PGP (now in its fifth incarnation) does indeed enable one to protect one’s communications from spying eyes. It meets Snowden’s requirement for “strong crypto”. But it hasn’t realised its revolutionary potential because it turns out that powerful software is a necessary but not sufficient condition for effective security. And the reason is that, to be effective, PGP has to be implemented by humans and they turn out to be the weak link in the chain.
This was brought forcibly home to me last week at a symposium on encryption, anonymity and human rights jointly organised by Amnesty International and academics from Cambridge University…
When, in the summer of 2013, Edward Snowden began his revelations of the shocking scale of the electronic surveillance currently practised by the NSA and its overseas franchises in Britain, Canada, Australia and New Zealand, the big and obvious question was: is this just another scandal; or is it a real crisis?
Until this week, I’d have said that it was just another scandal…
NSA surveillance is going to cost the U.S. tech sector a lot more than originally thought.
The Information Technology and Innovation Foundation (ITIF), a Washington, D.C. -based think tank that advocates for policies that nurture technology innovation, has released a new report in which it raises its previous estimate of how much surveillance by the U.S. intelligence community could cost U.S. tech companies.
In 2013, the non-partisan group estimated that the NSA-related revelations stemming from Edward Snowden’s 2013 leak would scare away foreign customers in the cloud computer sector to the tune of as much as $35 billion in business. The new report says that figure is too low, and that the economic reverberations will “likely far exceed” that initial $35 billion estimate, although the report wasn’t more specific on a final figure.
For anyone still in doubt about the impact of Edward Snowden’s revelations, it might be instructive to review what has been going on in the US Congress over the last few months, with legislators grappling with bills aimed at curbing the surveillance capabilities of the NSA and other federal agencies. In the end, in a classic congressional farce, there was a brief intermission in the NSA’s data-gathering capabilities, after which the Senate passed a bill to end the agency’s bulk collection of the phone records of millions of Americans.
At one level it’s a significant moment: one in which – as a Guardian leader writer put it – “an outlaw rewrites the law”. And in a few other countries, notably Germany, Snowden’s revelations do seem to be having a demonstrable impact – as witnessed, for example, by the Bundestag’s inquiry into NSA surveillance within the Federal Republic.
These are non-trivial outcomes, but we shouldn’t get carried away…
Electronic Frontier Foundation attorney Kurt Opsahl has gone spelunking in the history of Facebook’s privacy policies over the past five years, presenting a timeline that starts with something fairly moderate and reasonable in 2005 and moves to the … 2010 version which basically says, “By using Facebook, you agree to let us film your life 24/7, sell it to advertisers, ridicule it, or make a reality show from it.”
As Kurt says, “Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it’s slowly but surely helped itself — and its advertising and business partners — to more and more of its users’ information, while limiting the users’ options to control their own information.”
Who said irony was dead? The tech zillionaires are so blasé about how their users are relaxed about privacy and what is quaintly called “sharing”. But they are not at all blasé when it comes to sharing information about themselves. Google’s Exec Chairman, Eric Schmidt, for example, believes that “privacy is dead”, but went apeshit when some enterprising journalist dug up lots of personal information about him simply by using, er, Google.
And then there’s young Zuckerberg, the Facebook boss, who is likewise relaxed about other people’s privacy, but paranoid about his own. See, for example, this Forbes report on his need to buy up an entire neighbourhood block in palo Alto to ensure that he isn’t overlooked:
So much for Zuckerberg only making a big digital footprint. Now the online empire maker owns nearly an entire neighborhood block, just because he can.
According to property records, the Facebook CEO has spent $30 million over the past year buying the pricy homes of four of his neighbors. It’s within his right, and within his budget, especially with Facebook stock finally starting to march up in value after its controversial and lackluster IPO.
Now the NYT is reporting that he’s updating a house in San Francisco, where even he might not be able to persuade his neighbours to clear out. But builders and tradesmen working on this nouveau palace find that they have to sign Non-Disclosure Agreements lest the world should know which kind of bidet the infant zillionaire favours.
The implication of these latest revelations is stark: the capabilities and ambitions of the intelligence services mean that no electronic communications device can now be regarded as trustworthy. It’s not only your mobile phone that might betray you: your hard disk could harbour a snake in the grass, too.
No wonder Andy Grove, the former boss of Intel, used to say that “only the paranoid survive” in the technology business. Given that we have become totally dependent on his industry’s products, that knowledge may not provide much consolation. But we now know where we stand. And we have Edward Snowden to thank for that.
The really sinister thing about the nothing-to-hide argument is its underlying assumption that privacy is really about hiding bad things. As the computer-security guru Bruce Schneier once observed, the nothing-to-hide mantra stems from “a faulty premise that privacy is about hiding a wrong”. But surveillance can have a chilling effect by inhibiting perfectly lawful activities (lawful in democracies anyway) such as free speech, anonymous reading and having confidential conversations.
So the long-term message for citizens of democracies is: if you don’t want to be a potential object of attention by the authorities, then make sure you don’t do anything that might make them – or their algorithms – want to take a second look at you. Like encrypting your email, for example; or using Tor for anonymous browsing. Which essentially means that only people who don’t want to question or oppose those in power are the ones who should be entirely relaxed about surveillance.
We need to reboot the discourse about democracy and surveillance. And we should start by jettisoning the cant about nothing-to-hide. The truth is that we all have things to hide – perfectly legitimately. Just as our disgraced former foreign secretaries had.
So Sir Malcolm Rifkind has fallen on his sword after a journalistic sting operation recorded him apparently touting for work from a fake Chinese company that was supposedly wanting him to join its advisory board. The other former Foreign Secretary, Jack Straw, was similarly embarrassed after he was surreptitiously recorded bragging about the access that his status as a former senior minister granted him. Both men protested vigorously that they had done nothing wrong, which may well be true, at least in the sense that they were adhering to the letter of the rules for public representatives.
What’s interesting about Rifkind’s fall is that he used to be an exponent of the standard mantra — “if you have nothing to hide then you have nothing to fear” from bulk surveillance. Both men claim that they had done nothing wrong, but at the same time it’s clear that they have been grievously embarrassed by public exposure of activities that they wanted to keep private. In that sense, they are in the same boat as most citizens. We all do harmless things that we nevertheless regard as private matters which are none of the government’s business. That’s what privacy is all about.
Interesting video by Tim Libert, summarising the results of some research he did on the way health information sites (including those run by government agencies) covertly pass information about health-related searches to a host of commercial companies. Libert is a researcher at the University of Pennsylvania. He built a program called webXray to analyze the top 50 search results for nearly 2,000 common diseases (over 80,000 pages total). He found that no fewer that 91% of the pages made third-party requests to outside companies. So if you search for “cold sores,” for instance, and click the WebMD “Cold Sores Topic Overview” link, the site is passing your request for information about the disease along to “one or more (and often many, many more) other corporations”.
According to Libert’s research (Communications of the ACM, Vol. 58 No. 3, Pages 68-77), about 70% of the time, the data transmitted “contained information exposing specific conditions, treatments, and diseases.”
So think twice before consulting Dr Google. Especially if you think you might have a condition that might affect your insurance rating.