Privacy vs. Security: Interview with Newsweek's Steven Levy
Since 1984, when he made "Hackers" a household word by writing the groundbreaking book of the same name, Steven Levy has followed and chronicled the extraordinary growth of computer technology and the men and women who invented the digital age. His most recent book, Crypto, published in 2001, tells the story of how public key encryption-the bedrock of today's Internet security-fought its way into the marketplace. As Newsweek's chief technology writer and a contributing editor to Wired since its inception, Levy is in a better position than most to shed light on the important issues and trends affecting computer technology today. Recently, the editors of i.t.link sat down with him for a conversation.
Post 9/11, who's winning the battle between privacy and security?
9/11 actually raised the profile and importance of the privacy debate. There were a lot of privacy initiatives in Congress and State legislatures before the attacks, and it looked like a broad-based privacy bill might pass Congress, but the privacy debate was really taking place across a pretty narrow spectrum-policy wonks, lawyers, civil liberties advocates. Right after the attacks there was a sense among some people that anything about protecting privacy ought to be put on hold, that we ought to focus on Job 1, which was protecting ourselves from terrorism by any means necessary. But something interesting happened pretty quickly. Along with the concern over security there's a mutual concern over what we might have to give up to protect ourselves. The debate has raised the level of public awareness greatly-and the consensus is that most people want to make sure that the government doesn't ask for too much, that somewhere in there our rights don't get stepped on. One thing that's encouraging to me is that, along with a focus on protecting ourselves, there's a pretty broad consensus that we shouldn't go nuts, that we shouldn't invade privacy unless it's absolutely necessary, or put thousands of people under surveillance, or conduct blanket dragnets. As things stand now, most people agree that we ought to protect ourselves while doing the least harm to civil liberties, which is pretty much where the Constitution comes down on the subject. So to answer the question, privacy doesn't have to lose for security to win. It's not a zero-sum game, but a balancing act.
What about fears that terrorists will use the Internet somehow to plan another attack?
There are a lot of theories about how terrorists operate through technology. One thing we do know is that if they're using a channel they suspect is under surveillance, they'll stop using it and use something else, like couriers. If you take as an assumption that they're smart enough to know that someone might be listening to them, then under a blanket monitoring system the only people who are going to be monitored are the people who aren't doing anything wrong. If we intercept satellite phone messages, they'll stop using satellite phones and go into a library in Florida and use a public access computer and HotMail to send coded messages that look like ordinary e-mails. The tradeoff between all of us giving up our privacy so the government can read anything we write, and catching one bad guy that's stupid enough to be caught, isn't a good one. The goal shouldn't be to stop communication but to stop acts of terrorism.
Putting terrorism aside, what can be done to make the Internet and the networks it runs on more secure, whether we're trying to protect ourselves from government snoops or credit card thieves?
The Internet is an open network. When it was built, a very low priority was protecting these things in the pipeline from eavesdroppers. The most important thing was moving stuff along. The basic concept was a network where things could move freely and quickly. The whole history of Internet development has been to do things fast, to bring more things online, to introduce new applications, innovating without stopping. Most of the principal developers assumed that some day some guy with a bucket would come along and clean up the little messes left behind. When it comes to security, we're doing that now, but there are degrees of protection. An absolute guarantee of privacy for the average user is probably impossible.
Why is that? Can't we develop encryption algorithms that are unbreakable?
There are plenty of algorithms out there that are extremely strong, and have stood up to repeated attacks. The challenge is to get those algorithms to work on the average computer, or at least on the majority of computers in the marketplace. My suspicion is that we won't see much stronger cryptosystems installed on our machines anytime soon. Even if you install an algorithm that's far more inscrutable, there's still plenty of opportunity for a sophisticated and dedicated codebreaker to crack it. Because there are all kinds of variations in individual machines-timing variations, conflicts with other installed software-that give the cryptanalyst a foothold on what looks like sheer rockface. Even the tiniest variation-a conflict between the crypto system and the operating system, for instance-can give a good codebreaker a foothold. Once he starts to exploit those tiny footholds, the sheer face doesn't look sheer any more, but more like chipped ice-easier to climb. If there's one thing we've learned, it's that there's probably no such thing as an unbreakable code system.
The more connected schools and colleges become, the more young people that learn to use computers, the greater the chance that some will misuse them. What are the latest trends in hacking?
I call it rowdy computer activity, not hacking, because to me the word "hacker" is positive, not negative. But whatever you call it, the nature of it has changed, whether it's done on home machines or in school computer labs. Ten years ago kids-or adults-hacked into larger computers so they could root around to see what was stored on them or use their processor power and memory to do things they couldn't do on their own machines. They don't have to do that anymore, since home computers have become so much more powerful. What's fun and exciting now is breaking into some company's Web site and messing around with it or creating viruses that can literally propagate themselves around the world in a very short time. Today's big virus is called klez, which is about the most virulent I've ever seen and is really interesting because it does different things to different machines and programs as it moves around. Interestingly enough, some of the first copies I got started on Brown University's server, although none of the people whose names were attached to the originating e-mails containing it knew anything about its existence. Clearly someone got into Brown's server and used it to develop and then broadcast-sort of a classic example about how you can't protect yourself against every intruder.
When you wrote Hackers, you talked at length about the "hacker ethic." What is it and how has it changed as computing has evolved? Should kids today be studying the history of the computer pioneers to understand better where this concept came from?
The hacker ethic is a belief system, a way of looking at the world. When I wrote Hackers I boiled it down to two sentences: "Access to computers-and anything which might teach you something about the way the world works-should be unlimited and total. Always yield to the Hands-on imperative." The ethic wasn't written down before I took what was in the air and codified it, but there was a set of values that I felt was communicated by the tools themselves, by the way you programmed computers, the way they worked, and the ideas of sharing and collaborating. Those things haven't changed. They've proliferated because of the Internet. You don't have to look into the history to understand that when you work within that world you learn the values of collaboration, openness, values which force you to share if you really want to take full advantage of the tool. Free software, open source code, and the World Wide Web itself all evolved from the hacker ethic.
Did the dot.com boom and the overnight millions change the way the ethic evolved?
The resiliency of the ethic has consistently exceeded my expectations. When I wrote Hackers I was concerned about how greed might tarnish it, and the money most of the pioneers in hardware and software made was nowhere near the amounts generated by the dot.com boom. But for a lot of people who are really important in the computing and software world, the dot.com boom was really an annoying distraction because the emphasis on money and commercial potential obscured what to them is really important-which is expanding the toolset and getting ideas and information out there. Every time there's excess in one direction, there's a reaction against it-like the open source movement. So the more the medium evolves-the more pervasive computing and communication and networks become, the more the essential values of the hacker ethic are reinforced. It's pretty hardy. The medium really is the message. You can't be connected to the world without wanting to share-almost being forced to share-your ideas and thoughts with the world.
What's the next stage? How will the technology landscape change?
I can't foresee the future, but I think that it will be more and more about connecting. At first it was all about the computers themselves, then about the applications, then about the Internet and now it's all about connectivity-the potential of collaboration is virtually limitless because now and even more in the future it will not be about what network you're connected to but just where you happen to be-in an office, in a car, or a baseball stadium. You won't be tethered to your computer. The things that will surprise and delight us will be products of that collaboration, bringing together brainpower and efforts in non-obvious ways with wonderful results.