Packets Citizen!

It’s been an interesting couple of weeks of developments in the technology freedom space, with the information about PRISIM in the USA coming to light, ASIC over extending it’s interpretation of law and blocking 250,000 websites in AU and the NZ government trying to push through new legalisation giving the shadowy GCSB more power than ever before to intercept citizens web traffic.

Naturally we’re told that such changes are done with the most noble of intentions – we need to protect our citizens from “terrorists” and child molesters after all. It’s a good excuse that gets brought out time and time again (remember internet filtering anyone?) because nobody wants to stand up in parliament and be seen on the side of terrorists or child abusers, making it a fantastic way to get legalisation through without opposition.

Yet these changes won’t stop terrorism or child abuse – people wanting to intentionally communicate without their data being exposed already have systems in place to do so via encryption and anonymization technologies. And the current conventional methods of catching them, such as tracing credit card payments to abuse websites will continue to be an effective tool regardless of what changes the new legalisation allows.

So why change the current legalisation? Because the current legalisation doesn’t make it very easy to catch whistle-blowers and other politically disruptive individuals. Governments want to be able to monitor and identify those whom might be a threat to them, or intercept their communications to discover their fellow dissidents and plans.

It would seem impossible that such legalisation could get pushed through without more opposition… but unfortunately the average member of the population is generally so blasé about these abuses of power – responses ranging from a shrug and a statement about how they always assume that to be the case, or how they have nothing to hide, an approach which is extremely naive, as those who have lived through oppressive governments can tell us.

Sadly it’s difficult to get mainstream buy-in for issues such as this – the Free Software movement has been fighting for decades to get mainstream adoption of ideology of software freedom with only limited success, simply because people tend to overlook that which does not immediately impact them personally in an obvious fashion. The biggest threat to the safety of our communications is our friends and associates themselves who will ignore the risks of government controlled communications until it’s too late and an oppressive government is using it against them.

The other interesting outcome of the recent discoveries about the extent of the data mining and spying is that people have started dividing technology companies into “good and bad” camps, as if they were characters in a story, ignoring the complex nature of reality.

Twitter, Google, Facebook, Microsoft, all of these aren’t evil companies – but nor are they good companies. They operate in a layer of grey, where morals are a balance between legalisation, return on investment and privacy of their users.

The fundamental fact is that a company is a legal entity  bound by the laws of the country it’s in. A “somewhat good” company will question a legal request “Should this government department get 100,000 user emails? Should we say no and request a more targeted warrant for just the appropriate users?” despite the additional financial costs this incurs. A “somewhat bad” company will just follow the legalisation without questioning it.  But both these “good” and “bad” companies are bound by the law.

If the court order comes in, they cannot refuse to process it. And it’s for this simple reason, that you can never trust any company to protect you from a malicious government bent on infringing your freedoms – at some level they will eventually sell out your privacy for the simple reason that they have to by legal order.

I’ve found MEGA a particularly amusing example of this. Having had their original business destroyed by the USA, MEGA is being seen as an underdog to be supported and trusted – helped in part, by it’s owner/founder Kimdotcom taking up the image of a righter and champion of internet freedoms. At the same time, they’ve already been forced to pull content due to it violating NZ law (in this case, hosting 3D printer gun plans could be considered as supplying weapons under NZ law), as well as other materials due to court order showing that they’re no different from any other online hosted content provider.

As much as MEGA wants to be the poster child of freedom, the reality is they’re a yapping dog than can only run around within the confines that the yard of legalisation allows, shouting about freedom and how they’re fighting the man to all those who can hear through the fence.

This probably isn’t a popular opinion, particularly in New Zealand currently where MEGA has gained a mainstream following, probably thanks to NZders strong love for the underdog. And whilst I wish Kimdotcom well in his fight against the US and NZ governments who over reached in investigating and prosecuting the original Mega Upload, I would advise caution to those who consider him a trustworthy individual who will defend our rights and freedom. Like any company, MEGA is there to make money – and if it comes down to enforcing a legal order vs being shut down, they’re always going to go down the legal enforcement route.

So with this pessimism out the way, what options are left for citizens who just want to be able to communicate with each other without being intercepted? Which companies can we trust? What technologies are suitable?

The answer is simply that no company can be trusted to keep your data as secure as you may want – the only true guarantee of security is the use of the right technologies, particularly the use of client-to-client encryption technologies such as PGP/OpenGPG (for email) and OTR (for instance messaging) and for users to put in effort to consider what systems they are using and whether the level of access to them could expose them more than they would like to be.

You may decide the risk of the US reading your family secret cake recipe in Dropbox to be low risk, but you might not want to store all the documents you’re assembling for a whistleblowing case in there. Different types of information require different treatments and considerations, depending on the circumstance.

These security technologies and how to manage the risk of interception is a big topic – I’m going to make an effort to spend the next week writing a series of blog posts about the weaknesses of some common technologies and the approaches that one can take to secure your communications, your computers and more.

The approach that works for me may not work for you – security is a game of balancing risk whilst maintaining usability – an unplugged email server is never going to get hacked, but neither is it ever going to get any emails – and the level of risk and usability are subjective to you the user.

But regardless of what level of privacy you decide is appropriate, the important thing is that you take the time to consider the risks and implications of the decisions you are making and how they can impact your freedom in the future.