Thursday, September 19, 2013
Everyone assumes that technology companies like Apple, Facebook, and Google don’t care that their customers are being spied on. I don’t believe that’s true.
On the very day the media dropped detailed documents on the NSA’s X-Keyscore collection program, the Facebook engineering team published a blog post stating that all access to Facebook via apps and web browsers was now SSL encrypted. Given X-Keyscore was a program primarily designed to intercept unencrypted internet traffic, you could be forgiven for interpreting Facebook’s post as a middle finger pointed in NSA’s direction. (Sources inside Facebook say it is a coincidence, and indeed the company had been in the process of enabling this across-the-board for years. But still. The timing.)
There are new interception hurdles everywhere you look. Even plain old SSL encryption is becoming more difficult to snoop on. Previously, governments could rely on complicit or compromised certificate authorities to provide them with the means to intercept encrypted traffic. Thanks to the Iranian government’s overly enthusiastic use of this technique, Google made changes to the Chrome browser to neuter the practice. Similar updates are expected soon in Internet Explorer. There goes another interception technique for law enforcement!
And it’s only going to get worse for the poor ole G-Men. Technology companies are enabling security features that make certain types of government surveillance extremely difficult, and it’s a trend that’s set to continue. That’s why the U.S. government has long wanted laws that force tech companies to make their products wiretap friendly.
It’s not just web providers that are making life more difficult for government intercepts. It would take Apple, for example, a negligible amount of development time to introduce the cryptographic anti-snooping features of OTR — a form of instant messaging encryption and authentication — into a protocol like iMessage. At the moment authorities can get in the middle of the keying process at Cupertino and read user content, if they show a warrant. But one simple iOS update and they won’t be able to do that anymore without setting off alarm bells: You want us to execute that warrant for you? Ok, sure, but the user will get a nice big popup warning telling them that their messages are likely being intercepted! (Still want us to proceed? Didn’t think so.)
There’s the rub. Currently, there’s no law stopping companies like Apple, Facebook, and Google from introducing such security changes or forcing them to build in backdoors. Why would Apple want its users migrating to cross-platform, anti-snooping messaging apps like Hemlis (by the founders of The Pirate Bay)? Especially when the company could push itself out of the surveillance business with its own technical tweaks before federal regulations force them to become key players in warrant execution.
In fact, advancements in the usability of cryptographic protocols have made anti-surveillance features relatively simple for technology companies to bake into their communications products. And public demand for greater security and privacy in the wake of Edward Snowden’s revelations may make it virtually obligatory for them to do so before new wiretapping laws can be introduced.
This heralds a looming standoff between technology companies and government … even though much of the focus until now has portrayed the two as being in the same camp.
Full article: http://www.wired.com … -they-may-be-at-war/