Battle of privacy

Since social media and mobile internet started growing its popularity, the questions of privacy became a constant topic among the computer enthusiasts. When Edward Snowden blowed his whistle in 2013 the battle of privacy began its whole new chapter. US government got angry because of Snowden revealing their secrets about them snooping other people’s’ secrets. Suddenly the fears, stories and speculations of foil hats around the world became true. The big brother exists and its tricks were now public knowledge. After media writing about this for awhile people started to take sides. Regular people started to pay more attention on their privacy matters – or on the other team people kept ignoring them. I have been following media in Europe and paid attention especially in political discussions about this topic. It seems to me that there are plenty of politicians out there that seem not to understand what this thing is really about. The same goes for regular people like some of my friends.

weak_passwordIt feels like the common understanding in the western countries is that questions about privacy are something that one cannot affect and therefore is either ignoring them or letting the cyber security professionals and companies handle them. This is mostly gibberish – one can have an impact. Current VP of Insta Group, professor of cyber security and former director of McAfee and Stonesoft, Jarno Limnéll, has constantly said that cyber security should become civic skill. I fully agree with him. Everybody who uses internet to anything should have basic understanding of information and cyber security. This is where it comes to you my friend. One of the biggest powers that cyber criminals have are the botnets that are big groups of zombie devices. They are formed by injecting normal people’s devices with malware or breaking their weak passwords. That’s why neglecting personal security does not only let the criminals get into one’s personal data, it also makes the cyber criminals stronger and stronger. Because of advancing technology cyber spying can be made automated and more sopthisticated. In the era of big data nobody should “I’m safe as long as I’m not invidually targeted”. Understanding the basics and taking actions accordingly will make a huge difference. Of course a connected device can never be 100% secure. There are professionals with lots of resources who eventually find their way through normal protection, but they are people and organizations who have other agendas than getting one more device into their botnet. These attackers are typically not invidual’s problem, they are what governments and companies should be concerned about. You can protect yourself from automated mass attacks by keeping your systems and softwares up to date, having a proper firewall, using safe passphrases and applying common sense.

The people who decided to ignore privacy questions by often saying “I have nothing to hide” should think about the following questions. What is privacy? It is more than advertisers following your physical moves and internet browsing, or NSA reading your social media messages. Saying you have nothing to hide means you have no secrets. This means you cannot keep a secret from other people either as the Chief Research Officer of F-Secure, Mikko Hyppönen, pointed out in TED Talks. Being ignorant about your privacy is often ignorance about some of your friends’ privacy as well. So wouldn’t you mind telling me or any stranger your or your friend’s income? Who do you vote for in elections? Who are the people you really like or dislike? What about your online banking credentials? Take a deep breath and please do not answer to my questions. Instead think of why do you think people wanted to keep these things secret in the first place. If you still think it’s OK that somebody has free access to your personal data where is the limit? As a couple of examples technology already makes it possible to track your location even if you don’t explicitly allow that or you turn off your tracking and location settings on your phone. MIT researches made it also possible to measure your heart rate remotely using WiFi signals. Are you still OK if all this would be used against you? What if we are not only talking about “read-only” access but also “write” access. What if somebody could control your heart rate remotely? The future comes sooner than you think. I’m not saying you should start living in a Faraday cage or so. I’m just trying to make you think if all this should be really legal and justified and OK for you.

spiderman-with-great-power-comes-great-responsibilityThis chapter is about the politicians and officials who are supporting or willing to give autorization for the government to do mass surveillance on their or other countries’ citizens. I’m not convinced that most of these politicians answering all these polls understand what this would really mean. We are currently living in a world where a dedicated teenager can overcome some governments when it comes to cyber security questions (or actions). There are plenty of countries in the world which governments are not taking care of their own cyber security practices and policies in a proper way – not to mention the countries’ differences in getting prepared for cyber warfare which has been a big element in the war in Ukraine. Still those governments would like to get power they don’t seem to understand. I try to make it simple. In a fundamental level giving somebody access to data that is not accessible by others, requires an authentication system. Adding an online authentication system grows the attack surface of the system. Growing the attack surface weakens security. The web and online technologies are already vulnerable without any additional “tweaks”. Since Heartbleed vulnerability was discovered last year (2014), people started to do more digging and therefore other SSL/TLS vulnerabilities started to pop up (e.g. POODLE and FREAK). FREAK is also a good example of a disastrous decision by law makers (in this case US government wanted to put weak “export-grade” encryption in place so that they can do their surveillance) which weakened the security of every web user later on when this vulnerability was disclosed. One of the extreme examples of politician saying things he don’t understand about is David Cameron wanting to ban encryption. Even with proper authentication and encryption protocols in place, it’s unfortunately often too easy to act as somebody else in the internet. So my question for those politicians is – Are you ready to take that responsibility of creating surveillance interfaces? Do you have a good plan to protect them?

This my drain of thoughts about a topic I could continue forever but I think it’s time to wrap this up for now. Feel free to continue in the comments!

 

4 Comments

  1. Privace, one of my favorite topics… The big problem is the tradeoff between privacy and simplicity. Android or iOS phone is easily set up, Facebook and Whatsapp are easy ways to communicate and Google good way to find some information. None of them just isn’t secure in any way and at least I have no idea anymore what the service provider is allowed to do with “my” data according to their terms of service. Not to mention what use they have for the data they don’t tell about.

    But when I start thinking about it more, I realise I don’t really know what is secure anymore. At the moment I mostly just trust that my private data is a bit more difficult to steal than on average, so “they” don’t bother on stealing it, but concentrate on they easier prey. This is the same strategy I use with my bike, I have strong enough lock so that there is always easier catch around for the thief wanting to steal one.

    • Hi TemeV and thanks for your comment. It’s indeed true that the terms of service are long and complicated for most of the popular services. This is where one can apply some common sense though. Try to think what is the business model of that service and where it gets its income or funding. For most of the services the answer is advertisers and in this case you are the trade good they are offering. Advertising is perhaps not that bad if you are fine with seeing some ads every now and then (not to mention you can use tools to block those), but it gets more tricky when there are political or governmental agendas involved in the service. One thing that an invidual could do is to look for actively developed open source alternatives or be aware and accept publicity of your data in the most common social media services.

  2. Interesting post Kalle! It seems we all live in transparent houses made of glass, yet we collectively seem none too bothered.

    This current apathy about privacy does seem puzzling. Saying “why worry if I have nothing to hide” betrays a profound naivete. Perhaps blind faith in a seemingly benign government is harmless today, but we do not know who could come to power tomorrow and use the government’s gathered data archives against us. Perhaps totalitarianism seems too a distant memory for people today, but we should be eternally vigilant of tyranny – it can return unexpectedly. Leviathan is a beast of fickle disposition.

    During the Second World War, the Canadian government rounded up 27,000 people of Japanese origin (many of whom were citizens or veterans of the first world war) seized and sold their property, and detained them in brutal internment camps from 1941 until four years after the end of the war in 1949.

    This was not so long ago that we shouldn’t believe it could happen today – George Takei from Star Trek lived in an internment camp! Governments shouldn’t know too much about us, lest they acquire more power over us than they already have.

    • Thanks for your comment Ryan – really appreciate it! You are right. Of course it all depends on what sort of authorization / access / privileges are actually requested by the government. It’s much easier to comment when there would be more details. But in general it is as you said. It’s not about trusting the current leaders and the government, it’s about creating an interface that can be exploited by others (well depends on those details though). I don’t think it’s that bad if the government would be allowed to do something that other people cannot legally do without getting sued, but if we are tweaking the technology in a way that it provides special accesses for government, it would be naive to think that only the government is capable to use that interface in the long run.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.