Peter A Clarke

The ongoing revelations about the extent of official snooping by the US National Security Agency as well as security organs of other states has had a deep impact on the cyberspace community.  Not just the civil liberties issues, signficant thought they are.  There are more prosaic concerns which are much more significant for industry players.  The bottom line.  Users expect their ISPs, search engines and other service providers to have adequate security and proper encryption.  The expectation of private communications is an intrinsic part of many operators business model.

The New York Times reports in Internet Firms Step Up Efforts to Stop Spying that these revelations have prompted a major security upgrade in the industry.  Now private businesses are competing with the NSA to protect their integrity.

The article provides:

SAN FRANCISCO — When Marissa Mayer, Yahoo’s chief executive, recently announced the company’s biggest security overhaul in more than a decade, she did not exactly receive a standing ovation.

Ordinary users asked Ms. Mayer why Yahoo was not doing more. Privacy activists were more blunt. “Even after today’s announcement, Yahoo still lags far behind Google on web security,” said Christopher Soghoian, a technology analyst at the American Civil Liberties Union.

For big Internet outfits, it is no longer enough to have a fast-loading smartphone app or cool messaging service. In the era of Edward J. Snowden and his revelations of mass government surveillance, companies are competing to show users how well their data is protected from prying eyes, with billions of dollars in revenue hanging in the balance.

On Thursday, Microsoft will be the latest technology company to announce plans to shield its services from outside surveillance. It is in the process of adding state-of-the-art encryption features to various consumer services and internally at its data centers.

The announcement follows similar efforts by Google, Mozilla, Twitter, Facebook and Yahoo in what has effectively become a digital arms race with the National Security Agency as the companies react to what some have called the “Snowden Effect.”

While security has long simmered as a concern for users, many companies were reluctant to employ modern protections, worried that upgrades would slow down connections and add complexity to their networks.

But the issue boiled over six months ago, when documents leaked by Mr. Snowden described efforts by the N.S.A. and its intelligence partners to spy on millions of Internet users. More than half of Americans surveyed say N.S.A. surveillance has intruded on their personal privacy rights, according to a Washington Post-ABC News poll conducted in November.

The revelations also shook Internet companies, which have been trying to reassure customers that they are doing what they can to protect their data from spying. They have long complied with legal orders to hand over information, but were alarmed by more recent news that the N.S.A. was also accessing their data without their knowledge.

“We want to ensure that governments use legal process rather than technological brute force to obtain customer data — it’s as simple as that,” said Bradford L. Smith, Microsoft’s general counsel, in an interview.

Mr. Smith said his company would also open “transparency centers” where foreign governments can inspect the company’s code in an effort to assure them that it does not plant back doors for spy agencies in its products.

Already, the Snowden revelations threaten to erode the market share of American technology companies abroad.

In India, government officials are now barred from using email services that have servers located in the United States. In Brazil, lawmakers are pushing for laws that would force foreign companies to spend billions redesigning their systems — and possibly the entire Internet — to keep Brazilian data from leaving the country.

Forrester Research projected the fallout could cost the so-called cloud computing industry as much as $180 billion — a quarter of its revenue — by 2016.

“The world is quickly being divided into companies that are secure and companies that are not,” said Bhaskar Chakravorti, a dean of international business and finance at the Fletcher School at Tufts University.

One by one, technology companies have been scrambling to plug security holes.

The best defense, security experts say, is using Transport Layer Security, a type of encryption familiar to many through the “https” and padlock symbol at the beginning of Web addresses that use the technology. It uses a long sequence of numbers — a master key — that scrambles sensitive data like passwords, credit card details, intellectual property and personal information between a user and a website while in transit.

Banks and other financial sites have used such security for years, and Google and Twitter along with Microsoft’s email service made it standard long ago. Facebook adopted https systemwide this year. And Ms. Mayer said Yahoo would finally allow consumers to encrypt all their Yahoo data in January.

But as many sites move to https, security experts say more advanced security measures are needed. If a government can crack the master key — or obtain it through court orders — it could go back and decrypt past communications for millions of users.

That’s why companies like Google, Mozilla, Facebook and Twitter have added another layer of protection, called Perfect Forward Secrecy. That technology adds a second lock to each user’s transmissions, with the key changed frequently. Microsoft plans to add the encryption method next year, but Yahoo has not said whether it will add it.

“Perfect Forward Secrecy is a billion different secrets, and it’s not protected by one central secret,” said Scott Renfro, a Facebook software engineer who works on the company’s security infrastructure.

So even if an outsider obtained the master key, it would still have to crack the other keys, over and over again.

“This type of protection should have been engineered into all web systems and all Internet systems to begin with,” said Jacob Hoffman-Andrews, an engineer at Twitter.

The technology has existed for two decades, but companies were slow to adopt it because it added complexity and introduced a delay to Internet transactions, which can encourage impatient users to flee for faster sites. But many of those issues were resolved by Google when it applied Perfect Forward Secrecy in 2011, said Adam Langley, a software engineer at the company. Google shared its improvements with the broader tech community.

Still, technical solutions can be trumped by law. While https and Perfect Forward Secrecy protect the data transmission, law enforcement agencies can still compel companies to hand the data over from their servers, where it is stored.

So Internet companies are trying to ensure they are at least blocking unauthorized access by addressing other security issues, including a hole that leaves users vulnerable at the very beginning of a site visit. When users want to log into, say, Google’s Gmail, their Internet browser checks the site’s security certificate to make sure it’s not an impostor.

Some security experts believe that hackers are nearly capable of cracking the 1024-bit encryption keys that protect the certificates. But an industry standards group is requiring that, starting next year, all new and renewed certificate keys use 2048-bit encryption, which is far more difficult to break.

Ultimately, however, every security advance is met by new threats. “Attacks don’t get worse,” Mr. Langley said. “They only get better.”

Aol, Facebook (not one of the greatest respectors of privacy), Google (another frequent flyer in privacy interfering conduct), Linked In, Microsoft, Twitter and Yahoo have written a joint letter calling for reform of the current laws and practices of surveillance.  It is found here.

It provides:

The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.

While the undersigned companies understand that governments need to take action to protect their citizens’ safety and security, we strongly believe that current laws and practices need to be reformed.

Consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight, we hereby call on governments to endorse the following principles and enact reforms that would put these principles into action.

The Principles

1. Limiting Governments’ Authority to Collect Users’ Information
   
   Governments should codify sensible limitations on their ability to compel service providers to disclose user data that balance their need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the Internet. In addition, governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications.

 

 

 

• Oversight and Accountability
  
  Intelligence agencies seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.
• Transparency About Government Demands
  
  Transparency is essential to a debate over governments’ surveillance powers and the scope of programs that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly disclose this data publicly.
• Respecting the Free Flow of Information
  
  The ability of data to flow or be accessed across borders is essential to a robust 21^st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally.
• Avoiding Conflicts Among Governments
  
  In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty — or “MLAT” — processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.

 

Voices For Reform

“AOL is committed to preserving the privacy of our customers’ information, while respecting the right of governments to request information on specific users for lawful purposes. AOL is proud to unite with other leading Internet companies to advocate on behalf of our consumers.” —Tim Armstrong, Chairman and CEO, AOL

“Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information. The US government should take this opportunity to lead this reform effort and make things right.” —Mark Zuckerberg, CEO, Facebook

“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information. This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world. It’s time for reform and we urge the US government to lead the way.” —Larry Page, CEO, Google

“These principles embody LinkedIn’s fundamental commitment to transparency and ensuring appropriate government practices that are respectful of our members’ expectations.” —Erika Rottenberg, General Counsel, LinkedIn

“People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.” —Brad Smith, General Counsel and Executive Vice President, Legal and Corporate Affairs, Microsoft

“Twitter is committed to defending and protecting the voice of our users. Unchecked, undisclosed government surveillance inhibits the free flow of information and restricts their voice. The principles we advance today would reform the current system to appropriately balance the needs of security and privacy while safeguarding the essential human right of free expression.” —Dick Costolo, CEO, Twitter

“Protecting the privacy of our users is incredibly important to Yahoo. Recent revelations about government surveillance activities have shaken the trust of our users, and it is time for the United States government to act to restore the confidence of citizens around the world. Today we join our colleagues in the tech industry calling on the United States Congress to change surveillance laws in order to ensure transparency and accountability for government actions.” —Marissa Mayer, CEO, Yahoo

 

 

 

 

An open letter to Washington

Dear Mr. President and Members of Congress,

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope.

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight. To see the full set of principles we support, visit ReformGovernmentSurveillance.com

Sincerely,

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo

Insecure networks is harmful from a privacy law perspective.  It is bad for business.  It is disastrous for those earn a living from the use of the internet for any number of uses which provide the core business of Apple, Linked in et al.

Just to show the issue is rousing the real heavy hitters The SMH (Entertainment section) reports in Edward Snowden inspires Miles Franklin authors to join global spying petition that some of our literary luminaries have decided to take the gargantuan step of singing a petition against Mass Surveillance. That’ll learn the authorities! None of them have been agitating to further strengthen the Privacy Act, broadening its operation and removing many of the exemptions.  None of them have put in submissions in the recent ALRC inquiry into whether to recommend a statutory right to privacy.  Their signatures will, I am sure, have the same effect as the Israelites trumpets against Jericho. The walls will come tumbling down and governments around the world will see the errors of their wretched ways and change the law.  Of course not.  Change can take place, after a lot of hard work.

The article provides:

It is the stuff of books and now it has become very real, with Australian authors Anna Funder, Frank Moorhouse and David Malouf joining the fight to demand an end to mass surveillance.

Petitions have their place. But on their own they are just so much paper.