When it comes to cyberspace, should national security trump user security? – Citizen Lab

Always valuable, the insights and activities of the Citizen Lab of UofT’s Munk Centre, with the highly pertinent, and rhetorical, question at the end:

As the Snowden document makes plain, CSE and its allies in the United States, United Kingdom, Australia and New Zealand knew about UC Browser’s privacy and security problems since at least 2012. But rather than disclose them to the public and notify the company (as we felt compelled to do), they sat on and exploited them.

Of course, a leaky browser application is not as critical as a fault in a pacemaker, a 747, or a nuclear enrichment facility. Or is it? Consider that in China where the browser is most popular, all network operators are required by law to retain customer data and turn it over to security agencies upon request. The Chinese regime does not look fondly on political opposition and public demonstrations, the organization of which is now almost entirely dependent on mobile devices. Each year, China executes thousands of people for crimes against the state, and sends thousands of others to re-education labour camps. Chinese dissidents with UC Browser on their mobile device have been sitting ducks for China’s targeted surveillance, for years.

Did CSE and its allies deliberate seriously about these moral tradeoffs? Hard to say, as such deliberations are classified. For what it’s worth, the White House’s Cybersecurity Coordinator, Michael Daniels, has said the United States has a “disciplined, rigorous, and high-level decision-making process for vulnerability disclosure” in which “all of the pros and cons are properly considered and weighed.” The top-secret documents, however, evince a different attitude, one full of only excitement at the discovery and the prospects for exploitation.

The case of UC Browser is one illustration of a larger public policy problem around cybersecurity. We stand at a crossroads. Down one path is a future where governments secretly stockpile information vulnerabilities as weapons, weaken encryption to make eavesdropping easier, and engineer secret “back doors” into our networks to steal info and sabotage systems. Heading down this path will turn the global information commons into an inter-state battlefield. In worst-case scenarios involving the targeting of critical infrastructure, it will lead inevitably to large-scale loss of life.

There is another path we can head down, one in which the security of users, regardless of nationality or geography, is the primary concern. Going down this path would begin with the premise that cyberspace is a shared common resource requiring stewardship. It would imply a much greater role for civilian, as opposed to military, agencies. From this view, securing cyberspace would be undertaken by independent and globally distributed individuals and groups insulated from national rivalry. The core of this approach would involve the public disclosure of vulnerabilities wherever they occur in the interests of global public policy, human rights and international humanitarian law.

Are we confident our governments are on the right path?

When it comes to cyberspace, should national security trump user security? – The Globe and Mail.

State-sponsored hackers target human rights groups, study says – The Globe and Mail

Not surprising:

In an interview with The Globe and Mail, Mr. Deibert explained the Internet has extended the reach of repressive states.

Cyberespionage may well cost businesses their profits, he said, but for refugees and dissidents the downstream effects can be “arrest, detention, or even loss of life.” Consider what could happen to exiles who return to countries that never stopped capturing their conversations.

For its study, the Citizen Lab examined eight groups engaged in “rights issues related to China and Tibet.” It also looked at two larger human-rights groups operating globally. The organizations submitted their data and devices for analysis, on the condition that they remain anonymous.

The report suggests that hackers known to cybersecurity experts as “APT1” – short for Advanced Persistent Threat 1 – were targeting at least one China-focused group and one international rights group. This is significant because experts regard APT1 as a powerful hacking team run by the Chinese People’s Liberation Army.

Such groups use social media to study up on key personnel in targeted organizations. This research helps them craft messages that their prey will more likely open – and be infected by.

There may be some opportunities for capacity-building, but the Government doesn’t exactly have good relations with many NGOs.

State-sponsored hackers target human rights groups, study says – The Globe and Mail.