Secrets, Security & Privacy

Anybody who has been paying attention to the news recently will know there are two threads running which directly relate to the trade off between security and our personal privacy. The most recent is the ongoing release by The Guardian of information mined from secret documents provided to them by Edward Snowden; the other is the trial and sentencing of Pfc Manning, convicted recently of leaking classified documents to Wikileaks.

I have been somewhat conflicted by these because, on the one hand it is important the people trusted to protect national secrets actually do that. But, on the other hand there really needs to be a way that violations of the law within that community can be reported properly, and are taken seriously.

Breaking the Law

In both cases, it is apparent that laws were broken. Those who work with national secrets (and I used to be somebody in that position, though not intelligence related) are trusted to maintain those secrets no matter what. In the UK, people who work regularly with such information are required to sign a copy of the law that protects these secrets. Not because it doesn’t apply until it has been signed – like any UK law, it applies to everybody in the country. We are made to sign it so there can be no doubt that we have read it, and understand what it means.

Simply disagreeing with something that is being kept secret does not change that. People trusted to protect national secrets are not (usually) the ones who get to decide when something is no longer a secret and can be released to the media.

But the law works both ways. The people in charge of these agencies are, by virtue of the fact that most of what they do is hidden from public oversight, trusted to be doing the right thing. As has become apparent over the last few weeks, even the politicians charged with overseeing the activities of these agencies have limited ability to really see what is going on. Instead they are left to trust compliance reports generated by the same agency. Can you imagine a public company being allowed to audit its own financials? Or school kids being allowed to grade their own test papers? Why are these agencies not audited by another part of the government?

I have seen nothing reported so far to suggest that the NSA has ever intentionally violated the rules set up to bound their activities. And to be honest, even though the number of violations sounds large in isolation, when presented as a percentage of the total number of queries they run, it is pretty small, and easily believable as unintentional mistakes. After all, the people running these queries are just human, and we all make mistakes. It is also apparent that they monitor & record violations of their policy, otherwise the report would not exist. Not really the behaviour expected of a rogue agency ignoring the rules; more like one staffed by humans, perhaps overworked ones at times.

Content vs Method

Another thing that stands out for me in all of this is that everything I have seen so far has been describing the methods used to gather intelligence. When dealing with encryption, it is often best to have the method well known, and well reviewed. It is the key, and with it the content, that needs to be kept secret, not the algorithm (Kerckhoffs's principle). Obviously, that does not translate perfectly to all situations, but what is the harm in everybody knowing that the intelligence gathering agencies of the world are looking for the bad guys online? And that they have the ability to tap into lots of the pipes carrying traffic around the world? Does anybody really think the bad guys didn't already assume that was happening?

There are clearly questions about how intelligently the technologies are being applied, but I think the public needs to come to terms with their expectations of privacy regarding Internet communication. Unless you take steps to protect it, I think you need to assume that anything you send over the Internet could be seen by any number of folks (for example, the sys admins in your office or at your ISP). I have always told less tech-savvy folks who ask me that email is more like a postcard than a letter. There is no envelope covering the contents while it is in transit. Luckily for us, most people, including those working for government agencies, likely have more important things to do than read the emails we send to our friends & family. And if you are posting on Facebook or Twitter, that is like pinning a notice on a community noticeboard. I don't understand people who expect Facebook to be private – it is a platform for sharing.

Bottom line is if you are sending something sensitive (for example, the designs for a new product, drafts of a patent or the source of your application) in email, encrypt it. Either choose a good, long pass-phrase for a symmetric cipher, or use an asymmetric technology like public-key encryption, so that only the intended recipient's private key can decrypt it.

Forcing criminals to avoid electronic communication for fear of being detected sounds like a good idea to me. Sure, it might be harder to see what they’re planning, but it is also much, much harder for them to coordinate & plan their attacks in the first place.

Crossing the Line

All of that said, two things today struck me as government crossing the line. Detaining David Miranda under the UK’s terrorism law, and demands for Pfc Manning to serve 60 years because he is still young both seem to go beyond reasonable.

Stopping Mr Miranda was almost certainly legal, because he might have been carrying classified material that he was not authorised to possess. So, while technically legal, it was a very amateur move by the UK authorities. Had they been paying attention they would have read the excellent article in the NY Times magazine detailing the extraordinary measures Glenn Greenwald and Laura Poitras take to ensure the security of the material they have. Even assuming Mr Miranda was carrying anything of value, it would most likely have been encrypted in a way he could not decrypt (a simple public key method could achieve this goal, such that only Mr Greenwald could decrypt it using his private key; the courier carries ciphertext and no key).
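As an added illustration of the scheme described above (this is example code written for this page, not anything the post or the journalists involved published), here is the courier-safe arrangement in Python. It assumes the third-party `cryptography` package is installed; the key size, function names and the sample message are illustrative choices. The recipient generates a key pair and hands out only the public half; the sender encrypts with a fresh per-message AES key and wraps that key under the recipient's public key, so the person carrying the result holds ciphertext and nothing that can open it.

```python
"""Courier-safe transport: the person carrying the files holds ciphertext only.

Added example, not code from the post. Requires the third-party `cryptography`
package (pip install cryptography). The key size, function names and the sample
message are illustrative choices, not anything reported about the real case.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: the wrapping scheme for the per-message data key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_recipient_keypair():
    """Run once by the recipient. Only the public half ever leaves their machine."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=3072)
    return private_key, private_key.public_key()


def public_key_pem(public_key) -> bytes:
    """The one thing the sender needs in advance: the recipient's public key."""
    return public_key.public_bytes(serialization.Encoding.PEM,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def encrypt_for_recipient(public_key, plaintext: bytes) -> dict:
    """Hybrid encryption. A fresh AES-256-GCM key protects the bulk data; that
    key is wrapped under the recipient's RSA public key. After this returns,
    nothing the sender or courier holds can recover the plaintext."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                      # 96-bit GCM nonce, fresh per message
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, None)
    return {
        "wrapped_key": public_key.encrypt(data_key, OAEP),
        "nonce": nonce,
        "ciphertext": ciphertext,               # includes the 16-byte GCM tag
    }


def decrypt_as_recipient(private_key, bundle: dict) -> bytes:
    """Only the holder of the private key can unwrap the data key."""
    data_key = private_key.decrypt(bundle["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(bundle["nonce"], bundle["ciphertext"], None)


def tampered_bundle_is_rejected(private_key, bundle: dict) -> bool:
    """Anyone who alters the ciphertext in transit is caught: GCM
    authentication fails and no plaintext is released."""
    damaged = dict(bundle)
    last = damaged["ciphertext"][-1] ^ 0x01     # flip one bit of the tag
    damaged["ciphertext"] = damaged["ciphertext"][:-1] + bytes([last])
    try:
        decrypt_as_recipient(private_key, damaged)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    recipient_private, recipient_public = generate_recipient_keypair()
    message = b"Constructed sample document; not real material."
    bundle = encrypt_for_recipient(recipient_public, message)
    assert decrypt_as_recipient(recipient_private, bundle) == message
    assert tampered_bundle_is_rejected(recipient_private, bundle)
    print(public_key_pem(recipient_public).decode().splitlines()[0])
```

The point of the hybrid construction is that the courier's devices hold the bundle and, at most, the recipient's public key; an RSA public key object has no decrypt operation at all, so seizing the laptop yields ciphertext plus a key that cannot open it. Real tooling (GnuPG, age) does the same thing with more care around key management and forward secrecy.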

It doesn’t end there though. Even if he had been carrying unencrypted documents, you would expect the people tasked with this kind of operation to understand that “recovering” them from Mr Miranda’s laptop, thumb drives or phones does not mean they are not still out there. Are they really naive enough to believe that by taking any copies he had they would stop Mr Greenwald writing anything more? Even before everything became electronic, paper documents or even film could be copied, so this should not be news to the people in the intelligence world.

As for Pfc Manning, does he really deserve to spend the rest of his life in prison? Was his crime really that serious? And does society benefit from locking him up many times longer than a murderer or rapist? What about those whose irresponsible actions led to the financial crisis we're in, most of whom haven't even been charged with anything despite negatively impacting orders of magnitude more people? It is clear nobody will entrust him with state secrets, but I am pretty certain he could contribute way more outside of prison than inside. Demanding he spend the rest of his life behind bars is just vengeful. So much for being a Christian nation.

Intelligence or TSA

It was somewhat refreshing to hear that at least some part of the government was using intelligence (or at least trying to) rather than brute force to find the criminals who would attack us. Airport security has always appeared to me to be ineffective security-theatre, designed to make people feel safer as long as they don’t think too much about it. Always just reacting to the last attack vector, never predicting the next one. Catching criminals works better when you use intelligence and detective work.

Really, which is better: (a) having low paid bouncers at airports (or even train stations, arenas & along roads now) scare us into taking our shoes off and throwing away our bottled water & shampoo, (b) having intelligence analysts looking for patterns in electronic communications that could lead to thwarting an attack before it even made it out of the planning phase, or (c) doing nothing at all and letting these common criminals terrorize us all?

As more and more of the services we use every day become encrypted (think email, Facebook, Skype and even Google now), the ability to see patterns in the data captured from the infrastructure of the internet is reduced to just the patterns in the very limited meta-data about the connection itself: who connected to which server, when, for how long and how much was sent. There is a certain elegance, at least from a technical perspective, in being able to tap into the data post-decryption in the data centers of the most common services. Unfortunately, it is a model that doesn't scale (I think about scaling things a lot these days). There will always be services that are not included, or services like Lavabit that would never agree.

And I have to wonder whether the kind of criminals planning major attacks on us are really using Facebook to communicate. Seems pretty unlikely to me. I would have thought they would stick to less well known, and more secure services, likely using security like VPN tunnels or anonymisers like Tor. In which case, analysing the traffic going to Facebook and Twitter, or even Google would provide little or nothing of value.
