Reality check: We should not expect our communications to remain private Welcome to the latest Register Debate in which writers discuss technology topics, and you the reader choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday. During the week you can cast your vote on …
We should not expect our communications to remain private
It makes it easy to click on the wrong yes/no. I know that the el-Reg readership is by & large intelligent but we can be busy or rushed.
The question would have been much better worded "We should be able expect our communications to remain private"
Every time we complain about the wording of these polls. El reg is very quick to be critical of everyone else's mistakes but not accept or fix their own. Set aside your curse of knowledge and fix the wording you'll get a better of idea of how people feel on the subject considering how much confusion is caused every bloody time.
We could simply not bother giving an answer until they sort out their poor UX.
Ah yes, framing the question. An ever fruitful source of bias in questionnaires.
Whenever this topic comes up, I remember a classic comic strip, Bloom County by Berke Breathed and a couple of day's strips where Milo Bloom (reporter on the Beacon) is questioning Senator Bedfellow on the telephone:
Milo Bloom: Hello, Senator. I'm working on my first news story, and I' like you to confirm something...did you say, quote, "I paid them 50 grand to sink Hoffa in the Potomac?"
Senator Bedfellow: WHAT?!
MB: Then you don't deny ever saying that?
SB: YES!
MB: Then you admit confirming not denying you ever said that?
SB: No! I mean YES! WHAT?
MB: I'll put "Maybe."
Later strip:
MB: Senator? This is Milo Bloom at the Beacon. Will you confirm that you sunk Jimmy Hoffa in your backyard pond?
SB: What? Of course not!
MB: Fine. I'll go with "Sen. Bedfellow denies that pond is where he sunk Hoffa"
SB: That's not true!
MB: Okay. "Bedfellow DID sink Hoffa in pond."
SB: I DON'T KNOW where Hoffa is!!
MB: "'I lost the body' says Bedfellow."
https://www.neogaf.com/threads/bloom-county-returns.1078984/post-172628879
Naah I reckon that they should produce two version of the poll with two versions of the article, in order to proivde a "balanced sample". One version of the article would depict GCHQ poking fun at your search history, at your private pictures and another version would show them stopping you procuring some parts needed for a dirty bomb. Then have the same question at the end (Are you in favour of the government pilfering all your private communications Yes/No) but serve up a different version of the article, at random.
Sir Humpy knows what this - as shown here https://www.youtube.com/watch?v=G0ZZJXw4MTA
By adding the words "be able", you completely change the meaning of the question. Your version is framed as a mirror image of the question, but it's nothing of the sort.
"Should expect" is an inference based on observed facts. If we "should expect" something, that suggests "the observed facts and known laws point to this conclusion, it is too early to be certain but there is a strong likelihood that this is the case."
"Should be able" is quite different - it's a moral statement. The argument even says this much - yes, we absolutely should be able to expect privacy. But whether we should expect it is a very different question.
For what it's worth, my father told me back in the 1970s always to assume that phone calls and letters were not really secure, they could be spied on in many ways. Some of those ways don't even require much in the way of special resources or tools. I've made that assumption from childhood, and the Internet has done nothing to dispel it.
.. it may be worth looking at what inspired Eric Arthur Blair (his real name) to write 1984 because it will gives you a bit more depth on the topic.
George Orwell got the idea for his story after reading Jeremy Bentham's fairly radical theories for the Panopticon, a prison which uses the feeling of constant observation to change behaviour. You could call it an early form of psychological, well, abuse really.
Why is this background important?
1 - observe the concept of inducing a feeling of being watched 24/7. Go to the UK and have a walk in Central London or drive on adjecent motorways to get an idea. Don't bother counting the cameras you see, because you are guaranteed to run out of fingers and toes within seconds.
2 - and this is very important: this was for prisoners.
George Orwell extrapolated on consequences, but even he could not have dreamt up the pervasive amount of surveillance the average citizen is now subjected to as soon as someone discovered just how much profit could be made with reselling that data - with, of course, themselves nicely excluded from it.
Worth keeping in mind.
What Orwell could definitely not have imagined is that the surveillance society be implemented by companies and accepted without thinking by the global population.
Sure, NSA is tapping comms, but Facebook has access to almost everything and people are giving it freely.
It's one thing to wonder about using Signal or not, it's an entirely different kettle of fish when you post you entire life between Twitter, Instagram, FB and Tik Tok.
Facebook has access to almost everything and people are giving it freely.
Not entirely true. Zuck has my phone number because OTHERS installed WhatsApp and so shipped my personal data to Zuck without me ever having given permission to do so (because I wouldn't trust me on that). This is why commercial use of WhatsApp in my opinion is a straightforward breach of the GDPR unless you have the permission of every single person in your address book.
Unfortunately, not much can be done about private users doing this which is what Zuck is taking to the bank on a daily basis.
So, is your objection to Facebook or the general population? This is the bit I don't get. It seems you have a minority view and are demanding that the state adopts it. There are plenty of people who are willing to upload their address books and get a benefit from doing so. It's not a simple problem.
My objection is to the giant omission in GDPR that allows you to acquire personal details as long as you avoid getting it from the person themselves. Given my phone number to someone else does not entail permission for any commercial spam vendor to acquire it too, yet that is exactly what happens through WhatsApp users.
The very fact that WhatsApp is still downloading address books wholesale should be prohibited, but there's no provision in GDPR to address that, none. It's a big, gaping, HGV sized hole through which civilians are still milked dry without them having any control over who gets access to the data thus stiolen, to call this activity by its proper name.
Any other messenger does this by hashing in one form or another, but WhatsApp just downloads address books wholesale which means at that point you have lost control over your contact information - hello floods of double glazing salesmen contacting you via every possible channel. There is not even an obligation to inform you they have your details now.
There are plenty of people who are willing to upload their address books
Ah, but here's the crux: did the people in those address books know that the recipient was going to splatter their details all over the planet via Zuck? I consider it a limited audience version of doxxing. My personal details are mine, and like copyright, I should have the ability to control who gets it and uses them. Hell, if I ever installed WhatsApp I would be in immediate breach of the Official Secrets Act - there's a reason my phone is locked and some apps won't even work without an extra PIN to decrypt their separate store.
I suspect that if you have someone's details on your phone, and WhatsApp slurps them, then you may be in violation of the GDPR because you've knowingly (you accepted the T&Cs) allowed their details, which were given to you for the specific purpose of being contacted by you alone, to be transmitted to a third party without their knowledge or consent.
I don't know this. I am not a lawyer. I am, however, fairly sure that the legislation on this topic is virtually brand new, and I don't think anybody has gone to court for this specific problem yet, so I don't think that even a lawyer could know for sure whether my suspicion is right or not.
However, I definitely don't want to be the one to have to find out for sure, hence no WhatsApp on any devices that might be anywhere close to any of my business-related data, and I'll aggressively uninstall anything else I hear might be sending contact details home.
Under GDPR, uploading some ones contact details to Facebook without getting their express permission to do so is illegal.
It is why most companies ban it from company devices, here in Germany, and you can't install WhatsApp on a private phone, if you have a business email account, with synced contacts, the company would be liable, because you uploaded their employee and customer/supplier names and addresses to Facebook, without the company getting their permission.
Go to the UK and have a walk in Central London or drive on adjecent motorways to get an idea.
I had a car accident in central London quite recently and made inquiries about obtaining possible footage. Surprise surprise cameras either didn't cover that specific area or weren't recording / weren't working at that time...
It is still a very valid response.
It's right up there with "don't say anything in public you might regret".
Gossip used to be the drive to disseminate information. It was the old "can you keep a secret" and the next day you hear about it at the company lunch room.
Now we have Social Media, and gossiping is in overdrive.
The solution remains the same : only say something in public if you are willing to stand up and own up to it.
The problem is that encryption of data whizzing across the internet is normal now. This very website uses HTTPS and so my communication with it is encrypted. The messages I post are available for all to see though. What amazed me was at Christmas was I met someone who was uneducated in what was encrypted. He was dead set against end to end encryption because of the potential for misuse “Think of the Children” However he said yes to doing his banking and shopping online and seemed oblivious to the fact that those used end to end encryption.. Oddly though he thought email did, but that you had to “register” for that so it was known who you were if necessary. I told him the oft repeated phrase Don’t write anything in an email that you wouldn’t write and send on a postcard. He had no idea and sent his card details, CVV, address and all via email.
You can’t ban encryption over the internet because so much of what we do depends on it. However what Snowden did was make the job of the security services that much harder. If I know that a particular application or program has been compromised or the encryption broken then I probably won’t use it. The same is doubtless true of miscreants, and we’ve seen them with their own messaging apps such as Encrochat which is in the news today. I don’t expect my communications to remain private for ever because with ever increasing computing power it seems less likely. If I communicate with one member of my extended family then (for reasons i won’t go into here) there’s a good chance it’s being read by the security services. If the fact that she’s was asking around last night via WhatsApp for light blue darning wool is of interest to them, then great.
Most email is encrypted in transit these days, though it isn't guaranteed to be. Microsoft (including in-house Exchange Server), Google, and Yahoo all support encryption, so if you are sending emails between those three services, it is probably going to be encrypted.
The main exception is people who use snake-oil email security services. They very often don't support encryption, and make your email less secure.
Also, sniffing packets as they transit over the internet is not how people access emails. They either attack the servers or the endpoints.
It is still a very valid response.
For you posting your own data, sure. But your data can still end up out there in many other ways -- passive surveillance, provider breaches, data given up by others in your sphere, doxxing, revenge porn, malware/spyware, etc. ad nauseam.
It's not really possible to control our own data anymore. There are too many paths to public disclosure that are out of our control. Sucks, but that's where we are.
It's not really possible to control our own data anymore.
Indeed, especially when you factor in that, should you actively choose to not (want to) use digital communication and services, life is/ will be made extremely difficult for you.
As an example: I can remember (must have been the 80s or 90s) a documentary about people who tried to live without "identification papers". Youngsters will be dumb struck by this, but back then this was possible. The documentary showed how difficult having "no papers" made life, easily clashing with some of those UN principles that were mentioned in the piece.
Then we got the introduction of an "ID number for life" for each citizen. Quick comparisons with tattooed numbers were made. But still we got them, and nowadays we have to cough up that number on many occasions (geographic variations do exist of course, please forgive me the generalisation). No number means no way Jose.
Now translate that to the present day. Just have a think how opinion/ society moves with regard to for example a preference to use cash only. That's just for criminals, right? No digital communication, "sorry, do not have email, can you send me a letter/ on paper please"? "What, you don't have a smart phone? really?" No "convenient" online forms to fill out for e.g. your taxes, car, vaccination status, finances, travel arrangements, holiday booking. Your GP not taking appointments by phone any more, but directing you to that great online scheduler. And with high streets in decline, getting a pair of shoes might be next.
Sure we can contemplate whether and how we would "allow" our digital engagement. In the mean time in the real world, the use of the word choice has become an overused empty marketing shell, ignoring the inconvenience that choice implies that there are options. Alternatives. Which there are not here because there are no "analogue" options available to lead life. And if there are, they are easily labelled an ageing remnant of bygone days, open to scorn of "old fashioned" and "outdated" eccentricity.
Resistance is futile.
Welcome to the future, shiny happy people!
Well there are a couple of things to consider here:
To paraphrase Douglas Adams - "Mostly Harmless"
So if you keep flagging up flags (I see what I did there) you will eventually get labelled as not a problem. We are seeing this in the UK now - with shed loads of targets we now find MI5 having to use arbitrary rules as to which ones to whack off (sorry, meant follow).
In the mid eighties I was a member of Compuserve MilForum and often spoke on the phone to American and other colleagues about all sorts of things including I know nor whatever. An aquaintance of mine asked if that were deliberate. I sort of stated I didn't realise that it mattered, to which his reply was something along the lines of "well no one listens to you any more".
Of course I didn't understand that and carried on with my normal life.
But this story sort of indicates the issues of using AI driven interpretations of reality. Yes Facebook (sory, bollixia) can keep track of data - and can make serious estimations of you and your intents. If you don't put y9ur stuff up they can do the same. But the key issue to me is ownership, (and spoofing just for fun.). They can have as many predictive systems as they like, you can have as many games as you like. When they come up with:
"You should join this group"
"Biil Blogs has changed his gender by self descrption and now wishes to be known as MaryFuckwit" you as the recimpient have multiple choices
You can ignore it, which may leae to even more enticing reasons to be a target
You can respond with a meaningful response (not reccomended)
Or you can respond with arbitrary statements designed to make the AI lifes untennable. And I think I need to think about it again https://www.youtube.com/watch?v=96rC4X_KWl4
Re: We should not expect our communications to remain private.
I am surprised enough that at this point the 'for' camp is less than 40%. This is a slam-dunk 'Yes, we should not expect our communications to remain private'. There are many routes to failure and exposure. The only hope of modest privacy is being someone who is not interesting enough to look at. Given the value of successfully targeting you as a consumer, you are indeed interesting to look at for anybody who can capitalize on this.
If you know about Snowden's revelations, know what side-channel attacks are, know what social engineering is, understand how various types of data correlation and statistics work, are aware of things like undocumented instructions to alter CPU microcode, fundamental weaknesses in security code, deliberately weakened security standards by entities like the NSA and collaborating security experts, laws allowing government agencies to demand private data from service providers, hardware backdoors in things like hard disks , etcetera, it is hard to imagine how you think you can ensure you keep communications private.
I have a K210 developer kit here so I can examine the feasibility of using a custom made open source system based on a custom open source RISC-V device to increase security by eliminating possible back-doors in the chips.
You have no hope of privacy if a powerful enough adversary targets you.
I am surprised enough that at this point the 'for' camp is less than 40%
This may be partly because it was phrased in such a way that it's dubious what to select - see the observation that you should not ask a question with a negative in it. Did I vote not not, so keeping it private, or not?
Personally I think this should be rephrased and then run again.
It's always going to be a cost/benefit calculation. If you are a paranoid zillionaire then you could go to extreme lengths and still not feel 'safe'. For us mortals best to do enough to make it harder than for the next guy. For frivolous stuff WhatsApp may be good enough even though Zuck can make some use of the metadata but use Signal for more critical stuff.
The big change came when it became easy to surveille lots of data going past. Previously with post & telephone the sheer work involved in checking any significant volume self-limited the process, except in extreme (East German) cases. Now it's easy enough to get done even on multi-terabit submarine cables. So if it's important to you, wrap it in the digital equivalent of a Foreign Office courier case. It's hard to stop the metadata i.e courier X flew London to Kabul on Y flight at Z time, but you don't know what was in the case.
Another example: I was out walking the other day, heard louder aircraft noise than usual & looked up. Four engine jobby - 747 or A380? but neither seemed likely. So out came Flightradar. It's a RAF C-17 out of Brize Norton heading east. Not perhaps unexpected in current circumstances. Anyway, my interest piqued, I followed it periodically, all the way to Ukraine... That's metadata, easy to get but tells me nothing about what was in it or why.
No, there is no privacy if a misguided enough and big enough criminal organisation or criminally acting organisation wants your data, speech and snores.
Apart from "pure hardware" surveillance like LASER resonance devices that turn each and every glass surface into a giant microphone membrane, every internet and (mmobuile) phone provider is already forced to give access to everything and anything that is coming to and from your access points if asked by authorities. Some of those keep selling your location to everyone and his dog, as mentioned here on the register, even after a nice collection of court orders that prohibit doing this.
No need to mention the full scale security issues from google/android or apple here.
The only thing preventing full scale real time surveilllance is the greediness of all those "security" organisations. The respective organisations in france needed over three months to actually process the communications information from those murderers that slaughtered the charlie hebdo journalists. France is using complete data retention but the relevant information was stuck so deep in the collection that even with the mobile phones of the murderers hacked, they still needed that insane amount of time to actually find something useful in that pile of data dung.
If you are OK with spam and obsessive data greediness being your only real privacy protection, thats fine by me. I tend to be a bit more paranoid, not "because i have something to hide" but because my business is MY business and also because accidents and misinterpretations do happen and i would really hate to be in the dragnet just because my name does not differ enough from a hardcore drug baron plus any data clerks typo.
Everyone/thing everywhere should be using strong encryption. Until encryption is the norm, things that are encrypted can/will be targeted for attack.
I arrived at my pessimistic assessment because no matter what I could think of that could be done, I could not trust the safety of something important enough to invite attack by an enemy with sufficient resources.
Government agencies have colluded with industry to compromise enough hardware that you have to assume it has all been compromised.
It drives me nuts that Canadian border guards can and do demand passwords to your devices and seize them if you refuse.
We can't stop total surveillance, but we can change laws and procedures so that use of surveillance data requires more than just the arbitrary demand from a single individual.
I wonder if it comes down to interpretation of the question itself ?
When I first read the title, in my mind it was asking something more like "Should we not be able to expect our communications to remain private?" - i.e. is it reasonable of us to continue to expect there to be some attempt to protect that privacy. I guess the current climate - with the Govt trying to knacker E2E - feeds in some additional context.
I don't expect anything I transmit to remain private (so I'd vote For), but I *do* think we should expect Government not to try and outright nobble the protections we do have.
If I'd read the title and not the article body, I'd have ended up voting against - I wonder if that's part of why the result is skewed the way it is?
> is it reasonable of us to continue to expect there to be some attempt to protect that privacy
I think this is the trap the proposer (Joe Fay) and many of those voting for the motion are falling into: expectations and reality.
I fully expect some attempt to be made to protect privacy, however, I know the reality and thus there is a risk that my communications may be eavesdropped on, typically by state players but increasingly by commercial interests and bad actors.
I think Jay in their close is being naive:
"Accepting the current reality doesn't mean you can't still hanker after a world where your privacy would indeed be respected. But here and now, vote for reality, and acknowledge that we should never expect our communications to be private."
Following this through, merely endorses government lobbying to outlaw encrypted communications, because only bad actors use encrypted communications; law abiding citizens have nothing to hide and thus fear.
It also means commercial interests will be emboldened to eavesdrop on conversations and potentially interrupt (man-in-the-middle): "excuse me couldn't help hearing you have a death in the family, XYZ funeral directors offer a sensitive service...press one to talk to one of our arrangers". Given this effectively happens today with our web searches, its only a matter of time before those 'free' to end user services such as FB, moving into other communication spaces.
So yes it is reasonable to expect our communications to be private to the same extent as they were over the fixed line telephone network, if only to make life difficult for bad actors and exploitative commercial actors.
I voted FOR as in our communications should be private. Because it was the FOR side of the argument being presented. If this was wrong, then the question is faulty (though that might explain the large number of opposing votes?).
Besides, it shouldn't count until the AGAINST side has had a say. I'm sure I'll disagree with all of it (how many sentences until "think of the children"?) but at least give it a fair hearing and then vote.
One of the definitions for the verb "to expect" is to think or believe that something should be or happen a particular way. In that sense, one absolutely should expect their private communications to remain private. That does not mean one should expect that governments and corporations are going to respect that expectation. The motion for debate seems oddly phrased. Which, perhaps, we should have come to expect from El Reg's motions for debate ;-)
I interpret the question in the same way as I would interpret "We should not expect to be able to walk to work without getting run over".
I realise, of course, that I might be run over. I might even be deliberately targetted by someone for some reason. But I expect to be able to walk to work without being run over.
Similarly, someone might accidentally or stupidly forward a private message to the world (or accidentally or stupidly run me over). And I might be targetted by someone who is willing to spend a lot of effort (zero-day bugs, quantum computer decryption, or renting a big HGV and waiting outside my office). But I expect my communications to remain private.
I expect most people I deal with to be honest and law-abiding, and for the most part they are.
But locks and legal contracts exist.
Both are there to keep honest people honest. Dedicated lawbreakers pay no heed to either, so the reality is that while you can generally expect most people to be mostly law-abiding, you have to be prepared to deal with other types. Which is a shame.
The same applies to privacy. I have an expectation that most of my dealings can remain private. Unfortunately, the people who take advantage currently are having a heyday. While it is reasonable to have one's privacy removed in specific and limited circumstances, I object to its wholesale removal. Privacy, like honesty, should be capable of being assumed.
Note that sociologists point out that civil society requires a degree of trust to operate effectively. I feel that having my privacy removed abrogates that trust, which worries me.
https://en.wikipedia.org/wiki/Trust_(social_science)#Sociology
I see when talking about this matter, people tend to conflate three different situations in a single issue - and that makes finding solution a mess. Basically we have:
1) Access to communications by commercial entities to monetize them
2) Legal access to communications under a warrant
3) Espionage
The Constitution in my country explicitly protects communication secrecy - and only lawful accesses are permitted. We may like it or not, but fighting some kind of crimes requires communication access - especially organized crime but not only. The problem then becomes the controls about lawful accesses - with too many law enforcement people asking for too broad rights, because they think that way is simple. It's up to citizens to force politicians to rein in this attitude - because technical solution may not always work. See the CLOUD Act, for example.
That also will make 1) much more difficult as long as the proper fees and penalties are in force. Of course 3) is much harder to fight - internal one if you again leave some agencies too broad powers, and external one if your agencies are too busy to spy their own citizens and allies instead of protecting them from foreign powers.
Not all the communication may require the same level of secrecy, but all of them requires privacy. And that can be achieved only with a combination of technical and legal protections - because without the latter, when technology fails, you are naked. If we cannot trust our democratic government any longer we have far bigger problems than looking for a better encryption algorithm - it's time to rebuild the government and ensure democratic laws protect us - and not only a bunch of oligarchs and when you're found using a not approved technology you're sent to a cold re-education camp somewhere.
This.
Intercepting communications via legitimate court order for the purpose of tracking bad guys is an acceptable part of policing.
Copying everything from a person's phone in the hopes of finding something is not.
Having an app run in the background spewing your exact location to a service in another country is beyond the pale. As is "helpfully" pilfering someone's entire address book.
As far as I am concerned, if you (you as in the rozzers etc) suspect me of something, turn up with a court order. I'll make you tea while you discover I'm about as boring and unimportant as can be. Otherwise, piss off. You get to see that which I choose to share, nothing more.
My Dad grew up under occupation in WW2 and because of those experiences, he fiercely defended his privacy until he passed away.
He would have been appalled by how promiscuous we are expected to be with our data and our privacy. I used to think he went too far to keep his affairs private but as time has passed and Tech has developed, I reckon he was right.
I don't think that today's corporations or governments should be entitled to examine and use the personal details of anyone's life, neither do I think they should have the information in order to better exploit groups or individuals for profit (or otherwise). Sadly they do have that power and control.
This is not a new idea to convince us to give up our lives for profit. I seem to remember Bill Gates saying something like "We should not expect our communications to remain private", back in the day.
Someone has been banging that drum ever since, but I don't see the benefits to me. As time passes I engage less and less with electronic communications.
@Joe_Fay
Quote1: "Who do you trust to ensure the privacy of your communications?"
Quote2: " something your in-laws might raise when it comes to deciding between WhatsApp and Signal for arranging family get-togethers..."
Sorry, but the implication is that it's reasonable to trust WhatsApp or Signal........without wondering if either or both WhatsApp or Signal HAVE BEEN HACKED BY THIRD PARTIES!!!
Quote3: "...acknowledge that we should never expect our communications to be private..."
Sorry, but there IS something that INDIVIDUALS can do....namely use private encryption BEFORE any message enters ANY public channel. This might not be perfect (snoops being who they are), but it certainly makes the snooping an order of magnitude harder!!!
And talking about "making snooping harder"....it's quite possible to arrange for a different random key for every private message (Google "Diffie/Helman" for details). So private arrangements mean the snoops have multiple problems:
(1) breaking the public encryption (WhatsApp or Signal or...)
(2) what private encryption algorithm has been used? ... and how to break it?
(3) guessing the different key for every private message
*
k4ZzNn/8kglH1o/nCyHmeRUy5dsxWLSlorOinMFQI/LWUyVzPA7Rizsn14kRI2r4cqTxUZGXeRg8
L474TBT78CB0r/v+GqMu5/euk4eOvXCEFE7yApXgVyUHjtuBQbOTe8dZZNmGBJb6DjPWIM7qgSos
gfB30yhtxKDQloaaVfA+ZpiVivhkjwfghOl8yc0qouymuNs7gkJkNzM48Awdam3moXD/5uhw+1I2
eo0mnEnPSQma9t05uSBwwmE/nmuLp2JVVSPgthk=
*
P.S. I voted "For".....but I completely reject the idea that I can do nothing about "privacy"....see above!
@AC
Yup....the Google suggestion would be a start. But if you have time for a 758 page reading assignment, then Bruce Schneier's book "Applied Cryptography" should give a reasonable assessment of what might be possible. There's lots of code examples too (so you need a C compiler to explore).
Talking about C, there's plenty of open source support for some of the bigger programming challenges. One example would be the challenge of number arithmetic for VERY large numbers (including the business about prime numbers):
- Link: https://gmplib.org/
....but I guess the snoops in Fort Meade and Cheltenham would prefer that the "unwashed masses" continue to know nothing about how to help themselves!!!
People think it's for their own good, but reality is those who want / need their communication to be private will have the means to ensure that.
Everyone else will have their thoughts monitored and then government narrative will be adjusted to nudge public opinion in the desired direction.
If you participated in some polling during the pandemic you would often get questions "do you fear catching Covid?" and be sure that when they numbers fell below certain level the fear propaganda was heated up.
Instead of running these kind of polls, they want to have wholesale access to your communication and to have a feedback loop to build more effective propaganda models.
That's only one aspect - when it comes to shaping public policy, but it will be also very very useful for corporate messaging - for example if people start talking about a new social media platform - the established platforms get signal to nip it in the bud.
Systems that rely on secrecy to function and maintain a remote, as in safe and secure and relatively anonymous, virtual leadership, with proxy public media puppet figureheads being presumed and assumed to be instrumental leading figures rather than them being widely realised as only sub-prime cohorts and lackey lickspittles, cannot compete and triumph against sensitive novel and truthful information freely shared for further processing and deeper understanding.
Many times then is the only best and cheapest solution the exercising of the option to pay a realistically hefty fee to any party able to ensure, if not its non-existence, at least its non-appearance at any present time or current future space/place.
This argument effectively boils down to a cynical surrender. Since it's very easy for privacy to be broken, both by deliberate attack and accidental mismanagement, and it's very hard to make those possibilities go away, we shouldn't expect it. I'm a cynical person too, and I frequently make pronouncements of this kind. However, when dealing with problems, even cynics have ideals toward which they work even if they consider success unlikely.
Lots of things are very hard. Some things we do seem impossible when first attempted or may actually be so. However, we don't let that force us into apathy, which is how we have solved lots of hard problems throughout history. We don't have to assume that the next advance will solve everything for it to still be worth making that advance. So the real question is whether privacy should, ideally, be present or not. On this, I and the article writer agree that it definitely should. Since that's the goal, we should expect it. Where we don't get it, we should work to advance that goal, whether that be by making stronger cryptography, making it easier for nontechnical users to properly employ it, putting penalties on those who infringe our privacy, or new methods yet to be considered. If we try but fail to do this in the next decade, we can hope that the one after will improve it. If we give up and do nothing this decade, then the next will be worse and it will be our fault.
tech providers from Google to Meta and beyond know everything you do think want need feel and say and happily send all that info to the government for free, and unrequested in their drive to crush all thoughts they don't approve of. Yes nothing is private. Nothing. Now what?
We all desire privacy but expecting to receive it is naive.
My expectation is that all my electronic communications are available to all major intelligence agencies.
My further expectation is that curtailing intelligence agencies is not going to happen.
Even further I expect that attempts to avoid it get you flagged as a person of interest.
"we should not expect out communications to remain private. We should require it."
An argument that is defeated by anyone who uses social media or gmail and therefore gives large corporations free access to their personal information and communications. It's a sad truth that we (the IT/Security/Privacy community) talk about privacy and reasonable expectation of privacy and the users really don't care and vote with their feet. They prefer "free" as in beer to free as in the context of "free from oppression".
Joy Fay starts off with
"Your absolute right to privacy has been endorsed by the United Nations, no less."
And then quotes the UN
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence..."
There's a huge difference between "absolute" and "not arbitrary".
The problems start when rich tech companies pander to the perception that the right is absolute in countries where that is unnecessary, and cave in in countries where it is necessary, in the pursuit of making money.
Some conversation should not be in public, but still needs to happen.
So, what tools do you use to plan and deploy security personnel on a map? Patrol routes?
Or discuss who is off sick?
Or be subject to a request for information from a government department? (We just had one requesting all chat logs mentioning a particular location).
The lack of ability to have a private conversation is harmful to doing useful work.
@Joe Fay stated: "We know what the threat is. But the tools to counter them are in our reach."
Individuals and corporations do not have the tools to counter nation state actors including the security services of their own countries. These organisations have access to tools and computing power not available to citizens[1] that can break commercial encryption or grab credentials. Governments do not trust commercial crypto at higher levels of assurance, they use their own crypto and a variety of algorithms and implementation that individuals cannot obtain and could not afford even if they were available. Some companies list these products but any attempt to buy them will be met with a demand for authorisation of the purchase by the appropriate government department.
AES256 will slow down a well-resourced attacker, not stop them.
Anyone remember the fuss that the Met/Home Office made about Apple's iPhone encryption being "too strong to break" which went away pretty quickly when they realised that the Israeli company Cellebright had already broken iPhone encryption.
[1] Not quite true since anyone with access to sizeable bot nets has a lot of distributed computing power to hand.
@Lotaresco
The point about a private citizen (or private citizens) using private encryption is NOT "perfect secrecy".
If we use private encryption BEFORE A MESSAGE ENTERS ANY PUBLIC CHANNEL, the snoops are given three challenges, not one:
(1) How to break the public service encryption (Proton, WhatsApp, etc)
(2) ...then how to determine what private encryption scheme has been used (AES, SALSA, chacha....maybe a private book cipher)
(3) ...and then what key might have been used in item #2
By the way, if item #2 is arranged to use a different random key for each message (see Diffie/Helman), the task is much harder than if say, PGP or similar was in use.
The point is that well designed private encryption slows the snoopers down!! Perhaps by a lot!!
Your comment implies that we citizens are weak, and have no recourse against large private (or state sponsored) snooping. Perhaps this is not true. If our messaging takes, say, a year for snoopers to read......then the message has been private for LONG ENOUGH!!
*
E3yzqJOZMVUrGZgxU3MBIDq9YHW1YT6NIPqxOV8N6BM109GdUhun2JYVUr4PERIzWjwXwxC1Y9K7
63MzwBMT234dGnEBw9mdarEZ0TC9mLkx0TcXKXKfyFufohcBkDo1O12tUf2JiziledOfaHyZI5Wb
WPuhwjEdiXyNuzGF6FCPAJGZU5szGjSLCxetYtsV8d2xyn6d8x4V23Q3oDoviHCFer8563GVyXMV
cjstY7MDkXczSNubYFyLQd4vOjKde7Ax0rIfSFMrYT2Bg3opKJ2vY3WJiJ2Tu7SbETIDklaL01Ux
s30BUjyfOL2Nub2J69UDEDuTsduBmbmbG9YN4vaJKjSH05Y7OP0d4x0VS9w1MN8FonWt4Xep2nS7
QRihWFuxo5eZCdk92v89SHEHEzulYNY1slafU943iRmbi7GBuDQBmZODOxal4dmfY1mXqbiVE90H
2NkvUJ8L0Pin4vYR4p2V4zCZ0xmn0ZWtElAja7mNKrwtszw5srqJcV01M94ZYlmZcbIB8Pw9C58L
wFwji1ufs3iRKj8HmjihMvwL8tAlk1AhivAX
*
The biggest problem is that people just can't act PG all the time, and we are in the middle of a pandemic that won't end any time soon. Otherwise they wouldn't be talking about 4th, 5th and 6th boosters. So private conversations in person are rare and are now done digitally instead.
I cut my social media use to the minimum I could, because they tell you were and when to get your next shot by WhaApp and e-mail in my country. I no longer use Discord or Twitter. I never used Facebook or Instagram or you name it. I will avoid Zoom as long as I can.
I use irc, e-mail, WhaApp and Google Hangouts or whatever Google is calling it today, that's it. I never do backups of WhaApp conversations, online or otherwise.
I use Firefox that's now best pals with Facebook, I use Google that needs no explanation because you can Google it instead, I haven't used Chrome in several years.
So to sum up, is very hard to control what you say and do online because nowadays that's were most of our interactions happen.
Can we do it? Yes we can, but even for the so called "digital natives" is not going to be easy.
I used computers before I even started schooling, I even had a Game & Watch clone from Casio, and back then it was safer because things were offline by default, if anything because I am not a digital native I am aware of how insane this is.
Aside from the already mentioned "never use not in the motion":
As the argument specifically states, we SHOULD expect our communications to be private.
Furthermore, this is enshrined in international law.
Arguing to remove an axiom of the debate itself is a non-starter. "Should not expect" is cast down before the proponent even begins their argument - or would be if the question had not been phrased so terribly badly.
Whether we currently DO or technically CAN expect it is a different matter that can be argued over.
As is what can be done to protect this right.
The UDHR is a fundamental treaty of the UN
it is required for any new members
interpretation of Article 12 is settled and well established.
Unless the benefit to society is significantly greater than the benefit to the individual, then the right to privacy is guaranteed.
the problem is that in the modern age, companies and people always ask "can we?" and rarely ask "should we?" and the value of online privacy is not appreciated by the masses.
there are ways to protect your privacy in a digital world and legislation Like GDPR is helping.
I voted 'Against', meaning I think that privacy SHOULD be held sacred, and not violated by anyone for any purpose. Looking at you, Zuck... And YOU, Alphabet. Etc, etc, and so on so forth.
To that end, I use ad blockers on every website. If a website requests I not use blocks on their site, too bad. I don't need their site.
But that is the tip of my iceberg, and, unlike the real world's climate change, MY iceberg is unfortunately growing.
Sometimes El Reg gets the blue-ribbon for use of double-negatives that create ambiguity and confusion in just what a "For" or "Against" vote means.
The literal reading is a vote "For" means agreeing you "should not expect" your communications to remain private and a vote "Against" means agreeing that you "should expect" your communications to remain private. I wonder how many took the opposite interpretation (and how that effects the validity of the results)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
