Privacy dies off

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 11 May 2010

In the past, there was a 'war' between cypherpunks, an informal group of people interested in privacy and cryptography who wanted to see information spread around the world, and, on the other side, the government, which wanted to prevent that spread.

So said independent computer security researcher, Moxie Marlinspike, during his keynote address at the ITWeb Security Summit at the Sandton Convention Centre, this morning. “The US government had long regarded cryptographic software to be as dangerous as munitions, and as such, it was subject to arms trafficking export controls.”

The government wanted the ultimate control, he said. At one point, the government manufactured the Clipper chip, in essence a key escrow system. In the factory, any new phone or consumer electronics device with a Clipper chip would be given a cryptographic key. The key would then be provided to the government in 'escrow'. In this way, if government agencies established good authority to eavesdrop on a communication, the key would be given to the agency, which could then decrypt all data transmitted by that specific device.

The whole dynamic was made worse because the cypherpunks wrote code, and wanted actual software to perform secure communication. In 1995, Phil Zimmermann wrote PGP, the most widely used e-mail encryption software in the world, and published it along with its source code for public consumption.

“Efforts such as these continued until 2000, when the US government changed its tune, and all significant laws restricting export of cryptography were relaxed,” said Marlinspike.

This, he added, meant the question in 2000 was: 'is it game over?' “At this time the predictions were that the spread of information is inevitable. It was predicted that anonymous digital cash would flourish, intellectual property would disappear, and surveillance would become impossible. It was also thought that governments would be unable to continue collecting taxes, and that governments would fall.”

Flash-forward, noted Marlinspike, and “everyone's mother today has an illegal copy of an MP3 somewhere. Cryptography is everywhere. There are actual darknets, or network telescopes, used to monitor network traffic on unallocated IP space, which should make the eradication of information impossible. Surveillance is at an all-time high, privacy at an all-time low.”

“What happened?” he asked. “In many ways, the future they anticipated was fascism, but what we got was social democracy. Not better, just different.”

Scope of choice

Marlinspike asked the audience how many of them would be happy to carry a government tracking device. No one raised their hand. But when asked how many in the audience carried a cellphone, the results were the opposite. There is not much of a difference, he opined. “A cellphone has real-time positioning and cellular companies are required by law to supply this information to governments. The difference lies in choice. People choose to carry cellphones.”

According to Marlinspike, people organise themselves in groups - informal communications networks. “The value of these networks lies in the people you connect to. If everyone is a member of the network, it becomes very valuable. If you can't participate, you are left out. What kind of choice do people really have? Old mechanisms for collaboration are destroyed and this technology changes the fabric of society.

“As a piece of technology changes, the scope of choice expands and it becomes a question of participating in society or not. In this way, there is a pattern of small choices becoming big choices. We see this pattern everywhere.”

He cited Google Analytics as an example. “Analytics works through JavaScript. Expand the scope of choice; if you block JavaScript, you break the functionality of the Web site. You depend on Java for the base functionality. The question is then, do I want to use this Web site or not?”

A further threat to privacy happened in the early 2000s, when the US government wanted to make data available on a large scale, and started the Information Awareness Office. Its aim was to store all e-mail, Web traffic, credit card history, and medical records, and then develop the technology needed to mine this massive amount of data.

“This looked like the totalitarian future,” said Marlinspike. “People freaked out.”

Nowhere to hide

However, this is in essence Google's game, he noted. It has exceeded all these goals and collected all this information. It is good at pulling profiles and stats out of large volumes of data, e-mail content and suchlike. It knows where you live, where you work, how you spend your time.

“It's all about intent. Essentially, they are in the surveillance business, the effect is the same. Once again, it's about choice. If, for example, you choose not to accept e-mails from Gmail, you would cut yourself off from a large part of society.”

In addition, Google claims to 'anonymise' users' data after nine months. “Anonymise means drop the last octet of an IP address,” he explained. “Cookies are simply translated. It also says it takes privacy seriously, putting it under the user's control, but in fact only shows the user some of the information they are most obviously capable of connecting to you. In addition, it requires that the user has an account, remains logged in while using services, and maintains a consistent cookie in order to participate.”
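What the quoted description means for a stored log, as an added example that is not from the article, the speaker or Google: it zeroes the last octet of each address and models the cookie 'translation' as a fixed one-to-one mapping (an assumption, since the article does not say how cookies are translated), then checks what remains linkable. All records are constructed sample data.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample records (documentation-range IPs, made-up cookies/queries):
# (client IP, cookie value, search query)
RAW_LOG = [
    ("198.51.100.23", "c-7f3a", "clinic near sandton"),
    ("198.51.100.23", "c-7f3a", "pharmacy opening hours"),
    ("198.51.100.77", "c-91bd", "weather johannesburg"),
    ("203.0.113.5", "c-7f3a", "flights to cape town"),
]


def truncate_ip(ip):
    """Drop the last octet: keep only the /24 network the address sits in."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)


def translate_cookie(cookie):
    """Assumed model of 'translation': the same input always maps to the
    same output, so the new value is still a stable identifier."""
    return hashlib.sha256(cookie.encode()).hexdigest()[:12]


def anonymise(log):
    """Apply both steps to every record; the query text is left untouched."""
    return [(truncate_ip(ip), translate_cookie(c), q) for ip, c, q in log]


def link_by_cookie(anon_log):
    """Group 'anonymised' records by translated cookie to rebuild profiles."""
    profiles = defaultdict(list)
    for net, cookie, query in anon_log:
        profiles[cookie].append((net, query))
    return dict(profiles)


def candidate_hosts(truncated_ip):
    """Size of the set a truncated IPv4 address could have come from."""
    return ipaddress.ip_network(f"{truncated_ip}/24").num_addresses


if __name__ == "__main__":
    for cookie, rows in link_by_cookie(anonymise(RAW_LOG)).items():
        print(cookie, rows)
    print("hosts per truncated address:", candidate_hosts("198.51.100.0"))
```

Under these assumptions the three records that shared a cookie still form one profile after processing, across two different networks, and each truncated address narrows its origin to 256 hosts.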

The scope of the 'Google choice' has become quite large, he added. “We need some innovation that allows us to reject this type of false choice while still maintaining anonymity. We need anonymous access to Google services that is fast and reliable.”

With this in mind, Marlinspike has developed GoogleSharing, a special kind of anonymising proxy service that aims to provide a level of anonymity that will prevent Google from tracking users' searches, movements, and Web sites visited. “GoogleSharing is not a full proxy service designed to anonymise all traffic, but rather something designed exclusively for communication with Google.”

He has also developed Whisper Systems, which he says brings secure protocols to mobile phones. “With this, a phone doesn't need to maintain a constant network connection to a SIP server. Users don't need the equivalent of a Skype ID, as addressing is based on existing phone numbers. Users don't need to run a VoIP server, but can install the app and they're good to go.

“In the past, surveillance was direct, embedded. Today, information naturally accumulates in distinct places with no effort at all, and governments move to those points of accumulation. We need to deal with choices that aren't really choices.”
