It’s as true as anything else that political life is an ongoing process of (re)negotiating “normal.” Policies and practices succeed and become part of society most often when they seem safely in the realm of already acceptable political opinion – what is tolerated depends on what is successfully sold as tolerable. Twenty years ago, equal marriage nationwide was unthinkable – today, it is quickly becoming business as usual. Meanwhile, US airports in the age of homeland security have assumed a new character, with carefully drilled experiments in choreographed security theater, as nonsensical as they are absolute. “Negotiations” of what is “tolerable” can take many forms.
Are we, as a society, comfortable with a world where the government lurks behind every webcam?
In the next 10 years, one of these negotiations will take place over hacking – are we, as a society, comfortable with a world where the government lurks behind every webcam? Earlier this August, Wired reported that it had obtained a copy of a Federal Bureau of Investigation (FBI) warrant application from a 2012 investigation into child pornographers on Tor, the anonymity network.
The application described its targets simply: “computers that access the website ‘Bulletin Board A.'” The first of its kind to be approved publicly, the eventual warrant allowed the FBI to hack and deploy a small computer virus on the computer of every person who visited the website in question. That the FBI didn’t know who these visitors might be didn’t matter – the court’s warrant authorized an attack that did not discriminate based on the individual identities of its users, treating a click as probable cause.
Recent years have shown a number of forays by the agency into the world of policing-by-malware – the use of data or hardware alone or together to disrupt, degrade, record, transmit or otherwise modify information involved in the operations of computers and computer networks without the authorization of the owner of the information or network. Some hacking investigations have sought to identifypersons suspected of making bomb threats. Others have showed interest in placing invasive remote administration tools on unknown computers, software that could allow the agency access not only to a computer’s contents and keystrokes, but also to the feed from its camera.A 2013 attack similar to Operation Torpedo, also against a Tor-based private service, is thought to be the work of the Bureau, as well.
Attacks on speech often begin at the unsavory margins where few will raise the alarm.
If you ask the agency, these are not hacks – they are “Network Investigative Techniques.” But regardless of what we call them, the dangers of a world where the FBI can surreptitiously install malware on the computer of every visitor to a given website – unknown parties, intent irrelevant – are immediate and arresting. It is guilt, or at least infection, by mouse-click. And sadly, an online world littered with booby traps is one where people are less likely to speak and explore freely. The “pedoboard” targeted by Operation Torpedo involved a reprehensible, per se illegal type of speech – images of child pornography – but attacks on speech often begin at the unsavory margins where few will raise the alarm.
Government actions can create a chilling effect on free expression, a concept that frequently arises in First Amendment law. When the threat of negative repercussions for speech or an expressive act exists, people will censor themselves, withholding protected speech to remove the risk of potential reprisal. During the 1960s, for example, political protests themselves were not officially outlawed – they could not be – but activists, civil rights leaders and members of the American Communist Party nonetheless faced a repressive climate under the policies of J. Edgar Hoover’s FBI. More recent research has shown that once Edward Snowden tuned the world in to massive surveillance overreach, people were “less likely to search using search terms that they believed might get them in trouble with the U.S. government.”
“Digital technology has opened up a whole new world of surveillance and identification. The government has developed these programs almost entirely in secret, spending a lot of our money without consulting us.”
There is ample precedent of federal agencies using powers lawfully granted to them to exceed their authorizations, and to harm the public. The narrow charge of the Authorization for the Use of Military Force and the USA PATRIOT Act, marketed as anti-terrorism necessities, have since morphed into multiple bloody occupations, a recurring drone war and grave domestic restrictions that have enveloped nearly every US citizen, a state of affairs that at least one federal judge has harkened to the fantastical Alice in Wonderland.
Domestic policing by digital attack is by necessity still in the twilight of its youth, but the kind of adult it will grow up to be is unsettled. Luckily, it has many siblings, problem children of the US surveillance state whose mistakes should be observed and not repeated. The explosion of biometric data collection and policing in the past decade is a good example.
Immediately after 9/11, with the United States in a collective hysteria, the transformation of public infrastructure into a monitoring device went forward in earnest. Electronic surveillance in days since has accelerated, generating massive expansions in the amount of personal, private data collected and stored by police and government agencies.
Kade Crockford, director of the American Civil Liberties Union of Massachusetts’ Technology for Liberty Project, described the terrain in an interview with Truthout: “Digital technology has opened up a whole new world of surveillance and identification. The government has developed these programs almost entirely in secret, spending a lot of our money without consulting us.”
The explosion of biometrics surveillance has unfolded without consistent, substantive restrictions on its operation. While federal agencies collect ever more personal information, cities experiment with predictive policing and other forms of data collection that, given more information, many Americans might object to. Did you know, for example, that Chicago’s Navy Pier is outfitted with streetlights that double as microphones, or that in many major cities, surveillance cameras funded by the Department of Homeland Security (DHS) capture and record license plate information of cars whose drivers are suspected of no wrongdoing? The rapid rise of these technologies has left the country with few clear rules guiding how authorities use our personal information.
“They’re not regulated at all,” Crockford said of biometric policing initiatives. “Congress has completely punted on all of these issues . . . there’s no oversight nor statutory limits from top to bottom.”
Almost overnight, the United States has become a country where walking in public means being recorded.
Once a practice, whether hacking or mobile fingerprinting, becomes mainstreamed, it adheres to the status quo, becoming an impassable, insidious force. “There’s a huge cultural shift,” Crockford said, describing the expansion of biometric policing following 9/11. “There are all of these TV programs where FBI agents and police officers use extremely powerful surveillance and identification technology and at the end of the one-hour episode everything is tidy, tightly wrapped up.”
“The problem is that that is not a full portrayal of what is really going on,” Crockford added. “There’s a lot of abuse, and that abuse isn’t a part of the TV portrayal of police surveillance. We need to learn from history and not reflexively trust agencies like the FBI when they say ‘we are only going to use these tools against the worst of the worst.'”
The speed with which invasive biometric policing has become commonplace in American society screams caution toward new technologies as they enter the fray. Almost overnight, the United States has become a country where walking in public means being recorded. And in some ways, these technologies are now almost an afterthought to the press, their novelty gone. A New York Daily Newsarticle about pranksters who replaced flags on the Brooklyn Bridge casually notes in its last paragraphs that police were using license plate readers, cell phone tower records, Instagram, and CCTV feeds to find culprits of, essentially, a grand practical joke. Today, they photograph; tomorrow, they hack.
The Usual Suspects
The FBI is not the only US agency that uses hacking to get its way, and the actions of its colleagues may offer indications of what the future might hold. Although the National Security Agency (NSA) has already captured shocking headlines since June 2013 with no end in sight, some of the agency’s less widely discussed actions, even to the most jaded, remain jaw-dropping.
The point of these actions is total collection and total control – to destroy any refuge from scrutiny for any person who might pique the NSA’s interest on the internet.
NSA documents discussed in The Intercept in March 2014 described the agency’s ambitions to “own the net” by infecting millions of devices worldwide and allowing the agency to activate computers’ microphones, read keystrokes and peer through webcams. The kicker? The classified initiative that the NSA tasked to make this goal a reality took some responsibility out of the hands of humans – computers would manage and control many aspects of the digital attacks, until they wrapped the globe. This automation led security firm F-Secure’s Mikko Hypponen to note that in the NSA dream world of offensive digital exploitation, individual computers “implanted” by the agency would be “impossible to target and name.”
Automated, unfocused hacking against computers that can’t be targeted flaunts Fourth Amendment requirements of particularized warrants for searches of US persons. And if we can take former NSA chief Keith Alexander at his word, the point of these actions is total collection and total control – to destroy any refuge from scrutiny for any person who might pique the NSA’s interest on the internet. And before you take a breath, remember: The NSA also hacks the old-fashioned mail. Order a new computer while on the wrong watch list (is there really a right one?) and there’s always the chance that agency hackers will intercept, infect and repackage your machine before it even reaches your door.
Have you covered your webcam yet? Will you?
Money in Their Pockets
When law enforcement or intelligence services get a new toy, the acceptance of that toy as “normal” tends to have unintended consequences. These unintended consequences, known as “blowback” in foreign intelligence circles, are as present with state hacking as they have been with armed drone warfare. And the spread of malware – like the spread of military weaponry to police departments nationwide – should make observers question the tactic.
When the United States began weaponizing drones under the administration of George W. Bush, this country had a monopoly on the practice. But the kinder, gentler, safer world these machines were promised to herald has been anything but – US drones have dealt staggering civilian casualties even as they have been strategically ineffective. In the Middle East and North Africa, they have become the primary engine for mobilizing and militarizing individuals against the United States. What’s more, US investment in the practice has also led to a global arms race. After the Pentagon’s drone budget skyrocketed during the 2000s, dozens of nations have directed their own funds to the practice. The United States’ chickens have, once again, come home to roost.
Specialized malware tools developed in the United States may become hot items for repressive regimes in other countries.
The US defense elite have much to gain from digital escalation, but a world with heavy US reliance on offensive malware risks serious unintended consequences. And just as baseless US bluster about the dangers of cooperating with Chinese tech giant Huawei rings hollow beside revelations that the NSA itself hacked the company, the State Department’s scolding of private malware purveyors will be flimsier still if domestic entities turn to like or identical technologies for their own use.
Specialized malware tools developed in the United States may become hot items for repressive regimes in other countries. A recent report by Morgan Marquis-Boire for Internet human rights research house Citizen Lab showed that a technology for managing and manipulating network traffic developed by US Department of Defense contractor CloudShield Technologies was adapted for use by private spy technology venders like Gamma International, companies that often face charges of cooperating with human rights abuse.
NSA hacking has elsewhere meant secretly weakening the internet’s infrastructure, in effect leaving the door unlocked for anyone who knows where the house is. The DUAL_EC_DRBG algorithm, once recommended for use creating secure encryption by the National Institute of Standards and Technology has fallen from grace after multiplereports that the algorithm was compromised in secret by the NSA and then offered to the public.
This is not a blueprint we should encourage domestic law enforcement to follow.
“Nation states engage in realpolitik,” noted Eva Galperin, a global policy analyst at the Bay Area digital rights nonprofit Electronic Frontier Foundation, in an interview with Truthout.”Regardless of whatever rules you have on paper, they get away with what they can get away with.”
The militarization of domestic police forces, for its part, provides still another cautionary tale for the current malware state of affairs. Since its creation, DHS has offered grants of weapons and money to local police departments, passing no-strings-attached resources to local police who increasingly resemble armies. According to Chris Soghoian, the principal technologist of the American Civil Liberties Union’s Speech, Privacy and Technology Project, the same processes that have led to the police militarization evident in places like Ferguson, Missouri could lead to an acquisition of hacking tools by local police without oversight.
“When DHS just offers money from the sky, then it’s a no brainer for the local cops,” Soghoian said, referring to the potential that local police might acquire hacking tools like those manufactured by private entities such as Italian company Hacking Team.”If I learned tomorrow that local law enforcement is already using this stuff, I wouldn’t be surprised . . . and unfortunately, when the money’s free, oversight is minimal.”
“Police don’t even really have to go to a state legislature. Whatever oversight happens, happens at the city council level, and the question is only ‘do we accept this grant, and then can we use it to buy this?'” he added. “[Hacking technology] sells itself.”
The Beauties of Anonymity
People speak – and refrain from speaking – for many reasons. We choose to disguise our speech online for many more. It might be shyness, fear of professional or political consequence, disdain for algorithmic advertising, or simply a principled attachment to privacy. It may be a desire to harass, but it might also mean life and death. Invasive US flexing on the internet touches upon this right to speak anonymously, a right well recognized by the US Constitution. Despite abuse (which is probably more a symptom of our culture than a result of anonymity itself), the right to speak anonymously has historically proven itself essential to a robust public discourse.
The proposition of the famous New Yorker cartoon – “. . . on the internet, nobody knows you’re a dog” – is equally salient for any other classification. On the internet, no one knows you’re a whistleblower, or a sex worker, a human rights activist, or a person with bipolar disorder. Mark Felt – “Deep Throat” – exposed grave wrongdoing and lived for years with a false identity; authors and commentators of various stripes have adopted different genders and even different races to share ideas without the toxicity that often penalizes non-white and non-male opinion in US culture. Information about birth control and kink has been disseminated anonymously at times when doing so openly would mean legal and other consequences.
Sex workers advocating for labor protections, civil rights and community in the face of restrictive policing and an unregulated industry have used anonymous and pseudonymous speech to shape narratives and fight for basic rights. By default, this means assumed identities. Some, like pseudonymous critic Charlotte Shane, use the platform of anonymity to write and publish while keeping their day job, and others, like Glasgow-based Pastachips have noted the importance of anonymity to safety and organizing.
“It is very important to me to have my Twitter/activist ID very separate from both my Legal Name ID *and* my working identity,” Pastachips told Truthout, via email. “I would really fear the repercussions from dangerous people if I knew that they could click through on a link and book me to go over to their house.” She expressed concern about Scottish police combing internet ads for addresses and performing house calls. “It is so scary to feel under surveillance, even by some incompetent PC plod who only just realized sex work and the internet could be a thing.”
Speaking of the internet’s offerings, she said, “The ability to communicate rapidly and anonymously has led to an explosion of community building, emotional support, consciousness-raising, resource and strategy-sharing, and the ability for people who might get sidelined or ignored to hold people to account.”
Many foundational documents of the American Revolution – Common Sense, the Federalist Papers – were pseudonymous in origin as well.
An Operation Torpedo during Watergate might have extended Nixon’s presidency. An Operation Torpedo targeting activists explaining birth control in another era could have meant misery or death. A malware-aided extension of the already grotesque and reckless police actions towards sex work could endanger workers even more than current tactics already do. The very idea is repugnant to the idea of a free society.
Hacking as State Repression
The legitimacy of state hacking is, for now, considered piecemeal and slowly, with individual judges ruling on immensely important and complicated issues with no clear comment or response from federal bodies, and with little public debate about potential consequences. The “watering hole” attack used in Operation Torpedo falls somewhere between a more focused attack to identify a bomb threat and the NSA’s pestilent vision of a world where self-directing computers target at will. But there is no reason to believe, once the general practice is approved of, that the FBI will stop itself at attacking boards trafficked by presumed child pornographers.
Governments destroy political movements. It’s what they do. It is a feature, not a bug, of American governance. It is a reflex. And the thing about reflexes is that they’re automatic – regardless of any individual at the NSA, FBI or CPD, the institutional logic of law enforcement encourages repression. Abuse is predictable, and without oversight, inevitable.
“We need automatic transparency, rigorous external oversight, and a statutory framework that explicitly prohibits abuses . . . When the government knows everything about its citizens, we become subjects,” Crockford told Truthout.
“But the future is ours if we claim it, if we reject fear and embrace our own power. If we want our children to have anonymity in a crowd, privacy at home, and the possibility for freedom in their world, we must make it so.”