By the logic of surveillance, and given the government’s enthusiasm for the agendas of security agencies and the copyright industry, an attack on privacy may be coming that will dwarf the government’s current data retention proposal. Soon, internet anonymity and encryption may be in the firing line.
The attack, already developing in the US and the UK, has been driven by two key changes: the attempts by major IT and online companies to reassure customers about their privacy in the wake of the Edward Snowden revelations, and the growing use of encryption and anonymity tools by ordinary internet users.
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
With their reputations for protecting their customers from government surveillance in tatters, the United States’ biggest IT and internet companies have now moved to offer greater privacy protections. Overnight, WhatsApp announced it was embedding end-to-end encryption in its messaging service, making messages unreadable even by the company itself. Earlier this month, Facebook pledged support for Tor, the anonymisation service. In September, Apple revealed encryption on iPhone 6s and new iPads would be in place by default and the company would not hold the encryption keys, so it would be unable to provide them to security agencies. Google soon followed with a similar announcement about the next version of Android. In August, Yahoo announced it was working on end-to-end encryption, using the OpenPGP standard, for its webmail service with Google, so that Yahoo and Gmail users will be able to email one another securely. In July, Microsoft announced it would improve encryption in Outlook and that it would make its code available so that governments could inspect it to check there were no NSA backdoors in it — though unlike WhatsApp, iPhone and Android encryption and (depending on where keys are stored), Yahoo Mail and Gmail from next year, Microsoft can still provide access to user data to security agencies, if they have the appropriate legal authority.
Webmail encryption is tricky, and potentially unappealing to users (you have to keep your key somewhere) but the option will be there for those who want to protect their privacy, and there appears to be a growing appetite for that. Usage of Tor spiked in 2013 in the wake of the Snowden revelations, and since then has plateaued at a level twice that of pre-2013, despite constant claims it has been successfully tapped by security agencies. In Australia, around 30,000 users are connecting to Tor at the moment, three times the 2013 level, and the number is rising; US numbers show the same pattern, but with an extra zero. In May, Essential Research found at least 30% of Australians were taking some measures to stay anonymous online. But concern about surveillance and privacy isn’t the only, or maybe even the main, driver for the growing use of Virtual Private Networks to encrypt and anonymise traffic. One survey claims 32% of male and 22% of female internet users worldwide use proxy servers or VPNs to access geoblocked content; another recent report suggests a quarter of internet users are doing so.
None of the tools listed above are complete protection against determined intelligence agencies: if a government agency decides to place you under surveillance, it will manage to do it one way or another. But for the 99.99% of Western citizens who aren’t identified terrorists, pedophiles or organised crime figures, more, default and easier encryption and anonymisation tools make it significantly harder and more resource-intensive for law enforcement agencies to track what you’re doing, and in some cases prevent it altogether. And anonymisation tools such as VPNs (especially those that don’t log traffic and have nothing to retain anyway) or Tor also render data retention pointless for online traffic.
“The problem now facing security agencies is one entirely of their own creation.”
Security agencies aren’t happy about this. Outgoing Attorney-General of the Obama administration and lead whistleblower-persecutor Eric Holder recently accused unnamed companies — viz, Apple and Google — of, in essence, helping kidnappers and sexual predators with encryption (in the same way, presumably, car manufacturers help criminals who use cars). Holder wanted a “backdoor” built into encryption to allow governments to access users’ data, an idea quickly demolished by security experts, who pointed out a backdoor could and would be used by anyone, not just police (which has happened).
FBI director James Comey had also accused Apple of marketing a product that allowed people to “place themselves above the law”. And the new director of the UK’s spy agency GCHQ went entirely over the top, accusing firms like Apple and Google of “facilitating murder or child abuse” and accusing companies offering encryption of, in effect, helping terrorists. Some commentators are now talking about a new “crypto war”; in a hilariously dumb editorial, The Washington Post backed law enforcement, declaring that while a “backdoor” in encryption was undesirable, “perhaps Apple and Google could invent a kind of secure golden key they would retain”, as if a “golden key” would be in any way different to a backdoor.
The problem now facing security agencies is one entirely of their own creation. The mass surveillance systems the NSA and GCHQ created were an example of wild, do-it-because-we-can overreach, which led to massive abuse and then exposure by a brave whistleblower. As is now a matter of public record, such mass surveillance was unnecessary for preventing terror attacks. Now, this overreach has prompted a reaction as both companies and consumers look to protect themselves better against mass surveillance. In doing so, agencies have now created a very real version of their long-running complaint about “going dark” on phone data, only internet users are the ones taking their data beyond the gaze of authorities and retention schemes.
The copyright cartel, which is similarly hostile to anonymisation tools, is also pushing back. It has pressured Netflix to stop Australians using VPNs to get around its geoblock (Hulu has already shut down access to well-known VPN nodes). And in a submission to the government’s copyright inquiry earlier this year, BBC Worldwide demanded that ISPs assume VPN users were pirates.
Where does that leave Attorney-General George Brandis and Communications Minister Malcolm Turnbull, who have repeatedly demonstrated their willingness to give security agencies and the copyright cartel whatever they demand? According to a report this week by Fairfax’s Ben Grubb, the government will shortly consider a proposal to allow the copyright cartel to force ISPs to censor internet sites they claim are responsible for file sharing. Such a censorship scheme, which has demonstrably failed overseas, would be effortlessly thwarted by VPNs. Indeed, such a move would simply exacerbate the new “going dark” problem as the consumers who hadn’t done so move onto VPNs (VPN companies’ providers will be desperately hoping for Brandis and Turnbull to get their way.) And security agencies know that VPNs render data retention pointless for online metadata.
As with data retention, which took several years to finally reach parliament in Australia, the push to Do Something about encryption and anonymisation may not happen immediately. Until recently, it’s not been clear senior security agency officials fully understood what they were facing: in 2012, then-secretary of the Attorney-General’s Department Roger Wilkins declared that the problem posed by Tor could be met simply by “demanding the encryption keys”, when there are no permanent Tor encryption keys. The push is thus likely to grow stronger over time. But eventually, the same warnings of marauding sex predators and unsolved kidnappings and murders will be produced by police forces, the same dire warnings of coming terrorist attacks will be uttered by senior spies; the same mainstream media national security stenographers will run the same arguments as for data retention. And all for a problem created by security agencies themselves.