Observability In Botnet Takedown By Government On Private Infrastructure
I’m looking into how to make API security more transparent and observable lately, and looking for examples of companies, institutions, organizations, politicians, and the government are calling for observability into wherever APIs are impacting our world. Today’s example comes out of POLITICO’s Morning Cybersecurity email newsletter, which has become an amazing source of daily information for me, regarding transparency around the take down of bot networks.
“If private companies cooperate with government agencies - for example, in the takedown of botnets using the companies’ infrastructure - they should do so as publicly as possible, argued the Center for Democracy & Technology . “One upside to compulsory powers is that they presumptively become public eventually, and are usually overseen by judges or the legislative branch,” CDT argued in its filing. “Voluntary efforts run the risk of operating in the dark and obscuring a level of coordination that would be offensive to the general public. It is imperative that private actors do not evolve into state actors without all the attendant oversight and accountability that comes with the latter.”
I’ve been tracking on the transparency statements and initiatives of all the API platforms. At some point I’m going to assemble the common building blocks of what is needed for executing platform transparency, and I will be including these asks of the federal government. As the Center for Democracy & Technology states this relationship between the public and private sector when it comes to platform surveillance needs to be more transparent and observable in all forms. Bots, IoT, and the negative impacts of API automation needs to be included in the transparency disclosure stack. If the government is working with platform to discover, surveil, or shutdown bot networks there should be some point in which operations should be shared, including the details of what was done.
We need platform transparency and observability at the public and private sector layer of engagement. Sure, this sharing of information would be time sensitive, respecting any investigations and laws, but if private sector infrastructure is being used to surveil and shut down U.S. citizens there should be an accessible, audit-able log for this activity. Of course it should also have an API allowing auditors and researchers to get all relevant information. Bots are just one layer of the API security research I’m doing, and the overlap in the bot world when it comes to API transparency, observability, and security is an increasingly significant vector when it comes to policing, surveillance, but also when it comes to protecting the privacy and safety of platform people (citizens).