Sunday, 1 November 2015

Safe secrets?

Worried about spooks? 
It is a complicated world now, and there are a lot of issues. I am getting annoyed by the spin from the government - wanting everyone's web history, and then backing down (apparently). We will see when the bill is published, and pulled apart. They will push too far I am sure, and I hope they are reined back enough.

For a lot of the history of the Internet, any sort of encryption was an add-on. The idea was that the network allows communication, and is robust. Indeed, it was devised by the military originally. Their concept, I am sure, was that the underlying communications lines were physically secure. But the world has changed. Communications go via any number of companies and countries.

These days we use DNS, and we go to web sites, and a lot of that is "in the clear". Even so, we do not expect to be tracked and logged. Yes, a web site will log accesses (by IP) which could be traced to us, but most of us know and trust that web site operators cannot be arsed with holding that or handing it to the police, especially as they are probably not in the same country as us a lot of the time. The biggest "threat" most consider (to the point of crazy nanny state laws on cookies) is advertisers profiling us in some way.

But we also use https, even for "normal" things now, like Google and Facebook. Someone monitoring the underlying connection can tell we are accessing Google or Facebook, but not what we are doing.

Similarly, email was normally "in the clear" over the network. Increasingly the links between clients and servers, and even between servers, are being encrypted, but if someone runs an email server, they can log and see the emails. The fun with the internet is that you can run your own mail servers and you don't need a "service provider" - a concept that does not make sense to government. Even so - who are you emailing and who is emailing you and what servers have logs of those emails? The only way to be sure is to use end-to-end encryption like PGP, but even then there is the meta-data of email addresses and even the subject line "in the clear".
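What a mail server relaying a PGP-encrypted message can still record, as an added example that is not part of the original post. The message, addresses and hosts are constructed placeholders, and the armored block is a stand-in rather than real ciphertext.

```python
from email import message_from_bytes, policy

# Constructed sample: a PGP/MIME (RFC 3156) message as a relaying server stores it.
# Addresses, hosts and the armored block are placeholders, not real data.
RAW = b"""\
Received: from client.example ([192.0.2.10]) by mx.example; Sun, 1 Nov 2015 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Subject: Meet on Thursday?
Date: Sun, 1 Nov 2015 10:00:00 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

placeholderplaceholderplaceholder
-----END PGP MESSAGE-----

--b1--
"""

# Headers a server can log without holding any decryption key.
LOGGABLE = ("Received", "From", "To", "Subject", "Date", "Message-ID")

def relay_view(raw: bytes) -> dict:
    """Return what a server handling this message can read without a key."""
    msg = message_from_bytes(raw, policy=policy.default)
    is_pgp = (msg.get_content_type() == "multipart/encrypted"
              and msg.get_param("protocol") == "application/pgp-encrypted")
    return {
        "headers": {h: [str(v) for v in msg.get_all(h, [])] for h in LOGGABLE},
        "body_encrypted": is_pgp,
        # Only the type and size of each body part are visible, not its content.
        "parts": [(p.get_content_type(), len(p.get_payload())) for p in msg.iter_parts()],
    }

if __name__ == "__main__":
    for key, value in relay_view(RAW).items():
        print(key, value)
```

The sender, recipient, subject, timestamps and the connecting IP address in `Received` all come back readable, while the body parts yield only a content type and a length.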

But why are any of us so paranoid?

I perceive some threats to my privacy... What are they?

Companies: We all see that there are targeted adverts and people tracking what we do when we interact with them and this feels wrong somehow. Some of it is good in a way as it saves time when a site remembers my details for me, but some of it is spooky and worrying. Then you worry about how well these people protect all that personal data.

Criminals: We all have concerns over criminals - not people using data "legitimately" for marketing and other gains, but people getting that data and misusing it. The most obvious being credit card fraud. I am sure we have all suffered from that at one point or another, but even so I have had massively more hassle from my bank's hair-trigger of a fraud detection system than any actual fraud. Ultimately the actual fraud is against my bank and not me anyway. That said, my personal data could be used in other ways as a weapon against me. If I did have something to hide, I could be the subject of blackmail.

Government: This is perhaps the most worrying of all - they are better funded than companies or criminals, and their intentions are not clear. I am not a criminal, and as such I really dislike the idea that the government has any data on me and what I do on the Internet. I don't trust them with that data - either to keep it safe from leaking to criminals (or companies) or for what they might do with it. I don't trust them not to abuse that data themselves if ever I am thought to be "wrong thinking" and they can find something to use against me. I really dislike the idea that they then want to out-source collecting data about me to ISPs and other companies that also cannot be trusted with that data.

Nothing to hide?

I have nothing to hide, do I? No affairs; No dodgy deals; No tax avoidance; No criminal activity; No dodgy downloads; No drugs (apart from coffee and whisky). Much of my life is an open book - heck, I'll even admit to watching porn occasionally. Not everyone is so open, and they should not have to be.

But really, we all have something to hide. Anyone reading this that thinks that they have nothing to hide, please post a reply with your credit card number start and expiry, name, date of birth, address, and code from back of your card: Oh, you want to hide that do you? OK post your medical history: or do you want to hide that? What about your last 50 payslips: No, want to hide that too? Tell us what porn you like: No? What about installing a public webcam in your bedroom, or toilet: No?

Of course we all have something to hide, and we expect and demand some level of privacy. We are entitled to privacy - it is a basic human right. Some of us expect a lot more privacy. Most people do have something to hide which is entirely non-criminal. A few people have something to hide which is criminal. Some people are even politicians!

For some people their web history could almost be as invasive as a webcam in their bedroom. And for people that do have a web cam in their bedroom - to use in "conversations" with their "friends" over the Internet - that traffic may be something they want to hide from the world too.

If we have a right to privacy, then we need to understand who can monitor what we do on the Internet, when that is "visible" and to whom it is "visible".

One of the great things in the world today is end-to-end encryption, so you can communicate with someone and know that only they can see what you are saying.

At the end of the day - privacy is always an option. We can communicate using the means we have, and we can use end-to-end encryption (even without using a computer). If the law says we cannot, then there are ways to do that covertly with no way to prove the use of encryption (steganography). So laws can only encroach on our privacy and not actually stop people communicating covertly. There is no point in such laws and they need to be blocked.

What we need is a society at a national and global level where people do not feel the need to be terrorists or criminals - tackle these problems at the root. If we give up our privacy and our way of life then the terrorists win by default. Don't let that happen.

P.S. cool halloween photo, Andrew (who also carved the pumpkin).


  1. You don't need to put the word "conversations" in quotes. The conventional meanings of the words "conversation" and "intercourse" flipped in the 18th century, and the old meanings of both are still valid (even if archaic and very likely to be misunderstood). :)

  2. It's a real shame that this discussion is even on the table. It's not only a violation of privacy but simply impractical and impossible. It's one of these things that when viewed from a technical standpoint, could only serve to infringe upon the rights of people who aren't terrorists or criminals.

    You do make a good point in that, everyone has something to hide. And this is in and of itself reason enough to not let the Government have access to potential blackmailing material for every person in the country.

    I like to use a particular analogy when relating to terrorism. If your PC was broken, the way we've dealt with terrorism is akin to skipping any diagnostics and going right ahead to hitting it with a hammer.

    Again and again, until it starts working.
    "You don't think we should hit this with a hammer? Terrorist sympathiser!"
    "See it's getting more broken that means we need to keep hitting going."
    "Your computer is totally wrecked? Well the ends justify the means!"

  3. I sometimes feel that David Cameron is looking to the spirit of Erich Honecker for guidance here. Gather everything you can about every citizen, because sooner or later you'll get something about someone that you can use to your advantage. Angela Merkel grew up under Erich Honecker, wonder why she's so keen on privacy?

    Once we give the state extra powers over our privacy, you can bet that such powers won't be revoked when the threat has long since vanished. A more extreme government could have a field day with all the collected data. Remember that the Nazi Party was democratically elected (well, sort of).

  4. Any devices on my home network that use a browser are getting routed through a VPN in future ...

  5. Hey Rev...

    Here is that information about our secret plot involving explosives tomorrow...

    Yrgf unir n uhtr sverjbexf qvfcynl. Lbh pna'g orng n srj rkcybfvbaf naq n ovg bs rssvtl oheavat.