Information Technology is a hype driven industry, a fact that has largely contributed to the current situation where the NSA and GCHQ have unprecedented access to the global communication and information. Including for a very Realpolitik based approach to how that information may be used. Economic and political manipulation may not be how these measures are advertised, but it may very well be the actual motivation. It’s the economy, stupid!
Ever since all of this started, many people have asked the question how to protect their privacy. Despite some there is still a lack of comprehensive answers to this question. There is an obvious answer that most mainstream media seem to have largely missed: Software freedom advocates had it right all along. You cannot trust proprietary cryptography, or proprietary software. If a company has a connection to the legal nexus of the United States, it is subject to US law and must comply with demands of the NSA and other authorities. But if that company also provides proprietary software it is virtually impossible for you to know what kind of agreements it has with the NSA, as most of their management prefer not to go to jail. But one would have to be very naive to think the United States is the only country where secret agreements exist.
Security unfortunately is a realm full of quacks and it is just as easy to be fooled as it is to fool yourself. In fact many of the discussions I’ve had over the past weeks painfully reminded me of what Cory Doctorow called “Schneier’s Law” although Bruce Schneier himself points out the principle has been around for much longer. He has dated it back to Charles Babbage in 1864:
One of the most singular characteristics of the art of deciphering is the strong conviction possessed by every person, even moderately acquainted with it, that he is able to construct a cipher which nobody else can decipher.
So in my experience it makes good sense to listen to what Bruce Schneier and a few others have to say, which is why I think his guide to staying secure on the internet is probably something everyone should have read. In that list of recommendations there are some points that ought to read familiar:
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
“So you were right, good for you” I hear you think. The point I am trying to make is a different one. It has been unbelievably difficult in the past to consequently do the right thing that would now give us the answers to the questions posed by the NSA and others. Both the Free Software Foundation Europe (FSFE) as an organisation and Kolab as a technology have a very long history to that extent. In fact if you’ve read the background of MyKolab.com, you’ll hopefully see the same kind of approach there, as well. Having been involved with both has given me a unique perspective.
So when Bruce Schneier is listing GnuPG as the first of several applications he is using and recommending to stay secure, I can’t help but find this rather ironic and rewarding at the same time. Because I know what has been necessary for this crucial piece of software to come so far. Especially Werner Koch, but also Markus Brinkmann are two people all of us are indebted to, even though most people don’t realize it. Excellent software developers, but entrepreneurs with much room for improvement and (I’m sorry, guys) horrible at marketing and fundraising. So they pretty much exploited themselves over many years in order to be able to keep the development going because they knew their work was essential. Over the course of the past 12 years the entire Kolab team and especially individuals such as Bernhard Reiter at Intevation have always done what they could to involve them in development projects and push forward the technology.
And we will continue to do that, both through MyKolab.com and some other development projects we are pushing with Kolab Systems for customers that have an interest in these technologies. But they have a whole lot more in mind than we could make possible immediately, such as dramatically increasing the usability for end-to-end cryptography. The concept they have developed is based on over a decade of working on obstacles to end user adoption. It’s called STEED — Usable End-to-End Encryption and has been available for two years now. I think it’s time to be finalized and implemented.
That’s why I am using tomorrow’s Software Freedom Day to ask for volunteers to help them run a crowdfunding campaign so they can finally put it into practice, in the open, to everyone’s benefit. Because that’s going to contribute more than just a little bit towards a world where privacy will once more be the default. So please help spread the word and let the STEED run!