The Problem with the Universal Right to Online Privacy

(As published on Norse on April 15, 2015)

A landmark decision by the UN Human Rights Council was made on March 26th to cover privacy issues arising from the pervasive monitoring by the UK and the US, in an attempt to establish that freedom from excessive (online) surveillance is a basic human right.

The resolution was spearheaded by Germany and Brazil, where public debate about online surveillance has been most intense. Naturally, German Chancellor Angela Merkel has not yet forgotten the fact that her mobile phone was tapped, and even went as far as expelling the CIA station chief in Berlin.

Brazil’s President Dilma Rousseff cancelled a trip to the US in protest of the surveillance on Brazil’s political leaders. Given that it is prime US policy to keep tabs (well, and taps) on all political leaders in the entire continent of South America, there is little doubt that the sentiment is shared amongst all South American nations.

It was expected that the resolution would be blocked by the US and the UK, but it was adopted by consensus and the UN will be appointing a Rapporteur in June. This Rapporteur will have a “remit to monitor, investigate and report on privacy issues and offer advice to governments about compliance. They will also look into alleged violations.”

The initiative, which contains the phrase, “the rapid pace of technological development enables individuals all over the world to use new information and communications technology and at the same time enhances the capacity of governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights,” sounds very compelling and a worthy cause.

However, those who are skeptical of such an initiative have much reason to be.

To start, the UN has over the years steadily ignored both Article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights (where the Right to Privacy is mentioned).

This is hardly surprising, since quite a number of UN member states have a rather uncomfortable record on human rights as a whole, and there has so far been little appetite for a clash on this subject.

Another major reason to remain skeptical is the equally uncomfortable fact that virtually 100% of all the UN member states are involved with pervasive online surveillance programs in one way or another.

In that respect there is plenty of negative sentiment to go around when it comes to online surveillance, and rightly not all of it is directed towards the US and the UK.

Even Germany, which is taking the lead in setting up this initiative, has been caught with its proverbial pants down when it was discovered that its own foreign intelligence service, the BND, was sharing data on German citizens with the NSA.

It is hardly alone in this: the number of European countries that haven’t been the subject of similar news can be counted on one hand. Putting forth a resolution that limits their own intelligence-gathering operations seems counterproductive at best.

Lastly, it can be argued that the “Universal Right to Privacy” does not translate equally to “Universal Right to Online Privacy.”

However foolish it may seem, we have had a number of examples where such a translation proved much more difficult than it appeared. And these were not small topics: The laws surrounding warfare, for instance, or cybercrime.

Taking all these facts into account, it seems reasonable that this new initiative has some credibility issues. It will be very interesting to see if it develops some teeth moving forward.

Enterprise Security vs. Nation State Threat Actors

The recently published Snowden/NSA/GCHQ slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike. But the uproar is minor when considering that it is now more than clear that it is not only non-allied nations such as China, Russia and Iran that are attacking commercial entities. Nation states that we are on good terms with are apparently equally willing and able to attack their allies, just to get ahead in the Intelligence and Battlefield Preparation game. Good friend and excellent analyst Richard Stiennon already acknowledged (allied) nation states as a threat actor for the commercial industry in his 2013 article “NSA Surveillance Extends the Threat”. He asserted that the NSA was leading the threat hierarchy and advocated a global re-evaluation of one’s security stance. From what has been unveiled recently this is due for a revision yet again, as it is clear that the British GCHQ is following the same playbook. Given that both are core members of the “Five Eyes” community, it is increasingly safe to assume that Australia, Canada and New Zealand follow the same methodology, but that is beside the point of this article.

What does this mean?

When comparing the slides and modus operandi concerning Gemalto with what was disclosed about the Belgacom hack, useful observations can be made regarding the tactics employed by GCHQ and the NSA. And that MO demonstrates quite clearly what the real problems for commercial entities are when faced with a nation state as an adversary.

First off, they are difficult to expect. That’s right: expect, not detect (although that is probably equally true). Nation states have considerably different motives and these may not always be obvious. Gemalto and Belgacom were targeted because they were gatekeepers to communication networks; in this case telecommunications. Those networks in turn carried what the NSA and GCHQ were actually after: the communications (potentially) running over them. It seems like arguing semantics to differentiate between targeting the communications networks and the communications themselves, but it is quite relevant: both the NSA and GCHQ have legal means to obtain the communications they are looking for, but are actively and purposely choosing other avenues. In short, it is not usually obvious what governments are interested in, and even if they have other (legal) means to obtain their target, they might still attack you if that proves to be more useful or less of a hassle.

Second, they are nearly impossible to deter. Cyber criminals generally tend to pick the low-hanging fruit. This will probably remain true as long as there remains so much of it available. The other major category popular with cyber criminals is the ‘big score’, where the spoils of a successful heist are so rich that attackers consider their time and resources a good investment. Naturally this last group has more staying power than the first, but both will eventually bug out if the operation is found to be too difficult or risky. Corporate espionage can potentially stay in the game where a cyber criminal would have given up, but that is very dependent on the level of resources and risk that a firm is willing to commit. You can deter them by securing your infrastructure to such a degree that the reward of breaking in is not worth the effort. Governments have deeper pockets and thus far seem to be more or less immune to criminal prosecution. This significantly alters the equation for such parties. The local social environment of the attacker also plays a role. Corporate spies or criminals basically get told[1] “Get in there if you can”, while soldiers get told “Get in there [period]”. Government operatives don’t get deterred by tedious work or lack of funds. To keep them out it has to be made impossible to break in and, provided it can be done at all, the task will be Herculean and costly.

It should also be pointed out that governmental espionage is not solely about national security. Many intelligence services are tasked not only with security, but also with so-called ‘Economic Intelligence’. To put it bluntly, they are also looking for anything that might give their national corporations an edge over foreign competitors. The reason is simple: successful corporations are a boon to any nation. Not just for the additional tax income they generate, but also for the additional jobs and innovation power they bring. Some intelligence agencies focus more on this than others, but most do it to some degree. We have seen evidence of this before, during the Echelon program. Several high-stakes deals were won by American firms due to the intelligence provided to them by the American intelligence apparatus. We can only guess at what intelligence the NSA is currently feeding to American firms. Perhaps the tech firms that are under the NSA yoke are being rewarded sub rosa as compensation for the multi-billion dollar loss they have incurred (or will incur) over lost trust.

Third, they have capabilities unique to this category of attacker. When looking at the Belgacom and Gemalto hacks, it is clear that one major new factor in their approach is intelligence. Highly trained government intelligence agents are tasked with scoping out the target. They will find key target personnel in short order. It is their job to do so, and even in small nations these operatives are trained and experienced to a degree that will never be matched by a corporate entity. This might be the most effective tool in their arsenal, and next to impossible to defend against. The average person working for a corporate entity will be completely unarmed against people professionally trained in disciplines such as surveillance and interrogation. Would they spot a tail when walking or driving? Would they realize they are being interrogated during a seemingly innocuous conversation with a stranger? Would their family? What is worse is that nothing private is off-limits when gathering intelligence. Private emails, browsing history, social media, cellphone conversations and text messages are all scrutinized in the hope of finding a way inside the target organization. They are not above infecting a staff member with a piece of custom-made malware if it furthers their goal. The more staff a company has, the bigger this attack vector is. The problem is exacerbated when dealing with technologically advanced nations, due to the higher degree of technical refinement in their attacks.

Fourth, that we know of their operations does not mean they have stopped. It sounds strange, but for some reason many people seem to think the threat is over now that we are aware of it. It is stating the obvious, but that is not the case. All that has really changed is that we now have some measure of tangible proof to something that was strongly suspected for a long time. The repeated wake-up calls are working to force a long overdue focus on security, but it still has to be acted upon and followed through on. The security industry finally has the clout to address the serious issues, and it can be done without overhyping the matter. Throw away old disparaging sayings such as “if they want to get in, they’ll get in” and do what can be done.

 

Naturally there is more to this issue than the points described above. What is clear is that the corporate world is faced with a potential adversarial class that it is not equipped to deal with. In this regard the world is not that different from the Dutch Golden Age in the 17th century. The Dutch East India Company (VOC) had a large fleet of merchant ships that were regularly attacked by warships belonging to nations that the Netherlands was at war with at the time. The naval frigates outclassed the often cumbersome trading vessels, and defending themselves to a sufficient degree simply wasn’t economically feasible. This problem grew to such an extent that valuable VOC convoys eventually received Dutch naval escorts for protection, even though the company did have to help pay for them. What is worth wondering about is whether we can find similar common ground with government and truly co-defend in a meaningful manner.

 

[1] Or conceive the notion themselves, naturally.

Data Mining Protection: Taking A Privacy Roadtrip with IRMA

If you have ever clicked “I Agree” on Facebook or an Apple device without really going through it, it might be worth your while to go back and read up. Do you know where your data is going?

A few months ago I went to get a haircut at my local barber shop. The work was done and I walked to the register to pay. The kind lady who had done my hair asked me something I had somehow never seen coming: “Would you like to fill out this customer loyalty card?”

My barbershop, a place that had always remained unchanging, the last bastion of complete digital disconnection, had entered the digital age of nonsensical data gathering and targeted marketing. I regretted it instantly.

A casual look at the contents of one’s wallet now tells you exactly how far the broad-spectrum gathering has already gone. All the credit card-shaped slots in my wallet are full and I have a stack of at least 40 similar cards at home that I don’t use.

All those customer loyalty cards are there for one key reason: data mining. Many organizations are trying to get to know as much about you as they possibly can. Very often this includes things about you that they have no purpose for.

Whether they want to be better at targeting their sales efforts at you, or to resell that information to third parties, the endgame is almost always about profit.

And the reselling of such data doesn’t just happen occasionally – it’s big business. According to a McKinsey Global Institute study from 2012, data is a $300 billion a year business that employs 3 million people in the US alone.

You’ve probably never heard of companies like Acxiom, but you can be sure that they know all about you. Information that you gave one company is happily sold to another company without your knowledge and, in most cases, with consent you gave without realizing it.

With the ever increasing digitalization of our society, it’s becoming more and more obvious that all that information gathering and sharing comes at a great cost: our privacy. Fortunately, there are some great initiatives on the horizon that help combat the broad-spectrum data mining that is going largely unchecked.

IRMA is one of those initiatives that can help a great deal. IRMA stands for I Reveal My Attributes, and essentially comprises a whole new way of approaching identity, authorization and authentication.

It is a project of the Privacy & Identity Lab, a collaboration between research-oriented institutes in the Netherlands such as Radboud University Nijmegen, the Tilburg Institute of Law, Technology and Society (TILT) and TNO.

Using the underlying technologies of Idemix (IBM) and U-Prove (now Microsoft), IRMA is essentially a new form of identity smartcard that can be ‘loaded’ with various sets of ‘credentials’ from different sources, such as the local authorities.

Information such as Date of Birth, Nationality or Place of Residence can be stored on the card and you can use those attributes in transactions both online and offline in a variety of scenarios.

For instance, when voting in local elections: you must show that you are a resident, and currently you have to show some proof of ID before you are allowed to vote. In practice this means you are no longer anonymous.

With the IRMA card, this is a thing of the past. You’d simply present your card and they would only see that Yes, you are a resident of that town. They would also see who issued that credential to you (such as the government), but nothing that compromises your identity.

The same scenario plays out when purchasing liquor. In the Netherlands, the minimum age for purchasing alcohol is 18 and shop owners are legally required to ask for ID. All they really need to verify is whether the buyer is over 18 or not.

This attribute is stored on the IRMA card, and that is all it will tell the store owner: “Yes, this person is over 18”. Neither your age nor your date of birth is transmitted, just the indicator of whether you are over 18 or not. Again, nothing but this attribute and the source of the attribute is shared.
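To make the voting and liquor-store examples concrete, here is an added illustration of selective disclosure. It is not IRMA’s own code and not the Idemix/U-Prove cryptography IRMA is built on; it uses textbook building blocks instead: the issuer commits to every salted attribute as a leaf of a Merkle tree and signs the root with ECDSA, the card hands a verifier only the one leaf it wants to reveal plus the sibling hashes up to the root, and the verifier recomputes the root and checks the issuer’s signature on it. The attribute names, the 16-byte salts, the P-256 key and the hash layout are choices made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attribute is one (name, value) pair on the card, e.g. over18=yes.
type Attribute struct{ Name, Value string }

// Credential is what the issuer hands to the card: the attributes, a random
// salt per attribute (so hidden leaves cannot be brute-forced from their
// sibling hashes), the leaf commitments and an ECDSA signature over the root.
type Credential struct {
	Attrs  []Attribute
	Salts  [][]byte
	Leaves [][]byte
	Sig    []byte
}

// Disclosure is all a verifier gets for ONE attribute; the rest stay on the card.
type Disclosure struct {
	Attr     Attribute
	Salt     []byte
	Index    int      // position of the leaf, fixes left/right at each level
	Siblings [][]byte // sibling hashes, bottom-up
	Sig      []byte
}

// hash length-prefixes each part (all are < 256 bytes here) and uses the tag
// to separate leaves (0x00) from inner nodes (0x01).
func hash(tag byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{tag})
	for _, p := range parts {
		h.Write([]byte{byte(len(p))})
		h.Write(p)
	}
	return h.Sum(nil)
}

func leaf(a Attribute, salt []byte) []byte {
	return hash(0x00, []byte(a.Name), []byte(a.Value), salt)
}

// merklePath returns the root and the sibling hashes along the path from leaf
// idx; an odd level is padded by duplicating its last node.
func merklePath(leaves [][]byte, idx int) (root []byte, sibs [][]byte) {
	level := append([][]byte(nil), leaves...)
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		sibs = append(sibs, level[idx^1])
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, hash(0x01, level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return level[0], sibs
}

// Issue is the issuer's side (say, the municipality): salt, commit, sign.
func Issue(priv *ecdsa.PrivateKey, attrs []Attribute) (*Credential, error) {
	c := &Credential{Attrs: attrs}
	for _, a := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
		c.Salts, c.Leaves = append(c.Salts, salt), append(c.Leaves, leaf(a, salt))
	}
	root, _ := merklePath(c.Leaves, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, root)
	c.Sig = sig
	return c, err
}

// Disclose is the card's side: build the proof for exactly one attribute.
func (c *Credential) Disclose(name string) (*Disclosure, error) {
	for i, a := range c.Attrs {
		if a.Name == name {
			_, sibs := merklePath(c.Leaves, i)
			return &Disclosure{Attr: a, Salt: c.Salts[i], Index: i, Siblings: sibs, Sig: c.Sig}, nil
		}
	}
	return nil, fmt.Errorf("attribute %q not on card", name)
}

// Verify is the shop's side: rebuild the root from the one disclosed leaf and
// check the issuer's signature. It learns the attribute and who vouches for it.
func Verify(issuer *ecdsa.PublicKey, d *Disclosure) bool {
	h, idx := leaf(d.Attr, d.Salt), d.Index
	for _, s := range d.Siblings {
		l, r := h, s
		if idx%2 == 1 { // path node is a right child, so the sibling goes left
			l, r = s, h
		}
		h, idx = hash(0x01, l, r), idx/2
	}
	return ecdsa.VerifyASN1(issuer, h, d.Sig)
}

func main() {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	card, _ := Issue(issuer, []Attribute{{"birthdate", "1990-05-02"}, {"over18", "yes"}, {"resident_of", "Nijmegen"}})
	proof, _ := card.Disclose("over18")
	fmt.Println("shop sees", proof.Attr, "valid:", Verify(&issuer.PublicKey, proof))
}
```

Note that the shop only ever receives the over18 leaf, its salt and a handful of hashes; the birthdate stays on the card, and changing the disclosed value or presenting the proof to a verifier holding a different issuer key makes Verify return false. What this toy deliberately does not give you is what IRMA gets from Idemix and U-Prove: because the same root signature is shown at every transaction, two verifiers (or one verifier twice) can link presentations to the same card, and the path length leaks roughly how many attributes the card holds. Anonymous-credential schemes avoid this by proving in zero knowledge that a valid issuer signature exists without ever showing it.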

The project is still under development, so it is hard to say exactly how it will eventually turn out. But the concept is very promising. If users are indeed capable of choosing additional attributes to store on the card, which is currently the direction it is heading, it can theoretically replace virtually every card in your wallet today.

Naturally users can only load attributes up to a point: some information must always come from highly trustworthy sources. But there should be plenty of room for user freedom.

Imagine just having to carry one single card. Driving license? Passport? Customer loyalty cards?

Every one of these items has attributes that are just as easily stored on an IRMA card. Provided the physical and cryptographic properties are secure enough, we may even be able to replace our bank cards with the same single IRMA card.

If you’d like to learn more, visit the project site. One of the lead scientists, professor Bart Jacobs, explains the whole project much more eloquently than I ever could. Find it here: