Online security - Someone's hanging on your every word.
Sending sensitive company information electronically may not be as
At the time of writing, the UK government’s infamous Regulation of Investigatory Powers Bill (the so-called Snooper’s Charter or RIP, in common parlance) is still undergoing considerable changes.
This is largely as a result of its rocky ride through the House of Lords, but also a response to the howls of derision and cries of foul play from just about every group with an interest in the internet – from civil rights groups to the British Chamber of Commerce. Quite what will emerge as law from the present debacle is uncertain.
RIP is essentially a measure that gives the authorities new powers to monitor what the ‘baddies’ get up to online. These measures include installing ‘little black boxes’ within ISPs so that internet traffic may be intercepted, and the right to demand that those who use encryption technology to protect their data, such as companies, decrypt it on demand.
So what’s wrong with that, you may wonder? Surely only those with something to hide need fear such powers? Well, it’s a big subject – too big to cover here in great detail, but quite aside from concerns about censorship, security and privacy, the biggest flaw with any system on the RIP model is that it’s bound to be ineffective.
On one hand, those who really are of criminal intent can always find ways to evade surveillance (it’s really not very hard to do). On the other, those caught red-handed with seriously incriminating material on their computers are not likely to decrypt it on pain of a two-tier jail sentence if, by complying, they might expect a much longer term inside.
Know your cyber-rights
Yaman Akdeniz, founder of Cyber-Rights & Cyber-Liberties UK, a pressure group devoted to free speech and privacy on the internet, says: ‘I have always thought that the internet is an amazing and positive development.’
‘But there are negative aspects, too. In my view, online privacy is by far the most important issue in the Information Age.’ He says some government regulation is needed. ‘But just because criminals and paedophiles misuse this medium does not mean that the authorities should seek or be granted what they call “new powers” to turn this country into a surveillance society. All initiatives should be proportionate and effective.’
There is every chance RIP, if it survives, will be tested in court and ruled in breach of the Human Rights Act.
Keys to encryption
The key to modern encryption is keys, and that’s what all the fuss is about. This is how it works: say you want to send Igor at DodgyArmsDealers.com a purchase order for a dozen Kalashnikovs. First, you get hold of his public key, which is just a big software-generated number, and use it to scramble the message.
Now you can send the order by e-mail, secure in the knowledge that anyone intercepting it will see only garbled gobbledegook. Igor, on the other hand, simply has to run the encrypted order through his private key – another big number, but known only to him – for all to be revealed.
Note a couple of interesting features about this system: if the RIP police suddenly come beating on Igor’s door, he might quickly encrypt all his records with the first public key that comes to hand. Now it’s no longer in his power to open his files to scrutiny.
Consider the related scenario in which you receive an encrypted message from you know not whom. The authorities show up and demand that you decrypt it while they wait. Would you hesitate?
What if you’re being cleverly framed? In effect, you have lost the right to silence. The Human Rights Act will undoubtedly safeguard our right to privacy, but it’s a true optimist who imagines that electronic communications will ever be truly private and secure.
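The key mechanics described in this section, as an added example that is not part of the original article: textbook RSA (an assumption, since the article names no algorithm) with small constructed keys shows the order round trip to Igor, and why records encrypted under someone else's public key cannot be opened by the person who encrypted them. All function and key names are hypothetical.

```python
# Added illustration: textbook RSA with fixed, constructed primes.
# No padding and tiny keys, so it shows the mechanics only.
from math import gcd

E = 65537  # conventional public exponent


def make_keypair(p, q):
    """Return (public, private) keys as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (E, n), (pow(E, -1, phi), n)


def encrypt(message: bytes, public_key) -> int:
    """Scramble a short message with the recipient's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Apply a private key; only the matching one restores the message."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\x00")


# Constructed key pairs built from known Mersenne primes.
IGOR_PUB, IGOR_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
STRANGER_PUB, STRANGER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def order_round_trip(order: bytes):
    """Sender scrambles with Igor's public key; Igor opens it privately."""
    c = encrypt(order, IGOR_PUB)
    return c, decrypt(c, IGOR_PRIV)


def records_locked_out(records: bytes) -> bool:
    """Igor encrypts with a stranger's public key, then tries his own key."""
    c = encrypt(records, STRANGER_PUB)
    return decrypt(c, IGOR_PRIV) != records
```
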
Tracks and trails
One of the enduring misconceptions about the internet is that it offers complete anonymity. It may feel that way but you can’t help but leave footprints as you weave your merry way around the web.
For a simple but vivid example, drop in on Privacy.net and see how much the site knows about you already. Scary, huh?
This is also a good starting point for learning how to keep a low profile online, as is Anonymizer.
Just try searching for yourself with deja.com’s power search utility.
The same is true of mailing lists, where every ill-conceived or embarrassing message may be archived on a website for all the world to dredge up and use against you in the future.
Of course, it’s possible and often desirable to use a false name and secondary e-mail account for newsgroups and mailing lists, if only to deflect the inevitable spam and flames, but a remarkable number of people are apparently quite happy to include their real address and phone number in their e-mail signature.
This is not to be recommended, in our view, not least because there are plenty of sneaky software programs busily scanning public forums for just such information.
Your phone will soon be ringing off the wall with exclusive offers for double-glazed mobile kitchens or whatever it is they try to sell you halfway through dinner.
The best-known encryption software – Pretty Good Privacy, or PGP – was developed by Phil Zimmermann, an achievement which led to him being persecuted for three years by the US Customs department.
As he stated in his unapologetic address to the US Senate: ‘The only way to hold the line on privacy in the Information Age is strong cryptography – cryptography strong enough to keep out major governments.’
A freeware copy of the program can be downloaded from his website but the commercial release is considerably easier to use. However, there’s nothing like suspicious behaviour to draw suspicion upon oneself, and a PGP-encrypted message is quite clearly hiding something.
An alternative approach is to use a program such as Steganos Security Suite. This not only encrypts files but hides them within others.
What appears to be an innocent family snapshot might conceal your company’s accounts or the battle plan for the revolution. Spooky stuff.
As the dispute over the legalities and technicalities of RIP rages, we can just imagine the tittering in the smoke-filled rooms of the secret services.
After all, they’ve been systematically monitoring every electronic communication under the sun for years. Enemies and allies alike are spied upon. Secrets are traded across battlelines. Word recognition software filters emails to identify conspirators. Industrial espionage enables companies in the spy ring loop to secure orders.
It’s a global conspiracy, it’s called Echelon, and there’s nothing you can do about it.
Far-fetched? Well, while we await the findings of a European committee’s investigation into whether Echelon does in fact exist and, if so, whether its methods are legal (a clue: yes and no), here’s a fun game you can play at home. Strike up an e-mail correspondence with a friend and include some or all of the following key words and phrases in your messages: heroin, hacker, bomb, anarchy, subversion, fifth columnist, David Shayler.
Then get under your bed and stay there. On second thoughts, perhaps it’s safer to follow the Echelon saga from a distance. Should you be inclined to let rip against RIP, pay Stand a visit at and make your voice heard.
Kyle MacRae writes for vnunet.com