EFF statement

IGF 2010 Main Session on Security, Openness and Privacy

Contribution of Kevin S. Bankston

Senior Staff Attorney

The Electronic Frontier Foundation



Thank you for allowing me to represent the views of the Electronic Frontier Foundation in this important dialogue on Security, Openness, and—the focus of my comments—Privacy.

When considering avenues for international cooperation in maintaining cybersecurity, EFF proceeds from one overriding premise: that fundamental liberties—in particular, the right to privacy and the right to free expression, including the right to speak anonymously—must not be sacrificed on the altar of security.

Freedom and openness, by their very nature, carry risk.  A perfectly secured network is a perfectly controlled network, and is by definition not open or free.  A perfectly secured network is also a frank impossibility, and EFF fears that in attempting to achieve that impossible goal we may surrender the values of openness and innovation that the Internet both enables and thrives upon, and that in seeking to establish an architecture that facilitates the security of the internet, we will instead unwittingly build an architecture that enables tyranny.  Put another way, cybersecurity must not be allowed to become a pretext for authoritarian control of the network environment.  I recognize that I am using strong words, but I do use them purposefully.

Of most concern to EFF is what we perceive to be a current over-emphasis in cybersecurity discussions on the need for increased monitoring and control of network traffic, with a renewed focus on direct governmental involvement in such monitoring and control.  This is represented in my country, the United States, by recent legislative proposals that would grant our President broad and undefined powers to declare and respond to a cybersecurity emergency, including the power to order the disconnection of Internet facilities that he deems to be critical infrastructure—you have likely heard this referred to as the “Internet kill switch”—and that would grant the government vague and expansive new authority to obtain from Internet providers user information that is deemed relevant to that emergency.

Granting governments such powers over our networks, in addition to posing an unprecedented threat to privacy and the freedom of expression, seems an overreaction when there are much more straightforward measures that would not risk collateral damage to the rights of every Internet user.  Rather than focusing on securing the network—requiring vast new expenditures from service providers that already operate on razor-thin margins, while also risking the freedoms of millions—we think that there must be instead renewed focus on protecting the end-points in the network, by addressing the software vulnerabilities and poor security implementations that are the root cause of our problems.

We and the countless other millions that rely on the Internet should not have to tolerate new restrictions on free speech or surrender our privacy because software providers build insecure software, or because those who run that software fail to use it correctly.  Put simply and frankly, it would be dangerously shortsighted to invite our governments to exercise more control over the Internet simply because someone forgets to patch their Windows installation.  We do not address telephone and mail fraud by allowing the government to listen to any phone call or open any piece of mail; we deal with them by arming those who may be targeted with the knowledge and tools they need to defend themselves, by strictly enforcing the law against wrongdoers that we succeed in discovering, and by working to mitigate the damage when we fail.  The internet should not and must not be treated differently, or else we risk destroying the very thing we seek to protect.

Thank you very much for your time, and I look forward to a continuing dialogue on these critical issues.