Chaos Program

How can you not love a domain named “cryptohippie.com?”

Okay, so it’s a business that sells unusual and interesting services that broadly fall under the heading of “security.” I say broadly because this is not the usual anti-virus or hacker proofing kind of stuff. Check out the website if you like. For now let’s just say that CryptoHippie lives up to its name.

What I really want to discuss is CryptoHippie’s report on the Electronic Police State, 2008. (Available here). The title caught my eye immediately, partly because I recently finished a class that included in the reading list a couple books that were chock full of scare stories about that same topic, more or less [See No Place to Hide by Robert O'Harrow, Jr. and Darknet: Hollywood's War against the Digital Generation by J.D. Lasica]. The class wasn’t quite about that, though. It was about the law as it relates to computer and internet security and privacy (It was also brutal but it looks like I got the A).

Of course, some of what we covered included the hoops the government has to jump through to gather and the way that was changed by the USA PATRIOT Act. Privacy policies and the laws that govern or even require them were also a large part of the class. And other interesting things. Never did the phrase “Electronic Police State” come up. That would be worth another class by itself and I hope to take it one of these days.

The first topic should be What does “Electronic police state” mean?

First, what is a “regular” police state? According to Wikipedia, the term “describes a state in which the government exercises rigid and repressive controls over the social, economic and political life of the population” (Police state). This is a nice start but doesn’t tell the half of it. A police state is one where citizens have few, if any, rights. It’s a place where they can be arrested at any time with, or without a reason. In the old Soviet Union the crime of committing “anti-soviet activities” (or was it un-Soviet?) was a catchall that could be used to collect dissidents or prostitutes with equal ease (the story goes that it was used against prostitutes because there were no laws against prostitution, since that was said to exist only in decadent western countries like the U.S.A. But that law could be used to nab almost anybody for almost anything, so it worked just fine).

In a police state, you might need to have the equivalent of a passport to travel a couple hundredmiles to visit your sick mother, which you would rather do than call her because, like East Germany before the fall of Communism there might be more people employed to tap citizen phones than to service the lines and keep the system running (note: I don’t know the actual numbers but Stasi, the East German secret police, was really big). The upshot is, a police state works hard at keeping people in their place.

According to the Cryptohippie report, the modern electronic police state is a slightly different animal. It is characterized by “State use of electronic technologies to record, organize, search and distribute forensic evidence against its citizens.“ This is distinguished from the effort to compile electronic dossiers of people’s purchases, habits, movements and behavior that is mostly done for marketing purposes (though the government has access to an amazing amount of this kind of data. See the book No Place to Hide, mentioned above). It is also different from having your employer read your emails or monitor your web browsing habits while you work. These things come more under the heading of a surveillance state, which is worth studying, just not what the Electronic Police State is about. So far.

Getting to the meat of the report, the fine and thoughtful people of Cryptohippie developed a list of 17 aspects of an EPS (I’m getting tired of typing it all out) and gathered data (also available at the link given) to score a number of different countries on those factors. From that they computed an average and ranked the countries. The higher the average score, the more oppressive the EPS in that country. The factors include the requirement for personal identity documents, mandatory retention of phone and ISP records, and the ability of the government to electronically gather more information, with or without warrants, financial tracking, gag orders (such as are associated with the National Security letters that the FBI uses to gather information. The people served with those letters are not allowed to tell the subjects of the investigation, or anyone else, that there even is an investigation) and more.

The list looks to me to be heavily U.S.-centric and heavily weighted toward the negative. Where, for example, does the strong protection of the European Union Privacy Directive fit? Possibly under “constitutional protection” though that doesn’t sound like a perfect match for it. There is no “good laws about privacy” category and not enough information provided to be sure that such laws are even considered.

I also had some questions about the “Loose Warrants” category, which applies to a lot more than electronic measures. In some countries, warrants may be loose because little evidence is required to justify them. In the U.S., it is more likely that warrants are loose because the judges reviewing them are simply lazy. Does that count?

That is probably just nit-picking, though, I’m sure in the coming years they will refine their list and their method (if they continue to update the report, anyway). One point that is not nit-picking is that there is virtually no information provided about how the numbers for each country in each category were arrived at. There is no way to argue or agree with the numbers because there is no background. That makes this seem more like a propaganda tool than an attempt at actual debate. This is the truth from on high. Trust us. It’s not that I don’t trust them, I just like to see for myself.

The ranking of the countries is interesting but contains few surprises. With a score of 3.588 (out of a possible 5), China is the number one worst EPS, according to this report. Number 2 is a bit of a surprise: North Korea. It’s such a poor country, I didn’t think they would have enough computers to even show up on the chart! But the number of electronic transactions is not one of the factors considered. It would be too hard to estimate, I imagine. And once estimated, it would have to be divided up by population, or possibly by number of computers.

Hmm. That brings up an interesting point: What proportion of EPS activity is directed against companies rather than individuals? In the U.S., the answer might be quite a bit. The SEC and the FBI both enforce laws against corporate misbehavior and following the paper trail (or email trail) is a standard part of that. RICO investigations (Racketeering Influenced Corrupt Oragnization, historically used against the mob) also use a lot of electronic material. This may be almost entirtely the province of very advanced countries like the U.S.

I don’t get the impression the Cryptohippie people considered investigations of organizations vs. investigations of individuals in their calculations. It would be very hard to study but might shed light on how electronic police tactics are used and how they really affect freedom and privacy.  I wonder if I could get a grant? …

Anyway, the United States came in at number 7 with a score of 3.118, just behind The United Kingdom and Russia, which were tied at 3.176. Again, the question of infrastructure is apparent. The United States may score higher than, say, Ecuador, simply because it can. This is the dark side of modernization and economic development. Countries with little expertise in the digital world, will not (yet) score high on EPS measures. It may also be a trifle mis-leading. Just because a country does not have an EPS doesn’t mean it’s more free than others. It might still have an old-fashioned police state, with rubber hoses and secret dungeons. That’s not a flaw in the report. It’s just a caution not to read more into it than it says.

The EPS is an important subject that deserves a lot of attention, study and debate. This report, short and vague though it is, is a fascinating start. I hope that next year, Cryptohippie will update the report and provide more insight into the research behind those 17 scores for each country. Until then, it will be left as an exercise for students to each pick a country and submit their own scoring for the class to discuss.

And yes, there will be a test afterwards.

Tags: freedom, infosec, law, privacy

This entry was posted on Monday, May 18th, 2009 at 8:48 pm and is filed under security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.