Groklaw, internet security, and the surveillance state

Groklaw has decided to shut down. Its founder, Pamela Jones, has posted her explanation. Read the whole thing later, but here’s the summary: 1) email is insecure (she cites the Lavabit shutdown), 2) Groklaw can’t operate without email, and 3) the surveillance state is bad. Therefore, Groklaw must shut down. I agree with points 1 and 3, and while point 2 could probably be argued on technical grounds, I won’t. But… shut down, really? No, the solution isn’t to close Groklaw, it’s to secure your systems and communication channels.

This essay really isn’t about Groklaw. It’s about long-standing and pervasive ignorance about basic security on the internet. The NSA’s shenanigans are not only unsurprising to the security community, they’re also mostly irrelevant. To understand why that is, we have to take a look at some network security philosophy.

There are certain basic assumptions that security researchers make, including:

  • Every party in a secure communication system has a non-zero probability of compromising that system.
  • All communication traffic is being intercepted and recorded as soon as it leaves the control of the sender.
  • An adversary has full knowledge of the algorithms of any encryption used.

Thinking in this intentionally paranoid framework has technical and political consequences:

  • You cannot trust a third party to do encryption for you. It must be done only by the parties who need to see the contents. In practice, this means that the encryption and decryption happen on computers owned, controlled, and in the physical possession of the parties.
  • You cannot trust any encryption algorithm that is not public and not publicly tested by the crypto community.
  • You cannot trust any closed-source encryption software. In fact, for security applications, you can’t trust closed-source software, period.
  • All parties to a secure communication are susceptible to being forced to reveal it by a third party. This cannot be prevented; it can only be minimized by keeping the number of parties as low as possible, and by making the coercion more difficult.

All these things were just as true in 2003 (when Groklaw started) as they are today. But another thing that’s still true is that these things are still widely ignored. And that ignorance has effects. Most don’t know what it takes to really secure internet communications. Because they don’t know, there isn’t much consumer market demand for network infrastructure that can support proper security, like static IP addresses. Because they don’t know, they casually cede control of personal data to third parties, who, needless to say, have anything but the consumer’s interest in mind (Facebook, I’m looking at you). Because they don’t know, they allow governments, corporations, and crackers to exploit their ignorance, without which mass internet surveillance wouldn’t be possible.

What really went wrong with Groklaw isn’t security state overreach (although that certainly exists), it was Groklaw’s own poor security. But I can barely blame them; real security is hard, and they did what most other websites do. What should they have done differently? For starters, if the insecurity of email was too much of a risk, then making participants use a secure login and communicate through some internal method would have been an excellent replacement. That is, in fact, standard procedure on most discussion boards. If the security of the server itself was a problem (and it was if they were worried about their hosting provider getting hit with a national security letter), then it should have been moved to a secure facility controlled only by the owner. That implies that Groklaw would have to have owned its own server hardware.

There’s no question that this is onerous and expensive. But this has always been what it’s taken for decent internet security. Here I’m going to echo a prediction that others have made: The real effect of the disclosures of mass internet surveillance will not be the closure of sites like Groklaw. Instead, it’ll be a partial migration away from insecure, untrustworthy hosting and cloud services for non-public data, and toward the owner-controlled arrangement I described above. Indeed, the Lavabit and Silent Circle shutterings happened precisely for this reason.

If you’re reading this, then you’re an internet user. Get educated. Learn about the tools the government can use to force your service providers to tattle on you. Learn how to protect your privacy. If you’re not just a user but a content provider like Groklaw, and you need security, you simply have to learn how to host secure servers within your organization. There just isn’t another choice.

Mass internet surveillance is bad, but it doesn’t happen simply because the government wills it. It happens because individual internet users and content providers let themselves be taken advantage of by failing to practice proper security. Complain to your politicians all you like, but real change—the kind that keeps security state bureaucrats up at night—has to start with you.