As we learn more and more details regarding government spying, it seems more and more foolhardy to trust our security to third party businesses.
The state requires information on its subjects to be effective. From the first census in Egypt more than 5000 years ago, states have sought personal information on their citizens, especially in tyrannical states, where informants and secret police gather information on any and all potentially subversive activities. In the age of the Internet and the surveillance state, spy agencies collect information on us that would make Stalin’s NKVD green with envy — much of it naively handed over via social media. When the surveillance state will be dismantled is anyone’s guess, but, in the meantime, the less useful data that can be collected on us the less effective the state’s control of us. For activists, use of private or anonymous communication in first world countries could be key to avoiding pre-emptive arrest, In places like Syria, it becomes a matter of life and death.
Initially, I had hoped companies like Google would come to the rescue by implementing powerful encryption systems; unfortunately it seems less and less likely that corporations beholden to shareholders and intertwined with government can effectively and securely create these services. While these big companies with their large profits and lobbying budgets are probably in the best position to fight back against the surveillance state, they also have the most to lose if they don’t play along.
Ladar Levison’s Lavabit was a semi-secure email service. In August, Levison shut down Lavabit citing government threats and interference. Observers speculated that Levison had received a National Security Letter demanding customer data, likely that of NSA whistleblower Edward Snowden. Recently unsealed court document show that a warrant was issued for the private SSL key for the Lavabit service. This key allows a secure encrypted connection between user and server. Having access to this key would give the government real time access to information being sent by users to the site. This in turn would allow them to scoop up log-in credentials and access the encrypted emails of any of Lavabit’s 400,000 customers.
Much to his credit, Ladar Levison decided to shut down Lavabit — denying access to the privately stored communications of its customers. This sort of principled stance is unexpected. Levison didn’t have shareholders to answer to. He answered to himself and his customers. We cannot expect large tech corporations like Google, who put forth the public image of being on our side and actually attempt to publicize government intrusion, to actually defy the government when compelled by law. Other players, such as Microsoft, appear to be enthusiastic in their collaboration with the NSA and other 3 letter agencies.
So what does this all mean for us? Is it all doom and gloom? No! We have to take this into our own hands. There are a multitude of free and open source projects and open standards for encryption. From what we understand, the NSA has broken encryption through coercion and subversion, not by raw attempts at bashing away at the numbers and cracking the codes. Most likely, we can still trust the mathematics.
When a project is open source its code is open to scrutiny. It can be vetted and we can know exactly how it does what it does. While the majority of us do not have the technical know-how to look through the code of a specific program to vet it before compiling it, trusted researchers and academics can and do vet these for us. Thus we can be aware of potential vulnerabilities of encryption software and know the limits of its capabilities. When we communicate with PGP, for example, we are using an open standard. We do not need to trust our communications to a company that may have been coerced by government to compromise our privacy. With PGP, you are in possession of your private key and no one else can be made to hand it over. The Tor project, due to its complexity, is not so clear cut. Because of its distributed nature, there are more opportunities for exploitation, but the project is open source and these potential exploits are documented so we are able to understand its limits.
The conclusions we must draw is that we are in this together. If we decide to use corporate service that claim to be secure, we must be aware that they could be compromised at any time — not through brute force, but coercive force. With closed source encryption software, there is no way to evaluate or trust the developer’s claims. When we use open source encryption software we must make ourselves aware of its limitations and use it accordingly.
Internet security is our responsibility.
Translations for this article:
- Portuguese, Segurança Na Internet É Responsabilidade Nossa.
- Italian, La Sicurezza su Internet È Responsabilità Nostra.
