
posted by hubie on Thursday August 18 2022, @03:55AM   Printer-friendly
from the should-surveillance-engines-be-taxed dept.

Developer Poul-Henning Kamp (PHK) has written a brief post in the July issue of Communications of the ACM about the cost of surveillance having become negligible. Worse, in many cases that surveillance is actually required, either by large governments or by large corporations, so it is cheaper to go with the flow and track people and their online activities closely, while it becomes more and more expensive for programmers and developers to even try to avoid tracking them.

During his keynote address, risk management specialist Dan Geer asked the 2014 Black Hat audience a question: "What if surveillance is too cheap to meter?"

As is the case with electricity from nuclear power, technology has little to do with it: This is a question about economy, specifically the economy of the path of least resistance.

Surveillance is ridiculously cheap for governments. Many have passed laws that obligate the surveillance industry—most notably, the mobile network operators—to share their take "at cost," and we know law enforcement uses it a lot.

So why is so much cheap surveillance available for purchase?

PHK also covered this topic even more briefly in his column in ACM Queue back in February. Both refer to Dan Geer's observation about metering made back in 2014 at Black Hat:

Suppose, however, that surveillance becomes too cheap to meter, that is to say too cheap to limit through budgetary processes. Does that lessen the power of the Legislature more, or the power of the Executive more? I think that ever-cheaper surveillance substantially changes the balance of power in favor of the Executive and away from the Legislature. While President Obama was referring to something else when he said "I've Got A Pen And I've Got A Phone," he was speaking to exactly this idea -- things that need no appropriations are outside the system of checks and balances. Is the ever-wider deployment of sensors in the name of cybersecurity actually contributing to our safety? Or is it destroying our safety in order to save it?

What is the way out?

Previously:
(2022) What are the Five Eyes, Nine Eyes, and Fourteen Eyes?
(2022) Forget State Surveillance. Our Tracking Devices are Now Doing the Same Job
(2018) Transparency Versus Liability in Hardware
(2014) CIA InfoSec Chief: US Govt Should Buy All Security Exploits Then Disclose Them
(2014) Proposal for Unpatchable Network Devices to Expire


Related Stories

Proposal for Unpatchable Network Devices to Expire

The Chief Information Security Officer (CISO) of In-Q-Tel, Dan Geer, has proposed implementing self-terminate logic in embedded devices such as industrial control and SCADA systems, to manage a future in which many of them will heavily populate our personal, professional and lived environments. Individually, these devices may be unimportant, but together, many embedded systems are tremendously powerful and capable of causing tremendous social disruption. He cited the malware TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. He proposes that embedded systems that lack a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' would remove a population of remote and insecure devices from the Internet and prevent those devices from being used by cyber criminals or other malicious actors.

CIA InfoSec Chief: US Govt Should Buy All Security Exploits Then Disclose Them

Digital Era reports:

To increase the security of the internet and computers, the government should corner the market on zero-day vulnerabilities and exploits, offering top-dollar to force out all other buyers. At least, that's what Dan Geer thinks, and his opinion matters. Geer is chief information security officer at the CIA's venture capital arm In-Q-Tel, which invests in technologies that help the intelligence community.

Geer, an icon in the world of computer security, delivered his controversial stance during a keynote at the Black Hat security conference in Las Vegas today. His talk, entitled "Cybersecurity as Realpolitik", was provocative throughout, including advocating that software companies make their unsupported products open source to keep them secure. He even quoted the Code of Hammurabi (circa 1700 B.C.) while suggesting that product liability be applied to source code. "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death," he said. While the death penalty may be a little severe for software makers who fail to adequately secure their products, criminal and civil liability isn't, he noted.

But the highlight of Geer's talk was definitely his suggestion that the U.S. Government own the zero-day market. Zero-day vulnerabilities are security holes in software that are yet unknown to software makers or to antivirus firms. They're unpatched and unprotected, leaving them open to exploit by spy agencies, criminal hackers, and others. Once the government purchases zero-days, he said, it should burn them by disclosing them.

Transparency Versus Liability in Hardware

Bunnie Huang, hardware hacker, wrote a brief article about transparency versus liability in the context of open hardware. He covers some of the tradeoffs without going into depth.

[...] Should a buggy library you develop be used in a home automation appliance that later causes a house to catch fire, you get to walk away scot-free, thanks to the expansive limited-liability clauses that are baked into every open source software licence.

Unfortunately, hardware makers don't get to enjoy that same luxury. Beyond guaranteeing a product free from workmanship or material defects, consumer protection law often requires an implied or express 'fitness for purpose' guarantee – that a piece of hardware is capable of doing what it's advertised to do. The latest controversy over Spectre/Meltdown indicates that more people than not feel CPU makers like Intel should be liable for these bugs, under the 'fitness for purpose' theory.

Open hardware makers should be deeply concerned. [...]

At Black Hat 2014, Dan Geer was more specific regarding software and raised, with Poul-Henning Kamp, the idea that normal liability laws should also apply to software. But with that liability in place, exemptions should be available if vendors supply complete and buildable source code along with a license that allows disabling any functionality or code that the licensee decides against. Poul-Henning has long called for changes to liability laws for software.


Forget State Surveillance. Our Tracking Devices are Now Doing the Same Job

Forget state surveillance. Our tracking devices are now doing the same job:

Way back in 2009 the German Green politician Malte Spitz went to court to obtain the data that his mobile phone operator, Deutsche Telekom, held on him and then collaborated with the newspaper Die Zeit to analyse and visualise it. What emerged was a remarkably detailed timeline of his daily life, a timeline that would have been readily available to state authorities if they had come for it with appropriate legal authorisation.

But in internet time 2009 was aeons ago. Now, intensive surveillance is available to anyone. And you don't have to be a tech wizard to do it. In mid-January this year, Kashmir Hill, a talented American tech reporter, used three bits of everyday consumer electronics – Apple AirTags, Tiles and a GPS tracker – to track her husband's every move. He agreed to this in principle, but didn't realise just how many devices she had planted on him. He found only two of the trackers: a Tile he felt in the breast pocket of his coat and an AirTag in his backpack when he was looking for something else. "It is impossible to find a device that makes no noise and gives no warning," he said when she showed him the ones he missed.

What are the Five Eyes, Nine Eyes, and Fourteen Eyes?

What Are the Five Eyes, Nine Eyes, and Fourteen Eyes?:

The Five, Nine, and Fourteen Eyes are agreements between the surveillance agencies (the "eyes") of several countries. The original group is the Five Eyes (abbreviated as FVEY)—consisting of the U.S., the UK, Canada, Australia, and New Zealand—which shortly after the second world war signed a deal (the UKUSA pact) to share intelligence among each other.

Over the years, four other countries informally joined the original five (the Netherlands, France, Denmark, and Norway), making nine.

A few years after, five more joined (Belgium, Italy, Germany, Spain, and Sweden) to come to the grand total of 14.

However, these three groups are different from each other in what they share with each other.

Naturally, deals struck between spies aren't accessible to regular people, but we do know a fair bit about these three groups, especially the original five. This is because their founding document, the UKUSA agreement, was made public in 2010. The British National Archives has the full text.

Comments
  • (Score: 2) by sgleysti (56) on Thursday August 18 2022, @04:07PM (#1267373)

    Based on the present lack of other comments on this article, I am guessing the topic had a chilling effect.

  • (Score: 2) by Barenflimski (6836) on Thursday August 18 2022, @04:12PM (#1267374)

    It's one thing to have a security camera setup for your home or office. It's another when all of this data is aggregated and sold.

    Seems to me, this goes along with the rest of the involuntary EULAs where one buys outright, or is sold under a subscription, where everyone else also gets to use what is captured/produced from said product.

    Seems that could be regulated.

  • (Score: 0) by Anonymous Coward on Thursday August 18 2022, @07:26PM (#1267401)

    Surveillance so cheap that Amazon proactively provides it straight from people's doorsteps directly to police, no warrant required. The bandwidth is apparently so cheap they even outsourced it to companies outside the US. [soylentnews.org]

    Anyway, I still haven't seen another Bigfoot sighting...
