This article can also be found in the Premium Editorial Download "Information Security magazine: How automated compliance solutions can help you plan for your next audit."
Download it now to read this article plus other related content.
Point: Marcus Ranum
In a recent court decision, a Canadian judge ruled that Internet users have no reasonable expectation of privacy with regard to warrantless collection of subscriber/IP address information from a suspected child pornographer's ISP. Couple that with the Bush administration's cheerful bypassing of warrants for wiretaps against U.S. citizens, and those are just two of the more public instances we've heard of where privacy has been trampled. (There's no need to mention the many governments that don't hesitate for a second to collect whatever information they can regarding their citizens' activities.)
Does this mean that the notion of online privacy is in jeopardy?
From the beginning, online privacy was probably more of a goal than a reality -- a goal that was near and dear to a few technologically sophisticated users: the
What we've seen is that governments are consistently willing to ignore their own wiretapping rules -- so much so, in fact, that a cynic might say that the rules exist only to encourage a false sense of confidence in the targets. It makes you wonder, doesn't it?
The big surprise, to me, is that anyone falls for it.
If you're even moderately technologically sophisticated, you can achieve a fair amount of online privacy with very simple techniques. You don't have to sit back and wish that government and business would suddenly decide to always play nice and respect your agenda. If you're a member of the tinfoil hat brigade, you can achieve an amazing amount of online privacy, with some difficulty. There are plenty of open source and freeware tools for hard drive encryption, tunneling data within data, steganography, and -- of course -- more operating systems than you can be bothered to keep track of. I'm pretty sure that, if I joined the tinfoil hat brigade, I'd be able to quickly assemble a communications system that was so secure it'd be practically unusable.
Here's a guy for whom online privacy is an issue: I was hanging out at a photographer's studio and he arranged a small illicit purchase using text messaging on his cell phone. When I found this out, I was speechless -- I'd never seen anything so dumb in years. But he laughed at my paranoia and said "Of course I didn't refer to it by name! I just asked my friend for a 'package.' " I pointed out that if his friend was ever busted, the police only had to pull the friend's phone call records, and suddenly he wasn't laughing. At a certain point, you've got to just shake your head and chalk it up to evolution in action. People who are using public data networks to do naughty, terroristic, or counter-revolutionary things have simply got to protect themselves. To a government or business, privacy looks indistinguishable from sedition or crime.
Privacy has always been something special, enjoyed by those who are wealthy and powerful enough to afford guards, walls and lawmakers. It speaks well of techno-geek society that we tried--and tried hard--to democratize the data networks and protect their users, but the end-game was inevitable. From one side, you're either a member of the tinfoil hat brigade or an activist Cypherpunk. Seen from the other side, you're a pre-selected terrorism suspect or a blob of marketing data waiting to be analyzed and sold.
Which are you?
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his website at www.ranum.com.
Counterpoint: Bruce Schneier
If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail. Well, you and your ISP. And the sender's ISP. And any backbone provider who happens to route that mail from the sender to you. And, if you read your personal mail from work, your company. And, if they have taps at the correct points, the NSA and any other sufficiently well-funded government intelligence organization--domestic and international.
You could encrypt your mail, of course, but few of us do that. Most of us now use webmail.
The general problem is that, for the most part, your online data is not under your control.
Cloud computing and software as a service exacerbate this problem even more. Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you're relying on that company to keep your data private. If you use Google Docs, you're relying on Google. This is why the Electronic Privacy Information Center recently filed a complaint with the Federal Trade Commission: many of us are relying on Google's security, but we don't know what it is.
This is new. Twenty years ago, if someone wanted to look through your correspondence, he had to break into your house. Now, he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your office; now it's on a computer owned by a telephone company. Your financial accounts are on remote websites protected only by passwords; your credit history is collected, stored, and sold by companies you don't even know exist.
And more data is being generated. Lists of books you buy, as well as the books you look at, are stored in the computers of online booksellers. Your affinity card tells your supermarket what foods you like. What were cash transactions are now credit card transactions. What used to be an anonymous coin tossed into a toll both is now an EZ Pass record of which highway you were on, and when. What used to be a face-to-face chat is now an e-mail, IM, or SMS conversation--or maybe a conversation inside Facebook.
Remember when Facebook recently changed its terms of service to take further control over your data? They can do that whenever they want, you know.
We have no choice but to trust these companies with our security and privacy, even though they have little incentive to protect them. Neither ChoicePoint, Lexis Nexis, Bank of America, nor T-Mobile bears the costs of privacy violations or any resultant identity theft.
This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. If the police want to read the e-mail on your computer, they need a warrant; but they don't need one to read it from the backup tapes at your ISP.
This isn't a technological problem; it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant--even though it occurred at the phone company switching office and not in the target's home or office--the Supreme Court must recognize that reading personal e-mail at an ISP is no different.
Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit his website at www.schneier.com.
This was first published in May 2009