Abstract

Susan Landau’s account of US government surveillance policy and practices is refreshing, avoiding the typical hyperbolic referencing of George Orwell and Big Brother. Like other aspects of communication, new media technology has outstripped the legal and policy paradigms of the past century. Landau argues that embedding old surveillance systems deep into the new digital media infrastructure can actually make our systems less secure and more vulnerable to attack, and can stifle innovation. For example, FBI insistence on backdoors to Silicon Valley’s products could impose financial burdens on startups and sour consumers on American media technologies. Furthermore, innovation could become the province of companies without a US presence, which would avoid conditions imposed by federal authorities, and the FBI in turn may ban new media tools created in other countries. Therefore, the tools and policies that have ensured security in the past and present are a danger in the long term. While the US government still focuses on surveillance and wiretapping of people, the greater threat may lie in cyberattacks on information systems and infrastructure grids. In 11 detailed chapters spread over 253 pages, Landau documents the risks inherent in law enforcement reliance on backdoors and wiretapping technology to catch traditional ‘bad actors’, such as the perpetrators of 9/11. This one-sided approach has allowed other potential risks to go unnoticed and the digital network to be used against law enforcement. Examples include the subversion of the Greek Vodafone network to eavesdrop on the leaders of the Greek government, and the hacker collective Anonymous obtaining the private information of police officers and Sony PlayStation users and posting that information online. This is the beginning of a digital battle that traditional wiretapping and surveillance will not be able to prevent.
Landau starts her book with a history of wiretapping, from early telephone networks to the beginning of the internet, whose architects did not perceive a need for network security. She notes that today’s network intruders are not just lone hackers or groups, but nation-states. It is easier and safer for a hacker working for the Chinese government to attempt to steal classified information and data from the US government and corporations from a Beijing office than to do so on the ground in New York City. All the surveillance cameras in Manhattan will be of no use in preventing this type of digital espionage. And simply asking people to be digitally secure is not enough. One motivated weak link such as a Bradley Manning (suspected of leaking classified US military and diplomatic cables to Wikileaks) can lead to the dissemination of a vast store of classified information. But just as dangerous is the passive but careless user who can expose a network to invaders. As such, vigilance and security must be built into the network itself. The book’s concluding chapter presents thoughts on ‘getting communications security right’ by not implementing measures that threaten freedom, human dignity or consent, having open public reviews before implementation, and non-interference with the free press. Any suspension of privacy protection should be short in duration and only during times of extreme emergency.
When the government does not abide by these practices, Landau proposes people use the Pentagon-originated Tor as an online privacy protection solution, but does not point out its potential shortcomings. While Tor does mask a user’s IP address when visiting websites by bouncing the user’s network requests off multiple Tor nodes around the planet, she neglects to mention the weakness at the exit node. Before the information request arrives at its final destination, the computer at the exit node of the Tor network could have an unscrupulous owner gleaning the data from the packets passing through the router. In 2007, a Swedish security consultant, Dan Egerstad, scooped up a large number of usernames and passwords from his exit node. He concentrated on governmental and embassy accounts with a filtering script, thereby intercepting email from over 200 entities (though none from the US government). He contacted many of the governments whose secret information he had been reading, but only one (Iran) bothered to contact him to ask what they were doing wrong with Tor. Used correctly, Tor can do an excellent job hiding one’s IP address, but it does not encrypt data sent over its network, and therefore privacy needs to be a concern when exit nodes controlled by rogue operators can siphon off passing packets. Of course, this use of the Tor network violates the wiretapping laws of the US and other countries. Egerstad was arrested after publicizing his ‘misuse’ of Tor.
Landau is a rare expert in the multiple fields of technology, policy and law, and she writes in a clear, concise and organized manner on these three intersecting areas. The book is amply footnoted, allowing other researchers to build easily on her work in their own niche areas. One limit for some readers may be the book’s focus on the United States, as her prescriptions and analysis are national, not international, in scope. Going back to the book title’s question, Landau believes that focusing on surveillance will not lead to security in the future. A break needs to be made with past practices and thinking.
