Something Changed on the Internet

by Maria on November 19, 2013

It’s only been five weeks since the organisations that manage the Internet’s technical infrastructure dropped the bombshell that they want the oversight of ICANN and IANA to be done by all governments and stakeholders, and not just the US. In a statement made in Montevideo, ICANN, ISOC, the IETF, all the world’s regional Internet registries, the Internet Architecture Board and the World Wide Web Consortium all called out the Snowden revelations as having ‘undermined the trust and confidence’ of users so much that it’s now time to get on and build truly ‘global multi-stakeholder Internet cooperation’.

What does all that mean? Basically, the people who built and run the global Internet no longer trust the US government to be its sole public-interested global steward. Despite a six-month scrum of self-satisfied lobbyists falling over each other to say ‘everyone knew what was going on’ and nothing fundamental has changed since Snowden; everyone only thought they knew what was going on and something fundamental has changed since Snowden.

Whether you think real ethical and legal issues are raised by mass surveillance or that the uproar is just an opportunistic response to one country spying merely too successfully on all the others, it is very clear that the US security services stepped far, far over the line when they took part in IETF technical working groups to purposely undermine the security of the Internet. It’s one thing to play an ‘all’s fair in love and war’ game to exploit networks and business relationships to surveil the population, quite another to knowingly introduce vulnerabilities that your enemies can also exploit. This, and disquiet at how some large US corporations act – forced or willingly – as arms of that state, is the basis of the breach of trust.

You don’t get to invent the Internet, export it around the world as a force for free markets, innovation and human progress, oversee the volunteer organisations that make it work, host the most important companies that deliver and use it, and then say it’s not fair that other countries think you are unfairly exploiting a home advantage. You also don’t get a pass on what Milton Mueller calls out as a strange blindness to the privileged role of your own government when you go around the world proselytising that ‘governments should stay out of running the Internet’.

Before Snowden, Russia’s and China’s paranoia and distrust of Internet freedom as a merely tool of US foreign policy designed to weaken their states could be dismissed as the kind of twisted thinking you expect from authoritarian states that simply can’t imagine not abusing a global common pool resource under their control. That’s how they would behave, so of course they think it’s how we would.

After Snowden, we live in a world where country after country has taken steps to distance itself from the current status quo on who oversees the Internet, and to condemn the US for abusing its role. But neither the US nor its junior partner in electronic surveillance, the UK, has made a concerted public effort to counter the claims of moral equivalence made by our rivals in the battle for Internet control; Russia, China, Iran and Saudi Arabia.

The silence of what are, after all, democratic governments about what legal constraints the UK and US’s spying systems operate within – and how those frameworks can and should be improved – means that rival states are controlling the narrative. Controlling the narrative means getting to decide its ending. Lots of us saw this coming. At a national meeting in September we urged the UK to develop a positive response to its role in global surveillance. Snowden wasn’t even on the agenda. But our governments seemed to slope off to the annual global Internet Governance Forum in Bali with no story to tell about itself, merely the plan to slip a few words in the right ears in the corridors outside public meetings, and to hope for the best.

Meanwhile, the business lobbyists swarmed everywhere repeating the mantra that ‘everyone knew; nothing has changed’, hoping their claim of knowing and worldliness would make anyone who disagreed feel like an ignorant rube, hoping repetition would drown out incredulity. That was both stupid and wrong.

By September, there was a fundamental breach of trust between the US government and the global technical communities, between the US and UK and pretty much every envious middle-income country on earth. But instead of facing up to the problem, the West and its international business community put their fingers in their ears and pretended everything was the same as before, or, at worst, just a little bump on the yellow brick road.

Let’s look at what happens when parts of a powerful institutions go bad and the whole institution ignores, denies and then attacks the accusers; for example, the Catholic Church. First, the people who accused the Church of systematically protecting abusers were written off as kooks. Remember the response to Sinead O’Connor ripping up the picture of the Pope. (Tinfoil hat brigade, anyone? How smoothly those ‘in the know’ transition from laughing at conspiracy theorists to claiming everyone always knew what only paranoids used to claim. But of course we’ve always been at war with Oceania.)

Then came the denials – refusals to cooperate with investigations, claims of special privilege, attacking the victims and accusers and writing them off as ne’er do wells, misfits, the terminally damaged. All that was predictable enough. But the point where the Church really lost its flock – and I’m thinking here specifically of the moment church attendance in Ireland dropped right off the cliff – was when, even though they seemed to be facing up to the need for due process and redress, they just couldn’t fathom the depth of the breach of trust. There was and still is a complete disconnect between what the Church did wrong and what it thinks it did wrong. Many elements of the Church still feel truly hard done by because they fundamentally do not understand why they lost the trust of the people they served. And now it’s too late. People voted with their feet and they’re never coming back.

What the US did to the Internet isn’t the same as the Catholic hierarchy protecting paedophiles, not even remotely. But what is eerily similar is its utter refusal to face up to the fact it they lost the people, it lost the battle, it may just have lost the war.

Getting proxies to run around international meetings saying nothing had changed – and that everyone who thought it had was either knavishly opportunistic or ridiculously naive – was a stupid mistake, a tactical error rooted in an inability to accept that the strategic environment had fundamentally changed. It was a car crash in slow motion. Someone had to do something. Someone did.

More on that anon.

{ 25 comments }

1

John Quiggin 11.20.13 at 2:38 am

I’d add to this, in both cases, the complete failure to get ahead of the story. By this stage, the NSA and its junior partners (Australia is even more junior than the UK) must either have worked out what Snowden has taken or reached the conclusion that he has taken just about everything. Either way, it would make more sense to ‘fess up on the less damaging stuff, release it with your own spin, and try to reduce the impact of further revelations.

But the internal dynamics of both the Catholic hierarchy and the NSA seem to prevent this. It’s not just that they can’t admit the truth to us, they have no way of admitting it to themselves.

2

QS 11.20.13 at 12:36 pm

Pardon my ignorance, but hasn’t the role of the US in overseeing these bodies been a source of controversy for a long while? Is this the first time that the very bodies (ICANN/IANA) themselves have sought to be internationalized?

3

Maria 11.20.13 at 12:50 pm

QS, yes, the debate has rumbled along since the late 1990s, but this is the first time the organisation itself has said it should be globalised and in a context where US allies are no longer going out of their way to support it.

4

otto 11.20.13 at 1:05 pm

Would the proposed change to ICANN and IANA governance structures stop the US from doing the electronic surveillance that Snowden revealed/confirmed that is has been doing?

5

hix 11.20.13 at 2:47 pm

Just Russia China Iran and Saudi Arabia? Just big countries who do more Internet surveilance (maybe not Russia) than the US at home, those are the only ones who have a problem with US dominance at Ican? That does not sound plausible. Merck is certainly not happy at all for a reason completly unrelated to internet surveilance for example.

6

James Wimberley 11.20.13 at 4:48 pm

The ITU, one of the UN family of global organisations – but much older as it goes back to the International Telegraph Convention of 1865 – has been making a bid to host the governance of the Internet. Up to now, the bodies running the Internet have rejected this elderly suitor, and preferred the existing ad hoc structures anchored to international public law only through the patronage of the United States. Does the ITU have a chance now? It would have to write an Internet Convention guaranteeing the professional autonomy of the various bodies and defining the rights of governments and the telecoms operators who provide the infrastructure. The problem may be that the telecoms have too much influence in the ITU already and see it as their club. That looks fixable, easier anyway than surveillance.

7

Peter Hovde 11.20.13 at 5:31 pm

I know someone who is heavily involved in IETF, and has specific people that he suspects of being shills for the NSA, trying to steer protocol development to make surveillance easier.

8

Maria 11.20.13 at 5:44 pm

Peter, I have heard there is a lot of that active suspicion going on over there, and it’s been really destructive.

9

Maria 11.20.13 at 5:48 pm

Otto, the odd thing is that surveillance per se has little or nothing to do with what ICANN’s role. What’s happened is that wider distrust of the US’s ability to constrain itself, alongside its privileged position as progenitor of the Internet and base of most of the biggest ICT companies, has – in the absence of a defensive line that addresses people’s concerns – been channeled into the ongoing efforts to end the USG’s special relationship with Internet names and numbers. That was both unfortunate and unnecessary, but, as JQ points out, integral to the character of the institutions that created the problem in the first place.

10

Maria 11.20.13 at 5:53 pm

James, the ITU’s bid to be the place where governance of the Internet is done is indeed longstanding, and most prominently supported by the least liberal / democratic countries. The reasons include it’s a UN one-country / one-vote organisation, so ostensibly no country is more powerful than any other (and the country with the most client states wins). Also that, compared with the orgs I’ve mentioned that currently coordinate the Internet, the ITU is very closed – it’s paid membership for large corporate telcos, and otherwise only governments get a voice. So it would be curtains for the multistakeholder model. That’s not fixable as it is central to the structure and function of the ITU.

11

William Timberman 11.20.13 at 6:57 pm

I’d always assumed that after the initial flap over U.S. presumption fully revealed, things would pretty much go back to the way they’ve been, and frankly, it’s hard to imagine even now that they won’t. It’s encouraging, though, to see that someone on the inside thinks otherwise. I do hope you’ll keep on reporting here as the situation develops further. There’s nothing more invigorating than having one’s cynicism refuted.

12

Matt 11.20.13 at 8:46 pm

I’d always assumed that after the initial flap over U.S. presumption fully revealed, things would pretty much go back to the way they’ve been, and frankly, it’s hard to imagine even now that they won’t. It’s encouraging, though, to see that someone on the inside thinks otherwise. I do hope you’ll keep on reporting here as the situation develops further. There’s nothing more invigorating than having one’s cynicism refuted.

I think high visibility changes may still be quite limited. There will be no sincere apologies from spying governments, no meaningful oversight or transparency added, no rollback of secret courts and secret rulings. All the interesting leaks will eventually be out and then they won’t make the headlines anymore, and most people (if they ever cared at all) will stop caring.

The important low visibility changes are things like Maria is reporting. The assumption of good faith by Western democracies is revealed incorrect. The paranoid cypherpunks were right about governments. They’re intercepting everyone’s communications, all the time. They’re passing laws in the name of terrorism, going beyond them to fight run of the mill domestic crime, and then submitting fake evidence to judges and juries to hide the illegal snooping. If we want to maintain privacy in 21st century communications, laws passed by public bodies are insufficient, because privacy can still be violated by secret bodies behind the public’s back or in other jurisdictions.

I would say that right now techies are largely united in outrage against mass surveillance and are looking for ways to thwart it. I think it’s important to establish new norms of surveillance resistance while the outrage is still relatively fresh, because for the techies’ ideas to work at all they at least need protection from “all public communications services must enable interception” legislation. I think they have about 3 years in which to establish better technical privacy norms before the security services regain legislative support to hobble privacy.

13

Straightwood 11.20.13 at 11:39 pm

We are seeing the first indications of the twilight of the nation state. The Internet is as global and indivisible as the atmosphere, and it will never succumb to political partitioning. The nation states are dying but dangerous creatures. Global currencies are emerging and will be universally accepted. Global human rights principles will be agreed and enforced. Global environmental standards will be agreed and enforced. The dominant nations states will fight viciously to arrest and reverse these developments, cloaking their actions in patriotism and crime-fighting. They will fail.

14

John Quiggin 11.21.13 at 12:46 am

The blowup between the Australian and Indonesian governments is the first real evidence that things have changed. Ambassador recalled, all forms of co-operation suspended.

15

Peter T 11.21.13 at 2:22 am

While I do not buy Straightwood’s take on global governance, there is an emerging group of mid-strength states that a lot of trends have boosted, it looks like at the expense of the great powers (which seem to be in slow decline). I would put Brazil, Iran, India and Indonesia on that list. These will be the ones driving changes.

16

Straightwood 11.21.13 at 2:56 am

@15

Keep an eye on the emerging Internet currencies, like BitCoin. They will be a major threat to the sovereignty of nations. The ability of Internet citizens to transact business privately, and without government interference, will have far-reaching implications. The prospect of a virtual global government spontaneously emerging from Internet society is something that should be of some interest to political theorists, but they persist in viewing the Internet as subject to nation state control. This will change.

17

The Raven 11.21.13 at 3:10 am

Maria, do you hold out any hope of improvement in internet governance as a result of this? Is it possible we will see some sense, at long last? Or at least that this will die down and matters will return to status quo ante?

The problem of the ITU is the problem of the UN and it is the problem of modern federalism that we have become so familiar with in recent decades: the UN is an organization of nations, not people.

On the other hand, “Researchers from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been improperly redirected to routers at Belarusian or Icelandic service providers,” reports Ars Technica.

Is there any hope we will see more security in the infrastructure of the internet? Because it is clear we desperately need it.

18

Watson Ladd 11.21.13 at 3:36 am

The IETF managed to screw up basic cryptography for 20 years. The NSA doesn’t need to subvert them: the idiots on the committees do a good enough job themselves.

@The Raven RE: the question of routing security, even if you authenticate the sources of routes, ISPs still have the ability to advertise unusual routes. Sometimes this is legitimate: two telecoms might interconnect through a third one some distance away for historical reasons, rather than in the obvious course. A storm or backhoe might switch the way traffic flows when a link goes down. Sometimes it isn’t. But if you ignore the route advertisements you think are suspicious but work, things could break badly.

19

The Raven 11.21.13 at 4:11 am

Watson Ladd@18: “The IETF managed to screw up basic cryptography for 20 years.” Did it ever cross your mind that they might have had help from the NSA?

20

Watson Ladd 11.21.13 at 4:25 am

The Raven: The case I am thinking of was not pushing a standard for seemingly good reasons that later was discovered to be weak. Rather, in 1995 it was known that encrypt-then-MAC was better than MAC-then-encrypt. Rogaway sent an email to the WG saying this, but was ignored. Sure enough, vulnerabilities galore stemmed from that mistake.

You don’t sabotage a standard by bribing people to make an idiotic mistake: too noisy, too many moving parts. Instead you introduce a seemingly-reasonable alternative that has subtle disadvantages, that improves on the current proposal in certain ways, and push it through the front door. See the efforts at the IEEE 745 meetings to abandon guard digits, or the DUAL_EC random number generator. (Yeah, Dual_EC wasn’t that subtle, but work with me here). We also don’t know what standards were compromised: either Snowden doesn’t have that or the reports aren’t reporting it for some reason. But I’ll bet it was much more subtle than the SSL mess.

21

Tim Wilkinson 11.21.13 at 9:08 pm

Straightwood – I find it very hard to believe that bitcoin would survive for long if it were seriously to threaten (certain) states or state-backed interests. In fact to the extent that the responsibility for maintaining the ‘currency’ is decentralised while the actual functioning of the system isn’t (cf., for the latter, widespread delusions about ‘the cloud’), it’s fundamentally ungrounded in anything ‘real’ at all (replying that the reality of a currency is a matter of degree is to rely on a particularly implausible sorites argument). It’s a bubble, or perhaps a Ponzi scheme. I don’t know much about the micro-theory of how it’s supposed to work, but I don’t need to. All you need is a bit of bad money driving out good, a critical mass of hacking or operators going out of business, and the whole thing collapses. There is a lot of superstitious zeitgeisty nonsense talked about decentralised processes and especially spontaneous order (e.g., of course, The Market) and this is one example. IMO.

22

dax 11.22.13 at 2:13 pm

“But neither the US nor its junior partner in electronic surveillance, the UK, has made a concerted public effort to counter the claims of moral equivalence made by our rivals in the battle for Internet control; Russia, China, Iran and Saudi Arabia.”

“between the US and UK and pretty much every envious middle-income country on earth. But instead of facing up to the problem, the West ”

The US and the UK – heck you can throw in Oz, NZ, and Canada – are not the West. The countries of continental Europe, Japan, and a few others, seem to have a large part to do with it.

23

Emily 11.22.13 at 5:02 pm

Great analysis, Maria. Thank you for writing this piece.

I am still stunned at how muted the reaction in the UK and EU has been. At least in the US Congressmen are shouting and thinking up laws to limit the excesses of the security forces. Ed Vaizey’s speech to the IGF was yet another example of why he and the UK Government are hopelessly out of their depth. Whereas the US delegation (whether you believe them or not) said “we’re here to talk about what happened, and to be part of the debate”, Vaizey’s contribution was “My goodness, Bali’s lovely. And people say these Indonesian chappies don’t get the Internet! My a***! The Indonesian President has 3 million Twitter followers. That’s more than me! Anyway. Can’t stop. Off to the beach”.

Also curious as to where Sweden, champion of Internet freedom, convener of the Stockholm Internet forum, is in this debate. FRA anyone?

24

Ted Lemon 11.24.13 at 4:11 am

Whether you think real ethical and legal issues are raised by mass surveillance or that the uproar is just an opportunistic response to one country spying merely too successfully on all the others, it is very clear that the US security services stepped far, far over the line when they took part in IETF technical working groups to purposely undermine the security of the Internet.

Do you have a citation for this? I’ve heard this alleged before, but I haven’t heard anybody present any evidence to support the supposition that it happened. Needless to say, the IETF leadership (which includes me) is curious to know if such an incident has occurred.

One of the strengths of the IETF process is that it’s all out in the open. That can create problems and delays as well, but in theory at least, it should be easy to tell if someone is subverting the process, because they have to do it openly. So if you are aware of a case where the process was deliberately and successfully subverted, we’d like to know about it.

If you are referring to the NIST crypto thing, that wasn’t the IETF—that was NIST.

25

Emily 11.24.13 at 6:30 pm

Just blogged about Snowden, Kennedy and Internet Freedom http://www.emilytaylor.eu/articles/2013/November/John-F-Kennedy-and-Internet-Freedom

Comments on this entry are closed.