‘Nick Merrill is building an internet service provider called Calyx. Calyx will be designed to encrypt user's data in such a way that it'll be inaccessible to anyone but that user. Which means that if the government asks for your browser history or emails, Calyx will be technologically unable to hand them over.’. When I stumbled across this, I was horrified. As a civil servant and government lawyer, I bridled at the blatant attempt to undermine the criminal justice process. But then I read on and watched videos of Nick Merrill telling his story of fighting a national security letter requiring him to disclose details about one of the clients of his ISP company. It is quite compelling to hear of his 6 year battle for recognition of his entitlement to speak with his attorney and his right to tell others that he was issued with a national security letter. So Nick Merrell’s encrypted ISP project started to sound less like paranoia and more like a rational reaction.
Just this week, I read that at the recent Black Hat Conference, when the room full of internet and security professionals was asked who they trusted less, Google or the government, the majority raised their hands for Google. This surprised me, given the deeply ingrained distrust of big government and led me to wonder whether we were sliding into a situation in which the public will not trust anyone with regulation of online activities. Is the web to become a wild west of anarchy because we are too afraid to trust anyone with any form of monitoring or enforcement?
FEAR OF THE GOVERNMENT
The US PATRIOT Act has a lot to answer for. One part of the post-9/11 legislative reforms was provisions extending the FBI’s ability in certain circumstances to request records from ISPs, financial institutions and credit providers without the need for a court-issued warrant. Moreover, recipients of national security letters were unable to challenge the request and were prohibited from telling anyone that they had received a letter (let alone the content of the letter) for an indeterminate period. Nick Merrell was the first person to challenge the constitutionality of the regime. The personal and financial toll that the battle has taken on him makes you question whether the 9/11 terrorists were more successful at undermining the most highly-prized values in our system than we will ever care to admit.
Meanwhile, media attention on the ‘great firewall of China’ and the role of internet censorship in the Arab Spring has brought home the power of the internet internationally as a tool of oppression in the hands of an unscrupulous government.
Domestically, the fear that the government will exploit the power of the internet has found a focal point in the campaign against the Cybersecurity Act 2012. Alarm bells are ringing for privacy advocates as the Cybersecurity Act seeks to expand the ability for ISPs to share user information with the government outside of the current judicial oversight mechanism.
Internationally, many civil society bodies seem to see the upcoming 2012 World Conference on International Telecommunications in December as an opportunity for governments to seize control of the internet for their own purposes. The WCIT seeks to renegotiate the International Telecommunications Regulations with a view to expanding the ITU’s mandate to include regulation of the internet. Distrust of the intention behind this move has led to the creation of a wikileaks-style site that posts the preparatory reports and proposals.
FEAR OF COMPANIES
While the public might have been willing to cut Google some slack over the ‘inadvertent’ capturing of private data in the UK during its street view operations (everyone makes mistakes, right?), their subsequent failure to follow through on their undertaking to delete the data might start to undermine the credibility of the ‘don’t be evil’ mandate.
I suspect that the friendly glow of social networking and web companies is also fading as the public confronts the fact that these companies are not benevolent societies established to help us share information and stay in touch with friends, but are businesses that ultimately need to make money. Facebook’s much-analysed IPO and disappointing profits underscore the imperative for companies to find ways in which to capitalise on all that ‘big data’ that they have amassed from their user base. The popularity of the ‘do not track’ movement, which allows users to request that websites not collect information about their online browsing habits reveals a growing distrust of web companies and their moves to use our personal data for profit.
FEAR OF ANARCHY?
It seems we’re at risk of descending into a Mad-Eye Moody state of ‘constant vigilance’, unwilling to trust anyone. But short of finding a real life Dumbledore, this is not a sustainable approach. Without effective policing of the internet, it becomes a modern wild west; a safe haven for criminals and a dangerous place for the rest of us. But when there is no public visibility of the many times when police or security authorities’ access to online information has helped thwart criminal activities and protect users’ rights, it is difficult to assess the value of government access to online records.
At the risk of sounding like a government stooge, I think the answer lies not in efforts to circumvent government access to information, but in better systems for managing government access to our information. Law enforcement and security authorities need quick and effective access to the information held by web companies in order to enforce the criminal laws. Of course, all governmental power needs appropriate checks and safeguards. This is where the national security letter scheme went wrong and this is where we should be focusing our attentions. While I can't deny the logic of Nick Merrill's latest encrypted ISP project, I hope that this is not the direction that we end up taking. I still hope that we can work to fix the system, rather than taking ourselves outside of the system.