I spent February on a book tour for my YA novel Homeland, which concerns a group of American teenagers enmeshed in the surveillance/security apparatus. The kids are chased by private military contractors and anonymous hackers who infiltrate the teens' computers, turning them into surveillance tools whose cameras, mikes, keyboards and hard drives are silently spying on them. On the first stop of the tour, in Seattle, I spoke to the audience about the real-world inspiration for all this: the companies, governments, crooks and schools that compromise our electronic infrastructure and our privacy in unimaginably invasive ways.
Every part of our lives is touched by the Internet, and we interface with that network through our devices. I gave examples of network connections, laptops, phones and even implanted defibrillators being co-opted. When our devices betray us, we are compromised in every conceivable way.
I could have cited the example of a case from last year, when the U.S. Federal Trade Commission settled with seven computer rental companies and a software maker named DesignerWare. These companies had installed on their rentals DesignerWare software that covertly captured video of their customers having sex, video of their children, audio of their conversations, banking passwords, financial details, privileged discussions with lawyers and confidential health information. The FTC sternly told the companies that in future, they must refrain from this activity, unless they give notice of it in their terms and conditions.
When I was done addressing the crowd, a woman put up her hand and said, "You've scared the heck out of me. How on Earth can I possibly make all the electronics in my life secure?"
I said, basically, you can't. I can't. Only we as a society can. If I'd just given you a talk on the risks of waterborne parasites, you wouldn't be asking how you could personally run an effective water filtration and sewage system. You'd be asking how we can get our governments and regulators to treat potable water with the gravitas becoming to something that is life or death for all of us.
Ronald Deibert's new book, Black Code, is a gripping and absolutely terrifying blow-by-blow account of the way that companies, governments, cops and crooks have entered into an accidental conspiracy to poison our collective digital water supply in ways small and large, treating the Internet as a way to make a quick and dirty buck or as a snoopy spy's best friend. The book is so thoroughly disheartening for its first 14 chapters that I found myself growing impatient with it, worrying that it was a mere counsel of despair.
But the final chapter of Black Code is an incandescent call to arms demanding that states and their agents cease their depraved indifference to the unintended consequences of their online war games and join with civil society groups that work to make the networked society into a freer, better place than the world it has overwritten.
Deibert is the founder and director of The Citizen Lab, a unique institution at the University of Toronto's Munk School of Global Affairs. It is one part X-Files hacker clubhouse, one part computer science lab and one part international relations observatory. The Citizen Lab's researchers have scored a string of international coups: uncovering GhostNet, the group of Chinese hackers taking over sensitive diplomatic computers around the world and eavesdropping on the private lives of governments; cracking Koobface, a group of Russian petty crooks who extorted millions from random people on the Internet, a few hundred dollars at a time; and exposing another Chinese attack directed at the Tibetan government in exile and the Dalai Lama. Each of these exploits is beautifully recounted in Black Code and used to frame a larger, vivid narrative of a network that is global, vital and terribly fragile.
Yes, fragile. The value of the Internet to us as a species is incalculable, but there are plenty of parties for whom the Internet's value increases when it is selectively broken.
Black Code shows how governments – from "free" Western/liberal states such as Canada to states such as Myanmar, China and Iran – have hit upon the Internet as a system for ubiquitous surveillance and social control, and documents how the ability to dictate unaccountable censorship is too much temptation to be borne. As Google's annual "Transparency Report" of government censorship requests reveals, apparatchiks all over the world issue take-down demands to online services to remove embarrassing revelations about their offspring and cronies, as well as covering up graver sins, making use of censorship systems established in the name of fighting child porn, jihadism and copyright infringement.
These same states have demanded means of "lawful interception," mandating that switches, servers and services be built with deliberate vulnerabilities so that law enforcement can tap into citizens' communications and funnel them into massive intelligence databases. The telecom infrastructure is made even more fragile by the cozy relationship between phone companies and the agencies responsible for regulating them. Deibert makes this point vividly when he claims that Somalia has some of the world's most advanced, cheapest and most reliable wireless infrastructure, thanks to the absence of a regulator that can be lobbied for anti-competitive favours – though thanks also to the usefulness of functional networks to warlords.
The temptation to play games with the wires and the airwaves is seemingly irresistible. Only one of Uzbekistan's four major ISPs is free from heavy censorship – the one owned by President Islam Karimov, who benefits every time his own regime's censorship rules make the three competing networks less attractive to the citizenry. Network penetration is growing fastest in the world's poorest and most fragile states – countries whose populations desperately need the edge that better communications delivers – meaning that this is no privileged First World problem.
Everybody wants networks, and everyone wants to turn them to their advantage, whether that's Canadian telecom giant Telus blocking its own union's website (along with hundreds of other sites hosted in the same system that fell as collateral damage), the Taliban's strong-arm control of cellular towers, or the Mexican narco-cartels that built their own elaborate wireless networks designed by kidnapped Motorola engineers. The tools of network control are the same, whether you're a government, a military hacker or an organized crime syndicate.
This is Black Code's virtuoso moment: when, after chapter after chapter of horror stories, Deibert shows that when states stop protecting the Internet and sacrifice its freedom and integrity in the name of convenience, they join forces with criminals and thugs.
Once, it was the norm for security researchers who discovered critical vulnerabilities to report them to vendors through a process of "responsible disclosure" that threatened to reveal the flaw at a date far enough in the future that the vendor could issue a patch before the news got out, but not so far away that the vendor could simply ignore the problem. Now, the major work on discovering vulnerabilities is being done by private security firms that sell their research to governments to be used in "lawful interception" software that hijacks criminals' and dissidents' computers and phones and turns them into remote snooping devices. As a result, these vulnerabilities remain unpatched, so crooks can use them to attack us too.
Without continuous disclosure and repair of security vulnerabilities, our digital world grows progressively less secure – even as we continually increase the intimacy of our relationship with it.
The conclusion of Black Code is as stirring and inspiring as the main body is chilling. Deibert calls on cops and spies and governments to actually do what they say they want to do: make cyberspace safe for human habitation. Stop compromising the network's integrity and recognize that the only way to make the network secure is to stop eroding its security – even if that makes it harder to unaccountably, warrantlessly and secretly wiretap whole populations. Deibert calls on activists and civil society groups to take cops at their word when they say they want to secure our electronic nervous system, and to work with them on this project – but without letting them off the hook.
We live in a world made of computers: Our cars and houses are ultimately computers into which we insert our bodies; our bodies are increasingly full of computers such as cochlear implants. Everything we do today involves the Internet, everything we do tomorrow will require it. A responsible state has an obligation to approach Internet regulation with the gravitas due to the nervous system of the 21st century – but instead, it gets used as a toy for panopticon fetishists who think that all our problems will be solved when all the details of our lives are harvested and processed in the government's data mills. Black Code is a manifesto for a 21st-century form of network stewardship, a sense of shared responsibility toward our vital electronic water supply. It's a timely rallying cry, and sorely needed.
Cory Doctorow (craphound.com) is a science fiction author, activist, journalist and blogger. He is the co-editor of Boing Boing (boingboing.net) and the author of the bestselling teen novel Little Brother. His latest young adult novel is Homeland, and his most recent novel for adults is Rapture of the Nerds.