The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | Musings

IMG 1402

David Shedd, former director of the Defense Intelligence Agency, recently published an OpEd on the damage that unrestricted focus on catching criminals can do to our general cyber security. It is great to see people with that kind of background speaking on on this critical issue.

“Americans want their cyber data to be safe from prying eyes. They also want the government to be able to catch criminals. Can they have both?
It’s an especially pertinent question to ask at a time when concerns over Russian hacking are prevalent. Can we expose lawbreakers without also putting law-abiders at greater risk? After all, the same iPhone that makes life easier for ordinary Americans also makes life easier for criminals.”

You can read the whole essay here.

No tags

This article got me thinking: People’s ignorance of online privacy puts employers at risk – Network World

There is an interesting paradox for security folks. On the one hand, almost two thirds of people feel that security is a matter of personal responsibility. On the other hand, few are actually doing very much to protect themselves.

In the workplace we see this manifest in the BYOD (bring your own device) trend. Workers want to use their own phones, tablets, and often laptops. Because it is their personal device, they don’t think the company has any business telling them how to secure it, or what they can or can’t do with it. Yet they want to be able to work with the company’s documents and intellectual property, and access company sensitive networks from that device.

When that trend intersects with the poor real-world security practiced by most people, the security perimeter of businesses just got both larger and weaker.

Realistically, it is too much to expect that users will be able to fully secure their devices, or that security professionals will be able to do it for them. The productivity impact of locking users out of the devices they use (whether BYOD or company provided) is often too high, especially in the case of technical workers. Spear Phishing attacks eventually penetrate a very high fraction of targets, even against very sophisticated users. How then can we expect average, or below average, users to catch them, and catch them all.

Increasing use of sandboxing and virtualization is allowing a change in the security model. Rather than assuming the user will detect attacks, the attack is encapsulated in a very small environment where it can do little or no damage, and from which it is quickly eliminated and prevented from spreading. The trick will be to get people to actually use these tools on their own devices.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.




Is anyone here actually a bad guy?

Wendy Nather at Dark Reading has post on the explosion of white hat “offensive defense”.

She speaks to an issue I have been thinking about for some time. More and more security firms and internal security groups are going “offensive”. They are setting up more and more honey pots, creating fake malware, posting about false vulnerabilities, and actively participating in hacker forums. Even the hackers are getting in on the action by dropping false information and leads.

At what point does the false information start to swamp the real and cause the value of the collected intelligence to degrade. Undercover law enforcement calls the problem “blue on blue” where one group (typically overt) is actively investigating an under cover group.

I was told a story like this by a friend in law enforcement. He told of a drug case. A deal was going down in a warehouse between some drug distributers and drug importers. In the middle of the transaction the warehouse was raided by the local police. Turns out, everyone there was in law enforcement.

Even if that story was apocryphal, it illustrates what we are likely to see on-line. Undercover is in many ways easier and certainly less dangerous on-line, and we are likely to see many private investigations in addition to official law enforcement activities.

This is likely to get interesting. The Internet may start to feel like cold war Vienna, where you never know where anyone really stands.

· ·

There is a lot of buzz right now about how Google Glass will lead to some kind of universal George Orwell type surveillance state.

I think this misses the point. We are going there without Google Glass. Private surveillance is becoming ubiquitous. Any place of business is almost certain to have cameras. After the Boston bombings, we are likely to see the same proliferation of street cameras that has already happened in London any many other places.

The meteor in russia earlier this year made me aware of just how common personal dash board cameras are in Russia. It seems likely that they will be common everywhere in no too many years.

Smart phone cameras are already doing an amazing job of capturing almost any event that takes place anywhere in the world.

So, you are probably being filmed by at least one camera at almost all times any time you are away from your house.

David Brin and others have been arguing for “sousveillance”. If surveillance is those with power looking down from above, sousveillance is those without power looking back. It tends to have a leveling effect. Law enforcement officers are less likely to abuse their power if they are being recorded by private cameras. Similarly and simultaneously they are protected against false claims of abuse from citizens.

I would rather see ubiquitous private cameras than ubiquitous government cameras. If there is a major incident, the public will send in requested footage, but it would make broad drift net fishing, and facial recognition based tracking more difficult.

An interesting counter trend may be in the creation of camera free private spaces. Private clubs, restaurants, gyms, etc. may all differentiate themselves in part based on their surveillance / sousveillance policies.

· · · ·

I have recently seen chatter suggesting people are confused about my thinking and allegiances on various privacy issues.

First, a few core beliefs that form the axioms underlying my actions and positions.

I believe that:

  • The basic design of the Internet and the protocols that run on top of it make it the most privacy hostile major communications media ever used.
  • Censorship and widespread surveillance are inimical to free speech and free expression.
  • Personal privacy is critical to our social, societal, and mental health.
  • There are criminals, terrorists, and governments whose activities will undermine the quality of life for myself, friends, and family.
  • Law enforcement and intelligence organizations are a necessary part of a functioning society.
  • Governments and other organizations are made up of real people with real and diverse opinions and are not monolithic entities and edifices of conformity.
  • If data is valuable to someone, and is sitting around in a database or other storage, it is very likely to be compromised at some point, in some way.

So, these basic tenants lead me to take the following opinions:

Individuals need the ability to robustly protect their privacy when engaging on-line. While not all areas of the Internet are appropriate for anonymity (I really want my bank to make sure it is me accessing my accounts), anonymity / pseudonymity should be an option in most social spaces on the Internet.

Not only are most websites not inclined or incentivized to help you be anonymous, but the very structure of the Internet encourages detailed logging such that creating anonymity friendly systems is quite hard.

All providers of privacy services are fundamentally saying “trust me and I will protect you.” Any claims about how a service works rely on the operator to have actually implemented the system as claimed. At the end of the day this is only backed up by the reputation of the operators of those systems. Choose wisely.

Criminals and other “hostiles” are indiscriminate in their use of technologies. They will use the best tool for any job. The Internet is no exception to this rule. While there is a long history and extensive precedent for plain clothes and under cover police and intelligence activities in the meatspace, the same is not true for cyberspace. Yet, the same need applies. If one is trying to engage with a criminal on the Internet, doing so as a law enforcement officer, from known law enforcement IP addresses is going to imperil the investigation at the very least.

What does this mean for me and how I comport myself?

I have chosen to very publicly back the privacy services with my personal reputation. I have been active in the personal privacy space since I started running anonymous remailers as a grad student in 1992. I have been creating new privacy services since I wrote Mixmaster in 1993. I created the “Kosovo privacy project” during the Kosovo conflict to enable people in the country to report on atrocities going on. I have provided multiple anonymity and anti-censorship tools for the Chinese and Iranian people, protecting hundreds of thousands of their citizens against their own country. Human rights and free speech are passions of mine. itself has protected countless numbers of users of its services. In all that time there has never been a case where we have violated the privacy assurances we have made to our customers. This is not because we have not been tested. Anonymizer is regularly subpoenaed for information on our customers’ activities. Compare this to a relative newcomer “” They, as it turns out, did keep logs and were compelled to compromise the privacy of a member of LulzSec. There are numerous examples of TOR exit nodes monitoring and even altering traffic. With a much longer and weightier track record, you will find no such incidents with Anonymizer. It is logically impossible to prove a negative, but our history speaks volumes. Anonymizer will never provide a back door or violate any of our privacy assurances while my name is attached to it. Reputation is hard to earn and easy to squander. It is my personally most valuable asset.

Law enforcement and other government entities need anonymity and pseudonymity tools too. In their cases the people trying to pierce the veil are often much more motivated, skilled, funded, and resourced, than those tying to identify ordinary individuals. It is not practical, reasonable, or desirable to have these groups simply ignore the Internet in the scope of their responsibilities I have been involved in the creation and operation of numerous tools to enable such organizations to do their jobs on-line as they do off-line. In working with these people I have discovered that they are “people.” They hold diverse opinions about privacy and anonymity. Many are personally closely aligned with my beliefs. They are also tightly constrained by legal limitations on what they can do. Watching my U.S. government customers struggle with their legal departments to do even the simplest and most innocuous activities, while very frustrating, makes me sleep much better at night.

While there have certainly been times when the U.S. Government has overstepped its authorities, they are rare, and we know about these because they came out. The diversity of people in these organizations makes any of the grand conspiracies I see discussed on the Internet absurd on their face. Secrets are either known by very few people and thus limited in scope, are reasonable to just about everyone who all agree they should be kept secret, or will get leaked or blown in some way.

Some users of my personal / consumer privacy services see themselves as in opposition to some or all of my corporate or government users, and vice versa. I think both are important and I protect the anonymity of all of my customers equally. There is no “crossing of the streams.” None of my customers get any special insight into the identities or activities of any of my other customers. As above, there are no secrets like that which would last very long, and it would destroy my reputation.

Honor, reputation, and a man’s word being his bond may be very old fashioned ideas these days, but they carry great weight with me. I hope this clarifies where I stand.

· · · · ·



The Fear Tax

Thanks to Bruce Schneier for linking to this post by Seth Grodin on the “Fear Tax”.

This is a great essay on the hidden, and possibly very large, costs of acting in reaction to our fears in ways that fail to substantially benefit us. He uses the example of TSA Security theater as an obvious case, but talks about a number of others.

As a concept, this is an important one for us to grasp. It goes hand in hand with our misperceptions of risk. Most people judge the risk of spectacular but highly unlikely events to be much higher than they actually are. The relative costs and efforts of fighting terrorism and car accidents is a great example.

No tags