Privacy, Intelligence and Old News

For as long as I can remember, whenever I was in a conversation about cryptographic systems or network security, there has always been a caveat[0]. Security has always been relative because there is always someone with more resources than you, "unless you're the NSA". In fact, more often than not, it was probably me reminding everyone that there is always someone with more money, more computing power, more smart people. Everyone in the room knew we didn't have the resources to compete with the likes of the NSA or GCHQ (the UK's version of the NSA). But then, the things we worked on weren't a matter of national security.

The fact is, all privacy and security decisions are trade-offs. At some point you realize that the money and expertise you have can't compete with the budgets and expertise of governments and huge corporations. At that point you begin to determine the probable threats and arrive at a sweet spot in the middle of usability, implementability, and security.

We knew all this before we knew about the NSA's PRISM program[1][2] or the fact that they seem to have an IV into Verizon's telephony metadata[3]. We also knew that you don't have to be able to crack into encrypted data to learn a great deal from the presence of it. Sometimes it's enough to know who is talking to whom, from where, when, and for how long. The fact that they are using an encrypted channel or encrypted data is another helpful data point. In fact, if you want to build a social graph you don't need to know the content of the communication. You just need to know the players and the points of connection[4].
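To make the metadata point concrete, here is an added illustration (not part of the original post) that folds content-free contact records into a weighted social graph. The record layout, the party names and the helper functions are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample records: metadata only, no message content.
# (caller, callee, start time, duration in seconds, encrypted channel?)
RECORDS = [
    ("alice", "bob",   "2013-06-01T09:00", 300, False),
    ("alice", "bob",   "2013-06-02T09:05", 420, False),
    ("bob",   "carol", "2013-06-02T09:30", 60,  True),
    ("carol", "dave",  "2013-06-02T09:40", 45,  True),
    ("bob",   "carol", "2013-06-03T21:00", 900, True),
    ("erin",  "bob",   "2013-06-04T12:00", 30,  False),
]

def build_graph(records):
    """Fold records into undirected edges keyed by the pair of parties."""
    edges = defaultdict(lambda: {"contacts": 0, "seconds": 0, "encrypted": 0})
    for a, b, _start, seconds, encrypted in records:
        if a == b:  # ignore self-contacts; they carry no relationship
            continue
        edge = edges[frozenset((a, b))]
        edge["contacts"] += 1
        edge["seconds"] += seconds
        edge["encrypted"] += int(encrypted)
    return dict(edges)

def degree(edges):
    """Number of distinct counterparts per party (hubs stand out)."""
    deg = defaultdict(int)
    for pair in edges:
        for party in pair:
            deg[party] += 1
    return dict(deg)

def strongest_tie(edges):
    """Pair with the most total talk time."""
    return tuple(sorted(max(edges, key=lambda p: edges[p]["seconds"])))

def always_encrypted(edges):
    """Pairs whose every contact used an encrypted channel."""
    return sorted(tuple(sorted(p)) for p, e in edges.items()
                  if e["encrypted"] == e["contacts"])

if __name__ == "__main__":
    graph = build_graph(RECORDS)
    print("degree:", degree(graph))
    print("strongest tie:", strongest_tie(graph))
    print("always encrypted:", always_encrypted(graph))
```

Six records with no content are enough to single out the hub, the closest pair, and the pairs that only ever talk over an encrypted channel.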

My point in all this: we have always known that governments and Internet service providers have an advantage over the rest of us when it comes to signals intelligence. We've always made trade-offs with them in mind. The only thing that's different now is that the non-technical public is being made aware of it.



[0] http://en.wikipedia.org/wiki/ECHELON
[1] http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
[2] http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
[3] http://www.guardian.co.uk/world/interactive/2013/jun/06/verizon-telephone-data-court-order
[4] The funny thing is it's real easy to make these connections if you have enough data. Remember how freaked out you were when Facebook started recommending friends to you; people that you actually knew? I remember a couple of months after we moved into our new house my wife was shocked that Facebook recommended our new neighbor as a friend when they had no other friends in common and she hadn't yet updated her location. It seems Facebook used geoip information to make the suggestion.