Ever since social media and mobile internet started growing in popularity, questions of privacy have been a constant topic among computer enthusiasts. When Edward Snowden blew the whistle in 2013, the battle over privacy began a whole new chapter. The US government got angry because Snowden revealed their secrets about them snooping on other people’s secrets. Suddenly the fears, stories and speculations of foil hats around the world became true. Big Brother exists and its tricks were now public knowledge. After the media had written about this for a while, people started to take sides. Regular people started to pay more attention to their privacy matters – or, on the other team, people kept ignoring them. I have been following the media in Europe and paid attention especially to political discussions about this topic. It seems to me that there are plenty of politicians out there who seem not to understand what this thing is really about. The same goes for regular people like some of my friends.
It feels like the common understanding in the western countries is that questions about privacy are something that one cannot affect, and therefore one either ignores them or lets the cyber security professionals and companies handle them. This is mostly gibberish – one can have an impact. The current VP of Insta Group, professor of cyber security and former director of McAfee and Stonesoft, Jarno Limnéll, has constantly said that cyber security should become a civic skill. I fully agree with him. Everybody who uses the internet for anything should have a basic understanding of information and cyber security. This is where it comes to you, my friend. One of the biggest powers that cyber criminals have is botnets, which are big groups of zombie devices. They are formed by infecting normal people’s devices with malware or breaking their weak passwords. That’s why neglecting personal security does not only let the criminals get into one’s personal data, it also makes the cyber criminals stronger and stronger. Because of advancing technology, cyber spying can be automated and made more sophisticated. In the era of big data nobody should think “I’m safe as long as I’m not individually targeted”. Understanding the basics and taking action accordingly will make a huge difference. Of course a connected device can never be 100% secure. There are professionals with lots of resources who eventually find their way through normal protection, but they are people and organizations who have other agendas than getting one more device into their botnet. These attackers are typically not an individual’s problem; they are what governments and companies should be concerned about. You can protect yourself from automated mass attacks by keeping your systems and software up to date, having a proper firewall, using safe passphrases and applying common sense.
The people who decided to ignore privacy questions, often by saying “I have nothing to hide”, should think about the following questions. What is privacy? It is more than advertisers following your physical moves and internet browsing, or the NSA reading your social media messages. Saying you have nothing to hide means you have no secrets. This means you cannot keep a secret from other people either, as the Chief Research Officer of F-Secure, Mikko Hyppönen, pointed out in a TED Talk. Being ignorant about your privacy is often ignorance about some of your friends’ privacy as well. So you wouldn’t mind telling me or any stranger your or your friend’s income? Who you vote for in elections? Who the people are that you really like or dislike? What about your online banking credentials? Take a deep breath and please do not answer my questions. Instead, think about why people wanted to keep these things secret in the first place. If you still think it’s OK that somebody has free access to your personal data, where is the limit? As a couple of examples, technology already makes it possible to track your location even if you don’t explicitly allow that or you turn off the tracking and location settings on your phone. MIT researchers also made it possible to measure your heart rate remotely using WiFi signals. Are you still OK if all this were used against you? What if we are not only talking about “read-only” access but also “write” access? What if somebody could control your heart rate remotely? The future comes sooner than you think. I’m not saying you should start living in a Faraday cage or so. I’m just trying to make you think about whether all this should really be legal and justified and OK for you.
This chapter is about the politicians and officials who are supporting or willing to give authorization for the government to do mass surveillance on their own or other countries’ citizens. I’m not convinced that most of these politicians answering all these polls understand what this would really mean. We are currently living in a world where a dedicated teenager can overcome some governments when it comes to cyber security questions (or actions). There are plenty of countries in the world whose governments are not taking care of their own cyber security practices and policies in a proper way – not to mention the countries’ differences in getting prepared for cyber warfare, which has been a big element in the war in Ukraine. Still, those governments would like to get power they don’t seem to understand. I will try to make it simple. At a fundamental level, giving somebody access to data that is not accessible by others requires an authentication system. Adding an online authentication system grows the attack surface of the system. Growing the attack surface weakens security. The web and online technologies are already vulnerable without any additional “tweaks”. Since the Heartbleed vulnerability was discovered last year (2014), people started to do more digging and therefore other SSL/TLS vulnerabilities started to pop up (e.g. POODLE and FREAK). FREAK is also a good example of a disastrous decision by lawmakers (in this case the US government wanted to put weak “export-grade” encryption in place so that they could do their surveillance) which weakened the security of every web user later on when this vulnerability was disclosed. One of the extreme examples of a politician talking about things he doesn’t understand is David Cameron wanting to ban encryption. Even with proper authentication and encryption protocols in place, it’s unfortunately often too easy to act as somebody else on the internet.
So my question for those politicians is – are you ready to take on the responsibility of creating surveillance interfaces? Do you have a good plan to protect them?
This is my stream of thoughts about a topic I could continue on forever, but I think it’s time to wrap this up for now. Feel free to continue in the comments!