Platt Perspective on Business and Technology

Deciphering net neutrality and the concept of an open-range internet 7

Posted in business and convergent technologies, in the News by Timothy Platt on April 8, 2015

This is my seventh posting to a series on the contentious topic of net neutrality (see Ubiquitous Computing and Communications – everywhere all the time 2, postings 299 and loosely following for Parts 1-6.)

I find myself writing this at a point in time (on February 6, 2015) when it looks like the United States Federal Communications Commission (FCC) is going to rule that internet access should be regarded and regulated as a basic essential communications utility, much as telephone service is. I fully expect that this bare-bones decision will have been formally made and announced before this posting goes live. But that still leaves the real work of translating intent and overall policy decision into day-to-day actionable process, and into actionable performance benchmarks that could be used in evaluating real-world online service provider and other involved business practices, and how they do or do not comply with this new regulatory framework. Given the complexity of utility regulation law, even just within the United States, and given the additional complexities of shoehorning online connectivity, with its sometimes unique features and requirements, into this framework, that decision and its formally stated ruling should only be considered a first step in what will be a long and drawn-out process, and probably one that will be significantly reshaped in the courts at that.

I wrote at the end of Part 6 to this series that I would continue its discussion here, by considering, among other possibilities:

• The challenges that would arise if, in keeping with President Obama’s recommendation (n.b. as of when I wrote that posting), internet access per se should be governed under Title 2 of the US Communications Act of 1934 as amended.

That essentially means the FCC regulating internet accessibility and bandwidth allocation as a utility, so that approach lies at the heart of what Tom Wheeler, the Chairman of the FCC, has just proposed actually implementing. But Wheeler’s recently announced regulatory intentions for this would go even further than what President Obama has requested be considered (see the February 4, 2015 New York Times news story: F.C.C. Plans Strong Hand to Regulate the Internet and this same-date article from Wired: FCC Chairman Tom Wheeler: This Is How We Will Ensure Net Neutrality.)

• Wheeler has now stated that at least in his opinion, the FCC’s rulings on net neutrality should explicitly include personal privacy protection provisions, and also provisions for ensuring effective internet access for people with disabilities and for those living in remote areas, at least within the United States where his agency holds sway.
• International regulatory oversight would be needed in order to ensure these protections in the developing world, as discussed here in Part 5 of this series and in Part 6.
• But given the impact of United States activity and involvement in the internet and on all levels, and given the legal history of the European Union and other Western bodies to actively and proactively support personal privacy rights, among other information sharing and control issues, it is likely that other significant national and multinational participants in this debate would follow a similar course.

I stated above that this is likely to be resolved, at least for the official initial release of an FCC ruling on net neutrality this time around, before this posting goes live. The expected date for that ruling to be publicly announced, at least as of this writing, is currently set for February 26, 2015. It is always possible that lobbying-driven legal and other challenges could postpone that date, but a formal decision will be announced on this soon. And then the real action on this will begin, converting regulatory intent into actionable regulatory process and detail. I have already mentioned the likelihood of legal challenges, and I add legislative challenges from the US Congress. But for purposes of this discussion, let’s simply assume that some version of a ruling is passed, and with whatever adjustments from whatever sources made until it is finally at least widely enough accepted to be able to function and regulate. And that brings me to the core area of discussion that I would address in this posting: the challenge of legal and regulatory systems always being reactive, and particularly when addressing very rapidly evolving and disruptively innovative contexts. And I write this with that next step of turning regulatory intent into detailed regulatory statute in mind.

The specifics of the rulings that the FCC arrives at for protecting net neutrality in the here and now and for the immediate future will begin to drift from relevancy as soon as they are drafted. And at least parts of them are likely to be outmoded before they can go into effect as a legally mandated regulatory framework. There are a variety of reasons for this, and I would touch upon at least a few of them here as food for thought moving forward.

• The internet may have begun, and certainly as a publicly involving system, by following a central publishing model, with a smaller number of web sites and other centrally organized information sources, and a larger number of primarily passive, receiving and absorbing audience members. And most of what I at least have heard of the current debate over tiered pricing and bandwidth access has been presented as if that were still the dominant face of the internet in its here and now. But that is no longer true, even when just considering businesses and other organizations that connect online in order to, at least in significant part, still centrally publish. The audiences they seek to reach, inform, influence and do business with are all actively communicating online too, and about those businesses as much as they are about anything else. And they demand a voice in this too. And these conversation flows are increasingly ubiquitous, from anywhere to anywhere and at any time. Net neutrality has to be built and maintained with that expanded reality in mind.
• Just considering the anywhere to anywhere ubiquity of the ever-more interactive internet, that has brought whole new business types and even whole new industries into this arena, and in constantly evolving new ways. Consider wireless telephony – the smart phone would not even exist, there would be no need for it, if not for the internet and pressures to provide rich ubiquitous interactive connectivity of all sorts, all the time and to essentially everyone at very affordable prices.
• One of the complex sets of issues that the FCC is likely to at least begin to address in its upcoming ruling and its implementation is what is coming to be called the online interconnect industry, and all of the behind the scenes infrastructure technology providers that stand between the web site or social media server, for example, and the people with their smart phones, tablets, laptop computers and more who connect into and actively stay involved, and both with businesses or other organizations and with each other.
• Google Glass might turn out to be a 21st century cyber-Edsel before it can (finally) be fully, effectively marketed and widely sold. But wearable computer and communications devices that blur the line between computer and communications to insignificance and that are ubiquitously and unobtrusively there and on, will both widely arrive and become so routinely accepted so as to fade into the background for their mundane commonality. This will definitely change what net neutrality has to mean in actionable practice if it is to remain relevant to actual need.
• And so will our developing internet of things, where the number of active online nodes will expand out into the many trillions – quickly and in ways that both inform our lives and in ways that carry every conceivable form of information about us while doing so.

The law is, or rather it certainly can be an ass; it is reactive by nature, often hobbled by partisan ideological forces, and it is usually if not always at least somewhat behind the curve and a bit out of date and certainly where that really matters, where events and contexts change rapidly – and it is essential if society is to function smoothly and with any chance of openness and fairness. (Nota bene: I admit that I thought of a passage from Charles Dickens’ novel Oliver Twist while writing that: “If the law supposes that,” said Mr. Bumble, squeezing his hat emphatically in both hands, “the law is a ass – a idiot.” Dickens, of course, did not invent that sentiment.)

I am going to end this posting, and for now at least this series as well, by offering a few thoughts on how the FCC ruling that is finally arrived at and agreed to, might best be translated into enforceable statute and rules of action. And my goal in that is to offer at least a few ideas on how to improve the shelf life of this soon to be ruling, before it drifts far enough into irrelevancy so as to need significant updating or even outright replacement.

• Keep the details of the core implementation regulations for this focused on what the technology seeks at a high level to accomplish and on access and availability goals per se. And do not seek to regulate the specifics of any particular technology that may be necessary for internet connectivity now, but that will be replaced, both evolutionarily and by disruptively new and divergent technology that follows equally new and novel connectivity paradigms. Any current state of technology available now will pass into old and legacy, and into a no longer used and irrelevant status, and so will any regulatory wording that is specifically drafted in terms of it. This is vitally important but difficult in practice to achieve, and certainly when attempting to draft operational rules for the here and now that can be practically applied, but that have the flexibility to accommodate change that cannot really be anticipated in any real detail.
• Make any more technology-specific implementation details a matter of more secondary documentation that would be offered to help involved parties make sure their systems are regulatory compliant in accordance with the core implementation guidelines. And update these interpretation best practices support documents when and as needed, and with legal oversight in drafting them, but hopefully without burying them in legal jargon, for the benefit of anyone who would have to use them.
• And where possible and feasible, focus on specifying what not to do, spelling that out with clarity, leaving open the door to new-approach innovations that do not exist yet but that would not in and of themselves intrinsically challenge the overall goals of net neutrality.

And I finish this discussion, at least for now with those points stated, though I am likely to come back to these issues in future postings and series too. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. And I also include this in my In the News postings list.

From stuxnet to heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 5

Posted in business and convergent technologies, in the News by Timothy Platt on March 19, 2015

This is my 24th installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and that directory’s Page 2, posting 296 and following for Parts 16-23.) This is also my 9th installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

I began Part 23 in this series/Part 8 in this sub-series by listing two points that I intended to at least begin addressing there:

1. The specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws.
2. And China and their cybersecurity and intelligence gathering activities, as viewed from the perspective of this context and as a special case in point.

I did in fact lay a foundation in that posting, for addressing the first half of Point 1 of that list, with a discussion of the PATRIOT Act itself and how it has come to be interpreted and followed, first under President George W. Bush, and now under President Barack Obama. And in reiteration of a point that I have been making throughout this series, and certainly over its most recent eight installments, this law has been used to legally justify an amazingly wide-ranging assortment of open-ended surveillance programs that have directly impacted upon essentially everyone who goes online or uses a telephone – everywhere.

That is a stunningly wide claim to assert. But its apparent accuracy seems difficult to deny, and certainly given Edward Snowden’s leaks and related disclosures concerning still-ongoing US National Security Agency (NSA) programs and the US government’s responses to those leaks – confirming their accuracy. And that brings me specifically to the second half of Point 1 as stated above: “… and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws.” This claim has come to be widely accepted as true too, and both in the United States and more globally.

I have already written in this series about the impact of American cyber-policy on individuals, and on businesses and their credibility. And I have written about how these surveillance programs have been used against specific leaders of allied countries (e.g. Angela Merkel in Germany.) I write here about the impact of this ongoing policy and its implementation on the credibility of the United States as a nation, and particularly as a nation that has always stood for democratic principles and the protection of human rights, and on freedom and liberty as its defining principles.

Public awareness of what the United States national security system has come to call “enhanced surveillance techniques” has come to damage the reputation and credibility of this country. And it is in that context that a second use of this new interpretation of the word “enhanced” has forcefully come to light too, with ongoing revelations about US use of waterboarding and extraordinary rendition of prisoners who have not in fact been charged with any specific crimes, and now with the public release of an unclassified version of the United States Senate Select Committee on Intelligence report: Committee Study of the Central Intelligence Agency’s Detention and Interrogation Program. This link leads to the declassified revised version of the 499 page summary document to that report as initially publicly released on December 3, 2014, and as initially approved in its top secret classified version on December 13, 2012.

Neither of these “enhanced”-program components of the overall United States-led War on Terror works, at least to positive effect, either for the United States as a country or for its citizens, or for its allies or their citizens. Enhanced surveillance programs, as developed in haste and out of existential fear of world terrorism and its threats, have not and will not work to positive benefit that in any way matches their cost. And neither do the enhanced interrogation programs that have been deployed and used, as developed out of that same source of haste and fear – and with as little foresight as to their long-term cost. And in both, monetary cost is only one small part of what the United States and their participating allies have paid for all of this.

I noted above that I would cite China and their cyber-policies and activities in this context, and I do so here. I have actively and recurringly discussed and analyzed these programs and their foundations in this blog, and in postings and series that I have specifically cited with links throughout this series. My core point here, related to them, is that when the United States and her closest allies, partners to these “enhanced” programs, speak out against the activities of other nations, China included for their cyber-espionage and related activities, they open themselves up to dismissive challenges of simply displaying hypocrisy.

The basic principles that the United States was founded upon as a nation are not easy to achieve, as they are ideals. American history has, in many respects been a journey towards living up to them and their lofty ambitions. Acting out of fear, and acting in haste and with short-term consequences the only ones considered, have led the leadership of the United States to lose its way in this journey.

I find myself thinking back to my earlier cyber-security postings where, I admit, I did not want to think that the government of a country like the United States would launch a cyber-attack like Stuxnet against another sovereign nation. And now I have studied and written about the emerging Bush, and now Obama, cyber-security doctrine and how this has been carried out.

I will probably come back to the issues of cyber-security, and the programs that the United States and her allies have developed and implemented as they seek that illusory goal of absolute, perfect safety and security. But I end this series on this note, which I would argue is not so much a political note as a human rights one – remember, both Democrats and Republicans have built and continued these programs.

We as a nation, and I write this as an American, have to return to our roots, and to the ideals that this country was founded upon. And we have to acknowledge our mistakes and step back from them. And when I began writing this blog, and when I began writing this series, I did not anticipate ending this series or anything like it on that type of note, but I find myself doing so anyway. I write a lot about best practices and I train people and businesses to better identify them and follow through on them. I write here of a best practices approach too, and of what in the long term might be the only viable path forward – rethinking what we need to protect and what we need to do in order to achieve that, and without losing ourselves as a nation in the process. And we need to reestablish and reaffirm our trustworthiness and our adherence to a moral code that others would look up to again, which we cannot do as long as we pursue “enhanced” solutions to difficult problems.

You can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. (This posting was written over several days, and finished for uploading to the blog server on December 21, 2014.)

Deciphering net neutrality and the concept of an open-range internet 6

Posted in business and convergent technologies, in the News by Timothy Platt on March 7, 2015

This is my sixth posting to a series on the contentious topic of net neutrality (see Ubiquitous Computing and Communications – everywhere all the time 2, postings 299 and loosely following for Parts 1-5.)

I have been writing about net neutrality, and both as it is now under public discussion, and as a wider-ranging complex of issues from the beginning in this series. And as a part of discussing that wider vision of what net neutrality means, I focused on a possible software-level challenge to it in Part 5, where I began a discussion of open source and open standard, and proprietary software-based online connectivity and content presentation software as basic resources for both presenting information online and for accessing it there. The specific recent and I add still unfolding example of this that I focused on in Part 5, involved Facebook and their emerging plans to in effect actively shape online access capabilities for the peoples of developing nations. And I will continue that discussion here in this posting. And I will also at least touch upon a second line of discussion that I began in Part 5 too, where I made note of one of several possible specific regulatory responses to net neutrality challenges that the US Federal Communications Commission (FCC) will have to consider, and both in their 2015 net neutrality hearings, and as they move forward from them.

I begin this posting with the first of those two complex issues, and will follow the same order of discussion in this installment that I pursued in Part 5. And I begin that by noting that I wrote about Facebook’s apparent plans in Part 5, in terms of open source versus proprietary online connectivity and information sharing software. That is an important consideration. But in a fundamental sense, there is wider cause for concern of possible challenge to net neutrality in what Facebook and their peer companies seek to do here, than I have been addressing up to now. The possibility of for-fee gate-keeping control over internet access is real, but it is self-limiting and certainly at the software level, as any fee-based barriers or bottlenecks to online access in developing nation communities would create opportunity for alternative connectivity options that were not so controlled – including freeware and the wider use of already-available open source options.

The real potential profit to a for-profit that sought to dominate online access for these newly connecting communities would not come from directly controlling, or seeking to gate-keep online access, with all of the potential for international challenge and for bad press that this could bring. It would come from being an essential, if essentially invisible, intermediary in the flow of all of this social media and other exchange of online information, and with the opportunity to gather monetizable personal data from and about essentially everyone who goes online through these systems.

Let’s start by considering the basic business models that are involved here. Facebook offers social media services for free, at least as far as direct monetary cost to consumers is concerned. It generates its income from advertising fees, and from the big data that it accumulates, filters, organizes and markets to its community of client businesses.

As of this writing, there are over one billion user accounts with their own distinct Facebook pages that are live online.

• Some of these are in effect duplicates and for a variety of reasons, and even if Facebook discourages individuals from setting up multiple separate accounts as if for separate people.
• Some of these are inactive and never really looked at by their owners, who in that case are unlikely to even know how to log in to their pages. Their content tends to be sparse and more out of date.
• Some, and with time, a growing number of Facebook pages are owned by people who have now died, or become incapacitated. And these accounts in effect offer ghost social media pages and content.
• But hundreds of millions of these accounts and their social media connectivity pages are maintained and even very actively so, and are active conduits to new and continuously updated personal data of all types and both from these account owners and from their social network contacts, through their Facebook walls.

And collectively they offer rich sources of online-accessible data about who all of these people are and what they do, with what priorities and with whom. The announced plans that Facebook and others have floated for bringing internet access to new and emerging developing nation communities would hold potential for doubling this number of accounts, and very quickly, where their current markets are largely saturated by now, and with a tremendous increase in the range and depth of the marketable personal data that they can gather and commoditize.

Think of this as the third main component to net neutrality:

1. Net neutrality at the network hardware access level,
2. Net neutrality at the software protocols and software connectivity level, and
3. Net neutrality at the level of who owns the flow of content that goes out online, and perhaps especially the collectable metadata that collectively tells our individual stories as to who we are and what our priorities are, and with all of our personally identifiable information included in all of this, that could potentially be filtered out in creating anonymous commoditizable demographic products, or that might be offered as individually targeted consumer profiles as marketable products.

Ultimately, the issues of net neutrality cannot be separated from the issues of online privacy and confidentiality, and certainly if net neutrality is considered from a fuller, wider perspective – and we will ultimately have to do so societally.

And with that stated I turn back to consider the US FCC and its net neutrality hearings, and to consider any similar regulatory bodies that might also take on the challenges posed by these issues. And I come to the challenges of what these bodies might propose, or promulgate with the force of law depending on the scope and reach of their regulatory authority. I begin that part of this overall discussion with the challenge of tiered online access and the possibility of United States regulatory oversight of it, as my working example:

• Major online service providers seek to offer preferred online connectivity and preferentially wider broadband access to their preferred, higher-fee customers. Current debate has focused on the possibility that big businesses with deeper financial resources could come to dominate the internet through this, with smaller and newly forming businesses squeezed out, and with smaller organizations of all sorts offered what amounts to second class online citizenship. So a range of organizations, and I add a tremendous range of individual citizens, have publicly expressed concern, and have written against tiered access from online service providers as public comments offered to the US FCC.
• And as I noted at the end of Part 5, one possible resolution to this that has been floated by the FCC is that they might come to a compromise, hybrid ruling that would allow for some sort of tiered pricing for preferential bandwidth and online access, but with safeguards in place that would seek to keep this from becoming anticompetitive. I specifically note that this means protecting the interests of smaller businesses from anticompetitive business practices, but at least as importantly it means protecting those who would express minority views or who might offer opinions or supporting evidence for them, that would be viewed as unpopular to those who hold greater power.
• And I noted that this type of compromise approach could at least potentially lead to significant problems, it could lead to positive and constructive results, or it could lead to results that hold elements of both of these outcome scenarios – depending on how net neutrality is construed in this ruling and on how “hybrid” is laid out operationally, as a matter of enforceable rulings.

I am going to continue this discussion in a next series installment where I will, among other things, delve into the challenges that would arise if, in keeping with President Obama’s recommendation, internet access per se was to be governed under Title 2 of the US Communications Act of 1934 as amended (see in particular changes to common carrier law as stipulated in the Telecommunications Act of 1996.) Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. And I also include this in my In the News postings list.

From stuxnet to heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 4

Posted in business and convergent technologies, in the News by Timothy Platt on February 13, 2015

This is my 23rd installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and that directory’s Page 2, posting 296 and following for Parts 16-22.) This is also my eighth installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

I have, in this subseries, been working my way through a progression of issues that relate operationally to United States cybersecurity doctrine and practice, and ended Part 21 by stating that I would finish that part of this overall discussion in this installment, addressing two final points:

1. The specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws.
2. And China and their cybersecurity and intelligence gathering activities, as viewed from the perspective of this context and as a special case in point.

I have not explicitly discussed the USA PATRIOT Act all that often in my discussions of US cybersecurity doctrine and practice, whether viewed from a more strategic or a more operational perspective. But I do explicitly note here that this law has come to serve as a foundation for much, if not most, of what has followed it in establishing and carrying through on US cyber-policy, and certainly where issues of government access to private information and communications are involved.

I initially wrote Part 21 of this series in October, 2014 where I did mention this law by name. And I add that I have been thinking about US national cybersecurity in terms of this law since it was first enacted. And then between the day that I finished writing and uploading Part 21 to this series and today when I write this next series installment (November 22, 2014), events have developed that make explicit reference to this law both topically germane and essential for explicit discussion.

The PATRIOT Act was initially signed into law by then-President George W. Bush on October 26, 2001. The timing there is crucially important; this law was initially conceived, drafted in all of its complexity, reviewed and argued in Congress, passed by both the US House of Representatives and by the US Senate and brought to the White House Oval Office for signing, all within a very tight timeframe that began as the immediate initial shock of the September 11, 2001 attacks began to wear off. And the complexity and scope of this law created openings for, and legal justification for, what rapidly came to be essentially open-ended online and telephonic surveillance, without need for review or warrant issuance from a standard court of law as organized and run under the US Department of Justice. In practice, all implementation decisions made pursuant to this law were, and have continued to be, turned over to a special secret court: the United States Foreign Intelligence Surveillance Court (FISA Court) as initially set up in 1978 under the Foreign Intelligence Surveillance Act (FISA).

The September 11 attacks by forces of Al-Qaeda were seen by many, and certainly in Congress and the White House, as representing the first direct blow on American soil from a fanatical terrorist organization that sought to become an existential threat to the United States and to all that it stands for. And very importantly, this attack was acknowledged as representing simply one more large-scale and significant event in a series of attacks that this organization had already launched, both against United States interests and against those of its allies. Al-Qaeda had already developed a track record of carrying out large-scale, carefully planned terrorist attacks, and in that regard I would cite their:

• Bombing of American and other embassies (e.g. the all but simultaneous August 7, 1998 truck bombings of the US embassies in Dar es Salaam and Nairobi), and their
• Attack on a US naval vessel with loss of life there too (the October 12, 2000 attack on the USS Cole: an Arleigh Burke-class Aegis-equipped guided missile destroyer and one of the US Navy’s most advanced combat-capable vessels).

When Al-Qaeda launched their attacks on September 11, 2001 they already had an established track record that showed both their capability for causing harm, and their willingness to do so. 9/11 served as a wakeup call, and one of the key lessons learned was that Al-Qaeda was able to carry out so many attacks, including that day’s attacks, in large part because of systematic, ongoing US intelligence gathering failures. Information that was necessary for ensuring national security was not being gathered by the appropriate agencies of the United States federal government, and when it was, it was not being shared or even looked at. Critically, in that regard, an after-the-fact review of what had been known about the Al-Qaeda team and its members who carried out the 9/11 attacks found that enough was known about them in advance that, if this raw intelligence data could have been assembled together, this attack with its thousands of lives lost might have been avoided. I have already discussed the issue of how realistic that conclusion was, in earlier series postings, and simply repeat this point here as one that was accepted by the US government as if absolute and irrefutable truth.

• The Department of Homeland Security was put in place as a response to the 9/11 attacks, as an overarching national security entity to facilitate bringing information that is gathered, together in one place so it can be more effectively identified for its value and connectedness and used.
• The USA PATRIOT Act, with that acronym standing for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, was drafted and enacted with a goal of increasing the overall reach and completeness of critical national intelligence information gathering.

And with that background in place, which I admit consists largely of points and details that I have noted before in this blog, point by point through a succession of other postings, I come to the news of this specific posting, and more specifically to Title II of the PATRIOT Act, which covers legally defined and legally approved use of “enhanced surveillance procedures.”

The US PATRIOT Act was initially drafted and enacted with a tight focus on enabling more effective surveillance of, and action with regard to, foreign and foreign-based threats to United States national security and to the US public. This came to include a wide-ranging ensemble of open-ended online and internet-based, and telephone system surveillance programs that under FISA Court approval came to include open-ended sweeps of data from and concerning both foreign nationals and American citizens; quite simply, the PATRIOT Act was drafted with an explicit foreign threat charter, but it was determined that in practice that distinction was impossible to always cleanly and clearly make. So while the express goal of these surveillance programs was and has been foreign-based threats and surveillance of direct participants in them, this has operationally led to open-ended surveillance of essentially everyone.

Title II of this Act was set up with a sunset provision (in its Section 224) that set an initial expiration date of December 21, 2005 for almost all of the provisions of the 25 surveillance-related Sections in it. That expiration date has been moved forward by subsequent legislation several times now and is currently set to occur on June 1, 2015. And that brings me directly to news events that are transpiring as I write this and that are bound to continue to develop over the coming months.

• Congressional challenges to further extending the expiration date for Title II-specified enhanced surveillance procedures, as spelled out by the US PATRIOT Act and sequentially approved by the FISA Court have been put in serious doubt,
• With a wide range of ongoing massively large-scale open-ended surveillance programs currently in place, facing distinct danger of losing their legal basis for continuance.

This most overtly means a much more likely closure of programs that have been used to vacuum up vast amounts of telephone system caller metadata – about who calls whom, and from where and to where and for how long and when and how often. This also directly threatens the continuance of a wide range of other, less publicly known surveillance programs as well. And high ranking spokesperson representatives of the Obama administration have already started at least floating the prospect that President Obama might continue these programs anyway, citing a separate section in the PATRIOT Act for legal justification: Section 215 of the PATRIOT Act, or rather a note appended to it that has remained in place through a series of updates and revisions to this law.

This same law that mandates a sunset provision expiration date for surveillance programs that have not already been terminated on their completion, also contains provisions for continuing ongoing investigations, with the programs and resources that have already been approved for them, until those investigations are formally deemed completed. Al-Qaeda still exists and is still the subject of numerous ongoing investigations, both against individual members of that organization and against the organization as a whole. What proponents of this aspect of the operational side of the Obama cybersecurity doctrine would argue is that, legally set expiration dates notwithstanding, these surveillance programs are grandfathered in, at least until all already ongoing Al-Qaeda investigations are concluded, whether individual or organizational in nature. And they are grandfathered in, according to this logic, for any and all other still-ongoing operations too, as long as those operations are formally in place before June 1, 2015 – to cite the current sunset provision date in place.

As noted above, my goal for this posting was to address the last two numbered discussion points that I repeated at the top of this posting. Then developing events intervened. I will address them in my next series installment, citing this posting as well as earlier ones in this series as background for that discussion to come. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.

Deciphering net neutrality and the concept of an open-range internet 5

Posted in business and convergent technologies, in the News by Timothy Platt on February 1, 2015

This is my fifth posting to a series on the contentious topic of net neutrality (see Ubiquitous Computing and Communications – everywhere all the time 2, postings 299 and loosely following for Parts 1-4.)

My goal for this posting is two-fold. First, I intend to discuss the pivotal role that Facebook and a group of strategically aligned fellow social media companies seek to play in expanding internet access more fully into what have been the more underserved communities of the developing world. And in the course of that, I seek to more fully explain why the current debates taking place in the United States concerning perceived threats to net neutrality, only touch on one facet of a much larger problem. And second, I intend to offer at least a brief news update regarding the US Federal Communications Commission (FCC) hearings on net neutrality, that still are yet to take place as of this writing (on November 11, 2014), given the level of controversy that this issue has generated and the volume of public comment offered.

I begin with Facebook and the social media and related businesses that they are aligned with – and with what I see as the next real net neutrality battle that will come to public awareness after our currently debated public concerns as to open online accessibility have been at least temporarily resolved.

The current net neutrality debate that has captured essentially all of the open net and net neutrality conversation as of late 2014 and going into early 2015, revolves around whether or not online service providers can selectively offer wider bandwidth and better connectivity to some, and slower and less effective connectivity to others. That is in large part a discussion of hardware-level systems access – the level of access to and from backbone internet cable and router systems, and the question of whose message, if anyone’s, will be given preferential access to this physical infrastructure for a fee. The still to emerge challenge that Facebook and friends offers is, if anything, much more fundamental in how it would limit and control online connectivity and information access, for both content providers and recipients. And to at least briefly explain that, I begin with the absolute fundamentals that make the internet work as a globally shared and accessible resource at all: open standards.

• The internet works essentially the same way everywhere it is available at all, and equally so for all who would go online, because the fundamental connectivity protocols and languages for organizing information online for use, and for transmitting it, are openly available and without licensing restrictions, as open source resources.
• This is important; net neutrality is about access to bandwidth and connectivity without requirement of approval from discriminating gatekeepers, who would favor some online information or information providers, or some online businesses or other organizations over others. But more than just that, the internet is open because the basic connectivity protocols are not proprietarily owned and controlled either.
• Open and unencumbered bandwidth access rights per se cannot offer much in the way of net neutrality protection if the software-level protocols and standards that make the internet work were to become proprietary and gatekeeper-controlled.

This brings up controversies, and yes battles, that go back to the beginning of the internet, and certainly to its emergence as a widely publicly accessed and used resource with the dawn of the World Wide Web. The basic web format scripting language, HTML, was developed as an open standard and was made freely and universally available for use by both content providers and content consumers from the beginning. But as soon as Microsoft and other for-profit businesses started producing their own web browser software, they began developing proprietary coding add-ons. For Microsoft that meant creating new HTML extensions in the form of special proprietary coding elements and browser plug-ins that would only work on their Internet Explorer browser. And they encouraged third party software providers to develop coding extensions to HTML too, that would only effectively work on their browsers. And on the production side, they commercially offered web development tools for building web sites that used these new formats and features, arguing that businesses that did so could make more effective use of the full range of what their browsers could offer to web site visitors, making those sites more effective for the businesses that owned them. Their goal was to carve out proprietary niches in the online conversation by creating, at the tool and format level, what amounted to privately owned areas within the overall internet and its flow of information.

Most of what Microsoft, and I add a wide range of other companies, developed in this was offered for free to browser users, who would access these new forms of online content through those browser plug-ins and other features. Most of the content developer side to this was offered on a for-fee basis, through software development tool fees and licensing agreements, to any web developers who wanted to offer content in these new formats. The business model idea here was that public demand for content with the new features and functionalities contained in these new proprietary web-content formats would compel developers to pay for access to the software tools needed for building web pages that included them.

The basic issues of open source versus proprietary go back a long way, and this drive to create the new, and even the disruptively new, has always outpaced the capacity of the overall organization that manages open internet software standards, the World Wide Web Consortium (W3C), to keep up, even as it offers progressively more expansive and inclusive updates to its open standards so as to cover more and more of the new, innovative developments on offer. But the new is always being developed faster than it can be included in any new or next version of any of the open standards that an organization like the W3C can develop and publicly offer.

And to bring this up to date with an example that I saw on my own computer earlier today, I opened my copy of the Internet Explorer browser and I saw a systems-generated notice at the bottom of the screen. This notice asked me if I wanted to turn off plug-ins that were slowing me down, and when I clicked to see what plug-ins were doing this, one and only one came up for review: a plug-in that I had installed for security reasons to keep Google advertisers from tracking my online viewing, with my not allowing that activity adding on average almost five seconds to the time it takes to open my browser or a new tab in it.

I have been writing about bandwidth access and online speed, and how this might be differentially apportioned. Then I switched to consider the software side to net neutrality, which I have been laying a foundation for more specifically discussing here, in the above notes. And I come right back to the issues of accessibility and speed. Not allowing third party tracking cookies should not slow down my computer or my browser in any way, and certainly when I am reducing the number of processes that have to be carried out as I use my browser. In fact a proliferating accumulation of cookies such as tracking cookies is a well-known way to slow down a browser and the computer that seeks to run it, so cutting back on the accumulation of cookies attached to a browser can significantly speed it up. So why does blocking these specific cookies, that do not in any way enhance the functioning of my browser per se, slow everything down?

If the FCC were to offer genuine, wide ranging net neutrality protection, that would impact upon online service providers: bandwidth providers. But at least as importantly, it would directly challenge companies like Microsoft for building their browser software in ways that would lead to slowdowns in function for anyone who does not want to be tracked for their web browsing too, by advertisers and other consumer data aggregators who pay for that consumer monitoring access. And regulatory enforcement of wide-ranging net neutrality would in fact have wide-ranging impact on the software side to this complex of issues in general, too.

Facebook and several other online social media businesses seek to develop new avenues into the developing world through which they could build online communities – around their software, and for as wide a swath of online activity as possible. If they do this as a matter of making open sourced connectivity more widely and economically available in the developing world they are saints. If they primarily seek to do this as a means of making their proprietary software and systems the basic default systems in use and with them as dominant first mover advantage gatekeepers, in these new and emerging markets, saints might not be the best word for describing them. And if the latter is their plan, they are actively seeking to become more of a challenge to net neutrality and to the open internet than today’s tiered access desiring online service providers could potentially become, and regardless of the outcomes of the still soon to occur and conclude FCC hearings on this.

And now my update on those still to occur (as of this writing) hearings: As of yesterday – November 10, more than 3.7 million public comments have been submitted to the FCC in anticipation of their hearings on tiered online service bandwidth provision, and on net neutrality as that would impact upon it. And yesterday, President Obama weighed in by publicly offering his own public comments on this too, asking the FCC, as a separate and independent agency that functions under congressional oversight, to rule that online access should be protected under Title 2 of the Communications Act of 1934 as amended (see in particular changes to common carrier law as stipulated in the Telecommunications Act of 1996.) That would mean regulating online access and usage rights as essential utilities, the same way that access to electrical power is, or for a more FCC-oriented example, the way more traditional telecommunications access is – and not simply as luxuries or readily disposed of incidentals to everyday life, like television is. And Obama couched his comments directly in terms of the wider framework of net neutrality per se, even as he cited the specific proposed challenge to it of allowing service providers to offer for-fee special tiered bandwidth options to preferred customers, as the here-and-now reason for his stepping in with an opinion on this.

I am going to continue this discussion in the next two series installments, where I will discuss a hybrid approach that members of the FCC have floated as a possible resolution to the tiered bandwidth debate, and whether this type of compromise approach might create new and more intractable variations on these same specific problems later on, and by that I mean in just a few years from now, or create a basis for a more stable future for all. And I will also continue my discussion of the Facebook-led social media company approach to bringing online access to underserved developing-world communities, there focusing on a set of issues that many would see as more important and compelling than the open source versus proprietary software issues that I have just raised above: access to and ownership of whole new worlds of personal information big data. I will begin with that.

Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. And I also include this in my In the News postings list.

From stuxnet to heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 3

Posted in business and convergent technologies, in the News by Timothy Platt on January 12, 2015

This is my 22nd installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and that directory’s Page 2, posting 296 and following for Parts 16-21.) This is also my seventh installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

I ended Part 19 of this series with a list of points to cover next, and I began addressing them in Part 20 where I focused in on the first two of them. And I begin this installment by repeating that list, with the rewording for its first two points as offered in Part 20 included:

• The Obama cyber-doctrine and its implementation through open-ended surveillance programs have raised broad-based civil rights and United States Bill of Rights concerns. And from a business and marketplace perspective, this has led to concern over the capability of businesses to even be able to secure personally identifiable and other confidential customer and employee information. This has led to court challenges and imposed operational restrictions, particularly as US based businesses seek to reach out to and do business with customers in countries that, like Canada and the nations of the European Union, have very strong privacy and confidentiality protection laws in place. And it has also led to increased anticompetitive barriers to participation in marketplaces in countries such as China – a complex of issues that I will also delve into as part of this discussion, as well as discussing business and marketplace pushback.
• The Obama cyber-doctrine and its implementation, as most recently discussed here in my posting: The Operational Side of National Cybersecurity and its Issues 3 have also directly created avoidable risks for businesses and organizations of all types and for marketplaces and their individual and organizational participants.
• And both of these sets of challenges have served to add significant risk and potential costs, reducing the competitiveness of American businesses and interests – in the name of enhancing overall national security. I could, and I add will argue that this dichotomy of vision and of consideration of consequences limits the capability of achieving either full American business competitiveness in world markets, or American national security.

I said at the end of Part 20 that I would at least briefly discuss legal frameworks for regulating proper use of personally identifiable information, and for responding to violations of their standards as legally set. And I added that from that starting point I would more fully discuss how businesses based in the United States and following US data practices have been challenged in court when doing business in countries like Canada and member states of the European Union. Then I stated that I would raise the specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws. And I went on to add that I will also discuss China and their actions in this context.

That covers a lot more territory for discussion than I would put into any one posting – and even in a double-sized posting such as offered with Part 20. So I will begin addressing these issues here, and with the issue of pushback.

In the United States, Facebook, Twitter, Microsoft, and a growing number of other software, and I add hardware producers have begun to actively show resistance to the United States government’s National Security Agency (NSA) led cyber-surveillance programs, and particularly to their open ended programs such as PRISM and XKeyscore. And I could add to them, programs such as:

• Boundless Informant and more than twenty others,
• Some of which were set up specifically to target foreign nationals (e.g. Dropmire: a program designed to surreptitiously gather information from foreign embassies, and Fairview which was set up to “collect phone, internet and e-mail data in bulk from the computers and mobile telephones of foreign countries’ citizens”),
• And many of which were set up to gather such information regardless of nationality or national boundary considerations.

These companies began adding encryption layers and other security safeguards into their systems, specifically to block these NSA-led surveillance initiatives. And they have publicly stated that they are doing this to safeguard the privacy of people who use their products and systems. And the NSA has taken (much more surreptitious) action against them to block these efforts, by bringing them as defendants before the United States Foreign Intelligence Surveillance Court (FISA Court) to force them to allow covert government surveillance of the use of their products.

And a growing number of foreign governments have begun actively, systematically pushing back too, with that number definitely including the governments of some of the United States’ closest allies, including its close allies in the War on Terror, like Germany.

And this brings me to the first issues that I said I would be addressing “next”, as listed after my top three bullet pointed items for further discussion: “legal frameworks for regulating proper use of personally identifiable information, and for responding to violations of their standards as legally set.” Laws were actively set up for protecting online privacy and confidentiality and for explicitly protecting sensitive personal information, starting well before our current era of seemingly ubiquitous government-led open-ended online surveillance. And case law precedent was developed as these laws were enforced on a case by case basis, clarifying both the realized meaning and the intent of these laws. Then governments started putting themselves in the cross hairs established by these laws through their active, open-ended surveillance and online data gathering programs. And when I use the plural “governments” there, I include any and all of a growing list of them that engage in online surveillance programs, for a wide range of what would loosely be identifiable as national security reasons.

The United States with its NSA-led programs comes immediately to mind here, and so do their direct allies in the War on Terror. That includes their more obvious allied participants in this endeavor:

• The Five Eyes nations: Canada (with its Communications Security Establishment Canada), Great Britain (with its Government Communications Headquarters), Australia (with its Australian Signals Directorate), New Zealand (with its Government Communications Security Bureau), and of course the United States. I tend to simplify US participation in this by only citing their NSA and leaving it at that, but multiple other agencies are actively involved in this, only some of which fall under the auspices of their Department of Homeland Security.
• And I add France to this list of nations (with its Direction Générale de la Sécurité Extérieure (DGSE)) and Germany (with its Bundesnachrichtendienst), and note that this list up to here only represents the most visible War on Terror co-participants in all of this, and that a significant number of other allied countries have at least situationally participated in these and related online surveillance activities too.
• And that only includes nations that are engaged in this as part of the United States led War on Terror, and as American allies in that ongoing endeavor. Russia has been very active in online surveillance, both within its own borders and internationally, and as I have been discussing for years, with its own agendas for doing so. And so have China and, I add, a growing number of other nations as well.

The private sector business and commerce side to law that would limit and protect against violations of online privacy and confidentiality, and that would protect sensitive personally identifiable information, is relatively mature now. These laws have been drafted and enacted and they have been tested in the courts of law and refined, both in wording through new legislation, and in interpretation as tested in real-world court cases. Parallel law that would address governmental violation of privacy and confidentiality without specific cause that could be justified in court through the granting of a warrant or subpoena is far less developed, certainly for this specific context, and largely rests on foreign espionage law.

And this brings me to the third bullet point at the top of this posting, which I repeat here:

• And both of these sets of challenges have served to add significant risk and potential costs, reducing the competitiveness of American businesses and interests – in the name of enhancing overall national security. I could, and I add will argue that this dichotomy of vision and of consideration of consequences limits the capability of achieving either full American business competitiveness in world markets, or American national security.

American businesses that cannot, for whatever reason, securely hold and protect the customer data that they collect, are subject to legal action both within the United States, and outside of it where they do business with foreign nationals, for how their information security systems leave customer and other sensitive personal information at risk. Ultimately, it does not matter who is conducting this surveillance and sensitive personal data gathering, as far as breach of trust and creation of risk are concerned.

Collectively, this limits the overall competitiveness of American businesses, and certainly as they are more readily targeted for surveillance and as they are included as permitted targets for most of these open ended surveillance programs. And pushback against all of this government surveillance has to have an overall effect of limiting US national security.

And this brings me to an ending point for this posting. I will continue this discussion in a next installment where I will address the last of the “to discuss” points that I listed at the top of this posting and that I have yet to cover:

• The specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws.
• And China and their actions in this context as a special case in point.

As a foretaste of this discussion to come, I note here that the PATRIOT Act was signed into law and publicly stated as explicitly only allowing surveillance and related activities against foreign nationals, and even there only with explicit justifying cause. Then the open-ended surveillance programs that are actually in place came to light, and they explicitly seem to violate the key terms and requirements of this law as publicly stated and justified. That creates consequences. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.

Deciphering net neutrality and the concept of an open-range internet 4

Posted in business and convergent technologies, in the News by Timothy Platt on December 29, 2014

This is my fourth posting to a series on the contentious topic of net neutrality (see Ubiquitous Computing and Communications – everywhere all the time 2, postings 299 and loosely following for Parts 1-3.)

I finished Part 3 of this series with a start to a discussion of 2014 Federal Communications Commission (FCC) hearings on net neutrality, and more specifically on their then still to occur hearings on whether online service providers can offer preferred higher bandwidth connectivity to select favored customers and slower, lower-priority connectivity to others – leading to tiered bandwidth favoritism. And more specifically, I ended that posting with at least a preliminary discussion of the FCC’s public comments period where in this case more than one million statements, position papers and comments had been submitted, and by private individuals and by organizations of all sizes and types. And this led me to a core question, which I also raised:

• Which voices out of all of this are listened to and with what attentiveness and urgency, and which voices are for the most part ignored?

I have focused in that regard on businesses and organizations and on how they seek to influence regulatory decision making in their favor. And I turn here to consider how legislation in place, and legal rulings based upon it, have given large businesses – like the online service providers that seek permission to switch to tiered online connectivity systems – larger and more preferentially favored voices in multiple arenas of public discourse and decision making. And a key to understanding this is in how businesses hold corporate and organizational identities but also, and increasingly importantly, how they hold identities as persons too, particularly under the aegis of recent, as of this writing, US Supreme Court rulings under the Roberts Court. But to put that in perspective, I go back to the beginning for the issues of corporations as persons, and the US Supreme Court decision: Trustees of Dartmouth College v. Woodward of 1918.

Trustees of Dartmouth College v. Woodward 17 U.S. 518 (1918) began as and came to the court as a result of a conflict between a private college located in the state of New Hampshire and the legislature of that state. In brief and admittedly cartoonish summary, the state legislature sought to take over this private educational institution and make it a state-run entity, so it could impose a state controlled board of trustees on it and install legislator-approved administrative leadership there. The Supreme Court through majority decision saw this as an unwarranted intrusion by government and framed its protective remedy to this in a novel manner. It decided that a nonprofit organization – in this specific instance a nonprofit college or university – had the same rights as a natural person to enter into and enforce contracts, in this case their school charter with its contractually binding terms. And this decision, creating the status of corporate person, first framed with a privately owned and operated college in mind, has served as a foundation-point precedent for much that has followed that is relevant here. And with that, I cut ahead to more recent Supreme Court decisions that have significantly and even dramatically expanded what corporate personhood means. And I begin there at a fundamental turning point in the history of United States jurisprudence and of how the US legal system impacts upon society: the Citizens United v. Federal Election Commission ruling of 2010 and its direct consequences.

The Citizens United decision, as it is more generally called, holds that the First Amendment rights held by nonprofit organizations as corporate persons prohibit the government from restricting their political expenditures: how much they can legally donate politically, and to whom. And in the essentially immediate aftermath of this decision, further judicial rulings were also handed down that allowed for-profit corporations to donate without let or limitation to political campaigns through nonprofits: political action committees (PACs) and particularly through so-called super PACs. And at least as of this writing, it is legal to set up and contribute to a number of specific types of legally defined super PACs completely anonymously, both for super PAC organizers and for their donors. And it is possible to make political donations through these entities at whatever donation levels and with no limitations on what these funds would be used for – and with no outside auditing or oversight.

The outcome of this set of court decisions has been summarized, both cynically and accurately, as “one dollar equals one vote.” And this affords large corporations an overwhelmingly large voice and influence in the political process, and certainly when compared to the vast majority of natural persons – citizens who do not belong to the highest income and wealth level 1%, or rather the top 1% of that 1% group. These corporations, operating through their politically compatible super PACs, can and do hold disproportionate voice and influence in political elections.

Granted, it is easy and valid to argue that the regulatory process, as for example carried out by organizations like the FDA, the FAA, or in this case the FCC are run by appointed officials. In principle, this means that these agencies can operate and make decisions that are free of at least direct political pressure. But the leadership of these agencies are selected by politicians and have to meet political litmus test standards as well as skills and experience-based qualification standards in order to get selected for these positions, and before being approved for office by appropriate congressional oversight committees. The political nature of the selection and approvals process here, at the very least taints the credibility of these agencies as politically impartial bodies, and particularly when national politics are so rancorously partisan as they are now. And this brings me back to a question that I raised and noted earlier in this posting:

• Which voices out of all of this (that seek to influence and shape the outcome of these FCC hearings) are going to be listened to and with what attentiveness and urgency, and which voices are for the most part going to be ignored?

I leave that as a still open question, and one whose answer will only become clear in the aftermath of these hearings themselves.

And with that, I come to the issues of Facebook and a group of social media and internet companies that they have come to work with, in an effort to shape online connectivity for developing nations. I am going to delve into that complex of issues in my next series installment, noting here that the issues and challenges that I will be discussing go a long way in explaining why I take the issues of net neutrality per se as being much more inclusive and wide-ranging than just the issues of whether service providers can offer tiered bandwidth services. And in anticipation of that discussion, I note here that it will revolve around connectivity and service standards that would be followed in this expansion of online access availability, and the issues of developing these new network capabilities using open or proprietary technology as standards-essential innovations. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. And I also include this in my In the News postings list.

Asking the fundamental questions when considering North Korea’s cyber-espionage and cyber-warfare capabilities 2

Posted in business and convergent technologies, in the News by Timothy Platt on December 24, 2014

Two days ago I posted an immediate-release news piece about North Korea and their cyber-espionage attack on Sony Pictures Entertainment for producing and planning on releasing a new comedy movie about them: The Interview. I was not planning on following through on it with a continuation posting this quickly, but decided to do so given the pace and nature of unfolding events.

Within 24 hours of the initial attack against Sony, President Obama gave warning that the United States saw it as a direct attack on American interests by the government of North Korea – even if they acted through a group that identified itself as the Guardians of Peace, as if this had been carried out by a privately organized and run hacker group. And Obama promised that the United States would meet this challenge with a “proportionate response.” Then within the next 24 hours, all of North Korea’s fixed-place internet capabilities went down and off-line.

I noted in my earlier posting that “North Korea has essentially no meaningful internet access or internet connected network resources.” They have in fact been maintaining four networking links to the internet, with all of them routed through China in order to connect into it. All four of these lines of connection are government owned and are primarily maintained and used by the cyber-units of their Korean People’s Army. I noted what little I know about these specific units and particularly their Bureau 21 and Bureau 121 in my December 22, 2014 posting. Perhaps as many as 2,000 individuals have had supervised, directly monitored and controlled online access through these links. And they have primarily if not exclusively been afforded this internet access in order to carry out their military service duties. Such personnel are carefully selected for their political reliability and stringently monitored to make sure that they live up to this trust.

By comparison, the United States and its citizens and business communities have access to over 152,000 direct connections into the overall internet and its core backbone network and with even the more modest of these lines of connection offering wider bandwidth than could be found in any intranet in North Korea, or in its set of four cabled points of outside connection that run through China.

Put somewhat differently, North Korea currently, as of this writing, has 1024 registered IP addresses, and the United States has many billions of them.

I add that there is also significant evidence that North Korean cyber-espionage and cyber-warfare units also connect into the internet wirelessly for at least a portion of their online activities. In this, they locate facilities in strategic sites in their country, near their borders with China and with South Korea. More specifically, they choose operational sites for this where they can deploy at an elevation high point with unobstructed views across these borders. And they select them for their proximity to Wi-Fi hotspots and wireless routers that are not security protected from unauthorized outside use. And they do this both to gain additional pathways into the internet and with a goal of masking who is carrying out their activities by linking what they do to foreign IP addresses. And yes, they intentionally seek to make their cyber-espionage activities seem to come from China – their one and only real friend and their supportive patron. So saying that the North Koreans have been maintaining four points of connection into the internet as a whole is misleading and an underestimate.

The important issue here is that those cable-connected internet links were knocked off-line with slow-downs that turned into full stoppages of service. Who did this? It is certain that at least officially, the North Korean government will blame the United States and entirely so. But I would argue that the Chinese have significant reason to want to warn their smaller neighbor if nothing else, that they cannot take this type of cyber-military action with impunity. Agencies in the United States certainly have the technical capability to turn off internet connectivity for as limited a system as North Korea has, with its four fixed target network links. But it would be even easier for the Chinese to do this, as all they would have to do is make some minor adjustments in their own internet routers, where those North Korean cables cross their border and connect into their systems.

Who did this? What will the North Koreans do in retaliation? I am not going to even try to answer the first of these questions, simply adding that there are a number of possibilities, including joint effort scenarios that readily come to mind. What will North Korea do next? I fully expect to see more of the terabytes of material that were taken from Sony to be publicly released, as they are an easy target for that. I would not be surprised to see their Bureau 21 stepping up its already active attack campaigns against South Korea – simply because they do that. And I would expect further direct attack attempts against the United States government and the US private sector too, as a stepped up continuation of their activity against the United States that has been ongoing anyway.

I offer this as a news story update, noting that I will probably come back to it again, if not as quickly. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. And I also include this in my In the News postings list.

Asking the fundamental questions when considering North Korea’s cyber-espionage and cyber-warfare capabilities

Posted in book recommendations, business and convergent technologies, in the News by Timothy Platt on December 22, 2014

I have written at least on occasion about North Korea in this blog, and in that regard cite my 2011 posting: Romania and North Korea – a brief tale of two generations, where I first raised the specter of North Korea’s cyber-espionage and cyber-warfare ambitions. I pick up on that discussion again here, in the immediate aftermath of Sony Pictures Entertainment deciding not to release a movie that they had just produced that was set to be premiered this coming Christmas day: a comedy called The Interview. This movie depicts an exclusive interview opportunity, in which a fatuous American TV journalist and his producer are invited by the North Korean government to meet with their leader, Kim Jong-un, at his specific request as he is one of their fans. And when the CIA learns of this, they bring in these near-journalists to persuade them to take this opportunity to assassinate him. They agree to do that and at the end of the movie, he is in fact violently killed. And this movie identifies the North Korean leader who is to be killed by the real leader of North Korea’s real name, and the actor employed to play him was made up to look a lot like him too.

Given North Korea’s history and what is known of their way of thinking, it is all but certain that the real Kim Jong-un and his government would assume that any movie like this could only be made at the behest of and under the supervision of a government in power – in this case the United States government. So the director and producer of this movie, and the executives of Sony Pictures Entertainment who signed off on making it, should have anticipated that this movie would in all probability be seen as a direct US government-originated threat to their leadership, and especially given the failure on the part of the United States to bring North Korea to abandon their nuclear weapons ambitions, among other points of friction between those countries.

Sony produced this movie and began heavily advertising it, and with advance notice that it was about assassinating Kim Jong-un by name. North Korea saw this as a direct threat of what was to come in reality. And elements of the North Korean military tasked with cyber-espionage and cyber-warfare were given a green light to carry out cyber-attacks against Sony Pictures Entertainment and its interests, hacking into its computer intranets and computers and copying and deleting emails, electronic file copies of movies that had been made but that were still awaiting release, draft material from movies that were still under production, personnel records and other sensitive files – deleting Sony’s copies of all of this from those computers where they could, while doing so. And they began publicly releasing these files, starting with the confidential emails and business planning documents that they had gathered, with threats of doing more and worse if this movie were to be publicly shown. They also explicitly threatened any movie theatres that agreed to show this movie, with “9/11-like attacks” if they did so. Large movie chains that had agreed to show this movie began pulling out of their contracts to do so on the grounds that fulfilling them and showing The Interview would put their employees and customers in direct and grave risk. And with that, Sony decided to pull this film from release, either in theatres or through any other channels (at least for now and through the immediate future.)

The US Federal Bureau of Investigation (FBI), acting as a point of contact for other intelligence gathering agencies and as spokesperson for them, has announced that they had clear and direct evidence that this hacking attack did in fact originate in North Korea. A back and forth exchange immediately began between Sony and American politicians and others, as to whether this film studio should or should not have bowed to this extortionate terrorist threat, rewarding North Korea by doing so and conveying a message that went global that such threats can and do succeed in the United States.

This posting, at least up to here, summarizes the bulk of this news story as it has been conveyed up to today: December 20, 2014 as I write this. But my reason for writing this posting is somewhat different than simply to repeat a news story that has already been covered. My goal here is to at least consider the Who and How side to this news story. And I begin that by making note of a detail that I have heard before and that I have recently read confirmation of.

I couch this observation in terms of a newly published window of insight into the hermit kingdom of North Korea:

• Kim, S. (2014) Without You, There Is No Us. Crown Publishers.

Suki Kim is a Korean American who had the opportunity to teach English to 270 elite students at the Pyongyang University of Science and Technology (PUST) for six months. And she taught and in fact lived with these North Korean students for that entire time. PUST is among other things the first privately funded university in that country and was conceived and built as a joint venture between North and South Korea. But it is also one of the North’s premier technical universities and it is an educational stepping stone for those who would be advanced in both Communist Party and government ranks. And that is where this narrative gets interesting. Kim met with her students and discussed a wide range of issues over this six-month period, and quickly learned in the course of it that her students all knew that they were always being watched and reported on. So they had to be very circumspect in anything that they chose to tell her or say to each other. But they did not see any reason for concern in telling her that they knew about and used computers as basic tools in their study. And they were willing and even happy to tell her about how their university-provided computers were linked into a network system – a closed intranet system. And in the course of this, she learned that absolutely none of them had ever even heard of the existence of the globally-reaching internet, or of search engines or of any of the basic routine online resources that we all take for granted outside of the closed and insular world of their country. And this brings me to two pivotal questions:

• If even the technologically and socioeconomically elite of North Korea do not in general even know of the internet’s existence, how and where did that country find thousands of highly trained computer and internet systems hackers in their population, as would be needed to build and staff their proclaimed and acknowledged cyber-espionage and cyber-warfare capabilities?
• And how and where would they be trained in these skills and technologically supported in using them?

And this brings me back to the points I raised in my above-cited 2011 posting and to the crux of this late-2014 posting too: the patron and uncooperative protégé relationship that exists between China and North Korea.

North Korea has essentially no meaningful internet access or internet connected network resources. The computer networks they do have are essentially all locally situated intranets that do not connect with each other, let alone with the wider internet. But they do have a series of military-run cyber units that are specifically tasked with tracking and targeting current and potential foreign enemies. The top three entries on their list of enemies in this regard are South Korea and Japan and their government and private sector computers and networks, and those of the United States. And their active cyber-espionage and ready cyber-warfare reach goes far beyond simply targeting online resources in those countries. Their enemies and potential enemies list has a global reach.

What are these operating cyber-units? There are at least three that have been actively involved in overt hacking attacks over the past several years, and attacks and intrusions of all sorts, with a great deal of emphasis on business intelligence gathering and on sabotaging business and at least non-military government networks and computers and both as vulnerability probing exercises and to inflict specific harm.

• Bureau 21, which specifically targets South Korea,
• Bureau 121, which among other things is the likely direct source of the recent attacks against Sony over this movie, and serves as a key component of North Korea’s principal military intelligence agency (their General Bureau of Reconnaissance), and
• Bureau 225.

This is only a partial list, identifying units that have been firmly established as sources of specific attacks. Members of their technical staffs are drawn from a pool of their most politically reliable, technically educated citizens, such as graduates from their technical colleges and universities. They are primarily trained in China at established People’s Liberation Army (PLA) cyber-warfare training facilities, and in China’s own cyber-espionage and cyber-warfare units, though North Korea’s cyber-personnel also receive at least some of their training in Russia too. And a significant amount of their work is in fact carried out from China, giving them greater access to the internet and to advanced network technology than they could find in their own country. And this would also help them to mask who is behind their activities and particularly where North Korea’s own direct points of connection to the internet are so limited that use of them for this would be difficult to hide. China’s cyber-warfare and cyber-espionage facilities can and do connect out through a vast maze of IP addresses and anonymizer servers, and through numerous physical network links and they hide their activity in the vast flow of every-day online traffic going in and out of their country – which does not occur in or out of North Korea.

And that brings me back to the question that I at least implicitly left open when writing my above cited 2011 posting. China is North Korea’s patron, even if a reluctant one given North Korea’s willingness to take action that their Chinese allies would find awkward and embarrassing. But they do provide what is seen as a vital physical barrier between their own people and the South Koreans and these countries do share what both sides see as mutually beneficial history between them.

• In keeping with the basic tenor of my December 25, 2011 posting, does China see the recent events that I write of here as a readily deniable test of tools and principles that they would benefit from, and both from real world proof of principle validation of their technology, and from possible consequences from this in the West?
• Or do they see this as yet another example of how this problematical protégé state of theirs can be more of a problem than they are worth?

My basic guess here, and I admit I am surmising here when I state this, is that China and its leadership probably see elements of both in this, and with the second of these possibilities probably predominating here, as this type of technology proof of principle testing is not worth its readily anticipated costs.

What are the potential costs from this in the United States and, I add, in Japan, where the overall headquarters of Sony are located? They could easily include an increased level of attack, and from new sources and directions, on United States interests and on those of US allies – because Sony caved in here, proving that this type of attack can succeed, giving an attacker the reward that they seek to achieve from their actions. I leave the possibilities that I just raised above as open questions, noting that I write this on December 20, 2014 – almost exactly three years after my first posting related to this complex of issues.

And I finish this posting with a final thought. North Korea itself has offered to help resolve where this attack came from – and with threats if they are not included in this effort. It would be foolish to accept their offer, but every reasonable effort should be made to enlist China’s help in that, and to actively engage with China in jointly reining in North Korea’s very active cyber-espionage and cyber-warfare programs. Quite simply, any positive benefits that China might seek to achieve from placating North Korea – including preventing massive waves of refugees from there, flooding into China, are outweighed by the costs of this patron and protégé relationship that they have already been paying, and that simply continue to rise.

You can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation. And I also include this in my In the News postings list.

From Stuxnet to Heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 2

Posted in business and convergent technologies, in the News by Timothy Platt on December 13, 2014

This is my 21st installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and Page 2 of that directory, posting 296 and following for Parts 16-20.) This is also my sixth installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

One of the core elements of Part 19 to this series was a list of issues to discuss, that I offered at the end of that posting. And I stated there, that I would begin working my way through them in this installment and starting with that list’s first point. After that I will address the second of those points too. Then I will add a concluding note on a recent, as of the date of this writing (September 26, 2014) news event of some relevance to this series. But first that first bullet point, which I repeat as a starting point for this posting’s discussion (with some minor rewording for inclusion in this new context):

• The Obama cyber-doctrine and its implementation through open-ended surveillance programs have raised broad-based civil rights and United States Bill of Rights concerns. And from a business and marketplace perspective, this has led to concern over the capability of businesses to even be able to secure personally identifiable and other confidential customer and employee information. This has led to court challenges and imposed operational restrictions, and particularly as US based businesses seek to reach out to and do business with customers in countries that, like Canada and the nations of the European Union, have very strong privacy and confidentiality protection laws in place. And it has also led to increased anticompetitive barriers to participation in marketplaces in countries such as China – a complex of issues that I will also delve into as part of this discussion, as well as discussing business and marketplace pushback.

The complex of issues that I raise in the above bullet point has a history that goes back to well before the September 11, 2001 terrorist attacks on the United States or the Obama administration, let alone the still emerging Obama cyber-defense doctrine (see the series: Learnable Lessons from Manning, Snowden and Inevitable Others, Part 26, Part 27 and Part 28 for a discussion of that US policy development.) So to build a foundation for discussing the above stated Point 1, I offer a brief and selective historical background note.

The issues that I write of here go back to the beginning of online commerce, and to the explosion of personal information that businesses began to collect from their customers and from both within their own home countries, and from across international borders as they entered into international online commerce. Their reasons for collecting this flood of data were, and I add still are fairly clear-cut and easy to understand. The more a commercial enterprise can know about their customers, the more fully and effectively they can market and sell to them as individuals, drawing in their business and their repeat business. And the more they know of these consumers as individuals the more appropriately focused their marketing outreaches can be for them as individuals and the less wasted and irrelevant marketing they will hit them with. This, I add means both more effective targeted marketing with increased returns from it, and it also and at least as importantly also means reduction of wasted expenditures from marketing to the wrong people and in the wrong ways – which can drive away potential future customers.

The same basic goals and ideas for reaching prospective customers apply when considering them at a demographic level, in shaping overall marketing campaigns and overall messages to be shared. The defining difference between this approach and the explicitly individualized marketing and sales approach that I just noted above is in how this flood of individual consumer-sourced data is brought together for statistical and other demographic modeling analysis in better understanding and connecting with broader market segments. It is at least in principle, fully scrubbed of details that would be connectable to any particular individuals and that could be used for identity theft or other individually targeted malicious purposes. But even here, data collection, processing and analysis, use and retention have to be done correctly so as to limit actual risk of possible malicious use, if a demographic marketing approach is to be done correctly. Online and I add bricks and mortar storefront businesses actively pursue both approaches.

But up to here I have only considered how this data can be used internally within an acquiring business as a means of developing competitive advantage in its own marketplaces. Many businesses also found early on in this endeavor, that the data they were collecting about their customers and the metadata they added to it through their own sorting, filtering, organizing and analysis were in and of themselves a source of potential marketable and sellable commodities too – and certainly when marketed and sold to businesses that were not direct competitors for their own customers in their own markets. And even when they were not selling this data, there was functional value and even need for at least selectively sharing from their consumer data with supply chain partner businesses that they worked with in fulfilling customer orders and delivering products purchased.

And to add one more thread to this skein, I have been writing here of circumstances where an information acquiring and developing business intentionally diffuses out access to their customer data to others, and both within and also at least potentially outside of their own organization.

• Sloppy data management and problematical information technology security policy and practice can lead to loss of control over data, including highly sensitive personally identifiable customer data,
• And both within the business to unauthorized members of their own personnel
• And to others outside of their business – and all without intent and even in ways explicitly contrary to that.
• And I explicitly note here that experience shows internal malicious hackers and their activity in compromising their own employers’ customer and other sensitive data, can be more widespread and common than successful outside hacker assault on business data resources. And I add that carelessness (e.g. employee loss of laptop computers in public places that hold critically sensitive data that is not in any way encrypted or protected, or high risk employee use of third party cloud storage) can be an even bigger problem, and certainly for impact on business reputation.

And this leads me very explicitly to privacy laws and the issues of protecting confidentiality of individually personally identifying information where that includes names and contact information of all sorts, sensitive data that could be used for facilitating identity theft such as US social security numbers, and of course explicit financial information such as credit card numbers. And historically, enough businesses have developed and pursued problematical enough approaches to all of this, in the United States and I add in many other countries, to provoke legislative response. And even early on in the development of online commerce, there were enough large-scale publicly noted data breaches of sensitive personal information to prompt national governments to begin to pass privacy and confidentiality laws mandating better managed and more restrictive business practices; the development of such legislative responses goes back a long way too now.

I have written most of my From Stuxnet to Heartbleed postings up to here with a primary focus on the United States government’s cyber-defense policy and its implications and consequences. But the United States does not exist in an information, or information security, vacuum, and its conduct of widespread and even open-ended surveillance has raised red flags, both within the United States and outside of it, that at the very least closely parallel the concerns I have just been discussing about business practices. The core issues in both cases revolve around the security of personal information, and certainly of personal information that could cause personal harm if misused.

A progression of privacy and confidentiality laws has been passed and enacted within the United States, at least initially with the goal of regulating the customer data practices of American businesses. They have also been invoked in the context of foreign government action that surreptitiously gathers data about individual citizens and about American based businesses. And I also cite in this context the two foreign legal jurisdictions that I noted in my starting bullet point above: Canada and the European Union. Both have very actively developed and enforced legal protections over confidential information, both as it is gathered concerning individual citizens and as it might be gathered from their businesses.

• Both Canadian and European Union courts have taken legal action against American based companies for what they see as systematic breaches of the personal privacy and confidentiality protections laid out in their laws, as those businesses gather information about their nations’ citizens.
• Those same legal safeguards, and certainly their frameworks of intent, can just as easily be seen as being violated by governmental surveillance programs that seek to vacuum up personal data of all types about essentially everyone.

And this brings me to the second bullet point of my Part 19 list:

• The Obama cyber-doctrine and its implementation, as most recently discussed here in my posting: The Operational Side of National Cybersecurity and its Issues 3 have also directly created avoidable risks for businesses and organizations of all types and for marketplaces and their individual and organizational participants.

When a business gathers sensitive, personally identifiable information about its customers, its employees and at times about others as well, it is legally required to safeguard this trove of potentially damaging data from any and all outside access, except where access is specifically allowed for, and in some cases legally required, through approved mechanisms. For governmental access, one such allowed exception to enforced confidentiality is divulging data concerning specific named individuals under explicit court order, where those individuals face specific criminal charges. A failure to secure data against open-ended access would in most cases be seen as a failure to meet the requirements of all of these privacy and confidentiality laws, regardless of whether the breaches were conducted by private sector or governmental agents.

And this brings me to that more explicitly In the News item that I said I would address at the end of this posting: the revelation of a fundamental software flaw in bash, the GNU command shell that is deployed on the great majority of Unix-like systems and is invoked, often invisibly, by software of all sorts: Shellshock (CVE-2014-6271, together with the related bugs found while fixing it). The flaw lies in how bash imports function definitions from environment variables, so any service that places attacker-controlled input into bash’s environment, web servers running CGI scripts being the classic case, could be made to execute arbitrary commands. Public revelation of this flaw indicates that a vast number of computers and computer systems have been at risk, of being co-opted and taken over by malicious outside interests as well as of having the information held on them compromised, with this including everything from major corporate networks to government computer systems to much of the infrastructure behind the internet itself, as a worst case possibility.
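To make the mechanism concrete, here is a small POSIX shell probe, added here as an example and not part of the original posting, that applies the widely published environment-variable test: it sets a variable whose value looks like an exported bash function followed by an extra command, starts bash, and checks whether that trailing command ran. The function name shellshock_status, the SHELLSHOCK_PROBE marker and the script file name are my own choices; the probe is harmless and only prints a marker.

```shell
#!/bin/sh
# Added example, not from the original posting: probe whether the bash on
# PATH still imports function definitions from environment variables and
# runs whatever follows the function body (the behaviour behind Shellshock,
# CVE-2014-6271). The probe only echoes a marker; it changes nothing.

# shellshock_status [path-to-bash]
# Prints "vulnerable" if bash executed the trailing command, "patched" if it
# did not, and "no-bash" if no usable bash binary was found.
shellshock_status() {
    if [ -n "$1" ]; then
        bash_bin="$1"
    else
        bash_bin=$(command -v bash 2>/dev/null || true)
    fi
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        printf 'no-bash\n'
        return 0
    fi

    # Constructed probe variable: a harmless function body "() { :;}" followed
    # by a command. An unpatched bash parses the whole value at startup and
    # runs the echo; a patched bash treats it as an ordinary variable.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_PROBE' "$bash_bin" -c ':' 2>/dev/null || true)

    case "$out" in
        *SHELLSHOCK_PROBE*) printf 'vulnerable\n' ;;
        *)                  printf 'patched\n' ;;
    esac
}

# Usage: save as shellshock_probe.sh and run it to report on the system bash:
#   sh shellshock_probe.sh
if [ "${0##*/}" = "shellshock_probe.sh" ]; then
    shellshock_status
fi
```

A "patched" result means only that the original bug is closed; the first fix was incomplete (CVE-2014-7169) and later parser bugs in the same area needed their own fixes, so a full audit checks the installed bash version against the vendor's advisories rather than trusting one probe. The more important operational question is exposure: which services on the host pass outside input into bash's environment at all.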

As of now certainly, I have not seen or heard of any evidence to indicate that the US National Security Agency (NSA) or any other US government agency knew of this software bug, or that it was withholding knowledge of its existence for its potential value in cyber-surveillance or in more active cyber-warfare. But revelations of Stuxnet and of the still recently uncovered Heartbleed bug do indicate that government agencies gather zero-day vulnerability information for possible use and that they keep these findings to themselves regardless of the potential consequences of not sharing this knowledge. I raise this as a matter of credibility and to note how the loss of a measure of it can and does spread doubt more widely, into unrelated but similar sounding contexts.

When I first wrote about Stuxnet in this blog I did not have any evidence at hand to suggest that the United States government or any of its agencies had played a direct role in constructing or launching that computer worm as a malware weapon. Then I subsequently learned otherwise and posted that too. Heartbleed does appear to have been a known vulnerability, and to the NSA if nowhere else, and for a significant period of time before its existence became general public knowledge.

I do not know what if anything I will have to add to this brief discussion of Shellshock a year from now. But the still unfolding Heartbleed story does raise questions – and it does highlight the level of challenge faced in rebuilding a fuller credibility again, when that is lost from the way a government agency collects information, including software security vulnerability findings. I may add more on this news story in upcoming installments of this series, as the basic facts of what has happened here become clearer.

I am going to continue this posting’s main points of discussion in a next series installment where I will discuss the third point of Part 19’s list and at least briefly discuss legal frameworks for regulating proper use of personally identifiable information, and for responding to violations of their standards as legally set. And from that starting point I will discuss how businesses based in the United States and following US data practices have been challenged in court when doing business in countries like Canada and member states of the European Union. Then I will raise the specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws. And as noted above, I will also discuss China and their actions in this context.

Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.
