• The State of Open Source: Privacy and Governance

    by Ben Pearson
    October 30th, 2013

    Privacy has received a great amount of attention globally in recent months. Edward Snowden, a former NSA contractor, has been releasing extensive information about the NSA through the Guardian. These leaks have painted a very questionable picture of the US government, specifically the NSA, carrying out ongoing spying operations. Before now, privacy in digital culture received little mainstream attention, but Snowden’s leaks focused the attention of users and developers everywhere on finding new ways to secure personal information on the Web.

    Domestic Spying

    The US government has long relied on the use of search warrants to gather evidence they need to prosecute people. These warrants require probable cause and must describe the particular place officials would search and the persons or things they would seize. This is to prevent the use of blanket warrants that authorize searches of indiscriminate selections of locations.

    After the NSA leaks, the FBI targeted the email provider used by Snowden: Lavabit. Rather than focusing on Snowden’s account, the FBI wanted passwords, encryption keys and software code that would allow them to monitor Lavabit’s entire user base. Ladar Levison, the owner, instead offered to develop a custom solution that would automatically transmit Snowden’s activity to the FBI daily. The FBI refused this solution, claiming that they couldn’t trust Lavabit with this responsibility. Ultimately, Levison was forced to hand over the encryption keys for his entire site, leading him to shut down the service entirely to protect his users.

    Events like this are leading a number of innovators to search for new solutions to combat the US government’s growing spy operations. John McAfee recently announced his intention to develop a decentralized network that governments can’t access. His plans include D-Central, a low-cost piece of hardware that will have the ability to create a series of decentralized local networks that encrypt all communications. The idea has merit, but the practical outcomes might not be what McAfee desires. Questions remain about whether or not this will be successful, considering that similar solutions already exist. Additionally, the proprietary nature of the device puts the entire system at risk of being tapped by spying governments: the risk of McAfee being targeted in the same way as Levison is too great, as it becomes increasingly apparent that the US government is willing to turn business owners into the targets of investigations.

    Global Spying

    When governments carry out this kind of spying on a global level, the impacts of these actions resonate much more. The NSA leaks have revealed that this type of spying is even being carried out on international companies, including the largest Brazilian oil company: Petrobras. These leaks revealed that the US government carried out international spying to gather financial data. While financial and economic data may be integral to national security, making this connection opens up wide-ranging possibilities for the limits on international espionage.

    Regardless of your interpretation of national security, it doesn’t benefit a company like Petrobras to have its financial data mined in the interest of foreign governments. In fact, this kind of data gathering only has the potential to hurt that company as it increases the risk of important or sensitive information leaking to people that shouldn’t have it. It’s in the best interest of companies and governments to search for more secure methods of transferring information to prevent espionage of any kind.

    The government of Brazil has already expressed major interest in expanding its usage of open source solutions, and actions like the NSA spying will embolden these efforts. Brazil understands the importance of making software tools more accessible to its population and has spent considerable effort reducing its reliance on foreign, proprietary applications. Some of the areas it has already made progress in include banking, education, workflow management and application development frameworks. The transparency of open source applications makes understanding privacy controls much easier; this is an area likely to receive much greater attention in the future.

    The Need for Global Transparency

    The global exchange of knowledge, culture and commerce requires a certain level of international trust. Distrust of the US is growing around the globe as more revelations are made about the questionable spying actions of the United States federal government; this distrust will only continue to grow if we continue on this path. The open source community offers opportunities to develop transparent solutions that can allow us to rebuild this trust; I will explore these opportunities in part three of this series.

    In part two of this series, I cover the issues we face when relying on proprietary solutions for security and privacy.

    Part 3 of this series covers the open source solutions to these issues.

    Update 11/7/2013: Days after the original publication of this article, three major news stories have been released that demonstrate this move away from proprietary sources for the purposes of privacy.

    1. The Brazilian government has stated that they will stop buying software that can’t be audited. (Translated by Google)
    2. All government organizations in Brazil will only be allowed to use open source, on-premise email services.
    3. Germany and Brazil are pushing for private internet networks to combat NSA spying.

    Update 6/27/14: Due to an ongoing erosion of international trust related to spying being carried out by departments within the US Government, I have decided to create an ongoing repository of stories related to this issue. These can be found here.

    Image Credits: EFF