In this age of dragnet surveillance and rampant privacy invasions,
when lawmakers seem disinclined to make the right decisions to protect
our data and secure the integrity of the internet, the responsibility
falls on the technology community to step in and do the right thing to
secure our future. Just ask Edward Snowden.
The NSA whistleblower appeared at TED today via a telepresence robot
and issued a call to arms when he said, “To people who have seen and
enjoyed the free and open internet, it’s up to us to preserve that
liberty for the next generation to enjoy.”
That echoed comments Snowden made over a video stream during SXSW
in Austin, Texas, when he said, “[T]he people who are in the room at
Austin right now, they’re the folks who can really fix things, who can
enforce our rights for technical standards even when Congress hasn’t yet
gotten to the point of creating legislation that protects our rights in
the same manner. There’s a policy response that needs to occur, but
there’s also a technical response that needs to occur. And it’s the
makers, the thinkers, the developing community that can really craft
those solutions to make sure we’re safe.”
With that in mind, WIRED consulted with experts to compile this list
of 10 measures tech companies should adopt to protect customer data,
whether it resides on a distant corporate server or is making its way
across the Internet. The Electronic Frontier Foundation has a running scorecard tracking which companies are already employing some of these items on our wish list.
1) End-to-end encryption. This is the most important
technological change, and the one that Snowden emphasized in his talk.
End-to-end encryption would protect data through its entire journey
from sender to recipient. Google and other services currently only
encrypt data as it makes its way from a user to the service, where
it is decrypted. That leaves data exposed to collection from the
service provider’s servers, or from internal data links where it
might travel unencrypted.
“End-to-end encryption … makes mass surveillance impossible at the
network level,” Snowden said, and provides a more constitutionally
protected model of surveillance, because it forces the government to
target endpoints to get data — by hacking individual users — rather than
conducting mass collection against people who are not the target of an
investigation.
End-to-end crypto would frustrate agencies like the NSA and GCHQ,
which have direct taps on fiber-optic lines. But they aren’t the only
spies with the capability to sniff raw internet traffic. End-to-end
encryption would also impede any other government that has the
wherewithal to install surveillance equipment on network tributaries.
And it would blunt the power of governments to compel companies like
Google, which have offices within their borders, to hand over data
belonging to activists and others who may be at risk of losing their
lives if the government obtains their communications: a provider that
holds only ciphertext can hand over nothing readable. (Metadata, such
as who talked to whom and when, is not protected by end-to-end
encryption alone.)
This reform would come at a considerable cost. It would require
companies to re-engineer and re-architect their services, since
algorithms for encrypting communication would need to move from the
company’s cloud to the user’s phone or computer. That means developing
new versions of email and messaging services.
“For that reason we’re going to need to put a lot of pressure on
Google, Facebook, and Apple to get them to re-engineer their systems to
offer this level of security, or we will see upstart new tech companies
offering these things that are built-in from day one with these security
features,” says Peter Eckersley, technology projects director for EFF.
2) Bake user-friendly encryption into products from the get-go.
Currently, the only option available is for users to take it upon
themselves to add end-to-end encryption to their communications.
PGP (Pretty Good Privacy), GPG, or Off-the-Record messaging all allow
users to encrypt email and instant-messaging communications. But they
can be difficult to install and use, and they only work if the person
with whom you’re communicating also has them installed. If you’re
offering a communications service or product today, you should already
have user-friendly encryption baked in, and it should be one of the
features users demand.
A handful of companies, like Silent Circle, are already producing
communication systems and services that purport to encrypt email,
instant messaging, text messaging, VoIP or video chat. But consumers
have no way of knowing if a service is truly secure and robust. To that
end, EFF is hosting a workshop in July at the Symposium on Usable
Privacy and Security conference to develop metrics for judging, testing
and awarding a prize for the best end-to-end encryption products.
“There should be an objective way to measure this,” Eckersley says.
“If we give [a product or service] to a sample of activists and
journalists and other at-risk communities to try, do 80 percent succeed
in using the software after just a couple of minutes? Do 60 percent
survive a modeled attack against the software? It’s one thing to use it
and another thing altogether to actually be safe when someone sends you
fake messages or tries to impersonate the person you’re talking with.”
3) Make all web sites SSL/TLS. Following revelations from the Snowden documents, Yahoo announced that it would enable encryption by default for anyone logging into its web-based email service.
But that’s a move that should have happened long ago, without the
Snowden revelations to spur it. There’s no excuse for other web sites,
particularly ones handling sensitive communication with customers,
not to use TLS.
4) Enable HTTP Strict Transport Security. Otherwise
known as HSTS, this is a mechanism whereby a site like Facebook.com or
Google.com sends your browser, over an HTTPS connection, a
Strict-Transport-Security response header telling it to use HTTPS only
for that domain for a stated period (the header’s max-age). From then
on, if the user types a plain http:// address or follows a plain link,
the browser rewrites it to https:// itself before any request leaves
the machine. A spy agency or other intruder who tries to downgrade the
user’s connection to Facebook to an unsecured one, so the communication
can be monitored, never sees a plaintext request to hijack.
This also prevents fellow users on unsecured Wi-Fi networks, say at
Starbucks, from seeing your communication if you forget to initiate a
secure connection with the site on your own. And HSTS makes certificate
errors fatal for that domain: if an attacker tries to get your browser
to connect to a fake Facebook page with a bad certificate, the browser
produces an error instead of a click-through warning and refuses to
connect. The one gap is the very first visit, before the browser has
seen the header; browsers close it by shipping a preload list of
domains that are treated as HSTS from the start.
In order for HSTS to work, however, websites need to provide secure
versions of their pages, and browsers need to support HSTS. Chrome,
Firefox, Safari and Opera all support HSTS in their latest versions.
Microsoft recently told EFF that it plans to begin supporting HSTS for
web servers handling email, personal or business documents, and media,
messaging, contacts, and credentials. But its own browser, Internet
Explorer, currently does not support HSTS.
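What a browser actually does with that header is small enough to show in full. The following is an added example, not code from the article or from any browser; the class and function names are assumed, and the behaviour follows RFC 6797: the header is honoured only when received over HTTPS, a policy lasts max-age seconds, includeSubDomains extends it to child hosts, max-age=0 withdraws it, and a preloaded host is trusted before any header has been seen.

```python
"""Added example: a browser-side HSTS policy store (assumed names, follows RFC 6797)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """'max-age=31536000; includeSubDomains; preload' -> {'max-age': '31536000', ...}"""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


class HstsStore:
    def __init__(self, preload=(), now=time.time):
        self.now = now
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe_header(self, host, header_value, over_https):
        """Called when a response carries Strict-Transport-Security. Returns True if stored."""
        if not over_https:
            return False  # a header seen over plain HTTP could have been injected by a MITM
        d = parse_hsts(header_value)
        if "max-age" not in d or not d["max-age"].isdigit():
            return False
        max_age = int(d["max-age"])
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # the site is withdrawing its policy
            return True
        self.entries[host] = (self.now() + max_age, "includesubdomains" in d)
        return True

    def is_known(self, host):
        """Exact host, or any parent domain whose unexpired policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires < self.now():
                continue  # policy lapsed; the site must send the header again
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """The pre-request upgrade: http:// becomes https:// before anything hits the wire."""
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known(p.hostname):
            return url
        netloc = p.hostname + (f":{p.port}" if p.port not in (None, 80) else "")
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

    def cert_error_policy(self, host):
        """Known hosts get a hard failure; others may show a click-through warning."""
        return "fatal" if self.is_known(host) else "overridable"
```

The order of checks in `observe_header` is the security-relevant part: a policy is only ever learned over an authenticated connection, so an attacker on the path cannot plant or extend one, while `max-age=0` over HTTPS gives the legitimate site a way to roll back.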
5) Encrypt data-center links. Google and other companies were shocked when documents leaked by Snowden to the Washington Post
revealed that the NSA and Britain’s GCHQ had secretly tapped the
fiber-optic links between their data centers. Google was already
encrypting communications between its servers and its users’ computers,
but had been slow in rolling out internal encryption between the data
centers where customer data is stored — a vulnerability the NSA was more than happy to exploit.
Since the story broke last October, Google has sped up its data
center encryption program, and other companies like Microsoft and Yahoo
are in the process of encrypting their data center links as well. But
this should be standard procedure for all companies that want to protect
not only customer data, but their own data as well.
6) Use perfect forward secrecy. It’s great to employ
encryption for communication with customers, but if you’re a target as
big as a major tech company and you employ it in the wrong way, then an
intelligence agency that somehow obtains your long-term private key can
use it to decrypt not only future traffic, but all past encrypted
traffic it may have collected as well. That is what a plain RSA key
exchange gives you: every session key is encrypted under the server’s
long-term key, so whoever gets that key, whenever they get it, can
unwrap every recorded session.
Perfect forward secrecy,
however, uses an ephemeral key exchange (ephemeral Diffie-Hellman):
both sides generate fresh, throwaway key pairs for each session and
discard them afterward, and the server’s long-term key is used only to
sign its ephemeral share and prove who it is. Even if an intelligence
agency or someone else later obtains the long-term key, nothing it
recorded contains the ephemeral secrets, so it cannot derive the
session keys to decrypt your past communication. The guarantee holds
only if the ephemeral values really are thrown away: a server that
reuses them across connections, or that wraps session state in tickets
encrypted under a long-lived key, has reintroduced the same problem.
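The difference is easiest to see by recording a handshake, then handing the attacker the server’s long-term key afterward. The following is an added example, not code from the article: it uses a deterministic toy 128-bit finite-field group so it runs instantly (a real deployment would use an RFC 7919 group or X25519), and an HMAC stands in for the server’s signature so the example needs only the standard library. All function names are assumed.

```python
"""Added example: static DH (no forward secrecy) versus ephemeral DH with a signed share."""
import hashlib
import hmac
import random
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; good enough to pick a toy safe prime."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_toy_group(bits=128, seed=7):
    """Deterministic p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, 4


P, G = make_toy_group()  # toy parameters, not for production use
NBYTES = (P.bit_length() + 7) // 8


def kdf(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(NBYTES, "big")).digest()


def _rand_exponent():
    return secrets.randbelow(P - 3) + 2


# Mode 1: static DH. The server's long-term key IS the key-agreement key, so a
# recorded transcript plus a later key theft yields the session key.
def static_dh_handshake(server_static_priv):
    server_pub = pow(G, server_static_priv, P)  # published, e.g. in the certificate
    x = _rand_exponent()                         # client's per-session exponent
    session_key = kdf(pow(server_pub, x, P))
    transcript = {"client_pub": pow(G, x, P)}    # everything a passive tap records
    return session_key, transcript


def recover_static_session(transcript, stolen_static_priv):
    """The attacker simply repeats the server's own computation with the stolen key."""
    return kdf(pow(transcript["client_pub"], stolen_static_priv, P))


# Mode 2: ephemeral DH; the long-term key only authenticates the server's share.
def sign_share(signing_key, share):
    """HMAC stands in for a digital signature over the ephemeral public value."""
    return hmac.new(signing_key, share.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def verify_share(signing_key, share, sig):
    return hmac.compare_digest(sign_share(signing_key, share), sig)


def ephemeral_dh_handshake(server_signing_key):
    x, y = _rand_exponent(), _rand_exponent()    # fresh for this connection only
    client_pub, server_pub = pow(G, x, P), pow(G, y, P)
    sig = sign_share(server_signing_key, server_pub)
    if not verify_share(server_signing_key, server_pub, sig):
        raise ValueError("server share failed authentication")
    session_key = kdf(pow(server_pub, x, P))
    assert session_key == kdf(pow(client_pub, y, P))  # both sides agree on g^(xy)
    del x, y                                     # exponents are never stored or sent
    transcript = {"client_pub": client_pub, "server_pub": server_pub, "sig": sig}
    return session_key, transcript


def what_stolen_signing_key_gives(transcript, stolen_signing_key):
    """Past traffic: no exponent in the transcript, so g^(xy) is out of reach.
    Future traffic: the thief can sign a share of their own and impersonate the server."""
    forged_share = pow(G, _rand_exponent(), P)
    forged_sig = sign_share(stolen_signing_key, forged_share)
    return {
        "can_verify_old_transcript": verify_share(stolen_signing_key, transcript["server_pub"], transcript["sig"]),
        "can_forge_future_share": verify_share(stolen_signing_key, forged_share, forged_sig),
        "recoverable_secret_in_transcript": None,
    }
```

The second mode is exactly the trade Snowden describes: a stolen long-term key still lets an agency attack future connections actively, one endpoint at a time, but it turns the passively collected archive into noise.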
7) Secure software downloads. We already know that governments have hijacked software update services
to install spyware on targeted systems. One way to thwart this would be
to authenticate and encrypt download channels and to provide a means for
users to verify that the download they are getting is legitimate: sign
the artifacts themselves with a key users can check, rather than relying
on the transport alone, so that a compromised mirror or update server can
neither substitute its own binary nor serve an old, vulnerable version.
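The client-side check, as an added example rather than the article’s or any vendor’s code: the vendor publishes a small manifest (version, size, SHA-256 of the artifact) and authenticates the manifest itself. An HMAC under a shared key stands in here for a real signature such as Ed25519 so the example runs on the standard library alone; the artifact and manifest in the test are constructed, and all names are assumed.

```python
"""Added example: verifying a software download against an authenticated manifest."""
import hashlib
import hmac
import json


class DownloadRejected(Exception):
    pass


def _manifest_body(manifest):
    # canonical bytes the vendor authenticates; fields outside this set are ignored
    return json.dumps({k: manifest[k] for k in ("version", "size", "sha256")},
                      sort_keys=True).encode()


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def make_manifest(blob, version, vendor_key):
    """Vendor side: describe the artifact and authenticate the description."""
    manifest = {"version": version, "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest()}
    manifest["mac"] = hmac.new(vendor_key, _manifest_body(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_download(blob, manifest, installed_version, vendor_key):
    """Client side. Returns the version to install, or raises DownloadRejected.

    Order matters: authenticate the manifest before trusting any field in it,
    refuse downgrades before spending time hashing, then check the bytes.
    """
    expected_mac = hmac.new(vendor_key, _manifest_body(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        raise DownloadRejected("manifest failed authentication")
    # A hijacked update channel can just as easily serve an old, exploitable release.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise DownloadRejected("refusing rollback to %s" % manifest["version"])
    if len(blob) != manifest["size"]:
        raise DownloadRejected("size mismatch")
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        raise DownloadRejected("digest mismatch: artifact altered in transit or on the mirror")
    return manifest["version"]
```

Note that TLS on the download channel protects only the hop to whichever server you reached; the manifest check is what ties the bytes to the vendor even when that server is the thing that was compromised.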
8) Reduce storage/logging time. To reduce the amount of data governments can obtain, companies should minimize the data they collect from users
to only information needed to provide them with the company’s services.
They should also develop reasonable data retention policies that limit
the length of time data and activity logs are stored, thereby reducing
the chance for governments to get it.
9) Replace Flash with HTML5. Flash, one of the most
ubiquitous methods for serving dynamic content to web visitors, is rife
with security vulnerabilities and is one of the primary ways attackers
exploit systems to hack them. Eckersley calls Flash a “ghastly and
broken contraption that should never be attached to the web.” Although
HTML5 is not perfect and likely has elements that will need work to make
them more secure, “at least they’re open tech, and the web community
will do that work,” he says.
10) Fund a global account to support community audits of open source code. With news that the NSA has attempted to undermine encryption algorithms and place backdoors in systems and software, a plan emerged to fund a crowdsourced audit of the TrueCrypt open source encryption software to ensure that users can trust it. More than 1,400 donors from more than 90 countries chipped in about $60,000 and another 32.6 bitcoins (more than $20,000 at Monday’s exchange rate)
to fund the auditing work, which began in January. But a general
account, managed by a nonprofit, to fund additional projects would help
combat the NSA’s ability to undermine trusted systems.
In addition to these 10 solutions, we’d add one more, which isn’t a
technological solution but is no less crucial — fight unreasonable data
requests from the government. Sure, taking on the government can be
intimidating and expensive. The laws covering data requests are also
confusing and often come with a gag order, leading the executives at
some companies to believe they have no alternative but to comply. But
you don’t have to do it alone. The EFF or ACLU can help you determine
what’s an unreasonable request and mount a legal fight against it.
After one unknown telecom took the rare and courageous step of
fighting a national security letter it received, a U.S. District Court
in California found that such letters are unconstitutional
and ordered the government to stop issuing them. The ruling has been
stayed, pending an appeals court ruling, but the case has raised public
awareness of national security letters and also emboldened no less a
powerhouse than Google to fight several letters it received.