Internet Superhero Cory Doctorow's Plan to Thwart the NSA

The government won't even let businesses disclose that it has made data requests. Here's a way around one of the intelligence community's most depraved practices.

Internet superhero Cory Doctorow*, rendered above by XKCD's Randall Munroe, has taken to the pages of The Guardian to distill why the NSA behaves unethically when it deliberately inserts security weaknesses into digital technology:

It doesn't really matter if you trust the "good" spies of America and the UK not to abuse their powers (though even the NSA now admits to routine abuse), you should still be wary of deliberately weakened security. It is laughable to suppose that the back doors that the NSA has secretly inserted into common technologies will only be exploited by the NSA. There are plenty of crooks, foreign powers, and creeps who devote themselves to picking away patiently at the systems that make up the world and guard its wealth and security (that is, your wealth and security) and whatever sneaky tools the NSA has stashed for itself in your operating system, hardware, applications and services, they will surely find and exploit ....

Our world is made up of computers. Our cars and homes are computers into which we insert our bodies; our hearing aids and implanted defibrillators are computers we insert into our bodies. The deliberate sabotage of computers is an act of depraved indifference to the physical security and economic and intellectual integrity of every person alive. If the law is perverted so that we cannot tell people when their security has been undermined, it follows that we must find some other legal way to warn them about services that are not fit for purpose.

That would be sufficient for a mortal's op-ed, but being an Internet superhero and all, Doctorow has a suggestion for warning the masses about the NSA's depraved sabotage.

To understand his proposal, it's important to review one of the creepiest, most dystopian things that the NSA does: The secretive surveillance agency approaches people who run digital businesses, demands that they break the privacy promises that they've made to their customers, and then prohibits those entrepreneurs and staffers from telling anyone about what happened, even to complain. They manage to transgress against the First and Fourth Amendment all at once!

You'd think that in America, anyone would have the right to stand on a street corner or cable-news soundstage and say, "The government is forcing me to do something I regard as immoral and unconstitutional, and this is what it is: _____."


The government is legally compelling companies and individuals to keep their mouths shut. Americans are made to understand that if they tell the truth about what the government is forcing them to do, men with guns will be sent to arrest them, and they will be confined to a cage in the manner of murderers, rapists, and thieves.

How to respond to this thuggery?

The idea under discussion traces its origins to a librarian who was furious that the Patriot Act not only allowed the federal government to snoop into the library records of patrons, but also forbade librarians from telling patrons about it.

Librarian Jessamyn West's ingenious solution:

In the same spirit, one company posts notices that say, "Wickr has received zero secret orders from law enforcement and spy agencies. Watch closely for this notice to disappear."

Back to Doctorow:

This gave me an idea for a more general service: a dead man's switch to help fight back in the war on security. This service would allow you to register a URL by requesting a message from it, appending your own public key to it and posting it to that URL. Once you're registered, you tell the dead man's switch how often you plan on notifying it that you have not received a secret order, expressed in hours. Thereafter, the service sits there, quietly sending a random number to you at your specified interval, which you sign and send back as a "No secret orders yet" message. If you miss an update, it publishes that fact to an RSS feed.

Such a service would lend itself to lots of interesting applications. Muck-raking journalists could subscribe to the raw feed, looking for the names of prominent services that had missed their nothing-to-see-here deadlines. Security-minded toolsmiths could provide programmes that looked through your browser history and compared it with the URLs registered with the service and alert you if any of the sites you visit ever show up in the list of possibly-compromised sites.
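The check-in loop Doctorow describes can be sketched in Go as follows. This is an added example, not code from Doctorow or from this article: the `Canary` type, its method names and the example.org URL are hypothetical, and Ed25519 is an assumed choice of signature scheme, since the proposal names none.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Canary is one registered URL in the hypothetical dead man's switch service.
type Canary struct {
	URL       string
	Pub       ed25519.PublicKey // public key posted at registration
	Interval  time.Duration     // check-in period chosen by the registrant
	Challenge []byte            // outstanding random number, single use
	Deadline  time.Time
}

// Issue sends a fresh random challenge and starts the clock on it.
func (c *Canary) Issue(now time.Time) []byte {
	c.Challenge = make([]byte, 32)
	rand.Read(c.Challenge) // error ignored for brevity in this sketch
	c.Deadline = now.Add(c.Interval)
	return c.Challenge
}

// CheckIn accepts only a signature over the outstanding challenge, before the
// deadline, so an old "No secret orders yet" reply cannot be replayed.
func (c *Canary) CheckIn(sig []byte, now time.Time) bool {
	if c.Challenge == nil || now.After(c.Deadline) || !ed25519.Verify(c.Pub, c.Challenge, sig) {
		return false
	}
	c.Challenge = nil
	return true
}

// Missed reports whether the URL belongs in the public feed of lapsed canaries.
func (c *Canary) Missed(now time.Time) bool {
	return c.Challenge != nil && now.After(c.Deadline)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2013, 9, 1, 0, 0, 0, 0, time.UTC) // constructed timestamps
	c := &Canary{URL: "https://example.org/canary", Pub: pub, Interval: 24 * time.Hour}
	fmt.Println("on time:", c.CheckIn(ed25519.Sign(priv, c.Issue(t0)), t0.Add(time.Hour)))
	c.Issue(t0.Add(24 * time.Hour)) // this challenge is never answered
	fmt.Println("lapsed:", c.Missed(t0.Add(49*time.Hour)))
}
```

Because each challenge is random and cleared once answered, a party holding only past replies cannot keep the canary alive; doing so requires the registrant's private key.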

He points out that a court case testing an action of this sort has never been adjudicated, "but in US jurisprudence, compelling someone to speak a lie is generally more fraught with constitutional issues than compelled silence about the truth."

One would hope that neither the courts nor the people would permit the government to compel its citizens to speak lies. Then again, one would have hoped that compelled silence about the truth would be anathema. I suspect the NSA has gotten away with it until now not because a majority of Americans have values that would permit something so execrable, but because the public mostly doesn't understand what the government is doing. That is gradually changing.

In the meantime, I hope companies begin to use Doctorow's suggested strategy for alerting attentive customers to the fact that their government is surveilling them.