
Weekend Reads 011118: Mostly Security and Policy

Traveling is stressful. The last thing you want to worry about is getting scammed by crooks on the street. Your best tool? Knowledge. Know how they work. Know what they’ll do. Prevent it from happening in the first place. —Relatively Interesting

The European Union’s competition chief is zeroing in on how companies stockpile and use so-called big data, or enormous computer files of customer records, industry statistics and other information. The move diverges starkly from a hands-off approach in the U.S., where regulators emphasize the benefits big data brings to innovation. —Natalia Drozdiak @ MarketWatch

The cybersecurity industry has mushroomed in recent years, but the data breaches just keep coming. Almost every day brings news of a new data breach, with millions of records compromised — including payment details, passwords, and other information that makes those customers vulnerable to theft and identity fraud. —Alistair Johnston @ MarketWatch

To break the dominance of Google on Android, Gael Duval, a former Linux developer and creator of now defunct but once hugely popular Mandrake Linux (later known as Mandriva Linux), has developed an open-source version of Android that is not connected to Google. —Kavita Iyer @ TechWorm

China has rarely undertaken a role in developing public international cybersecurity law over the many years the provisions have existed. Only once did it submit a formal proposal — fifteen years ago to the 2002 Plenipotentiary Conference where it introduced a resolution concerning “rapid Internet growth [that] has given rise to new problems in communication security.” Thus, a China formal submission to the upcoming third EG-ITRs meeting on 17-19 January 2018 in Geneva is significant in itself. —Anthony Rutkowski @ CircleID

If all you want is the TL;DR, here’s the headline finding: due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat. However, the caveat is that these attacks are extremely difficult to pull off in practice, so nobody needs to panic. But both issues are very avoidable, and tend to undermine the logic of having an end-to-end encryption protocol in the first place. —Krebs on Security

This past Friday Twitter issued what is perhaps one of the most remarkable statements in modern diplomatic history: it said both that it would not ban a world leader from its platform and that it reserved the right to delete official statements by heads of state of sovereign nations as it saw fit. Have we truly reached a point in human history where private companies now wield absolute authority over what every government on earth may say to their citizens in the online world that has become the de facto modern town square? —Kalev Leetaru @ Forbes

On differential privacy

Over the past several weeks, there’s been a lot of talk about something called “differential privacy.” What does this mean, how does it work, and… is it really going to be effective? The basic concept is this: the reason people can identify you, personally, from data collected off your phone, searches, web browser configuration, computer configuration, etc., is that you do things just differently enough from other people to create a pattern through cyberspace (or rather, through your data exhaust). Someone looking hard enough can figure out who “you” are from patterns you don’t even think about—you always install the same sorts of software/plugins, you always take the same path to work, you always make the same typing mistakes, and so on.

The idea behind differential privacy, considered by Bruce Schneier here, here, and here, is that you can inject noise into the data collection process in a way that doesn’t degrade the quality of the data for its intended use, while preventing any particular individual from being identified. If this nut can be cracked, it would be a major boon for online privacy—and this is a nut that deserves some serious cracking.
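
To make that concrete, here is a minimal sketch of the kind of noise injection differential privacy relies on (the Laplace mechanism), with purely illustrative numbers: the counts, the epsilon values, and the laplace_count helper are my own assumptions, not anyone’s production system.

```python
import numpy as np

def laplace_count(true_count, epsilon, sensitivity=1.0):
    """Return a noisy, differentially private version of a count.

    Adding or removing any one person changes a raw count by at most 1
    (the sensitivity), so Laplace noise with scale sensitivity/epsilon
    is enough to hide whether any single individual is in the data.
    """
    noise = np.random.laplace(loc=0.0, scale=sensitivity / epsilon)
    return true_count + noise

# Illustrative only: suppose 4,213 of 10,000 users visited some page.
true_count = 4213
print(laplace_count(true_count, epsilon=0.5))  # stronger privacy, more noise
print(laplace_count(true_count, epsilon=5.0))  # weaker privacy, less noise
```

The aggregate stays useful (the answer still comes back around 4,200), while the noise is large enough that no single person’s presence or absence can be read back out of it.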

But I doubt it can actually be cracked, for a few reasons.

First, in context, differential privacy is a form of data abstraction. And anyone who’s paying attention knows that from summary aggregates to protocol layers, abstractions leak. This isn’t a bad thing or a good one, it’s just the way it is—the only way to truly prevent personally identifiable information from leaking through an information gathering process is to detach the data from the people entirely by making the data random.
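
One concrete way the abstraction can leak, sketched below under the assumption that the collector adds fresh noise to every answer and never tracks how many times the question has been asked: repeat the query enough times and the noise simply averages away.

```python
import numpy as np

rng = np.random.default_rng(seed=0)

true_count = 4213     # the value the noise is supposed to hide (made up)
noise_scale = 2.0     # Laplace scale applied to each individual answer

# With fresh noise on every request and no privacy budget being charged,
# an attacker can just ask the same question repeatedly and average.
answers = true_count + rng.laplace(0.0, noise_scale, size=10_000)
print(answers.mean())  # converges back toward 4213
```

This is exactly why real differential privacy systems have to account for every query against a finite privacy budget, rather than treating the noise as a one-time fix.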

Which brings up the second problem—the purpose of gathering all this data is to be able to predict what you, as a person, are going to do. In fact, the point of big data isn’t just to predict, but to shape and influence. As folks from Google have a habit of asserting, the goal is to get to absolute knowledge by making the sample size under study the entire population.

The point of differential privacy is that you can take the information and shape it in such a way as to predict what all females of a certain heritage, of a certain age, and in a certain life position will do in reaction to a specific stimulus, so advertisers can extract more value from these people (and, in the background, the part no-one wants to talk about: so that other folks can control their attitudes and behaviors so they do “the right thing” more often). If you follow this train of thought, it’s obvious that the more specific you get, the more predictive power and control you’re going to have. There’s not much point in “the flu project” if my doctor can’t predict whether I, personally, will catch the flu this year. The closer you can get to that individual prediction, the more power data analytics has.

Why look at everyone when you can focus on a certain gender? Why focus on everyone of a certain gender when you can focus on everyone of a certain gender who has a particular heritage? There doesn’t appear to be any definable point where you can stand athwart the data collection process and say, “beyond this point, no new value is added.” At least no obvious place. The better the collection, the more effective targeting is going to be. As a commenter on Bruce Schneier’s post above says—

The more information you intend to “ask” of your database, the more noise has to be injected in order to minimize the privacy leakage. This means that in DP there is generally a fundamental tradeoff between accuracy and privacy, which can be a big problem when training complex ML models.

We’re running into the state versus optimization pair in the complexity triangle here; there’s no obvious way out of the dilemma.
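
To put rough numbers behind the commenter’s point, here is a sketch of what happens to a fixed privacy budget under basic sequential composition; the budget, the sensitivity, and the even split across queries are all assumptions chosen for illustration.

```python
total_epsilon = 1.0   # overall privacy budget (assumed)
sensitivity = 1.0     # each query is a simple count

for num_queries in (1, 10, 100):
    # Under basic sequential composition the per-query budgets add up,
    # so splitting the budget evenly means each answer gets noisier.
    per_query_epsilon = total_epsilon / num_queries
    noise_scale = sensitivity / per_query_epsilon
    print(f"{num_queries:>3} queries -> Laplace scale per answer: {noise_scale:g}")
```

One question can be answered quite accurately; a hundred questions against the same budget each come back buried under a hundred times as much noise.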

Which brings me to the third point: Someone still has to hold the original data to be able to detune it in the process of asking specific questions. The person who holds the data ultimately controls the accuracy of the questions other people ask of it, while allowing themselves more accuracy, and hence a business advantage over their rivals. To some degree—and it might just be my cynicism showing—this type of thing seems like it’s aimed as much at competitors as it is at actually “solving” privacy.

I have great hopes that we can eventually find a way to stand athwart data collection and yell “stop” at the right moment. I don’t know if we’ve really figured out what that moment is, nor whether we understand human nature well enough to keep people from using the power of leaky abstractions to stick their hands in the cookie jar rather than respecting the limits.

It’s an interesting idea; I just don’t know how far it will really go.

Should We Stop Encryption? Can We?

It’s not like they’re asking for a back door for every device.
If the world goes dark through encryption, we’ll be back to the wild west!
After all, if it were your daughter who had been killed in a terrorist attack, you’d want the government to get to that information, too.

While sitting on a panel this past week, I heard all three of these reactions to the Apple versus FBI case. But none of them rings true to me.

Let’s take the first one: no, they’re not asking for a back door for every device. Under the time-tested balance between privacy and government power, the specific point is that people have a reasonable expectation of privacy until they come under suspicion of wrongdoing. However, it’s very difficult to trust, in the current environment, that such power, once granted, won’t be broadened to every case, all the time. The division between privacy and justice before the law was supposed to be at the point of suspicion. That wall, however, has already been breached, so the argument now moves to “what information should the government be able to trawl through in order to find crimes?” They are asking for the power to break one phone in one situation, but that quickly becomes the power to break every phone all the time on the slimmest of suspicions (or no suspicion at all).

Essentially, hard cases make bad law (which is precisely why specific hard cases are chosen as a battering ram against specific laws).

The second one? Let’s reconsider exactly why the law protects personal action from government snooping without cause. No-one is perfect. Hence, if you dig hard enough, especially in a world where the code of law is measured in hundreds of thousands of pages and the federal tax code alone runs over 70,000 pages, you will find something someone has done wrong at some point within the last few years.

Putting insane amounts of law together with insane amounts of power to investigate means that anyone can be prosecuted at any time for any reason someone with a uniform might like. Keeping your nose clean, in this situation, doesn’t mean not committing any crimes, because everyone does. Keeping your nose clean, in this situation, means not sticking your neck too far out politically, or not making someone with the power to prosecute too angry. We do want to prevent a situation where criminals can run wild, but we don’t want to hand the government—any government—the power to prosecute anyone they like, as that’s just another form of the “wild west” we all say we want to prevent.

By the way, who is going to force every cryptographer in the world to hand over their back doors?

Even if the U.S. government prevails in its quest to compel Apple and other U.S. companies to give the authorities access to encrypted devices or messaging services when they have a warrant, such technology would still be widely available to terrorists and criminals, security analysts say. That’s because so many encrypted products are made by developers working in foreign countries or as part of open source projects, putting them outside the federal government’s reach. For example, instant messaging service Telegram — which offers users encrypted “secret chats” — is headquartered in Germany while encrypted voice call and text-messaging service Silent Phone is based out of Switzerland. And Signal, a popular app for encrypted voice calls and text messaging, is open source. —via the Washington Post

If we’re going to play another round of “the law abiding can be snagged for crimes real criminals can’t be snagged for,” count me out of the game.

The third one? I never trust an argument I can turn around so easily. Let me ask this—would you want breakable encryption on your daughter’s phone if she were being stalked by someone who happens to have a uniform? Oh, but no-one in uniform would do such a thing, because they’d be caught, and held accountable, and…

We tend to forget, all too easily, the reality of being human. As Solzhenitsyn says—

Gradually it was disclosed to me that the line separating good and evil passes not through states, nor between classes, nor between political parties either—but right through every human heart—and through all human hearts. This line shifts. Inside us, it oscillates with the years. And even within hearts overwhelmed by evil, one small bridgehead of good is retained. And even in the best of all hearts, there remains … an unuprooted small corner of evil. —The Gulag Archipelago

Strong encryption is too important to play games with. As Tom says—

Weakening encryption to enable it to be easily overcome by brute force is asking for a huge Pandora’s box to be opened. Perhaps in the early nineties it was unthinkable for someone to be able to command enough compute resources to overcome large number theory. Today it’s not unheard of to have control over resources vast enough to reverse engineer simple problems in a matter of hours or days instead of weeks or years. Every time a new vulnerability comes out that uses vast computing power to break theory it weakens us all. —via Networking Nerd
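
Some back-of-the-envelope arithmetic shows how thin the margin between “infeasible” and “a matter of hours” really is; the attacker’s key-testing rate below is an assumption, chosen to be absurdly generous.

```python
keys_per_second = 10**18           # hypothetical, very well-funded attacker
seconds_per_year = 60 * 60 * 24 * 365

for bits in (56, 64, 128):
    keyspace = 2 ** bits
    years = keyspace / keys_per_second / seconds_per_year
    print(f"{bits}-bit keyspace: ~{years:.2e} years to exhaust")
```

At that rate a 56-bit keyspace falls in a fraction of a second and a 64-bit keyspace in under a minute, while a 128-bit keyspace still takes on the order of ten trillion years; every bit deliberately given away cuts the attacker’s work in half.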

Anonymity isn’t a bug

Despite the bad rap it sometimes gets, anonymity – and anonymity technology – is used all the time by everyday people. Think about it: just walking in a park without being recorded or observed or “going off the grid” are common examples of people seeking to disconnect their identity from their activities. —via the Center for Democracy and Technology

The problem with anonymity and the modern Internet is that we tend to think of being anonymous as either “on” or “off” all the time. The only real reason we can think of to want to be anonymous is to do something evil: to hurt someone, to steal something, or to do something else considered anti-social or wrong.

But there’s a problem with this thinking — it’s much like pitting “the rich” against “the poor,” or any other time-bound classification. There are times when I want to be anonymous, and there are times when I don’t care. It’s not a matter of doing that which is nefarious. It’s more about expressing opinions you know people won’t agree with, but whose expression could cause you material harm, or about being able to investigate something without telling anyone about the situation. For instance, suppose someone you love has a dread disease — is it right to violate their privacy by searching for information about the disease on the ‘web? And yet how can you hope to prevent anyone with access to the data about your browsing and your network of friends from drawing a conclusion based on actions taken? In some places (college campuses in the US, for instance), it can kill your career to hold certain opinions or beliefs (conservative Christianity in general, for example). Should people not be able to express their opinions in a way that protects them from the harm of the “twitter storm?” Or what if you move into a house only to find it’s horribly built — if you tell anyone in a way that allows you to be identified, you’ve just lost the value of the house. On the other hand, if you don’t tell anyone at all, you’re letting the builder off the hook.

While privacy can certainly be used to cover a multitude of crimes, it is also necessary to being fully human in any way that really counts.

Information wants to be protected: Security as a mindset

I was teaching a class last week and mentioned something about privacy to the students. One of them shot back, “you’re paranoid.” Again, at a meeting with some folks about missionaries, and how best to protect them when trouble comes to their door, I was declared paranoid. In fact, I’ve been told I’m paranoid after presentations by complete strangers who were sitting in the audience.

Okay, so I’m paranoid. I admit it.

But what is there to be paranoid about? We’ve supposedly gotten to the point where no-one cares about privacy, where encryption is pointless because everyone can see everything anyway, and all the rest. Everyone except me, that is—I’ve not “gotten over it,” nor do I think I ever will. In fact, I don’t think any engineer should “get over it,” in terms of privacy and security. Even if you think it’s not a big deal in your own life, engineers should learn to treat other people’s information with the utmost care.

In moving from the person to the digital representation of the person, we often forget it’s someone’s life we’re actually playing with. I think it’s time for engineers to take security—and privacy—personally. It’s time to actually do what we say we do, and make security a part of the design from day one, rather than something tacked on to the end.

And I don’t care if you think I’m paranoid.

Maybe it’s time to retire the old saying “information wants to be free,” and replace it with something a little more realistic, like:

Information wants to be protected.

It’s true that there are many different kinds of information. For instance, there’s the information contained in a song, or the information contained in a book, or a blog, or information about someone’s browsing history. Each piece of information has a specific intent, or purpose, a goal for which it was created. Engineers should make their default design such that information is only used for its intended purpose by the creator (or owner) of that information. We should design this into our networks, into our applications, and into our thought patterns. It’s all too easy to think, “we’ll get to security once things are done, and there’s real data being pushed into the system.” And then it’s too easy to think, “no-one has complained, and the world didn’t fall apart, so I’ll do it later.”

But what does it mean to design security into the system from day one? This is often, actually, the hard part. There are tradeoffs, particularly costs, involved with security. These might be in terms of complexity, which makes our jobs harder, or in terms of what it actually costs to bring the system up in the first place.

But if we don’t start pushing back, who will? The users? Most of them don’t even begin to understand the threat. The business folks who pay for the networks and applications we build? Not until they’re convinced there’s an ROI they can get their minds around. Who’s going to need to build that ROI? We are.

A good place to start might be here.

And we’re not going to get there until we all start nurturing the little security geek inside every engineer, until we start taking security (and privacy) a little more seriously. Until we stop thinking about this stuff as just bits on the wire, and start thinking about it as people’s lives. Until we reset our default to “just a little paranoid,” perhaps.


P.S. I’m not so certain we should get over it. Somehow I think we’re losing something of ourselves in this process of opening our lives to anyone and everyone, and I fear that by the time we figure out what it is we’re losing, it’ll be too late to reverse the process. Somehow I think that treating other people as a product (if the service is free, you are the product) is just wrong in ways we’ve not yet been able to define.