This article was authored by Don Sambandaraksa, and was originally posted on telecomasia.net.
The responses by the US and UK governments to the revelations made by Edward Snowden have been aimed solely at their electorate. If you are not a US or UK citizen, it would seem that the NSA and GCHQ can conduct their business on you as they please.
Think good thoughts people.
How much of an effect this will have on the way we conduct our lives and business is yet to be seen. Google, Microsoft et. al. have clamoured to petition the courts so that they can reveal the number of information requests made by the intelligence services. To date, even that figure is a secret. All the web companies are panicking and trying to rebuilt trust. Without the ability to reassure their users, a decade of advances in trust in cloud computing risk being turned back.
Who, outside of the US and UK, would trust Gmail or Hotmail with their sensitive personal correspondence anymore? Or Google Docs or Office 365 for that matter?
Can we turn back time and revert to local IMAP email boxes running on a physical server?
When Blackberry took the world by storm, I baulked at the idea of surrendering email security to a third party. The fuss in India with the government there demanding access vindicated my fears. Technology journalism all too often involves corruption in technology procurement projects by government, the very departments that controls these taps.
But what the Snowden affair has revealed is how even supposedly secure channels such as HTTPS can easily be attacked. The NSA supposedly must destroy any data collected after five years but may keep any encrypted data indefinitely.
HTTPS in its default configuration, relies on two keys, a private key of the server, and a session key that is generated for the session. The idea is that by tapping into the fiber optic cables, vast amounts of raw data can be stored and at a later date the server’s private key can be obtained to decrypt the session. Obtained either through brute force and technological advances or more traditional spy techniques, that is.
What Snowden also taught us was that encrypting email with PGP (pretty good privacy) works, but also sets off alarm bells. It is akin to wearing a mask in a busy crowd. If only a few people wear masks, all the CCTV cameras and police will be focused on the mask wearers, which negates the privacy of wearing a mask. Only if everyone wears a mask does privacy follow.
GPG (Gnu Privacy Guard) - the open source implementation of PGP - has long been an option on Android, with a program called Android Privacy Guard (APG) alongside a traditional locally hosted email client called K-9. Compared to Gmail the UI is clunky and search is rudimentary at best. But using APG and K-9 on the phone alongside the Thunderbird Enigmail plug-in on the desktop would seem to be the only way to ensure privacy in this day and age of dragnet surveillance.
As for voice, all of this has led to a renewed interest in end-to-end encryption for VoIP and the ZRTP protocol.
The question is how many will take the NSA files as a wake-up call and start protecting their privacy? How many would prefer to remain blissfully unaware and continue to trust governments and corporations with their innermost secrets?
And it is not as if we were not warned. Back in 2008, Richard Stallman, a staunch privacy advocate and one of the most iconic figures of the free and open source movement, said that cloud computing is worse than stupidity. Five years later, it seems that he was proven right after all.