Appeasement over encryption is a *really* bad idea

This morning’s Observer column:

Ever since the internet emerged into public view in the 1980s, a key question has been whether digital technology would pose an existential challenge to corporate and governmental power. In this context, I am what you might call a recovering utopian – “utopian” in that I once did believe that the technology would put it beyond the reach of state and corporate agencies; and “recovering” in the sense that my confidence in that early assessment has taken a hammering over the years. In that period, technology has sometimes trumped politics and/or commercial power, but at other times it’s been the other way round.

The early battles were over intellectual property. Since computers are essentially copying machines, making perfect copies of digital goods became child’s play. As a celebrated trope put it: “Copying is to digital technology as breathing is to animal life.” So began the copyright wars, triggered by widespread piracy and illicit sharing of copyrighted files, which emasculated the music industry and led to the emergence of new corporate masters of the media universe – Apple, Spotify, YouTube and the rest – and the taming of the file-sharing monster. Result: Technology 1, Establishment 1.

The second battleground was the monitoring of network communications. The internet enabled anyone to become a global publisher and to exchange information via email with anyone who had a network connection. And this posed acute difficulties for established powers that were accustomed to being able to control the flow of information to their citizens. Since nothing on the net in the early days was encrypted, everyone communicated using the virtual equivalent of holiday postcards – readable by everyone who handled them en route to their destination. The only difficulty that states experienced in monitoring this unprotected torrent was its sheer volume, but Moore’s Law and technological development fixed that. It became feasible to collect “the whole goddam haystack” (to quote a former NSA director) if you threw enough resources at it. So they did – as Edward Snowden revealed. Result: Technology 0, Establishment 1.

But the biggest battle has always been about encryption…


Humans are the weakest link

This morning’s Observer column:

PGP (now in its fifth incarnation) does indeed enable one to protect one’s communications from spying eyes. It meets Snowden’s requirement for “strong crypto”. But it hasn’t realised its revolutionary potential because it turns out that powerful software is a necessary but not sufficient condition for effective security. And the reason is that, to be effective, PGP has to be implemented by humans and they turn out to be the weak link in the chain.

This was brought forcibly home to me last week at a symposium on encryption, anonymity and human rights jointly organised by Amnesty International and academics from Cambridge University…


The biggest question posed by the Anderson Report

This morning’s Observer column:

When, in the summer of 2013, Edward Snowden began his revelations of the shocking scale of the electronic surveillance currently practised by the NSA and its overseas franchises in Britain, Canada, Australia and New Zealand, the big and obvious question was: is this just another scandal; or is it a real crisis?

Until this week, I’d have said that it was just another scandal…


The industrial fallout from NSA surveillance

NSA surveillance is going to cost the U.S. tech sector a lot more than originally thought.

The Information Technology and Innovation Foundation (ITIF), a Washington, D.C.-based think tank that advocates for policies that nurture technology innovation, has released a new report in which it raises its previous estimate of how much surveillance by the U.S. intelligence community could cost U.S. tech companies.

In 2013, the non-partisan group estimated that the NSA-related revelations stemming from Edward Snowden’s 2013 leak would scare away foreign customers in the cloud computer sector to the tune of as much as $35 billion in business. The new report says that figure is too low, and that the economic reverberations will “likely far exceed” that initial $35 billion estimate, although the report wasn’t more specific on a final figure.

Source

Ed Snowden has definitely had an impact but…

This morning’s Observer column:

For anyone still in doubt about the impact of Edward Snowden’s revelations, it might be instructive to review what has been going on in the US Congress over the last few months, with legislators grappling with bills aimed at curbing the surveillance capabilities of the NSA and other federal agencies. In the end, in a classic congressional farce, there was a brief intermission in the NSA’s data-gathering capabilities, after which the Senate passed a bill to end the agency’s bulk collection of the phone records of millions of Americans.

At one level it’s a significant moment: one in which – as a Guardian leader writer put it – “an outlaw rewrites the law”. And in a few other countries, notably Germany, Snowden’s revelations do seem to be having a demonstrable impact – as witnessed, for example, by the Bundestag’s inquiry into NSA surveillance within the Federal Republic.

These are non-trivial outcomes, but we shouldn’t get carried away…


Sociopathy, Facebook style

BoingBoing introduced the EFF’s sobering timeline of the evolution of Facebook’s ‘privacy’ policy between 2005 and 2012 thus:

Electronic Frontier Foundation attorney Kurt Opsahl has gone spelunking in the history of Facebook’s privacy policies over the past five years, presenting a timeline that starts with something fairly moderate and reasonable in 2005 and moves to the … 2010 version which basically says, “By using Facebook, you agree to let us film your life 24/7, sell it to advertisers, ridicule it, or make a reality show from it.”

As Kurt says, “Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it’s slowly but surely helped itself — and its advertising and business partners — to more and more of its users’ information, while limiting the users’ options to control their own information.”

Privacy: who needs it? Er, Zuckerberg & Co

Who said irony was dead? The tech zillionaires are so blasé about how their users are relaxed about privacy and what is quaintly called “sharing”. But they are not at all blasé when it comes to sharing information about themselves. Google’s Exec Chairman, Eric Schmidt, for example, believes that “privacy is dead”, but went apeshit when some enterprising journalist dug up lots of personal information about him simply by using, er, Google.

And then there’s young Zuckerberg, the Facebook boss, who is likewise relaxed about other people’s privacy, but paranoid about his own. See, for example, this Forbes report on his need to buy up an entire neighbourhood block in Palo Alto to ensure that he isn’t overlooked:

So much for Zuckerberg only making a big digital footprint. Now the online empire maker owns nearly an entire neighborhood block, just because he can.

According to property records, the Facebook CEO has spent $30 million over the past year buying the pricy homes of four of his neighbors. It’s within his right, and within his budget, especially with Facebook stock finally starting to march up in value after its controversial and lackluster IPO.

Now the NYT is reporting that he’s updating a house in San Francisco, where even he might not be able to persuade his neighbours to clear out. But builders and tradesmen working on this nouveau palace find that they have to sign Non-Disclosure Agreements lest the world should know which kind of bidet the infant zillionaire favours.

Getting to bedrock

This morning’s Observer column:

The implication of these latest revelations is stark: the capabilities and ambitions of the intelligence services mean that no electronic communications device can now be regarded as trustworthy. It’s not only your mobile phone that might betray you: your hard disk could harbour a snake in the grass, too.

No wonder Andy Grove, the former boss of Intel, used to say that “only the paranoid survive” in the technology business. Given that we have become totally dependent on his industry’s products, that knowledge may not provide much consolation. But we now know where we stand. And we have Edward Snowden to thank for that.


Straw and Rifkind had nothing to hide, but…

This morning’s Observer column:

The really sinister thing about the nothing-to-hide argument is its underlying assumption that privacy is really about hiding bad things. As the computer-security guru Bruce Schneier once observed, the nothing-to-hide mantra stems from “a faulty premise that privacy is about hiding a wrong”. But surveillance can have a chilling effect by inhibiting perfectly lawful activities (lawful in democracies anyway) such as free speech, anonymous reading and having confidential conversations.

So the long-term message for citizens of democracies is: if you don’t want to be a potential object of attention by the authorities, then make sure you don’t do anything that might make them – or their algorithms – want to take a second look at you. Like encrypting your email, for example; or using Tor for anonymous browsing. Which essentially means that only people who don’t want to question or oppose those in power are the ones who should be entirely relaxed about surveillance.

We need to reboot the discourse about democracy and surveillance. And we should start by jettisoning the cant about nothing-to-hide. The truth is that we all have things to hide – perfectly legitimately. Just as our disgraced former foreign secretaries had.


ISC Chairman had “nothing to hide” but still got into trouble

So Sir Malcolm Rifkind has fallen on his sword after a journalistic sting operation recorded him apparently touting for work from a fake Chinese company that was supposedly wanting him to join its advisory board. The other former Foreign Secretary, Jack Straw, was similarly embarrassed after he was surreptitiously recorded bragging about the access that his status as a former senior minister granted him. Both men protested vigorously that they had done nothing wrong, which may well be true, at least in the sense that they were adhering to the letter of the rules for public representatives.

What’s interesting about Rifkind’s fall is that he used to be an exponent of the standard mantra — “if you have nothing to hide then you have nothing to fear” from bulk surveillance. Both men claim that they had done nothing wrong, but at the same time it’s clear that they have been grievously embarrassed by public exposure of activities that they wanted to keep private. In that sense, they are in the same boat as most citizens. We all do harmless things that we nevertheless regard as private matters which are none of the government’s business. That’s what privacy is all about.