Right to Speech, Press, to Congregate, to Privacy, to practice Religion, and many others are no longer protected and thus effectively lost.
They say when you are dead, that you don’t know you are dead. It is difficult only for others, which is normally a select few people who were intimate with you. However, every once and a while a person is so stunning that we realize that everyone would have benefited knowing them.
The same is true for privacy.
In case you didn’t notice, a rule was changed to the way in which judges can issue search warrants, and a last-ditch effort in the Senate to block or delay rule changes that would expand the U.S. government’s hacking powers failed Wednesday, despite concerns the changes would jeopardize the privacy rights of innocent Americans and risk possible abuse by the incoming administration of President-elect Donald Trump.
As a result, the change went into effect on Thursday, December 1st and it affects Rule 41 of the Federal Rules of Criminal Procedure, which are proposed by the U.S. Department of Justice and approved by the U.S. Supreme Court. It will allow federal investigators to seek permission from a magistrate judge in, say, Texas, to plant hacking software on a computer that’s disguising its location.
Bottom line: This rule results in a situation where no one can hide from government intrusion. Nowhere, not in the U.S., outside the U.S. or on the moon. U.S. law enforcement now has an easier legal path to hack into any computer, anywhere in the world.
The time has come to make Privacy Rights a national debate and not usher in a world of carte blanche government surveillance without the people speaking directly on the topic.
Many attempts were made to delay the changes, which will take effect on Thursday and allow U.S. judges to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, potentially even overseas. His efforts were blocked by Senator John Cornyn of Texas, the Senate’s second-ranking Republican.
The changes will allow judges to issue warrants in cases when a suspect uses “anonymizing” technology to conceal the location of his or her computer or for an investigation into a network of hacked or infected computers, such as a botnet.
The essence of the change comes to the way judges can order search warrants and can get nuanced and technical, however it falls along these lines:
– Magistrate judges can currently only order searches within the jurisdiction of their court, which is typically limited to a few counties.
– Normally, magistrate judges can allow searches only within their jurisdictions; their authority ends at the border of their judicial district. Now the rules will clearly state they can consider these unique requests from investigators.
– Until now, some judges have refused to approve warrants that allow investigators to plant software on computers that could be anywhere, either within their jurisdiction or wind up anywhere. That uncertainty over location has caused these judges to question whether they have the authority to grant the warrant in the first place.
So what’s really changed?
The truth is that the government has been hacking into computers of citizens for years. There are a myriad of cases all over the internet to help illustrate this situation. However, these efforts were frequently stymied by a host of privacy-loving judges who have resisted wholesale surveillance efforts without a notion to the whereabouts or domicile of the digital asset being requested and how this affects one’s right to unauthorized search and seizure.
The government has now given law enforcement a tool to overcome the federal magistrate’s objections to authority and ‘just means’ for surveillance. Now, if anyone leverages any technology with which the government finds is ‘anonymizing,’ a citizen on the internet then they are potentially subject to search and seizure by this new rule.
I have three questions I’d like to propose to you that ponder the ubiquitous use of the internet:
• As a result of how the internet has changed due to mankind, do these changes represent civilized society in decay, or rather in a brand new age of enlightenment?
• Should we worry about our freedoms (e.g. are any of our freedoms eroding or, rather, are they parlaying our existing ones to new heights)?
• On freedoms going forward, who owns, secures, and defends them in a logical realm with no borders, boundaries or jurisprudence system?
We live in a world where the biggest taxi company owns no cars, the biggest e-commerce company owns no stores, the largest news organization has no reporters, and the largest community gatherings of people involve no stadiums or physical interaction.
We also live in a world where the very same infrastructure which enables the above enigmas and provides us with a myriad of other tremendous benefits, as with all things in life, breathes life into a new darkness. From an ability to perpetuate harm and gain benefit(s) – this new operating regime is clearly less understood and more wild than perhaps any wild frontier humanity has ever known.
Moreover, this dark side ushers in a very frightening proposition – the ability to very seriously challenge personal “truths” about inalienable rights, which most of humanity has fought and forged for over eons and today represents the pinnacle of civilized societies: our freedoms. Let me start with an ad for a company I/we have no affiliation to, no interest outside of academics in and have not validated its credulousness, but it underscores the predicament we are in:
“It is like a HACKMAZON” – A CYBER ATTACK MARKETPLACE ALLOWS FOR CHEAP & EFFECTIVE ATTACKS
“Hello everyone, today I have purchased a plan on one of the best network stresser/booter services on the market. http://cloudstress.com is no doubt one of the greatest stresser/booter on the market! This stresser/booter has various attack types such as Layer 4; CHARGEN, NTP, and DNS. Along with Layer 7; POST, GET, and XML-RPC. The stresser’s/booter’s power is like no other stresser/booter on the market, especially for the price. To go along with being cheap but still getting the strongest power available, the stresser/booter offers a variety of tools like a Skype resolver, IP response checker, IP geo locator, and a domain to IP resolver. There is not reason to over pay for a stresser or booter ever again, starting at only $5.00 a month, this websitehttp://cloudstress.com is one of the cheapest but still the best stresser/booter on the market. With this IP stresser/internet booter you will never need to purchase another one again, it has everything. This stresser/booter makes purchasing easier than ever with their automatic payment system, as soon as you pay VIA Bitcoin or PayPal you receive your plan within seconds and you can start using the best stresser/booter on the market. http://cloudstress.com also has an on site support ticket system just in case you need help with anything along the way. Withhttp://cloudstress.com there is no reason to use any other stresser/booter ever again, they’re cheap, the best/strongest, and have an easy to navigate site.”
My first point illustrated from the above is that the world has devolved almost at an equal and opposite rate as it is evolving, allowing for a Ying to a Yang. The problem with the devolution is that it represents something different than we’ve ever seen in human kind – the ability to reach out and hit anyone at anytime from anywhere with near impunity. This was unimaginable just 20 years ago, but today we can have everything from news organizations silenced (which has occurred at scale by those who don’t like their messages) to presidential candidates and CIA directors who have their personal emails hacked and leaked en masse. How? Well, through a cornucopia of new tools, techniques, services and capabilities made readily available on the internet, such as the ad above.
The Geographic Paradigm Falls. Laws don’t work. Neither does nation-state law enforcement.
Second, let’s understand that the world no longer works within geographic confines. The internet is everywhere at once and doesn’t obey laws situationally based upon transit like the physical world does. So the notion of nation-state laws and domiciles are, paradoxically, becoming very destructive constructs in today’s attempt to protect citizens as domiciles have switched to the benefit of the attacker. They can now feasibly be either physically *or logically* in one domicile and perpetrate acts on others with essential legal impunity as no reciprocity of laws between the two lands exits.
This is self-evident in the physical world with Edward Snowden. Edward Snowden is a wanted man, however lives with impunity while domiciled in another (unfriendly) country as it relates to the United States. Other examples ring true where the U.S. allows “refugees” from other countries who have committed crimes in their country but have been granted safe living in another domicile. Most understand this world and nothing is really different here. However, as it relates to internet security, most of us seem to forget the idea of sanctuary states and crimes and the importance it plays in the current environment.
So, what do you say? Freedom falls, then liberty itself and conversely the rise of oppression.
When looked at individually, many of these issues seem small and meaningless, however focused at a macro level; an ominous cloud is upon our current security blanket to enforce our democratic ideals.
Well, as the most recent heinous breaches around the world have taught us, losing one’s privacy means also losing one of humanity’s most special attributes – its secrets. The hack at Ashley Madison taught us that no stored data is secure no matter how much we think it is, and that the spill of personal data and one’s secrets, leads to (among other things) suicides, massive lawsuits, divorce, the removal of a chief executive officer and, as time will no doubt, derail the very fabric of humanity.
However, we are not just losing our privacy, but other freedoms too like the Freedom of Press, the Freedom of Religion, the Right to Congregate, etc.
If you are monitoring events the way I am, then you have noticed a very clear trend lately for the more resourceful and powerful forces on the internet to be able to silence any difference of opinion quickly and with no adverse consequence. This includes journalists and individuals alike. Moreover, in more mob-like tactics, we see this trend scale to include extortion and ransoming, including hacking a U.S. presidential candidate’s email. The list below is just a very small example some of the legions of eroding freedoms:
On the Topic of Freedom of Press – Should we be worried?
– BBC – Early in 2016, BBC was knocked offline from reported DDoS attacks
– New York Times – Throughout the Summer of 2016 there were widely reported cyberattacks on the New York Times
– September 2016 Attack on Brian Krebs – one of the largest Information Security journalists was attacked with the world’s largest DDoS attack and silenced for days. This was in apparent retribution for some previous opinions and investigative reporting.
– September 2016 Helpnet.com – An online trade journalism website was hit and made unavailable
On Freedom of Religion / Freedom to Congregate – More Worrisome?
– We know that Twitter and Facebook routinely censor “hate” groups or “recruitment” for terrorism with no clear understanding of what guidelines they use for this censorship
– We know that in the U.S. presidential debate, online forums and ability to ‘digitally congregate’ has been met by numerous censorship proceedings from various social media outlets
– We know that the infamous hacker group Anonymous grew out of an early fight with the Church of Scientology and the interest in keeping them quiet
– We know that many of today’s western pursuits are to stop recruitment of Muslims into terror groups which may run into conflict with Freedoms of Religion observation
– We also know that in much of the world, Freedoms of Religion are still not practiced and the internet reinforces current beliefs and censors objections as a matter of routine
– It is well known, after the PRISM program revelations and other nation-state monitoring programs, that scores of companies routinely collude with nations to spy on their citizens in everything they say, do, and transact
– It is also well known that through a myriad of security violations, most of the world’s citizens have already lost their identities to massive leakage over the most recent past
– It is also well known that “Big Data” will take privacy loss to a new level where stored data privacy protections are no longer relevant in an era where non-structured data analysis can provide the same or better resolution into reviewing one’s privacy
Big questions should lead to big debate.
As you can see, the topic is immensely powerful and not trite. The real question is, why isn’t there a real national dialogue around these issues? Yes, there is a lot of chatter, but most of the conversation seems vapid. Many, if not most, of the pundits I see and read seem to be discussing the notion of ‘net neutrality’ or cyber-security legislation, which cover data protections, and appear to have at their core a goal of appointing bureaucrats and assigning budget authorities.
However, isn’t the issue really larger than that? Now to be honest, I’m not a person accustomed to speaking in such broad terms, but shouldn’t the real question of the current various forms of cyber security legislation be reaching into the heart of the matter and focusing on whether our privacy is a fundamental human right and whether or not our freedoms are truly defensible any longer?
The answer to this question settles forever the debate on how to proceed forward with information security regulations and what the reaction should be to breaches and security. After all, if we live in environments where our freedoms are granted but not protected, what use is a modern day government providing its citizens?
Consequences of not acting to protect Human Rights from Internet Attacks
Generally, I’m not a big believer that laws or regulations are very helpful in a tactical or operational way for a security professional. In fact, my general feeling is that laws only add to overburdened staff and generally only increase budgets, which are often mal-applied towards administrative attestation, not to conducting real security.
However, in the case of privacy and other human rights, I believe that there will be three real consequences of not having a national privacy law, which will not change until one is passed. They are as follows:
Prediction One: More censorship will pervade. Being able to tell the difference between a democracy and state-sponsored communist regime will be grayed.
Prediction Two: Your humanity will evaporate. With the advent of the Internet of Things (IoT), whereby nearly every consumer device from a mobile phone, to an implantable healthcare device, to a fridge is measuring and monitoring nearly all human behavior, there will increasingly be an opportunity to invade deeper and deeper into one’s personal life and, perhaps even into, one day, one’s thoughts and ambitions. This technology, although immeasurable on the opportunities for human developmental advancement, will, paradoxically further erode the notion of what it is meant to be human itself. You will become like a machine, predictable and forecast-able in every way, from your health, to your passion, to your purchasing and interest habits and hobbies. You will be ‘addressable’ in more ways than ever before.
Prediction Three: Power to people is not easily granted. There is a lot of money and interest to be gained by organizations and governments in having the power to pervade one’s privacy. The laws of control suggest that most people who are in charge of organizations and governments will not easily be interested in ceding control of the aphrodisiac which is spying on those they can ultimately manipulate.
In summary, there is lot to be learned from the debate around the loss and protection of Freedoms, however most of the debate is, in my opinion, a red herring and intellectually dishonest. The real debate rests on the central question of whether or not our human rights are being protected and by whom. First, we must answer the question on how the internet changes the game and what is tolerable and intolerable. From there we can decide on what we must do to protect it and cherish it. In the meantime, security professionals and businesses who are entrusted with data will continue to bear the cost and operational responsibility of protecting it. Indeed, they are in the position where they must husband data protection as best they can, which to some will be an insurmountable challenge.
If you care deeply about this subject, I would encourage you to take up the struggle and start calling for energy around a national law in pursuit of a constitutional amendment to settle once and for all the question of whether or not privacy is a right, and asking for more demonstration of security of our freedoms.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.