Surreptitious Surveillance on the Internet
An Ethics Case Study
Moxie Marlinspike is a cyber-security expert based in San Francisco, who writes on his website that he has "worked as a software engineer, hacker, sailor, captain, and shipwright."According to the Wall Street Journal, he has "been identified as the chief technology officer and co-founder of Whisper Systems, which produces privacy and security software applications." In May 2013, in a blog entry, Marlinspike detailed how he had been contacted via email by an employee of a Saudi Arabian telecommunication company, who was seeking his help in setting up a surveillance program at the behest of Saudi regulators. The program was intended to monitor communications on Twitter, WhatsApp, Viber, and Line (the latter are apps that allow users to make calls and send texts).
According to Marlinspike, the telecom employee sent along some design documents suggesting tactics such as "compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception" and "purchasing SSL vulnerabilities or other exploits."
After asking some questions designed to get more clarification about the program, Marlinspike declined to help set it up. According to Marlinspike, the person who had contacted him then explained that Saudi Arabia was trying to respond to an ongoing terrorist threat, and added, "That's why I took this and I seek your help. If you are not interested than [sic] maybe you are on indirectly helping those who curb the freedom with their brutal activities."
Marlinspike writes that the kind of surveillance proposed by the Saudi Arabian telecom is "currently happening everywhere":
Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated. I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?
Before formulating an answer to the questions below, please review this summary of the qualities of good ethical judgment, and the questions that we should ask when faced with an ethical issue.
1. Assuming that all the details of Marlinspike's account are correct, did Marlinspike act ethically in rejecting the request from the telecom? Why, or why not?
2. Would your answer change if he had been approached with a similar request not by a Saudi Arabian telecom but by the government of a democratically elected country? By a U.S. ally? By the U.S. government? (Marlinspike writes that "[t]here are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom....")
3. What, if anything, should Marlinspike have done differently? Why?
4. Marlinspike writes,
If I'm really honest with myself, ... there was something fun about an insecure internet [in the past], particularly since that insecurity predominantly tended to be leveraged by a class of people that I generally liked against a class of people that I generally disliked. ... Somewhere between then and now, however, there was an inflectionpoint. It's hard to say exactly when it happened, but these days, the insecurity of the internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that's by governments against people.
Do you agree with his assessment? If so, what role should software engineers/developers/hackers play in this new environment?
Irina Raicu is the Internet Ethics Program Director at the Markkula Center for Applied Ethics.