Peer-to-peer terrorism

Bad news from the Napster wars: The harder you fight against decentralized networks, the more enemies you create.

Published September 26, 2001 7:30PM (EDT)

Their hatred is implacable, their forces are decentralized. They seek the protection of remote hosts for their secret bases. Their networks are weblike and personal, difficult for outside observers to penetrate. They use e-mail, encryption and other new technologies to hide their dark doings.

Pay close enough attention to the descriptions of America's newest enemies coming from Washington's talking heads, and something starts to seem oddly familiar. Haven't we heard about these people before? Wasn't it just a few months ago that we were being warned about their dire plans and the civil liberties compromises required to fight them? But no. That wasn't about Osama bin Laden at all. That was about ... about ... Napster?

Strange but true: The rules of engagement in "America's New War" have a great deal in common with the content wars of the last few years. The RIAA and the MPAA -- the FBI and the CIA of the entertainment industries -- have been involved in extended legal battles with the music traders and software hackers of the world, and the strategies they have employed show some striking parallels to recent American anti-terrorist strategic thought. Consider:

All security is insecure.

The DeCSS debacle began when a 17-year-old amateur cracked the encryption scheme on DVDs. If there's an unpenetrated Web server or uncracked content-protection scheme out there, it's only because no one truly dedicated has tried to break it. As long as the media industries rely on technology-only solutions to protect their content, that protection is purely nominal, falling quickly before the determined hacker.

The harsh lessons of computer security are worth keeping in mind when thinking about terrorism. Systems are large and complex beasts and therefore vulnerable; the United States and its people are perhaps the largest and most complicated system in the world. An attacker has free choice of attacks: The hijackers last week were able to ignore the tight physical security around the World Trade Center by choosing an airplane-based attack instead. Security is what you use to spot your attackers and slow them down long enough for you to respond. Far better to seek out your opponents than to wait for them to come to you.

The front line of the conflict is human intelligence.

Shutting down any loose network -- whether it's a cluster of terrorist cells or a peer-to-peer file-sharing system -- depends on closing the knowledge gap between initiates and outsiders. The mere existence of a strong program of infiltration has an enormous deterrent effect: How can you recruit new members with confidence if every potential recruit might be a plant?

There's no way to just search the Internet for everyone running personal Web servers to share out their MP3s, but with enough dedicated surfers, the media companies have been able to spot most sites big enough to worry about. The result is that people are forced underground: They trade music in smaller networks than in Napster's day, sacrificing convenience for safer obscurity.

Something similar operates in the realm of anti-terrorist intelligence. There's no setting on spy satellites or metal detectors to scan for "terrorist," but enough skilled agents who fit in can track down any terrorist cell that interacts with the outside world. The MPAA had an easier time of it than the CIA will -- it's a lot easier to hire for Internet credibility than it is to hire for radical terrorist credibility -- but it's the credibility, rather than the technology, that opens doors and lets the light of law enforcement in.

If you can't shut down your enemy, shut down his hosts.

When the MPAA tried to suppress the distribution of DeCSS, it quickly discovered that many of the individual users posting the code to the Web were prohibitively difficult to identify, ruling out direct legal action against them. The MPAA instead targeted their ISPs: legally, the Web hosting companies were obligated to take down DeCSS pages, unless the users were willing to stand up in court and be sued. Through this sidestep, the MPAA was able to sic its lawyers on the people it really wanted to sue, or failing that, make the problem go away.

In declaring that the U.S. government would not distinguish between terrorists and regimes that harbor terrorists, President Bush acted on the same principle. Like the ISPs, the Taliban would prefer to be a bystander in any conflict. By making them liable for the safe harbors they grant, though, Bush transferred some of the weight of U.S. pressure to a more identifiable target -- in order to acquire greater leverage against his real enemies.

So far, so good. But though Washington has been quick to copy from Hollywood's playbook, it also seems reluctant to learn from the ways in which those plays have failed.

Zealous enforcement tactics against old enemies breed new enemies.

Before Napster, few people had strong opinions about the record companies, and their voices were rarely heard. But in the process of hunting down a few college students whose main offense was liking music too much, the RIAA managed to antagonize much of the software community and civil libertarians everywhere.

How did they blow it so badly? By giving their old enemies powerful new arguments, tons of publicity and an impressionable audience to preach to. Those students and music fans started hearing about cartels and Gestapo tactics when they asked why their Napster wasn't showing any songs today.

It's hardly any surprise the RIAA didn't understand how bad the P.R. consequences of a heavy hand would be: The U.S. as a country has a long and bloody history of isolating moderates while it chases extremists.

What will happen if the government of Pakistan is forced to do so much of our dirty work that it destabilizes itself? How much ill will will we harvest once the bombs start falling? And so on. Bold action may sometimes solve present problems, but it carries enormous risk of creating worse ones in the future. More worryingly ...

You can make them hide, but you can't rid the world of them.

Or at least, if you can, the RIAA hasn't figured out how. Napster went down in flames, but the Napster clones are numerous, thriving, better-hidden and harder than ever to take out.

Flattening your visible enemies inspires your remaining enemies to stay invisible; unless you make them no longer your enemies, they will find a time and a place of their own choosing to emerge from hiding. The best "victory" one can hope for in fighting a decentralized foe is not to eradicate them, but only to suppress their activities.

Try explaining this fact in Washington today, though, and nobody seems to be listening. Has Israel been able to eradicate Hamas? Has Britain been able even to suppress the IRA? For that matter, how well has China done in eliminating Falun Gong? Which raises one last and especially disturbing point, one that ought to go without saying ...

Terrorists are not the only people who operate in decentralized secrecy.

There are other peer-to-peer rebels out there, working in secret to change the world -- and most of them are what we would normally think of as the good guys.

Think of Afghan dissidents spreading the rhetoric of democracy from Internet cafes. From the perspective of the Afghan government, they look much the same way terrorists who coordinate attacks through e-mail look to us. Think of demonstrators scattering to avoid punitive raids from the police; think of rebel leaders trying to organize a resistance movement. A lot of people will be watching very carefully what the United States does to wage this new sort of war.

On the one hand, every new tactic we develop to defend democracy can be turned against the forces of democracy somewhere else in the world. And on the other, every bulwark the Internet provides against the anti-dissent squads somewhere far off and repressive, it provides also against the anti-terrorist branch of the FBI back home.

Technology giveth, and it taketh away. The same filtering software that protects children from pornography is used by repressive governments to "protect" their citizens from critical opinions. The new formats for compressing music designed to sell more CDs instead became the leading techniques for its illicit distribution.

As we prepare to develop ruthless new "weapons" in the fight against global terrorism, it is hard to overstate the need for some reflection on the ways those tactics might eventually be turned against us and those principles we believe in. A strange prospect, perhaps, but then again, until last week, how many people seriously thought of a passenger jet as a weapon of war?

By James Grimmelmann
