Law in the Internet Society
ready for review

Arrested Development: musings on the interdependence of State and commercial actors in the development of communication software and hardware

-- By NikolaosVolanis - 05 Nov 2009

1. The Argument

I will attempt to demonstrate how the interdependence of governmental and private commercial interests is detrimental to the development of communication networks and communications-related software. My basic proposition is the following:

A. State law enforcement interests mandate specific technological solutions which allow for increased traceability of the behavior of individuals over electronic communications networks.

B. In order to achieve this purpose, the state has to engage either in regulation of technology directly (regulation by legislation) or indirectly by incentivising the providers of communications hardware and software to adopt a preferable technological solution.

C. Being for-profit entities, these intermediaries are primarily concerned with minimizing losses, by avoiding governmental contempt which could lead to administrative penalties or other sanctions.

D. In this context, when communications hardware and software are provided by commercial enterprises, asserting control over the latter through indirect regulation asserts influence over the specifications of hardware and software output. Digital surveillance and enforcement interests are better served through a top-down production process by commercial actors, whereas the latter may achieve higher profits or preferable treatment by ensuring that their hardware and software comply with state-endorsed specifications.

E. In this business-political embrace, grassroots software or hardware development may offset a drive towards excessive governmental control over the digital behavior of individuals.

2. Analysis

Our recent discussion regarding encryption technology not only demonstrates that the state can have an interest in regulating electronic communications code (as this allows for better enforcement and traceability), but also that such control can be exercised through commercial technologies, when the latter are favored by regulation.

A. + B. In the U.S., both the Arms Export Control Act (and the Traffic in Arms Regulations) and the Communications Assistance for Law Enforcement Act (CALEA, enacted in 1994) dealt with the critical issue of cryptography and the danger that this technology may pose to national defense and law enforcement respectively. In the wake of widespread migration to digital telephony and data networks such as the net, CALEA’s purpose was to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications operators and manufacturers of telecommunications equipment take necessary steps to ensure that their equipment and services support built-in surveillance capabilities, so as to allow state monitoring of communications traffic in real time. Around the same time (1993), the U.S. government developed and promoted an encryption device to be adopted by telecommunications operators for voice transmission, the “Clipper Chip”. The core of that concept was based on the ability of the Government to override the encryption technology at will (“established authority”), since the cryptographic key of every device bearing the chip would be put in governmental escrow. Although this initiative met considerable protest (see here for example), the U.S. government continued to press for key escrow by offering incentives to manufacturers (e.g. by allowing more relaxed export controls if key escrow was part of the software exported - for a more detailed account, see here (pp.15-17) - or by using the government's power as a major consumer of cryptographic products to rig the market). Still, with the release and swift propagation of independent free software such as PGP and Nautilus (open source software which provided strong encryption without key escrow requirements), it became impossible for the U.S. government to effectively advance its preferred encryption technology.
After all, due to constitutional concerns, the adoption of such technology was voluntary. However, the solution did not come from large commercial entities, but from small grassroots initiatives.

C. + D. Indeed, by enabling both confidentiality and identification, encryption technology can be perceived as both “liberating” and “oppressive” technology, depending on the actual parameters that define its use. The aforementioned examples demonstrate that as software or hardware development becomes a commercial activity, it is produced by a smaller number of for-profit entities, which, in turn, can be incentivized or disincentivized by the state to adopt specific technological solutions or comply with governmental regulations. Although, for example, the IT-savvy community has argued that such an artificial attempt to control the flow of information and to restrain it within the U.S. would be futile, companies in the business of producing encryption technology still preferred to comply with government regulations, for fear of invoking government contempt (or worse). Likewise, a company called Network Associates (the successor of the PGP software), originally a strong opponent of encryption regulation, started to offer products that adopted key recovery mechanisms for corporations. With regard to the hardware industry, Cisco provides us with another example of a company submitting to governmental incentives through regulation: In 1998, it announced a router that would enable encryption (thus providing encryption at the OSI network layer, not the application layer, as is the case with software such as PGP), but which would contain a switch which would allow the government to override such encryption (p.71) so as to monitor internet traffic.

The aforementioned cases indicate that the state may influence the supply of hardware and software by commercial entities, by effectively asserting indirect control over the commercial entities themselves. A final and more recent example may be that of Google and its political/business interaction with the Chinese government: Google adopts the technology mandated by brute political force; Chinese governmental concerns about information over the net are fully addressed (since they are embedded in computer code) and Google can access and profit from the Chinese market. It takes a couple of golden handshakes and historical or current politically sensitive issues like “Tiananmen Protests” or “Tibetan independence” are seamlessly purged from the Google search results. A similar story took place with Yahoo! in 2002, whereas Microsoft's Bing is the most recent example of a search engine that respectfully bowed down before Party propaganda.

E. In this context, communications software and hardware acquire a meaning that surpasses the field of engineering. They become a form of control and thus a focus of political contest and choice (p. 28). And in such political contest, free software (“free as in free speech”) acquires its full potential. In contrast to the top-down ("cathedral") model of organisational structure and production, where directives are set by the top and followed incontestably, the process behind free software production resembles more a "great babbling bazaar of different agendas and approaches", where authority follows and derives from responsibility and participation: the more an individual contributes to a project and takes responsibility for the pieces of software, the more decision authority that individual is granted by the community. This Aristotelian context of participation (in which the latter is perceived as a manifestation and reward of the highest virtue) underlines both the open source software production process and participatory democracy.


Nikolaos,

I enjoyed your essay. I agree that in the context you describe the tools of communication "surpass[] the field of engineering," and I also agree that the power of free software in such a domain, especially in light of governmental influence (as you describe), is significant. My only suggestion would be to consider drawing out E. just a bit more. Your discussion of C+D in light of A+B does a good job of painting a picture of the current situation, and in doing so your essay clearly conveys the dangers of the status quo. While I follow what you mean in E. and how you see it as a possible remedy, it would be helpful to add a sentence or two explaining it further. Otherwise, I appreciated the detailed links and careful historical discussion. I think the essay is nicely done.

-- BrianS - 03 Dec 2009

Thanks for your comment, Brian. I followed your advice, trying to stay within the word limit. I agree with you, point E. deserves more analysis than that found in this ending paragraph.

-- NikolaosVolanis - 04 Dec 2009

Nikolaos,

I like your essay.

One thing that came to my mind reading your essay is that neither Google nor Firefox may be the strongest search platform in China. They have their own local engines like Baidu.com. The way the Chinese Internet is developing seems quite different from the rest of the world. A local search engine like Baidu.com should have a better relationship with the Chinese government, and it may be impossible even for open source players to gain a significant presence in China.

Anyhow, other than China, what you are saying seems very rational.

-- AndoY - 05 Dec 2009

Nikolaos, you have no idea how deep into the details of technological design government regulation of telecommunications industry machinery extends. The part of the market you don't discuss, and which is not strongly documented outside the industry and the segment of academia that studies network traffic engineering, is the "heavy iron" of telecomms: the routers. You mention one Cisco box and one agreement to assist tapping, but that's trivial. Network operators buy and operate hundreds of thousands of routers that perform not just all the switching in the net, but all the real-time monitoring of all the switching in the net. Those boxes not only are designed to make it possible for the network operator to monitor operations and the law enforcement operator to monitor communications, they are also built to resist intrusion by other parties under extremely exacting government regulatory standards that affect design decisions from the hardware on up. Those regulatory standards are also implemented, largely, through government acquisition controls, which you could consider "voluntary" standards if you like, but which are dominant nonetheless.

Maybe you are right that we don't want all this interpenetration of government and private telecomms, but someone will be running those big routers, and I do want both the parts that allow the routers to be monitored comprehensively by whoever is operating them, and I also want all the technological overkill that goes into making it as hard as humanly possible to sneak any code into those routers. The reality that national governments are going to force their way into those routers from a technological perspective is not something I can prevent technologically: here my defense is technology further out to the edge of the net, where I can encrypt my own traffic and a snowstorm of everyone's encrypted traffic can proceed as I describe in So Much for Savages. Oh, and there's the rule of law.

But free technology has its limits. It's all very heartwarming to attribute the failure of Clipper to the success of PGP, but I think that's not really what happened. I think Clipper failed because the US Govt realized that it was preparing to assure insecurity for its own communications, and it didn't want to do that.

 

r12 - 26 Jan 2010 - 00:07:57 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.