The people of the formerly free world have again been dragged into a war not of their own choosing. This time, the enemy is not a nation, or an ethnic group, or even an idea. We have become the enemy. We have become the subject of undue scrutiny, paranoia, distrust, imprisonment and violence.
It is often our habit, in cases of great injustice, to look to our leaders for solutions. We ask for statutory, constitutional or regulatory protections. We cast our eyes toward the politicians, asking for the power of government to support their people and validate the mandate we gave them as our elected representatives.
There is no hope for that now. The U.S. government, the British government, the Canadian government, the Australian government, the government of New Zealand and many more have become the perpetrators of this injustice against their own people. Furthermore, they possess vast resources, technology and knowledge. They have the capability to exploit any computer, break nearly any encryption and they have the coercive power to silence much dissent.
In instances such as these, the solutions must come from us. We have the numbers and the knowledge. Do we have the will?
There are only a few methods with which we can approach security when browsing the Internet. One is encryption, but that only works if both parties cooperate and are willing to maintain secrecy. So, it’s not really much of a solution.
Another is hiding in the crowd. Currently, Tor is the best option for this method, allowing users to bounce their Internet traffic off of numerous other Tor users’ computers before it ultimately rejoins the network. The last person in the chain is called an exit node operator. One must volunteer to become an exit node operator—and not many people do. In fact, Tor has begun offering to pay exit node operators because they don’t have enough for the system to really work very well. We’ll see if it works.
The problem is, exit node operators take on a lot of risk. When Internet users look at child pornography or use a stolen credit card to buy something, this illegal activity is connected to an IP address. When those Internet users do it through Tor, that IP address is going to be that of an exit node operator.
These guys have been blacklisted, raided, arrested, manhandled, etc. because, unfortunately, bad guys exist and Tor is a great place for them to hide. That’s why not too many people are lining up for the job of exit node operator and consequently, why Tor is quite slow and cumbersome. Tor data from thousands of users is funneled through a handful of exit node operators. Google’s home page is about a seven-second ordeal. Just imagine trying to watch a YouTube video, if Tor were able to protect your anonymity while doing so.
So, how can we avoid the problems inherent in Tor, maintain the Internet speeds we’ve all grown accustomed to, still keep the bad guys in the shadows and remain anonymous all at the same time? It’s a tall order, but it’s possible.
If we target a specific application, rather than attempting to anonymize all web activity, then we can have our privacy and our speed. Simply put, we change the deal with Google. Right now, the deal is that Google gives us the ability to find any information our hearts and souls desire, and in exchange we give Google our actual hearts and our actual souls.
That’s not a great deal, but let’s be honest. You can’t beat ’em. Google’s search capabilities are unmatched—they’ve constructed an absolute wonder of the digital world. Search results are lightning fast and incredibly thorough. Their maps capabilities would have Magellan green with envy. Who wants to settle for a second rate search experience?
The problem is, Google has betrayed us. Eric Schmidt, Google’s Executive Chariman brushed domestic surveillance aside recently, saying:
“There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgement on that, it’s the nature of our society.”
Those aren’t the words most of us want to hear from one of the higher-ups in our most widely-used companies. We want to see outrage, indignation and counteraction from Google, Microsoft, Facebook and all the rest of them. But they aren’t forthcoming.
What we need is a new way to use Google like people use Tor. If Google searches are bounced off of millions of user’s computers and everyone is potentially an exit node, we have our ability to hide in the crowd. We have plausible deniability when it comes to our search engine use.
Furthermore, Google already polices itself for illegal activity like kiddie porn and fraud. So, online criminals will have to continue lurking the depths of the Internet if they wish to continue their behavior.
Government spooks will still be able to see what goes on in our smartphones, hack our computers, read our email and, yes, find our search engine data. But that would be an incredibly expensive and drawn-out process—and at least we wouldn’t be handing out our search engine habits on a silver platter.
Such an endeavor, socially, must act like a movement. If no one is willing to be an exit node operator—as is the case with Tor—it won’t work. But with hundreds of millions of Google users, such a movement is entirely possible.
Here’s how it can work: A browser add-on joins you with other participants using similar techniques to those employed by the Bittorrent file sharing protocol to implement distributed trackers. The plugin would operate much like Tor as an exit node, only instead of allowing arbitrary TCP connections it would be strictly limited to performing search queries on Google.
Such a system would solve the incentive problem stunting Tor. Everyone would be an exit node by default. Nobody would be enabling credit card fraud because it would be impossible to buy anything through you. You would not be enabling child pornographers because Google tries to avoid hosting that type of content anyway. You would not be helping botnet operators hide their command and control systems from network operators and security researchers. You might proxy some unsavory searches, but the combination of all the queries your browser submits to Google would be so random that anything embarrassing or incriminating couldn’t be attributed to you with any certainty.
There would definitely be some security challenges to solve, but it would be easier and more productive to overcome those technical problems than trying to pay Tor exit node operators. After all, Bittorrent is doing just fine in spite of powerful adversaries who would love to see its demise. Just how much money would it take to anonymize 25% of global search traffic with Tor? Based on what we’ve seen so far, is it reasonable to believe Tor can really scale to the size necessary to achieve that?
If the spooks want our souls, let’s make them pay one hell of a high price. Let’s force them to turn Microsoft, Apple, and Samsung’s update services against us, because that’s extremely expensive both operationally and politically. Let’s force them to use their zero day exploits against our endpoints because while they still dominate that space at least we have the ability to bring technical countermeasures to the fight. Their advantage battling us as vulnerability researchers and exploit developers is based entirely on information asymmetry, and even as they win battles, they lose information advantage just by fighting us. Just as the surveillance state slowly crept up on us we will slowly erode its potency, and eventually we’ll snuff it out.