Moxie Marlinspike is a cyber-security expert based in San Francisco, who is identified as the chief technology officer and co-founder of Whisper Systems, which produces privacy and security software applications. In May 2013 Marlinspike detailed how he had been contacted via email by an employee of a Saudi Arabian telecommunication company, who was seeking his help in setting up a surveillance program at the behest of Saudi regulators. The program was intended to monitor communications on Twitter, WhatsApp, Viber, and Line (the latter allow users to make calls and send texts).
According to Marlinspike, the telecom employee sent along some design documents suggesting tactics such as “compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception” and “purchasing SSL vulnerabilities or other exploits.”
After asking some questions designed to get more clarification about the program, Marlinspike declined to help set it up. According to Marlinspike, the person who had contacted him then explained that Saudi Arabia was trying to respond to an ongoing terrorist threat, and added, “That’s why I took this and I seek your help. If you are not interested than [sic] maybe you are helping those who curb the freedom with their brutal activities.”
According to many world-wide sources, the kind of surveillance proposed by the Saudi Arabian telecom is “currently happening everywhere”:
“Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated. I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?”
Please consider the following questions relating to the above ethical issue:
1. Assuming that all the details of Marlinspike’s account are correct, did Marlinspike act ethically in rejecting the request from the telecom? Why, or why not?
2. Would your answer change if he had been approached with a similar request not by a Saudi Arabian telecom but by the government of a democratically elected country? By a U.S. ally? By the U.S. government? (Marlinspike writes that “[t]here are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom….”)
3. What, if anything, should Marlinspike have done differently? Why?
4. Marlinspike writes,
“If I’m really honest with myself, … there was something fun about an insecure Internet [in the past], particularly since that insecurity predominantly tended to be leveraged by a class of people that I generally liked against a class of people that I generally disliked. … Somewhere between then and now, however, there was an inflection point. It’s hard to say exactly when it happened, but these days, the insecurity of the Internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that’s by governments against people.”
Do you agree with his assessment? If so, what role should software engineers/developers/hackers play in this new environment?
These scenarios are filled with small details that you must take into account in writing up your response. Be sure to focus on those details and on the specific objective you are given. You cannot change the details or pretend that they don’t exist when responding to the scenario. What is described, with all its caveats, is the situation in which you find yourself. Take your time. Think through all the variables. You cannot change the situation as it is described, so make sure that you haven’t ignored any of the particulars in its description. Within the parameters of the situation at hand, try to predict the likely results of the different actions you might take, and pick your solution. Write up your best thinking.