broader historical context, outlining three major social forces shaping global Internet politics today, and then I'm going to describe some of these warning signs, which we need to take seriously,
09:00
signs of growing censorship, surveillance, and militarization of this global commons that we now call cyberspace, and then I hope to end by saying some suggestions of what we can do about it. But first to the broader historical context. And the first one I think is an obvious one to everyone here in this room,
09:21
but I think it needs to be said. We are going through the most profound change in communication technologies in all of human history right now. That's a bold thing to say when you think about technologies like the printing press, radio, telegraph, television, all very important, but I believe just within the last three to five years,
09:43
we're going through the most transformative purely on the basis of three technologies, mobile, social media, and cloud computing. Now those are different in many ways, but they share one very important characteristic, and that's the amount of private information,
10:03
information that used to be in our desktops, our filing cabinets, even in our heads, that we now entrust to third parties. Most of those third parties are private companies, and many of them are private companies that are headquartered in jurisdictions other than the ones that we are citizens of.
10:24
And this includes data that we are conscious of and deliberate about, like the emails we send and the tweets we post, but it also includes a lot of information that we're completely or mostly unconscious about.
10:41
And I think the best way of describing it lately that people are talking about is metadata. So if you take my mobile phone, even when I'm not using it, it's emitting a pulse every few seconds as a beacon, trying to locate the nearest Wi-Fi router or cell phone exchange, and within that beacon is the make and model of the phone,
11:02
the fact that it's my phone because my name is attached to the operating system, the operating system of the phone, and most importantly, the geolocation of the phone. So all of you have phones in your pocket. We're all connected to each other now in time and space, and that's just the mobile phone.
11:20
Most of us have dozens of applications on our mobile phones that do more or less the same thing, and each of them can give permission to access our communications, our emails, our social networks, even our photographs, and that data doesn't just evaporate into the ether.
11:44
It sits there on the computers, on the servers of the companies that own and operate it, there to be mined or shared perhaps indefinitely. Now all of this is really profound, but with what many people are calling now the Internet of Things,
12:01
it's going to grow exponentially as more and more devices, now it's something like 15 billion, are connected to each other and to the Internet. We are leaving this digital exhaust around us as we go about our daily lives that contains extraordinarily precise information about our lives, our habits,
12:27
our social relationships reduced to trillions of data points that form now this new ethereal layer around the planet that's only growing in all directions. So that's the big first historical context.
12:42
The second is the growing role of the state in cyberspace. Now this will simplify things a bit, but if you go back 20 years or so and did a survey, most governments didn't think about the Internet at all. Very few of them had even Internet policies.
13:00
Fast forward to today, not only are they very involved in Internet issues, but cyber security is at the top of most countries' agendas worldwide. I think in hindsight this was to be expected. With so much technology connected to the Internet, including critical infrastructure, creating all sorts of externalities,
13:25
it was really inevitable that the state would have to get involved. But there was, as often happens in history, a punctuation point that accelerated it and coloured it, and that punctuation point was, of course, 9-11.
13:42
Now it's hard to underestimate the impact that this has had on the technologies that we're all talking about today. We still live in the shadow of 9-11. Several things in the wake of those horrific attacks occurred that we know more about now.
14:03
First, the security paradigm turns inward to all of society. Again, this was something that happened gradually after the end of Cold War. The primary threat paradigm changed from one which was previously a concern mostly about what other states are doing,
14:22
that in the middle of the night a state on the other side of the planet would launch ballistic missiles over the horizon, to one where the paradigm is about the threat being instead someone blowing themselves up in a crowded theatre like this. So the paradigm turns inward.
14:41
You also see a culture shift, especially in the United States, especially in and around Washington, D.C., this idea of all bets are off, an edge-of-the-envelope type thinking, which brings about an urgency to overcome barriers. And you see as part of this culture shift
15:02
an outright irreverence to the rule of law that begins to manifest itself. You also had very important legal changes after 9-11. The Patriot Act and other security and terrorism acts were passed in the United States and most industrialized countries around the world
15:21
that empowered law enforcement and intelligence. And part of this was based on the perception of a failure to connect the dots that led to this catastrophe. So now we need to connect the dots, meaning we have to collect it all, collect the entire haystack.
15:42
You also see at this time an important change in military strategic thinking. Beginning in the 2000s, you have a definition of cyberspace as a domain equal to land, sea, air, and space in Pentagon thinking,
16:00
and the development of offensive capabilities to fight and win wars in this domain. An important Rubicon was crossed with the Stuxnet virus when U.S. and Israeli intelligence agencies targeted nuclear enrichment facilities in Iran. You had, in effect, the first act of war, sabotage, occurring through cyberspace.
16:25
And now, predictably, we have an arms race in cyberspace as dozens of governments are standing up within their armed forces capabilities to fight and win wars that shows no signs of abating.
16:40
And it brings up some interesting questions. First, what does it mean when war is constant, its scope is global, and the battlefield is the realm of ideas and public dialogue? Now, those two historical forces together are generating a new market,
17:01
a new political economy dynamic that I've called the cybersecurity industrial complex. The aims of the Internet economy, on the one hand, and the aims of state security converge and overlap around the same functional needs, collecting and monitoring and analyzing as much big data as possible.
17:25
Not surprisingly, you see many of the same firms servicing both segments of the markets, like companies that market facial recognition technologies, for example, which tend to be dominated by Israeli firms, servicing Facebook on the one hand,
17:42
and the CIA on the other. They reap what we sow. Now, part of the market is much more nefarious. Capabilities are being put in the hands of policymakers. Five years ago, they never imagined that they would have cell phone tracking, social media infiltration, and computer network attack and exploitation.
18:06
Companies that we used to associate with wiring the world and connecting individuals are now turning those wires into secret weapons of warfare and repression. This is where big data meets big brother.
18:26
Now, the confluence of these two social forces happening in this historical era are really breathtaking in scope and scale, and I think require us to step back and think about their historical significance. At the very same time that we're in the midst of turning our digital lives inside out,
18:47
the world's most powerful surveillance machinery is turning inwards on all of us. A surveillance machine whose overarching intention is to shield itself from public scrutiny,
19:01
to barely acknowledge its own existence, to operate in a cloak of secrecy. That, to me, is an epochal shift requiring an urgent conversation on the order of a new social contract.
19:21
Now, there's a third historical social force that's happening right now that we need to take into account, and it's way less understood, especially by people living in affluent Western countries, and that is the who of the Internet is changing fast. We're going through a demographic revolution when it comes to cyberspace
19:43
that I believe is perhaps the most important. The centre of gravity of cyberspace is shifting right before our eyes from the north and the west of the planet, where it was invented, to the south and the east. And this change is going to be extraordinary.
20:01
The vast majority of Internet users today and into the future are coming from the developing world. And what does that mean? Well, when you look at it closely, some of the fastest-growing online populations are emerging from the world's weakest states, the failed, the fragile, for whom these technologies are empowering.
20:22
In many of them, like Pakistan, religion plays a more important role in governance than it typically does in the West. Many of them are authoritarian or autocratic regimes, failed states, or slipping into something like authoritarianism. Remember, these countries and their populations
20:42
are quickly entering into what we call cyberspace at a much different time than the early adopters. They're coming after the PRISM revelations, with the model of the NSA in mind, at a time when cybersecurity is at the top of the international agenda,
21:02
and most importantly, when products and services of unparalleled surveillance and computer network exploitation power are being offered commercially. What should we expect then from these next billion digital users as they come online in the post-Snowden era?
21:23
Well, I think we first have to consider the international dynamic. Now, before Snowden, many people had a kind of simplified black and white view of the international governance of the Internet. There was, on the one hand, all of those freedom-loving countries, the United States, Germany, United Kingdom, Canada, and so on,
21:44
called the Freedom Online Coalition, that favoured something like the existing, open, distributed model of Internet governance. And on the other side were all the other countries that favoured a more top-down, state-centric approach,
22:01
greater national controls. What can we expect of the governance in this space in the wake of the Snowden revelations? Well, one thing you can say is that the Freedom Online Coalition is facing a major legitimacy crisis. The full details around the scope of the NSA documents and practices
22:24
and what's been going on with GCHQ and others like them have angered many leaders, understandably, leading to calls for data localisation and detachment from the United States. Here in Germany, of course, calls are very strong,
22:40
Schengen routing, as it's known. Now, data localisation in and of itself is not bad, but one person's data localisation can be another's national censorship regime. Like many, I fear the balkanisation of the Internet will result.
23:00
Will we see countries that prefer a state-governed Internet engaging in partnerships, sharing best practices, jointly developing technical platforms as China and Iran have done? Will we see major events like the Sochi Olympics, which I called PRISM on steroids,
23:21
will we see them used as a kind of showcase development, marketed turnkey style wholesale to countries undergoing rapid development, a kind of surveillance by design for whole urban centres? How will these pressures come to bear on a region like sub-Saharan Africa,
23:43
undergoing growth rates on the order of several hundred percent per year? Remember we used to talk about the Chinese company Huawei having public relations problems for fear of a back door being implanted on their routers? Well, now the tables are turned and American companies have a Huawei problem of their own,
24:04
which has opened the door for new investment opportunities for companies like this. Will we see the legitimisation of nationwide monitoring systems that seek to duplicate the imperative to collect the entire haystack,
24:20
monitor it all, as appears to be the case in India with the roll out of its so-called central monitoring system? Or the $40 million Nigerian system powered by the Israeli security firm Elbit Systems? Will we come to take for granted that the popular applications
24:42
millions of us now use to chat and socialise and share pictures and even organise politically will have contained within them hidden functionalities of keyword censorship and surveillance uploaded with new lists every week to reflect current events
25:00
as we discovered in the Citizen Lab in the Chinese version of Skype and the popular instant messaging application LINE? Will we experience more warnings like this because, well, it's acceptable and that's what everyone does. What about the benefits of the internet for social mobilisation and democratic change?
25:24
A few years ago, many of us celebrated the Arab Spring as the paradigm of what these technologies could do. Remember we called it at the time liberation technologies. They would bring about the end of authoritarian rule. Unfortunately, Syria has become the Arab Spring's dark aftermath.
25:44
Working together, Citizen Lab and EFF researchers have shown how the very means of online organisation could become sources of insecurity as groups sympathetic to the Assad regime have employed off-the-shelf malware crime kits to infiltrate social networks,
26:04
arrest, torture and murder opposition groups and even target their airstrikes. Our research has uncovered numerous cases of human rights activists in places like Bahrain, Ethiopia and elsewhere targeted by advanced spyware manufactured by Western companies.
26:24
If these were isolated incidences, perhaps we could write them off as anomalies. But our global scan of the command and control servers of these products pioneered by Bill Marczak and Morgan Marquis-Boire and Claudio Guarnieri and others
26:42
has produced deeply disturbing evidence of a global market that knows no boundaries. We found command and control servers for FinSpy backdoors in a total of 25 countries including countries with dubious human rights records like Bahrain, Bangladesh, Ethiopia, Qatar and Turkmenistan, among others.
27:07
A subsequent project found that 21 governments are current or former users of Hacking Team software including nine receiving the lowest ranking authoritarian in The Economist's 2012 Democracy Index.
27:22
Now that's just two companies, their product all over the world, a market that is going to spread far and wide and our research has only picked at the surface of what is a growing major field. Products that provide advanced deep packet inspection, content filtering,
27:42
social network mining, cell phone tracking and even computer network and attack capabilities are being put in the hands of policy makers developed by Western firms and used to limit democratic participation, isolate and identify opposition and infiltrate meddlesome adversaries all over the world.
28:05
Indeed what I worry about most is that the template for the future of the internet is not the Arab Spring at all, it's actually the Green Movement in Iran from a few years prior. Recall how it began with such high hopes, dubbed a Twitter revolution by many
28:22
but it ended in a dark cloud through an Iranian version of PRISM, user data turned over by the largest cell phone provider Nokia Siemens to the Revolutionary Guard. Clearly we want to prevent such abuses from happening but on what basis will we do so?
28:42
What moral grounds will we stand on here to make the case that that is something wrong that shouldn't happen over there? Now I'm a Canadian citizen so I think it's instructive to ask that question with respect to Canada which is what we've been doing lately at the Citizen Lab led by Christopher Parsons.
29:02
He sent out a survey, a detailed questionnaire to around 13 telcos and ISPs in Canada asking them whether, how and how often they share user data, this big ethereal digital exhaust that follows us around with police and intelligence agencies.
29:21
And the answer he got, unfortunately, no comment. There are nothing like transparency reports in Canada, let me tell you that. And then just a few weeks ago we found out it is considered normal practice for Canadian government agencies to routinely share user data with governments
29:46
on the order of millions of times a year all without a warrant. Should it be any surprise then that in Canada our Signals Intelligence Agency which is supposed to be restricted to monitoring activities abroad
30:04
is using all of this data that's being collected to model Canadian communication habits at airports, hotels, places of work and coffee shops. Should that be surprising? Well, perhaps not as surprising as the official response given by CSEC
30:25
which is our NSA in Canada says the government of Canada no Canadian communications were or are targeted, collected or used. All of us were kind of scratching our heads at that. How would that be? It doesn't make sense.
30:42
Maybe they are basing what they are doing on a secret interpretation of a secret law. Maybe they are using a different English language dictionary than the rest of the human race. Or maybe they are following the George Costanza rule of public policy.
31:05
Jerry, just remember, it's not a lie if you believe it. Whichever the answer is, it's not good. If we are turning over user data without judicial oversight
31:22
who are we to hold the moral high ground? On what basis can we credibly criticize those countries abroad when we do no different here at home? Now granted, what I have sketched out here I think is pretty daunting and it may seem at times for those of us who study this area that it's all overwhelming
31:45
but I think we have to have a strategy to bring about change and I think that strategy has to begin at home. After 9/11, the pendulum swung way over here in terms of greater empowerment for law enforcement and intelligence
32:02
and restrictions on privacy rights. We need to restore transparency, accountability and oversight to governments and liberal democratic governments need to start by getting their own houses in order. No new theories are needed for this. We just need to remind ourselves of some basic principles at the heart of democracy,
32:23
mixture, division, restraint. We need to extend oversight and transparency and accountability to the private sector precisely because we hand over so much highly revealing information as never before in human history to private companies.
32:41
We need to find ways to monitor what they are doing and that is going to require new forms of innovation, new watchdog capacities, new types of monitoring that oversees what the private sector is doing especially around the cyber security industrial complex and the dark market of cyber arms.
33:04
We also need to desecuritize and re-insulate the engineering community and by that I mean reverse the process that has happened over the last decade or so where the engineers, the core scientists that effectively run the internet, develop the standards, the cryptography and the regulations
33:24
and the protocols that define how it all works have been gradually usurped into national security rivalries that have tainted their communities and undermined trust and reputation. Somehow we need to get that back.
33:42
We need to give meaning to the empty euphemism of multi-stakeholderism. I can't tell you how often I hear governments spouting that they support multi-stakeholderism but don't practice what they preach. We need to distribute governance as widely as possible
34:01
and make sure decision making about the internet and cyberspace doesn't happen behind closed doors decided upon by states and private sector. We can never let that happen again. And finally, I believe we need a cultural change.
34:20
We need to recover the original sense of what it means to be a hacker, the original hacktivist civic ethic which in many quarters today is synonymous with breaking the law but originally it had a very positive connotation. It meant someone who is interested in technology,
34:40
understanding how it works beneath the surface, not taking it for granted, not just accepting things as shrink-wrapped. I think we need to encourage that type of attitude towards technology as a civic ethic today. We need to not take the internet for granted. We need to lift the lid on it and find out what goes on beneath the surface.
35:05
Now, I'm not idealistic. I realize all of this can happen overnight. It's going to take a very long time but we need to start somewhere and I see this as a long roadmap to recover democracy and human rights in cyberspace
35:25
before it's too late. Thank you very much.
35:44
So, are there any questions? Hi there. I'm Mike Wozniak from Polish Free and Open Source Software Foundation and I agree with those five points completely but I miss a sixth point
36:04
and I think that the sixth point is crucial here. The sixth point being we need to convince the users, we need to convince everybody that they need to support this. This needs support. This needs also financial support.
36:21
This needs also public debate support. This needs supporting the media, etc. And if users do not understand, if users do not see the point, if the users do not see the connection between supporting something and expecting the results, this will not happen. And this has been extremely visible and extremely stark in the Heartbleed situation
36:45
where a lot of huge ICT companies and by extension huge swaths of users were using single software developed by 11 guys that were underfunded and this is something that we need to change. Thank you.
37:04
Well, I agree completely. I would add that as another one. I think it is obviously a major challenge for a lot of people, especially the people who really toil tirelessly in the human rights advocacy space and Citizen Lab is a research organization.
37:23
We do not necessarily do advocacy but we work with and admire the ones that do. Groups like EFF and EDRi and some of the people that I have met here in Germany doing phenomenal work but you are absolutely right. The scales are imbalanced here. You could look at many indications of that.
37:43
The team that worked on the OpenSSL, I heard some statistic about the funding that they received for the year was something like $2,000. This is ridiculous given that this is used by a huge number of people that rely on it just on the basis of security alone.
38:01
It is ridiculous. Citizen Lab does not take money from any government but I think it is still interesting to think about the imbalance that exists there. When you look at, for example, the funds from the Freedom Online Coalition to support Internet freedom.
38:20
A lot of people are doing a lot of good work using those funds including I believe Tor gets some of its funding from that fund and that is a good thing. We are talking about tens of millions of dollars compared to billions, tens, hundreds of billions of dollars that defines the market for surveillance,
38:42
censorship and computer network attack capabilities and programs that are designed to subvert those very things. There is a huge imbalance right now and we all frankly have to work on rectifying that somehow to change it. It is hard to see from up here so I don't know if anyone is asking.
39:03
My question is kind of redundant now but I was going to say on point number 4 you were saying that things shouldn't happen behind closed doors and if I clearly remember, Microsoft pushed through this terrible format through completely open doors by basically bribing everyone
39:22
and coercing companies to vote for accepting that terrible format. Again, if you think about the OpenSSL example that you just brought up, the funds that we are against is humongous.
39:42
It is very difficult to fight in such an imbalanced battle and for example the Microsoft one was a really strong one because you could clearly see that there were no valid technical points that we were making. It was just money and I see this going again and again
40:02
so coming up in this kind of problem of imbalance in money coming up very often. I am interested in what are your thoughts on trying to balance this out. At least the order of magnitude that we are talking about, the difference in the order of magnitude is probably like 3, 5 zeros that we are missing.
40:23
So it is quite a lot. Again, it is a very good question. I think it allows me to bring up another pet project of mine, if you will, being a professor at a university. Among the many different things that can be done on these issues, I think universities have a special role to play
40:42
and are not really fulfilling their responsibility. By that I mean it was out of the universities that the Internet was born. Forget about the story about the Defense Advanced Research Projects Agency, whatever. I am not talking about that. I am talking about what we take for granted as the basic protocols and so on,
41:01
come out of the university. It is where many of the notions of peer networking and some of the other principles that define the Internet have their origins. It was primarily among university engineers that the Internet was built and designed and effectively run for many decades.
41:22
Unfortunately, now I think universities are not stepping up to the major challenges that exist that we are all talking about now and have been revealed thanks in part to Edward Snowden. The Internet is under threat. The very commons of information that we use to not only engage in shopping
41:45
and all sorts of trivial things, but it has now become the repository of our common knowledge. The university should be standing up and saying, this threat to this system cannot go on. It must not happen because the university, the whole rationale there is the university is the custodian of knowledge
42:04
and it is the Internet where knowledge is shared now and archived. That is why I think universities have a special role to play in taking on this challenge. Unfortunately, you have the same problems there. You have a major imbalance in funding for research that goes towards the very things that we oppose.
42:24
If you go to any engineering sciences department or any computer science department, the vast majority of funds for research come from military intelligence sectors. That needs to change somehow. We need to overcome disciplinary divides within the university as well.
42:41
It is crazy that we live in the society that we live in and you can go through an engineering and computer science program without taking a single social science course or philosophy course. Likewise, in the arts and sciences, we have people going through whole undergraduate degrees and they do not even know what to do inside their computers
43:01
or how the technology actually works beneath the surface. We are neutering our citizens and we need to change that by overcoming these disciplinary divides. I know that will not answer the challenges that you lay out entirely, but it has to be one small component of it.
43:24
Hello. Ron, that was a fantastic presentation and for the record, this is Pranesh Prakash from the Center for Internet and Society. I just had a few questions on these last few points. One is on point number two.
43:41
Despite all the problems we have with governmental accountability, there exist frameworks, there exist systems, there is widely recognized things like the Universal Declaration of Human Rights, etc. For private sector accountability, on the other hand, there isn't any. They are accountable to their shareholders, not to citizens.
44:02
They are accountable perhaps to a slight extent to consumers as well. So, how do you propose getting human rights ideas, which we can enforce against governments, how do we extend that to the private sector? That's one question. The second one kind of merges points three and four,
44:22
which is a widely cited example of good multi-stakeholder processes, of fair one, etc., would be something like the IETF or would be the Internet Architecture Board, etc. Except, I'm not very sure about that.
44:41
I see the IETF as primarily a commercial organization. Most of the things that get pushed through are things that are supported by large commercial organizations. If you look at the Constitution of the Internet Architecture Board, for instance, it has, I think, around 15 people, of which 13 are white males from North America
45:03
and Western and Northern Europe. It's hardly representative of the Internet community, yet that apparently is the most successful multi-stakeholder thing we have today. Would you know of any other examples of where multi-stakeholder practices have actually worked?
45:20
In terms of the first question about the private sector, I don't pretend to have any novel answer in my back pocket about how to do this. I do think, though, that there are some obvious things that we need to do more of that I can see working now. If you look at pressures on companies from,
45:42
you know, people call them name and shame campaigns, but I think that trivializes actually what's involved. So, I'll give you an example at the Citizen Lab. One of the projects that is now being undertaken by Christopher Parsons is to put out there, if you go to the Citizen Lab website right now, you'll see it's the first entry,
46:02
details to citizens on how they can exercise their rights to ask companies what data they keep on them. And I think that alone is a right that very few citizens actually exercise, right? So, what Chris did is he laid out the argument, the rationale why this is important, then he went further and he actually puts out all of the addresses
46:26
for the company officers, and he even puts a form letter together for you, giving you the text that you can use, and going further yet again, he says, well, what happens if they don't reply? Well, here's what you do. Here's how you lodge a complaint, and here's the template letter you can use to lodge the complaint.
46:43
So successful has this been that we're now developing an app that will facilitate this even more quickly. So it's just one example of, I think, the type of distributed watchdog functionalities that can happen, and I think must happen,
47:00
if we're going to hold the private sector responsible. Because you're absolutely right, we can't think about it in terms of just one state, you know, because corporations are very nimble, many of them are transnational, it has to happen in a distributed way, and it has to happen in a new creative manner. The question about multi-stakeholder processes,
47:20
it is very difficult to actually do this in practice. You see this all the time, not in the Internet area, but in climate change governance, right, where you have thousands of stakeholders involved in all sorts of special interests and lobbying, and of course, you know, civil society groups can be manipulated by special forces and lobbyists
47:44
to present positions as if they're coming from civil society. I didn't go to NetMundial in Brazil, but I heard that it was a very successful example of the type of multi-stakeholder process that can happen. I hope so. The issue is we need to start doing this.
48:02
We can't have something like the London cyber process. I was at the first London cyber event, and for those of you who don't know, this was meant to be a major gathering around governance of cyber security, and there was a point at this meeting where the government representatives
48:21
literally went behind a closed door, and it was like, no, it's not a metaphor. They actually did that, and we're not allowed in it. The rest of us all kind of stood there going, they were actually behind a closed door, and we're not allowed to go there. We were talking about this. Like, that just can't happen. You know, this is not the government's domain to shape according to national interests.
48:42
It is, as someone said earlier, what we make of it. It's ours, right? And we need to govern it accordingly. And it just so happens that that turns out to be the best way to ensure that it's secure by distributing it as widely as possible. Any other questions or comments?
49:04
Is there a question? I'm not sure what you're talking about. I'd like to know. No. I think that's it. Thank you. Okay. Thank you very much. Thank you all for coming. Appreciate it.