For anyone following cybersecurity and digital privacy, 2013 has been a whirlwind.
When former National Security Agency (NSA) contractor Edward Snowden took the lid off U.S. cybersurveillance activities this past June, unleashing what’s amounted to a Pandora’s box of revelations, the world was stunned to learn just how much data the NSA had been collecting on private citizens.
Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, has been researching and writing about digital security and privacy for years. The Citizen Lab is known for uncovering Ghostnet, an alleged cyberespionage ring based in China. It infected more than 1,200 computers around the world, surreptitiously collecting data from them and even wresting control away from users without their knowledge.
Deibert’s book, Black Code: Inside the Battle for Cyberspace, was recently named to the longlist for the 2014 B.C. National Award for Canadian Non-Fiction. The book recounts the stories of governments and hacker groups that have been trying to seize control of the Internet for their own purposes.
IT Business.ca caught up with Deibert for a phone interview, hearing his thoughts on the state of privacy and cybersecurity at the end of 2013. Here’s our Q and A with Deibert, where he explains that he sees an Internet of global communications as the only way for humanity to survive.
IT Business.ca: So your book, [Black Code], has been out for a couple of months now. And it explored how governments and groups are not using the Internet to bolster freedom, but more to spy on their own citizens. And I think the timing of Black Code was really fortuitous when it came out … So why is it that in the last little while … people are putting more emphasis on this than they ever have?
Deibert: Well, I think the obvious reason is Edward Snowden and the revelations that continue to stream out and put it on the front page on almost a daily basis. I certainly think a lot of people are learning more about the role of signals intelligence agencies, like the NSA, from those revelations. So that’s one thing.
Secondly, I think there’s been so much steady progress towards social media, cloud computing, mobile that it was really inevitable that we’d start to see some of the darker sides of it, and some of the drawbacks to the conveniences we take for granted, and how maybe some of the data that we give away can end up putting us in jeopardy or at risk. And so, I think it’s just an accumulation of experiences that are starting to build up. But most importantly, it’s the Snowden revelations.
ITB: So we’ve heard a lot of things coming out recently, from Google, Facebook, Apple, Microsoft, all those companies, as well as a lot of authors that are trying to put out a digital bill of rights – that idea has been floated around. How likely do you think it’s going to be, that that kind of effort will make any impact?
Deibert: Well, it’s making an impact for sure, in terms of awareness and promoting certain principles so that they gain wider acceptance. But I think realistically, there’s only so far that something like an international digital bill of rights will go. If you look at existing international law, there is [an] international covenant on civil and political rights that already has articles within it about free speech and privacy, that tens of countries, dozens of countries have signed onto, including some of the more notable ones that we would maybe not expect to. And yet they don’t abide by it. So just putting out a new agreement, I don’t think, will solve anything. I think we have to recognize the fact that governments don’t always do what they say they’re going to do.
With respect to the companies, sure, that’s a great step. But I think in the day that we live in, where so much data is entrusted to third parties and private companies, we have to hold companies themselves accountable for what they do with that data in the same way we hold governments accountable.
Of course, the companies talk a lot about government surveillance, but they don’t talk much about corporate surveillance. A lot of the NSA surveillance would not be possible, were it not for the fact that companies like Google vacuum up enormous amounts of data and essentially track us, not for security purposes, but to sell us things, or to sell our behaviours or habits to advertisers. And I think that is something we need to take into account when we start thinking about rights and freedoms in the digital age.
ITB: There was something interesting you wrote last summer in a report about how Canada does have some kind of cyberspace policy set up – some kind of framework for that. But I think you wrote the policies were too thin, and they didn’t look at, what exactly are we securing in cybersecurity? What is the goal of this?
So this is more than a year on, and more has been shared since then about Edward Snowden, and apparently even more revelations are to come about Canada, judging by what Greenwald has said. What do you think the state of things is here in Canada, in terms of our cybersecurity posture?
Deibert: So, like many countries right now, the focus is on public safety and traditional notions of security. And that reflects a deeper world view that ultimately, in my opinion, is incompatible with an open, global, seamless network of communications that is essential for the future of the species on the planet. So it’s almost like a paradigm clash between governments and national security apparatuses, and the mindset that goes along with that, which is primarily derived from a tradition of statecraft that goes back to the Cold War and well beyond that, which privileges security agencies, secrecy, building borders around national jurisdictions. All of that, you can see that very much in play in the Canadian approach to cybersecurity right now.
But in the long run, that’s going to be harmful for Canadian citizens. The clash of those two world views, I think, is something that we’re going to have to grapple with in the next decades as we start to understand that in order to deal with all those problems on the planet as a whole, we really need to have a seamless, globally integrated network of communications.
And that means we can’t have security agencies of one country using it as a platform to project their national interests vis-à-vis other countries. So it’s just a mindset right now that is evident in the way that Canada approaches cybersecurity that I think is, whether you call it thin, or short-sighted, or wrong-headed, it’s one of those.
ITB: But to be honest, Ron, I can’t really envision a situation where countries are noble enough to be like, oh great! So we’re going to stop worrying about our own interests and worry about the interests of everybody … Is that something you see as plausible?
Deibert: Well, it’s certainly not realistic in the short term, but it’s something that is essential if we’re going to survive – that’s the way I look at it. You have a situation where over centuries, governments have built up armed capabilities that got to the reductio ad absurdum of nuclear weapons, where an entire civilization could be destroyed, and that’s a logical outcome of that mindset.
And I think the cybersecurity paradigm is driving a lot of governments’ approach [in] this space that’s in accordance with that. And I think ultimately, it’s incompatible with a broader approach to security that starts at the globe as a whole, and a vision where citizens are citizens of multiple communities – city, province, country, and of course the globe.
That’s my vision of security. It’s not just mine, it’s not an unusual one, even. It’s one that many progressive people around the world share. And I think in part, it’s a generational thing. I think that over time, people’s attitudes will shift accordingly, especially as you look at problems like climate change. You have these huge threats that threaten all of us. And we have to deal with that.
The only way to deal with that properly is by starting with the assumption that you need a shared communications medium through which citizens can debate and exchange ideas freely. And we had that briefly with the Internet. But it’s now being threatened through censorship, surveillance, and even militarization. So we somehow have to bring that all back in check.
That doesn’t mean that we won’t have security issues to deal with, collectively. We have major issues having to do with terrorism, weapons of mass destruction are very real, and there really are no absolute controls over them. So we’re going to have law enforcement. We can’t have rights without having agencies whose job it is to enforce the laws that protect those rights, which means we have to have surveillance. We can never go back to a time without surveillance. But none of that is incompatible with the paradigm I’m talking about on a broader scale.
ITB: But to get all those changes in place, I think we’d need to see more people paying more attention. I look at the Internet laws in Britain, for example, and people clamping down there and being like, oh well, we’re trying to do this to rid the Internet of child porn. And some citizens think this is a great idea … they don’t seem to mind the idea of censorship. How much do you think people are waking up to this?
Deibert: Well, there’s a lot of lethargy and apathy, and people are generally easily distracted by surface-level stuff. You know, cute kittens and things on the Internet that are funny on YouTube and all of that. But ultimately, as it always does, it boils down to a large constituency of stakeholders who – I wouldn’t want to call them elites – but they’re the people who understand the stakes involved and have a direct role in being a stakeholder in governance of the Internet.
And I think right now, when we get back to Internet and IT-related issues, that’s the big challenge here. On the one hand, you have proposals and policies out there that seek to carve up the Internet into national spaces. Some of them are under the rubric of the protection [against] child porn, some of them are broader, like in Saudi Arabia, where if you even criticize the government, it’s now considered terrorism under national laws. And that includes people blogging about criticism of the government or tweeting about it.
So you have on the one hand, this kind of carving up the Internet versus a broader community of stakeholders – and I would include most of your readership in this category – of engineers, computer scientists, physicists, scientists, who understand that we need to have a baseline, a commons of information and communication that is open and accessible to all in an impartial manner. And we’re striving to build that together.
So that means we’re bumping up against national interests, military rivalries, you know, special interests around big business, and they want to carve it up in various ways, so the challenges are getting steeper. I’m quite pessimistic about it, but I don’t think we can ever lose sight of that vision.
ITB: Good point … [Your work with] Ghostnet happened about three or four years ago, and it was all about cyberespionage in China. Given all that’s happened with the NSA … How do you anticipate the next year or so unfolding?
Deibert: Well, I think we’re at a critical stage for Internet governance. The debate that I mentioned between, broadly speaking, these two communities – national interest community versus the global Internet community – is at a critical point, I would say.
And I think the Snowden revelations have kind of thrown a wrench into that discussion, meaning a lot of governments are using the Snowden revelations as an excuse to stiffen or tighten national controls. We can see that in Brazil, in India, we can see it in the logic around detaching from the Internet, or U.S. infrastructure, however well-meaning that is.
So as these revelations continue to stream out, those of us who care about a global Internet, that’s free and secure and open, need to articulate a broader set of principles around how to govern this space that is based on what I call distributed security. So not thinking of security of the Internet in a national hierarchal fashion, but rather broadly speaking, in a distributed fashion, meaning that you distribute as far as possible and as wide as possible, the number of stakeholders that have a hand in securing this space at a grassroots level so that [the Internet] remains open and free for all.
And we’re at a critical stage right now, in the next year, around the various meetings that are coming up – one in Brazil, there’s [The Internet Corporation for Assigned Names and Numbers] meetings, International Telecommunication Union meetings – all of these will be important for the future of Internet governance.