
[2.0] InfoWars In The 21st Century

v2.0.0 / chapter 2 of 2 / 01 oct 23 / greg goebel

* The gradual accumulation of issues concerning data rights and data security that paralleled the rise of global computing finally came to a head in the raucous US presidential election of 2016 -- with an "infowar" arising that hasn't stopped yet. However, the conflict is gradually being dealt with.

DATA SECURITY


[2.1] THE US ELECTION OF 2016
[2.2] THE GLOBAL INFORMATION SOCIETY
[2.3] THE US ELECTION OF 2020
[2.4] THE INVASION OF UKRAINE
[2.5] POLICING THE INFORMATION WORLD
[2.6] COMMENTS, SOURCES, & REVISION HISTORY

[2.1] THE US ELECTION OF 2016

* In 2016, the data security controversy went to a full boil. The US presidential election of that year pitted Democratic candidate Hillary Clinton against Republican candidate Donald Trump in one of the dirtiest US presidential campaigns ever. Clinton was assailed by endless smears, most notably over her poor judgement in using a private server to handle work emails while she was secretary of state.

An FBI investigation exonerated her of criminal conduct in the matter, though it was critical of Clinton's lax attitude towards data security. She acknowledged that the use of the email server was a mistake -- but it didn't make any difference; the smear campaign simply grew in intensity. Partly the campaign was based on "fake news", or fraudulent stories circulating on the internet -- most notably a tale of a pedophile ring, supposedly run by Clinton and the Democratic National Committee (DNC), centered on a pizza parlor in Washington DC. It should be noted that the tale had the pedophile ring operating out of the basement of the pizza parlor ... when it didn't have a basement.

This and other conspiracy hoaxes relative to the Democrats would, over the next few years, lead to consolidation under a bizarre online cult known as "Q-Anon", devoted to the fabrication of ever more preposterous conspiracy hoaxes to smear liberals. Disinformation had finally gone completely off the deep end.

Some of the fake news was obtained from Rightist websites run by Americans, along with a Rightist "alternative media" apparatus, the most prominent element being Fox News. Trump also proved adept at drumming up support among his followers by sending out propaganda, often ridiculously fraudulent, over the Twitter messaging system.

However, the Clinton campaign took the most punishment from Wikileaks -- a website set up in 2006 to distribute secret materials, run by an Australian named Julian Assange. Wikileaks published floods of materials damaging to the Clinton campaign, notably from hacks into the DNC. In parallel, it became obvious that the Russian government, under President Vladimir Putin, was running a disinformation campaign to deny Clinton the presidency, the Russians regarding Clinton as an enemy. Trump, in contrast, spoke highly of Putin and envisioned an American partnership with Russia.

The Russian attempt to influence the election was blatant and used every dirty trick in the book, with Russian trolls picking up themes from American extremists and amplifying them in social media -- the Facebook social media website being a particular outlet. The Russians had long experience in spreading disinformation in European countries; the attacks on the US represented an escalation in Russian ambitions.

In the end, Trump won the election, if just barely -- prevailing in the electoral vote, but losing the popular vote. Clinton's use of a private email server substantially contributed to her defeat. Ironically, it appears nobody hacked into the email server, since there were no leaks from it via Wikileaks.

Of course, the dirty presidential campaign led to a high level of agitation that only picked up steam after election day. The disinformation continued without a letup, in fact being enthusiastically generated by President Trump. In response, there was a pushback against fake news, with skeptics trying to get fake news sites shut down, or at least deprived of advertising revenue. Facebook came in for intense criticism, with chief executive officer Mark Zuckerberg called to testify before Congress in 2018. The worst offense of Facebook was that the company had allowed organizations working for the Trump campaign to mine user information to generate highly targeted smear campaigns against Clinton among Facebook users.

Wikileaks and Julian Assange were also heavily criticized, it having become obvious that the website exclusively targeted Western democracies -- while leaving authoritarian regimes like Putin's alone, and not being choosy about where the leaks were coming from. Assange's meddling in the US election and effective assistance to Trump made him many enemies. He ended up in the Ecuadoran embassy in London, hiding out from sexual assault charges in Sweden; he feared, with good reason, that the US would snatch him if he went outside the embassy walls. Assange was finally evicted from the embassy in 2019 and bodily hauled off by British police. He went to a British lockup, with the Americans interested in getting their hands on him, to face spying charges.

Very significantly, the US Department of Justice (DOJ) began an investigation of Russian involvement in the election, with the extended investigation indicting both Russian officials and American citizens. A later bipartisan Senate investigation would also shine light on the activities of the Russian trolls. President Trump pushed back on the investigation, since it undermined the legitimacy of his election -- with the most suspicious of the public wondering if there had been active collusion between Trump and the Russians.

This suspicion was inflamed by the fact that, during the presidential campaign, Trump had publicly called for the Russians to steal and reveal Hillary Clinton's files. The reports of the two investigations did not conclude there had been provable collusion, but there was no doubt of connections between the Trump campaign and dodgy Russians. A total of 34 individuals & three companies were indicted by the investigation, resulting in 8 guilty pleas or convictions -- including five Trump associates & campaign officials.

Trump retaliated against the DOJ by contriving a case that the FBI had been pressured by the Obama Administration into spying on and attempting to subvert the Trump election machine. There was no honest evidence that was so, and nothing of substance was ever established to support the accusation. Ironically, although the Left had traditionally been critics of the FISA Court, the Trump Administration joined in as well, on the basis that it had allowed the "spying" on his campaign. In any case, "counter-investigations" sponsored by Trump and his advocates would continue until after he left office.

In sum, the US presidential election of 2016 was a huge shock, with weaponized disinformation -- the "firehose of falsehood", as it was called -- rising to the top of data security concerns, to become a geo-strategic issue.


[2.2] THE GLOBAL INFORMATION SOCIETY

* While the US electoral fuss was going on, other components of the 21st-century data-security challenge were becoming evident. Along with online surveillance, real-world surveillance was becoming more prevalent as well -- partly due to the growth of security cameras, along with bodycams and dashcams, but also due to the widespread use of camera-equipped smartphones. By 2010, few significant events took place that weren't caught on video.

The smartphone was less of an issue than the government use of surveillance cameras. As surveillance networks grew, it became ever more difficult to monitor the data, and so the networks were increasingly monitored by artificial intelligence (AI) technology that could identify events of interest and flag them for inspection. There was a parallel growth in AI facial-recognition systems, which led to a debate over the use of AI systems by law enforcement -- both because such systems are prone to "false positives", meaning they think they've found something when they haven't, and because they tend to be biased against minorities. For such reasons, the courts are reluctant to admit facial-recognition matches as evidence.

Concerns over surveillance are being worked out, piece by piece, in the West. Anxieties on that subject have been enhanced by the example of China which has, so far with an unpleasant degree of success, gone a long way towards construction of a security state -- particularly in Xinjiang Province, home to China's restless Uighur Muslims. Along with comprehensive online surveillance, China has set up networks of surveillance cameras, backed by facial-recognition systems. Xinjiang is littered with checkpoints, where Uighurs are required to hand over their smartphones for inspection. The state also installs "spyware" on the smartphones of citizens. Uighurs regarded as suspicious by the state often end up in a network of re-education camps.

* The Chinese example highlighted the issue of data rights versus the spread of government data systems. From the 1990s, governments investigated wider use of the internet -- generally for the benign purpose of streamlining government bureaucracy and helping citizens. Small countries, which didn't have such a big data management challenge, were the pioneers. In Denmark, by the start of the second decade of the 21st century the government had effectively moved all functions to the net that could be shifted over.

Danish parents could check on the availability of kindergarten slots for their tots, or update health insurance. Government offices could be easily contacted online, with all documents citizens needed available online as well. All government transactions were handled online. All Danish residents had to designate a single bank account for dealings with the government, with direct deposits to the account replacing check or cash payments for benefits, pensions, and so on. The system was efficient and convenient for the technically-literate; not so convenient for the technically-illiterate.

There has also been a push for online voting, Estonia being one of the pioneers, and finding the scheme at least as secure as paper voting. However, as with Denmark, Estonia is a small country, and doesn't have such a formidable data-management problem; Estonia, faced with Russian cyber-meddling, also acquired an unusually high data security capability. Another advantage Estonia had was a national ID (NID) system, a notion that wasn't popular in the US or the UK.

NID and national data systems are linked concepts. That was demonstrated in 2009, when the Indian government began work on a plan to issue a biometric-based "unique identity (UID)" card to all the country's 1.2 billion inhabitants. In the following decade, enrollment centers were set up across the country, with officials canvassing the country, from city slums to isolated villages, taking photos, scanning retinas and fingerprints.

The entire country was signed up, obtaining 12-digit UID numbers, with the biometric data stored in a database named "Aadhaar", Hindi for "Foundation". There was also an effort to set up a public digital infrastructure, named "India Stack", to allow India's people to store and share their personal data. That could include bank statements, medical records, birth certificates, or tax filings. In addition, the system involved a "Unified Payments Interface (UPI)" for transfer of funds, based on biometric ID, with the government working to phase out cash in favor of electronic transactions.

Central, state, and local government could leverage off Aadhaar, using it to provide welfare benefits, issue passports, update land records, and so on, ensuring that citizens got benefits they were supposed to get, while filtering out fraud from officials in the benefits pipeline. To that time, there were at least 20 different proofs of identity in India, such as birth certificates, driver's licenses, and of course caste certificates -- this was India, after all. Unfortunately, none were universally recognized. That was not only inefficient on the face of it, but made life difficult for poor Indians who migrate around the country; they often became nonpersons, losing access to government assistance programs.

Aadhaar sounds marvelous, and it is, but it presents difficulties -- a big one being that India doesn't have strong privacy or data protection laws, and there are concerns about misuse of the data. Of course, there's the ever-present threat of error, fraud, and particularly break-ins and leaks, with a number of leaks from the system having occurred to date. Defenders of the system claim the problems are exaggerated and that the system works as designed, it just needs to be fine-tuned to work better. Critics broadly agree; they rarely challenge the need for the Aadhaar system, but they believe it needs to be more legally and technically robust. Whatever problems India's national data system has, it is not like the Chinese model.

* Incidentally, during this timeframe, improved data security technologies became widely available, most notably "smart cards". They look like conventional charge cards, except that they have a chip on them that contains a private key that can't be read out; only the card knows what it is. To test a card, a value can be encrypted with its public key, and the result fed to the card; the card can decrypt the result with its private key -- asymmetric encryption works both ways -- and spit out the value. If there's a mismatch between the public and private keys, the value won't be returned. This same approach can be used with similar devices, such as hardware ID keys. ID keys have been standardized by the "Fast Identification Online (FIDO)" Alliance, providing substantially enhanced security for online logins.
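The challenge-response check described above, as an added example that is not part of the original page: a simulated card keeps its private key internal, while a verifier encrypts a fresh random value with the card's public key and compares what the card sends back. It uses textbook RSA without padding and small keys purely for illustration; the class and function names are assumptions made for this sketch.

```python
import hmac
import secrets

E = 65537  # public exponent (prime), shared by every demo key


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime p of the given size with gcd(E, p - 1) == 1."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and is_probable_prime(cand):
            return cand


class SmartCard:
    """Simulated card: exposes the public key, never the private exponent."""

    def __init__(self, bits=512):  # demo size only, far too small for real use
        p = random_prime(bits // 2)
        q = random_prime(bits // 2)
        while q == p:
            q = random_prime(bits // 2)
        self._n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # stays "on the chip"

    def public_key(self):
        return (self._n, E)

    def respond(self, ciphertext):
        # The only operation the card offers: decrypt with the private key.
        return pow(ciphertext % self._n, self._d, self._n)


class Verifier:
    """Holds the enrolled public key and issues single-use challenges."""

    def __init__(self, public_key):
        self._n, self._e = public_key
        self._pending = None

    def challenge(self):
        # A fresh random value per attempt, so old responses are useless.
        self._pending = secrets.randbelow(self._n - 2) + 2
        return pow(self._pending, self._e, self._n)

    def check(self, response):
        expected, self._pending = self._pending, None  # consume the challenge
        if expected is None or not 0 <= response < self._n:
            return False
        size = (self._n.bit_length() + 7) // 8
        return hmac.compare_digest(expected.to_bytes(size, "big"),
                                   response.to_bytes(size, "big"))


def authenticate(verifier, card):
    return verifier.check(card.respond(verifier.challenge()))


def demo():
    genuine = SmartCard()
    other = SmartCard()  # a different card presented under the same identity
    verifier = Verifier(genuine.public_key())
    genuine_ok = authenticate(verifier, genuine)
    other_ok = authenticate(verifier, other)  # key mismatch: wrong value back
    recorded = genuine.respond(verifier.challenge())
    first_use = verifier.check(recorded)
    verifier.challenge()  # new session, new random value
    replayed = verifier.check(recorded)  # recorded answer no longer matches
    return genuine_ok, other_ok, first_use, replayed


if __name__ == "__main__":
    print(demo())
```

Because every challenge is a new random value, a response recorded from one session does not pass the next one, which is why the verifier never reuses a challenge.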

Smart cards were introduced in Europe in the 1990s, but they didn't start to catch on in the USA for over 20 years, due to the inertia of the old insecure magstrip charge-card technology. Along with smart cards, the ubiquitous smartphone now offers biometric ID, including thumbprint or face recognition; smartphones are built with security hardware to make faking more difficult, with an individual smartphone being as uniquely identifiable as a FIDO key.

For online purchases, users still have to submit charge-card numbers that can be copied, but that issue has been addressed to a degree by screening software, these days boosted by AI technology, that can identify anomalous use of a charge-card number and alert the user, usually by email, to request confirmation. The problem of charge-card ripoffs persists, but it isn't as troublesome as it was.


[2.3] THE US ELECTION OF 2020

* The data-security issues that became apparent in the 2016 US election didn't go away, rolling along through the Trump Administration. As mentioned, investigations of Russian trolling in the 2016 election had led to unfounded counter-accusations of "dirty tricks" against the Trump campaign. Trump also increasingly pushed back on social media companies for "censorship" when they shut down Right-wing trolls, with running invocations of the 1st Amendment -- few understanding that the 1st Amendment merely said the government couldn't lock people up for what they said, and did not say companies had an obligation to give everyone a free global platform where they could say whatever they liked. Trump made noises about revoking Section 230, but it didn't happen.

By 2020, the US Trump Administration was making a fuss over strong encryption again, saying it aided terrorists. It was the same quandary as always: there was no way to subvert data security without making everyone more vulnerable to the Black Hats. The Trump Administration also worked against what was known as "net neutrality" -- the doctrine that internet service providers should not impose arbitrary limits on internet access, such as throttling internet services, or prefer or deny access to specific internet services. The Federal Communications Commission rules requiring net neutrality were overthrown, in the face of loud public protests. Several states, most notably California, passed their own net-neutrality laws in response, limiting the damage until the rules were restored by the next administration.

In addition, the Trump Administration was engaged in a war against Chinese tech vendor Huawei, one of the attacks being the claim that Huawei had built "back doors" into their gear to snoop for the Chinese government. That led to the irony of the US government protesting back doors in Chinese gear, while saying that Apple iPhones should have back doors as well. How many iPhones could Apple sell overseas if potential buyers knew the US government could get into them? Not many. Many US buyers wouldn't like it, either. It is hard to believe that the Congressmen denouncing strong encryption would be happy knowing their phones were insecure.

In another irony, in response to worries about the security of Huawei gear, Britain set up a lab, funded by Huawei, to check the security of Huawei's products. Huawei was happy with the arrangement, since it provided more testing, and also enhanced Huawei's reputation. The UK lab could be seen as the nucleus of an international data-security certification organization (IDSCO).

While all that was going on, in 2020 the world was hit by the COVID-19 pandemic, which led to social lockdowns and a drive towards virtualization of business, education, and entertainment -- underlining the importance of data rights and data security. The pandemic made the US presidential election of 2020 troublesome, with a push for voting by mail to reduce the pandemic hazard. Some American states had long voted by mail, so it wasn't anything all that new, but it was an adjustment for other states.

What particularly complicated matters was the fact that President Trump insisted, without evidence, that voting by mail encouraged voter fraud -- and went so far as to declare an intent to defund the cash-strapped US Postal Service (USPS), so that mail ballots couldn't be collected. The COVID-19 pandemic led to a "disinformation pandemic", with loosely-organized groups promoting resistance to pandemic-control measures online by telling endless malicious lies -- a process aided by Trump himself, who attacked his own health experts and worked to undermine them.

Trump lost the 2020 election to Joe Biden by a clear margin -- to then start pushing back again, claiming the election had been stolen from him, and working obsessively to get critical election counts overturned. That led, on 6 January 2021, to Trump inciting a mob to ransack the Capitol Building, in a futile attempt to stop certification of the vote. He was promptly booted off social media -- but remained at large, as Congress slowly assembled an investigation to take him to task. Rightist outlets like Fox News backed up Trump, in particular saying that voting machines had been badly compromised. In consequence, Fox News was sued for defamation by Dominion Voting Systems, a major manufacturer of voting machines.

* In the meantime, social media remained under fire. In late 2021, a whistleblower named Frances Haugen who had worked for Facebook testified to Congress about the diseased company culture there -- saying that Facebook harmed children, sowed division, and undermined democracy in pursuit of breakneck growth and "astronomical profits."

Haugen told Congress that Facebook consistently chose to maximize growth instead of implementing safeguards, while it kept to itself internal research that illuminated the harms of Facebook products: "The result has been more division, more harm, more lies, more threats and more combat. In some cases, this dangerous online talk has led to actual violence that harms and even kills people."

Before Haugen left Facebook, she copied thousands of pages of confidential documents and shared them with lawmakers, regulators, and THE WALL STREET JOURNAL -- with the WSJ publishing a series of reports titled THE FACEBOOK FILES. Her testimony to Congress was highly credible, since she was obviously intelligent, articulate, professional, and organized. She claimed that Facebook was never forthright when outsiders tried to probe the company: "Facebook chooses to mislead and misdirect. Facebook has not earned our blind faith."

Haugen urged lawmakers to examine the algorithms that drive popular features in social media apps, like the main feeds in Facebook and elsewhere. The algorithms rewarded engagement: postings that got comments, "likes" and other interactions were spread more widely and were featured more prominently in feeds. The engagement-based formula was biased towards the distribution of rage, hate, and disinformation. She suggested that the algorithms be publicly listed, and that while social media operators couldn't be liable for content, they could be liable for algorithms. Haugen, however, was against breaking up Facebook -- since the separated components could network to maintain the status quo.

There was clearly a problem with Facebook, but the rage against it was often incoherent. Both Democrat and Republican politicians blasted it, but were short on realistic solutions, and sometimes worked at cross purposes: Democrats, for example, wanted to suppress trolls such as antivaxxers, while Republicans insisted that there should be no "censorship" of even the most toxic trolls. Of course, many of Facebook's problems are those of the internet in general, particularly trolling and "fake news". For the moment, the complaints went nowhere -- though the Biden Administration did move forward on antitrust litigation against Big Tech companies, starting with Google, though the focus was on unfair business practices.

* The Biden Administration remained focused on a legislative agenda, complicated by the malicious lies told by Fox News, other Right-wing media outlets, and online trolls to undermine the government and keep the COVID-19 pandemic going. In addition, the US was hit by a spate of "ransomware" attacks on infrastructure companies, in which criminal gangs seized control of their systems and only relinquished it after payoffs.

Nonetheless, there were signs of a changing landscape. In late 2022, Alex Jones was ordered to pay $1.5 billion USD to the Sandy Hook families in restitution for defamation. The next year, Fox News settled with Dominion Voting Systems for almost $800 million USD. Actually getting the money out of Alex Jones would prove difficult -- but it was still clear that a legal cadre had arisen to take on trolls, and the courts were accepting their lawsuits.

Following the settlement with Dominion, other plaintiffs lined up to take on Fox News -- which no longer had much of a future. It wasn't just because of the lawsuits; Fox News ran on cable TV, and cable TV was fading away as high-speed internet became predominant. Video streaming services dominated high-speed internet, and they had little interest in supporting Rightist propaganda operations like Fox News.


[2.4] THE INVASION OF UKRAINE

* In early 2022, Russia invaded Ukraine, touching off a devastating and protracted war. From the outset, along with the battles on the ground there was a battle in cyberspace, with Russian hackers facing off against Ukrainian hackers. Much to everyone's surprise, the Russians having been long seen as masters of cyber-warfare, they failed to achieve anything of significance. The Ukrainians had implemented solid cyber-defenses, and Ukrainian hackers -- assisted by colleagues in other countries such as Estonia -- flew rings around the Russians. A lot of the activity was prankish, DOS attacks and such, but there was undoubtedly considerable cyber-spying behind the scenes.

Russian online propaganda similarly fell flat. It wasn't for lack of effort, but because it was unbelievable, the Russian claim that they were "liberating" Ukraine from a "Nazi" regime (led by a Jewish president) foundering in documented stories of Russian atrocities. The Ukrainians, in contrast, were adept in their propaganda, for example running a video series about Ukrainian soldiers with their "battle cats" and dogs, while publicly releasing intercepts of phone conversations by demoralized Russian soldiers. Russian propaganda, in contrast, was clumsy and blatantly fraudulent.

Indeed, the Ukrainians took cyberwarfare to a new level, with Ukrainians in Russian-occupied territory using their smartphones to provide intelligence. They employed a chatbot named "eVorog" to qualify the intelligence and a robust ID app named "Diia" to provide security, with Diia normally being used to provide access to government services.

Against the backdrop of the war, in late 2022 American billionaire Elon Musk took over the popular Twitter short-messaging social-media system, with an agenda of "free-speech absolutism" -- which translated into eliminating moderation, allowing bots and trolls to run almost completely loose there, while Musk cynically equivocated on the Ukrainian cause. It was generally believed that Twitter, which he relabeled to "X", no longer had a future, but it had such momentum that replacements were slow to come online.

Eastern European countries, confronted with Russian disinformation that ramped up with the war, took measures to deal with the threat, even changing school curricula to teach students how to recognize disinformation. In 2023, Estonian Prime Minister Kaja Kallas, speaking at a cyber-security conference in Sydney, Australia, suggested that the war in Ukraine was providing big lessons on cyber-defense. She began with:

BEGIN_QUOTE:

Nearly two years ago, I had the opportunity to chair the first official UN Security Council meeting on cyber-security. Almost everyone at the meeting stressed what all states have already agreed: international law, including the UN Charter in its entirety, applies in cyberspace. Russia did not.

... there are four things of which we need to take note, and four things all free nations must do.

First, we need to understand that integrating cyber-warfare into regular warfare is now established practice. An hour before Russian tanks rolled over Ukraine's border, Russia disrupted Ukraine's access to Viasat communication satellites. The aim was to leave the Ukrainian armed forces without one of their communications lines, as well as having a broader spill-over effect on broadband services that, for instance, control the remote monitoring of wind turbines in Germany. Russia has also targeted communications and IT infrastructure such as data centers and wireless masts in the same way it has targeted energy infrastructure.

Second, having a well-protected digital infrastructure is crucial. Ukraine's digital backbone has enabled the state to keep delivering services online during the war. Many Russian cyber-attacks have failed because Ukraine had spent years building up cyber-resilience, with help from Estonia and others, and has now had extensive wartime assistance.

And now it has lessons to teach us. Using apps such as Diia, the Ukrainian government has shown how technology can help taxes to be paid, public services to remain available and data to be kept secure even during war. Such technology also allows Ukraine to continue providing services for millions of refugees spread across Europe or trapped under Russian occupation. Estonia is already working with Ukrainian partners to adapt Diia for our own citizens.

Third, there is still a sense that bad actors can do what they want in cyberspace. While there have been significant examples in recent years of major cyber-attacks being attributed to foreign governments, it has not necessarily led to a change in behavior. The complexity of ascertaining who is behind attacks and following up with real consequences still makes some actors see cyber-warfare as an attractive tool. Russia continues to use so-called "DDoS diplomacy" -- bombarding websites with traffic to send political signals and to try to disrupt services beyond Ukraine. Nearly every week, Estonia experiences cyber-attacks on government and private services. The effects have been minimal, because we are well prepared and the attackers are not sophisticated. But a bigger threat lies elsewhere: malicious state-sponsored cyber groups are becoming more active across the world and sometimes gang up with ransomware groups.

Finally, the private sector has transformed its role during this war, and taken public-private partnership up a level in defense of digital infrastructure. Though social-media platforms are not doing enough to prevent the spread of disinformation, companies like Palo Alto Networks and Amazon Web Services have provided much-needed services and security measures for Ukrainians to defend their critical infrastructure and government services. Co-operation with companies like Microsoft, cyber-security specialists Mandiant and others has also been crucial.

END_QUOTE

Kallas said that in response to the threats, democratic nations need to be prepared to continue to deal with cyber-warfare after the shooting stops, and invest in defensive measures. That implies developing new methods and setting up new systems. The bad actors need to be identified, neutralized, and held accountable. Finally, cyber-defense needs to become a function of democratic society as a whole:

BEGIN_QUOTE:

... we must build connections beyond current institutional limitations. It is clear that security for liberal democracies can no longer happen in silos. We must set standards with those we can trust, especially as new technologies like artificial intelligence, 5G and quantum computing become realities. Governments must better link with counterparts in other countries, as well as building partnerships with businesses and civil society.

Tyrannies like Russia will keep trying to turn technology into a tool of oppression and a means to destabilize free societies. Our job is to prevent that, to help Ukraine win the war and to build solid alliances. We must ensure impunity does not prevail in any sphere, and cyberspace is no exception.

END_QUOTE

Incidentally, in late 2022 Edward Snowden announced he had become a Russian citizen. Snowden having decided to throw in his lot with an authoritarian, oppressive, and imperialistic regime, what credibility he had left evaporated.

Also incidentally, early in 2023 Microsoft introduced a new system for its Bing search engine, based on a chatbot named "ChatGPT" that could, under good circumstances, compose coherent documents in response to a query. It was the leading edge of "generative AI (GAI)" systems with composition capabilities, able to create images, articles, novels, songs, and video by request.

There was considerable fuss over the introduction of GAI, with worries that its ability to construct convincing "deepfake" videos would lead to its use to propagate disinformation. From a data-security standpoint, however, GAI didn't change matters much, the world already being awash in fakes, and many people eager to believe in them. It was much more significant in threatening, for example, the livelihoods of Hollywood scriptwriters -- who stood to be put out of work by GAI-written scripts -- and also posed difficult questions in copyright law, with authors and musicians pressing lawsuits when GAI systems were trained using their written works and music.


[2.5] POLICING THE INFORMATION WORLD

* At the present time, the new information world is in a state of chaos that is only slowly being resolved, centered on issues including data security and data rights, for both citizens and governments, along with the control of disinformation.

As far as data security goes, the first thing that can be said is that citizens will obtain strong encryption; the technology is there, and the case for it is solid. Although there will be restrictions on that right, nobody will be selling smartphones with backdoors built into them. Indeed, vendors have a strong need for an IDSCO to certify that they don't. Anybody who doesn't have the certification won't sell product.

It should be added that in 2021, ANOM, a secure smartphone system used by criminal networks, was revealed to be under the control of international law enforcement, resulting in a wave of arrests. That underscored the fact that law-abiding citizens, with a clear need for data security, should not be forced to rely on bootleg software that may be weaponized against them; if the authorities can run a con, so can criminals, and they're good at it. Citizens should instead have robust encryption tools that have been validated by an IDCSO -- with such an organization mandated under an international data rights treaty. The treaty should also ban the unwarranted government use of "spyware" against citizens, an issue underlined in 2021 when spyware named "Pegasus" from the NSO Group was linked to efforts by heavy-handed governments to suppress dissidents.

As far as dealing with the bad actors infesting the global internet, commercial and government data security operations have become more adept at taking them down, but unfortunately it's like trying to choke off a firehose. There's a question of improving data-security technology, but there's also a question, at least as important, of educating users in data security. Some of the major ransomware attacks of early 2021 were against businesses whose data-security procedures were weak to the point of nonexistent. There's a need for education, and also changes in culture -- for example, limiting insurance awards for damages from ransomware attacks if the business did not have a credible data-security plan. It may be useful to develop AI systems that can warn users of possible threats and propose corrective actions.

One big thing that can be definitely done is for the USA to set up a standardized and robust multi-factor NID system, like Ukraine's Diia. In 2021, the US Congress passed a "Digital Identity Act (DIA)", which proposed a set of measures toward a national ID system:

The DIA did not mandate an NID but instead established a framework for NID. A number of US states have introduced ID apps; state and Federal governments have also gone to a commercial ID operation named "ID.me" to prevent welfare, entitlement, and tax fraud. Although ID.me proved successful, adoption of the system was not at all smooth, with many welfare recipients spending days trying to get validated. The rush eventually ended and operations became smoother. We're still stuck with a patchwork system instead of NID, but we're getting there.

We can't have online security until every American has NID. Once we have it, we will be able to perform all legal transactions online, or for that matter, vote online. That would neatly bypass the difficulties of the 2020 US election. It would also be nice to be able to access any formal records -- birth certificate, military discharge, vaccination records -- online, without having to access paper copies. Of course, that poses security problems, but current systems are not secure, with "identity theft" remaining a problem.

There are protests against NID systems, on the basis that they pose a huge threat to privacy. Yes, but right now we're worse off, given that we have fragmented ID systems and personal information scattered all over the internet, with very little security. Citizens would be the owners of their NID accounts, with the government having only limited access without a warrant, say enough to conduct a census -- which would be easy with the NID system. Security would still be an issue, but it can be argued that it won't be as much as it is now, and the personal benefits would be substantial. Of course, national ID could lead to global ID (GID), with an international, interoperable ID network specified as part of a data rights treaty.

* There is considerable work towards formalizing data rights. In 2018, the European Union (EU) established the "General Data Protection Regulation (GDPR)", which defined how businesses were to handle the personal data of European residents. The rules covered almost everything that can be linked to an individual: addresses, charge card numbers, travel records, web search history, computer ID codes, biometric data, and so on. Requirements under the GDPR included:

And so on. One thing it did not cover was proposals that consumers be given compensation for use of their personal data. In a sense they were, through the discounts and such provided by loyalty card programs. Analysis showed that the value of the personal information of any one consumer was not very great -- but people like getting discounts, and the idea of compensation deserves to be investigated further.

As for rights of government surveillance, government agencies could process personal data without consent if there was a "national security," "defense," or "public security" concern -- terms the regulation did not define, though still subject to national and international human-rights laws. It implied no change of the status quo in the USA, and left the ugly issue of misuse of surveillance by authoritarian governments as something to be discussed in the future.

The GDPR led to the EU "Electronic Commerce Directive 2000", which covered many of the same issues, along with a focus on coordination between EU states. It was essentially a basis for discussion, leading to the comprehensive "Digital Services Act (DSA)" and the "Digital Markets Act (DMA)", intended to impose order on the hodge-podge of national regulations that had arisen across the EU. The DSA required that most online platforms feature:

The requirements were tougher for online platforms that had 10% of the EU population in their user base. These "very large online platforms" had to give users the right to opt out of recommendation systems and profiling, share key data with researchers and authorities, cooperate with crisis response requirements, and conduct external and independent auditing.

The DSA maintained the EU rule in which companies that host others' data were not liable for the content unless they actually knew it was illegal, and upon obtaining such knowledge did not act to remove it. This "conditional liability exemption" was stricter than the broad immunities given to intermediaries under the US Section 230 CDA rule.

EU member states also obtained access to the mechanisms of platforms' recommendation algorithms, with platforms required to briefly explain why specific ads were directed to specific users, and also to justify why they removed specific content. In addition, platforms had to release a biannual report on their content moderation efforts, and were prohibited from using "dark patterns" -- that is, misleading user interfaces that tricked users into inadvertently agreeing to, for example, share their data.

The DMA applied to a much smaller subset of companies, specifically those with 45 million monthly active users and / or an annual turnover of at least 7.5 billion euros. Such "gatekeeper" firms included Alibaba, Amazon, Apple, Google, Meta, Microsoft, TikTok, Wikipedia, and X/Twitter. While the DSA focused more on protecting the rights of individual users, the DMA gave European regulators power to crack down on anticompetitive and unfair business practices, including over how large Big Tech platforms collect and use data. The DMA prohibited platforms from combining data sources without explicit opt-in, as well as from preferencing their own products and services.

The overriding principle in both acts was to protect consumer privacy, and in particular to protect children. The DSA and the DMA will be enforced by different enforcement bodies. The European Commission is the primary enforcer of the DMA, but EU member states will have to coordinate their own governing bodies for DSA enforcement.

The USA is lagging Europe on data rights legislation. Some US states have passed data rights laws, but the matter is hung up at the Federal level on the battling between Right and Left. Indeed, in 2023 a Rightist Federal judge slapped an injunction on the Biden Administration, saying administration officials couldn't talk to social media firms about disinformation and moderation. That was nonsense and didn't last long, but it did underline the problem that the USA can't move decisively forward on data rights and security until its political dysfunction is resolved.

Over the longer term, the dysfunction is likely to be resolved, with the USA catching up to the EU -- but so far, there hasn't been much noticeable work towards an international data rights treaty, and certainly no evident work towards a comprehensive international treaty system whose signatories will be obligated to enforce data security and, significantly, respect the data rights of citizens. Nations that don't sign up could find their access to the global internet restricted.

* In the absence of such a treaty system, there are many efforts in progress along parallel lines towards the new global information world. The most prominent at the moment is the fight against disinformation, or the "5th Horseman of the Apocalypse" as it has become known.

There are many ideas for dealing with disinformation. One of the more interesting was "Bot Sentinel", developed by a group working with a software engineer named Chris Bouzy, which monitored trolling activities on Twitter, it seems using AI technology. After Twitter was taken over by Elon Musk, Bouzy led the creation of a competitor to Twitter named "Spoutible" that kept users informed of their Bot Sentinel rankings with a letter grade, "A" through "F". Spoutible also did not use engagement algorithms, contributors being instead promoted by "word of mouth" among the community.

Although Spoutible hasn't graduated into the same league of global users as X/Twitter yet, Bot Sentinel proved competent at keeping out trolls. Obviously, more can be made of the concept, if the will is there. Microsoft has also invested serious funds in data security, one major program being the "Azure Sphere" effort to devise standards and technology for computer security. Microsoft's educational software system also emphasizes teaching students how to recognize disinformation.

Beyond new technology, there are more general suggestions, not all of which are credible. There's been talk of revoking Section 230 and allowing social media outlets to be sued, but that would be immediately weaponized by the Black Hats. Talk of bringing back the Fairness Doctrine is just as dubious; Donald Trump would have greatly liked to have the Fairness Doctrine to use against his enemies.

A better idea is to realize that the weaponization of disinformation implies its criminalization. The flood of disinformation relative to the COVID-19 pandemic helped get a lot of Americans killed. Surely there must be existing legal measures to fight back. It's obviously not legal to maliciously interfere with the work of the fire department; it can't be any more legal to interfere with the work of public-health authorities.

Similarly, the wild lies told about senior public-health officials led to death threats against them, and it is also obviously not legal to incite attacks on government officials, with such malign propaganda being labeled "stochastic terrorism". The successful lawsuits against Alex Jones and Fox News were encouraging steps towards the criminalization of disinformation, demonstrating the emergence of a cadre of lawyers willing to take on high-profile trolls -- and finding it profitable to do so. Could that be expanded, by ramping up traditional policing of mail fraud on the internet? It's already done to a degree, but the resources for the effort are modest.

The disinformation plague will almost certainly not have any one big solution, just a big set of little ones: no silver bullet, but many silver pellets. As with data security in general, it will demand a change in mindset and culture. Disinformation can't be made to disappear, but it can be shunted off to the fringe, where it can do much less harm. In a generation, given improvements in data security and global treaties on data rights, the global internet will be a much more orderly place, though it can never be completely bullet-proof.


[2.6] COMMENTS, SOURCES, & REVISION HISTORY

* This document started life in the form of a history of cryptology that was originally released in 2001. It grew over time, and in 2021 I split it into two documents, one on classical cryptology, and the other on modern cryptology. Having done that, I decided to sift out discussions of cryptology-related law and politics, and arrange them more coherently in a third document.

There are no major sources for this document, in large part because there aren't many documents out there like it, at least for the present. It was mostly scavenged in bits and pieces from online sources, with a lot of it written off the top of my head, on the basis of the information I had accumulated. It's been evolving, and it will evolve further.

* The banner image in this document was by one Vu Hoang, who released it under the Creative Commons Share Alike License. I was pleased to find it, since I was desperate to get a good free-use image appropriate to the document.

* Revision history:

   v1.0.0 / 01 sep 21 
   v2.0.0 / 01 oct 23 / General rewrite. (*)