2006-05-15

On civilian monitoring, technology, tools, and terrorism

I try to stay away from politically-charged topics in my posts, but many times politics and information security overlap, leaving me no choice. There has been a lot of press recently involving various activities the NSA has undertaken in the past few years. Since 9/11, the US has been willing to sacrifice personal privacy in the name of security; specifically, with increasingly broad monitoring techniques using modern technologies and tools. This has spawned a virtual arms race between privacy advocates and law enforcement, with more advanced monitoring leading to more advanced protection mechanisms, and vice versa.

One of the tools developed by privacy advocates, with the help of the EFF, is The Onion Router, or TOR. At a very high level, this software attaches your computer to a network of other active TOR clients and routes network traffic randomly through these nodes, obfuscating the true source of the activity. While the implementation isn't perfect, it's a good way to provide one layer of obfuscation to requests made from one's computer. Recently, TOR was identified by a three-letter government agency as a potential threat; a tool that could be used for malicious activity, possibly by terrorists. The distribution of this document is restricted, so I am unable to reference it here.

Does anyone else find it ironic that tools being developed to protect individuals' rights in response to draconian monitoring policies are being identified as terrorist threats by the governments instituting such policies? It seems as though such policies are providing ammunition to the threats they are intended to counter. The more governments infringe on the privacy of ordinary citizens, the more prevalent and complex tools that have dual use like TOR will become, aiding terrorists and privacy advocates alike. I fear that this erosion of privacy and and misplaced trust in the tradeoffs between privacy and security will leave us with nothing to show in terms of national security. Our government needs to accurately identify the threat and focus its resources there, rather than on the wholesale collection of data.

Bruce Schneier, who was interviewed by CNN when the USAToday story broke, has a great opinion article on this topic as well. Note that it was written before the recent article that I mention above.

1 comment:

Anonymous said...

Amazingly, the best thing from a police organization's point of view, strategywise, is to NOT do wholesale spying. If everyone thinks the next WEP is secure, they have lots of easy ways to get evidence, without physically touching any hardware. Of course, this sucks from a commerce point of view.