Apathy over Internet snooping is a recipe for disaster

by John Naughton

The Observer

As someone who is supposed to know about these things, I’m sometimes asked to give talks about computing to non-technical audiences. The one thing I have learned from doing this is that if you want people to understand technological ideas then you have to speak to them in terms that resonate with their experience of everyday things.

It’s obvious, I know, but it took me a while to get it. I can vividly remember the moment when the penny dropped. One of the ideas I was always trying to get across was why open-source software was important. The term “open source” is actually a euphemism for free software, coined because some advocates of free software thought that the U.S. corporate world would associate the word “free” with communism. The key thing about free software is not that you don’t pay for it (because sometimes you do) but that you have the freedom to change it to meet your requirements — on condition that you pass on the same freedom to anyone who uses the modified software.

When I tried to explain the significance of this to my lay audiences, however, they invariably responded with blank stares. And then one day I realized what the problem was: None of them had ever written a program. So the next time I gave a talk I brought with me a copy of food author Delia Smith’s great “Complete Cookery Course.” I put up a slide showing her recipe for gratin dauphinois, one of the ingredients for which is 150 ml of double cream. “Now,” I said, “double cream is not good for me, so I’d like to substitute single cream in the recipe. Can you imagine a world in which, if I wanted to do that, I would have to get Delia’s written permission, and possibly pay her a fee? Wouldn’t that be absurd?”

Suddenly my audience got it. Computer programs are recipes, and everyone understands recipes.

Now spool forward to the present. One of the things that baffles me is why more people are not alarmed by what Edward Snowden has been telling us about the scale and intrusiveness of Internet surveillance. My hunch is that this is partly because — strangely — people can’t relate the revelations to things they personally understand.

In the past two weeks, two perceptive commentators have been trying to break through this barrier. One is Cory Doctorow, the science-fiction novelist, who had a terrific essay in the Guardian arguing that instead of increasing our security, government agencies such as the NSA, GCHQ and others are actually undermining it. The essay is worth reading in full, but one part of it stood out for me. It’s about the thriving, underworld online market in malicious software. Nowadays, if some hacker discovers a previously unknown vulnerability in widely used software, that discovery can be very valuable — and people will pay large sums for such “zero-day” exploits. But here’s the creepy bit: Sometimes the purchasers are government agencies, which buy these pieces of malware to use as weapons against their enemies.

To most people, this will seem pretty abstruse. But with the imaginative skill of a good writer, Doctorow nails it: “If you discovered,” he writes, “that your government was more interested in weaponizing typhus than they were in curing it, you would demand that your government treat your water supply with the gravitas and seriousness that it is due.” In a networked world, in other words, cyberwarfare and cybercrime are analogous to public health issues and our intelligence agencies ought to be treating them as such, rather than polluting the water supply.

With similar acuity, the security expert Bruce Schneier homes in on the patronizing cant about automated surveillance that is being purveyed by both intelligence agencies and Internet companies. In an insightful blog post, Schneier quotes a Google executive’s remark that “worrying about a computer reading your email is like worrying about your dog seeing you naked”.

Schneier is not impressed. Commenting on the revelation that GCHQ has scooped up millions of webcam images from Yahoo users, he writes: “When you’re watched by a dog, you know that what you’re doing will go no further than the dog. The dog can’t remember the details of what you’ve done. The dog can’t tell anyone else. When you’re watched by a computer, that’s not true.

“You might be told that the computer isn’t saving a copy of the video, but you have no assurance that that’s true. You might be told that the computer won’t alert a person if it perceives something of interest, but you can’t know if that’s true. You do know that the computer is making decisions based on what it receives, and you have no way of confirming that no human being will access that decision.”