The internet seems to be changing, from a space where anything goes to something a bit more regulated. More and more countries are implementing policies that restrict the way citizens experience the online world. Is the internet we know and love slowly being divided along geographic lines? Is true internet freedom a thing of the past?
Tom Van de Wiele of F-Secure joins Janne in this episode of Cyber Security Sauna to talk about digitally controlling regimes, circumventing those controls, and why a healthy information diet is important for all of us.
Listen, or read on for the transcript. And don't forget to subscribe and leave a review!
Janne: So the internet is not just the internet anymore. It seems to be fragmenting from under our feet.
Tom: Not only that, but the truth is that the internet has never really been as open as we think it is, even though the name implies or tries to suggest that it’s always been free and open. But the truth is that the internet always has been filtered or limited in some way, and that could be done commercially, but that could also be driven by political ideology. And it’s the latter one that we’re seeing more and more.
Right. So what are some of the examples we’re seeing of that?
Well, unfortunately, the only examples we see right now in the media are the more extreme cases. Everyone knows about the Chinese internet and the Great Firewall of China. But also stories coming out of states where there are certain dictatorships or where there’s a certain limitation on political freedom. And of course, their governments are very burned on controlling not only the messages going in and out, but also being able to kill internet access when they want to.
But the truth is that even in European countries and in the USA, there are filtering mechanisms that are active right now when it comes to trying to stop and track terrorism, pedophilia, things like that. So the internet that you’re using right now, or maybe the internet access that you use to download this very podcast, could have gone through some kind of filtering device that you might not be aware of.
That’s a very good point, because I think we often tend to think about things like in certain countries you can’t use VPNs, or Kazakhstan was recently issuing a root certificate that they wanted everybody to use because they wanted to man-in-the-middle their HTTPS traffic, things like that.
Yeah, exactly. And also, you know, there’s the United Arab Emirates, where, for example, the use of VPNs and voice over IP are kind of a gray zone. So certain regimes and certain countries have certain preferences for what technology they want you to use, obviously in the light of the technology they can control. I think in the last year or so there’s been multiple, hundreds of cases of governments turning off the internet because there was a certain political protest that was brewing, or just preemptively trying to kind of catfish certain people into certain Facebook groups, forums to be able to detect how people are thinking, what they will do, and with that, trying to control the narrative. And that’s extremely dangerous.
What are some of the dangers in that?
The dangers are that you have certain countries that maybe have not had the same steady evolution of technological progress, countries that have not had a slow introduction to for example smartphones, the internet in general and all the news coming in, they don’t really have the tools or, dare I say, the education to be able to process things like fake news and disinformation. And that can escalate very quickly, as we have seen examples of in India, Pakistan with WhatsApp, where a message gets out, it is perceived as the truth, and in the end people get hurt or even die because of it.
Yeah, well, even in the western economies, I’m ashamed to say that I know people who seem to think that Facebook is a legitimate news source.
Unfortunately it isn’t. And this is all part of what we like to call in the industry a “healthy information diet” – you need diversity of sources. But unfortunately in these days where the real news and real journalism costs money, everyone goes for the free resources, which means news is supposed to be quote unquote “free.” This puts a huge pressure on media companies, and (we get) all the online click bait that we take for granted. And with that you get a certain sloganization of the truth. And that polarizes people, which is exactly what leaders want – the old “divide and conquer” still holds true. And that is what leaders want right now, is to control that narrative in a certain direction, to divide their people.
Unfortunately you need to have some education or know-how to read information to be able to tell whether or not something is fluffed up with a political opinion, versus are these really the facts or being able to read through the glasses, so to speak, that the journalist had on when writing a certain article, a certain piece, a certain book.
Absolutely. So what are some of the arguments why regimes and countries are filtering the internet?
Well, they will say to the general population that, you know, we are the government, trust us, and we are removing these rights for your own protection.
We know what’s good for you.
We know what’s good for you. But the fact of the matter is, the people in the position of power want to keep that power. And that means being able to control what can be said and what can be read. And if one can control what can be said and what can be read, that means you can control how people think.
If you are born in a regime or a way of thinking like that, then you will think it’s normal. And you will think it really is for your protection. And that polarizes people, and that’s exactly what someone wants, if you want to keep a certain government in its current place, not having elections, trying to spin the narrative to make the other parties look bad, or even worse. Or trying to not have any outside influence come in, which is just information about what is going on in the world, so people can’t compare it with their own lives. So all in all it’s about control.
But some of this argumentation is fairly compelling, like “We’re doing this to not hand the Nazis a bullhorn. We’re doing this to stop the spreading of child pornography.” These are things that I can get behind.
Yeah. And of course, every country is different. There are certain things where we need some kind of filtering, like when it comes to the content you mentioned. But in a lot of countries we get into this slippery slope argument, where countries want to stop hate speech. But you know, hate speech is also part of free speech. But knowing where to draw that line is very, very difficult.
I’m of the opinion that our freedoms, or determining what is to be read and not to be read, should not be set by technology companies located in California in the United States, which is kind of where we are right now. Look at Facebook, look at Twitter, trying to play the arbiter of what is considered decent and what is not. I challenge you to post Renaissance art with naked bodies on Facebook. It will get taken down because of their policies. You can fight that all you want, and you can tell people to get off Facebook all you want, but this is kind of the way that people communicate. And if this is the normal way of perceiving the world, then anyone that is able to manipulate that has a real weapon in their hands.
So what can we do to open up the conversation and start making informed decisions instead of reacting on fears and our desire to be safe online?
Well, one is to spread awareness that whatever you read and can see is controlled by the person who made it. So whenever someone says “I saw a documentary,” well, that means that you saw a certain version of whatever it is, through the eyes of whoever made the documentary. And the same goes for when we read articles, when we read books. If you only stick to one source, that’s very dangerous. So spreading awareness is very important, because there might even be countries where awareness is not even possible.
The most famous example is the way that people are putting news articles tied to balloons and making them fly over the North Korean border so people have something in their hands when it comes to information to compare to their current lives or to the information being given by the government. So you try to disrupt by giving people other versions of the truth. And as we all know, there’s four sides to that. There’s what one person said, there’s what the other person said, there’s the truth, and there’s what really happened. So being able to give more perspective is really important.
I sometimes get the question about what kind of iPad should I buy my child, or my nephew or whatever it is. And I would normally answer those questions with a technical answer. But right now in the light of all the things that are going on in the world – where people are acting on single sources of information, where people can be misled with injury, death and destabilization as a consequence – I now recommend people buy online subscriptions to newspapers and magazines, with a minimum of two completely opposite viewed magazines or publications. It costs the same amount of money – it’s not cheap, because journalism has to be paid for, because it is important that we get local sources, that we have local journalism. So I’m pretty sure that new iPad can wait for a year.
And just teach your friends and family that there is more to one particular story, that stories come from a certain narrative, and they need to look at different topics from different angles – again part of that good diet of information – so that people are able to make their own opinions rather than borrowing an opinion from the supermarket of slogans, and trying to use that to divide people and countries.
But you’re talking about a very difficult topic, people being aware when they’re being influenced. Now you and I like to think that we know something about phishing people and influencing people in that context, and even still we’re susceptible to phishing. Like somebody might be able to come up with a bait that would catch either or both of us. So is it realistic to expect that people can sort of be able to identify when somebody is trying to influence them, either purposefully or just because the newspaper they’re reading happens to have an agenda?
Well, it is certainly difficult, and it comes with quote unquote “training,” which is just reading more. Not everyone has time for that, I completely agree with you with that, and it is difficult. Even major online publications sometimes get duped. So it is really important that we talk about whether or not something is based in facts, that it’s not just assumptions being made or someone trying to spin a narrative.
The other side of the medallion is that you get people who start questioning things that we’ve taken for granted, which means you get people who are starting to challenge certain scientific methods, or certain scientific facts that we all take for granted. The flat earth movement, or whatever it is. People who get so obsessed by a certain source of information that it’s very hard to pull them out of that way of thinking. So rather than trying to reschool those people, or trying to bring them back to reality let’s say, it’s really important that we do this from the ground up and to teach people at a young age that information is just that, information. There’s always someone behind it.
So trying to make that distinction and trying to keep the truth kind of in the middle. Trying not to make too many assumptions, because again, smart people also make mistakes – there’s mispublications, there’s the occasional prankster. It’s just important that people don’t take information for granted and start running with it and start spreading the information. Because certain stories start living a life on their own.
And we want to make sure that the information can be fact checked. And at the same time we want to make sure that the fact checking websites also don’t start looking at things from a certain political perspective. So this is a really, really hard topic.
Absolutely. Let’s get back to those countries where the internet and the access to information is being restricted. What are some of the things that citizens and hackers are doing to escape those digital shackles?
It depends on how they’re being filtered or censored. If you think about China, everything is done by what we call the Great Firewall of China, and that’s a name for a collection of very large groups of people that will look at every single news source, and as part of a drip drip way introduce information from outside of China to Chinese mainland citizens. It also means filtering any way that information could come in. And of course there the bypass is VPN.
But in certain countries trying to evade censorship is already an offense on its own. So there we’re kind of stuck between, do we want to stay in the open and try to get information from outside that particular country or regime; versus is there any way we can get the information in a way the government can’t see it? So things like steganography, but the most common example is the use of Tor or operating systems such as Tails, which are created to make sure that whoever is using the operating system has a certain level of anonymity. So that once the machine is powered off, there’s no trace of whatever someone was doing.
These technologies will give you some digital freedom, but only for the people that know how to use them. And the leaders of those countries know very well that there’s no one solution with which you can just bypass everything. So they’re trying to hunt for digital resistance fighters, who will try to spread alternative viewpoints into the country. We’ve seen these famous pictures of the IP addresses of DNS servers being spraypainted as graffiti onto walls in places like Syria.
So it kind of depends on what the censorship technology is. For those countries it could be DNS-based, so DNS is the domain name service. We like names of websites, but computers prefer IP addresses so we have the DNS service that will translate these names to the corresponding IP address of where the information is located. So these governments will provide alternative locations for these, not only to track you, but also to give you alternative information, which is a very big euphemism for lies, or just turn off or sinkhole the information. So then you have people spraypainting alternative DNS servers – Google’s – to make sure that people can get the information they need. But at the same time, you are making yourself vulnerable for detection because the moment you start using those, the government can also see that you’re trying to evade their censorship, and you might make yourself a target.
But Google is not running that alternative DNS service out of the goodness of their hearts. So what exactly is the role of companies in this discussion of freedom versus censorship on the internet?
It’s a difficult task for those kinds of companies to come forward and say “We’ve set up this service as part of digital freedom fighting.” There’s always a commercial incentive. We’ve seen the launch of the DNS service of companies like Cloudflare, to also say “Give us all your DNS queries.” That is not necessarily a good idea. So using VPN services that you can trust – which is also sometimes a question mark based on which services you use – and being able to talk to people who have communication with the outside world – usually it’s in those ways that small seeds get planted where more people can gather the information.
But there’s always a commercial incentive. And it’s us as users of these services, but also governments that need to keep these companies accountable, as far as what information they’re presenting to these people, and to be able to make sure that, as we’ve seen in 2016 with the US elections, that a rivaling political party cannot just start buying ads or try to spin narratives and trying to confuse people who maybe are not used to having this major influx of information that is spun in a certain way.
What about when those commercial incentives those companies have clash with optimal freedom? I’m not saying I’m in the same position as these people who are being digitally oppressed in certain countries, but when I try to log on to my Amazon Prime account through my F-Secure Freedome VPN, it says “You’re logging on through a VPN, and we won’t show you any content.” Now I’m just doing that because I always have my VPN on, but there are other reasons why people might use VPNs, and this service is actively blocking that because of their own reasons.
Yeah. So there’s definitely countries where the use of VPN is still a gray zone, where using those services will result in you becoming a target. So then we go into the second phase if you will, which is using things like Tor, or Tor Bridges, which are network connection points or nodes where you can point your Tor client or program towards, and that network, be it slow and be it controlled by whoever runs a Tor node bridge, let’s not forget that, that way you can get information out, and you might be able to bypass certain filtering technology. Having said that, Tor is only as strong as the exit node where the information comes out of, so you can still lure people to your own infrastructure and still try to compromise people there.
So it really is a choice of do I want to get the information? How do I want to spread the information? What technology will I use? And am I making myself a target in any way? Because if there is a compromise of one of these services, in certain places your life might be at stake. Same things for your friends and family.
But it is important that we still support this kind of technology to make sure that information can get out, and people get a different perspective. Even knowing that the information has been spun in a certain way or is written by for example a western country or whatnot. It is still good to get the perspective, and to make people think in a different direction.
That’s what I was thinking about, sort of the general attitudes. I’m not saying that this is a life or death matter for me, but I think it’s a bit of a stretch for me to fire up Tor just to be able to view my content if I don’t quite trust my ISP. So is this part of the slippery slope you mentioned, that companies for whatever reasons are limiting our freedoms online for their own commercial reasons. And today it’s not a big deal, but maybe somewhere down the line it is, unless we’re very aware of each step.
Certainly. And it starts – and we see this in the west – it starts with technology. Take the net neutrality that has gone away in the United States, where you have technology companies like Google, but not limited to Google, where they are not able to control not just the pipe, so to speak, which is the medium, but also the content. And that is very dangerous, because I’m pretty sure that their services will be served up with the expected speed and availability, but they quote unquote “cannot guarantee” the availability of other services necessarily. And that’s really where it starts. So there’s always going to be an incentive for these companies to make sure that whoever’s using their services think, act, or buy in a certain way.
Sure. Now, you and I are of a generation that can still recognize the sound of a 1200-baud modem handshake in our sleep. What does the future of the internet look like? What are some of the ways that people are going to be using the internet in the future? What’s in your crystal ball?
We are already seeing now that if you want to bypass any kind of censorship, or if you have any kind of filter set up, then as a government trying to control the narrative and filter people’s connections, you want to create chokepoints, right? The internet kill switch as it’s called, is the best example of that. A major switch – it’s not really a switch, it’s a proverbial switch – where they turn off network connectivity to the outside world or whatever peering they have. Lots of governments are experimenting with those.
So the natural reaction to that is some kind of meshed network, where it’s not just one chokepoint that you can block, but everyone can spread the information to anyone using this meshed network.
But isn’t the internet supposed to be that already?
That’s how it’s supposed to be, but we have loads of examples where in that meshed network, if you put a bad apple in there, or a bad network connection, or if you can lure traffic towards your endpoint, then of course you’re back to square one. Because there you can again control the narrative, or at least influence it. So as we’ve been talking about fake news and spinning narratives, the integrity of the information that you’re sending from one point to the other is extremely important.
So you want to avoid chokepoints. So as said, meshed technology, you know, let’s say cell phones that you can put in a certain mode where now they don’t need the central towers which can be blocked by governments, but communication can go from phone to phone and that way find its way to its destination.
We are now seeing experiments being done by for example, space exploration companies, or commercial space flight, where they intend to launch satellites that will provide internet connectivity. Not only is that going to be a major disrupter for countries where there are monopolies when it comes to internet access – and the United States is the best example of that, you don’t have to go for a lot of other exotic countries when it comes to that – but that is certainly going to open the door for a lot of people to be able to get free internet access. With free I mean free of censorship. Where in the future – and this might be in the next 10, 20, 30 years, I don’t know – where with a pizza box-sized antenna, you would be able to access the internet in a way that quote unquote “cannot be filtered.”
Yeah. So you’re not at the mercy of your local monopoly internet service provider.
Exactly. It might come in the next 10 to 20 years or so, but I predict several “digital Arab springs” for countries that right now are being filtered and censored. The question is what will those countries do when all of a sudden they get this influx of whatever we call the internet today, with its click bait, its disinformation, its fake news, commercial interests, and all kinds of other stuff? There are people who say as part of complicated studies that we as human beings aren’t even wired for this kind of information overload. Education and awareness are the two biggest things we can do there, but in countries that we’ve been talking about where there is censorship, that awareness and that education simply isn’t there yet.
So technology is getting ahead of us. We’re going to see some very weird situations across the globe, I think, when those floodgates do get opened through, for example, space-based internet. I know how that sounds, but it will become a reality. And we need to be ready to help our fellow internet citizens, so to speak, in learning how to digest this information overload, and to teach that there are different sides to a story.
I like that message of sort of responsibility that we all have, and also you’re talking about how you predict these grassroots movements springing up all over the place demanding a more free internet. It’s almost like you’re saying that at its heart, information wants to be free.
That’s a pretty interesting way of putting it. Sure. But as said, information is only as impartial as the person who’s giving you the information. But we want to be able to give people more choice. We want to be able to give people perspective. We want to be able to invoke a healthy way of questioning what you see in front of you, be it a picture, be it a video or a piece of information. And the truth can be distilled from that. And that’s really what we should be teaching people.
Even in the west, we experience that information is free, but the information that is free isn’t necessarily the most valuable information. Again, it is sloganization, it is click bait to make you click on things, because journalism has to be paid, and unfortunately a lot of people stay with that initial message, that initial slogan, and again, that polarizes people and that’s not exactly what we want. We want people with perspective, we want people that are able to digest multiple information sources and make up their own minds rather than copying the mindset of a government, a political party, of any kind of regime.
Words to live by. You’re talking about fully meshed networks. But from a security point of view, isn’t there an argument to be made for chokepoints, about gaining visibility into the network traffic?
It’s actually a network security best practice, to be able to funnel traffic through a central point or a number of central points, to be able to see what is being communicated and does it align with a company’s security policy or whatnot. But the same goes for the internet uplink or upstream peering as we call it, which is all the connections a country has to other countries for their internet connectivity. So this is certainly the philosophy that government leaders also use to control the narrative, is to make sure they know exactly where all the communication is, so that they can install their filtering devices and filtering technology. Which, by the way, is supplied by western technology companies.
So in all things there’s a tradeoff between security and usability or freedom.
Absolutely. As I mentioned, meshed networks – meshed meaning that every node or every party in the network talks to the other party to be able to get information, kind of, quote unquote “upstream” – there the integrity of the information is incredibly important, because meshed means that anyone can be in that network, serving you up maybe alternative versions of what you’re trying to receive. So both have pros and cons and obviously government leaders are trying to leverage this for their own censorship purposes.
Encryption to the rescue.
Encryption is only as good as who holds the keys. When someone says encryption, I say, now you have a key management issue. So encryption can certainly work, especially peer to peer, but then that shifts the risk towards the endpoint. So can you trust the endpoint, again in that meshed network possibility? So imagine every cell phone talks to other cell phones instead of talking to a mast. That’s great, but no one can try and deceive you or try to change the information or even try to deny you access to the information – which you can do still, if you have some kind of meshed network.
The other downside of meshed networks for your own protection is that you can create outages where you can create certain islands where now the information is very select and very limited. Which again, limited information might also be the difference between life and death in certain situations. So the last word has certainly not been written about this. We’re going to see all kinds of different technology being used by you know, the oppressors and people wanting to bypass them. So this is going to be a cat and mouse game that we’re going to see go on for a very long time.
I want to thank you for being with us today.
Thanks for having me.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.