Why not both: On backdoors and spyware
Last week I attended an event convened by Jigsaw on AI and the Public Square. It was an incredible agenda led by implementers and activists who are embracing democracy in all of its flaws, while also doing something about the at-scale effects of the rather disputatious online experience. Two papers were helpful in framing the discussions:
- Identity and Personhood in Digital Democracy: Evaluating Inclusion, Equality, Security, and Privacy in Pseudonym Parties and Other Proofs of Personhood
- Reimagining Content Moderation and Safeguarding Fundamental Rights
I took away an enormous amount of assuredness that the approach, rigor, curiosity and urgency with which a multitude of experts and researchers are approaching the erosion of civic space must necessarily constitute a lasting and ongoing community of practice.
ICYMI
- Other problems at Truth Social, and the Mastodon in the room https://www.dailykos.com/stories/2024/3/26/2231675/-Other-problems-at-Truth-Social-and-the-Mastodon-in-the-room
- ARTICLE 19 is looking for its next Head of Digital https://article.peoplehr.net/Pages/JobBoard/Opening.aspx?v=6fccb075-87fb-455c-bad2-9e4ecbf76cd2
- Konstantinos Komaitis on the UN's Global Digital Compact https://www.komaitis.org/personal-blog/the-gdc-zero-draft-is-out-the-good-the-bad-and-the-ugly
- RIPE NCC publishes its annual transparency report on law enforcement requests https://www.ripe.net/publications/docs/ripe-819
- From the Tor blog, "Surveillance as a Service: The Global Impact of Israeli “Defense” Technologies on Privacy and Human Rights" https://blog.torproject.org/surveillance-as-a-service-global-impact-of-israeli-defense-technologies-on-privacy-human-rights/
- Save our seabed – the bottom of the ocean needs to become a top priority, and the UN agrees https://theconversation.com/save-our-seabed-the-bottom-of-the-ocean-needs-to-become-a-top-priority-and-the-un-agrees-222860
- The Disability Inclusion Fund launches second request for proposals for the DIF x Tech Fund https://borealisphilanthropy.org/2024/04/04/the-disability-inclusion-fund-launches-second-rfp-for-the-dif-x-tech-fund/
- The W3C launches new Federated Identity Working Group https://www.w3.org/groups/wg/fedid/
- Apply! The Trusted Internet Summer School on Internet Governance and International Law will be in Poland in July. This year's theme is "Satellite Internet: Trust and Data Governance" https://www.cyber.uni.lodz.pl/en/ssigil
Backdoors 🤝 Spyware: Or, what you get with broken encryption and government hacking (hint: it’s genocide)
Encryption backdoors and government hacking often emerge as competing solutions. Human rights groups tend to point out that this is a false dichotomy because while policy makers present them as tradeoffs, they are in fact reinforcing. Both facilitate government access to encrypted communications for law enforcement or intelligence agencies. Both violate civil and human rights if abused or mandated at scale.
However, it is important to remember that these two solutions are not theoretical, nor does the future present some “choice” for civil liberties and human rights groups. The reality is that government hacking is flourishing, from extrajudicial hoarding of zero-day exploits to spyware products like NSO Group’s Pegasus. What is not yet a reality is mandated backdoors of end-to-end encrypted messaging, but not for lack of trying by, notably, the Five Eyes countries.
It’s worth recalling the key differences between these techniques not because discernment informs a meaningful choice, but because the exercise illustrates how they exist to complement one another. When combined, backdoored encryption and government hacking lead to surveillance at scale, and in the age of AI lead to disastrous consequences.
We have some notion of what happens if even limited data can be gleaned from communications on a mass surveillance level in combination with targeted surveillance for the purposes of national security: Project Lavender.
Project Lavender has been reported on in the press as a tactical toolkit implemented by the Israeli government to find and bomb members of Hamas in Gaza. It uses a variety of data: “visual information, cellular information, social media connections, battlefield information, phone contacts, photos.” The largest and most comprehensive source of data that can be obtained would be cellular data. Mobile networks operate with protocols that facilitate “lawful access”, e.g., backdoors https://dx.doi.org/10.2139/ssrn.4167105. In Gaza, this data is available to Israel, which controls Palestinian mobile operators, in addition to the location tracking data that any mobile service can glean from a customer device authenticating with the network.
Mobile communications are a vector for abuse of privacy because of, as DKG of the ACLU explains, “the architecture of the cellular network itself. In order for your carrier to route calls and data to your phone, the network needs to constantly know which cell tower your phone is near. And when you make a call or use data, the provider can see where that traffic is going. Cell carriers track and store this accidental byproduct of the technology in order to record people’s location history and network activity for marketing purposes and, in certain circumstances, for sharing with law enforcement.”
All of that data, obtained through encryption backdoors, is now combined with government hacking methods typically used to target specific individuals. Project Lavender therefore “targets” at scale. And, like many AI systems, it is inaccurate and imprecise, leading to actual deaths: many, many innocent deaths. So, what do you get when you combine backdoors and spyware? You get a tool of genocide.