Mass surveillance and the need for more encryption 
Monday, June 24, 2013, 11:03 PM
Once you understand how Internet communications work on the technical level, it becomes obvious that spying is possible. As data flows between computer systems, anyone with full access to the involved computers can potentially read or copy all unprotected information.

For example, a criminal, working as an computer administrator at an Internet Service Provider company, could spy on customers, potentially reading corporate secrets that are exchanged by email, and could secretly sell such information to the customer's competitors.

There are many additional scenarios where it's reasonable to ensure that information remains protected against spying. And the most important scenario is that people have the right of privacy.

With the recent events we (apparently) have learned, that spying isn't limited to those with criminal intentions, but that spying is also performed by secret government agencies, justified as being necessary for providing security to the people.

At the very least, this (apparently) confirms what has been rumoured or anticipated.

However, it depends on the point of view, whether you call such spying legal or criminal. If you have two countries A and B, and each of them spies on the other one, then probably each of them calls their own activities legal, and describes the actions of the other country as criminal.

What happens if you're a citicen of country A, and both countries A and B are technically able to spy on you? Even if you decided that it might be acceptable for your own country to spy on you for the purposes of national safety, neither you nor your government might like the idea that your data is being accessed by country B.

This is one example why it makes sense to protect your information, making it either impossible or very difficult (and requring a targeted effort) to read your information, instead of allowing them to read your data with zero cost.

The above should show why it's in your own interest to invest resources into the protection of your data.

After the existence of the Prism and Tempora systems became known, it triggered the question, whether government agencies should be allowed to do it or not. That's a good question, and in my opinion, in democratic countries, a government should be obligated to inform its citicens about such operations, enabling the people to use their voting powers to acknowledge or resist such operations.

However, there are arguments why it might be irrelevant what the public decides. Even if country A decided that mass surveillance performed by country A is unacceptable, you still risk being spied on by country B. For example, an Internet Provider operator could be controlled by country B, but offering services in country A. Or country B has agents working at an Internet Provider in country A, that help to spy.

We can also look at it from another angle. I don't know how realistic the numbers are, but I've read that several hundert thousand people might have access to the data being processed by the Prism/Tempora systems. In my opinion, it's very likely that at least some of those people are foreign agents. As we have seen, people with high security clearance may become whistleblowers. Essentially, you don't know what people might do, regardless how many background checks you've made. It wouldn't surprise me if a few employees of such agencies secretly query the databases, on demand, selling the information to a different country. Since this action has a much lower risk for detection than becoming a whistleblower, I don't think we can rule out this possibility. I'd conclude, by spying in your own country, you enable foreign agents to benefit from the information, too.

In my opinion, because spying is technically possible, it won't be sufficient to implement laws that forbid it.

The only solution is to make spying impossible, or very difficult. And that's what all of us should be doing, by using encryption technology and, where encryption isn't possible, such as in places dedicated to sharing information with other's, at least following a strategy of data austerity, and only providing as much information as absolutely necessary (or deliberately considered harmless).

You might say, by encouraging people in country A to use encryption technology, you make it more difficult for the secret agency in country A to do their job. Well, I think that's exactly what we should do, and is acceptable, because more difficult doesn't mean impossible.

The state authorities will still have their classic ways of investigation. They still can secretly tap a suspect, for example by secretly entering an apartment and physically installing a keyboard logger on the target's computer system, installing video cameras, etc. However, because of the required effort and because of limited resources, very likely this will only be done to real suspects, not to every citizen.

Since individual people cannot control what the powerful agencies might do, their only chance is to protect themselves.

As a consequence, in my opinion, we should actively teach all Internet users how to use encryption enabled software, and how to avoid centralized service providers, and improve the software used by people, to make it more difficult for agencies or criminals to automatically spy on them.


Add Comment
Comments are not available for this entry.