Internet surveillance – The Fiji Times
Although it may not seem so obvious to us in Fiji, for the first time in human history almost every person is under daily surveillance, surveillance that exists not in spite of, but because of, the achievements of the networked society.
In a very interesting article on the Decoupling Principle (which I paraphrase here), the authors revisit an old principle: building privacy into the architecture of the systems themselves. I think we all assumed this was already the case, but I assure you it is not!
Privacy violations are a multi-billion dollar industry, and have been a core business model of the Internet for some time now. All those free accounts through Facebook and other apps come at a price – your data (details/photos/videos/etc)!
People need privacy in their daily lives, but privacy matters beyond the individual: societies progress when the chilling effects of total surveillance are kept at bay. Individual privacy is closely analogous to organizational security: in each case the parties involved want to retain control over their private data and metadata.
Fortunately, network designers and researchers alike have recognized the need for, at the very least, data confidentiality. Transport Layer Security (TLS) now protects almost every type of communication on the Internet: it is on by default in all major browsers and is built into modern protocols such as QUIC and HTTP/3.
Despite TLS's success, Internet communications today are monitored more closely than ever before, both in the network and at the endpoints. Data is encrypted in flight, but significant metadata still leaks in transit (e.g. IP addresses, and DNS queries, which travel in the clear unless DNS-over-HTTPS or DNS-over-TLS is used) and at the endpoints (by the endpoints themselves and the partner organizations they share data with).
Although the research community has worked on communication metadata privacy for decades and has deployed a number of distributed systems, reusable design patterns for the problem are notably absent from the protocol designer's toolbox.
The paper's central idea, which the authors call the Decoupling Principle, is simple: to ensure privacy, information must be divided, architecturally and institutionally, so that each entity holds only the information it needs to perform its function.
This makes sense; it is the same 'need to know' basis that organizations use to segment information at various levels. Architectural decoupling means separating the functionality behind different fundamental actions in a system, such as authentication (proving who is allowed to use the network) from connectivity (establishing session state for communication).
Institutional decoupling means dividing the information that remains between non-collaborating entities, such as different companies or network operators, or between a user and network peers. This decoupling means no single provider is worth breaching on its own: each holds little or no sensitive data that could be lost to an attacker, and what each does hold is of little use unless the separate providers collude or are compromised together.
Simply put, the Decoupling Principle suggests always separating who you are from what you do.
Something like this already exists in system authentication such as Active Directory (AD), where users only get access to the systems or databases they are authorized to use; but that is least privilege, which limits what an identity can do while still tying every action to that identity. Decoupling goes further, ensuring that no single party can tie who you are to what you do. David Chaum was one of the first to design privacy protocols and systems in this way, in a series of seminal papers. Many systems have built on Chaum's insights, including some of the most popular privacy systems ever built, such as Tor (best known to the public as the way into the so-called Darknet, but designed as a general-purpose anonymity network).
Despite that long history, Chaum's ideas only began to see widespread application and acceptance in the last decade, under increasing pressure to improve Internet privacy for end users. Many earlier approaches do not obey the Decoupling Principle.
For example, VPNs and middleboxes shift trust from a diffuse set of network endpoints (e.g. the websites a user visits, the DNS resolvers a user relies on) to a single trusted intermediary (e.g. the VPN provider).
Depending on the threat model, this design can address the privacy concerns of end users, especially when the local network is even less trustworthy (public Wi-Fi, for instance). But the single trusted intermediary sees all of a user's activity bundled with the user's identity; it requires more trust than necessary and is a single point of failure for data breaches.
This pattern does not comply with the Decoupling Principle. Examples like these lend weight to the idea that decoupling is fundamental to network privacy.
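To make the contrast concrete, here is an added example (my own toy code, not from the article or from the paper it discusses) that models a DNS-style lookup two ways: through a single trusted intermediary, as in the VPN pattern just described, and through a decoupled relay-plus-gateway pair that follows the principle of separating who you are from what you do. The relay sees the client's address but only an opaque encrypted blob; the gateway holds the private key and sees the query but never a client address. The cryptography is a deliberately small stand-in chosen so the example runs with the Python standard library alone: Diffie-Hellman over the Mersenne prime 2**127 - 1 with generator 3, and a SHA-256 keystream with an HMAC tag. Those choices, the zone records, and the client address are assumptions for the demo only, and the scheme is not production strength; Oblivious HTTP (RFC 9458) performs the same encapsulation step with HPKE (RFC 9180).

```python
"""Toy model of the Decoupling Principle: one party sees WHO, another sees WHAT.

Added example; not code from the column or the paper.  Crypto is a demo-only
stand-in (DH over 2**127-1, SHA-256 keystream, HMAC tag), not production grade.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime M127: toy-sized DH group (assumption: demo only)
G = 3            # generator (assumed adequate for a demo)

# Constructed toy zone data, using RFC 5737 documentation address ranges.
ZONE = {"example.com": "192.0.2.1", "fijitimes.com": "198.51.100.7"}


def _derive(shared: int, purpose: bytes) -> bytes:
    """Per-purpose key from the DH shared secret (shared < 2**128 fits 16 bytes)."""
    return hashlib.sha256(purpose + shared.to_bytes(16, "big")).digest()


def _subkeys(key: bytes):
    """Separate keys for the keystream and the MAC."""
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def _encrypt(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: tag(32) || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, len(pt))))
    return hmac.new(mac_key, ct, hashlib.sha256).digest() + ct


def _decrypt(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: blob was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


class SingleIntermediary:
    """VPN / middlebox pattern: one trusted party resolves the query itself."""
    def __init__(self):
        self.log = []

    def resolve(self, client_ip: str, name: str) -> str:
        self.log.append({"client": client_ip, "query": name})   # identity AND activity
        return ZONE.get(name, "NXDOMAIN")


class Relay:
    """Sees the client's address; forwards an opaque blob it cannot read."""
    def __init__(self, gateway: "Gateway"):
        self.gateway, self.log = gateway, []

    def forward(self, client_ip: str, blob: bytes) -> bytes:
        self.log.append({"client": client_ip, "bytes": len(blob)})  # all it can record
        return self.gateway.handle(blob)


class Gateway:
    """Holds the private key; sees the query but never a client address."""
    def __init__(self):
        self.sk = secrets.randbelow(P - 2) + 2
        self.pk = pow(G, self.sk, P)          # published to clients out of band
        self.log = []

    def handle(self, blob: bytes) -> bytes:
        shared = pow(int.from_bytes(blob[:16], "big"), self.sk, P)
        name = _decrypt(_derive(shared, b"req"), blob[16:]).decode()
        self.log.append({"query": name})      # activity without identity
        answer = ZONE.get(name, "NXDOMAIN")
        return _encrypt(_derive(shared, b"resp"), answer.encode())


def decoupled_lookup(client_ip: str, name: str, relay: Relay, gateway_pk: int) -> str:
    """Client: encapsulate to the gateway key, send through the relay, open reply."""
    y = secrets.randbelow(P - 2) + 2
    shared = pow(gateway_pk, y, P)
    req = pow(G, y, P).to_bytes(16, "big") + _encrypt(_derive(shared, b"req"), name.encode())
    return _decrypt(_derive(shared, b"resp"), relay.forward(client_ip, req)).decode()


def demo() -> dict:
    """Run both designs for one constructed client and return every party's log."""
    vpn, gateway = SingleIntermediary(), Gateway()
    relay, client = Relay(gateway), "203.0.113.45"
    vpn_answer = vpn.resolve(client, "example.com")
    answers = [decoupled_lookup(client, n, relay, gateway.pk)
               for n in ("example.com", "nosuch.example")]
    return {"vpn_answer": vpn_answer, "vpn_log": vpn.log, "answers": answers,
            "relay_log": relay.log, "gateway_log": gateway.log}


def tampered_request_is_rejected() -> bool:
    """A relay that flips one ciphertext byte cannot get the gateway to answer."""
    gateway, y = Gateway(), secrets.randbelow(P - 2) + 2
    shared = pow(gateway.pk, y, P)
    req = bytearray(pow(G, y, P).to_bytes(16, "big") + _encrypt(_derive(shared, b"req"), b"example.com"))
    req[-1] ^= 0x01
    try:
        gateway.handle(bytes(req))
    except ValueError:
        return True
    return False
```

Running `demo()` shows the difference in the logs: the intermediary's log pairs the client address with the domain it asked for, the relay's log holds only an address and a byte count, and the gateway's log holds only domains. Reconstructing "client X looked up Y" would require both decoupled parties to collude, which is the institutional decoupling the column describes; `tampered_request_is_rejected()` shows the relay also cannot alter a query without the gateway noticing.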
This is the authors' argument. So what is Internet privacy? Privacy is freedom from observation, and nowhere is this harder to achieve than on the Internet, where we must rely on others to carry our traffic.
With data confidentiality thankfully largely solved, the privacy challenges have moved elsewhere: to the metadata of traffic (rather than the now-encrypted payloads) and to the endpoints where application-level processing takes place.
Further challenges lie in keeping multiple streams of traffic from a single user or entity unlinkable in the network, and multiple identifiers unlinkable at the endpoints. Privacy challenges exist across the network stack, so privacy solutions must be layered too.
For example, encrypting application traffic protects the content of messages, but observers at lower layers (e.g. the IP routing infrastructure) can still see who is talking to whom simply by recording the IP endpoints.
Systems that adhere to the Decoupling Principle must consider privacy holistically and account for information leakage across the stack. Privacy interacts with security mechanisms in important ways.
As network security has grown in importance, more systems rely on authentication to confirm the identity of a user or device, and on authorization to decide the level of access to grant.
But authentication and authorization, whether performed in real time or retained for later forensic use, often create an irrefutable record of who used a network service, when, how and even why. The actors involved are both decentralized (authentication and authorization are used everywhere, from the most security-critical applications to low-risk contexts) and centralized (identity providers behind OAuth and single sign-on, SSO, which see a user's access to a large variety of services).
Privacy depends on trust that users must place in the Internet systems with which they interact.
When we use systems, we put our privacy in their hands. In the past 15 years the Internet has become increasingly centralized, with the majority of traffic attributable to a handful of cloud providers, CDNs and content providers known as hypergiants.
For example, the number of ASNs (autonomous system numbers, which identify the independently operated networks that make up the Internet) needed to account for 50 per cent of Internet traffic fell from 150 in 2009 to just five in 2019. This trend has concentrated trust, and knowledge of users' behaviour, in these organizations to an unprecedented degree.
This centralization has brought some benefits to users, as large organizations are sometimes able to effectively secure user data, but it also has clear costs and consequences.
Most network protocols assume end-to-end coordination and thus end-to-end trust. Baked into this assumption is a separate reliance on authentication mechanisms that assure a source of the identity of the destination it is talking to (e.g. certificate hierarchies or other out-of-band mechanisms).
Users implicitly or explicitly judge whether a particular piece of data should be disclosed to a particular service in a particular context, and that judgement depends on countless factors that only the user can weigh.
What many do not realize is that all traffic on the Internet leaves a trail: even when the content is encrypted, the source and destination of every connection, along with its timing and volume, remain visible along the path. Given a server or other digital device, proper digital forensic tools make it fairly easy to reconstruct from its logs and connection records which services and destinations its traffic went to, and often what data was exchanged.
Cybercriminals who assumed Bitcoin and other cryptocurrencies were anonymous are finding this out to their cost, as law enforcement agencies now combine analysis of the public ledger with exactly this kind of network and device metadata to link wallets to people.
As the inventor of the World Wide Web (WWW), Tim Berners-Lee, noted: "There are converging web-related issues emerging, such as privacy and security, that we currently have no way of thinking about.
No one thought to look at how people and the web as a whole combine – until now."
World Cup soccer finals this weekend and good luck to France and Argentina! As always, God bless and stay safe in both digital and physical worlds.
• ILAITIA B. TUISAWAU is a private cyber security consultant. The opinions expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted at [email protected] cyberbati.com