Lately, we’ve learned a great deal about what the NSA and other government intelligence agencies around the world do, what their capabilities are, and just how far they are willing to go to make sure they can know everything we do online. It used to be that the big debate was around email and phone calls, where your own ISP or an upstream provider could see all the traffic crossing its network and tap into it. Without encryption, these protocols are like postcards left in the wild, for anyone to read. Certainly some criminal activity gets caught this way, and while many are shocked at the invasion of privacy, no technically savvy person ever imagined that a plain text email was secure.
That’s where encryption comes in: SSL and TLS for the connection, end to end tools like PGP for the message itself, and disk encryption like TrueCrypt for data at rest. We used to think that if we encrypted a message before sending it out, then no one else could read it. Your financial transactions wouldn’t be spied upon by the IRS, your Amazon purchases wouldn’t be linked to you by Homeland Security, and the business documents you shared securely with partners wouldn’t be read by foreign interests. That tidy picture started disintegrating in front of our eyes rather quickly as we learned more about PRISM and other government programs. Bruce Schneier, a leading researcher in Internet security, has written several interesting posts about encryption, summarizing what can and can’t be gathered by third parties. Suffice it to say that encrypting your online data isn’t the end of the journey.
Even if the NSA can’t brute force your encrypted data, there are many other ways for them to get at it. The math behind encryption may be solid, but if a standard or implementation includes code “helpfully” provided by the NSA, that code can’t be trusted. SSL itself may be unbreakable, but if the NSA collects the private keys from all the major Internet companies, it doesn’t need to break anything; it simply uses those keys. The upshot is that encryption as deployed today, and public key encryption in particular, which depends on central certificate authorities to vouch for keys, can’t be trusted blindly, because there are too many places where it can be undermined without ever touching the math. So what are we to do if we still care about privacy? Things are indeed looking bleak, but there is still a light at the end of the tunnel, and this may be where you come in.
A lot of what the government has been doing in secret is made possible in part by IT pros like you. This isn’t to say that most honest IT workers are complicit; data leaks out to the government because companies are forced to play by secret rules, under laws no one knows about, with warrants issued without any real due process. But clever people can come up with quite a few alternatives to simply rolling over and abandoning online privacy altogether.
One example is Google’s deployment of Perfect Forward Secrecy. One type of request they received from governments was to hand over their past SSL private keys. Since a retired key no longer protects current traffic, handing it over sounds harmless. But with the classic RSA key exchange, the server’s long-term private key is exactly what unwraps the session key of every connection it ever terminated, so anyone who recorded traffic while that key was in service can decrypt all of it retroactively, a massive breach of privacy. With Perfect Forward Secrecy, each SSL session instead performs an ephemeral Diffie-Hellman exchange: both sides generate fresh, temporary key pairs, derive the session key from them, and throw them away when the session ends. The long-term key only signs the exchange to prove the server’s identity; it never protects the session key itself, so a request for old keys becomes completely worthless.
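To make that concrete, here is an added example (not code from the original post or from Google) that models both worlds in Python with only the standard library. A passive wiretap records every public value sent in each session; afterwards the attacker is handed the server’s long-term private key and tries to recover the session keys. With a static long-term DH key the attacker recovers every session; with ephemeral per-session keys the leaked long-term key is useless. The group is a toy 256-bit safe prime generated at import time purely so the example runs quickly offline (a real deployment uses a standardized group such as those in RFC 3526 or RFC 7919, or elliptic-curve ECDHE); the `Wiretap`, `run_static_sessions`, `run_ephemeral_sessions` and `compromised_fraction` names are this example’s own, and signing of the ephemeral values is omitted since it plays no part in secrecy.

```python
"""Why forward secrecy makes a demand for old server keys worthless (toy model)."""
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with a small trial-division pre-filter."""
    if n < 4:
        return n in (2, 3)
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int = 256) -> int:
    """Find p = 2q + 1 with p and q both prime. Toy size, for demonstration only."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = toy_safe_prime()        # toy modulus, NOT a standardized group
Q = (P - 1) // 2            # order of the subgroup generated by G
G = 4                       # 4 = 2^2 is a quadratic residue, so it has prime order Q
KEY_BYTES = (P.bit_length() + 7) // 8


def keygen():
    """Return a (private, public) DH key pair in the prime-order subgroup."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def derive(shared: int) -> bytes:
    """Session key = SHA-256 of the shared DH value."""
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


class Wiretap:
    """Passive recorder: keeps every (client_pub, server_pub) seen on the wire."""
    def __init__(self):
        self.sessions = []

    def record(self, client_pub: int, server_pub: int) -> None:
        self.sessions.append((client_pub, server_pub))


def run_static_sessions(n: int, tap: Wiretap):
    """Server reuses one long-term DH key for every session (no forward secrecy)."""
    srv_priv, srv_pub = keygen()
    keys = []
    for _ in range(n):
        c_priv, c_pub = keygen()
        tap.record(c_pub, srv_pub)
        k_client = derive(pow(srv_pub, c_priv, P))
        k_server = derive(pow(c_pub, srv_priv, P))
        assert k_client == k_server          # both sides agree on the session key
        keys.append(k_client)
    return srv_priv, keys


def run_ephemeral_sessions(n: int, tap: Wiretap):
    """Fresh key pairs per session, discarded afterwards (forward secrecy)."""
    lt_priv, _lt_pub = keygen()   # long-term key: would only sign s_pub, never used in agreement
    keys = []
    for _ in range(n):
        c_priv, c_pub = keygen()
        s_priv, s_pub = keygen()
        tap.record(c_pub, s_pub)
        k_client = derive(pow(s_pub, c_priv, P))
        k_server = derive(pow(c_pub, s_priv, P))
        assert k_client == k_server
        keys.append(k_client)
        del c_priv, s_priv            # ephemeral secrets cease to exist after the session
    return lt_priv, keys


def attacker_recover(tap: Wiretap, leaked_priv: int):
    """With recorded traffic plus a leaked long-term key, compute client_pub^leaked_priv per session."""
    return [derive(pow(c_pub, leaked_priv, P)) for c_pub, _s_pub in tap.sessions]


def compromised_fraction(style: str, n: int = 5) -> float:
    """Fraction of recorded sessions the attacker decrypts after the long-term key leaks."""
    tap = Wiretap()
    run = run_static_sessions if style == "static" else run_ephemeral_sessions
    lt_priv, real_keys = run(n, tap)
    guesses = attacker_recover(tap, lt_priv)
    return sum(g == k for g, k in zip(guesses, real_keys)) / n


if __name__ == "__main__":
    print("static DH, key leaked later: ", compromised_fraction("static"))     # 1.0
    print("ephemeral DH, key leaked later:", compromised_fraction("ephemeral"))  # 0.0
```

The important line is `del c_priv, s_priv`: once the ephemeral secrets are gone, nothing the server still holds, including its long-term key, can reproduce the shared value from the recorded public numbers, which is precisely why the hand-over request described above stops being useful.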
Meanwhile, new startups and apps are appearing to meet customers’ heightened desire for secure alternatives. Silent Circle just released an Android app that allows secure file sharing and text messaging between users. Of course, if the government doesn’t like a company offering a secure alternative, it has the power to shut it down. Lavabit is a recent example: its owner tried to fight secret government orders demanding access to its secure messaging service, and Lavabit closed shop rather than betray the privacy of its users. So while security and privacy issues are being debated in the houses and parliaments of various countries around the world, the battleground is shifting to the IT pros and developers on the ground.
Are there things developers and IT pros could do to help keep privacy alive? Imagine how users would react if a pop-up appeared warning them that all their messages were now being forwarded straight to NSA headquarters. What if a webcam streamed your server racks to the world, so that the day an unfamiliar device appeared, or the feed went dead, that in itself served as a dead man’s switch signalling tampering? These and other clever ideas are popping up in forums and on mailing lists.
So, what do you think? Is it possible to beat the powers-that-be at their own game? What are the possibilities at the grassroots level in the fight to maintain privacy on the Internet?