Computers and information systems, while certainly a love of mine now, were not my first. I have always been an avid student of history and an observer of geopolitics. My bookshelf can readily attest to this.
My embrace of digital technology is really an extension of my reflection on geopolitical dynamics. When Edward Snowden arrived on the scene in 2013, my takeaway was that technical literacy was essential to avoid getting swept up in geopolitics.
Snowden is far from the only one who would suggest computers are an integral part of the new geopolitical battlefield. The idea of Fifth-Generation Warfare posits that geopolitical competition is going on constantly, everywhere, involving everyone connected to the global politico-socio-economic network. This network is composed of digital devices more than any other component.
So, when I saw this video, it tantalized all the hungriest segments of my curiosity.
On His Majesty’s Security Service
To start with, Mr. Braxman warned of a significant new push among Western nations in the race to heighten their level of awareness of and control over those within their respective reaches.
The U.K., which the video focuses on, is only the latest Western developed nation to try to peer into the private lives of all its citizens. In 2016, the U.K. government proposed a plan that privacy advocates asserted could outlaw end-to-end encryption. Cryptographers laughed it out of consideration, but such a defeat did not diminish the government’s desire to thwart encryption one way or another.
Recently, the U.K. gave it another crack (pun intended). What’s notable this time is that the Brits are taking a more insidious tack — insidious for two reasons.
One, U.K. spooks and elected officials are taking aim at devices rather than the link between them. A rudimentary understanding of cryptography will confirm this approach is more feasible.
Whereas reading an encrypted message in transit requires catching the transmission in the act and attacking its ciphertext (the scrambled data), all an attacker has to do to read the same data at rest on the device is to compromise the device. Encryption at rest can’t protect decrypted data. Legislators, while not exactly known for their computer science competence, are persistent enough that they were bound to try this eventually.
Two, and more worryingly, these brazen Brits are using technology that is not only viable but already deployed to millions of devices, a keystroke away from activation. As Mr. Braxman aptly points out, you can thank the self-proclaimed “guardians of privacy,” Apple, for that (a major reason I don’t think highly of the company).
Therefore, anyone who values digital privacy should be extremely wary of this effort. Doubtless, governments around the world, especially less democratic ones, are eagerly watching how the policy plays out.
We Wanted the Year of the Linux Desktop, but Not Like This
What interested me most about Braxman’s treatment of the subject was his argument for Linux as a refuge of privacy. While he framed his video as presenting Linux as a digital privacy option, if the U.K. legislation spreads, I foresee Linux becoming one of the only options.
Instantly, instinctually, I ran with this. This piece is where I ended up once my legs got sore. If Linux becomes a digital safe haven, and governments are adamant about ending privacy to enable surveillance, it logically follows that they will target Linux. Their means of attack are many.
They could outlaw the distribution or even installation of Linux. The kind of commercial regulation common to most countries can easily be invoked to at least criminalize running Linux on servers used for commerce within a country’s jurisdiction.
They could also block access to sites that distribute Linux, whether within the country’s borders or beyond. There is no shortage of tried-and-true techniques for this, from delisting DNS to getting ISPs to enforce IP or domain blocking.
It’s worth noting that any attempt to “outlaw Linux” would be an inherently tricky proposition. Should lawmakers word their measures sloppily, they would instantly prohibit most IoT devices, including cars. I’m no lawyer, but I’m guessing it will take some fumbling by lawmakers before they isolate their desired target.
The United States, the Penguin’s Last Known Habitat
Because of the uniquely strong protection of individual liberties enshrined in the U.S. Constitution and a key legal precedent established by the courts, the United States is the only place I’m aware of in which Linux would remain freely accessible, at least on paper — literally.
As outlined in my previous writings on privacy, in the throes of the “Crypto Wars,” Bernstein v. Department of Justice established that code is speech, and thus protected by the First Amendment.
To quickly summarize the ruling and its background, in the 1990s, the U.S. government attempted to limit the distribution of ciphers it deemed to be “military-grade.” Believers in the universal availability of strong encryption skirted the regulations by publishing their software in printed books. When the government objected, the courts ruled that because the First Amendment extended to print media and code could be printed, it thereby extended to code in any medium. Legally, code became speech.
This precedent means the government may not silence the “speech” of offering Linux distributions within the United States.
A theoretically anti-privacy U.S. administration could try to strong-arm OS developers into including backdoors to circumvent privacy protections. While the government could probably coerce big U.S.-based proprietary software companies via scary-enough legal threats, such as fines, loss of business license, and dissolution of corporate charter, this is unlikely to faze Linux organizations.
My unlawyerly suspicion is that the government would be hard-pressed to justify, under U.S. law, fining a company that distributes a free product. There are also hundreds of Linux distros based abroad, which U.S. law can’t reach.
Let the Cat and Bird Game Begin
So, would a U.S. government that hypothetically followed the U.K.’s lead just throw up its hands? Hardly. To develop an inkling of what that might look like, we need to consider (a) the tools at the government’s disposal, (b) the countermeasures digital freedom lovers may employ, and (c) the potential escalation of this intel/counter-intel dance.
Round 1: Not only will security services watch the watering holes, but they’ll poison them, too. At the barest of minimums, a hypothetical obsessively anti-privacy U.S. regime would monitor everyone who visits a Linux distro download site.
But with more at this regime’s disposal, it probably would go further. We know from leaked NSA documents that the agency has hacked telecom companies to execute supply chain attacks, compromising the infrastructure that other services rely on. It would be child’s play for the NSA to crack the developers of the libraries in most Linux distros’ foundations, inserting backdoors, keyloggers, and other attacker goodies.
Round 2: Don’t be so sure your eye can spot the needle in the gargantuan Linux kernel haystack. “Linux is open source!” you might insist. True enough. Just read information security news for a week or two, though, and you’ll see how many scary decades-old bugs are found in open-source codebases all the time. An NSA-engineered backdoor could take years to find.
Round 3: A key is only as secure as its holder. U.S. government actors could just as easily contaminate the download. If the NSA penetrates systems that offer installation image files, the agency can modify their contents without touching the distro’s public code repository. The savvier among you would counter that this is why you check the GPG signatures on distros. That is why, but it won’t help against an NSA-level entity that can steal a copy of the signing keys and sign whatever poisoned image it wants to pass off as legitimate.
Round 4: When it comes to spy games, the pros have the hackers outclassed. If internet-hosted sources of Linux get swarmed by the Feds, privacy ideologues will likely take the fight for digital privacy back to the real world, where it becomes intelligence versus counterintelligence. Under an (again, hypothetical) anti-Linux U.S. administration, the old-school hacker scene would thrive again. The days of hackers passing around Linux distro USBs would come roaring back.
Ball back in their court, the spooks would break out the traditional spycraft and infiltrate the real-world hacker networks with their informants and saboteurs. In such a world, digital privacy seekers would quite literally have to watch their backs. That level of vigilance and paranoia isn’t easy, but then again, if you’re the kind of person who wants that level of privacy, you know you didn’t pick the easy road.
Adopt a Penguin Before They’re Endangered
While Linux will remain a viable option in the U.S. as long as the Constitution remains intact, using it in practice could require considerable precautions. The good news is that we don’t live in the world I spent a whole article depicting: Linux can be yours now without any spy movie antics. If you think you’ll ever want privacy later, grab an installation image now while the stakes are low.