Security in Cyberspace

Torbjörn Lundqvist

Overview

● Written on the body: Biometrics and Identity, Irma van Der Ploeg – In what way does biometrics contain information about ourselves

that previous token-based systems don't ● Terrorism or Civil Disobedience: Toward a

Hacktivist Ethic, Mark Manion & Abby Goodrum– How does one go about distinguishing computer terrorism from

civil disobediance, and in what way does one define the ethics of hacking and civil disobediance?

Privacy and Security

● Security: – Ambiguous, Safety vs. security distinction,

being free from danger, hard to assure– Computer security vs. data security,

protection from worms, hackers vs. data loss ● Privacy:

– Often used synonymously with “anonymity” – Psychological Privacy/ Informational privacy– Control vs. Restricted Access theory– Impossible without security

Security

● As an ethical issue: is true security achievable? If so: is it desirable? Conflict:– Pros

● anonymity and privacy can be ensured (on a personal level, information-restriction becomes easier)

● Identity can be established more easily (seems to conflict with the latter)

– Cons● Anonymity and privacy can lead to unlawful

behavior (due to the ease of restricting information)

● “Easy identification” makes it harder to hide from others (again, conflict with the latter)

Biometrics

● In what way does biometrics contain information about ourselves that common token-based systems don't?

● How can this information be used to ”ensure our security” by ”invading our privacy”?

Biometrics

● Van der Ploeg: In 1996 I-scan software implemented in the Department of Public Affairs in Illinois● All welfare clients were called to an interview,

and made to submit a retinal scan● Failure to comply meant disqualification from

social service benefits and other sanctions● Reason: The need to ensure against social

welfare fraud

Biometrics

● Biometrics: stipulated as “The Collection of physical features using a sensory device to record digital representations of physical features unique to the individual”● Retinal scan● Fingerprints● Voice patterns● Movements/Body odor

Biometrics● The method consists of using digital representations as

templates to which a match is made upon identification, if the template matches the sample the subject is known, if not, the subject is unknown

Template:Stored indefinetly

Sample

T1Match, Known

Sample

TX

Mismatch, Unknown

Biometrics

● Older systems of identification, ID-cards etc. are ”token-based”, biometrics are not– ”Biometrics are turning the human body into the

universal id of the future” ABC News Jan 15, 1998– Possible buyers: military forces, governments,

private corporations● Development of genetic API in 1998

– BioAPI Consortium – IBM, Microsoft, Novell, Compaq ● Specifications for a global standard to allow easy

implementation of biometrics into computer software begins

Biometrics

● Of course: Biometrics is concerned with maintainence of security through identity check– Question: what is identity? Can identity be

established in relation to the human body● Van der Ploeg

– Biometrics requires a theory of identity that takes the body and the embodied nature of subjectivity into full account

– there is a need to investigate what kind of body the biometric body is

Biometrics● van Kraligen (Biometrician) – Distinction of

identity and verification of identity– Biometrics is regarded as the later

● Schrectman (Philosopher), Philosophical distinction between– Identity– Sameness of body (where identity is to self

knowledge what sameness of body is to re-identification)

● Necessary and sufficient conditions why p1 is p1 at both T1 and T2?

Biometrics

● ... is able to detect both sameness and difference of ”token”, (token-based systems can't)

● ... can re identify the body, but of course, not the ”essence” or ”beliefs and values” of the individual

● ... may seem to be able to be better at establishing psychological identity, but due to the above, cannot be any more effective than token-based systems

Biometrics● Since the body is very much a part of personal identity, and ”identity”

can be regared as more profound than ”sameness of body” ● it may be easy to identify the body using biometrics, however, it is

highly difficult to characterize a psychological individual over time, ● Parfit (Reasons & Persons): Personality does not persist over time

– P.: Personality changes over time, token identity does not, and we can not be certain that psychological identity changes over time

– P.: Wether or not psychological identity persists over time is therefore not relevant

– P.:What matters – psychological connectedness (of memory and character) between p1 and p2 over time

● From this perspective. Biometrics is not any better in characterizing the psychological identity of the individual

Biometrics

● van der Ploeg: – identity can be viewed from a third

person perspective (sameness of person)

– Identity can be viewed from a first person perspective (self knowledge)

– The distinction between can lead to an assumption that biometrics is only concerned with ”sameness of person”, but, the person is a ”performance piece”

Biometrics

● Van der Ploeg:– Personality is something that is

constantly being reshaped by (among other things) information technology

– With information technology, it becomes possible to fragment personal identity

– Suddenly bodies are irrelevant to identity, identification may be near impossible without the use of the body as identification

Biometrics

● The problem is of course that biometrics removes the boundaries between nature and culture, – Split second identification makes it

possible to map identity patterns over individuals that may not exist,

– Van der Ploeg: biometrics investigations prompts cultural determinism. One is judged but rather by ones cultural background and previous exploits

Hacktivism

● Terrorism or Civil Disobedience: Toward a Hacktivist Ethic, Mark Manion & Abby Goodrum– How does one go about distinguishing computer terrorism from civil

disobediance, and in what way does one define the ethics of hacking and civil disobediance?

Hacktivism

● Terrorism vs. civil disobedience – “One mans terrorist is another mans freedom

fighter” - William Laqueur, 1977● Violence breeds more violence, Non-violence does

not, (Ghandi, “Satyagraha”)– Violent struggle vs. civil disobedience

● Peaceful breaking of unjust laws (direct action)– Non-violent protest: Boycotts, sanctions, “sabotage” (s. f.

Plowshares-movement), “information-war”– Non-violent protest takes moral high-ground, in that it

confronts power without resorting to violence– Protesters take responsibility of their actions,

(imprisonment, etc.)

Hacktivism

● Hacktivism– “The (sometimes) clandestine use of computer

hacking to help advance political causes” - Manion and Goodrum

● Hacking– “The practice of exploiting or gaining

unauthorized access to computer systems through clever tactics and detailed knowledge” - Wikipedia

Hacktivism

● Hackers attack commercial websites – Feb. 8, 2000– 18 page statement, claiming responsibility is

released (MSNBC)– Alleged reason: Growing commodification and

capitalization of the Internet– No one is arrested, no one is charged

Hacktivism

● Valentines day, 2000, plowshares movement restricts access to Faslane naval base, Scotland– Faslane is the base of UK Trident-class

submarines – Reason: These submarines are armed with

nuclear weapons– Plowshares movement claims responsibility

due to ethical concerns– 185 arrested

Hacktivism

● 1998, Eugene Kashpureff usurps traffic from interNIC – Manion & Goodrum– Action taken non-anonymously– Ethically motivated, protest of domain-name

policy– Jailed as result

● “Under a government which imprisons any unjustly, the true place for a just man is also a prison” - David Henry Thoreau, 1849

Hacktivism

● Hacktivism, civil disobedience?– Has been used to protest

● Anti-democratic crackdowns in china● Indonesian occupation of west-timor● Human rights abusers

– Targets● Governments & national security● Private industry and intellectual property● Human rights abusers

Hacktivism

● Core principles – Manion & Goodrum– No damage done to persons or property– Non-violent– Not for personal Profit– Ethically motivated– Willingness to accept personal responsibility

for ones actions

Hacktivism

● Hacktivism, cyber-terrorism?– RAND Corp. John Arquilla and David Ronfeldt

● “Netwar” - The study of network based conflict and crime, Networks and Netwars, 2001

● “... terrorist and social activist organizations will be most effective if they develop networking capabilities ... attuned to the information age.”

● “If governmental powers can understand how modern-day netwar organizations are formed, they may be better able to target and dismantle those terrorist ... groups ...”

● “Act of violence for the purpose of intimidating or coercing a government or civilian population” - US Law

Hacktivism

● Internet provides forums for the organization of Electronic Civil Disobedience (ECD) – Manion & Goodrum– What CONSTITUTES Hacktivism (or ECD)

● Running FloodNet?● Hacking CNN.com?

– The point is not destruction of information, rather disruption of the flow of information

● New type of non-violent protest?– If so: why is hacking judged harsher than traditional non-

violent protests?

Hacktivism

● “Legitimate Hacking”? – First objective of invasion: control information

● S.f. The Phone book (don't trust the media)● Information Warfare (Op. Desert Storm)● Propaganda (WW2)

– When is it okey to breach security?● Whenever it does not concern us?● Whenever it concerns multinational cooperations? ● Whenever it concerns other governments? ● Whenever there is a need for it?

– Who decides?● Whenever it happens in our favor?● Whenever “we” condone it?

Hacktivism

● Often, Hackers take stance against warfare and even information war – Against the LoU “Declaring war in anyone is a

most deplorable act” (2600, CDC, ) - Hackernews 12/28/98

● Why label the hacktivist as a terrorist?– Labeling the hacktivist as a threat to security

furthers legitimization of erasure of individual privacy

Hacktivism

● Is hacking democratic activity? (Levy 1984)– Freedom of information– Computer access– Mistrust Authority – Promote decentralization

● Do these principles conflict with the tenants of democracy?– Foucault – Failure to confirm authority leads to

uproar (Foucault 1987)– For whom does hacking really compromise

security?