It’s been an on-it week, so to speak, with regards to an oft returned to topic on the ol’e blog. Friday through Sunday I was camped out at the Barbican Centre here in London for The Logan Symposium, organised by The Centre for Investigative Journalism with the subtitle/action point: “Building an Alliance Against Secrecy Surveillance and Censorship.”
This would be a marvellous achievement, and really it is something that seems to be emerging to some extent, in part thanks to summits such as this one taking place last weekend. Still, there’s trouble on the line. Our alliance is a fractious one, riven with in-fighting, ego, varying degrees of technological literacy, paranoia, defeatism and the occasional bizarre leap in logic. Meanwhile, it’s benefited by driven people bringing in diverse talents like programming, design, psychology, education, activism, counter-intelligence, research, massage therapy and whatever anyone’s got to offer.
This blog isn’t going to be a blow-by-blow of the whole programme. Get that here and here. For notes, quotes and quips from the Logan Symposium, check out Oliver Smith’s post or the Online Journalism Blog post. The Guardian’s Live blog offers several sometimes heated turns of the screw, including some sucker punches aimed at itself.
First, this post is about why people fight for the issue. Second, it’s about why people fighting for the issue are fighting one another. We’ve got a trio of re-occurring examples to take a look at on that count. But do visit the Logan Symposium site. Look up the talks and the talkers. All of them are amazing, inspiring and worth following.
Why be concerned about data and its misuses? Why should you, likely with “nothing to hide” give a shit? I’ve got nothing to hide as well, so I’ll take a stab at it:
For now, put aside the twin beasties of the NSA and GCHQ. We worry about spooks not just for what they represent to society, but because of who they report to. Some points:
1) Overall: Laws are shifting globally with a trend away from democracy, civil liberties and human rights. Freedom House’s annual “Freedom on the Net” survey “finds internet freedom around the world in decline for the fourth consecutive year” (and still gives the U.S. too high a ranking). That’s on par with it’s overarching “Freedom in the World” survey, finding for the eighth consecutive year “more declines in democracy worldwide than gains.” Too much democracy. Gotcha. Enough of that.
2) Little Britain: The UK is protesting interference from Europe, mostly around laws that protect British citizens. What amazes me about UKiP leaning voters is that they seem to want the UK to have the right to treat them more miserably. And it’s working in the name of fighting the immigrants, or terrorists, which seem to be mentioned fairly interchangeably. So less freedom. People are voting to give it up.
Ross Anderson: "Only a nutter would base an online publication in the united kindgom, given the legal climate here." #LoganCIJ14
— Andrew Ford Lyons (@drew3ooo) December 5, 2014
The British government’s Section 7 of the Terrorism Act 2000 makes it particularly risky to be an investigative journalist here. And even if that one doesn’t apply, you may still end up on British police list of “Domestic Extremists” for simply acting like a journalist.
3) That place of the Arab Spring: Egypt, United Arab Emirates, Yemen and several other countries in the region are taking stronger stances against large sections of their own populations. This news is often reported in Western media with a shrug and a wink, so let’s be sure to notice that our special friend and “only democracy” Israel is on trend, working on changing its laws to be strictly identified as a Jewish Nation State. If you’re a Druze or a Palestinian Muslim or Christian, you’re country’s about to be a little less about you than it already was. What will that mean after the next election?
4) The empire: The U.S. continues the long wake-up to a nightmare, in which it realises how little the government is accountable to its citizens. The NSA is spying on you, but the CIA is physically torturing folks. Neither of them are actually stopping physical threats to the population, but remember, the NSA is telling the CIA where you are through your Whatsapp and your Uber. Maybe under old rules you weren’t a person of interest, but under new rules you could be.
The point is, even if you’ve somehow lucked into a happy land of equality and freedom (Hello, Icelandic reader), governments change, laws change, and yet everything you’ve done in the past that’s been recorded and categorised will remain fixed but subject to reinterpretation.
Jacob Appelbaum noted in his talk via video not using Skype that people equate privacy with liberty and free speech, and yet they’ll also be the first to admit that privacy is dead. Privacy is liberty: It’s the ability to choose who you speak with. Free speech includes being able to control who you want to listen to what you’re saying.
So things are complex, and people on the same side of the fence squabble about whether you should use Skype or not when talking to your sources on that news story, or whether having an encrypted email paints a big target on your back, or if you even need to worry about the Western big bads when you have more pressing local issues. Let’s take a look at some of the conflicts and sort them out.
Myth 1: Skype is easy to use and you’ll blend into the noise
First off: millions of people use Skype. I use Skype on a couple of machines. Skype has its uses. Most of those uses exist because people are asking to talk to you using Skype. It’s free and quick. But I’d never use Skype with a source on a news story, to conduct a meeting on direct action strategy, or to talk with or about someone targeted by this or that regime or various colourful non-state actors.
I maintain a wall on contacts I don’t want imported into Skype, use different Skype accounts, and use different operating systems without Skype for work I don’t want effected by Skype. That Skype is both quick and free makes it not easy. Actually, Skype is quite complex to use. It requires a whole risk assessment.
At a Logan Symposium session on Friday, Ross Anderson suggested that Skype could be better than using PGP to talk to sensitive sources. His argument in summary: You can both create a fake user name account to hide your identity and you’re one-off communication will blend into the noise of millions of Skype users. If you use PGP or security-specific tools, you may stand out, he said. A lot of people left that session repeating what Anderson had said on the topic, there and on Twitter. For the next two days, every time Appelbaum chimed in about anything, he made sure to include a mention of why he thought this was patently not true.
Both individuals are far more knowledgeable and intelligent on the topic than I am, and I still use Skype… sparingly. And that’s what makes it complicated, because Skype wants you to use it all the time.It’s designed to get you to use it all the time, and it’s technically insecure.
The way your unique data is collected is what makes you actually stand out of the crowd so long as your chats or contacts trigger any number of “selectors” that are being looked for. You can easily stand out based on your identity, where you’re communicating from or to, who you’re talking to, the kind and size of files you’re sharing, time stamps, IP addresses, the technology you’re using, and on and on.
Skype is not so easy to use if you apply it to any reasonable threat model around working in journalism, human rights, activism, or anything that is or could some day be of interest to authorities. Here’s a possible use: Agree to meet on Skype voice to instruct someone how to use a stronger tool for communication in the event you can’t meet in person. Use another more secure other tool for your text chats and file exchanges, or simply switch to more secure things like Ostel or Jitsi for privacy, and something like Cryptocat or the like for anonymity.
Using these more secure, open source peer-reviewed programs will simplify your life. You won’t “stand out” any more than you already do with Skype, really, and if you are selected you may be thankful that there’s less of a chance that a searchable record of what you were talking about or to whom remains available.
Share files through volatile means like onionshare or filetea. Mixing your channels of communications adds strength and these are easy, no password, disposable methods of communication with encryption and deniability. You’re source will be safer than they would be on Skype.
But this shouldn’t be about one app. It’s not whether Skype is safe, because you don’t want to repeat this process with every shiny new piece of tech that comes along. It’s about application’s functional and technical structure, the business model of the company that makes it and how it views its users. If you look at it this way, you’re answer about whether you should use Skype will be the same with regards to whether you should use Viber, but possibly different from whether you should use something like Signal or Red Phone.
Myth 2: Using encryption is difficult
This was uttered in a few corners around the Symposium, both on and off stage. Digression: Long ago, back in 1992, there was a media controversy about a talking Barbie doll. One of its many pearls of wisdom was “math class is tough.” That’s a curious thing to say on the topic, instead of maybe: “maths class is fascinating,” or “prime numbers are what is left when you have taken all the patterns away. I think prime numbers are like life. They are very logical but you could never work out the rules, even if you spent all your time thinking about them.” (Okay, that’s Mark Haddon)
Relating the digression: Whenever someone sloughs off encryption as “too difficult” at one of these events, I uncontrollably see Barbie’s plastic head on their shoulders for a few seconds. Generally they’ll move on to say something smart and it goes away.
When you dismiss encryption as too difficult, you’re taking a person’s power away. You’re robbing them of the opportunity to see for themselves whether a potentially useful skill is actually too tough for them to pick up. In most cases, I’d argue it’s not, and you’re being a part of the problem. Encryption is complex, but that’s not the same as being difficult to use.
Sure, bashing out your own cipher or hashing algorithm from scratch that will stand up to AES requirements is a tall order. But that’s not what we’re talking about. And unless, you’ve got a special fetish for it, you don’t need to fire up the Unix terminal to secure your files, folders or emails. There’s software that makes it much easier. There’s Thunderbird+Enigmail. There’s GPGtools. There’s GPG4Win. There’s Portable PGP. There’s fucking Mailvelope.
Yes, there’s a learning curve to get over. There was also a learning curve to drive a car, swim, pick up a new language, spell words in your own language, mix a decent Tom Collins, and etc. There are habits and behaviours to pick up, and ways to suss out if you’re choosing the best app for the job. But that starts with curiosity and interest. You’re squishing the life out of those when you say “it’s too difficult.”
There’s enough senseless fear mongering about technology as it is, without adding to it with more nonsense. Properly used, strong encryption works. Learning how to use it can be done in a relatively short time. A complete understanding of the math and theories underneath is like diving into prime numbers: Possibly interesting, but unending and not required.
Myth 3: You live in a liberal democracy, so you can relax
People in various sessions and side discussions were right to point out that there are more threats than the Big Bads in the U.S. and UK. There’s China, there’s Russia, there are Mexican cartels and Islamic terrorists. There are financially driven criminals, moneyed despots, corporations and so on. Some argued that because we’re where we are, we have less to worry about than others. This is dangerously inaccurate.
Your data moves along servers and through networks sitting under multiple jurisdictions around the globe. Some of these networks are weaker than others. Some of these governments are more invasive than others. It’s what Maria Xynou, a researcher at Tactical Tech dubbed, “The False Dichotomy of Better and Worse Spies.”
It goes like this: Some people may look at the U.S. and China on the Freedom House site (for example) and decide, “I’d rather be spied on by the Americans…than, say, the Chinese” (Maria’s example). Thinking this way could put you or those you’re trading information with at risk. Maria writes: “intelligence agencies around the world collaborate and routinely share intelligence data. In some cases, such intelligence sharing has had major consequences and has resulted in extrajudicial killings. In these cases, the collectors of the data, the spies, have not been held accountable for collecting, aggregating and sharing this data.”
Thinking in terms of national identity makes things more complicated. You need to learn multiple legal systems and several other things, and sometimes guess which will apply to you. Thinking in terms of cross-border networks makes life easier: How many other parties (the quantity and variety of which you have no control over) do you want seeing what you’re talking about? Encrypt it.