[discuss] Snowden Revelations: What concrete activities were revealed that led us here?

Shatan, Gregory S. GShatan at ReedSmith.com
Tue Jan 21 06:54:34 UTC 2014


Andrew,

Thank you for the very comprehensive reply, most of which I agree with or appears consistent with what I see.  I don't think I would say "It appears [the US] attempted to turn the Internet into a vast data-gathering apparatus, with the target "everyone on earth"."  I think it would be more accurate to say that the US took advantage of the existence of the Internet to conduct a vast amount of data-gathering, but I don't see where this leads to a claim that the US took advantage of its role with IANA, the root, ICANN, etc., to do so.  As you say, it appears that this relationship "mostly doesn't exist."

Whether all of this makes the US less trustworthy or more hypocritical, I don't know.  Frankly, I've always assumed that the US of Joe McCarthy, J. Edgar Hoover, infiltration of left-wing and anti-war groups from the '60s (and probably earlier) to the present, was always engaged in massive spycraft.  I've also assumed that any number of other countries are doing the same to the best of their abilities.  I probably hoped for better from an Obama-led administration, but between the power of the "permanent establishment," the "teeth on edge" attitude post-9/11, and the fact that Obama is really more of a centrist (or a very timid progressive), like Clinton before him, I was prepared to be disappointed.

Perhaps we should make it a pre-condition that any other government that wants a bigger piece of the IG pie should reveal (at least some of)  the nature and extent of their internet surveillance programs.  Of course this will never happen.  So we'll need some more Snowdens (international edition) to educate us on the rest-of-world's comparable facts.  But this is probably a digression, since I'm still not seeing much, if any, of a causal relationship between the US surveillance program and the US position in IG.

Greg Shatan

-----Original Message-----
From: discuss-bounces at 1net.org [mailto:discuss-bounces at 1net.org] On Behalf Of Andrew Sullivan
Sent: Thursday, January 16, 2014 10:49 AM
To: discuss at 1net.org
Subject: Re: [discuss] Snowden Revelations: What concrete activities were revealed that led us here?

Hi,

"I didn't have time to write a short letter, so I wrote a long one instead."

On Thu, Jan 16, 2014 at 06:22:51AM +0000, Shatan, Gregory S. wrote:
>
> gun(s)” or “the scene of the [Internet] crime”: the explicit and
> specific acts by US surveillance (etc.) that were uniquely made
> possible by the United States’ current relationship to Internet
> governance, Internet infrastructure, ICANN, and/or IANA, etc.

Several people have responded to you without actually answering this question.  I suspect the reason for that is that the relationship you are looking for mostly doesn't exist.

First, there is no evidence whatsoever that control over the root zone had anything to do with any of this, nor that it ever really could, nor even that the US has even attempted to abuse that control for these purposes.  There are some people who have occasionally claimed it attempted some other abuses of the root zone, but I've not actually managed to understand those claims and they always seem to me to be theoretical rather than actual events.

Second, there is also no evidence that the US has used its position in respect of IANA to influence number allocation for any nefarious purpose or even especially unfairly.  It is probably true that the earliest IPv4 allocations tended to be rather US-centric and inefficient; but at the time it wasn't obvious that was a problem, CIDR hadn't been invented, and RIRs weren't even a gleam in anyone's eye.  Anyway, that was all before commercialization seemed realistic.  All of the same goes for AS numbers.

Third, there is no evidence that the US's position with respect to IANA had any effect on the protocol parameters registries.  It's also not clear that, if there were any such evidence, the registry would in any way remain under any sort of US influence.  The IETF uses the IANA protocol parameters registry to publish those parameters.  If something really went pear-shaped, there's no reason the IETF couldn't just decide to publish its parameters somewhere else.  There'd certainly be some awkwardness with special use domain names and number resources.  And it would provoke some kind of crisis.  But I'm not even sure what attack might be successful here, anyway, so I don't know what problem there is here.

Some have argued that the US undermined Internet security by subverting certain cryptographic algorithms. In particular, it appears that the NSA attempted to insert a "back door" in Dual_EC_DRBG, a pseudo-random-number generator, by picking particular critical values that would affect the security. There's a claim that the NSA subverted NIST and that NIST made the algorithm weaker than it otherwise would have been on purpose. NIST rejects that allegation. There appears to be evidence that the NSA paid RSA Security to pick Dual_EC_DRBG as its default; RSA certainly did pick it. RSA denies that they had a contract with the NSA, but their denial is quite carefully worded. The documents released by Snowden definitely contain a claim that the NSA had a program to weaken encryption standards deliberately.

It should be emphasised that the last time the NSA was accused of picking some values to weaken an algorithm, it turned out that they were making it stronger: they had a classified attack against the proposed standard, and while they didn't tell anyone about the attack they did convince people to use different values (which mitigated their attack). If this sounds bizarre, it's because the NSA has a dual mandate: both to subvert secure communications and to make secure communications stronger. The US Government is a strange and wonderful thing.

We should be clear that, if any of the encryption-subversion accusations is the case, it was not a subversion of the Internet standards process, because the IETF doesn't actually develop the cryptographic algorithms but merely refers to them.  The US can of course send people to argue for algorithms it has intentionally weakened.  This is no different than any other country, however (and we know that there have been countries who demanded a protocol parameter for "national algorithms" that are widely believed to be weak).  It's just like the subversion of corporate communications (which as you said is not a position unique to the US).

The US's central position in commerce, and the fact that many corporations do some kind of business in the US thereby somehow making them subject to US laws, is naturally important.  But that's just a commercial fact, and no more interesting than the fact that doing business in China subjects a company to Chinese laws, or doing business in Brazil makes them subject to Brazilian law.  Notably, during the period of encryption export restrictions from the US, there were lots of firms that went out of their way to set up entities outside US control to get around those export restrictions.  This was not a boon for interoperability, but it certainly was a business model that took US law into account and avoided it.

There have been accusations that the US's importance as an interconnection point means that it has unfair access to others' communications, and that it shouldn't do that. I think this is somewhat naïve, but in any case it puts the responsibility in the wrong place. It's true, for instance, that a lot of Brazilian domestic traffic routes through Miami, and that an enormous amount of South American traffic goes through Miami. But this is because the interconnections in much of South America are poor: the infrastructure is bad; and the interconnection relationships are expensive, perversely regulated, or both. This is a public policy and techno-commercial problem that is entirely within the power of the affected nations to fix (and they could have done so ages ago). There is a cost issue, of course. But Internet exchanges are not so horribly expensive to set up, and the population is certainly there. I am not an expert in the economics of networking in that region, but in other places where I'm familiar with this sort of perverse routing it often turns out to be because of heavyweight telco regulation, cronyism in the relevant industries in-country, or both. Certainly the experience my employer (for whom I am not speaking!) had with setting up a point of presence inside Brazil suggests to me that the overall IT sector there is very heavily regulated, making locating in the area unattractive.

The real reason I think the various recent revelations make people press to remove the US "special relationship" is just that the US is no longer trustworthy.  It appears to have attempted to turn the Internet into a vast data-gathering apparatus, with the target "everyone on earth".  It appears to be spitting on its own constitutional principles (never mind whether all this is strictly legal; it is plainly not in keeping with Jeffersonian limited power of the state).  It is revealed to be a hypocrite, stridently lecturing everyone else about individual freedoms while working as hard as possible to subvert those freedoms.  And because the US and its closest allies were the historic defenders of the multi-stakeholder procedures from which we all have benefitted, and because not only the US but many of those allies are implicated in these sad activities, there is something of a crisis.

I hope this is helpful.

Best regards,

Andrew

--
Andrew Sullivan
ajs at anvilwalrusden.com
