Infrastructure vulnerabilities make surveillance easy

Weakness in digital communications systems allows security to be bypassed, leaving users at risk of being spied on.

Insecurity of our digital systems should be improved to limit surveillance by totalitarian governments, writes Schneier [Al Jazeera]

Governments want to spy on their citizens for all sorts of reasons. Some countries do it to help solve crimes or to try to find “terrorists” before they act.

Others do it to find and arrest reporters or dissidents. Some only target individuals, others attempt to spy on everyone all the time.

Many countries spy on the citizens of other countries: for reasons of national security, for advantages in trade negotiations, or to steal intellectual property.

None of this is new. What is new, however, is how easy it has all become. Computers naturally produce data about their activities, which means they’re constantly producing surveillance data about us as we interact with them.

Corporations are doing it for their own purposes; collecting and using this data has become the dominant business model of the internet. Increasingly, governments around the world are ensuring that they too have access to the data, either by mandating that the companies give it to them or surreptitiously grabbing their own copy.

Since Edward Snowden revealed to the world the extent of the NSA’s global surveillance network, there has been a vigorous debate in the technological community about what its limits should be.

Less discussed is how many of these same surveillance techniques are used by other – smaller and poorer – more totalitarian countries to spy on political opponents, dissidents, human rights defenders; the press in Toronto has documented some of the many abuses, by countries like Ethiopia, the UAE, Iran, Syria, Kazakhstan, Sudan, Ecuador, Malaysia, and China.

That these countries can use network surveillance technologies to violate human rights is a shame on the world, and there’s a lot of blame to go around.

We can point to the governments that are using surveillance against their own citizens.

We can certainly blame the cyberweapons arms manufacturers that are selling those systems, and the countries – mostly European – that allow those arms manufacturers to sell those systems.

There’s a lot more the global internet community could do to limit the availability of sophisticated internet and telephony surveillance equipment to totalitarian governments. But I want to focus on another contributing cause to this problem: the fundamental insecurity of our digital systems that makes this a problem in the first place.

Exploiting existing vulnerabilities

IMSI catchers are fake mobile phone towers. They allow someone to impersonate a cell network and collect information about phones in the vicinity of the device, and they’re used to create lists of people who were at a particular event or near a particular location.

Fundamentally, the technology works because the phone in your pocket automatically trusts any cell tower to which it connects. There’s no security in the connection protocols between the phones and the towers.

IP intercept systems are used to eavesdrop on what people do on the internet. Unlike the surveillance that happens at the sites you visit, by companies like Facebook and Google, this surveillance happens at the point where your computer connects to the internet. Here, someone can eavesdrop on everything you do.

This system also exploits existing vulnerabilities in the underlying internet communications protocols. Most of the traffic between your computer and the internet is unencrypted, and what is encrypted is often vulnerable to man-in-the-middle attacks because of insecurities in both the internet protocols and the encryption protocols that protect it.

There are many other examples. What they all have in common is that they are vulnerabilities in our underlying digital communications systems that allow someone – whether it’s a country’s secret police, a rival national intelligence organisation, or criminal group – to break or bypass what security there is and spy on the users of these systems.

These insecurities exist for two reasons. First, they were designed in an era where computer hardware was expensive and inaccessibility was a reasonable proxy for security. When the mobile phone network was designed, faking a cell tower was an incredibly difficult technical exercise, and it was reasonable to assume that only legitimate cell providers would go to the effort of creating such towers.

At the same time, computers were less powerful and software was much slower, so adding security into the system seemed like a waste of resources. Fast forward to today: computers are cheap and software is fast, and what was impossible only a few decades ago is now easy.

The second reason is that governments use these surveillance capabilities for their own purposes. The FBI has used IMSI-catchers for years to investigate crimes. The NSA uses IP interception systems to collect foreign intelligence. Both of these agencies, as well as their counterparts in other countries, have put pressure on the standards bodies that create these systems to not implement strong security.

Of course, technology isn’t static. With time, things become cheaper and easier. What was once a secret NSA interception program or a secret FBI investigative tool becomes usable by less-capable governments and cybercriminals.

‘Wrongheaded and dangerous’

Man-in-the-middle attacks against internet connections are a common criminal tool to steal credentials from users and hack their accounts.

IMSI-catchers are used by criminals, too. Right now, you can go onto Alibaba.com and buy your own IMSI catcher for under $2,000.

Despite their uses by democratic governments for legitimate purposes, our security would be much better served by fixing these vulnerabilities in our infrastructures.

These systems are not only used by dissidents in totalitarian countries, they’re also used by legislators, corporate executives, critical infrastructure providers, and many others in the US and elsewhere.

That we allow people to remain insecure and vulnerable is both wrongheaded and dangerous.

Earlier this month, two American legislators – Senator Ron Wyden and Rep Ted Lieu – sent a letter to the chairman of the Federal Communications Commission, demanding that he do something about the country’s insecure telecommunications infrastructure.

They pointed out that not only are insecurities rampant in the underlying protocols and systems of the telecommunications infrastructure, but also that the FCC knows about these vulnerabilities and isn’t doing anything to force the telcos to fix them.

Wyden and Lieu make the point that fixing these vulnerabilities is a matter of US national security, but it’s also a matter of international human rights. All modern communications technologies are global, and anything the US does to improve its own security will also improve security worldwide.

Yes, it means that the FBI and the NSA will have a harder job spying, but it also means that the world will be a safer and more secure place.

Bruce Schneier is a fellow at the Berkman Klein Center for Internet and Society, and the Harvard Kennedy School. His writings can be found at schneier.com.

The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial policy.