The Net Delusion - Evgeny Morozov [83]
But as security professionals attest, while it’s possible to minimize the risks created by the infrastructure, it’s much harder to discipline the users of a technology. Many sophisticated attacks originate by manipulating our trust networks, like sending us an email from a person we know or having us download files from trusted websites, as happened in the case of the Vietnamese activists. When we visit a website of an organization we trust, we do not expect to be hit with malware any more than we expect to be poisoned at a dinner party; we trust that the links we click on won’t lead to sites that will turn our computers into mini-panopticons. Such trust has undoubtedly made the Internet an appealing place to do business or just waste so many hours of our lives. Few of us spend much time pondering the security settings on our favorite sites, especially if no sensitive data is divulged. But a low level of awareness is precisely what makes compromising the security of such sites so tempting, especially if these are niche sites catering to particular audiences. An attack can infect computers of all independent journalists, brave human rights defenders, or revisionist historians without triggering any suspicions from more computer-savvy user groups.
Poorly secured sites of specific communities thus enable the kind of attacks—many of which invariably result in more surveillance—that may not succeed were members of such communities targeted individually. This is what happened to Reporters Without Borders (RSF), a prominent international NGO defending freedom of expression, in July 2009, when someone inserted a malicious link into an email that RSF sent to its supporters. The link was placed next to the text of a 13,000-strong petition demanding the release of the documentary film-maker Dhondup Wangchen from prison. Once clicked, it did lead to what looked like a genuine petition—so one would not suspect anything inappropriate—but the website also contained a security trap, infecting the computers of anyone who clicked on the malicious link. Alerted to the problem, RSF promptly removed the link, but it is difficult to estimate how many computers were compromised.
Even popular and much better-staffed organizations are not immune to embarrassing vulnerabilities that could cause damage to everyone in their social and professional circle. In early 2009 the website of the New York Times, which relies on banner ads provided by third parties, inadvertently served malware to some of its visitors. Such gaffes are poised to become even more widespread, as more and more websites incorporate a bevy of third-party services (e.g., Facebook’s “like” button), surrendering full control over what kind of data flows through their site. When even the website of the New York Times feeds you viruses, there is little on the Internet you can safely surf on autopilot.
The Internet runs on trust, but its dependence on trust also opens up numerous vulnerabilities. Its effectiveness as a tool of carving out spaces of dissent and, in exceptional cases, even campaigning against authoritarian governments has to be judged on a much wider set of criteria than just the cost and ease of communications. It’s quite obvious that in a world where there are no other uses for the Internet, email is a cheaper, more effective, and more secure alternative to the handwritten letter. But in a world like ours, where the Internet has many other functions, it would be a mistake to evaluate the practice of email in isolation from other online activities: browsing, chatting, typing, gaming, file sharing, and downloading and viewing porn. Each of these activities creates multiple vulnerabilities that alter the risk calculus.
It’s important to avoid falling victim to Internet-centrism and focusing only on the intrinsic qualities of online tools at the expense of studying how those qualities are mitigated by the contexts in which the