The fallout from the Snowden affair seems to keep coming, with the shuttering of not one but two secure email services.

For those who have been living under a rock for the past month or so, Edward Snowden is the whistleblower and political dissident who leaked evidence of vast illegal US and UK internet surveillance projects, and who has currently been granted asylum in Russia. Given the American government’s shockingly poor record on the treatment of its political prisoners, as well as their clear desire to make an example of him, I for one am relieved Russia stepped up to its obligations under international law. Granting Mr Snowden some respite from persecution, however temporary that may be, was both legally and morally the right thing to do, even if the cognitive dissonance that I feel from the reversal of the traditional narrative is giving me a migraine.

Known in cryptanalysis circles as “The Rubber Hose technique”.

Lavabit, a Texas-based provider of encrypted email apparently used by Snowden, shut down to avoid becoming “complicit in crimes against the American people”. Later Silent Circle, based in Maryland, did the same, taking the view that it was better to close down and destroy its servers than to deal with the inevitable bullying.

The message seems to be simple. You can’t rely on the security of services where the data is out of your control, especially if the machines or companies involved have ties to the USA. But to say you’re safe from this sort of thing because you use a non-US provider (as many seem to be saying) is frankly delusional.

For those who are looking for alternatives to giving all your data to a third party, I do suggest you check out the #indieweb community, especially if you’re a builder. #indiewebcamp-uk is happening in September in Brighton, RSVP here.

It seems it is fast becoming a dangerous time to be a software creator, and no matter how secure your platform, you always run the risk of the rubber hose technique. As an industry, we are living in “interesting times”, and it will be interesting to see where we go from here.

Update: Graham Klyne points out that Silent Circle haven’t shuttered their end-to-end encryption offerings.

Image “Security” by XKCD.

It was recently revealed that the NSA and FBI have been using the US Patriot Act to conduct blanket, unwarranted surveillance of US citizens (and anyone who happens to talk to a US citizen), which of course comes as no surprise. The fact that major companies (Google, Verizon, Apple, to name but a few) were complicit in this is very disappointing.

In the UK, the security services already track your phone calls, RIPA makes it a criminal offence to refuse to decrypt data (or what they believe is encrypted data) on the government’s request, and with plans to re-introduce universal internet surveillance (shamelessly capitalising on the tragic murder in south London of a young man, re-branded as “Terrorism”), we are taking the lead in creating the “Cradle to Grave” Surveillance State.

History shows that the greatest threat to an individual’s liberty comes from the state itself, rather than some foreign actor. My good friend Ben Werdmuller recently coined a new “Second Amendment”, which I thoroughly agree with:

Privacy being necessary to the sanctity of a free state, the right of the people to own and encrypt data shall not be infringed.

Of course, it is easier said than done. You can’t trust cloud based services to protect you; Apple, Google, Twitter, Facebook, your phone company and ISP are all complicit.

Wider use of encryption would be a start, but that’s hard to do in isolation. Email encryption is a microcosm of the problem; I’ve had a public key available for over a decade, but the grand total of encrypted emails I’ve received can be counted on the fingers of one hand. This is not because encryption or key management is necessarily complicated, it’s just that there is no motivation for me to use it if nobody else is as well.

It is useless in isolation.

Newer technologies fare better: without the need to carry too much legacy baggage, they can afford to switch on encryption from the get-go. Many, especially IM clients, have another advantage in that they are synchronous, and so could do content negotiation ahead of time. So, perhaps a mail client/webmail client with Webfinger support, and wider adoption of that?

Might help.

However, I think the biggest issue is that society at large tolerates the state doing this sort of thing. Perhaps “We the people” should start presenting a more unified opposition.

The UK Government snooping bill will apparently “handle” HTTPS and encrypted communication protocols like Skype.

More clarification is clearly needed, but to me this is concerning and means one of the following:

  1. Nothing new, and this was just hand waving: The bill already plans to monitor connection data, so even with HTTPS, which encrypts content, an observer can monitor requests at the domain level. The page request and any payload are encrypted, but the fact that you’re visiting a given site is not, meaning that an observer will be able to see that you visited https://foo.com, but not which pages therein.
  2. They have site/tool level back doors: More worrying is that the snoopers have muscled back doors into sites like Gmail and Facebook, and protocols such as Skype.

    Rumours about Skype back doors have previously been circulated, but have been denied. Skype’s own websites state that all communication is encrypted and that no transport node on the network has access to the unencrypted data, but since the tool is proprietary it is impossible to independently verify this. In my view this damages the tool’s credibility as a tool to conduct business communication securely.

  3. Compromised root certificates: Most concerning would be if the snoops had managed to strong-arm certificate providers into compromising the SSL root certificates, allowing them to perform a man-in-the-middle attack without the usual warnings. This is particularly alarming and puts at risk our entire eCommerce and banking ecosystem when these are inevitably left on a train.

Urgent clarification is needed, but to me this casts doubt on centrally issued certificate based encryption and proprietary protocols, for the time being at least.

Image “GCHQ” by James Stringer.