Crypto-anarchism (or crypto-anarchy) is a form of anarchy accomplished through computer technology. Crypto-anarchists develop and employ their own cryptographic techniques to conceal the content of communications, and even the identities of the communicating parties, from anyone observing the network. The motivations vary: from simply having fun and causing turmoil, to achieving perceived status within a crypto-anarchy community, to furthering socio-economic views about information availability, absolute privacy, political advocacy and the spread of anti-government paranoia. Increasingly, crypto-anarchy techniques are also used by hostile nation-states, criminals and terrorist actors to engage in widespread hacking and the deployment of cyber threats.
Several significant new developments in law and public-private collaboration seem sure to contain the worst manifestations of crypto-anarchism and to introduce tort law as a means of sorting out the difficult tensions among cybersecurity harms, privacy desires, economics and marketplace dynamics.
Until the mid-1990s, the development and deployment of cryptographic communication techniques was largely the province of governments and regulated network service providers, together with a small number of companies and academics that supported them. That comparative stasis changed dramatically, especially in the U.S., twenty-five years ago because of three concurrent developments. The first was the enactment of what is known as Section 230, which provided essentially complete immunity for online service providers. The second was a decision by the U.S. Administration to end all regulatory oversight of internet developments and to promote a single, highly vulnerable network protocol, TCP/IP, and embrace its institutions, in part to achieve global strategies. The third was the Administration's concurrent withdrawal of support for the public network security and trust platform developed over the previous decade, known as SDNS (Secure Data Network System).
These three developments enabled and unleashed a 25-year period of crypto-anarchy and endless cybersecurity nightmares, facilitated by the development and deployment of ever more elusive and nuanced cryptographic techniques by actors competing with one another. The pursuit of Crypto-Anarchy by Design became institutionalized and commercialized as companies competed in a new, predominantly Silicon Valley-based marketplace for products and services that were promoted, lobbied for and sold as absolute privacy. Clever and innovative cryptographic consultants and academics became sought-after commodities, pursuing ever more extreme implementations in favoured, unfettered TCP/IP venues such as the IETF.
After the Snowden revelations in 2013, all of this crypto-anarchy activity increased dramatically. A general public ignorant of history and technology was a willing recipient of paranoia-laced crypto-anarchism. As the market for products and services grew, practitioners congregated to generate ever more aggressive and ambitious crypto measures, egged on by slogans like "encrypt everything" and "Let's Encrypt." The well-known adverse effects, which enabled cyberattack mechanisms and disabled operator network management, were ignored. The U.S. was hoist with its own petard.
The principal home for this crypto-anarchy activity has been the IETF working group known as TLS (Transport Layer Security), which is ironic given that a trusted TLS originated in NSA's public-private SDNS initiative, publicly announced in 1986 and placed in ITU and ISO standards several years later. Much of the IETF TLS work was accomplished through some 30,000 mailing-list emails between 2004 and today. The metrics show a prominent "Snowden bump" in 2014. Twenty people accounted for 50% of those emails, making them rock stars in the crypto-anarchy world and sought-after commodities for those exploiting the resulting marketplace. The crypto-anarchy champion of the group generated more than 2,100 emails and holds 13 patents.
The pièce de résistance of the TLS group, at Snowden's urging, was a new protocol version known as TLS 1.3, which uses ephemeral key exchange and an encrypted handshake to make network communication nearly opaque to any observer. It is a boon for network attackers, because the ability to monitor traffic for attacks is essentially eliminated.
The zeal did not stop with TLS 1.3; it extended to an array of synergistic protocol variants intended to defeat all manner of cyber defenses, as well as the detection and control of unwanted or illegal traffic. Indeed, when TLS 1.3 is paired with the multistream transport protocol QUIC, many opaque parallel paths can be created, making it ideal for the illegal streaming of multimedia works. Under the rallying cry of "encrypt everything," all manner of new crypto-anarchic schemes were devised that cause enterprise network security to "go dark" and facilitate adversary hacking. Despite considerable concern expressed by industry groups such as the Bank Policy Institute, U.S. government agencies not only did nothing; some were co-opted to actively promote TLS 1.3 use. Responsible, responsive measures shifted instead to global collaboration in ETSI's CYBER Technical Committee, where an ensemble of new protocols balancing cyber defense and privacy requirements was developed by concerned, world-class cryptographers.
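What a passive network gateway can and cannot read from a TLS 1.3 connection, as an added example that is not part of the original article: the ClientHello is still sent in the clear, so the server name (SNI), the offered protocol versions and the ALPN list remain visible to a monitor (unless the newer Encrypted Client Hello extension is in use), while the server's Certificate, which TLS 1.2 sent in cleartext, is encrypted under the handshake keys and crosses the wire as opaque application_data records. The ClientHello bytes are constructed by the script itself, not captured traffic, and the "encrypted" record is a zeroed stand-in.

```python
"""Passive inspection of TLS 1.3 records, as seen by a network gateway.

The ClientHello below is constructed by this script (not captured traffic)
so the example runs offline.
"""
import struct

# Extension and record type codes from RFC 8446.
SERVER_NAME, ALPN, SUPPORTED_VERSIONS = 0, 16, 43
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO = 0x01
TLS13, TLS12 = 0x0304, 0x0303


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, versions=(TLS13, TLS12), alpn=("h2", "http/1.1")):
    """Build a minimal, well-formed ClientHello record (constructed sample input)."""
    host = sni.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_ext = _ext(SERVER_NAME, struct.pack("!H", len(sni_list)) + sni_list)
    ver_body = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = _ext(SUPPORTED_VERSIONS, struct.pack("!B", len(ver_body)) + ver_body)
    alpn_list = b"".join(struct.pack("!B", len(p)) + p.encode() for p in alpn)
    alpn_ext = _ext(ALPN, struct.pack("!H", len(alpn_list)) + alpn_list)
    exts = sni_ext + ver_ext + alpn_ext
    body = (
        struct.pack("!H", TLS12)                 # legacy_version (always 0x0303 in 1.3)
        + bytes(32)                              # random, zeroed for the sample
        + b"\x00"                                # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # legacy_compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract what a passive observer can read from a cleartext ClientHello record."""
    ctype, _legacy, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip legacy_session_id
    n_cs = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n_cs, 2)]
    pos += 2 + n_cs
    pos += 1 + body[pos]                           # skip legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info = {"sni": None, "versions": [], "alpn": [], "cipher_suites": suites}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SERVER_NAME:                   # list length (2), name_type (1), name length (2)
            nlen = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode()
        elif etype == SUPPORTED_VERSIONS:          # length (1) then 2-byte versions
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
        elif etype == ALPN:                        # list length (2) then length-prefixed names
            i, stop = 2, 2 + struct.unpack("!H", data[:2])[0]
            while i < stop:
                info["alpn"].append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
    info["offers_tls13"] = TLS13 in info["versions"]
    return info


def inspect_record(record):
    """Classify one record on the wire. After the TLS 1.3 ServerHello, every record
    (including the one carrying the server Certificate) has content type 0x17 and its
    payload is opaque, so a gateway can only note that it cannot look inside."""
    if record[0] == APPLICATION_DATA:
        return {"visible": False, "reason": "encrypted record: certificate and payload not inspectable"}
    return {"visible": True, **parse_client_hello(record)}


if __name__ == "__main__":
    print(inspect_record(build_client_hello("example.com")))
    # Constructed stand-in for the first post-ServerHello record (ciphertext, zeroed here).
    print(inspect_record(struct.pack("!BHH", APPLICATION_DATA, TLS12, 16) + bytes(16)))
```

The practical consequence for a gateway is that policy can still be keyed on the ClientHello metadata (destination name, offered versions, application protocol), but anything that depended on reading the server certificate or the handshake transcript in transit, as TLS 1.2 inspection devices did, no longer works without an endpoint-cooperating scheme such as the ETSI middlebox protocols discussed later on this page.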
Perhaps the largest nail in the crypto-anarchy coffin is the potential elimination or substantial modification of the immunity provided by Sec. 230 of the Communications Act of 1934. The provision generally grants a "preemptive pardon" to providers of hosted online sites by declaring that they are not to be treated as the publisher or speaker of content provided by others, and it establishes a broad policy of encouraging unfettered online distribution of almost anything and everything.
The penumbra of that blanket immunity has spread over the past 24 years to cover everyone involved in content distribution, including the deployment supply chain for crypto-anarchy protocol products and services. It has established a dynamic of ever-increasing incentives to pursue more extreme measures as revenue opportunities, evangelized by the mantra of perfect privacy. All those engaged are incentivized to act, no matter the adverse consequences. Consequential damages, however great, are not "their problem." It is all about revenue and market share for software vendors and for support and hosting service providers. The public and every company and institution, especially in the U.S., bear the consequences. In most other jurisdictions these implementations are not tolerated, but since the U.S.-based providers of these capabilities have global reach, the adverse effects are nonetheless global.
In 2017, Benjamin Wittes, editor-in-chief of the Brookings Institution's Lawfare blog, citing a 2005 article on "the tort of negligent enablement of cybercrime," co-authored with Danielle Citron a seminal law review article calling for new legislation, The Internet Will Not Break. They wrote:
"An overbroad reading of the CDA has given platforms a free pass to ignore destructive activities and, worse, to solicit unlawful activities while doing what they can to ensure that abusers cannot be identified. With modest adjustments to § 230, either through judicial interpretation or legislation, we can have a robust culture of free speech online without extending the safe harbor to Bad Samaritans."
In 2018, the Congressional Research Service (CRS) was asked to review Sec. 230 with respect to the breadth of its immunity. The CRS report traced the overbreadth problem to the statute's definition of "information content provider" as "any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service," combined with judicial interpretations that sweep in almost any entity that provides or facilitates access, including search providers. The year 2018 also saw an initial limitation on Sec. 230 immunity with the enactment of FOSTA (the Allow States and Victims to Fight Online Sex Trafficking Act), which provided that internet companies could be held liable for assisting in sex trafficking if they "knew or should have known" what their customers were doing, and which began to signal limits on extreme end-to-end encryption.
In 2019 and 2020, increasing numbers of legislators, judges (including on the U.S. Supreme Court) and security authorities in the U.S. and abroad signalled that Sec. 230 immunity, including its tolerance by other nations, must largely come to an end. One of the deans of national security law, Stewart Baker, asked specifically "why should they be immune from liability for utterly predictable criminal use of warrant-proof encryption" and "why not decentralize and privatize that debate by putting the costs of encryption on the same company that is reaping its benefits," noting that "imposing tort liability makes this a private decision…that's the way tort law usually works, and it's hard to see why the U.S. shouldn't take the same tack for encryption."
In early 2020, the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act of 2020, directed at establishing "best practices" to prevent, reduce and respond to the online sexual exploitation of children, garnered support in the U.S. Congress. As has been common in the past, an array of free expression extremists and hosting provider lobbyists appeared to oppose anything that even resembled a regulatory requirement. After being referred among three different committees, it ultimately died.
Finally, in September 2020 the U.S. DOJ introduced proposed amending legislation addressing four reform areas:
1. Incentivizing Online Platforms to Address Illicit Content
2. Clarifying Federal Government Enforcement Capabilities to Address Unlawful Content
3. Promoting Competition
4. Promoting Open Discourse and Greater Transparency
These are the latest in a round of proposals still under development but widely considered certain to pass in some form, especially as they apply to cybersecurity and law enforcement needs. As 2020 ended, the high-stakes standoff over Sec. 230 ensured that Silicon Valley was interested in making a deal. Given the other developments described below, it seems certain that crypto-anarchy's free immunity ride under Sec. 230 is over. The loss of immunity could also apply broadly: not only to hosting and ancillary internet service providers, but potentially to everyone in the crypto supply chain, including software providers and even those devising the specifications.
Tort immunity conditioned on conformance requirements, as a means of getting online service providers to achieve desired levels of cybersecurity, has recently emerged at the State level. For example, somewhat like the best-practices approach of the EARN IT Act's proposed modification of Sec. 230, the State of Ohio established through its Uniform Commercial Code a set of safe-harbor requirements for data breaches. The Ohio provisions, which point to other examples of qualified tort immunity, create a legal duty of care by establishing that reasonable security is derived from controls-based measures and metrics. Similarly, other states such as California (led by then-Attorney General Kamala Harris), Nevada and Idaho have used tort-law concepts of defining or identifying reasonableness to sort out the complexities and tensions among competing harms and rights and to move toward a minimum standard of information security.
Buried in the COVID-19 relief and omnibus appropriations bill signed into law on 27 December 2020 is significant new legislation known as the "Protecting Lawful Streaming Act of 2020," which makes it a serious Federal crime to operate an "illicit digital transmission service." This far-reaching new law protects almost anything that is copyrighted, including "a computer program, a musical work, a motion picture or other audiovisual work or a sound recording." The prohibited acts include offering or providing such a digital transmission service to the public. The law was promoted by holders of copyrighted material. TLS 1.3, especially over QUIC, is one of the more common means for such unlawful streaming. The law is described by its principal congressional author as "tailored to specifically target the websites themselves," and not "those who may use the sites nor those individuals who access pirated streams or unwittingly stream unauthorized copies of copyrighted works."
The Protecting Lawful Streaming Act, which criminalizes unlawful distribution, was accompanied by the CASE (Copyright Alternative in Small-Claims Enforcement) Act. It provides an additional civil-law mechanism by creating a new "small claims court" for copyright infringement. Instead of filing a conventional lawsuit, copyright holders will be able to file a complaint with a new body called the Copyright Claims Board. The CCB will function much like a court, hearing evidence from both sides and then deciding whether to award damages, but with an informal, streamlined process intended to keep the costs of litigation down.
Here, too, the effects could apply broadly: not only to hosting and ancillary internet service providers, but potentially to everyone in the crypto supply chain if they knew or should have known that their products and services were being used for unlawful purposes under the two Acts.
In late 2020, one of the most widespread hacks in the history of information networks was discovered, believed to encompass tens of thousands of public- and private-sector organizations worldwide over many months and attributed to agents of the Russian government. According to the NSA, exploitation activity took place within a TLS-encrypted tunnel associated with the web-based management interface of the SolarWinds Orion network management and monitoring product. Multiple national security agencies in different countries issued advisories. Hard-hit global financial institutions noted that the incoming Biden Administration had promised a response.
However, given the apparent lack of interest by U.S. Federal agencies in addressing these same exploits, raised by their financial institutions over several years, significant changes will be required to address the endemic inaction and laissez-faire approach to crypto-anarchy. The Russian intelligence agencies were simply exploiting widely known vulnerabilities. While the U.S. response to the Orion hack is yet to be articulated, to be effective it must be aimed at the rampant crypto-anarchy of the past decade that facilitated "dark" encrypted tunnels into government and enterprise network information systems.
Those invisible tunnels not only served Russian intelligence services in carrying out the Great Orion Hack. They were also invaluable in conducting all manner of election-related hacking and massive mis- and disinformation campaigns launched from social media platforms and obscure websites. These latent election and societal threats, recognized thirteen years ago in a prescient report by the former head of DARPA for the DTRA (Defense Threat Reduction Agency), only began to be addressed this year in Center for Internet Security projects known as the Misinformation Reporting Portal and RABET-V.
On 18 December 2020, Europol and the European Commission announced the inauguration of a new decryption platform to tackle the challenge that encrypted material poses for law enforcement investigations. Although details were not made available, the platform is being developed by the Joint Research Centre, operated by the European Cybercrime Centre (EC3) and made available to national authorities. The new programme and expansion of activity underscore the increasing concern over the adverse effects of crypto-anarchy.
The kind of crypto-anarchy havoc that began emerging several years ago and led to events like the Great Orion Hack brought together U.S. financial institutions, the security industry, responsible academic cybersecurity researchers and UK government cryptologists to pursue new protocols that balance end-user privacy interests with the pragmatic need to meet network communication compliance obligations. The result was a study of security capabilities that could be effected at network gateways, followed by the establishment of a collaborative group and the development of an ensemble of Middlebox Security Protocol specifications, one of which is directed specifically at the enterprise challenges of TLS 1.3.
Over a three-year period, a special group of cryptologic experts was assembled, demonstration software was produced, and workshops and hackathons were hosted by the UK government's National Cyber Security Centre over the past two years. Remarkably, the responsible U.S. government agencies remained unengaged and largely unresponsive to the concerns of their own financial institutions over the network hacking and exfiltration threats emerging from IETF crypto-anarchy.
A few days ago, ETSI announced the release of the full Middlebox Security Protocols Framework Specification—which could become the new norm for reducing cyber risk for providers and enterprises.
Over the past year, a broad array of government antitrust enforcement authorities at the Federal and State levels in the U.S., as well as in Europe, have begun to institute investigations and causes of action against Silicon Valley actors. Crypto-anarchy strategies have figured prominently in the attempts by many of those actors to obtain ever-expanding dominance of the online services marketplace.
Two of the most subtle and effective of these dominance strategies are 1) the web browser, operating system, hosting and search marketplaces, combined with the use of ephemeral cryptographic techniques and digital trust mechanisms that they control, and 2) the domain name resolver marketplace, which they control directly to each individual end-user device, likewise encrypted using new ephemeral encryption techniques (encrypted DNS delivered from the browser to a resolver of the vendor's choosing). Together these strategies amount to an effectively isolated virtual internet for end-users under the complete control of a single Silicon Valley provider. They are facilitated by leveraging control of the two internet standards bodies that have effective monopoly control of these marketplaces: the IETF and the CA/B Forum.
While these crypto-anarchy gambits are sold as enhancing privacy, the companies involved are able to exercise tight and expanding control of the marketplaces to benefit themselves and reduce competition, while significantly diminishing the ability to reduce cyberthreats and criminal behavior. New, expansive antitrust enforcement actions directed at the behavior of Silicon Valley institutions and of standards bodies have been announced over the past year.
Although considerable attention has been given to an array of adverse effects of Sec. 230 in the quarter-century since its enactment, little focus has been placed on the enormous decrease in cybersecurity arising, directly and collaterally, from both the immunity it provides and the policy behind it. Indeed, many of these adverse effects could not even be envisioned at the time of Sec. 230's enactment in 1996. Only recently has such analysis begun; it needs to be fully understood and remediations put in place. As with the COVID-19 pandemic, without containment and immunization the worst effects of crypto-anarchism may lie ahead.
Despite the usual intense complaints from lobbyists, think tanks and the privacy lobby over changes to Sec. 230, eliminating the immunity that enables the worst effects of crypto-anarchy seems long overdue and essential to achieving effective cybersecurity for U.S. networks and infrastructure. Rational privacy is actually a beneficiary of these changes.
A recent Congressional Research Service report portrays an expansive array of tools. Combined with other new laws and requirements designed to bring about responsible online behavior by imposing liability costs and potential criminal-law exposure on supply-chain software, support and hosting providers, a significant enhancement of network security could be at hand as these new nails are pounded into the crypto-anarchy containment coffin.