LAS VEGAS – The Internet is barreling down the same road of regulation and not-so-subtle censorship that has turned every other means of mass communication into a centralized and vanilla fountain of useless information. Kinda like television.
That’s the fear that Black Hat keynoter Jennifer Granick drilled into an overflowing room today, exposing the current landscape of surveillance, censorship and centralized control of content, and the complacency with which society has allowed this to happen. Granick contrasted today’s environment with that of two decades ago, when she became passionate about protecting hackers and defending the civil liberties of those who tinker with software and devices in the name of making them safer.
“Twenty years ago I went to my first DEF CON because I believed in the dream of a free and open Internet. I believe in a world where there is a freedom to tinker, the hands-on imperative for those who want to study, manipulate, change and reverse engineer the software and devices that define the world around us,” said Granick, director of civil liberties at the Stanford Center for Internet and Society. “Today that dream of Internet freedom that brought me to DEF CON 20 years ago is dying.”
Laws such as the Computer Fraud and Abuse Act, the proposed U.S. rules and implementation of the Wassenaar Agreement, and the Digital Millennium Copyright Act are as much to blame as society’s acceptance of the conveniences and centralization that govern today’s Internet, Granick said.
“I’m blaming governments, but I’m also blaming you and me,” Granick said. “The things we want are driving these trends.”
Rather than manage individual blogs, for example, people post to Facebook—a centralized platform. Many hackers may today run their own email servers, but for most of us, Gmail is preferred. People own mobile devices they don’t jailbreak, they download apps and approve excessive permissions. They share data with the so-called cloud, which is not a nebulous entity, but in reality a finite number of companies that control the Internet, Granick said.
“It’s Level 3 [Communications] for fiber, Amazon for servers, Google for search engines and Android,” Granick said. “The fact is that there’s a chokepoint for regulation; there’s an opportunity for control, surveillance and regulation. This isn’t looking like it’s going to change.”
Legal challenges to the hacker ethic have become increasingly pervasive. Proposed changes to the CFAA aim to impose stiffer sentences for hacking violations. The proposed U.S. Wassenaar rules—which are being rewritten—were vague and promised stifling effects on security research and product safety.
“Decentralization was built into the DNA of early Internet,” Granick said. “There were dumb pipes and smart edges. It was a global network that allowed communication with anyone, anywhere and at any time. That would bring us all the hope and dreams the human mind dream up. I wanted to live in that world.”
Granick has a long history of representing hackers under duress, from the late Aaron Swartz to Mike Lynn, who 10 years ago quit his job the night before a talk at Black Hat 2005 during which he revealed vulnerabilities in Cisco routers that ISS, his employer at the time, and Cisco tried to suppress.
“We fought back the suit for copyright infringement. The message [from Cisco] was loud and clear: ‘This is our software, not yours. This is our router, not yours. You’re just a licensee. We tell you what to do. You can’t decompile. You can’t study, and you can’t tell everyone what you find.'”
Granick said the key first step in the U.S. is for Congress to stop grandstanding on tougher cybercrime laws. She pointed out that Chinese, North Korean and Russian APT gangs responsible for large breaches aren’t being prosecuted for those intrusions. Instead, the heavy CFAA sentences, for example, are “chilling the good guys.”
“We have to declare that software users have the right to study and modify software and that laws like the CFAA not get in the way of that,” Granick said. She added that this takes on new weight with the influx of networked devices, from cars, to home automation systems, and much more.
“If we’re not allowed to study that, we’re going to be surrounded by black boxes that do things we cannot understand,” Granick said. “Get rid of the CFAA and DMCA. The public interest in the freedom to tinker needs to be protected.”