Saturday, June 21, 2014

Telirati Analysis #10: To Change the Terms of the Privacy Debate, Protect All Bits

The trust problem

US technology and Internet services companies have a deep trust problem. They are accused of collaborating with the NSA and, on top of collaboration, being exploited by the NSA. The NSA, in turn, is seen as operating without boundaries, turning America and much of the world into a glass-walled panopticon, devoid of privacy and confidentiality.

This loss of trust has already cost tens of billions, and will cost tens to hundreds of billions more in lost sales outside the US and the "Five Eyes" nations most closely collaborating in NSA surveillance. Any nation that aspires to practical sovereignty, competitive industry, and independent decision-making finds that it cannot trust US technology and services.

Solving the trust problem is one of the most valuable goals in the technology and Internet services industries, and it has proved to be a sticky problem. The key may be to change the terms of the discussion.

Describing the threat

The NSA has taken most of the headlines, but it isn't the only threat to privacy. Without understanding the whole threat, some people may conclude that they trust the US government and/or the NSA, and have "nothing to hide."

This approach ignores the non-US state actor threat and the criminal threat to data and communications security. In corrupt places, the criminal and state actor threats are combined, and there is nobody to trust. Where laws mostly work, they offer only variable protection; none offer absolute protection against the state, and no laws restrain foreign threats.

The bottom line is that you can't rely on a service to protect you, and you can't rely on laws to protect you. You have to protect yourself.

The role of technology and service providers

The key to regaining trust is to enable individuals to protect themselves. The role of technology and service providers in this is to support individuals' ability to protect themselves. Trust can't be regained directly. It must be earned back by providing tools for privacy.

Tools for individuals

To earn back trust, technology and service providers have to enable "end to end" security that is fully controlled by individuals and enterprises. Some say this would be hard to use, but services like Skype provided a high level of security while growing on the basis of the best ease of use in their product category.

There really are no excuses for not enabling individuals to have simple access to privacy and security, and the ability to deliver high security together with ease of use has only improved since Skype was introduced. For example, a "web of trust" removes the need to trust an authority to anchor a chain of trust in the identity of the person you are communicating with and in the validity of their public key.

Social networks provide a means to distribute public keys. Ephemeral keys and "perfect forward secrecy" (PFS) remove the need for individuals to manage keys for real-time communication.
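To make the forward-secrecy claim concrete, here is an added example (not code from the original post) contrasting a session keyed from long-term Diffie-Hellman keys with one keyed from fresh ephemeral keys. It assumes toy-size group parameters P and G and a plain SHA-256 key derivation, both constructed for illustration; a real protocol would use a standardized group or X25519, sign the ephemeral values with the long-term keys, and use a proper KDF.

```python
import hashlib
import secrets

# Toy-size Diffie-Hellman parameters, constructed for illustration only.
# Real deployments use standardized groups (RFC 3526/7919) or X25519.
P = 2**127 - 1  # Mersenne prime; far too small for real security
G = 5


def keypair():
    """Return a fresh (private, public) Diffie-Hellman pair."""
    priv = secrets.randbelow(P - 2) + 2  # private exponent in [2, P-1]
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Derive a symmetric key from the DH shared secret (toy KDF: SHA-256)."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def static_session(alice, bob):
    """No forward secrecy: the key comes from the long-term keys alone, so
    every conversation between these two parties is protected by one key."""
    return session_key(alice[0], bob[1])


def ephemeral_session():
    """Forward secrecy: new keys for this session only. Only the public halves
    (what an observer on the wire could record) outlive the function; the
    private halves are discarded on return and nobody has to manage them."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = session_key(a_priv, b_pub)
    assert key == session_key(b_priv, a_pub)  # both sides agree
    return key, (a_pub, b_pub)


def later_compromise():
    """Model an attacker who recorded the traffic and later steals Alice's
    long-term private key. Returns (static_recovered, ephemeral_recovered)."""
    alice = keypair()  # long-term identity keys, e.g. published via a social network
    bob = keypair()
    recorded_static = static_session(alice, bob)
    recovered_static = session_key(alice[0], bob[1])  # stolen key replays the derivation
    recorded_eph, (_a_pub, b_pub) = ephemeral_session()
    # Best the attacker can do: combine the stolen long-term key with the
    # recorded ephemeral public value. That is a different DH value entirely.
    attempt = session_key(alice[0], b_pub)
    return recovered_static == recorded_static, attempt == recorded_eph
```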

A solution for individual privacy and security must include these elements:
  • The public has to be confident their software does not include back doors.
  • It has to employ simple-to-use technologies where possible.
  • It has to make the more-complex aspects of security as simple and powerful as possible.

These goals are within reach of all major Internet services and technology providers. By reaching these goals, technology and service providers will earn users' trust.

The effect of end-to-end encryption and related technologies, which remove the need to trust the operators of networks and the equipment makers who built them, is to reduce the value of mass surveillance. By encrypting all personal communications and personal data, for everyone, all the time, extracting that information requires more powerful tools whose cost makes them impractical to apply at mass scale.

What is a sufficient solution?

Protecting against a sophisticated state actor threat is a daunting task. The NSA actively subverts security technologies. The public can't verify proprietary security technologies. Security agencies worldwide stockpile vulnerabilities and buy them from hackers across the black-to-gray spectrum.

But protecting privacy isn't an impossible task. The ability of state actor and criminal hackers to take advantage of vulnerabilities is limited by independent discovery of the bugs enabling those exploits. The lifespan of most vulnerabilities is in the range of a few months to two or three years. Many vulnerabilities are only suitable for targeted attacks and cannot be scaled up for mass surveillance without being quickly detected and fixed.

Defense against vulnerabilities must be defense in depth. Vulnerabilities will never all be fixed. Other tools, like intrusion detection and postmortem analysis tools, need to be developed in the open so that they can be trusted to work against all classes of threats. Enterprises that make use of open source software should form cooperative organizations to test and audit that software and fix vulnerabilities.

A sufficient solution consists of:
  • Finding vulnerabilities and reducing the number of vulnerabilities
  • Detecting threats and intrusions
  • End-to-end encryption of all data and communication

The most valuable secret of surveillance is that it mostly depends on data being weakly defended and available in cleartext. If all data is encrypted end-to-end and never available in cleartext except at the intended recipient's system, and all systems are secured to a high standard, we can have privacy, confidentiality, and security in communications and data storage.

America's blind spot

Americans, and even American corporate leaders with plenty of international exposure, now have, and are likely to continue to have, a blind spot regarding the severity of the trust problem they face.

Snowden's files, and subsequent developments such as the allegations that the NSA knew of and exploited the Heartbleed bug, have put the US government and the US-based technology industry in disrepute worldwide.

You might think a problem that large would have set off alarms. But the response of US equipment and services companies has been timid: Some have issued indignant press releases. Some have participated in proposing reforms that have so far failed to fill even a teaspoon of the credibility hole. Some have touted wider use of SSL, while retaining access to your data in cleartext. So far, the only major Internet service to have even floated a trial balloon, by means of a trade press rumor, is Google, which is said to be considering implementing end-to-end encryption for Gmail.

Many Americans, even those with exposure to and experience in international markets, live in an "America Bubble." This bubble is made of kind assumptions about the American government: The NSA and FBI protect us. They catch Bad Guys. Some of what they do is a direct service to American businesses: catching credit card fraud, for example.

The fact is that spy agencies and law enforcement have numerous tools other than mass surveillance. Among Snowden's revelations one finds that the US government has extraordinarily subtle listening devices and transmitters available for high-value cases. Ending mass surveillance won't take away from these high-value tools.

The only way to win is to not play the game

It has been a year since the Snowden revelations, and US technology companies have not taken the required steps to regain trust. At both the national and industry level, the only way to regain trust is to not play the conventional game of laws and treaties and weakly protective technologies. By securing users' data against all threats, the terms of the negotiation are changed and the current deadlock can be broken. State security apparatuses will only re-think mass surveillance in an environment where mass surveillance is less valuable.

While many nations have surveillance operations in their state security mechanisms, some nations apply vastly more resources to these operations than others. The US, for example, spends more on its military than the rest of the world combined. Spending on the NSA and other signals intelligence is likely to be proportionate to military spending overall.

If some nations come to realize they can't compete with the NSA, they will then conclude they must change the ground on which the game is played, both to secure their sovereignty, and to secure the competitiveness and trust in their technology industries.

It is an open question when the US technology industry will take affirmative and effective steps to regain user trust, or whether the US will end up importing that approach from outside after a painful lesson in lost business. The cost to US industry is high and mounting. Likewise, frustration with the US among its allies, not to mention non-aligned nations, is mounting. Some nations' political and business leaders will say "Enough!" and decide that the best way forward is to provide people with the means to have privacy and confidentiality.

Technology alone cannot give us a system of laws, treaties, and security mechanisms that respects privacy, but, by making it harder and less valuable to violate privacy on a mass scale, technology can change the terms of the political debate, and steer it toward a better outcome. Not just for Americans, but for everyone living with a too-intrusive government.