A short note, I have just read this blog post in The Official Google Blog and wanted to share it with you as it is related to my previous Freedom vs Security article:
Tag Archives: Security
A big concern nowadays is how certain industries, such as the music one, are lobbying governments to protect their particular interests. I’m not going to discuss this topic today (send me your comments if you want to discuss it) but my position is crystal clear:
- A web shutdown has to be done with warrants / legal mandates.
It’s easy, isn’t it? At the end of the day what I want is to be treated as in the “real” life. If a police officer wants to walk into my home without my consent he needs a search warrant.
In the security industry we don’t usually look at copyright violations, but to cybercriminals that want to steal people’s money and information. The fight takes place in a number of different fields, but we shouldn’t forget that we are not police officers even though we are fighting against the same bad guys.
If I find a website used to host phishing, I will:
- Add that URL in our “blacklist” to protect my users.
- Share the URL with the rest of vendors so they can protect their users.
Should I stop here? I could check who is the owner of the site, report it to the police, talk to the ISP hosting that site, etc.
Everyday thousands of websites shutdowns happen with no warrants or legal mandates. And Law Enforcement is not involved. Why? Well, this is just a description on how things happen:
- Criminals are creating thousands of new malicious sites, with the only purpose of infecting users and stealing their personal information.
- Security researchers from private companies try to stop that, as they have customers to protect. We find them, we ask the owner of the hosting place to remove it (showing proof of it.)
- They remove it, and the criminals will look for a new place.
There are a number of variations (for example, there are bullet-proof hosting services created by criminals for criminals where it’s impossible to have removed any malicious content) but this is the main idea. But why Law Enforcement (LE) is not directly involved in this? A number of reasons:
- The malicious site can be hosted anywhere around the globe, while LE has local jurisdiction.
- Even if it is a local crime, it can take ages to have a warrant while people are falling there and the attack can last a few hours.
- It may be not considered a crime in some countries.
- Victims don’t know yet they are victims, so they don’t report it.
There are even companies which main focus is to perform these shutdowns, as there are a number of companies willing to pay thousands to have those sites removed because their brand is being abused to steal their customers’ money. It’s important to note that everything is not black or white: hosting those phishing sites could be a violation of the ISP rules, and in that case it could be perfectly legal for the ISP to remove them.
There are many people supporting the idea that the end justifies the means. Of course this is not my case, but even for those that support it, it’s obvious that here we don’t get to the right end: one of the major consequences we have to face is that as LE is not involved, they can not investigate it and criminals will walk free and anonymous.
Now many of you will tell me that I should come down to earth 😉 and that in real life things are not that easy. From the point of view of one of the companies that are continuously targeted, such as eBay, PayPal or hundreds of banks and credit unions, it’s easy to understand that they don’t want to wait, they want to have their users protected ASAP. They could claim that LE has not the resources to have the job done, and because of changing the way they act nowadays would make things even more profitable for cybercriminals.
Let’s take a look at a different kind of crime that usually appears in the news: pedophilia. The same kind of actors are involved: criminals, illegal material, websites that have to be shutdown… Ask to a security researcher what happens when he finds a compromised site with this kind of material: all of them will report it to LE, and LE will act fast and coordinately. Content will be removed and people will be arrested. Everything is done with judicial oversight, as it should be done with phishing / malware incidents.
My 2 cents: there is no silver bullet, but more and better LE coordination among countries would work.
Thoughts? Should we look the other way? Should we stop shutting down malicious sites? Should we just report it to LE and forget it? Maybe we should all join and remove all politicians and try to make things with common sense? 😉
PS: Many security companies and security researches have been working for years with different LE agencies. That was for example the Mariposa case, where the Spanish Guardia Civil and the FBI were involved when they were contacted by Defence Intelligence and Panda Security. I could name a number of other cases, where companies such as Microsoft are working hard with LE, and that happens on a daily basis. But at the end of the day, we manage a huge number of cases (we are detecting 73,000 new malware samples a day!) and only in certain cases we contact LE.
There can be no doubt that the Internet has been the most revolutionary invention of the 20th century. Never before has a human invention given so much freedom to so many people: digital access to information of all kind everywhere in the world. Today, more people get their news from the Internet than from newspapers; young people are watching more online video than broadcast TV; everyone can develop their own blogs and let the world know abut their lives, thoughts and opinions.
However, it seems that the Internet as we know it today has its days numbered. Over the next few years we are going to witness several attempts to gag the Net. But, wait a second… We live in a free world, don’t we? Well, sort of, given that if you want to start your own radio or TV station you will have to ask your government for the corresponding license. And yet, today anybody can create a blog, or start an online radio or TV station to voice their opinions without needing to ask anybody’s permission… Isn’t it just intolerable? 😉
But there is more… People are using the Internet to coordinate protests against repressive regimes, and social networking sites like Twitter show the power of the Internet, a place where you can hear other people’s voices and they can hear yours.
Governments are scared. Very scared. Traditional dictatorships have always known how ‘dangerous’ the Internet is, censoring its contents. However, other so-called ‘democratic’ governments famous for shutting down critical radio and TV stations sometimes opt for more subtle methods: for example, the gag law passed in December 2010 by the Venezuelan parliament to restrict, limit and criminalize contents and the free exchange of information.
In 2011 we have seen many examples of governments’ attempts to eradicate this problem once and for all like, for example, when former Egyptian dictator Hosni Mubarak shut down the country’s Internet connection and mobile phone network. A few days later he was forced to step down as president. Even some Western governments have started to consider the possibility of having a ‘kill switch’ to shut down the Internet at will, with the excuse of protecting the country against cyber-attacks.
The issue of freedom vs. security is in everybody’s mouth, and a majority of people believe it is worth giving up some individual rights in exchange for security. Benjamin Franklin expressed his view of the issue many years ago:
“People willing to trade their freedom for temporary security deserve neither and will lose both”
Today many people unfortunately don’t even know who Benjamin Franklin was. What’s more, many of them are very happy to trade their own freedom in exchange for a certain sense of security (whether real or not, the important thing is to think that you are safe). Moreover, if those taking your liberties from you have been democratically elected, then people are more than happy to accept it.
Governments even go as far as saying that any limitations on people’s liberties aren’t actually that, but they are giving citizens more liberty by protecting their security. This is nonsense. However, anybody that listens to 100 99 percent (let’s keep the hope alive) of politicians, however democratic they may seem, will see that their strategy is always similar: They all try to justify themselves by stating that they restrict our liberties to give us more freedom.
On February 15, 2011, Hillary Clinton gave a speech on the Internet, freedom and security at George Washington University. She praised the steps taken to protect global Internet freedom against its enemies -expressly mentioning countries like China, Vietnam, Burma, Egypt, Tunisia and Iran-, and explained how people in those countries were using the Internet to fight their authoritarian governments.
She also reaffirmed the U.S government’s will to defend Internet freedom, and pointed out the following as well:
“Terrorists and extremist groups use the internet to recruit members, and plot and carry out attacks. Human traffickers use the internet to find and lure new victims into modern-day slavery. Child pornographers use the internet to exploit children. Hackers break into financial institutions, cell phone networks and personal email accounts.”
She then went on to say that Internet freedom was a foreign policy priority, although a balance had to be found between liberty and security, this being one of the most important challenges to face over the next few years.
Once we have reached this point I think it is a good idea to quote Lenin’s opinion about freedom in order to avoid past mistakes:
“It is true that liberty is precious, so precious that it must be carefully rationed.”
And that’s exactly the key point. We must stay forever vigilant in preserving our liberties from politicians wanting to control them in the name of security.
If we say that the Internet has no frontiers and laws are designed to prevail over the concept of territory, we are not saying anything new or original. But if we combine those two ideas together and try to apply laws, regulations or any other system that limits or restricts access, freedom of speech or opinion exchange on such a democratic and egalitarian entity as the Internet things start to get complicated.
Besides, it doesn’t work. If authorities temporarily shut down all Internet access in a country, it will only cause more information diffusion and virality. Therefore, if they gave it a second though, they would realize that these measures are actually counterproductive.
So, while governments waste their time worrying about people posting negative comments on forums and online communities or uploading videos to YouTube, citizens have to deal with real problems like online fraud, and thousands of cyber-criminals make a fortune thanks to the lack of any cooperative efforts to uncover and arrest them.
It would seem that governments’ main concern is to limit Internet freedom in order to protect us… Well, really? I am absolutely convinced that that is NOT the case.
All this will eventually change the Internet as we currently know it… for worse at least when it comes to freedom of speech. In a few years’ time, besides protecting ourselves against cyber-attacks we will also have to look for mechanisms that guarantee our rights against government abuse of power. Some people are talking about the introduction of “Internet passports” to identify Internet users. This idea, widely applauded by some security experts, is sincerely nonsensical if not completely ridiculous. Does anybody really think that the existence of passports actually prevents crime, or that not having a driver’s license is going to keep some people from driving? The aim of this measure is to have people under control at all times.
Today our fight for freedom is more important than ever. Nobody should have the power to limit our freedom in the name of security. Whether I am right or wrong, what I truly want is to have the right to choose freely, even if it is just to make a mistake.
I needed some place where I could express myself openly, so I decided to create this blog 5 minutes ago 😉
Here I will write what I want when I want, I will give my personal opinions about anything, focused mainly in freedom and computer security. To start with, I will be publishing today an article I’ve written called Freedom vs. Security, I hope you enjoy it!