Find the Collaborator – a proposal for a new game
To find the criminal, you must follow the money. To find the collaborator, you should follow the favours.
Now, if this principle holds true, we’ve got a good game to play – finding which security firms collaborate with government agencies by looking at which companies ingratiate themselves most, and which companies receive the most government favours.
Remember, this is a game. The rules are similar to those used by law enforcement agencies in their own game called Find the Terrorist: one red flag if the suspect denounces the invasion of a foreign land; two red flags if he or she accuses the government of lying or expresses sympathy with Anonymous; three red flags if a Moslem country is visited and so on. Six red flags and you’ve found a terrorist.
In our game, the following are worth one red flag:
- production of absurd statistics that support government policy (such as the cybercrime cost figures generated by McAfee and BAE Systems Detica)
- continuing success against all natural market forces (such as Microsoft Office, when there are better free products such as Open Office and Google Docs)
- purchase of key personal data companies that are outside of core business (such as EMC buying RSA, and Microsoft buying Skype)
- existing accusations of collaboration (such as BT over Tempora, and backdoors in Windows)
- directly accusing foreign governments of involvement in specific cybercrimes when in reality there can be no objective proof (such as Mandiant’s famous accusations against Comment Crew, and various firms’ terminology that implies that ‘hackers in China’ really means ‘Chinese government hackers’).
The following are worth two red flags:
- preferential treatment that does not make economic sense (such as government insistence that costly products, e.g. MS Office, are used in government departments, schools and examinations in preference to free products like Open Office)
- sudden increase in direct government-inspired attacks against the major competition (such as those against Google – so who is Google’s primary competition? Note, this doesn’t mean that Google is innocent.)
The following are worth three red flags:
- direct government ‘approval’ (such as the elevation of Mandiant, Detica, Cassidian, and Context to CESG’s Cyber Response Scheme)
- active support for proposals that will make government surveillance simpler (such as support for the Communications Bill in the UK, or the Trusted Computing Platform anywhere)
There aren’t any…
…because you can’t lose. All security firms collaborate with government to one degree or another. If they don’t do it willingly, they do so under coercion; and if they don’t do it yet, it’s because they haven’t been told to, yet. But they do or will do it. The only way for a company to avoid collaborating with government is to shut down – like Lavabit.