Surreptitious Surveillance on the Internet
By Irina Raicu
Moxie Marlinspike is a cyber-security expert based in San Francisco, who writes on his website that he has "worked as a software engineer, hacker, sailor, captain, and shipwright." According to the Wall Street Journal, he has "been identified as the chief technology officer and co-founder of Whisper Systems, which produces privacy and security software applications." In May 2013, in a blog entry, Marlinspike detailed how he had been contacted via email by an employee of a Saudi Arabian telecommunication company, who was seeking his help in setting up a surveillance program at the behest of Saudi regulators. The program was intended to monitor communications on Twitter, WhatsApp, Viber, and Line (the latter three are apps that allow users to make calls and send texts).
According to Marlinspike, the telecom employee sent along some design documents suggesting tactics such as "compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception" and "purchasing SSL vulnerabilities or other exploits."
After asking some questions designed to get more clarification about the program, Marlinspike declined to help set it up. According to Marlinspike, the person who had contacted him then explained that Saudi Arabia was trying to respond to an ongoing terrorist threat, and added, "That's why I took this and I seek your help. If you are not interested than [sic] maybe you are on indirectly helping those who curb the freedom with their brutal activities."
Marlinspike writes that the kind of surveillance proposed by the Saudi Arabian telecom is "currently happening everywhere":
Before formulating an answer to the questions below, please review this summary of the qualities of good ethical judgment, and the questions that we should ask when faced with an ethical issue.
Assuming that all the details of Marlinspike's account are correct, did Marlinspike act ethically in rejecting the request from the telecom? Why, or why not?
Would your answer change if he had been approached with a similar request not by a Saudi Arabian telecom but by the government of a democratically elected country? By a U.S. ally? By the U.S. government? (Marlinspike writes that "[t]here are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom....")
What, if anything, should Marlinspike have done differently? Why?