Digital Report recently sat down with cyber security expert Rafal Rohozinski to discuss a broad range of issues affecting the internet, such as government control, privacy and the role of hacktivism in countering social ills.
DR: Government and surveillance is an increasing concern. Where do you think it will end? Are governments seeking unreasonable control over the internet? And what are the repercussions if they do attempt to implement restrictive comprehensive controls?
To start, I think we need to realize that very few countries want to totally control all aspects of the internet. And the reason is quite simple: controlling the internet also defeats the purpose of the internet as one of the most significant drivers of economic growth in the past 20 years. The internet is responsible for one of the greatest leaps in empowering individuals in human history. More people, in more places have access to information to make decisions about what to study, where to live, what business to engage in, than at any other time in human history. It has unleashed creativity, spawning entirely new sectors of the economy. Companies like Google, Microsoft, Yandex, Facebook, and VK have changed what people know, how they interact and behave, and have created the basis for entrepreneurial activity that couldn’t be imagined 30 years ago.
Consequently, even countries like China, that have imposed significant controls over the internet, are careful not to impose total control. To do so, would mean severely curtailing their potential for economic development. China can get away with significantly more controls than most countries because of its size — they have a very large internal economy. Smaller countries that are dependent on international trade and contacts suffer disproportionately when they try to control the Internet. That is not to say that the internet should be controlled to a degree, or be policed. Clearly, as the internet has become an important aspect of national economic life, and more and more people use it, safety and security should be a public responsibility, just like it is on highways or elsewhere in the real world. That’s only natural. After all, when automobiles were first introduced in the United Kingdom it wasn’t the government that regulated speed limits, stop signs, etc., rather, it was the Automobile Association. The system was one of self-policing. This didn’t last long, however. Once enough people were driving cars, it became the responsibility of the government to ensure public safety and order. The same historic lesson applies to the internet. When it was small, it could be self-policing. Now that it is part of society at large, the internet requires some form of publicly accountable policing. The degree of policing that occurs over the internet needs to be balanced. It should ensure public safety, but should not stifle entrepreneurship, economic activity, or access to knowledge — which is a significant driver for national development.
DR: Do you think that recent terrorist attacks, and the use of the internet by groups such as ISIS, will mobilize popular support for greater control over the internet?
I think it would be a mistake to respond to recent terrorist acts by focusing on control of the internet as it is not the only means by which to prevent these actions. Yes, terrorists use the internet. And yes, it’s important that police and other authorities have the ability to practice lawful intercept as part of normal security practices designed to detect, track, and deter terrorists — before they act. It’s also true that modern terrorists use the internet more because it allows them to do things more efficiently. Small groups can operate globally because they can communicate across borders. Online payment systems make it easier to transfer cash where previously human beings would have to bring physical money across borders. And, in some cases, criminal activity online can fund the activities of these groups. But terrorist groups are ultimately a small minority. And ultimately, traditional police and intelligence techniques are more important in identifying groups and individuals than in monitoring internet traffic. If we recognize that terrorist groups are interested in changing the way we live through fear and intimidation, then the worst thing we could do is to allow them to do so, which includes diminishing the clear benefits we derive through the internet. That is not to argue that the internet does not require policing — clearly it does — but terrorism is perhaps the least good reason for imposing greater controls.
DR: Has the internet become more dangerous than it was 5 years ago?
Not really, in fact, if anything it’s grown safer. Let’s begin with the fact that the internet was never built for security — it was built for making communications easier and simpler. That’s why it’s called the “inter-net”. It was made to bridge different networks and computers by creating a single protocol across which everything would work. That’s why we have as many services as we do in today’s internet. Everything from e-government, e-commerce, voice over IP communications, chat, email — you name it, the internet can support it. One reason why the internet may feel less secure is because so many more people are using it. If you consider that between 3-5 % of any community is engaged in criminal activity, there’s a big difference in terms of the number of people involved when you go from 30,000 people on the internet, like you had 25 years ago, to close to 2.5 billion people — which is what we have today. Because the internet has no borders, that means everyone is potentially a victim of cybercrime. And many are. By some accounts up to two thirds of all users of the internet have been the victim of some form of cybercrime. That is significant.
But the reason the internet is actually more secure than it was five years ago is because companies and governments have recognized that security is an important requirement for public safety. Mr Snowden’s revelations, for example, have made protection of privacy and encryption a mainstream business. Many major companies, including Microsoft, Apple, Google, and others, have realized that their clients expect privacy and want security, and therefore pay a lot more attention to ensuring that this is as important a priority as is the latest user interface. Microsoft is now involved every day in taking down criminal botnets, and has built significant improvements to its security in the latest release of its operating system. Ordinary citizens are also a lot more aware of just how important privacy is, and as a result, have put pressure on their governments to ensure that companies that provide the services provide offer the same degree of security and safety in cyberspace, as they do, for example in protecting citizens from ordinary crime. We have seen this in Europe, where governments have demanded that companies like Google and Facebook, follow national legislation on protecting personal data and privacy.
DR: What should we “fear” from the Internet?
A famous American bank robber was once asked,» why do you rob banks?” His answer was simple, “because that’s where the money is”. Right now, cyberspace, the internet, is where people do commerce, and money ultimately is to be found. The vast majority of victims in cyberspace are victims of cyber crime which means identity theft, stealing of credentials, and extortion by cyber criminals in order to recover their data. As a result, perhaps the greatest threat we face on the internet is the same we face in real life — petty crime and theft that robs us of our money and dignity. Luckily, the vast majority of risk can be addressed by practising simple digital safety — using strong passwords, turning on two factor authentication, encrypting data on devices, ensuring your computer operating system is legal, and always updated, using a good antivirus — these are the internet equivalent of washing your hands before you eat. A simple everyday practice that prevents cyber sickness and hence, vulnerability to cybercrime.
With respect to the catastrophic attacks on civilian infrastructure, civil aviation, the power grid, or nuclear power plants, of course that possibility exists and was demonstrated by the use of Stuxnet against the Iranian uranium enrichment plant at Natanz (which was discovered by a Belarussian antivirus company — VirusBlokAda). Let’s not forget, however, that we also live under the risk of warfare, including nuclear warfare. There is recognition at the state level of the consequences of using such capabilities. And, while we do not have an equivalent of a “nuclear nonproliferation Treaty” for cyber weapons, there is a tacit gentleman’s agreement among states that encourages restraint. After all, those who live in glass houses usually think twice before throwing rocks.
DR: As social media such as Facebook, Vkontakte, Twitter and Odnoklassniki gain huge popularity — and people reveal an alarming amount of personal information about themselves online — are there real risks and dangers from sharing too much information through these platforms? Is there some “dark secret” or danger about social media we should all be aware of?
When the internet first gained popularity in the early 1990s people were drawn to it because it gave access to information and ideas. In the 2000’s — social networks connected people, and communities through the internet. That’s important, and incredibly empowering. In previous centuries, most people lived within 25 km of where they were born. The social internet makes it possible for a person to become a member of a community with people they never met, or are likely to ever meet in real life. That’s an incredibly powerful intellectual and emotional idea. That’s also what the creators of social networks understood. People are willing to trade personal information about themselves, what they like, they don’t like etc, in order to have access to the same information about others and become members of wider global communities. The operators of social networks can provide their services for free because they have perspective on all personal information of every one of their users. That makes them incredibly powerful and useful as tools of the marketing agencies that can then target specific individuals with advertising goods and services they know those individuals like. That is why companies like Facebook are worth $245 billion without having to charge their users anything. It’s created a whole economy, a whole ecosystem based upon individuals trading information about themselves in exchange for the ability to seek out and find others who share their ideas, beliefs, and likes, and companies like Facebook and Twitter turning that knowledge into money by selling the data to advertising companies that use it to target markets and consumers. Is that good, or is it bad? I guess that’s a matter of perspective. As the old Latin adage goes “Caveat Emptor” — or “buyer beware”. Nothing in life is free, and in the age of the social internet, if something appears to be free, then you are the product. It is up to each individual to weigh whether trading privacy for utility is an equitable, and justified transaction.
DR: Privacy has steadily eroded over the past few years as a result of the lure of people using social media and mobile devices. While many people seem to be concerned about privacy, can we actually have a reasonable expectation of privacy? Is such a thing as privacy worth defending?
That’s a difficult question. In principle, individuals should have the right to put a value on information they consider to be personal or private. The difficulty is that it’s becoming more and more difficult for individuals to exercise that right consciously. That’s because the technology that we use forces us to make that decision on a daily basis: do I use the GPS on my phone and therefore give away my location to my ISP, telecommunication provider, and possibly the developer of the app I am using? Or do I get so much benefit from it because it makes my life easier that it doesn’t matter? The challenge is that we need to make that decision dozens of times a day. And because, for the most part, it makes life easier for us, we are willing to trade more and more privacy for the utility we get from these technologies. Can the State do anything to ensure privacy for individuals? Yes, maybe, but that requires a broader recognition among society that these are rights worth defending. It also requires thinking through exactly how privacy rights can be protected in a way that does not take away from benefits we derive from the internet economy.
DR: Is “hacktivism” a potentially valuable means of fighting crime or terrorism?
I think whenever citizens get together, whether in cyberspace, or in physical space, they can make a difference. The difficulty for hacktivists is that their actions are generally only limited to cyberspace, whereas crime, and terrorism exist in physical space too. Therefore, hacktivists may be good at exposing Twitter accounts or online chat rooms, or parts of the dark web that are used by terrorists or criminals. Such exposure, or revealing of secrets and communications may actually harm these groups. However — in many ways all it does is allow these groups to develop better tradecraft, hide deeper, or use less of the Internet for their critical communication and organization. That is not to say that hacktivists have no role — they do, because exposing conspiratorial groups is a way of combating them, but it’s not necessarily the only, or the best way of doing so.
DR: What impact can “hacktivism” hope to have on cybercrime?
In combating cybercrime, I think hacktivists can play a very important role. Cybercrime, by definition occurs in cyberspace, and that is where hacktivists are the most effective. Applying techniques of crowdsourcing, sharing information, exposing, and even naming and shaming specific individuals behind cybercrime can be very effective in deterring others. It is a form of vigilantism, so it does have certain limits, ethical and otherwise, and cannot substitute for effective policing. However, just like community self-policing is much more effective than formal policing at the local level, so too, can citizens of the Internet act as effective policeman for their own domain.
About Rafal Rohozinski:
Rafal’s career coincided with the global expansion of the internet, a process that he helped accelerate in the 1990s, as he worked with the United Nations across Asia, the former Soviet Union, Middle East, and Africa. For much of his professional life, Rafal’s only permanent address contain an “@” sign.
Rafal is the co-founder and CEO of The SecDev Group where he leads a talented team of technologists and analysts in applying advanced analytical systems and techniques to answer some of the world’s most difficult challenges. Rafal is a passionate student of how cyberspace is rewriting the social contract between individuals, institutions and states. He is actively involved in academia and is recognized as a thought leader for his work in cyber security, cyber strategy and the tele-geography of conflict. Over the past two decades, Rafal co-founded pathbreaking projects including the United Nation’s Asia-Pacific Development Information Programme (APDIP), the OpenNet Initiative, and the Information Warfare Monitor. He was a co-founder of Psiphon Inc, a leader in circumvention technology, and served as its CEO from 2008-2013. He served as a Senior Visiting Fellow with the Munk School of Global Affairs, and is currently Senior Fellow with the UK-based International Institute for Strategic Studies, and remains engaged with research activities at the University of Oxford, Moscow University and MIT. He sits on the advisory boards of Access Now, Canadian International Council and the Canadian Association of Defense and Security Industries. Previously he served as the Chair of the advisory boards of the Estonian E-Governance Academy and the Citizen Lab.
Rafal co-founded The SecDev Foundation to ensure that advanced research, technology and access to information benefits the broader community, and that critical global issues like individual privacy and surveillance are subject to an informed public debate. He passionately believes in the importance of hard-won liberties, the rights of individuals and communities to self empowerment through knowledge, and the responsibility of community security.