Face It: Privacy is Dead

But do we accept that or build a better internet?

From July 27 through August 1, the Black Hat conference took place in Las Vegas, where security researchers from around the world convened to present new research into computer security. One of the most interesting revelations was, in the words of ThreatPost, that “the web is thoroughly broken.” Researchers at Black Hat showed that they can read encrypted messages under some conditions, use JavaScript to force a page to reveal secured user information, and reconstruct supposedly secure portions of webpages.

Key to both security cracks is that there are no known protections against them.

One researcher said, “We are currently unaware of a practical solution to this problem.”

“There’s no real way to fix it,” said another.

There might be eventual workarounds, but researchers are finally hitting the fundamental, unsolvable insecurity of the Internet, which the military never designed to be secure or to protect user identities.

Self-described “cypherpunks” — like Julian Assange and technology activist Jacob Appelbaum (among many others) — see the internet as a public good that should never be monitored, regulated, or exploited by governments. Yet their most standard complaint, summarized as “the militarization of cyberspace,” is completely disconnected from cyberspace’s origins as a military program.

The internet began in a 1966 program called Resource Sharing Computer Networks. Started by the Advanced Research Projects Agency (the precursor to DARPA, where the “D” stands for “Defense”), this network was meant to decentralize data storage to protect it from a nuclear strike. Over time, ARPANET grew to become the Internet we know and love today. Whatever the utopian wishes of the Internet’s most ardent evangelists, there is no escaping that it began as a military research project.

In fact, the military has always been active on the Internet. Fourteen years ago, reports emerged of a vast NSA surveillance network called ECHELON. Created in 1971, ECHELON reportedly collected every satellite communication, almost all phone calls, and, according to some estimates, nearly 90 percent of traffic on the Internet.

That such a vast, longstanding surveillance system for the Internet exists makes perfect sense when one considers that the military invented the Internet, and thus knows how to monitor it the most effectively. It was never meant to be secure, because the Pentagon never imagined it would grow beyond the scale of safeguarding government data (along with some universities doing research) to become the pervasive presence it is today. The internet’s insecurity is why the U.S. government built alternate internets, called SIPRNet and JWICS — it was the only way to keep secret communications private.

Now we face a conundrum: The internet is not just used for research and storing government data away from nuclear strikes but for everyday things, like communicating, buying toys and groceries, banking, reading the news, and paying bills. The security of the internet never caught up to all of those things we take for granted. New systems meant to safeguard people’s privacy and data have been tacked on top of it, but the internet itself is so inherently insecure that those improvised security systems have holes that will eventually be discovered.

Apart from identifying the arms race that security research has become, there is a deeper question becoming clear, especially in light of the public debate over NSA surveillance: Do we even have a reasonable expectation of privacy anymore?

It sounds almost rhetorical, but that question is important to the debate about what the government can or should do with easily accessible data. Even supposedly anonymous systems, like TOR (The Onion Routing network, which was birthed by the U.S. Navy and gets over half its money from the U.S. government), can get cracked open by government agencies and their contractors to uncover criminal conduct, such as the distribution of child pornography. There are workarounds, like using email with strong cryptography, but they’re difficult to use. Most average people either can’t be bothered or can’t understand them.

The NSA isn’t the only agency capable of monitoring everything you do. Google tracks an incredible amount of data about its users (are you one of the 53 percent of Internet users on Chrome?), as do Facebook and Microsoft (the latter through its ubiquitous chat program Skype). One of the most fascinating aspects of the reaction against the NSA has been the seeming comfort with allowing for-profit corporations to strip mine personal data while reserving opprobrium for when the government does the same thing for law enforcement.