Sabotage The System: Encryption as Surveillance State Monkeywrench
- (Summer 2014 edition, 2600 magazine)
Since Snowden's 2013 disclosures confirmed the longstanding assumption that the NSA and other Western spy agencies have secretly constructed a massive global surveillance infrastructure - at a cost of well in excess of $50 billion - much focus has been brought to bear on techniques, technologies, and tactics capable of protecting individual citizens against this snoopware monstrosity. And, as a direct result of Snowden's heroic whistleblowing, we now have a generally good sense of what does - and does not - work when it comes to protecting data-in-transit from these spy regimes. Or, more formally, we know which tools are more and less successful in increasing the cost and difficulty of a successful surveillance attack: given the TAO and their near-bottomless arsenal of 0days, we don't look for perfect security but rather tools robust against the widest range of automated attack vectors.
That's all well and good. Understanding which tools really "work," and which are simply ineffective - or backdoored... (or both) - is necessary. However, we can also see clearly that this necessary work is not in itself sufficient to accomplish the goal of undermining the astonishingly apocalyptic capabilities that such global surveillance infrastructures represent. For, in the wrong hands (or even in the "right" hands seeking the wrong ends), the power of such systems that can spy secretly on any non-encrypted electronic communications anywhere in the world - and, worse yet, dig back into enormous archived troves of intercepted/stolen data to run historical queries against any desired 'selectors' - is so great that eventual systematic abuse is all but inevitable. Human beings have not shown themselves to be very good, in historical terms, at making wise use of supremely powerful weapons designed specifically to be used against other human beings. And, as we all know, spy systems are designed to be used against targets: human beings who, for whatever reason, are defined as "enemies" of a given government. The hacker community knows all too well how easy it is to find ourselves labelled as "enemies" of this or that state entity - whether such label is justified, or not. Fair warning, indeed.
What's required, in the words of Evgeny Morozov, is an approach to these illegal, secret spy regimes that promises to "sabotage the system" at the most fundamental level: something that will make the systems themselves inoperable, ineffective, inefficient, or some combination of all three. Without doing so - without sabotaging the system - the system will inevitably, in due course, come to be used for evil ends, by evil people... and as William Binney and others have pointed out with forceful, well-founded warnings, once put in place such systems are nothing short of "turnkey totalitarian states." There is no undo button; by the time they're locked-in and fully functional, any resistance - any attempt at defiance - will prove too little, too late... and too easily squashed by the all-seeing eye of Sauron.
It is not enough to protect ourselves, individually, from this surveillance nightmare. Indeed, many readers of this article will already have the expertise, knowledge, and capability for self-protection to a high degree of success. Nevertheless, even if as individuals we can (and, I most certainly hope, do) protect ourselves... we must do more. We must also protect ourselves, collectively, as a society and a species. We must sabotage the system. But how?
The Surveillance Monkeywrench
To begin, we can easily see how individual activists can use encryption and obfuscation technologies to protect data-in-transit. Such tools are inexpensive, well-established, and in many cases have been shown via Snowden's whistleblowing to be effective against automated NSA attack vectors. That's great: Alice can talk with Bob, and Snooping Uncle Sam can't see what they're saying. As Snowden has said, the maths work. He's correct. We all, by now, surely know & understand this.
Building up from there, is it enough for individual citizens - due to their technical capabilities and knowledge - to protect ourselves, one at a time? Metaphorically, is microeconomic theory enough to explain the great forces of global markets? In a word: no, it's not. Those of us with that capability are similar to winners of the "privacy lottery" - we have the luxury of privacy, but the vast majority of other players will lose. The collective result is that the global surveillance regimes sink deeper and deeper roots into our planet's collective future. The lucky winners do ok; the world overall goes down a bad path indeed.
To understand why that's so, it's useful to think on the problem from a slightly different angle...
The Econometrics of Spy Regimes
It is said that, at the apogee of the Stasi's reign of terror within the former East Germany, fully 1 in 6 citizens was acting as a Stasi informant on their friends, neighbours, and colleagues. This was in a time before cheap, fast computing technology - which required all those snitch-reports to be filed manually, by hand. The paperwork burden was concomitantly enormous, and the efficiency of the system ground to a halt. It's literally impossible, in practice, for that big a chunk of a country's population to be effectively snitching on the rest: the swamp of paperwork becomes too much, and the result is a version of Kafka's impenetrable, dysfunctional, amoral bureaucracy made real.
Unfortunately, when we add in fast, cheap computing power things change dramatically.
Yes, it's true that the NSA (& other spy cartels) spend billions like it's water through their fingers. With those billions, they get enormous bang for their (well, our) bucks: they're able to free-query datasets comprised of many trillions of data points. Fast, accurate, and above all else cheap on a per-query basis. Any analyst with a workstation - even an outside consultant working from an underground bunker in Hawaii - can hit the DB again, and again, and again with no technical constraint holding him back. Worse, the cost-per-query is infinitesimally small. Those data are accessible, cheap, and eternal. They never go away.
Make It Cost
This enormous drop in the cost of accessing & organizing data is what drives the frightening power of the modern surveillance regimes... but it's also their weak spot. Just as Achilles had his heel - the one place on his body vulnerable to damage - so it is that the cost metrics of spying are the most easily-accessible point of attack for activists who work to ensure that these spy monstrosities don't blanket our planet with a future of monochrome, standardized, unchanging totalitarian horror.
In practical terms, the reason these costs are so low - and going lower every day - for spy regimes is automation. Data are collected automatically, collated automatically, and added to existing DBs automatically. Once a new "input program" is initiated - by stealing data illegally from companies, illegally tapping fibre optic channels, or illegally coercing companies into handing over data "voluntarily" - the process is automated. Without automation, it's utterly infeasible to add hundreds of billions of data points per day, and of course impossible to query across them. Automation is the key.
That is precisely, exactly where Achilles is uniquely vulnerable.
Break the efficiency of automation, and we break the cost leverage of these spy machines. To do this - to break the machine - we need only increase the cost of automation. This, as we see below, is trivially easy to accomplish... not only for individual activists, but for vast swaths of the human population on the planet today. Automation thrives on certain assumptions, and certain regularities of structure within underlying data sets. Remove those regularities, complicate the data model, inject stochasticity & uncertainty into the pool of underlying information... and automation breaks down entirely. Cause, and effect.
Jacob Appelbaum has forcefully - and wisely - argued that we don't need to make data-in-transit crypto "perfect" or "unbreakable" in order to have a devastatingly effective impact on illegal surveillance regimes (such an observation should serve as no excuse to deploy encraption, of course). Even if encryption only makes the administration of those spy regimes more expensive, we will have success. The costs of running such systems don't rise linearly with increases in cost driven by data complexity - they accrete exponentially (perhaps even non-polynomially) as per-datum costs rise. Any systems architect is familiar with such a dynamic: systems complexity is rarely a linear metric.
When one studies the Snowden documents thus far available, in detail, the importance of "selectors" becomes clear. Selectors, in spy-speak, are variables used to mould queries (congruent with SQL nomenclature, in a sense). One selector that comes up over and over as a crucial cross-domain bridge - a join key, as it were - is physical IP address. Physical IP address can (and does) tie together webmail, IM chats, video streams, cloud-based storage access, website visits... one's physical IP can often be the skeleton-key fingerprint identifying a unique individual. Of course there's all sorts of corner-states where such is not the case, but for an awfully large percentage of folks using the interwebs, their IP address is their unique identifier as they go about their online lives (in this we speak of short-term durations, pace DHCP et al.).
So, we must break that selector. Fortunately, we know exactly how to do that.
There's an endless list of tools that serve to decouple one's physical access IP address from one's online activities. Beginning with the most feebly secure "free" proxies and adware-based "VPN services," and continuing all the way up through Tor's robust architecture and cryptostorm's token-based model, these tools are widely available & generally dirt cheap if not outright free to use. For automated spy systems, the use of these tools introduces a frustratingly opaque layer of uncertainty in cross-domain selector searches: IP addresses are decoupled from individual activities, in a way that's variable and unpredictable over time. The spies' data warehouses fill up with oceans of data... but one of the crucial connectors amongst all those tidbits of intel is lost. IP address becomes a broken key.
Encrypt All The Datas
Taken a step further, cryptographically-secured methods of decoupling IP addresses from online activity add vastly more leverage to our efforts to make global spy systems cost-prohibitive to administer. This is trivially easy to see, in fact: imagine all those encrypted packets, flowing into Bluffdale's rows and rows of SAN'd hard disks... each packet a bitter little pill for data administrators. Perhaps vulnerable to eventual brute-force decryption (or quantum-based attacks, someday), in the meantime those packets cost money to store and yield zero benefit for the spies (assuming competent header data obfuscation and/or encryption, to mask protocol details and so on). Sure, the cost-per-packet for storage is infinitesimally small... but add up a few hundreds of trillions of 'em & things get interesting.
Better yet, the cost of encrypting those packets is so small as to be essentially zero. A bit more electricity burned on the client-side machines, perhaps... and a bit more wear & tear on the logic gates of CPUs and swap memory. For each of us, those costs won't ever add up to a cup of coffee or a packet of ramen over an entire lifetime of crypto-caution... but for the spy cartels, an ever-expanding bolus of indigestible encrypted packets is a bad (read: costly) thing indeed.
Yes, of course the TAO can attack individual packets, or packet streams, or targeted individuals. But TAO doesn't scale, and never will. If even 0.01% of the global human population were to be TAO'd - subjected to manual, TAO-level attack - the TAO itself would need to include hundreds of thousands of warm bodies. That's impossible, as TAO relies on unique skills not to mention a total contempt for "the rule of law" - neither of which can be boosted up to entire cities' worth of human beings doing the work. The entire model breaks down at scale.
Ned Ludd's Lessons
One need not have any particular attraction to the philosophical underpinnings of Ned Ludd's campaigns against the automation of cotton milling in Industrial Revolution-era England in order to benefit from a study of its tactical underpinnings. The core lesson of the Luddites (in tactical terms) is something different, perhaps even universally applicable: if we want to effectively attack a complex technological system, we seek a way to do so which requires minimal complexity and cost, in order to wreak maximum long-term damage. In other words, the monkeywrench.
Throwing a monkeywrench into a complex, delicate, interconnected system of gears and levers working at high RPMs causes spectacular, massive, permanent damage to the mechanism. The damage expands, building on itself: a gear breaks, and the broken pieces in turn smash other gears. An axle shears, its shattered components tearing out control mechanisms in their death throes. All from one small, cheap, anonymous monkeywrench.
Encryption is the systematic monkeywrench for modern surveillance machines. Not just any encryption, but widespread data-in-transit encryption coupled with IP-decoupling technologies & techniques. Together, these two joined approaches to network data security are deadly for highly-automated, top-heavy, billion-dollar global spy architectures. They serve to break the key conditions for such spy systems to work, making the systems vastly more expensive and unwieldy to manage and scale. They make such systems brittle, unworkable white elephants... too costly to run continuously, too ponderous to upgrade in the face of agile, crypto-based sabotage.
For the win.
It is easy enough to become despondent in the face of spy cartels demonstrating sneering, hypocritical contempt for civilian laws - and for democracy itself. How can a ragged band of data activists ever hope to face off against surveillance machines built with tens of billions of dollars, sheltered in military secrecy, spanning the entire globe? Isn't it hopeless from the start? And shouldn't we just keep writing letters to our congressdrones, begging them to "regulate" these un-regulatable spy cancers with laws they'll then contemptuously use (yet again) as mere toilet paper?
No, it's not hopeless. In fact, beating the power-mad spy-voyeurs is both easy and free of any need to break laws along the way. By viewing these systems as fundamentally economic (h/t @ioerror again), we can see right away where they're most vulnerable. Change their cost dynamic - make automation difficult/expensive - and they become useless relics of a bygone era. Sure, they'll keep eating tens of billions of dollars per year - they'll keep growing and chowing through data - but the output they provide will become increasingly brittle, imprecise, uncertain, and useless. They can keep throwing queries at the DBs, but if we feed the DBs garbage then we all know what comes out...
Despite the obvious, inescapable logic of such an analysis - I'm hardly the first to propose it, nor I hope the last - one rarely if ever sees these perspectives discussed outside of specialised, anti-surveillance technology circles. Why is that? Because, in a word, this analysis works. It provides a tangible, actionable, risk-free path towards our goal: viz, to "sabotage the system." As such, this approach brings fear to the hearts of military spy cartel kingpins & their enablers worldwide. Those of us who promote, publicize, and enable the deployment of solutions based on such approaches face harassment, persecution, and extra-legal attacks for doing so. That, too, rather elegantly demonstrates just how effective these approaches are. Indeed, when our enemies ignore us, we're not perceived as a threat. But, when our enemies react to our efforts wildly, violently, and with panicked overreach... when this happens, we know we're doing something right. We know that we're bringing to them the fear of their own defeat. Just so.
Spread the word. Spread the technology. Spread awareness of how it works. Put your grandfather up on a secure network service of your choice. Set up your aunt's router with a good, opensource OS & Torify its connection. Stick some solid SOCKS proxy addys in your buddy's browser settings. Spread the love, compa! The more we encrypt (& IP decouple) comms traffic online, the more we throw a nice, chunky, proud monkeywrench into the sick dreams of spymasters worldwide. Sabotage the system... so we can have a future that's free, open, diverse, and above all else healthy for our planet.
- - on behalf of Baneki Privacy Labs