The board of the Dutch internet exchange AMS-IX proposed to its members to expand to the United States. The vote on this will take place on September 27. Bits of Freedom likes to provide the members with a few considerations when voting.
One of the most significant worries brought forward by members is that the NSA by this expansion would be legally authorised to gain access to data handled on the Dutch AMS-IX. An advice of a US lawyer to the board of AMS-IX suggests that these concerns are not justified. This is broadly in line with messages we received from a friendly lawyer. The advice to AMS-IX’s board is, however, not very clear on this point, and given the interests at stake, we deem it important to attract clearer advice from a US lawyer specialised in US intelligence services.
More importantly, the leaks on the NSA of the past months demonstrate that the NSA is very aggressive in gaining access to private data, up to the point that one can question to what extent legal restrictions pose a relevant check on its activities. By expanding into the home territory of the NSA, AMS-IX will give the agency further opportunities to break into the Dutch AMS-IX, through technological and social means. We do not know to what extent the board considered these risk and whether the members have been informed about these risks.
For the sake of completeness: we already deem these risks to be present for the Dutch AMS-IX, and expansion would merely increase those. We were thus dismayed when AMS-IX at a hearing at the Dutch parliament discussing information security stated that it did not consider the Dutch secret services to be part of its threat model. We hope AMS-IX since then has started considering the NSA and the Dutch secret service as a part thereof. This is even more relevant as a Dutch law will be proposed which would give the Dutch secret service the powers to wiretap internet traffic on a large scale.
Lastly, as the leaks show, the US in the past decade covertly built a far-reaching surveillance infrastructure targeting millions of ordinary citizens. It, together with other services such as the UK service GCHQ, intercepts and stores intimate communications on a large scale, including for example at cable landing points. It exchanges information, also with the Dutch secret services. While journalists are still busy uncovering the scale and depth of this infrastructure, the US government keeps on defending its necessity. It is therefore possible to question the political wisdom of expanding into such a country, but such an expansion should at the least be accompanied by serious plans to contribute to ending this surveillance infrastructure.
Users will not be able to enjoy the internet if they are under permanent surveillance. AMS-IX and its members bear a responsibility in ensuring that this surveillance infrastructure is broken down, in the US, but also in The Netherlands.
Update: Please read Niels Bakkers comment below!
This move clearly brings the organization AMS-IX within U.S. jurisdiction. The relevant follow-up question is, if and to what extent AMS-IX exerts ‘custody or control’ over the massive amounts of internet traffic that flow through their networks, in other words whether a possibility exists to wiretap the AMS-IX on the network layer (network intercepts) or the physical layer (digging holes and placing optical splitters, one by one at the 9 supposedly redundant hubs that make up the AMS-IX, not interrupting routing in the process).
Lawyer’s advices are all fine, but lawyers (like me) don’t know to what extent this custody or control exists. I was shocked to learn from the fellow expert witness at the Parliamentary hearing that intelligence agencies aren’t in the threat model of the AMS-IX. I have a very hard time – remember that most revelations are still to come in the next years (that’s right, not months, but years) – to believe that these capabilities don’t exists and that the concerns over mass surveillance by any intelligence agency, notably the NSA, aren’t justified.
BoF’s point on whether legal restrictions to access is more valid than ever. If we learn one thing about the revelations, it is that the law doesn’t restrict these agencies in any sense and that the rule of law generally has failed to leverage any accountability whatsoever for senior management when they systematically lie to elected officials about their operations. Trust in the rule of law is, unfortunately, not realistic but extremely naive in 2013.
Just to add to my previous comment, have a look at this recent speech of a NSA senior legal counsel, Mr. Stuart Baker: http://www.lawfareblog.com/2013/09/baker-on-cybersecurity-post-snowden/
‘Moreover, in order to do everything that I have described, the President would need access to a considerable amount of data pertaining to the Internet itself, or, as some have argued, all of the data on the Internet. Let me repeat that: there are arguments that in order to defend ourselves, the government needs to be able to monitor all Internet communications. All of them. Is this possible, even if it is necessary? Maybe. The key limiting factors are money and access. And you would need lots of both.’
By the way, this comment isn’t made by the NSA attorney Stuart Baker, but by James Baker, who ran the Office of Intelligence Policy Review in DOJ (which focused on FISA).
So it’s actually not the NSA that lobbies for this, but the Department of Justice, which makes the lecture even more worrying.
Food for thought from an well known Internet authority:
The NSA mission is national security. How is the snooping really affecting the average person?/
The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state.
We’re not there yet, but already we’ve learned that both the DEA and the IRS use NSA surveillance data in prosecutions and then lie about it in court. Power without accountability or oversight is dangerous to society at a very fundamental level.
But what sorts of access, to what products, has been requested and given? What crypto is, and isn’t, back-doored or otherwise subverted? What has, and hasn’t, been fixed?/
Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything.
NSA surveillance is robust. I have no inside knowledge of which products are subverted and which are not. That’s probably the most frustrating thing. We have no choice but to mistrust everything. And we have no way of knowing if we’ve fixed anything.
Not speaking for AMS-IX (anymore):
Axel, I’m disappointed that you take my comments out of context, though you’re far from alone in having done so. At the committee meeting I said that AMS-IX is capable of detecting optical taps placed in existing production inter-switch links – based on what’s known of the best optical taps on the market, but I’m sure that if you throw $100M against the problem, something that was overlooked might be found by an adversary, just because AMS-IX is only a €15M/year operation; and while it’s a very professional operation, its resources are limited.
The BICS compromise proves that it’s very hard to protect against attacks of a well-funded adversary with state support. The malware found on their systems in June was not detected by any virus scanner and today is detected by only six out of 46. Short of digging yourself in inside a bomb-proof bunker and communicating by passing pieces of paper around in the dark you cannot defend yourself against all electronic attacks.
Protecting yourself against unauthorised optical taps is certainly possible: for example, you could use pressurized ducts with pressure sensors every few meters, and vary the pressure over time in an unpredictable pattern, so an adversary cannot build a pressure chamber around a duct when breaching it to avoid detection. Needless to say, this would be cost-prohibitive unless you have the budget of an American three-letter agency, which AMS-IX doesn’t.
This is what I meant with my, admittedly too snarky, threat model remark. I meant it to be taken in an engineering context where you can never have utter certainty, not that the company didn’t take its responsibilities seriously to keep traffic between connected peers flowing – and only between connected peers.
Although the Members of Parliament seemed content with my answers, hopefully AMS-IX will learn from my mistake and not send an engineer as technical expert again, but somebody more careful in choosing their words. Maybe a lawyer…
Ot van Daalen
Dear Niels, thank you very much for your reaction. Although you didn’t address your comment to me, it certainly wasn’t my intention to quote your statement out of context and I could have done better in this regard. The question is of course broader than tapping of optical cables, but your explanation definitely is food for thought, especially regarding the follow-up question: if three letter agencies should be considered part of the threat model, what measures can an organisation like AMS-IX reasonably be expected to take to defend against them. Meanwhile, the main problem, of course, is the agressiveness of the NSA and others.
The point Niels as a engineer is (and was) trying to make is that total security is impossible, or at least implausible. The best we reasonably can do is create a attack-tree (see Bruce Schneier), and make the cost for a possible attacker so high that we’ll have effective security.
And while it logical to include foreign state-actors in this threat-model, it’s not possible to fight the law (or what passes for it) in the country your operations are based in (at least not if you’re a legitimate organisation).
The only chance we have against those is by changing the behavior of the state by bringing it’s behavior into the open, so that people know what is being done in their name. That’s why we should be gratefull and protect whistleblowers like Snowden.
SURFnet: ‘AMS-IX should not set up shop in U.S.; we ought to deliberate on U.S. spying capabilities’ | Matthijs R. Koot's notebook
[…] I my translation of the NOS news report of September 27th. After reading it, go read Considerations on the expansion of AMS-IX to the US, posted by Bits of Freedom on September 25th. Do NOT forget to read the comments […]
Medidas de Segurança contra o Terrorismo: custos vs benefícios – Anders Bateva
[…] holandesa? Aqui, o AMS-IX (o Amsterdam Internet Exchange, 2º maior Internet exchange no mundo), expande-se para os EUA, fazendo-o sujeito ao Ato PATRIOTA. Estariam estas pessoas vivendo sob uma pedra nos últimos […]
Security Measures Against Terrorism: Costs v. Benefits | Sander Venema
[…] Here, AMS-IX (the Amsterdam Internet Exchange, the second-largest Internet exchange in the world), sets up shop in the US, making it subject to the PATRIOT Act. Have these people been living under a rock these past […]