When Bruce Schneier left the employ of BT, he finally got off the pot. His natural inclinations can now be seen. He still hasn’t criticised BT despite it being obvious that BT is no more innocent than any of the big American telecoms companies — but he told me (by email) at the time that he tried to avoid getting involved in foreign politics.
He hasn’t been 100% consistent in this. When Swedish journalists discovered Swedish involvement in the MITM NSA/GCHQ hacking program known as Quantum, he said, “Both Quantum and FoxAcid are NSA/GCHQ programs to attack computer users. The fact that Sweden is involved in these programs means that Sweden is involved in active attacks against internet users. It is not just passive monitoring. This is an active attack.”
One day we may yet hear what he knows about BT’s cooperation with GCHQ (Tempora et al).
In the meantime, he is now no longer backward in commenting on surveillance in general and the NSA in particular. An article in The Atlantic last week warns us not to listen uncritically to the protestations of either the NSA or the tech giants that now appear to be up in arms against this NSA hacking and surveillance.
The tech giants (Google, Facebook, Yahoo, Microsoft etcetera) all claim to be doing what they can to prevent further snooping. But they are not doing the one thing that would work — they are not encrypting user data on servers in a way that would be impossible for governments to demand the keys. And the reason they are not doing this is simply because the vendors and the governments both want the same thing — to be able to read our data.
The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.”
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong
The reality is that for so long as the vendors want access to our data, the governments will be able to demand it. Neither of that is changing; although both sides are trying to pretend it is.
This coming week the European Justice and Home Affairs Council (ie, national ministers from the individual national governments) will meet in Brussels. There are several items on the agenda.
Top of the list in a memo released by Viviane Redding is reform of the data protection laws. She says,
I am confident we will be able to build on the momentum injected into the negotiations by the Greek Presidency at the last informal Council meeting in January. Seeing the latest progress, I will continue working with Ministers for an adoption of the data protection reform before the end of this year.
Bottom of the list in a ministerial statement from Theresa May is reform of the data protection laws. She says,
There will be a state of play/orientation debate on the Proposal for a General data Protection Regulation. The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved. The proposal remains burdensome on both public and private sector organisations and the Government would not want to see inflexible rules on transfers outside the European Economic Area which do not reflect the realities of the modern, interconnected world.
And yes, they really are talking about the same thing. Most of Europe has already agreed the data protection reform proposals; but the UK doesn’t like it and won’t play.
The problem is, providing more protection for our personal information is difficult for the UK. It would upset the three most powerful organizations in the country: GCHQ, Google and Facebook. GCHQ would have its ability to collect our private messages, photos, home videos and internet browsing habits severely curtailed — and of course nobody would want to see that.
Google and Facebook would no longer be able to ship our personal information to servers outside of the UK; that is, the US, from where the NSA/FBI could demand access while declining to allow us to be told (assuming they need to since GCHQ will probably have already intercepted the data via its taps on the fibre cables that run between the two continents and simply handed it en masse to the NSA for storage and safe keeping).
Since these negative arguments would not prove popular to the British public, they are being hidden in spurious and frankly false claims that data protection will cost business. Yes there will be some cost in protecting our data (not nearly as much as the government would like us to believe); but that will be more than compensated by the lower cost of doing business with dozens of different data protection regimes. The net effect of reforming data protection will be greater data protection at a lower overall cost.
But Theresa May doesn’t want us to understand that. She and David Cameron would like us to believe that they are protecting us when they are really just protecting vested interests and actually selling us down the river. They are willing to trade our privacy to keep GCHQ and big American business happy.
The American tech giants – Facebook in this instance – still don’t get it over the NSA spying programmes
The following is a transcription of a brief interview given by Mark Zuckerberg. The original can be found on TechCrunch here.
I’ve tidied it up a bit – removed the ‘ums’ and ‘rights’ and ‘you knows’ – just to make it more legible. I struggled over that because they clearly demonstrate where Zuckerberg is comfortable and where he is not comfortable with what he says; but I went ahead because what he says rather than his level of comfort is important to me. Anyway, here’s what is left:
We take our role really seriously. I think its my job and our job to protect everyone who uses Facebook and all the information that they share with us. It’s our government’s job to protect all of us and also to protect our freedoms and protect the economy, and companies; and I think they did a bad job of balancing those things. So frankly I think that the government blew it. I think that they blew it on communicating what they [were doing]; basically the balance of what they were going for.
The morning after the start of [the scandal] breaking, people asked [the government] what they thought; and the government’s comment was, “Oh don’t worry, basically we’re not spying on any Americans.”
Right. Wonderful. That’s really helpful to companies who are trying to serve people around the world, and [it's] really gonna inspire confidence in American internet companies. Thanks for going out there and being really clear about what you’re doing. I think that was really bad.
We’ve being pushing just to get more transparency on this, and I actually think we’ve made a big difference. The big question that you get from all the coverage is, what’s the volume of the total number of requests going on? Is it closer to a thousand requests that the government is making of us, or is it closer to 100 million? I mean, from the coverage and from what the government has said you would not know the difference. But we worked really hard with the government, behind the scenes, to get to the point where we could release the aggregate number of requests. It was around 9000 in the last half year.
Does that number tell us everything we want? No. And that’s why when the conversations get to the point where we weren’t going to make further progress, we decided to sue them so that we could reveal, is it 1000 or 2000 or 3000 or 4000 or 8000 of the 9000 requests. But the reality is, because of the transparency that we pushed for, now people can know and deserve to know that the number of requests that the government is making is closer to 1000 (it’s 9000 or less in the last six months), and definitely not, you know, 10 million or 100 million…
Really, Mark? Do you think that knowing the NSA made just over 1000 requests for your customers’ details rather than 9000 makes it all right – and that they can carry on, without judicial oversight, as they are? It’s the fact, not the volume, of NSA spying that is wrong, just plain wrong. Until the American tech giants stop hiding behind their really quite meaningless ‘transparency’ demands and empty successes over the NSA, then anger – and especially non-American anger – will remain at a high level.
Oh; and did I mention the word ‘hypocrite’? Facebook suggesting that the NSA isn’t taking sufficient care over users’ privacy? Really?
The Electronic Frontier Foundation has a fascinating graphic on which companies are doing what things to protect their customers’ – our – data in the post Prism/Snowden era.
What really leaps out is that the companies is that provide consumer cloud services are on our side (Dropbox, Facebook, Google and Twitter); telecommunication companies are on their side (AT&T, Comcast, Verizon); and the main OS providers (Microsoft and Apple) aren’t really sure which side their bread is buttered.
Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.
Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself with new and expanded permissions secretly (silent updates); that is, without telling the user what was happening, or what new permissions were being enacted.
But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.
Sarah A. Downey, a lawyer and privacy strategist with Abine, did a simple blog: eighteen words and a graphic compilation of three screenshots:
Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”
Says it all really. If Google hadn’t insisted on updates via Play, you might never know about it this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.
So, two lessons: get your apps from Play; and dump Facebook anyway.