EU Politician Wants Internet Surveillance Built Into Every Operating System
from the they-just-haven't-thought-this-through dept
"Think of the children" has become the rallying cry of politicians around the world trying to push for ever-increasing Internet surveillance powers. Since nobody wants to run the risk of being branded as soft on crimes like paedophilia, resistance to such measures is greatly reduced as a result.
This approach was used in the "Declaration of the European Parliament of 23 June 2010 on setting up a European early warning system (EWS) for paedophiles and sex offenders" which:
2. Asks the Council and the Commission to implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively;
3. Calls on the Member States to coordinate a European early warning system involving their public authorities, based on the existing system for food safety, as a means of tackling paedophilia and sex offending;
The two European politicians behind the Declaration, which seeks to extend the already intrusive Data Retention Directive, were Tiziano Motti and Anna Zaborska. Motti now wants to go even further by monitoring and storing all Internet activity in the European Union.
The press release about the launch of this new initiative was entitled "Data Retention Directive: the fight against paedophiles and sexual predators on the net, respecting citizens' right to privacy"; it explained:
The press conference will focus on the most discussed part of the Data Retention Directive, which is under revision, and on the 'Motti Resolution' approved by Parliament in 2010, asking to extend this Directive to content providers (social networks etc) in order to identify more easily those who commit crimes, including paedophilia through sexual harassment on the Net (recognised as a crime by the legislative Resolution to be voted at the next plenary session in Strasbourg). This is a request which does not regard specifically the online content, which falls under the Regulation of wiretapping, but to the traffic data developed by the person uploading material of any kind on the net: comments, pictures, videos.
During this press conference, Mr Motti will present the solutions that can make possible the enforcing of the Resolution approved in June 2010, through a study provided by computer expert Fabio Ghioni, and he will answer to the objections, especially from northern Europe, to the Resolution asking for the broadening of the Directive.
As this indicates, in order to forestall the usual accusations of technical cluelessness, Motti was joined by Fabio Ghioni, described by the press release as "World Expert on security and non-conventional technologies, author of the book 'Hacker Republic'". Ghioni's site carries more details about the ambitious plans, reproducing an article (in Italian) that comes from the web site of Famiglia Cristiana (Christian Family).
Strangely, there Ghioni's project is presented not as a way to catch paedophiles, but as being about keeping personal data safe. The article talks about the fact that users willingly hand over all kinds of information to Facebook but have no control over what the company's employees might do with it. Because of this, Famiglia Cristiana says:
it is worthwhile to evaluate the system developed by Ghioni, which is called LogBox and provides data storage for two years with features that aim to ensure fundamental rights and freedoms of citizens.
It's not exactly clear from the article how a black box that logs all your online activities and stores the data for two years will ensure those fundamental rights and freedoms, but the general drift seems to be that you will have a record of everything that you did, which you could use in court, for example, if you are wrongly accused of some misuse of the computer. What this overlooks, of course, is that it will also be a tempting target for governments who want to keep a tight rein on their citizens, or for companies that want to enforce copyright laws by monitoring alleged file sharing activities.
The LogBox system devised by Ghioni encrypts data, placing the decryption key in the hands of the authorities, a notary [lawyer] and the user of the system. Thus the digital certificate is guaranteed by the three entities, including the user, who is in control.
That sounds as if a digital hash of the connection data is encrypted with one or three separate keys – it's not entirely clear. In theory, having three different keys, all of which were required to decrypt, could be quite secure, but it's no proof against court orders demanding your decryption key. On the other hand, having only one shared key would be an invitation for the police to snoop through your online logs all the time. And yet the article insists:
Let's be clear that this has nothing to do with interceptions: here we are talking about digital data, not contents. Currently the two main issues that result in a "wild west Internet" are digital identity and authentication of both the users and the service providers. Let's take the example of social networks: currently anyone can create a fake personal profile. Let's take the example of online paedophiles: they can be traced only if they use their own account but if, as is easy to do, they connect from a different IP address in some other country, they will never be held responsible for the criminal actions they carry out.
From this it seems that one of the key features of the black box is to make pseudonymous or anonymous activity online impossible. Again, it's hard to see any benefits whatsoever for users – in what way is this "respecting citizens' right to privacy"? – but plenty for governments and the copyright industry.
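The two readings of the key arrangement weighed above (three keys that must all be present, versus one key held in copies) can be compared directly. This is an added illustration, not LogBox code or anything from the article; the XOR key split, the standard-library encrypt-then-MAC stand-in for a real AEAD cipher, the function names and the sample log line are all assumptions.

```python
import hashlib, hmac, secrets
from functools import reduce

# Constructed sample of one connection-log record (not real data).
LOG = b"2011-06-01T10:00:00Z host=pc-01 user=alice dst=203.0.113.7:443"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int = 3) -> list:
    """n-of-n split: n-1 random shares plus one that XORs back to the key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return shares + [reduce(xor, shares, key)]

def combine(shares: list) -> bytes:
    """Rebuild a key candidate from whichever shares are presented."""
    return reduce(xor, shares)

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one log key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with stdlib primitives (assumed stand-in for an AEAD)."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = xor(plaintext, hashlib.shake_256(enc + nonce).digest(len(plaintext)))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or data was altered."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return xor(ct, hashlib.shake_256(enc + nonce).digest(len(ct)))

def compare_schemes() -> dict:
    """Hypothetical parties: user, notary, authority (as named in the article)."""
    key = secrets.token_bytes(32)
    blob = seal(key, LOG)
    user, notary, authority = split_key(key)
    return {
        # Reading 1: three distinct keys, all required.
        "three_keys_all_present": unseal(combine([user, notary, authority]), blob),
        "three_keys_user_absent": unseal(combine([notary, authority]), blob),
        # Reading 2: one key, each party holds a copy.
        "one_shared_key_authority_alone": unseal(key, blob),
    }
```

The split only decides who can decrypt without the others; it does nothing against an order compelling a holder to hand over their share.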
Even more surprising is exactly how Ghioni wants the black box idea implemented:
The LogBox system would clarify these issues through a precise mechanism that involves the "collaboration" of the operating systems. Therefore the help of Windows, Apple, Linux will be needed. The operating systems will have to store the characteristics of all the activity logs (in practice, tables) generated by the computer that is running the operating system. That's no small thing, because the logs would be signed digitally in such a way as to relate to a specific computer and its user. And this will be independent of any attempt to anonymize illegal activities. Ghioni insists that the costs of this operation will be extremely low.
Cost is hardly the issue. Even if the EU were to insist that Microsoft and Apple implement this black box "feature" in their products, this is simply unworkable for GNU/Linux-based systems. By its very nature, open source lets you hack the code, and so removing any such digital black boxes – even assuming they were put there in the first place by the likes of Red Hat and Canonical – would be relatively easy. Hacked versions would circulate online almost immediately.
The only way to stop that happening would be to forbid people from installing "unauthorised" versions or from making "unauthorised" changes to the system code once installed – which would effectively make open source operating systems illegal in Europe. Given that the Linux kernel was created in Finland, that would be ironic to say the least.
There are other problems that will make this approach unworkable. Already people are accessing the Internet increasingly through mobile devices and e-readers; that presumably means that these too will require black boxes to track users' every online move. In the longer term, we are moving to an Internet of things, which means that many objects in our home will have an IP address and be hooked up to the Net: does that mean there will be a black box for our toasters, perhaps?
And then there is the fact that a 2 Terabyte portable external hard drive costs around $100, making the sharing of vast numbers of files trivial even without the Internet. Do we add black boxes to hard drives? What about USB drives?
What's worrying is that a politician can be naive enough to believe that solving this complex problem is really as easy as adding a few lines of code to an operating system – and that he hopes to convince the European Parliament to mandate such a thing. Far better to stop invoking the "think of the children" mantra as a way to short-circuit rational discussion and instead to encourage a rational, mature debate about how these serious problems can be solved with real-world solutions.