This article can also be found in the Premium Editorial Download "Information Security magazine: 2010 Security Readers' Choice Awards."
Download it now to read this article plus other related content.
Earlier this decade, public criticism halted the Big Brother-esque initiative from the U.S. government to create a massive database of personal information collected from a wide range of sources, everything
Or have we?
Moxie Marlinspike, a noted independent security researcher, says the private sector has taken up the cause. Websites like Google, Facebook and others offer free services that are designed to help people take part in society, but at a hefty cost: You volunteer your personal information to companies and that valuable data accumulates. "If there's one thing Google has excelled at doing, it's making sense of large repositories of data," says Marlinspike. "Make no mistake about it, they are in the surveillance business and the effect is the same."
Managing online privacy was one of the themes that surfaced at Black Hat 2010, with a session track devoted to the issue. In a Black Hat presentation, Marlinspike railed against Google and other firms that collect personal data for analytical purposes as part of using their services. Technology has changed the fabric of society, he says. People volunteer to use cell phones that can now be used to pinpoint a person's location, meanwhile people never have to delete an email message using Gmail and can archive messages there for eternity. The alternative to using Web-based services and other technologies is to ditch the cell phone, disconnect from the Internet and live like a hermit, he says.
But there may be a better alternative. Marlinspike has introduced several tools that help people concerned about privacy avoid giving up personal information. GoogleSharing, a Firefox add-on, acts as an anonymizing proxy service and is designed to evade Google analytics and prevent Google from tracking searches. As co-founder of WhisperSystems, Marlinspike also introduced two open source mobile applications for the Android platform that address privacy. RedPhone provides encryption for cell phone calls while TextSecure encrypts text messages and stores them securely on the phone.
But privacy issues go beyond cell phone tracking and Internet analytics. Tom Cross, a research manager with IBM's X-Force research team, talked about ways the faulty programming in routers, designed for law enforcement to conduct lawful intercept operations, can be used illegally by an attacker to collect traffic from people. The techniques needed to tap into the traffic are sophisticated, Cross says but they are a cause for concern. Design issues do little to stop insiders from spying on someone. Cross says turning on audit logs can prevent insider abuse, while deploying some level of encryption could help further reduce the threat.
"If you want to reduce the amount of illegal wiretapping, improving link layer encryption in wired and wireless systems could be the answer," Cross says.
While the tools presented by Marlinspike are useful, they are not likely to be used by many people, says Graham Cluley, a senior technology consultant at UK-based security vendor, Sophos. GoogleSharing is currently used by about 80,000 people, a far cry from the estimated 300 million people that use Google every day. Still, researchers like Marlinspike, Cross and others are helping educate users about the information they are freely giving up online.
"People are giving up an astonishing amount of information to the Web because a lot of people aren't really conscious of what they're doing," Cluley says. "They haven't joined all the dots together and don't understand the serious consequences of what they're doing."
In the UK, for example, Cluley says he walks by closed-captioned cameras every day. The average person is seen on camera dozens of times there. Vehicle registration plates are logged. But most people don't seem to care or have embraced it for safety reasons, he says.
"There are people who are worried about this gradual erosion of our privacy and want to disconnect altogether," Cluley says. "But there are others who say we have to try and find some sort of happy medium, because at the moment people like what technology is doing for them. I think we need to find that middle ground."
Robert Westervelt is the news editor of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org
This was first published in September 2010