I have been following the massive coverage of the Snowden affair with detached professional interest as someone with some Internet security experience. I recently read Bruce Schneier’s call to arms to the technical community to take back the Internet, and it got me thinking about what we have lost and what we actually had in the first place. But first, here’s the link to Schneier’s post. It’s worth a read:
The thought that occurred to me is that the collective outrage over the alleged invasions of our privacy obscures a fundamental question about the nature of the Internet: did Internet privacy ever exist? This question is orthogonal to the legal and constitutional aspects of the issue, and goes to the heart of why many services on the Internet are free to end users.
Think about Internet privacy for a moment. Go back to your earliest experience with the internet – email, a web page, perhaps a search engine – and ask yourself if you ever considered if what you were doing was (a) secure, and (b) private. Consider an email service. There is an assumption that your emails on a service like Gmail or Hotmail are private correspondence, and that they are being stored and treated as protected communication under the Electronic Communication Privacy Act and in the context of the Fourth Amendment. However, from a hacker’s perspective the reality is that you are using a free service (unless you are one of the few who pay…more on paid services later) and as such you are not giving the service provider “consideration” (e.g. money) to maintain any specific quality of service, including the privacy and security of your emails. Mail service providers make money as a side effect, usually via advertising or by providing additional services linked to your use of an email service, and none of the mail service providers make any specific guarantees as to the security or privacy of their services. To do so would be to expose them to liability and liquidated damages in the event that security or privacy were breached. The paying customers of an email service are advertisers, not people who send and receive email.
This perspective applies equally well to search engines. Google did not build an intergalactic search engine at enormous cost as an act of altruism; instead, they provide a free search service in exchange for collecting and retaining a large set of information about your interests (your searches) and your location (the latitude and longitude of a device that presents a search request). They use this information to target and sell advertising, and this is an extremely lucrative business for them. There is an assumption that Google will not use the information it collects about you to do evil, but Google does not make any specific guarantees that would accrue liability in the event that the data were misused. Again, the paying customers of Google are advertisers, not people who search the Internet.
And now extend this perspective to social networking, where you literally tell Twitter and Facebook exactly what you are doing (tweets and status updates), who your friends are (your social network), what you see (your photo collection), and what you like (your like votes). Again, there is an assumption of privacy and security here, but these are free services, and free services rarely, if ever, make guarantees about the quality of their service. In fact, there are a variety of quotes attributed to leaders of social networking companies in which they state (paraphrasing) that users should share more information, rather than less, and that people with nothing to hide should have nothing to fear.
The point, I guess, is that we shouldn’t be surprised to hear that the free services we use on the Internet are not as private nor as secure as we assumed they were. We are not the paying customers of the Internet services of Google, Microsoft, Facebook, Twitter, Yahoo!, et al., yet somehow we expected that they would stand up to our government and act in our best interests when our personal interests came into conflict with their commercial interests, responsibilities and obligations. The assumption of security and privacy on the Internet is a myth that has been busted, and the surprise is that it took so long for us to figure it out.
Optimistically, we can hope that Schneier’s call to arms will lead to a new generation of Internet services that are designed to guarantee privacy and security with sophisticated new cryptographic technologies. This will become increasingly necessary as each week we hear about yet another hacked Internet security technology – like the alleged SSL hacks that render browser encryption ineffective reported by the New York Times here:
Maybe part of the solution is that we will have to start paying for Internet services that we have become accustomed to receiving for free, so that the commercial interests of the Internet service companies can be aligned with our personal interests as users of the services. Or maybe we will each have to decide whether we value free Internet services more than the privacy of our information and communication. But one thing is certain: privacy and security on the Internet is fundamentally broken.