Internet Insecurity

The same technology that drives many of the greatest technological developments in society brings with it vulnerabilities that affect every aspect of our lives, from our bodies to our national security to our bank accounts. Responsibility is built into the internet, which was designed as an open-access research forum in the 1960s. It's the architecture of open access that makes internet security feel like an oxymoron now.

The internet has become so important to our community that fixing its vulnerabilities is like "operating on a live patient," says Mark Crovella, a professor of computer science and department chair at the College of Arts & Sciences. CAS computer scientists are taking up the task of securing an open access network while defending our freedoms.

We really don't think about what happens when we press "Send," but the layout of the internet decides whether our emails end up where we want them to go. And it is easier to mess with the architecture than you would expect. A Chinese service provider seized the internet in 2010, stealing 15 percent of the traffic in the world for 18 minutes. Communications intended for the Pentagon, the US Senate, and the Secretary of Defense's office, as well as other networks such as Microsoft and Yahoo, were included in the stolen traffic. And while China believed the hijacking was an accident (an statement that cannot be verified), the incident exposed deeply rooted weaknesses in the infrastructure of the internet.

The internet consists of tens of thousands of independently run networks (one network may be a large employer; Verizon, another) interconnected via the Border Gateway Protocol (BGP). Every machine has a unique Internet Protocol (IP) address on every network, just like every phone has a number. The framework operates on trust in the absence of a central internet authority: there is no way to prevent networks from lying about the addresses they own, so that one network can hijack the traffic of another just by claiming its addresses. It's almost as if you told the post office that you owned the house of your neighbor and asked him to give you all the mail for that address. It can be like patching a dam, plugging one hole and the strain changes, pushing water out of a new one to develop solutions for insecurities like this one.

Technology bugs are not the only reason we have an unreliable internet like that. Another significant factor, maybe even the main explanation, is that the most influential developers of the internet have tampered with the network to make it suit their own interests.

Everyone apart from them, wants you to have protection. As long as it can track you and use the data it collects to sell advertising, Google is willing to give you protection. A similar deal is given to you by Facebook: a stable social network, as long as it can track anything you do for marketing purposes. This is named "surveillance capitalism" by Harvard Business School professor Shoshana Zuboff, and it's the internet business model.

This surveillance is simple since it is naturally performed by machines. A transaction record is generated by anything we do that involves a machine. This means surfing the Internet, using a mobile phone, walking past a computer sensor, or saying something in the same room as Amazon's Alexa, and just holding it. Data is a by-product of socialization that we use machines, such as phone calls, emails, messages, chatter on Facebook.

To work at peak performance, the commercial Internet needs insecurity. As long as corporations are free to obtain as much data about us as they can, our networks will not be guarded properly. It's at risk of being stolen as long as they buy, sell, exchange and store the info. And we risk it being used against us as long as they have it.

Normally, with a company making choices on which goods it holds, we will not have a problem. We can purchase them elsewhere if a store doesn't sell music CDs with a parental warning advisory sticker. But the network impact helps internet businesses. One phone is useless, two are slightly useful, but it is very useful to have an entire phone network. For email, the internet, messages, Facebook, Instagram, etc., the same is true. The more they are used by people, the more useful they are. And the more dominant the businesses that run them become, the more those businesses will exert control over you.

The online situation is essentially a feudal one. Some of us have vowed our loyalty to Google: we have Gmail accounts, we have Android phones and we use Google Calendar and Google Docs. Others have vowed loyalty to Apple or to Microsoft. Or we purchase Amazon music and e-books, which keep track of everything we own and make it easy to download to a Kindle, tablet or phone. These businesses shield us like feudal lords, from external attacks, and they also have remarkably full power of what we can see and do.

This tension will play out everywhere as the internet+ permeates more of our lives. People will want access to data from their fitness trackers, watches, home sensors, and cars, and they will want it in ways that they can use for their own purposes, on their own terms. To add features, they'll want to be able to change those devices.

Device manufacturers and policymakers are seeking to escape enhanced capabilities, sometimes for profit, anti-competitive or regulatory purposes, or because suppliers have not bothered to make the data or controls available. All of this decreases security. But they're going to create systems that allow for remote control in order for businesses to control us in the way they want. More significantly, they can create structures that presume that the intruder is the consumer and needs to be contained.