RightsCon: Encryption vs. Surveillance and How Do You Govern the Web, Anyway?



Yesterday, the third annual RightsCon kicked off in San Francisco. The conference brings together tech executives, diplomats, policy advocates, and self-described cypherpunks who sometimes double as security experts, to name a few. The goal is to find ways in which the digital realm, which is ever more encompassing and impacting daily life, can be used to protect and expand the rights of people worldwide. Here are two highlights from the first day of the conference:

1. Encryption won't save us from surveillance, but it's better than regulation

Where do we stand in the battle against digital surveillance? "If you imagine being a cypherpunk in the '90s, and waking up right now, you might actually think we won," speculated Morgan Marquis-Boire, a Senior Security and Technical Adviser at the Citizen Lab (Marquis-Boire is also a Senior Security Engineer at Google, but explicitly said he was not speaking in that capacity). He pointed to the proliferation of the Tor Project, the encryption of major operating systems, and the interpretation of HTTPS into most browsers. But, the surveillance game has changed too.

While governments used to rely on their in-house capabilities, the demand for surveillance has given rise to third party cybersecurity companies like Narus, Amesys, and Blue Coat Unfortunately, their technology ends up in the hands of repressive regimes, who use it to find dissidents, infect them with malware, and extract information about them and their allies. Last year, Reports Without Borders declared Blue Coat an "enemy of the Internet" for helping China, Russia, Venezuela and others free speech-squelching capabilities.

Marquis-Boire was hesitant about regulatory efforts to do away with these problems, noting that secret court systems, such as the U.S. Foreign Intelligence Surveillance Court, could easily make exceptions for themselves. Instead, he suggested engineering solutions. Encryption "won't save you," but that "we need to start engineering in a commercially resistant manner." Marquis-Boire explained that security engineers can develop encoding that's so complex and hard to crack, decrypting would be financially unfeasible. He also pointed to opportunistic encryption, which can secure communications between clouds.

2. Who governs the web? And more importantly how?

Who governs the Internet? "This is a very important question," said Fadi Chehade, the CEO of the Internet Corporation for Assigned Names and Numbers (ICANN), which plays a major role in internet governance.

Speakers on a panel listed an alphabet soup of organizations like ICANN, the Internet Architecture Board (IAB), the Internet Engineering Task Force (IETF), the Internet Governance Forum (IGF), which all play different roles, such overseeing domain space and IP addresses, managing the engineering of the internet, and conducting policy discussions.

A more important issue, though, is how they are held accountable. After all, as Professor J.D. Ross of Syracuse University writes, ongoing is a "15-year controversy over the U.S. government's special relationship to [ICANN]."

Betrand de La Chapelle of ICANN contended that the "accountability mechanism of the representative-democratic system is relatively weak for international issues," and presented a hypothetical crime in which an "Australian traveling in Peru, using Yandex, to say something about a Chinese. What's the jurisdiction for that?" De La Chapelle suggested that this leaves the world in "in a framework where you have to pile up accountability mechanisms," and that the best way to do so is through transparent multistakeholder meetings, in which (ideally) anybody can participate.

Particularly, next month the international community hopes to address some of the issues around this next month at the Global Multistakeholder Meeting on the Future of Internet Governance in Brazil. The panel acknowledged that currently, those outside the tech community–and even many within it–are unaware of Internet governance and the ability to participate in it. One panelist suggested a simple solution: making information public on GoogleDocs and allowing anybody to comment on it as it is being discussed.