“The Net interprets censorship as damage and routes around it.” – John Gilmore, circa 1993
For more than two decades, the Internet has provided us with a truly global platform for expression. Today, anyone can write an opposition party blog, post photographs of their cats, organize a street protest, contribute to an open source cryptography project on GitHub, participate in the search for extraterrestrial life, mine for Bitcoins, swap selfies, use PGP, or send 419 scam emails.
Some of the activity on the Internet—rightly and wrongly so—has drawn the ire of governments around the world. Their reactions have been unfortunately predictable; they not only proscribe the activities they consider harmful, but attempt to prescribe the manner in which the Internet itself operates. That they fail repeatedly somehow fails to deter them from trying time and time again.
As a case in point, those of us of a certain age will remember a befuddling option on the Netscape Navigator (remember Netscape?) download page: did we want a version of Netscape that supported only 40-bit RC4 in its SSL, or did we want the full 128-bit capable version? The “strong” version was only available if you checked a box verifying that you lived in the United States or Canada. Why? Because encryption with a key length of more than 40 bits was considered a weapon—“military grade”—and its export was illegal. At the time there were no geo-IP blocks or other verifying mechanisms: just an ineffectual check box. The United States’ ridiculous restriction on cryptography led to all sorts of silly results (algorithms printed on t-shirts, or OpenBSD developers moving to Canada, for example), but it did nothing to stop the spread of strong encryption.
Of course the United States government eventually gave up trying to stop encryption—only after a lawsuit by Daniel J. Bernstein and the Electronic Frontier Foundation—and crypto is now freely exportable. But governments haven’t stopped trying to stop the spread of information, and export regulations remain a favorite method. A current proposal would ban the export of surveillance command-and-control servers and possibly even all 0-day exploits. 3D printer files, not just those describing firearms, are also a common target for administrative bans. And while no one would suggest using a simple Netscape-style check box to enforce such a ban, given the rise of Tor and other censorship-resistant technologies, any export regulation today would be almost as ineffective.
The development and sale of software intended for mass surveillance—or mass violence—is a problem that desperately deserves our attention. I will argue that we must learn from the past, stop attempting to regulate our way out of the problem, and turn to other methods of holding accountable those who try to make the Internet a dangerous place.