Cleansing the Internet of Terrorism

Yet another vague and overreaching project to censor the internet is underway; European Commission-funded CleanIT, which aims to “countering illegal use of the Internet” and fight what they see as terrorism. It’s another attempt to use a private police network to determine what ‘illegal’ and ‘terrorist’ uses of the internet mean. Groups like European Digital Rights and the Electronic Frontier Foundation are stepping in to protect our legal safeguards:

EFF has always expressed concerns about relying upon intermediaries to police the Internet.  As an organization, we believe in strong legal protections for intermediaries and as such, have often upheld the United States’ Communications Decency Act, Section 230 (CDA 230) as a positive example of intermediary protection. While even CDA 230’s protections do not extend to truly criminal activities, the definition of “terrorist” is, in this context, vague enough to raise alarm.

The recommendations call for the easy removal of content from the Internet without following “more labour intensive and formal” procedures. They suggest new obligations that would compel Internet companies to hand over all necessary customer information for investigation of “terrorist use of the Internet.” This amounts to a serious erosion of legal safeguards. Under this regime, an online company must assert some vague notion of “terrorist use of the Internet,” and they will have carte blanche to bypass hard-won civil liberties protections.

The recommendations also suggest that knowingly providing hyperlinks to a site that hosts “terrorist content” will be defined as illegal. This would negatively impact a number of different actors, from academic researchers to journalists, and is a slap in the face to the principles of free expression and the free flow of knowledge.

The CleanIT regime would also provide for many other breaches of our civil liberties pertinent to today, such as required data retention by internet companies, notices and takedowns of content, blocking government employees from certain web content, criminalizing speech in the form of political advocacy, obligations to provide real identities to internet service providers, automatic detection of “terrorist content”, government censorship, and banning of certain language(s).

It is not only more topical than ever because we are seeing an onslaught of such oppressive legislation and reactionary organizing against the Pandora’s Series of Tubes, but because terrorists (both real and imagined) are affecting our systems now more than ever. But are they really a threat worthy of international policing and globally-dominant rule?

Despite there being a lot of controversy around who is a terrorist and who is merely an activist or hacktivist, the terms are hardly well-defined in any of the proposals. Further, ‘cyberterror’ attacks are often found and corrected as they occur. Via WIRED’s Threat Level Blog:

Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and alsoaccessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.

According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.

Telvent calls OASyS “the hub of a real-time telemetry and control network for the utility grid,” and says on its website that the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”

But according to Dale Peterson, founder and CEO of Digital Bond, a security firm that specializes in industrial control system security, the OASyS DNA system is also heavily used in oil and gas pipeline systems in North America, as well as in some water system networks.

And though the breach raised concerns that hackers could embed malware in project files (similar to the Stuxnet virus spreading around the globe), or gain remote access into customer networks, all that TelVent had to do was ‘temporarily disconnected its remote access to customer systems’. In fact, the company has now instituted new procedures to prevent future breaches, and ensure all traces of any malware are eliminated. Pointing out such holes is one major utility that hackers provide, which is why numerous challenges and contests are held by software developers and security conferences to voluntarily expose any possible exploits before they go live to the public.

Considering that these breaches are usually followed by a substantial re-up with a massive security consulting corporation, who’s to say if perhaps these private contractors aren’t themselves ‘innocently’ invading the network to expose weakness. Sort of ‘cyber-mafia racketeering’.

The intelligence community is working towards classifying digital ideologues like Anonymous under the vague term of ‘cyber-terrorist‘, and there are groups who are learning to use malevolent technology to their purposes. Via NYTimes Bits Blog:

Bank of America, JPMorgan Chase, Citigroup, U.S. Bancorp and PNC have been hit by a wave of cyberattacks that have caused Internet blackouts and delays on online banking sites… have been targeted with distributed denial of service or DDoS attacks, in which hackers barrage a Web site with traffic, causing it to slow or collapse under the load.

A hacker group, which calls itself the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks in an online post to Pastebin, a Web site hackers frequently use to publicize attacks. The hackers say they will continue to target American corporations daily, as part of an operation they call Operation Ababil, until an amateurish 14-minute anti-Islam video, which mocks the Prophet Muhammad, is pulled from the Web.

Sara Hawkins, a Wells Fargo spokeswoman, confirmed Wednesday that customers might still be experiencing “intermittent access” to the bank’s Web site and said the bank was working to resolve the problem.

The attacks are described as a nuisance, not technically sophisticated, and typically do not affect a company’s network, funds, or customer accounts. Instead, customers only have to worry about delays and ‘intermittent access’, something that we can all attest to have endured on any normal day dealing with these sites.

We’re going to witness more of this as the Cyber-Wars escalate, with no clearly defined sides or players. After all, who is defending the network, the governments who want to clamp down on it while protecting their corporate constituents, at the expense of the populace they claim their actions really protect? The private cybersecurity firms, so enmeshed with the intelligence community that it is hard to see where one ends and another begins, with a surveillance and biometric scanning network affecting millions? Who are the real villains, the hacktivists who want to protect anonymity, privacy, and fight censorship? Or agents who want to impose their restrictive political or religious worldview bu using the free-flow of information at their fingertips? Which is a bigger threat, malware designed by secret intelligence, viruses created by pranksters, fraud perpetuated by ‘ousted royalty in Nigeria’, or activists propagating the leaked evidence of war crimes?

And wouldn’t we rather have a terrorist organization who keeps you from accessing your login for a few hours, as opposed to blowing up city blocks full of people?

Sure, some of these groups and hacktivist individuals may eventually become serious threats. The law, however, isn’t supposed to work on ‘maybe eventually.’ Not to mention how futile such overarching efforts are, as when police are forced to sift through acres of haystacks for the few needles of child predators online, or when racial profiling doesn’t provide reliable results in all of the surveillance noise. We may be able to collect all the data, but we still don’t have Precogs to act on it.

These are not easy terms to define in a brave new world with brave new words and ideas. I think it’s safe (and obvious, at this point) to say that any simplistic generalizations are ill-advised, and any that make their way into law will be disastrous.

, , , , , ,

No comments yet.

Leave a Reply