Archive for the ‘Theory’ Category

h1

Out of the Office: Simple Electronic Security and Practical Data Protection Workshops

February 3, 2009

Knowledge is powerFrom the what-you-don’t-know-can-hurt-you department: I’ve recently returned from presenting my third successful “Simple Electronic Security and Practical Data Protection (SES & PDP) workshop in as many months: two abroad, and one here in Washington D.C.

Truly effective privacy protection and security strategies require more than “silver bullet” software, they require an understanding of the ecosystem in which they’re deployed and implemented.

That’s where these workshops come in: by helping you to understand how the different parts of the privacy and security food chain interact, you’re more likely to protect what’s valuable to you, in addition to feeling empowered and in control of your digital life.

Knowledge is power, and I love sharing it.  Drop me a line here for more information.

2009.03.16: I’ve just conducted two more workshops in the last month and have now decided to offer them as a short, free introductory seminar, and as a paid, hands-on workshop.   Go here to see how I can help you and your organization protect yourselves.

h1

Two Takes on Anonymity

December 15, 2008

From WashingtonPost.com: In a First Amendment case with implications for everything from neighborhood e-mail lists to national newspapers, an Eastern Shore businessman argued to Maryland’s highest court yesterday that the host of an online forum should be forced to reveal the identities of people who posted allegedly defamatory comments.

It is the first time the Maryland Court of Appeals has confronted the question of online anonymity, an issue that has surfaced in state and federal courts over the past few years as blogs and other online forums have increasingly become part of the national discourse.

Leaving the issue of what differentiates libel from opinion, it’s important to remember that in the worst case, the aforementioned forum would be potentially obligated to reveal the poster’s pseudonym.  Not their identity.  For most of your online posting, a well thought out set of pseudonyms would be a great way of insulating yourself from somebody’s desire to silence you through seemingly legal means.

In other news from Slashdot: Esther Dyson, chairman of EDventure Holdings, describes anonymity on the Internet as similar to abortion: a bad practice that people should still have rights to. Calling anonymity one of the greatest disappointments of the Internet’s evolution, Dyson said: ‘I’m pro choice, but I think abortion is an unfortunate thing. I think the same thing about anonymity: Everybody should have the right to it, but it’s not something one wants to encourage.’

From where I sit, it doesn’t seem auspicious to make a comparison between anonymity and abortion.  While the former is a mostly theoretical discussion for most, the later is the kind of thing that gets people killed, or at the very least causes a kind of apoplectic reaction not usually seen in our day to day lives.

So let’s try a madlib experiment instead: I’m pro first amendment, but I think that having everyone freely expressing their opinions is an unfortunate thing.  I think the same thing about anonymity: Everybody should have their right to it, but it’s not something that one wants to encourage. Kind of takes the steam out of the argument, doesn’t it?.

Bottom line:  Yes, people do tend to be less, em, diplomatic when posting anonymously in online forums.  Much as they are at their less-than-best in their cars, staff break rooms, city streets, etc.  This is a part of being human that can’t be solved by requiring that people not post as Anonymous Cowards.

h1

US drafting plan to allow government unfettered access to all internet communications

January 22, 2008

From Wall Street Journal & TheRawStory: Spychief Mike McConnell is drafting a plan “to protect America’s cyberspace” (WSJ’S wording) or “for cyberspace spying” (TheRawStory’s words) that will raise privacy issues and make the current debate over surveillance law look like “a walk in the park,” McConnell tells The New Yorker.

“This is going to be a goat rope on the Hill. My prediction is that we’re going to screw around with this until something horrendous happens.”

At issue, McConnell acknowledges, is that in order to accomplish his plan, the U.S. government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse.

Whether this article is based upon a trial balloon or not is irrelevant – this sounds like a recipe for disaster.

Worst case: If this plan is approved and implemented, you can say goodbye to democratic dissent, private love letters, and the open and honest exchange of ideas, along with patient/doctor and client/attorney privilege. Filling the privacy vacuum you could find further politicization of government employment, balance sheets gone astray, abuses of power, businesses that can’t protect the privacy of their clients’ transactions, and the witch hunt of the week, just to name a few possible potential downsides to this power grab.

Best case: Individuals, businesses, non-profits, and academics, along with their congressional representatives from across the political spectrum will see this straw man for what it is and quash it. But not without first having to deal with the two-headed false dilemmas tag team of “privacy vs. security” and the perpetually sanctimonious “if you’ve done nothing wrong, than you’ve nothing to fear” argument.

It appears reasonable to assert that if president Bush doesn’t use email for personal communications because he doesn’t want “you reading [his] personal stuff” then, all other high-minded and principled arguments aside, I’m equally justified in saying that neither do I want any government reading mine.

h1

Intelligence Deputy to America: Rethink Privacy

November 16, 2007

From CNN: As Congress debates new rules for government eavesdropping, a top intelligence official says it is time that people in the United States change their definition of privacy.

Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.

This kind of wooly (and dangerous) thinking reminds me of one of Scott McNealy’s infamous foot-in-mouth episodes, albeit with much more serious consequences.

Besides anonymity, privacy and security not being mutually exclusive, there are so many problems with what Kerr proposes that it’s hard to know where to start: There’s business and government’s abysmal track record at protecting privacy, serious abuses of power in our nation’s not-too-distant past, the historical importance of anonymity, the costs borne by those whose privacy is violated, and a new low in public trust of its own government.

As if that weren’t enough, there’s the lopsided inequity of a faceless and nameless beaurocracy having ready access to our digital lives without any mechanism for review, revision and redress on our part, and an utter lack of oversight, transparency and accountability on the government’s part.

Mr. Kerr thinks that we should trust big business and the current administration (or any other one for that matter) with something so valuable as our privacy?

I think not.

h1

Privacy, you, and the $64,000 question, part I

June 2, 2006

There’s a question that privacy advocates face on a daily basis that’s incredibly difficult, if not impossible, to answer. It’s the perennial show stopper “If you aren’t doing anything wrong, then what do you have to hide?“.

Bruce Schneier recently responded to this question with an eloquent essay titled The Eternal Value of Privacy, and Daniel Solove even issued a call for a simple answer to this question on his blog. While Schneier’s essay does an exemplary job of establishing the value of the principle we call privacy, it doesn’t provide a readymade reply that’s easily digested by the general public. This was one of the recurring threads of the Solove’s blogged discussion.

So why is it that so many attempts to answer this question have failed to provide a satisfactorily succinct answer to this question that the mythical “guy next door” can understand? Is privacy such an ill defined, archaic and/or useless concept that there’s no convenient shorthand for answering this question?

After spending much time and energy trying to wrestle my way out of this rhetorical tar pit, it dawned on me why this question is so maddening, and why it tends to stop privacy advocates in their tracks. The reason it’s so effective is quite simple:

There is no question to answer.

In its place however, is a morality trap disguised as a question. This rhetorical trick is as unanswerable and significanly more subtle than the classic “are you still beating your wife?” or the more contemporary “are you still having unprotected sex with strangers?”

What is it about this question that renders it unanswerable? Having “something to hide” is laden with the negative semantic implications of secrecy and deception, while “not doing anything wrong” and “having nothing to hide” align quite nicely with the semantic domain occupied by truth and virtue. Thus, whoever poses the question implicitly positions themselves as defenders of truth and virtue while the privacy advocates find themselves defending secrecy and deception in a debate that somebody else has framed to their advantage.

How then, are we to respond to this question? We could try the following nonsensical answers:

“Yes!”, “Mu!” or “D: None of the above”

Or we could simply choose to ignore the question as it is posed above.

Once we realize that attempting to answer this question is a losing proposition, we can get back to the business of protecting our privacy through arguments that place us on an equal footing with those who would presume to dominate the higher ground, instead of chasing our rhetorical tails.

h1

The eternal value of privacy

May 23, 2006

(Source: Bruce Schneier on Wired.com) The most common [and maddening] retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

As Bruce states at the close of this essay, the core issue is not the false dilemma of “security vs. privacy”, rather it’s “liberty vs. control”. Now, let’s take that idea a bit farther and reduce it to the following:

Your loss of privacy is directly related to someone else’s increase in control. Over you.

Here’s the essay, as published in wired.

h1

Is there a good response to the "nothing to hide" argument?

May 23, 2006

(Source: Daniel Solove’s blog) One of the most common attitudes of those unconcerned about government surveillance or privacy invasions is ” I’ve got nothing to hide.” I was talking the issue over one day with a few colleagues in my field, and we all agreed that thus far, those emphasizing the value of privacy had not been able to articulate an answer to the “nothing to hide” argument that would really register with people in the general public. In a thoughtful essay in Wired (cross posted at his blog), Bruce Schneier seeks to develop a response to this argument.

The posts to Daniel’s blog are interesting: it seems that principaled, lawyerly arguments don’t have the resonance necessary to incite the kind of public outrage that’s a prerequisite to making policy changes in Washington.

Here’s Daniel Solove’s blog entry.

h1

Are you the weakest link in the secure computing chain?

September 28, 2005

You are the proverbial last mile in any secure computing strategy. If you can’t, or won’t, keep you computer free of malware (viruses, keystroke loggers, trojans, etc) by practicing safe computing habits, then using the VaultletSuite (or any privacy protecting software such as PGP or GPG for that matter) will only result in a nominal increase in your privacy protection.

So what’s a mild mannered computer user who’s concerned about their privacy and security to do? You could start by checking out the CERT (Computer Emergency Response Team) link below to help protect you and your privacy. Or you could hire VaultletSoft to help you put your privacy and security house in order, or better still, do both.

No matter what you do though, it’s important to remember that security is a process that requires continuous participation, and that a secure system is only as good as its weakest link.

For further reading, read and heed this article about home network security on CERT’s website.

h1

Weren't the crypto wars fought and won years ago? Think again.

February 28, 2005

While many people might think that the crypto wars were won in the 90′s after a long, hard fought battle in the press and the courts, the victory is a hollow one: hardly anybody makes use of encryption for their daily communication needs (aside from encrypting the transmission of their their credit card information via SSL).

Why is this? While pretty much anybody and everybody in the world is now free to import, use, and export varying levels of cryptographic protection, the overwhelming majority (~99%?) of internet users don’t for the simple reason that it’s just too damn complicated and socially awkward to incorporate it into their daily lives.

There’s an article written about Whitfield Diffie in which, as I remember it, he’s quoted as saying that only ~10% of the email he receives is encrypted; I wish I could find it, it would be a fine way to document the point I’m trying to make here.

Follow

Get every new post delivered to your Inbox.