US Homeland Security must disclose ‘internet kill switch’, court rules

library
crime | hacking | security

A US court has given the government 30 days to come up with a decent reason not to disclose its plan for a so-called internet kill switch.

The Electronic Privacy Information Center (EPIC) has been trying to wrangle documents concerning the kill switch – officially known as Standard Operating Procedure 303 – from the tight grip of the Department of Homeland Security (DHS) since filing a Freedom of Information Act (FOIA) in July 2012.

Standard Operating Procedure 303 describes a shutdown and restoration process for wireless networks in the event of a national crisis that would prevent, among other things, the remote triggering of radio-activated explosives.

First, DHS said it couldn’t find any records on the kill switch.

EPIC appealed.

Next, the agency managed to locate the protocol, but it redacted nearly all of it.

DHS argued that the protocol is exempt from public disclosure because it discloses “techniques and procedures for law enforcement investigations or prosecutions” or could “reasonably be expected to endanger the life or physical safety of any individual.”

In the case of disclosing SOP 303, the government argued that “any individual” means anybody anywhere near an unexploded bomb.

The United States District Court for the District of Columbia rejected the agency’s arguments.

In its memorandum, the court wrote that the government’s interpretation of the law was a teensy bit broad, given that it could apply to everybody on the planet:

Indeed, if the Government’s interpretation were to hold, there is no limiting principle to prevent “any individual” from expanding beyond the roughly 300 million inhabitants of the United States, as the Government proposes here, to the seven billion inhabitants of the earth in other cases.

The court ordered DHS to release the records in 30 days but left the door open for the agency to appeal the ruling, given what it said was the potential impact on national security of releasing the protocol.

Civil libertarians are understandably unnerved by the idea of an internet kill switch.

After all, where does a government draw the line with defensive measures? Would the US government shut down only the government systems affected by an attack – be they systems running the traffic lights, or perhaps electrical and/or other power grids, for example – or would it shut down the whole internet?

And as Sophos’s Chester Wisniewski argued in a podcast a couple of years ago, Chet Chat #49, if we’re under attack over the internet, and that attack is disrupting essential systems, turning off the whole darn thing wouldn’t disrupt the problem.

It would just keep us all from accessing those very systems.

And as far as internet censorship goes, the Arab Spring showed the world how governments can use law, technology and violence to control what gets posted on and disseminated through the internet, as the people of Egypt, Libya and Syria saw their access shut down.

In Tunisia, the government didn’t shut down the internet – rather, it compromised its citizens’ Facebook and other social media accounts.

Which is worse? To know that access has been cut off, or to have credentials intercepted so governments can secretly spy on us?

Unfortunately, it’s not an either/or situation. We have both. We’re living in a world where both the internet kill switch and government surveillance co-exist.

Or are we?

Unless DHS appeals the decision, we should know, in 30 days, how real this internet kill switch is.