The Problem with the Universal Right to Online Privacy

privacy(As published on Norse on April 15, 2015)

A landmark decision by the UN Human Rights Council was made on March 26th to cover privacy issues arising from the pervasive monitoring by the UK and the US, in an attempt to establish that freedom from excessive (online) surveillance is a basic human right.

The resolution was spearheaded by Germany and Brazil, where public debate about online surveillance has been most intense. Naturally, German PM Angela Merkel has not yet forgotten the fact that her mobile phone was tapped, and event went as far as kicking out the CIA station chief in Berlin.

Brazil’s President Dilma Rousseff cancelled a trip to the US in protest of the surveillance on Brazil’s political leaders. Given that it is prime US policy to keep tabs (well, and taps) on all political leaders in the entire continent of South America, there is little doubt that the sentiment is shared amongst all South American nations.

It was expected that the resolution be blocked by the US and the UK, but it was adopted by consensus and the UN will be appointing a Rapporteur in June. This Rapporteur will have the authority to “remit to monitor, investigate and report on privacy issues and offer advice to governments about compliance. They will also look into alleged violations.”

The initiative, which contains the phrase, “the rapid pace of technological development enables individuals all over the world to use new information and communications technology and at the same time enhances the capacity of governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights,” sounds very compelling and a worthy cause.

However, those who are skeptical of such an initiative have much reason to be.

To start, the UN has over the years steadily ignored both Article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights (where the Right to Privacy is mentioned).

This is hardly surprising since quite a number of UN member states have a rather uncomfortable record with Human Rights as a whole, and there has yet been little appetite for a clash on this subject.

Another major reason to remain skeptical is the equally uncomfortable fact that virtually 100% of all the UN member states are involved with pervasive online surveillance programs in one way or another.

In that respect there is plenty of negative sentiment to go around when it comes to online surveillance, and rightly not all of it is directed towards the US and the UK.

Even Germany, who is taking the lead in setting up this initiative, has been caught with its’ proverbial pants down when it was discovered that their own national security service BND was sharing data on German citizens with the NSA.

They are hardly alone in this: The number of European countries that hasn’t been subject to news in that area can be counted on one hand. To put forth an act that limits their own intelligence gathering operations seem counterproductive at best.

Lastly, it can be argued that the “Universal Right to Privacy” does not translate equally to “Universal Right to Online Privacy.”

However foolish it may seem, we have had a number of examples where such a translation proved much more difficult than it appeared. And these were not small topics: The laws surrounding warfare, for instance, or cybercrime.

Taking all these facts into account, it seems reasonable that this new initiative has some credibility issues. It will be very interesting to see if it develops some teeth moving forward.

Enterprise Security vs. Nation State Threat Actors

enterprisevnationThe recently published Snowden/NSA/GCHQ slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike. But the uproar is minor when considering that it is now more than clear that not only non-allied nations such as China, Russia and Iran are attacking commercial entities. Nation states that we are on good terms with are apparently equally willing and able to attack their allies, just to get ahead in the Intelligence and Battlefield Preparation game. Good friend and excellent analyst Richard Stiennon already acknowledged (allied) nation states as a threat actor for the commercial industry in his article “NSA Surveillance Extends the Threat” in 2013. He asserted that the NSA was leading the threat hierarchy and was advocating a global re-evaluation of ones’ security stance. From what has been unveiled recently this is due for a revision yet again, as it is clear that British GCHQ is following the same playbook. Given both their membership in the “Five Eyes” community (of which all nations in the Five Eyes are core participants) it is increasingly safer to assume that Australia, Canada and New Zealand follow the same methodology, but that is beside the point of this article.

What does this mean?

When comparing the slides and modus operandi concerning Gemalto with what was disclosed about the Belgacom hack, useful observations can be made regarding the tactics employed by GCHQ and the NSA. And that MO demonstrates quite clearly what the real problems for commercial entities are when faced with a nation state as an adversary.

First off, they are difficult to expect. That’s right: Expect, not Detect (although that is probably equally true). Nation states have considerably different motives and these may not always be obvious. Gemalto and Belgacom were targeted because they were gatekeepers to communication networks; in this case telecommunications. They in turn contained what the NSA and GCHQ were actually after: the communications (potentially) running over those networks. It seems like arguing semantics when we differentiate between the targeting the communications networks and the communications themselves, but it is quite relevant: Both the NSA and GCHQ have other legal recourses to obtain the communications they are looking for, but are actively and purposely choosing other avenues. In short, it is not usually obvious what governments are interested in, and even if they have other (legal) means to obtain their target, they might still attack you if that proves to be more useful or less of a hassle.

Second, they are nearly impossible to deter. Cyber criminals generally tend to pick the low-hanging fruit. This will probably remain true as long as there remains so much of it available. The other major category popular with cyber criminals is the ‘big score’, where the spoils of a successful heist are so rich high that attackers consider their time and resources a good investment. Naturally this last group has more staying power than the first group, but both will eventually bug out if the operation is found to be too difficult or risky. Corporate espionage can potentially stay in the game where a cyber-criminal would have given up, but that is very dependent on the level of resources and risk that a firm is willing to commit.  You can deter them by securing your infrastructure to such a degree that the reward of breaking in is not worth the effort. Governments have deeper pockets and thus far seem to be more-or-less immune to criminal prosecution. This significantly alters the equation for such parties. The local social environment of the attacker also plays a role. Corporate spies or criminals basically get told[1] “Get in there if you can”, while soldiers get told “Get in there [period]”. Government operatives don’t get deterred by tedious work or lack of funds. To keep them out it has to be made impossible to break in and, provided it can be done, the task will be Herculean and costly.

It should also be pointed out that governmental espionage is not solely about national security. Many intelligence services are tasked not only with security, but also so-called ‘Economic Intelligence’. To put it bluntly, they are also looking for anything that might give their national corporations an edge against foreign competitors. The reason is simple: successful corporations are a boon to any nation. Not just for the additional tax income they generate, but also for the additional jobs and innovation power they bring. Some intelligence agencies focus more on this than the others, but most do it to some degree. We have seen evidence of this before, during the Echelon program. Several high stake deals were won by American firms due to the intelligence provided to them by the American intelligence apparatus. We can only guess at what intelligence the NSA is currently feeding to American firms. Perhaps the tech firms that are under the NSA yoke are being rewarded sub-rosa as compensation for the multi-billion dollar loss they have incurred (or will incur) over lost trust.

Third, they have capabilities unique to this category of attacker. When looking at the Belgacom and Gemalto hack, it is clear that one major new factor in their approach is Intelligence. Highly trained government intelligence agents are tasked with scoping out the target. They will find key target personnel in short order. It is their job to do so, and even in small nations these operatives are trained and experienced to a degree that will never be matched by a corporate entity. This might be the most effective tool in their arsenal, and next to impossible to defend against. The average person working for a corporate entity will be completely unarmed against people professionally trained in disciplines such as surveillance and interrogation. Would they spot a tail when walking or driving? Would they realize they are being interrogated during a seemingly innocuous conversation with a stranger? Would their family? What is worse, is that nothing private is off-limits when gathering intelligence. Private emails, browsing history, social media, cellphone conversations and text messages are all scrutinized in the hopes of finding a way inside the target organization. They are not above infecting a staff member with a piece of custom-made malware if it furthers their goal. The more staff a company has, the bigger this attack vector is. The problem is exacerbated when dealing with technologically advanced nations, due to higher degrees of technological refinement in their attacks.

Fourth, that we know of their operations does not mean they have stopped. It sounds strange, but for some reason many people seem to think the threat is over now that we are aware of it. It is stating the obvious, but that is not the case. All that has really changed is that we now have some measure of tangible proof to something that was strongly suspected for a long time. The repeated wake-up calls are working to force a long overdue focus on security, but it still has to be acted upon and followed through on. The security industry finally has the clout to address the serious issues, and it can be done without overhyping the matter. Throw away old disparaging sayings such as “if they want to get in, they’ll get in” and do what can be done.

 

Naturally there is more to this issue than the points described above. What is clear is that the corporate world is faced with a potential adversarial class that it is not equipped to deal with. In this regard the world is not that different from the Dutch Golden Age in the 17th century. The Dutch VOC company had a large fleet of merchant ships that were regularly attacked by foreign ships of war belonging to nations that the Netherlands was at war with at the time. The naval frigates outclassed the often cumbersome trading vessels, and defending themselves to a sufficient degree simply wasn’t economically feasible. This problem grew to such an extent that valuable VOC convoys eventually received Dutch naval escorts for protection, even though they did have to help pay for them. What is worth wondering about, is whether we can find a similar common ground with Government and truly co-defend in a meaningful manner.

 

[1] Or conceive the notion themselves, naturally.