Tuesday, June 21, 2011

Positive action as a possible precedent for controlling content on the Internet

[June 2011]

Prompted by the news:

MUP (the Serbian Ministry of the Interior) and Telenor sign an agreement on Internet safety

The road to hell is paved with good intentions.

The partnership between MUP and Telenor aimed at preventing access to child pornography on the Internet was certainly undertaken in good faith by both sides. A joint initiative of state institutions and the private sector in the Internet domain – especially in areas that lack clear regulation (such as the regulation of Internet content) but around which there is an undisputed, broad consensus (such as the fight against child pornography) – deserves every praise. And yet, good intentions do not always bring an effective solution, and sometimes they lead to hell.

Blocking access to Internet sites containing child pornography through our telecommunications networks will largely prevent our users (especially young people) from stumbling across such content by accident. This approach certainly will not stop anyone who really wants to access such content – which is most often hosted abroad, on remote Pacific islands and elsewhere far beyond the reach of (even the global mechanisms of) justice – because there is a range of services on the Internet that can be used to bypass the filter. Nor will filtering help identify and catch the offenders. Blocking and filtering content on the Internet is one of the worst approaches to regulation: such a technological approach can only be one component of child protection, and far more important are education and raising awareness among children, parents, teachers and society, as well as an appropriate legal framework.

So what kind of hell can a road paved this way lead to?

Introducing content filtering on the Internet in the absence of a legal framework – even for an entirely justified purpose such as the fight against child pornography – sets a dangerous precedent on the basis of which other undesirable content may be filtered in the future. While we would all agree that child pornography is unacceptable, any filtering of politically, culturally (or even legally) 'inappropriate' content would amount to a kind of censorship and would endanger the freedom of access to information and content on the Internet.

World experience shows that this seemingly clear line between blocking universally unacceptable content and 'debatably problematic' content is quickly crossed. The next step in applying this precedent is blocking in the context of hate speech, gambling, copyright, counterfeit medicines and more. In less orderly countries with fragile democracies, such precedents – once codified in law – are easily abused for political purposes as well: a virtual policeman pops up on monitors in China all too often (the idea of a MUP badge on monitors in Serbia bears considerable visual resemblance).

Precisely these questions are the subject of fierce debate in Europe and around the world. A recent proposal to establish a 'single secure European cyberspace' (a kind of virtual Schengen zone), which leaked from the European Union – and in which blocking content for the purpose of preventing child abuse is even openly listed as the first step in a series – met with sharp criticism from European associations for the protection of Internet users' rights. The use of blocking access to Internet content for the purpose of copyright protection, raised during the G8 as well as in France, England and America, also met with strong resistance from user associations and even from telecom operators, who do not want to be responsible for deciding what is unacceptable content, nor for implementing the blocks and thereby endangering users' access to information and services on the Internet – especially in the absence of very clear legal norms. Finally, the pan-European dialogue on Internet governance (EuroDIG), held less than a month ago in Belgrade, showed precisely that there is no support for filtering content on the Internet.

Let us return to Serbia.

Despite the good intentions and positive initiative of MUP and Telenor, a paving stone has been laid on the road to the hell of Internet content filtering in Serbia. So, before laying each of the next stones in the direction of Internet regulation, let us first think carefully and discuss publicly where that road will lead, and in parallel work as soon as possible on a clear regulatory framework that would prevent abuse of the precedent and control of the Internet.

Network Neutrality in law – a step forwards or a step backwards?

[June 2011]
Published at: http://www.diplomacy.edu/blog/network-neutrality-law-%E2%80%93-step-forwards-or-step-backwards

‘Hurrah! The Netherlands has become the first European country to enshrine Net Neutrality in law.’

Many would share John Naughton's joyous feeling expressed in his blog on 10 June. Many – but not everyone. In fact, a good number of those following the Net Neutrality debate would be cautious, if not averse. Where do you stand?

On 9 June 2011, the Netherlands became the first country to encode the principle of Network Neutrality into national law, ensuring that telecoms and Internet service providers would place no restrictions on user access, or discriminate based on types of Internet content, services or applications. To some extent this does not come as a surprise, bearing in mind that some Dutch telecom providers openly block access to Skype and similar VoIP and online messaging services over their networks, giving the advantage to their own voice services.

Similar breaches of Network Neutrality principles are made by telcos in other countries as well. While entirely restricting access to some online applications and services is a somewhat blunt way to protect one's own interests, more sophisticated approaches include openly or tacitly throttling the bandwidth for some applications such as VoIP or peer-to-peer (based on the type of application, which can easily be tracked by the ISP), or surcharging for these while not charging for others (like Facebook) in 'bandwidth cap' models.

Clearly, this annoys and worries users; they demand an open Internet – unrestricted access to any content, application or service online. On the other hand, telcos and ISPs look for business models that will ensure proper returns on their investments in infrastructure and motivate them to invest further, in order to deliver the service with due quality in spite of the fast-growing demands of new services for ever larger bandwidth. Governments and regulators face the challenge of finding the balance.

One of the major challenges regulators face is whether to act pre-emptively (ex ante), in order to prevent possible breaches of the Net Neutrality principle, or to respond on the basis of precedents (ex post) once (and if) a breach occurs. Another is whether the problem should be dealt with through 'hard law' – encoding the principles into legislation – or whether 'soft law' (guidelines and policies) would suffice.

Views on this are very divergent: telcos and ISPs commonly advocate existing telecom competition laws and soft ex-post anti-trust responses as sufficient to deal with Net Neutrality as well, while user communities and the software and content industry stand strongly for an ex-ante hard-law approach for electronic communications, arguing that competition is not sufficient to protect users' interests. Governments and regulators sit somewhere in between, depending on the level of competition and the existing legal frameworks in their countries.

For instance, the USA copes with a lack of true telecom competition; there, the Federal Communications Commission (FCC) is in a years-long fight with the major telcos over its legitimacy to codify and enforce its Network Neutrality principles, defined through its own policy acts, as legally binding rules. Japan envisages possible congestion due to fast-growing demands for bandwidth from new services; back in 2007 its Ministry of Internal Affairs and Communications produced a comprehensive report on Net Neutrality, amending its policy programme with the principle of no discrimination. In the European Union, which has a solid competition and legal framework on telecommunications, the European Commission directed national regulatory authorities to promote 'the ability of end-users to access and distribute information or run applications and services of their choice' within its amended Framework Directive in late 2009 (yet it remains very cautious not to endanger innovation and investment from business). The Declaration of the Committee of Ministers of the Council of Europe on Network Neutrality in late 2010 clearly supports the Net Neutrality principles, and calls on member states and the private sector to work further on guidelines. None of these approaches, however, calls for either of the extreme poles, but rather for positions in between.

The best known and most widely accepted are the Guidelines of the Norwegian regulatory authority (NPT): a soft regulation based on collaborative dialogue with the entire Internet industry and community. Voluntary but broadly supported, they offer a new 'collaborative' approach to Internet regulation; yet, ultimately, the regulator always preserves the option of transforming them into hard law – if necessary.

The Netherlands has chosen a pole: ex ante, with a hard-law approach. Such a regulatory approach will certainly satisfy users; the question is whether it will stifle further investment by the telcos. If it does, the Dutch might need to revert to a more balanced approach; if it does not, however, this model might outshine the Norwegian one and show that the telcos were crying about the Net Neutrality debates for no reason. Let's wait and watch closely.

For more on Network Neutrality, visit www.diplomacy.edu/ig/nn

State-driven hactivism

[April 2011]
Published at: http://www.diplomacy.edu/blog/state-driven-hactivism

Twitter followers these days may have noticed an intense buzz about the recent Comodo case – a serious security breach within the system of trusted authorities for web certificates. The news, however, lies not in 'what' or 'how', but rather in 'who' and 'why'. The suspects: the governmental structures of Iran. The possible motive: eavesdropping on its citizens on global communication channels.

Technically speaking, what is this all about? When we type the web address of our bank or social network platform into a browser, our Internet service provider's DNS (Domain Name System) server translates the alphanumeric domain name (such as www.facebook.com) into the unique numeric IP address that computers and servers use to identify themselves (e.g. Facebook is 66.220.153.15), thus linking our computer with the server under that number. But who can guarantee that the DNS will not cheat us and link us to a bogus copy whose homepage looks exactly like Facebook's? Such bogus websites allow their owners to steal our usernames and passwords for social networks or online email accounts and, more seriously, our credit card numbers and the PINs to our bank accounts as well.

Years ago, in order to make our browsing experience more reliable and secure – especially for online payments or when accessing private areas – online businesses agreed with browser platform providers (Google, Firefox, etc.) to introduce the concept of trusted digital certificates for websites: each public website can obtain a secured digital certificate that certifies to users that the requested web address is linked only to certain IP numbers and servers approved by the owners. Thereby, our browser would warn us of a bogus web page if our DNS linked us to any server other than that (or those) approved by the owner of the website we requested: for example, only a server with the IP address 66.220.153.15 (and a number of others confirmed and hosted by Facebook) would be certified as the www.facebook.com server.

Two features of this system of digital certificates for websites make it very trustworthy:
a) Technical: digital certificates are based on the reliable SSL (Secure Sockets Layer) protocol, which relies on public-key cryptography – one of the most reliable cryptographic methods.
b) Economic: the issuing of SSL certificates for websites is a well-developed market with countless multinational companies involved as clients (Microsoft, Google, Skype, major banks and online payment systems, etc.), and several other big companies acting as trusted Certificate Authorities (CAs) for certificates integrated with web browsers – such as VeriSign or Comodo – which look carefully over their procedures for ensuring the real identity of the owners of the certificates they issue and certify.

So the global uneasiness resulting from the recent incident with Comodo comes as no surprise.

Yet, following the golden principle of security – a chain is only as strong as its weakest link – the perpetrators managed to get into the system by compromising less secure user accounts at one of the many affiliate registration authorities (RAs) under Comodo's trusted root CA. Posing as the compromised RA, the perpetrators carried out a well-prepared, sophisticated operation to register nine bogus certificates for famous websites such as those of Google, Skype and Yahoo!. Had the operation not been uncovered, our browsers would not have objected to being linked to a bogus server for Google, Yahoo! or Skype – the IP numbers of those bogus servers would also have been within certificates issued by the trusted CA. Wired magazine featured an interesting analysis of the case.

This news was alarming; the reactions of Comodo, Microsoft, Mozilla and others were prompt. But – there was more.

To really (mis)use the potential of these 'rogue certificates' and draw many users to the nine bogus sites believing they were accessing the original ones, a perpetrator would also need to take control of one or more DNS servers and make them cheat us. The DNS system is (still) far more vulnerable than SSL, and temporarily hijacking DNS servers is not 'a big deal'; but to have an impact on a greater number of Internet users, one would need to hijack DNS servers higher up in the hierarchy – those of major national telecoms or beyond. Moreover, an effort to break the SSL system for such important websites would make sense only if the hijacking of part of the DNS system were permanent, not temporary; and while a hijack can only be temporary – until uncovered and restored – longer-term control can be obtained only through physical or 'political' control over its management.

One more detail stood out in the Comodo report: 'The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might)' – the bogus certificates were requested for the following well-known websites: mail.google.com (GMail), login.live.com (Hotmail), www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org (Firefox extensions). The aim of the perpetrators was thus not financial gain, but rather to endanger privacy – for personal, business or possibly political benefit.
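The weakest-link problem described above, as an added example that is not part of the original post: a toy Python model of browser certificate validation, with constructed CA names, serials and pins, showing that a certificate issued under any trusted root chains successfully for any hostname, and how two defences browsers and site operators later adopted, pinning the expected issuer for a hostname and blocklisting known rogue serials, reject such a certificate.

```python
# Added example, not from the original post. All CA names, hostnames' pins,
# serial numbers and the trust store below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str        # hostname for a leaf, CA name for a CA certificate
    issuer: str         # name of the CA that signed this certificate
    serial: str         # constructed serial number
    is_ca: bool = False


# Constructed trust store: the browser trusts both roots equally, just as real
# browsers trusted the VeriSign and Comodo roots alike in 2011.
TRUST_STORE = {"ExampleRoot-A", "ExampleRoot-B"}

# Constructed hierarchy: any sub-CA under a trusted root (the affiliate RA in
# the text issued through such a path) can sign a certificate for ANY hostname.
CA_CERTS = {
    "ExampleSub-A": Cert("ExampleSub-A", "ExampleRoot-A", "0a01", is_ca=True),
    "ExampleSub-B": Cert("ExampleSub-B", "ExampleRoot-B", "0b01", is_ca=True),
}

# Constructed pins: the issuer the site operator says should sign its hostname,
# the kind of check some browsers later added for high-value domains.
EXPECTED_ISSUER = {
    "mail.google.com": "ExampleSub-A",
    "login.yahoo.com": "ExampleSub-A",
}


def chain_to_trusted_root(leaf: Cert, max_depth: int = 5) -> bool:
    """Classic path validation: follow issuer links until a trusted root."""
    cur = leaf
    for _ in range(max_depth):
        if cur.issuer in TRUST_STORE:
            return True
        parent = CA_CERTS.get(cur.issuer)
        if parent is None or not parent.is_ca:
            return False
        cur = parent
    return False


def validate(leaf: Cert, revoked=frozenset()):
    """Chain check plus the two mitigations; returns (accepted, reason)."""
    if leaf.serial in revoked:            # blocklist shipped by the browser
        return False, "serial is on the blocklist"
    if not chain_to_trusted_root(leaf):
        return False, "no path to a trusted root"
    expected = EXPECTED_ISSUER.get(leaf.subject)
    if expected is not None and leaf.issuer != expected:
        return False, f"issuer {leaf.issuer} not pinned for {leaf.subject}"
    return True, "ok"


def demo():
    legit = Cert("mail.google.com", "ExampleSub-A", "1001")
    # Constructed rogue certificate: correct hostname, but issued via root B.
    rogue = Cert("mail.google.com", "ExampleSub-B", "dead")
    return {
        "legit": validate(legit),
        "rogue_chain_only": chain_to_trusted_root(rogue),   # True: chains fine
        "rogue_pinned": validate(rogue),                    # rejected by pin
        "rogue_blocklisted": validate(rogue, revoked={"dead"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```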
Lastly, Comodo experts claim they have traced the origin of this cyber-attack back to Tehran, Iran. Geo-localisation of users (and attackers) by IP address is becoming more and more sophisticated; but so are the anonymisers that hide the IP address of the original sender – so there is also a possibility that the attacker attempted to lay a false trail.

The reasons for believing that some governmental structures carried out such a sophisticated, well-planned cyber-attack to break into the communication identities and records of (some of) their citizens lie primarily in the fact that the platforms targeted were communication rather than financial ones, and in the suspicion that such an attack would need a strong, long-lasting second pillar in the form of control over the (national?) DNS infrastructure. Tracing the attack back to Iran only supplies a possible political context.

Concerns over SSL or DNS vulnerabilities are not new, and will probably never really disappear; they will periodically be replaced by spells of trust in new secure protocols and spells of mistrust as hacktivism evolves. The concern that governments have become more aware of the growing importance of the Net is not brand new either. A growing concern is that states now use skilful, sophisticated, 'undercover' hacking actions to achieve their national or international goals. The Comodo case adds to a number of recent examples, including the Stuxnet virus (industrial worm) allegedly produced by Israeli-US secret services to destroy Iranian nuclear facilities, or the case of a state-owned Chinese telecommunications firm that re-routed some 15% of world web traffic through its own servers for a short while.

Are states tightening the noose around the Internet?

[January 2011]

In the shadow of the discussions about the WikiLeaks case and the importance of the Internet in 'exposing' international dealings and increasing public participation in state decisions, one consideration has been left aside: the feedback loop. To what extent will the cases in which states and authorities feel threatened by the Internet lead to their greater involvement in Internet governance, and hence affect the very openness and freedom of communication and action on the Internet? Recent signals from international politics unambiguously announce that states are (once again) becoming interested in tightening their control over the Internet.

States enter the arena of Internet governance

When, around 2000, states finally became interested in the growing importance of the Internet and expressed a desire to influence its governance, they were in for a shock: there was no room for them there! The Internet was already being 'governed' by large business corporations such as Microsoft and Google through new services, by user associations through their influential networks and movements, and by the US Government through the corporation close to it, ICANN, responsible for Internet addresses. The influence of states on a global network resting on a global economy, especially at an already advanced stage of development, was almost negligible. Such powerlessness to exert control was not something states could easily bear.

The World Summit on the Information Society, under the auspices of the United Nations, gathered representatives of states and international organisations in Geneva in 2003 in order to find a way for the Internet, too, to be governed through cooperation among states. Representatives of numerous international corporations such as Microsoft, Cisco, the Linux community and others, as well as of user associations such as the Internet Society (ISOC) and many universities – and even representatives of ICANN – were prevented from attending the plenary sessions of the Summit.

It did not take long for state representatives to realise that, in the case of the Internet, cooperation among states would have to be complemented by cooperation with the international business and non-governmental sectors. At the same time, the business and non-governmental sectors realised that the Internet had entered deep into the sphere of interest of states and that there were mutual interests in broad international cooperation. The result of the second phase of the Summit – in Tunis in 2005 – was therefore the launch of the annual global Internet Governance Forum (IGF) as the basis for further open international dialogue on the future of the Internet, on policies, and on the management of resources and development.

Through its five meetings – from Athens in 2006, via Rio de Janeiro in 2007, Hyderabad in 2008 and Sharm el-Sheikh in 2009, to Vilnius in 2010 – the Internet Governance Forum has established the principle of open dialogue among all stakeholders on the key policy issues of the Internet: infrastructure development and control over critical resources; the fight against cybercrime and cooperation in Internet security and child protection; content control versus freedom of speech; data protection and user privacy; economic models that maintain the affordability and availability of services; the balance between free access to content and the protection of intellectual property; the needs of marginalised groups such as persons with disabilities; and arrangements for assisting developing countries and promoting cultural diversity and multilingualism...

Such open dialogue – in which the agenda of the meeting itself is agreed by representatives of states, business and the non-governmental sector, and in which, instead of voting and decision-making, national and international policies are built on the basis of shared experiences and consideration of the positions of 'all sides' – is a novelty in international relations, especially within the United Nations system. Of course, bilateral negotiations of states among themselves and with the leading corporations and Internet communities on key issues (above all critical infrastructure, data protection and cybersecurity) have not ceased; on the contrary, they have become frequent precisely on the margins of the Internet Governance Forum. Still, states have always tried to strengthen their influence.

Strengthening state sovereignty in the virtual world

Learning quickly, analysing the technical structure of the Internet more carefully, and noticing the growing possibilities for geo-locating users and segments of the global network, states have managed to fit the approach to Internet governance, to some extent, into the existing well-rehearsed international frameworks in which other similar global issues are resolved and in which one thing is dominant – state sovereignty.

States have become noticeably more aggressive towards the business sector on issues related to Internet governance. China, for instance, through strong technological and political pressure, managed to force the Internet empire Google to adapt the fundamental principles of its business – which imply the protection of user data and free access to content without censorship – to local political circumstances in that country (until Google finally decided that there were lines it must not cross for the sake of its international reputation, and withdrew from the Chinese market at the beginning of 2010). The leader in mobile services, BlackBerry, also gave way last year on its principles of user data protection before the rules of a sovereign state – Saudi Arabia. Tunisia simply blocked its citizens' access to the YouTube video service back in 2007. America influenced the removal of the global Internet address of the WikiLeaks portal at the end of this year. The examples keep multiplying.

National security is becoming the dominant source of concern for states when it comes to the Internet: key state infrastructure – from public administration, through electric power systems, to nuclear facilities – is inevitably being connected (directly or indirectly) to the Internet. Cyber-attacks are becoming ever more sophisticated, the targets ever more critical, and the profile of the attacker has long since shifted from mere kid hackers to organised groups, not infrequently terrorist or even state (military or intelligence) ones. The evidence is abundant: from the dramatic massive power outages in America in 2003 and in Brazil in 2005 and 2007, through the 'takedown' of Estonia's public administration systems in 2007, for which the government there blamed Russia and which greatly worried NATO as well, to the recent spectacular attack with a highly sophisticated virus on the Iranian nuclear facility at Natanz (allegedly by the Israeli and American intelligence services). The leaking of confidential state data in the WikiLeaks case is further fuel on the fire. States, it seems, are no longer willing to leave their national security to an open dialogue among all stakeholders, such as the Internet Governance Forum.

The struggle for a balanced approach to governance

The future of the Internet Governance Forum has also fallen under the paw of states: the United Nations Committee on Science and Technology (CSTD) decided at the beginning of December 2010 that the future format of the Forum would be discussed by a working group composed – exclusively of state representatives. This decision, although later slightly amended to include a few non-governmental representatives, alarmed numerous civil society associations as well as private sector representatives, who launched a campaign to preserve the successfully established open dialogue on the key problems of the Internet.

Without denying the need of states to strengthen national security, the business and non-governmental sectors are concerned that the absence of open dialogue among all stakeholders would allow states to neglect the interests of users (citizens) – such as freedom of expression versus censorship, and the protection of personal data versus surveillance – but also to hamper the free development of new services by the private sector through a surfeit of regulation and overly strong control of the Internet.

The pendulum of Internet governance has currently been pushed towards a stronger influence of states, and thereby towards the potential dominance of cybersecurity and content control over freedom of expression and the protection of privacy. The basic parameters of the pendulum, however, are unchanged: global business creates new trends in line with the needs of users, as well as with the rules imposed by states – to the extent that it must respect those rules. The next push on the pendulum is awaited.