As indicated by a report by the Citizen Lab, at least 45 countries worldwide use the commercial spyware Pegasus, many of which use it to intercept the communication of individual human rights defenders and journalists, among others.
In order to hack into someone’s device, the target receives an exploit link, that resolves to a private server of the attacker. Numerous cases of human rights violations document the use of Pegasus and similar sophisticated spyware with often severe consequences. High-level infiltration of communication is mostly targeting human rights defenders and regime critiques from authoritarian countries. Yet, the internet’s architecture is vulnerable to privacy and security intrusion for individuals at large.
Flawed design: A brief history of the internet’s architecture
The internet, as we know it today, was built in the 1970s and 1980s. The core protocols upon which the internet relies, Transmission Control Protocol/Internet Protocol (TCP/IP), were built to exchange information quickly and reliably among a small group of researchers and political elites. Not foreseeing the massive popularisation of the network, those protocols were designed without built-in security features and, for a long time, encryption of communication pertained to military elites only. Not much later, the Border Gateway Protocol (BGP) was developed in the 1980s to enable the routing of internet traffic between different networks. Similar to the design of TCP/IP, the designers of BGP assumed all networks to be trustworthy and did not consider security as an issue.
In the 1990s, commercial companies, commonly known as internet service providers (ISP) were allowed to operate networks as privatisation was considered the only way to grant internet access to a large number of individuals. Since then, the internet—originally made of a small number of networks used by a select group of people—developed into a global system used by every individual in their everyday lives. The security standards, however, did not change, and the same protocols developed back then are used for the transmission of communication today.
Systemic risks of internet use for individuals
An individual has little control over what happens to their data. If they sign up to a platform like Facebook or Instagram, they give away personal data with no knowledge about where this data is stored and whether and what information is shared with third parties. While cyber sceptics might simply refrain from sharing their data with US-based tech giants, in modern societies, it seems impossible to escape the digital world.
For many services that we rely on in everyday life, such as banking or health insurance, we share our data with public and private organisations. We thereby grant those organisations some rights on managing our data and hence also managing our privacy. This might include the jurisdictional location of storage and processing of our data and therefore makes the data more susceptible to security breaches. The health sector, for instance, is among the most vulnerable to data breaches, with millions of health records breached every year with potentially severe consequences such as identity theft.
Using SCION to gain control over data
While regulations such as the EU General Data Protection Regulation (GDPR) provide some protection to sharing personal data with other jurisdictions, we remain vulnerable to data exploitation and, above all, ignorant of where our data travels. Internet service providers using SCION can fully determine the routing of data packets and hence decide on particular jurisdictions to be excluded from routing. This makes communication less susceptible to data breaches such as BGP hijacking.
What if content providers were also using SCION to determine the routes taken by their customers’ data? In such a world, citizens would be less vulnerable to data exploitation as they would be able to choose the jurisdictions through which their data travel. This would provide a more robust and secure basis for communication, based on which individuals can choose additional layers to secure communication such as encryption.
Anstis S., Deibert R., Kenyon M., and Scott-Railton J. (2019): The Dangerous Effects of Unregulated Commercial Spyware, online: https://citizenlab.ca/2019/06/the-dangerous-effects-of-unregulated-commercial-spyware/
Chan, A. W. (2019). The need for shared responsibility regime between state and non-state actors to prevent human rights violations caused by cyber-surveillance spyware. Brooklyn Journal of International Law, 44(2), 795-830.
Datapath.io (2016): The History of Border Gateway Protocol, online: https://medium.com/@datapath_io/the-history-of-border-gateway-protocol-a212b7ee6208
European Commission (2017): What rules apply if my organisation transfers data outside the EU?, online: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en
Garbe, L. (2020): Internet hijacking a threat from the past? SCION pledges that it could be, online: https://www.anapaya.net/blog/internet-hijacking-a-threat-from-the-past
Harris, P. (2011): Social networking under fresh attack as tide of cyber-scepticism sweeps US, online: https://www.theguardian.com/media/2011/jan/22/social-networking-cyber-scepticism-twitter
HIIPA journal (2019): First Half of 2019 Sees 31.6 Million Healthcare Records Breached, online:
Steger, A. (2019): What Happens to Stolen Healthcare Data?, online:
Timberg, C. (2015): A Flaw in the Design, online: / https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/
Yuksel, H. (2020): Anapaya develops a new communication service for the financial centre with the Swiss National Bank and SIX, online: https://www.anapaya.net/blog/anapaya-develops-a-new-communication-service-for-the-financial-centre-with-the-swiss-national-bank-and-six