I went to the Royal Court Theatre this weekend to see a play called Teh Internet is Serious Business – and no, I am not incapable of spelling “the” correctly; the error is in the title is intentional.
The utterance itself is of course somewhat ironic and subject of various memes but it seems to make sense to think about it in a little more depth. Or perhaps to consider the question: how seriously are we taking “the business” that is “the internet”?
The answer seems to be: not seriously enough. At least many private individuals don’t seem to. Governments, corporations and cyber criminals are of course an entirely different matter. Once again, this became very clear this week. The issue is complex enough to fill two blog posts so this is the first of two complementary ones, although each of them should make sense without the other.
This first one is going to take a look at the question of how seriously – or not – we as individuals are taking the internet. The second one looks at some developments this week and what they tell us about how seriously others are taking the internet.
So. I went to my first cryptoparty this week (prior to seeing the show at the Royal Court) where I fell in love with TrueCrypt, a wicked little tool that encrypts files and also creates – if you so desire – something called a “hidden volume” (i.e. folder that you can fill with files) that is virtually undetectable. Once again, encryption turned out to be something totally awesome: white magic against the Voldemorts of Cyberspace. But more on TrueCrypt some other time.
What I also learned at that party is that I very certainly have a record in xKeyscore. Not that I hadn’t suspected it but hearing from a crypto expert that something as innocent as signing up for a cryptoparty or googling TOR – which is an innocent thing to do because exercising your right to privacy should not get you placed under surveillance – immediately makes you look suspicious to governments, still made me shudder a little (although that may have been the aircon).
And while I was somewhat surprised by the variety of people at the event, it also confirmed my suspicion that people attending these events already know about encryption and understand its importance. Getting most other people interested in data security is extremely difficult. So essentially, this seems to mean that too many of us simply do not take it seriously enough. What this also means of course that most users do not take the internet seriously enough. Which, in many ways, its fine. We don’t all need to start constantly looking over our shoulders or taking a very strict and ascetic approach to the internet. What is more, the profusion of funny cat videos (there were some at the cryptoparty as well) and miscellaneous memes, invitations to find out your Jedi name or simply photos of people’s babies, pets or parties do not really make the internet – or at least the social media – seem like very serious places at all. And the internet is fun too. So was the Royal Court’s play and it staged the funny side of things very well – the sometimes ridiculous, all-over-the-place, anarchist side of the internet. Yet, the internet is far more than that. At its best, it is a place for sharing information, for opinions, and discussion – an environment that promotes and supports free speech, creativity and invention. That, too, was woven into the production at the Royal Court.
But the positive, light-hearted, ridiculous aspects of the internet can be deceptive. And they may somewhat obscure that fact that the internet is also a global place with no one set of rules or jurisdictions, a free and liberating space but, on the flipside of that, also dangerous: a place of trolling, abuse, viruses, botnets and hazards to free expression and privacy like mass surveillance and censorship.
Given that, as the party host said, we live much of our lives through our electronic devices – our photos, thoughts, communication, music, books are on these devices and not just on social media – our ignorance when it comes to the security of our laptops, smartphones, fondleslabs seems disproportionate. Data security or “having nothing to hide” goes so much further than just putting your photos on social media – that, in fact, may be one of the less revealing things you can do.
Any device that has ever been connected to the internet is potentially a spying tool or a bot, every email ever sent, every file ever stored to a cloud, is likely still out there, even after you’ve deleted it.
Everything you have ever done or said on the internet could come back to haunt you. So much for having nothing to hide: the control any one of us has over their data, their personal stuff and, essentially, their digital (and non-digital) lives, is quite limited. And while we wouldn’t let anyone read the private files we have stored in a folder in our home somewhere or leave our keys under the doormat for anyone to find or use the same key for every single one of our doors, most of us are happy enough to use the same password (i.e. the same key) for any doors we might want to keep locked on the internet, or leave them lying around or make our locks so weak than any half-decent burglar can crack them.
And while it may not seem so to us, the internet is – at the hazard of using a much-reviled term here, literally – “serious business” for many: corporations, governments, criminals. Corporations want our data so they can sell us stuff. Therefore, protecting our privacy isn’t really the most prominent item on their list of priorities. Which makes us vulnerable. Not just to criminals who want our data so they can steal from us but also to governments who want our data so they can always know what we do – and, in the worst case, censor us or punish us when we step out of line. This isn’t just those governments we would immediately think of as oppressive regimes either. We have seen enough evidence of our so-called Western democracies doing the same over the past 16 months: we have found out that we are being spied on on a massive scale. And it was only this week that we found out that, in the UK, the police has used powers under the Regulation of Investigatory Powers Act (RIPA) to spy on journalists and their sources. Meanwhile, in Germany Süddeutsche Zeitung has revealed a close – and in many ways quite possibly illegal – cooperation between Germany’s foreign intelligence agency and the NSA. No one in Germany is likely surprised by this: the German government’s reaction to the Snowden revelations and its obstruction of the NSA inquiry in the German Bundestag (some of which I discussed last week) had long since led to the suspicion that something was not quite right. Turns out, the BND has probably been collecting communications data within Germany (which is illegal) and passing it on to the NSA (just as illegal). We are not surprised. And again: given that our communications are collected and shared like this (illegally or not) our insouciance about securing them seems out of all proportion.
“Not surprised we are being spied on,” we say instead. “Nothing we can do about it.”
Except we can. Since Edward Snowden first leaked troves of information to journalists almost 16 months ago, there have been some positive developments. Silicon Valley corporations are ramping up security for their users. iOS 8 now comes with default encryption. Contrary to what former FBI members may tell you, this isn’t a bad thing. Trevor Timm makes it clear in the Guardian why government and law-enforcement media strategies to denounce default encryption across iOS 8 are misleading – partly because, while a great start, iOS8 encryption is only just that: a start. Apple, as Micah Lee reminds us in The Intercept, still has access to more than enough of its users’ data – iCloud users beware! Partly also because – and this goes back to the beginning of this post – governments shouldn’t demonise as illegal or dangerous perfectly legal and valid attempts at making sure that we can exercise our right to privacy, should we so wish. The fact that they are going to great lengths to do just that should give us pause. And make us reconsider just how serious it all really is.
The Royal Court production managed to make this very clear, as well: as the LulzSec group at the centre of the play hacked increasingly high-profile targets, coming under scrutiny of law-enforcement, the play, too, progressed from its initial noisy, colourful and jumbled hilarity to a much darker and bleaker set-up. Notably, the play skilfully refused to side with – or demonise – any of the groups it portrayed. Instead it managed to convey the fact that things are hardly ever as black and white as any side is trying to make us believe. Governments have a point, as do dissenters. It is logical that law enforcement needs certain powers to stop serious cyber criminality. But is should also be clear that governments have no business abusing that power to stifle legitimate dissent or sensor the internet. People standing up against that are justified (even if their means sometimes aren’t).
Legislation, it has been suggested, is not going to be the answer to the internet’s problems – be they mass surveillance and censorship or cyber criminality and trolling. While we can reasonably expect governments to provide an infrastructure that is as secure as possible, not only has it been revealed that they aren’t doing so, such a thing will also only ever be possible to a certain extent. Tim Berners-Lee seems justified in renewing his call for a magna carta of the internet. Because as it is, there are no common rules or laws governing the global space that is the internet.
Ultimately, what the play also made its audience understand is that the internet is still (and hopefully always will be) a space that cannot be controlled – which makes it a free and liberating but also a dangerous space. And we might all want to take its dangers a little more seriously. In a space where it is just as easy to hide behind anonymity as it is to be stripped of that anonymity, the play seemed to suggest, it may ultimately be up to the individual to protect themselves. Who would, in the real world, constantly rely on the goodwill of random strangers? No one would question the idea that, offline, in addition to having laws and institutions that keep us safe, it is sensible to expect each and every one of us to look after themselves as well. And behave responsibly. We often have little but contempt for people who we believe do not behave responsibly.
Yet we do not seem to have quite understood that the same is true online – and how irresponsible many of us are inadvertently being. Perhaps this because we are allowing the non-serious side of the internet to lure us into if not a false sense of security then at least into the idea that all the internet really is, is a space of perpetuous lulz.