The great SIM Heist: NSA, GCHQ and access too our mobile phones

Esteemed readers,

as I am working too much this week to put out a proper blog post, I would like to direct you to The Intercept instead, where Jeremy Scahill and Josh Begley report how NSA and GCHQ hacked into the computers of one of the largest SIM card manufacturer in the world and came away with their encryption keys.

What that means for private communication on our mobile phones (spoiler: it is not good) you can read here.

I will tackle this and other issues across the next couple of weeks when I will hopefully be less busy.

Meanwhile, for German readers, I have had an article published that tackles Obama’s request that Germans should give the USA “the benefit of the doubt” when it comes to NSA spying. You can read that here.

Back with more idc.

Whether or not we like WikiLeaks et. al. doesn’t matter. We should support them.

A few weeks ago, Guardian columnist Trevor Timm, who is also the executive director of the Freedom of the Press Foundation, expressed his dismay that “more people aren’t raising their voices (and pens, and keyboards) in protest” at what he calls “the outrageous legal attack on WikiLeaks and its staffers, who are exercising their First Amendment rights to publish classified information in the public interest—just like virtually every other major news organization in this country” (i.e. the US).

Timm’s comments followed the revelation that Google had handed emails from WikiLeaks staffers to the US government. Calling the steps taken against WikiLeaks “an attack on freedom of the press itself,” Timm went on to illustrate the length that both the US and the UK government had gone to in attacking WikiLeaks.

 

Attacks on press freedom

Say about WikiLeaks what you like but Timm is right: press freedom continues to be under attack and we have seen many manifestations of it over the past months and years.

A few examples:

Journalist James Rosen was accused of being a “co-conspirator” in a leaks case for “soliciting” classified information from a source. As Glenn Greewald wrote at the time:

That same “solicitation” theory, as the New York Times reported back in 2011, is the one the Obama DOJ has been using to justify its ongoing criminal investigation of WikiLeaks and Julian Assange: that because Assange solicited or encouraged  [US army whistleblower Chealsea] Manning to leak classified information, the US government can “charge [Assange] as a conspirator in the leak, not just as a passive recipient of the documents who then published them.” When that theory was first disclosed, I wrote that it would enable the criminalization of investigative journalism generally”.

Similar terms like the ones used to describe Rosen (aider-abetter, co-conspirator) were used to describe the journalists involved in the Snowden disclosures, some or all of whom were also threatened with prosecution. It is ridiculous, of course, to try and make the mere publication of information by the media a criminal offence. One of the functions of the media being to hold governments to account, it would be a dangerous thing indeed if any media outlet exposing government misconduct based on leaked information that the media has passively received could be subject to prosecution.

In another example of how governments – in this case the US government under president Obama – “threaten and intimidate whistleblowers, journalists and activists who meaningfully challenge what the government does in secret,” Journalist James Risen was subpoenaed and threatened with jail during a leaks investigation against CIA operative Jeffrey Sterling. Risen was prepared to go to jail rather than compromise his source by testifying against Sterling. Risen ultimately was not forced to testify – the DOJ decided not to insist – but the case against him lasted no less than seven years and it created “bad precedent, and not every executive branch in the future will exercise their discretion the way this one did. It didn’t have to go this way.” Meaning, the DOJ could very well have decided to press the point. Risen was effectively spared jail on a whim and, as the NY Times writes “these developments…do not really settle the big issues raised by President Obama’s devoted pursuit of whistle-blowers and the reporters who receive their information.” Neither do they “erase the Obama administration’s record of bringing more leak cases than all the president’s predecessors combined.”

Most recently, Journalist Barret Brown was sentenced to five years in prison for being involved with Anonymous. Not, mind you, for any criminal hacking, but essentially for copying and pasting a link to information made public by hackers. Contributors to Brown’s website were “declared… criminals, and participants in a criminal conspiracy.” When a judge declined to subpoena the records of these contributors, apparently, the US governments sought to obtain them by “other means” so it could investigate the contributors and possibly press charges. Glenn Greenwald has written an illuminating article on the prosecution of Barret Brown for the Guardian.

There are of course the cases of Chelsea Manning and Edward Snowden, who are but two of the whistleblowers charged – and in Manning’s case prosecuted – with unprecedented ferocity by the Obama government.

And then, just this January, the revelation that Google handed emails of WikiLeaks staffers over the US government. Prior to this, WikiLeaks supporters including TOR project analyst Jabcob Applebaum and Icelandic MP Birgitta Jonsdottir had their Twitter data seized as part of an investigation into WikiLeaks. The FBI even had an informant inside WikiLeaks.

 

In the dragnet

All of this goes to show how far governments are prepared to go to stop the free press from exercising their right to free speech and to keep certain information under wraps. Yet despite how undemocratic, concerning and downright outrageous this is, a lot of people, including those journalists and press freedom groups Timm criticises for being silent, do not seem very interested or concerned by this. As to the reason for that, we can only guess. Perhaps, to many people, these problems seem too far removed from their world and their lives. They are not journalists or activists and they have no problem with the authorities.

Others simply may not like Julian Assange, that dude who has been crashing at the Ecuadorian embassy in London for ages now to avoid extradition to Sweden to face allegations of sexual misconduct (and possibly to the US from thence). They couldn’t care less that it “sickens” WikiLeaks journalist Sarah Harrison that “the FBI read the words [she] wrote to console [her] mother over a death in the family.”

After all, the argument may go, these people had it coming. They took on the government and now they are getting their just deserts. That view is, of course, incredibly short-sighted. The obvious civil liberties argument aside, the scope of information that was gathered from the three WikiLeaks staffers is frightening enough to give anyone the heebie jeebies. Once again, it makes clear how easy it is for innocent people to not only end up in a dragnet but have private and intimate communications investigated simply hey may have sent a perfectly innocent email to someone who just happens to be under scrutiny from the security services:

The court orders [against the WikiLeaks staffers] cast a data net so wide as to ensnare virtually all digital communications originating from or sent to the three. Google was told to hand over the contents of all their emails, including those sent and received, all draft correspondence and deleted emails. The source and destination addresses of each email, its date and time, and size and length were also included in the dragnet. The FBI also demanded all records relating to the internet accounts used by [the investigations editor of WikiLeaks, the British citizen Sarah Harrison; the spokesperson for the organisation, Kristinn Hrafnsson; and Joseph Farrell, one of its senior editors], including telephone numbers and IP addresses, details of the time and of their online activities, and alternative email addresses. Even the credit card or bank account numbers associated with the accounts had to be revealed.

This “hand over everything you’ve got” approach means, for example, that not even deleted emails are safe. Now, make the argument again, if you please, that you have nothing to hide and thus nothing to fear and watch me responding that surely, you deleted that email you never sent for a reason. That perhaps you deleted certain parts of it because, after all, you did not want them to be read. Perhaps they were personal thoughts, or perhaps you re-read what you had written and realised it was, actually, rather embarrassing. Everyone has something they don’t want people to know about. Be it that you have recently found out your wife is expecting a baby and you don’t want to tell anyone yet, except your closest friend who just happens to be abroad at the time. Basically, don’t put than in an email. And before you pick up the phone, bear in mind that phone correspondence with someone outside your given country isn’t quite safe either because it’s considered foreign correspondence.

 

Support truth tellers

Trevor Timm is right; it is “shocking that more people aren’t raising their voices (and pens, and keyboards) in protest” at the invasion of their and other people’s privacy and attacks on “on freedom of the press itself”. Without a right to free speech and a free press, not only wouldn’t we know about any of the things outlined in this post, but democracy itself would become impossible. If all our communications are monitored then how are we to make free choices?

What is equally shocking is that people still seem so unconcerned about the very concrete threats to their own privacy. And that others still tend to concentrate on the personalities of the leakers rather than the information they have exposed, or the personalities of the journalists writing about them. Who cares if Glenn Greenwald to some comes across as a bit of a jerk? As Edward Snowden has been stressing time and again, it doesn’t matter whether we like or dislike the journalists, the whistleblowers, the activists. What matters is what they are telling us. And what their treatment at the hands of people in power says about the societies we live in. And what it says about how safe we ourselves are.

If we think it through to the end, then the inescapable consequence of what we have learned is that we need to support those telling us the truth, especially when others aggressively try to keep them from doing so by infringing their rights to “privacy, association and freedom from illegal searches”. Because these are our rights to. We cannot take these rights for granted and fail to position ourselves with those who help expose whatever threatens our rights. Once we understand that, perhaps more of us will start protesting by whichever small means we have at our fingertips.

Collect everything, understand nothing – and possibly break the law: the CSE’s LEVITATION and the GCHQ’s illegal data sharing

As far as mass surveillance is concerned, Canada may not have taken up much of our attention over the past 18 months. Apart from the revelation about a year ago that

Canada’s electronic spy agency [the Communications Security Establishment, or CSE for short] used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal

there has been more concern about the shenanigans of the NSA, for which Snowden worked as a contractor before he blew the whistle, and Britain’s GCHQ which “has often been much more flagrant [than the NSA] in its violations of privacy rights of the world’s citizens“.

Canada, on the other hand, has so far been “described as a junior partner in the Five Eyes spying partnership”. Now, with a new revelation based on documents provided by Snowden of a CSE mass surveillance programme called LEVITATION, that perception may change.

 

LEVITATION, the mass spying programme courtesy Canada’s CSE

As a cooperation between The Intercept and the CBC reveals,

Canada’s leading surveillance agency is monitoring millions of Internet users’ file downloads in a dragnet search to identify extremists.

LEVITATION can monitor downloads in countries across Europe, the Middle East, North Africa and North America. It is evidence that the CSE has built its own global spying programme – and one that potentially rivals similar efforts by the NSA and the GCHQ. Ron Deibert, director of University of Toronto-based Internet security think tank Citizen Lab, calls it an illustration of the “giant X-ray machine over all our digital lives.”

And that isn’t all. “The past 10 days have been a difficult time for Canadians concerned with privacy and civil liberties,” writes Michael Geist in The Star, and goes on to explain why:

Strike one came with new Edward Snowden revelations regarding Canada’s role in the daily tracking of the Internet activities of millions. Strike two was the introduction of Bill C-51, the anti-terrorism legislation, which sparked concern from observers across the country.

Indeed – like governments in the UK and Germany – the Canadian government is pushing for an extension of its security powers and proposing new legislation that would allow “suspects to be detained based on less evidence and let CSIS actively interfere with suspects’ travel plans and finances.” The purported aim of these powers of course being to catch terrorists and prevents acts of terrorism.

However, the LEVITATION programme, whose supposed use in the WAR ON TERROR (PANIC!) is to “identify people uploading or downloading content that could be connected to terrorism – such as bomb-making guides and hostage videos,” shows that the surveillance powers in place are already pretty intimidating.

Under LEVITATION, the up- and downloads of millions of users not suspected of any wrongdoing get swept up in the CSE’s dragnet. The only file sharing sites named in the documents provided by Snowden are “RapidShare, SendSpace, and the now defunct MegaUpload” but there are said to be 102 sites affected in total. As a result

[m]illions of pictures, videos, and other files downloaded online globally are being watched by Canada’s electronic spy agency CSE.

CSE analysts even joke about having to sift through “inevitable episodes of Glee” to get at the content they are really looking for.

Edward Snowden speaking at a World Affairs Conference at Upper Canada College last week, uttered words of warning to the Canadian students in attendance, pointing out that surveillance and security powers of this kind “fundamentally change… the balance of power between the citizen and the state”, thereby posing “a threat to democracy.”

Legal experts are also raising concerns:

The specific uses that they [i.e. the CSE] talk about in [counter-terrorism] context[s] may not be the problem, but it’s what else they can do,” said Tamir Israel, a lawyer with the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic [because] picking which downloads to monitor is essentially “completely at the discretion of CSE.

 

“Hugely intrusive” practices of questionable legality, not to mention ethics

The “hugely intrusive” potential of such programmes became obvious recently when it emerged that

the [British] GCHQ scooped up emails to and from journalists working for some of the largest American and British media outlets, as part of a test exercise (my emphasis).

This is particularly worrying when you consider not only that the GCHQ ranks journalists as a threat of similar proportions to terrorists and hackers, but also that British government officials like Home Secretary Theresa May have previously suggested that journalists reporting on the Snowden materials are “condoning” terrorism. Considering that, the question needs to be asked what exactly constitutes “terrorism” in the eyes of the people using these formidable surveillance powers to combat it.

A similar issue could arise [with regard to LEVITATION], with the eavesdropping service choosing targets outside the terrorism realm… Academics, lawyers, journalists, activists and business people commonly use file-hosting sites as part of their jobs.

 

Collecting the hackers’ “take”: how the agencies exploit the “successes” of hackers

And file sharing sites are not the only sources that the intelligence agencies apparently get material from that can be considered to be “outside the terrorism realm”.

The U.S., U.K. and Canadian governments [may] characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise,

for example by “by collecting the hackers’ ‘take,’” – i.e. stolen data – to get access to things like emails from the hackers’ targets. These targets include, you may have guessed, “a wide range of diplomatic corps, human rights and democracy activists and even journalists.”

It seems safe to say that surveillance is already being deployed outside the so-called terrorism realm and what is more, the British GCHQ, for one, has previously been reported to have “employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using,” which means that GCHQ is using the same techniques that hackers are being prosecuted for.

 

The Investigatory Powers Tribunal: UK-US surveillance regime was unlawful ‘for seven years’

This in mind, it may not come as much of a surprise that “the UK’s most secretive court [the Investigative Powers Tribunal]” has ruled that

[m]ass surveillance of the internet by the monitoring agency GCHQ has not in the past been conducted within the law

– contrary to what the GCHQ has been claiming for the past 18 months.

Don’t get me wrong here: it shouldn’t come as a surprise that parts of GCHQ’s mass surveillance programmes were found to be illegal, but that doesn’t change the fact that the ruling itself constitutes a landmark which is lauded by Privacy International as (further) vindication of Snowden’s revelations.

Yet, there no reason to get over-excited either. The GCHQ and the British government themselves interpret the ruling – which finds that “[t]he regime that governs the sharing between Britain and the United States of electronic communications intercepted in bulk was unlawful until last year” (my emphasis) – to mean that “the UK’s bulk interception regime is fully lawful” (my emphasis) because the IPT has only “found against the government in one small respect in relation to the historic intelligence-sharing legal regime” (my emphasis).

This “bizarrely positive reaction to the ruling” has prompted online tabloid The Register to quip that “[r]evelations in documents leaked by former NSA sysadmin Edward Snowden accidentally made British spies’ data-sharing relationship with the US NSA lawful by making the secret relationship public, the Investigatory Powers Tribunal ruled.”

Indeed,

The 12-page tribunal judgment in the case brought by Liberty and Privacy International does not rule that the British GCHQ bulk interception programmes were unlawful. But it has ruled that the secret intelligence sharing arrangements between Britain and the US, known as Prism and Upstream, did not comply with human rights laws for seven years because the internal rules and safeguards supposed to guarantee our privacy have themselves been kept secret (my emphasis).

Thus, while the ruling is significant because it “marks the first time since the IPT was established in 2000 that it has upheld a complaint relating to any of the UK’s intelligence agencies” saying “that the government’s regulations were illegal because the public were unaware of safeguards that were in place” privacy campaigners are right to criticise that activities that are now deemed lawful (as opposed to the past seven years) are only so “thanks… to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed government.”

In other words, had privacy campaigners not brought this to court, the intelligence agencies likely would have continued to conduct their secret illegal activities. Whereas now, it seems as if “[t]he logic… is that it is perfectly fine to spy on people, as long as you tell them about it.

What is more,

the intelligence services retain a largely unfettered power to rifle through millions of people’s private communications – and the tribunal believes the limited safeguards revealed during last year’s legal proceedings are an adequate protection of our privacy.

That’s not necessarily awesome news for anyone who values their privacy. Still, the ruling and efforts by campaigners pushing for stronger oversight have already prompted those of the media who have been doing little but government PR over for the past 18 months to chime that “the current campaign to drag the full scope of GCHQ’s activities into the light threatens to damage that security irreparably.” No surprises there.

Trevor Timm is right when he argues that the IPT ruling “should have huge implications for… many members of the British media, who purposefully ignored the clearly illegal GCHQ mass surveillance program for so long.”

Because what this ruling clearly indicates is that reassurance by the GCHQ that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight” are open to interpretation. Or rather, there isn’t even much room for interpretation because GCHQ’s

framework wasn’t legal – or, at least, it wasn’t until the Snowden documents forced GCHQ to release more information after being dragged into court, thereby creating one.

It isn’t thanks to much of the British media that we now know about this illegal framework.

Thankfully, Liberty plans to take the case to the European court of human rights.

 

LEVITATION: adding to a haystack of mostly irrelevant data, or: sifting through episodes of Glee

In addition to the questionable legality of mass surveillance programmes and Five Eyes data sharing, adding to a vast haystack of data which is already “straining spy agency resources” and using programmes that can “take resources away from targeted data collection of specific threats” will do little good when trying to obtain data that is actually relevant to terrorism investigations.

This is something else that Edward Snowden repeated this in his address to the Canadian conference, telling students that

mass surveillance can actually harm the ability to prevent terrorist attacks while also being detrimental to personal privacy.

The problem with mass surveillance is when you collect everything, you understand nothing.

CSE’s LEVITATION programme is a case in point:

CSE finds some 350 “interesting” downloads each month… a number that amounts to less than 0.0001 per cent of the total collected data.

Importantly,

It is unclear from the document whether LEVITATION has ever prevented any terrorist attacks.

Considering what seems to be its rather limited success, LEVITATION’s scope seems disproportionate.

Here is what else it can do:

LEVITATION “does not rely on cooperation from any of the file-sharing companies” because separate operations can siphon data directly from tapped fibre optic cables (sound familiar? You may remember TEMPORA, the GCHQ’s fibre optic tapping programme).

By sifting out IP addresses and using the information as a search term for other databases – such as GCHQ’s MUTANT BROTH – the CSE can then identify users and reveal associations with other online accounts, for example on social media. For instance by seeing “five hours of that computer’s online traffic before and after the download occurred.” They can also use other Five Eyes databases, like for example the NSA’s MARINA, to go back even further in time – MARINA stores metadata for up to a year.

In the end, the spy agency not only paints a detailed picture of someone’s online life, but can also identify that individual as a new potential suspect.

Similarly, the CSE’s airport WiFi tracking programme that was revealed a year ago collects “so much data [that the CSE] could even track the travellers back in time through the days leading up to their arrival at the airport”, according to experts. If that ain’t scary…

 

A slippery slope: legislation in “times of fear and panic”

Now, the IPT ruling in the UK “has put a question mark against [the] assurance” by the security services that everything they do is legal. Moreover, given the broad scope of programmes like the CSE’s LEVITATION or the GCHQ’s TEMPORA, the question is how much of data from Canadians and Brits ends up in their own foreign intelligence agencies’ dragnets even though – like the foreign intelligence agencies in countries like the US and Germany – the GCHQ and the CSE are both “prohibited by law from targeting [people in their own countries] without a judicial warrant.”

In Canada, the opposition has apparently decided to “to focus on oversight [because of] the weakness of the current system and the absence of any meaningful reforms within the proposed legislation.”

That is important because, as Snowden told students in Canada:

without oversight, governments cannot resist the temptation to use the data which they have collected for “new and novel purposes.”

However, it is perhaps doubtful that mere oversight would be enough to reign in the kind of massive surveillance apparatus built by the Five Eyes partners. Rather, it seems imperative that shortcomings in current legislation are amended and that proposed new legislation be given proper scrutiny before it is implemented. “[P]articularly during… times of fear and panic,” it seems more important than ever that we carefully consider expanding surveillance powers and introducing new anti-terrorism legislation that could have a major impact on people’s civil liberties.

As Snowden said:

Once we let these powers get rolling, it’s very difficult to stop that boulder.

 

More on this…

A video of Snowden’s keynote address to the World Affairs Conference at Upper Canada College is here.

Michael Geist’s insightful explanation of the problems of oversight and the new Canadian anti-terrorism legislation is here.

News you may have missed: why voting encryption-unfriendlies back in really isn’t a great idea

Last week, I wrote an article (in German) on David Cameron’s plans to ban certain encrypted communication tools. His suggestion came in the wake of the attacks on the French satirical magazine Charlie Hebdo. I called Cameron’s move political opportunism of the lowest sort. Opportunism that instrumentalises the attacks for cheap political gain to put back on the agenda laws that have previously been discussed and dismissed, like the Snoopers’ Charter.

 

In through the back door: Blair, Carlile, King, West

This week in the UK – had you noticed? – four peers (one of whom – Lord King – seems to have little idea what modern communications actually look like) went even further when they tried to sneakily re-introduce the Snoopers’ Charter (aka, the Communications Data Bill, which was thrown out in 2012 for infringing civil liberties “disproportionately”, while also being deemed too intrusive and too costly) into a new counter terrorism bill, leaving almost “no time for the other lords and the rest of us to engage in serious analysis” of the amendment in question. As David Meyer writes:

This is shocking behavior… it is genuinely surprising to see not only repeated attempts to avoid proper legislative scrutiny, but an attempt that ignores almost every objection made the last time.

Naughty. It seems that if our peers and MPs can’t implement their preferred legislation via the agreed democratic routes, they’re are prepared to do it thought the back door (you could argue that there is nothing very democratic about the House of Lords anyway but that’s a discussion for another day).

Speaking of back doors: in Germany, interior minister Thomas de Maizière recently echoed David Cameron’s call for weaker encryption, saying that it should be possible for law enforcement agencies to decrypt communications. Sascha Lobo, in German weekly Der Spiegel, draws attention to the fact that exactly 153 days before demanding weaker encryption, de Maizière had called for the opposite. As politicians do.

So now the Securocrats argue (with renewed vigour) that encryption is a problem because it allows THE TERRORIST (PANIC! IN SHOUTY CAPITALS!) to communicate in secret and thus makes it more difficult for law enforcement to prevent attacks like the one in Paris. That argument keeps being regurgitated ad nauseam. Haters gonna hate. Mass data retention on the other hand – or, in fact, building back doors into encrypted systems for law enforcement to exploit – is considered invaluable for STOPPING THE TERRORISTS!

Well. Wrong (and it doesn’t become more right, the more often you repeat it either).

Mass data retention and mass surveillance have failed on multiple occasions to prevent terrorist attacks. Mass data retention is used in France, yet it didn’t stop the Charlie Hebdo attack. For other examples of when mass surveillance didn’t help take Mumbai 2008 or Boston 2012. What is more, Cameron, de Maizière and their fellow encryption-dissers are very wrong (or being very dishonest) when they laud encryption back doors as some sort of anti-terrorism panacea. Making encrypted systems vulnerable to exploitation by the security services makes these systems vulnerable to everyone, not just law enforcement. And besides, the idea that government agencies could be allowed by law to circumvent encruption should be worrying enough in and of itself – I have argued on multiple occasions, as have others, that we should not trust governments never to exploit that kind of power. Strong policies and rigorous oversight are needed to keep people safe from government overreach. Recent revelations that the British GCHQ has been capturing the emails of journalists – or that MPs tried to sneak in the Snoopers’ Charter without the electorate noticing – are further proof that we shouldn’t simply take at face value what we are being told by people trying to capitalise on our worries. That is especially important in the run-up to the general election in the UK. As the Electronic Frontier Foundation points out,

now is the time to challenge politicians to oppose mass surveillance, support privacy by supporting encryption, and rein back the intelligence services.

Well, some of the people who make laws in the UK seem to think we shouldn’t get a say.

 

Crypto Wars 2.0

Governments have never exactly been fans of encryption. Back in the 90s, encryption was under attack from governments as well. People call this the Crypto Wars. Back then, laws that would have weakened encryption were thrown out. Perhaps this was because, pre-9/11, the world was a less panicky place. Surely it must be panic, as it certainly isn’t rationality that makes politicians keen to launch Crypto Wars 2.0. There is no sound or sensible basis for the demand made by people like Cameron and de Maizière that encryption be weakened.

This is true even if the civil liberties argument that everyone has a right to privacy and secure communication doesn’t convince you.

You may argue, like Max Hastings has done in the Daily Mail, that to be safe from THE TERRORISTS you would happily let the spooks “access the phone calls, bank accounts, emails of you, me or any other law-abiding citizen.”

You may think that if you have nothing to hide, then you have nothing to fear.

You may agree that perhaps we need to give up some of our civil liberties to keep ourselves and the ones we love safe – and sod all the others. Every man for himself, you may think, as long as me and my own are safe, I don’t care that we become less free or that some minority to which I don’t belong or a society in a distant future which I won’t live to see are less free and less safe because of it. If that makes me and my own safe, then so be it. We’re fighting a global WAR ON TERROR after all.

Especially if you agree with the latter (i.e. the “as long as I am safe, sod the others” take on things), I am sorry to tell you, you probably lack imagination, a sense of responsibility, and basic empathy. It shouldn’t be that difficult to imagine why weakening encryption and implementing mass surveillance is a bad thing because there is always the possibility that people become subject to persecution based on some arbitrary characteristic that another group of people dislikes or fears (it’s not like we haven’t seen it before – no imagination required, just a bit of historical knowledge). You may feel that this is unlikely to happen to you in which case, congratulations, you have been properly and thoroughly assimilated and anesthetised by the dominant culture.

If you believe any of the former (i.e. that you have nothing to hide and hence nothing to fear), you might still want to think again. Especially when it comes to weakening encryption to make it easier for law enforcement to catch THE TERRORISTS! Because that idea betrays either complete ignorance about how encryption works or frightening dishonesty on the part of the people who advocate it. Neither of which – ignorance and dishonesty – are things we should be looking for in our leaders.

Yet,

[r]ight now, some British MPs are walking into a highly competitive election supporting policies about surveillance and the destruction of encryption that they have not personally considered, and may lack public support.

Germany had a general election last year and as far as online security is concerned, voters may come to regret their choices of voting a government back in that has so far been reluctant to support a real investigation into NSA spying and whose ministers are now chiming in with Securocrats elsewhere in the world that surveillance powers need to be extended and that weakening encryption is a good idea.

 

Physical damage to critical infrastructure: imagine hospitals

I have said this before but let me say it again; encryption keeps all of us safe. Not just from the prying eyes of mass-data-retaining government agencies which you may think you have nothing to hide and nothing to fear from but also from – wait for it – that’s right, TERRORISTS and other cyber criminals.

I can prove it too. Because, you see, there was a piece of news over Christmas that – amidst all the shouting over the Sony hack – went virtually unnoticed and which, now that the discussion of intrusive surveillance laws is back on the agenda (at a convenient time in the run up to the UK election, no less), continues to be disregarded.

This is the news that “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever”. As Wired reported:

hackers… struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.

So why, you may ask, does an unnamed steel mill somewhere in Germany matter? Well, it may not matter to you. But the interesting fact isn’t so much what was attacked or where, but that a cyberattack resulted in physical damage. It is an example of what cyber-criminality can do in the offline world.

Add to that a vital piece of information from the Wired article, namely that

[i]ndustrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals

and it will become clear to you that

[a] destructive attack on systems like these could cause even more harm than at a steel plant.

All of a sudden, this shouldn’t seem so obscure or far away anymore. Think hospitals. Critical infrastructure that each and every one of us innocent civilians rely on, right? Well, cyber criminals could attack systems that manage the electrical grid in a hospital. You or I or someone we love could be in that hospital on a life support machine. Not that I wish that on anyone but just for the sake of the argument – imagine the power being cut completely.

That is the kind of scenario that encryption keeps us safe from. Even a “2009 document from the US National Intelligence Council… called encryption the “best defence” for computer users”, as the Guardian reported at the start of the year. That is any computer user. Not just THE TERRORISTS or you and I who have nothing to hide and thus nothing to fear. Building backdoors into encryption for the security services to exploit makes encrypted systems vulnerable to exploitation by the very people who could and would cause us harm:

If there are backdoors… or if weak encryption is used, then you are only opening up opportunities for hackers to break in and steal information too,

independent computer security expert Graham Cluley said in response to David Cameron’s call for weaker encryption. That should be something we might want to consider next time someone evokes THE TERRORISTS or THE WAR ON TERROR to try and justify putting backdoors into secure systems, or to advocate their Crypto War 2.0.

Let us be clear: encryption isn’t just important. It is essential and

[h]aving the power to undermine encryption will have consequences for everyone’s personal security.

Therefore, strong encryption concerns every single one of us because it protects every single one of us in many fundamental ways. To claim anything else and to call for encryption to be weakened is “insane”, disingenuous or just plain daft. Or perhaps a combination of the three.

If you vote in the UK, take that into consideration. Now is the time to challenge such claims and to make sure that politicians don’t sneak laws past us that make all of us less safe.