Warning: this is certainly a depressing post.
The NSA/PRISM/big brother scandal of late didn’t surprise nor shock me. The discovery that “the NSA probably silently circumvents/broke all our crypto and hid backdoors everywhere” is not really a discovery to geeks who have given the whole system a bit of thought — spies are spying on us, and they’re not telling us that our GPG keys or disk encryption are not sufficient to guard against them? No sh**, Sherlock!
What kept me relatively optimistic about the whole thing is that running a fully open-source software stack on your computer gives you long-term protection, in theory. Sure, it probably has backdoors planted by the NSA right now (you may now begin the witch hunt), but the increased awareness and outrage from recent events means (hopefully) that we’ll weed out those vulnerabilities with more audits, ruthless efficiency and an almost fanatical devotion to security.
But then, on the privacy side of things in general, some much more worrying thoughts have started resurfacing in my mind.
For starters, let’s just take the case of WiFi networks. Until today, it somehow did not truly occur to me that no matter how security-conscious I am, no matter how “safe” my encryption is considered to be or how clever my wifi passphrase is, it doesn’t matter at all: as soon as a friend or family member logged into my wireless network once, it’s game over: Google (or Apple, or whoever) knows your passphrase, which allows circumventing the entire system.
I say that I’m surprised this realization had not occurred to my mind until now, because this is just the logical extension of what I’ve been thinking for years about everything else, about GMail, social networks and addressbooks. Network effects means that you do not have any “opt out”, only the illusion of it. Even if you boycott them and avoid giving out any information, your friends and family (you know, normal people) will happily enter this information into the system. Didn’t fill in your birthdate, phone number or door passcode number in your profile? It doesn’t matter: somebody else added that info right next to your name and email address in their own addressbook which, unless they are as paranoid as you, is stored (or synchronized) online.
Even if we go full-tinfoil and use only privacy-intensive, security-audited, local-storage-only open-source software, we are still compromised… because humans are socially interconnected and technology has become integral to the world as we know it. I don’t know where to go from there, so maybe there’s a huge flaw in my analysis that I’d love to hear about.
You can check out my main website, find me on Twitter or Mastodon or subscribe to my YouTube channel.
Comments
8 responses to “Privacy does not exist — it never did”
It pays off to be anti-social 🙂
translation
P NP.
Use a rock as a One Time Pad, and a Cat as your Voice of Reason.
par, tar and xdelta are probably also your friends.
Go hard or get off my porch.
Spot on. Just fwiw, some access points/wifi routers allow the creation of several different SSIDs that are isolated, so you can solve at least that one problem by giving your family and friends info for the ‘insecure’ SSID and using one for just yourself. But, yeah, that is probably the least of our problems.
Apparently the solution is to not have any friends?
Joking aside, you’re correct. Privacy isn’t just a question of what you do – it’s about what everyone connected to you does as well. And you don’t have to use Facebook or Twitter yourself to end up with an online trail from friends tagging you in photos and so forth…
Heck, I use WPA2-Enterprise, EAP-TLS. That means my one friend has to use certificates to get on my Wifi. I don’t think, don’t *think* mind you, that the devices back up certificates and the secure data store password.
And the one friend is a joke.
A couple flaws:
Realize that an unbelievably small group of people (and even smaller amount of money) have traditionally been put toward solving the kinds of problems you’re describing. Most of the people now claiming they knew these problems all along were the ones saying “that’s way outside our threat model” about something or other in the software they were working on before the revelations. Those people are now completely justified and welcome to change their minds. And they will. But it takes time to turn that energy into usable results.
More and more browser vendors integrate webrtc and websockets into the browser, which allows P2P communication, with a server just acting as a connector between the both, but both clients send all data over their self.
You can see the traffic in the Chrome Developer Console.
GNOME has to invest more in P2P in Empathy, but there isnt any popular P2P chat client (?)
Déprimant en effet! Faut-il la peine alors d’éviter comme la peste tous les Google de ce monde?