Internet security—who needs it?

Internet security—who needs it?

Internet security—who needs it?

Inside the Internet.
Jan. 28 2004 3:40 PM

See You on the Darknet

Why we don't really want Internet security.

Illustration by Mark Alan Stamaty

I have a game I play whenever I read an essay on politics written by a techie: How long until the first reference to George Orwell? Autodesk founder John Walker, in a recent 28,000-word monograph ponderously titled "The Digital Imprimatur," wastes no time: His piece is subtitled "How big brother and big media can put the Internet genie back in the bottle." If your eyes don't glaze over right then, they will as soon as Walker begins to explain how by signing up for cheap broadband service, with its firewalls and dynamic IP addresses, you've already compromised your freedom.

Walker goes on, listing spam filters, antivirus software, even those perennially just-around-the-corner micropayment schemes as further nails in the coffin of liberty. "I have been amazed at how few comprehended how all the pieces fit together in the way I saw them inevitably converging," he says, in the patiently condescending tone of a Bond villain. But Walker's heavy-handed prose would be funnier if he didn't have a point.


True, his final forecast is standard tech-blog fare: Totalitarian governments (you know, like the one in 1984) will clamp down on the Net by instituting a digital Mark of the Beast, a personally assigned crypto-certificate that tags every online transaction, letting authorities track exactly who did what, where, and when. But Walker also argues that the rest of us (the ones who aren't yet peons in Orwellian regimes) will voluntarily sign up for similar surveillance when the certificate system is marketed to us as a cure for spam, fraud, and other Internet annoyances. He's right that we'll be sold this stuff. The question is, will we buy it?

Personal ID certificates are already an essential part of the Next Generation Secure Computing Base, a content-control system for PCs being developed by Microsoft (which owns Slate) and an industry consortium that includes Intel and other chip makers. Together, the alliance hopes to build an uncrackable data vault into future PCs, one that works in tandem with the Windows operating system. Users would need to present the right certificates before being allowed to transfer data into or out of the vault. Those who try to pick the locks may find they've left digital fingerprints all over the place. The system will be opt-in, as noted in the working group's FAQ (See No. 25: "It can be disabled permanently," unlike Orwell's telescreens).

I'm all for that kind of security where it belongs—I sure hope my bank adopts it. But as Walker notes, an always-on ID would take a lot of the fun out of idle Web surfing. Advocates tout secure computing as a way to protect your medical records from hackers. But who are they kidding? The biggest beneficiaries would be music companies and Hollywood studios, whose downloadable songs and movies would be much harder to pull from the vaults of individual computers and trade around the Net.

So why would we opt in to such a restrictive system? The FCC and Congress could mandate it—they're already being lobbied to create a national Internet driver's license on the grounds it'll stop everything from spam to libel to pedophilia to terrorism. Even Howard Dean plugged this proposal in a speech two years ago (he got to Orwell on Page 6). But Walker is right. It's more likely that private companies will begin to require people to present digital IDs in the name of a better customer experience. E-commerce and entertainment sites could require them as antipiracy measures. Corporate networks could insist all inbound messages be digitally signed to minimize spam from outsiders. How would we respond? Walker thinks that with such constant incentives, average users, the people who don't spend every moment obsessing about the potential repercussions of a certificate system, might just leave the ID system on permanently. 

Walker's scenario is credible enough that Newsweek covered his essay in an article that only de-Orwellized it to the extent of changing Big Brother to "Big Government." But Newsweek also added the missing part of the story: a more nuanced sense of how Internet users would react to such a system. Using the Net without the feeling you're being watched, downloading and uploading stuff you'd get in trouble for leaving on your desk—come on, that's a major part of its appeal. Any privacy clampdown would boost outlaw computing as surely as the 55 mph limit did speeding *. "Picture digital freedom fighters huddling in the electronic equivalent of caves, file-swapping and blogging under the radar of censors and copyright cops," Newsweek concluded. They might as well have added: Cooooooooooool.

An ad hoc alliance of techno-rebels covertly transferring unauthorized data in defiance of network authorities—sound familiar, Neo? It's such a popular scenario that the same Microsoft researchers leading the company's secure computing efforts wrote a paper two years ago describing this inevitable backlash, which they dubbed the darknet. The darknet! Jeez, are they trying to make piracy cool? Who'd want to hang out on the boring old Internet when the other kids are on the darknet? The term has been picked up by mainstream publications including Rolling Stone, which defined darknets (plural) as "file-trading networks created by and for small, private groups of people." Instead of relying on KaZaA, these groups use programs like WASTE that let them swap wares on discrete networks without being remotely tracked. Even a cop with a subpoena would be hard-pressed to detect such a network's existence.

Microsoft's paper flatly warns that trying to shut down these networks could backfire:

There is evidence that the darknet will continue to exist and provide low cost, high-quality service to a large group of consumers. This means that in many markets, the darknet will be a competitor to legal commerce. From the point of view of economic theory, this has profound implications for business strategy: for example, increased security may act as a disincentive to legal commerce.