Over the past days we've heard in the media that the NSA has infected at least 50.000 computers worldwide with digital sleeper agent software, as Techcrunch puts it. Obviously this has created a lot of outrage across the industry and also in the non-technical media. But despite all the outrage nobody really commented that actively infecting computers is by an order of magnitude worse from an ethical point of view than anything we have heard about the NSA's doings in recent months.
Listening passively on transmission links and harvesting data is one thing (which is already bad enough by itself), but infecting 50.000 computers with spyware is quite quite another. And I wonder who those 50.000 computers belong to!? Did the NSA really find that many terrorists out there? Somehow I doubt it. As if it isn't already bad enough that companies and individuals have to fight criminals trying to infect their PCs with malware that do all sorts of things like stealing passwords, extorting money, and so on. No, now we also have to defend ourselves against nation states doing similar things on a similar scale!?
It makes me wonder when this will go from accusation to proof? What it would take is the code or the executable of the malware and a link back to it's origin. With that in hand it wouldn't take long to actually find the malware in practice (unless all copies destroy themselves without leaving a trace). And then imagine the malware is found on computers of governments and private companies around the world. This is the point when the abstract becomes personalized. And when you look at what happened when the German Chancelor found out her phone calls were listened to you get an idea what is likely to happen in this case. Is it really possible to cover up 50.000 infections?
It really depresses me that a nation goes that far… And while we are at it: What makes us think it is only one nation who thinks it's a good idea to do such things?
My take on the PRISM scandal ist a bit different. I believe the worst revelation is that the NSA is spying on everyone. Total surveillance.
Spying on the heads of state is expected. Secret services have been doing this for millennia. But there used to be technical limits on spying. The German Stasi suffocated under the huge amount of files they kept. Similar to other Eastern European secret services that spied on their citizen. Modern computing technology has made it economically viable, for the first time in human history, to spy on the whole populace.
It used to be that spying services only spied on important people. And the rest of us could safely assume that we were not important enough to waste the resources.
50.000 computers is not that many. I expect them to be valuable targets. Mine isn’t.
But the NSA is trying to safe everything I do online for 30 years or longer. Similar, btw. to the data retention laws in Europe (Vorratsdatenspeicherung), though the European ones are “supposed” to have a time limit. And I expect the German services to have full access to the database. I also firmly believe that the only reason why some European countries don’t have similar programs like PRISM are monetary and technical. Problems that will be solved in time.
I remember a news story a few years ago about Canadian researchers discovering a botnet in China made up of computers running obsolete versions of Windows. What was notable about this botnet: a control interface written in Mandarin. The researchers could not determine who had written the software, pointing out that the US and Russia had the expertise to set up the system, as well as the Chinese. The researchers were puzzled at the lack of response from Western authorities when they published their findings.