Time to encrypt the entire internet?
The Heartbleed bug crushed our faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.
So writes Klint Finley on Wired and personally, I don’t think this is a bad idea at all.
Finley quickly specifies what he means by “encryption everywhere”: “secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor”.
It seems to me that rolling out SSL/TSL encryption widely across the internet would be an initial step of the kind of “technical response” to mass surveillance that Edward Snowden called for at the South by Southwest conference in March this year.
You can read more on this type of encryption here.
My impression – as a rather tech un-savvy person who has been following the Snowden revelations for almost eleven months now – is that widespread SSL/TSL would make mass surveillance a lot more difficult and “too expensive for the NSA to spy on everyone” – a point that both Mr Snowden and the ACLU’s Christopher Soghoian made repeatedly at SXSW.
[The NSA] will need to actually have a good reason to dedicate […] resources to either try and break the encryption or to try and hack into your device. So encryption technology even if imperfect has the potential to raise the cost of surveillance to the point that it no longer becomes economically feasible for the government to spy on everyone (Christopher Soghoian).
Naturally, there are downsides to implementing SSL/TSL more widely. Finley mentions that the cost of TLS certificates might not be cost-effective for smaller websites. What is more, increased server resource consumption could slow sites down.
“But even if the entire web isn’t ready to switch completely to HTTPS,” Finley concludes, “there are plenty of reasons that more sites should start using HTTPS by default — especially sites that provide public information and software.”
In their SXSW talk, Christopher Soghoian and Edward Snowden discussed further reasons for why encryption is important and obviously they weren’t thinking exclusively of SSL/TSL.
When Edward Snowden says that “encryption does work”, he means technologies that go much further:
…there are a couple of key technologies; there is full disk encryption to protect your actual physical computer and devices in case they are seized. Then there is network encryption which are things like SSL…You can install a couple of browser plug ins. NoScript to block Active X attempts in the browser, Ghostery to block ads and tracking cookies….
This kind of encryption would, according to Snowden, make users “much safer” from “mass surveillance that is untargeted” – from the NSA’s “collect it all approach.”
Still, for me the question remains of how encryption that will not only keep the average user safe from mass surveillance but at the same time make that surveillance less economically worthwhile for the spooks can be used by someone like me who, when it comes to this kind of thing, am a bit of a Glenn Greenwald.
An often-quoted anecdote has it that when Edward Snowden first contacted Glenn Greenwald, the steps Mr Snowden asked Mr Greenwald to take to encrypt their communication seemed so little worth Greenwald’s while that he broke off the communication. This led Edward Snowden to jokingly refer to useable encryption having to pass the “Greenwald test”.
To me personally – with my admittedly limited knowledge – not a lot of the encryption available at the moment seems likely to pass that test. I can hardly be bothered with anything that goes beyond an easy-to-use VPN client. I have tried implementing TOR and was put off.
No wonder, perhaps, that Ben Wizner and Christopher Soghoian told the SXSW that “when there is a question about average users and the answer is TOR we have failed.”
However, ever since I have been getting deeper into the subject matter of the Snowden disclosures, and listened repeatedly to Edward Snowden and others insisting that encryption is the way forward if we, as users, want to do something about mass surveillance – “to lock things down” as Soghoian says – I have been feeling a little guilty for not trying harder.
Here is me going on about how serious and dangerous the kind of surveillance that Edward Snowden’s documents have revealed is. Here is me telling people that the argument that “we don’t have anything to hide” is neither very good nor very true. Yet here also is me not practicing what I preach, even though the more I learn, the more paranoid I become (right now the thought of what an algorithm might infer about me by my use of the word “paranoid” gives me the heebie jeebies).
At the end of the day, I am a lazy sloth and the kind of encryption that really protects a user, as Snowden and Soghoian themselves point out, isn’t exactly user-friendly. It certainly isn’t sloth-friendly. It may not come as a surprise, thus, that in the face of such adversity I too am guilty of clinging to the naïve hope that I am not, and will not for a long time be, a target.
That hope may or may not be in vain but I think that the argument that by using encryption we could all make mass surveillance a lot more difficult is in itself a powerful incentive. Suddenly, this concerns not only our own personal security but that of other users as well. It concerns all of the internet. Somehow, this creates an imperative to at least try.
Of course, ideally what will happen in the long run, says Christopher Soghoian, is that services will build “security in by default and enable [it] without any advanced configuration.”
However, it also seems clear that we as users cannot rely on tech companies to come up with the solutions for us:
…it is going to be difficult for these companies to offer truly end to end encrypted service simply because it conflicts with their business model. Google wants to sit between you and everyone you interact with and provide some kind of added value. Whether that added value is advertising or some kind of information mining. Improved experience telling you when there are restaurants nearby where you can meet your friends. They want to be in that connection with you and that makes it difficult to secure those connections.
Edward Snowden and Chris Soghoian suggested that ultimately it is the technology community that needs to come up with user-friendly solutions that make encryption so easily useable that the average user will not shy away from using it. “This is something we all need to be not only implementing but actively researching and improving on an academic level,” Edward Snowden says.
Defence Against the Dark Arts
Yet, in the meantime, I still feel it may be time for all of us less tech-savvy users, all us Glenn Greenwalds out there, to perhaps try and start thinking of encryption “not as this sort of arcane black art” but as something we should try to learn more about.
Edward Snowden at the SXSW referred to encryption as “a defense against the dark arts for the digital realm.”
As an unapologetic Harry Potter fan (whether Mr Snowden was referring to the books or not), I enjoy the metaphor. After all, one of the most difficult spells Hogwarts students learn in their Defence Against the Dark Arts classes is to conjure a corporeal Patronus – a protective entity that keeps them safe from Dementors, the soul-destroying guards of the wizard prison Azkaban. Conjuring a Patronus that truly protects against Dementor attacks is an incredibly difficult thing to do but by practicing and keeping at it, most of Harry’s secret group of friends eventually manage it.
Perhaps, until more user-friendly solutions are rolled out across the internet, until HTTPS is more widely used, we should do the same: take some lessons in Defence Against the Dark Arts to protect ourselves from the Voldemorts and Dementors of the digital realm and keep practicing until we get it.
So, with this blog post, a pledge:
If one of the things we – I – can do to make sure that the spooks have a harder time spying on millions of innocent people is to learn about encryption, if this is one way of reclaiming a free internet, then I think I should try. And here is what I will do to try it:
German weekly der Spiegel, which published many of the Snowden disclosures jointly with the Guardian and the Washington Post, has published a couple of guides explaining how to encrypt email, how to encrypt files stored in a cloud, even how to build a router that protects all your internet traffic.
Taking these as a starting point I am going to try the options proposed across the internet step by step. Probably, I will be slamming a few doors in the process. I might tear out a few hairs. There will definitely be swearing. Hopefully, though, I will eventually progress as far as TAILS, “the operating system that Edward Snowden used to evade the NSA” and TOR – which the NSA thinks “stinks” and which I, too, find annoying but for different reasons than the NSA.
I will blog about my experience here. From the perspective not of a computer whizz kid like Edward Snowden, who knows exactly what he is doing, but from the perspective of an increasingly paranoid average user who is wondering what, apart from railing against surveillance and the unwillingness of government to really engage with it, she can contribute.
Even if it’s only for my own peace of mind, the benefit of knowing that I have tried.
So, fingers crossed, wand at the read and Expecto Patronum!