Almost everyone's outraged to one degree or another by the latest Edward Snowden revelations. I have my problems with some of the claims, but others are clearly disturbing. What are we to do about it?
Bruce Schneier is a famous and respected cryptographer and analyst of security more generally. He has been working with Glenn Greenwald of The Guardian and has his own advice for how people should protect themselves in light of the news. Some of this seems a bit overwrought to me, but it's all meant to be practical advice.
His other essay yesterday was less practical. In fact, it's anything but practical. His idea that we, by whom he means engineers, should redesign the Internet so that it is less amenable to the sorts of abusive surveillance we are seeing from the US government. And it's the US government he calls out. I guess any features of the Internet abused by China don't concern him as much.
I'm really quite amazed at how ridiculous an idea this is. I imagine it felt good to write, but let's think through the implications.
- The new, secure and free Internet would probably have to be incompatible with the old one. Making it compatible would, if nothing else, increase the complexity of it to the point of compromising the security. Better that it's simple.
- There could be gateways between the new and old Internets, but many types of content wouldn't necessarily be transferrable.
There are many other interesting points I could make about it, but those two are enough to satisfy me that such an Internet has no chance of gaining enough adherents to be worth using. Without scale, it's going to go nowhere. Will Amazon.com do the substantial re-engineering necessary to support the new Internet? Will Netflix? Will Comcast and Verizon and AT&T offer service for it? Only if they see money to be made.
In fact, it's not just silly, it's offensive in a way. If the weaknesses in the Internet that make widespread crime against innocent 3rd parties by freelance criminals is unworthy of a complete redesign, why is government surveillance worthy of it?
About 10 years ago I wrote my own column toying with this idea. My focus was e-mail, as the standards efforts were heating up to try to make email authentication practical and widespread. Even then it was clear that it would be a massive problem, and 10 years later it's accomplished very little.
Nobody serious considered making a new, parallel and incompatible email system, even if it were to be immune from the numerous problems we have with e-mail. At least nobody spent real money on it. If you could never convince people to replace e-mail, an important protocol which everyone agrees was built with fundamental errors with which we are stuck, how could you start the whole Internet over?
Schneier's call for rethinking Internet governance is similarly utopian. He sees himself that other governments and International bodies (the ITU in particular) are no solution, so that does that leave? Surely governments could find ways to subvert the IETF and other such bodies. If Schneier can't think of an answer, maybe it's because there are no benevolent overlords we can go to.
He also doesn't consider, at least initially, the downsides to so secure a network. Sometimes it's good, for instance, for police to be able to track down criminals. Do we really always want to impede that, even if there's a legal process for obtaining the access?
He does make some good points. It would be good if engineers did not stay silent about government pressure to subvert the security of their products. Whistleblowing about this sort of thing seems honorable to me. More broadly, we do need to think about what to do, because the current situation is not acceptable.
But there's no way to get around governments on this. The answer to the problem of surveillance by the US government has to be reform through US political processes. There is a constituency for this. If engineers, or even mere mortals, think something should be done about it, the ballot box is the place to do much of it.