[discuss] Snowden Revelations: What concrete activities were revealed that led us here?

Andrew Sullivan ajs at anvilwalrusden.com
Thu Jan 16 15:48:53 UTC 2014


Hi,

"I didn't have time to write a short letter, so I wrote a long one
instead."

On Thu, Jan 16, 2014 at 06:22:51AM +0000, Shatan, Gregory S. wrote:
> 
> gun(s)” or “the scene of the [Internet] crime”: the explicit and
> specific acts by US surveillance (etc.) that were uniquely made
> possible by the United States’ current relationship to Internet
> governance, Internet infrastructure, ICANN, and/or IANA, etc.

Several people have responded to you without actually answering this
question.  I suspect the reason for that is that the relationship you
are looking for mostly doesn't exist.

First, there is no evidence whatsoever that control over the root zone
had anything to do with any of this, nor that it ever really could,
nor even that the US has even attempted to abuse that control for
these purposes.  There are some people who have occasionally claimed
it attempted some other abuses of the root zone, but I've not actually
managed to understand those claims and they always seem to me to be
theoretical rather than actual events.

Second, there is also no evidence that the US has used its position in
respect of IANA to influence number allocation for any nefarious
purpose or even especially unfairly.  It is probably true that the
earliest IPv4 allocations tended to be rather US-centric and
inefficient; but at the time it wasn't obvious that was a problem,
CIDR hadn't been invented, and RIRs weren't even a gleam in anyone's
eye.  Anyway, that was all before commercialization seemed realistic.
All of the same goes for AS numbers.

Third, there is no evidence that the US's position with respect to
IANA had any effect on the protocol parameters registries.  It's also
not clear that, if there were any such evidence, the registry would in
any way remain under any sort of US influence.  The IETF uses the IANA
protocol parameters registry to publish those parameters.  If something
really went pear-shaped, there's no reason the IETF couldn't just
decide to publish its parameters somewhere else.  There'd certainly be
some awkwardness with special use domain names and number resources.
And it would provoke some kind of crisis.  But I'm not even sure what
attack might be successful here, anyway, so I don't know what problem
there is here.

Some have argued that the US undermined Internet security by
subverting certain cryptographic algorithms. In particular, it appears
that the NSA attempted to insert a "back door" in Dual_EC_DRBG, a
pseudo-random-number generator, by picking particular critical values
that would affect the security. There's a claim that the NSA subverted
NIST and that NIST made the algorithm weaker than it otherwise would
have been on purpose. NIST rejects that allegation. There appears to
be evidence that the NSA paid RSA Security to pick Dual_EC_DRBG as its
default; RSA certainly did pick it. RSA denies that they had a
contract with the NSA, but their denial is quite carefully worded. The
documents released by Snowden definitely contain a claim that the NSA
had a program to weaken encryption standards deliberately.

It should be emphasised that the last time the NSA was accused of
picking some values to weaken an algorithm, it turned out that they
were making it stronger: they had a classified attack against the
proposed standard, and while they didn't tell anyone about the attack
they did convince people to use different values (which mitigated
their attack). If this sounds bizarre, it's because the NSA has a dual
mandate: both to subvert secure communications and to make secure
communications stronger. The US Government is a strange and wonderful
thing.

We should be clear that, if any of the encryption-subversion
accusations is the case, it was not a subversion of the Internet
standards process, because the IETF doesn't actually develop the
cryptographic algorithms but merely refers to them.  The US can of
course send people to argue for algorithms it has intentionally
weakened.  This is no different than any other country, however (and we
know that there have been countries who demanded a protocol parameter
for "national algorithms" that are widely believed to be weak).  It's
just like the subversion of corporate communications (which as you
said is not a position unique to the US).

The US's central position in commerce, and the fact that many
corporations do some kind of business in the US thereby somehow making
them subject to US laws, is naturally important.  But that's just a
commercial fact, and no more interesting than the fact that doing
business in China subjects a company to Chinese laws, or doing
business in Brazil makes them subject to Brazilian law.  Notably,
during the period of encryption export restrictions from the US, there
were lots of firms that went out of their way to set up entities
outside US control to get around those export restrictions.  This was
not a boon for interoperability, but it certainly was a business model
that took US law into account and avoided it.

There have been accusations that the US's importance as an
interconnection point means that it has unfair access to others'
communications, and that it shouldn't do that. I think this is
somewhat naïve, but in any case it puts the responsibility in the
wrong place. It's true, for instance, that a lot of Brazilian domestic
traffic routes through Miami, and that an enormous amount of South
American traffic goes through Miami. But this is because the
interconnections in much of South America are poor: the infrastructure
is bad; and the interconnection relationships are expensive,
perversely regulated, or both. This is a public policy and
techno-commercial problem that is entirely within the power of the
affected nations to fix (and they could have done so ages ago). There
is a cost issue, of course. But Internet exchanges are not so horribly
expensive to set up, and the population is certainly there. I am not
an expert in the economics of networking in that region, but in other
places where I'm familiar with this sort of perverse routing it often
turns out to be because of heavyweight telco regulation, cronyism in
the relevant industries in-country, or both. Certainly the experience
my employer (for whom I am not speaking!) had with setting up a point
of presence inside Brazil suggests to me that the overall IT sector
there is very heavily regulated, making locating in the area
unattractive.

The real reason I think the various recent revelations make people
press to remove the US "special relationship" is just that the US is
no longer trustworthy.  It appears to have attempted to turn the
Internet into a vast data-gathering apparatus, with the target
"everyone on earth".  It appears to be spitting on its own
constitutional principles (never mind whether all this is strictly
legal; it is plainly not in keeping with Jeffersonian limited power of
the state).  It is revealed to be a hypocrite, stridently lecturing
everyone else about individual freedoms while working as hard as
possible to subvert those freedoms.  And because the US and its closest
allies were the historic defenders of the multi-stakeholder procedures
from which we all have benefitted, and because not only the US but
many of those allies are implicated in these sad activities, there is
something of a crisis.

I hope this is helpful.

Best regards,

Andrew

-- 
Andrew Sullivan
ajs at anvilwalrusden.com


