01 October, 2014

Security doesn't discriminate

Yesterday I published a long blog about privacy and why it matters. Unfortunately, as Commit Strip eloquently paints below, privacy almost always gives way to the same old arguments...
That was all too typical in Holder's call to tech companies to leave device back doors open to police. What Holder doesn't seem to get (or care about!) is that a back door doesn't discriminate who gets through. If you leave your door unlocked so the police can get in, do I really have to tell you it also means thieves can come in?

It is no different in 'cyberspace'. There ARE differences between real life and online life - but this is not one of them. Security Ninja Bruce Schneier pointed out the effect of this reality:
"We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them."
In his blog from 2 weeks ago, he continued:
"We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security."

Me too, Bruce. Me too. And it's even more irritating that the people who are supposed to protect us keep lying about it all.

Later addition

On October 3, Vox put the issue in a historical perspective. More details are in this New York Times article from 1994.

I spent some time collecting and commenting on the most interesting quotes:
"Wiretapping is among law enforcement's most cherished weapons. Only 919 Federal, state and local taps were authorized last year, but police agencies consider them essential to fighting crime."
We know things have changed, and not just in the US. In 2011, the Berliner police collected data from 4.2 MILLION mobile phones just to catch ONE group of car thieves... Shows how government surveillance has begun to spin out of control, if you ask me.

"Still, the effect of strong crypto on N.S.A. operations is not difficult to imagine. The agency is charged with signals intelligence, and it is widely assumed that it monitors all the communications between borders and probably much of the traffic within foreign countries. (It is barred from intercepting domestic communications.)"
Thanks to Snowden, we know that they're now heavily intercepting domestic communications. Some things have changed (Guardian article on effects of the Snowden leaks) but we have a long way to go. If you want to know more about Snowden - this article on Wired is among the very best.

The article talks about introducing a security chip (Clipper) with a back door for law enforcement, but correctly asks:
"What sort of nuclear terrorist would choose Clipper?"
Indeed:
"Some people criticize Clipper on the basis that truly sophisticated criminals would never use it, preferring other easily obtained systems that use high-grade cryptography."

"The Government understands the impossibility of eradicating strong crypto. Its objective is instead to prevent unbreakable encryption from becoming routine. If that happens, even the stupidest criminal would be liberated from the threat of surveillance. But by making Clipper the standard, the Government is betting that only a tiny percentage of users would use other encryption or try to defeat the Clipper."
In other words, this would do the same thing that copyright protection on music CDs famously did: legitimate use (like copying the songs from the album you own to your iPod) was made impossible, but slightly more sophisticated, often professional music sharers had no issues with the 'protection'.

"This seems to be the Government's intent -- to encourage "crypto lite," strong enough to protect communications from casual intruders but not from Government itself."
Making us thus all vulnerable to hackers, foreign governments etc etc. Nothing new under the sun!

A quote from the documentation of PGP gives this same response:
"If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors, oil companies, and other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable 'military grade' public-key cryptographic technology."
Amen.

The Vox article also points out the Washington Post had to correct an op-ed by former FBI official Ronald Hosko who gave a specific example where encryption would have thwarted a law enforcement investigation and cost lives - but turned out to be wrong. Honestly, if the one example the FBI has turns out to be wrong, how much is there to say for their argument? I don't think encryption will do as much harm as they like to claim.

XKCD already comically explained this: the government has many means of getting information from its citizens, and encryption doesn't change that much.



EDIT October 6: I can keep updating this post forever, but I won't - only one more link: Bruce Schneier weighed in, calling it Return of the Crypto Wars - referring to the fight around the Clipper chip I described above.

EDIT 2: Rather than writing a new blog, I thought I'd add another piece here. I've made the point that the pervasive spying doesn't help. Just, for reference, some evidence in the form of a series of attacks where the perpetrators were known but the secret service simply lacked the resources or insight to follow and catch them:

Via a blog from Dutch journalist De Winter

Of course this is still all complaining in the margins: no matter how horrible 'terrorism' is, it isn't a cause of death which is even remotely relevant in comparison to serious threats to people's lives like smoking or car accidents... And indeed, as the word points out: it is about 'terror'. Making people afraid. Not actually killing or harming them - ISIS and friends don't have the resources to do any real harm. They can just scare us into changing our society. Which our politicians are all too happy to do, well supported by the media (see this video).