Devices need to have better default security to protect our privacy, digital lives
ONCE UPON A TIME, a phone was something bolted to the wall in your home and a computer was something as big as house. Today, the two have converged and condensed to fit into our pockets, which is a convenient as we take our smart phones with us everywhere.
Other devices that blend communications and computing power, the likes of notebook computers to tablets, are also close at hand – from social media updates to the constant digital check-ins, we’re pretty much addicted to our devices.
Quite aside from the careless posting of information online and the perils of information culled by the social media sites – whose business is abusing your data and selling it to third parties such as advertisers – and, more nefariously, various government agencies, domestic and foreign, there’s the issue of just how much of our (theoretically) private lives is stored on our toys.
In those once-upon-atime days, phone conversations were pretty much always private. Sure, there were wiretaps, but the technology was messier, and the laws more protective. And those massive computers could be hacked, but that was a problem for governments and large institutions, as much of our lives was still analog. Today, there’s little reason to believe in privacy, and even less reason to think your largely-digital life is secure.
If you’re active on social media, chances are you’re sharing too much information. Part of that is your choice, and part of it involves that fact that you’re likely ignorant – blissfully or otherwise – of what’s being done with your personal information, as informed consent is rare.
More insidiously, it’s the data you don’t explicitly share that’s been gathered, analyzed and stored for posterity, the intent being nothing good for you or society as a whole.
“There’s a lot that happens that people don’t understand, behind the scenes,” says Erinn Atwater, a PhD candidate in computer science at the University of Waterloo and the research director of the not-for-profit Open Privacy.
While most of us are oblivious to the risks of our digital world, she’s very much aware that the times they are a changin’.
Take, for instance, the possibility of border agents checking not only that your devices are legitimate, but demanding your passwords, including access to social media accounts, when you’re travelling internationally. They can do so arbitrarily, without a warrant or even reasonable suspicion.
“They can essentially scroll through your digital life.”
With that in mind, she’s developing an app, Shatter Secrets, that allows a person to encrypt their electronic device’s password, which is then split up by the app and sent to people at the point of destination. To get the password, the travelling party has to visit people they chose to have a share of the encrypted password and tap their devices to the secret keepers’ phones.
That’s especially important given just how much of our lives is stored on our phones – past conversations, photos and videos, medical information, and passwords for services such as banking.
The distributed encryption of Shatter Secrets is a response to cases where travellers have even been compelled or coerced to provide PINs, passwords, encryption keys, and fingerprints to unlock their devices.
Atwater’s interest in the software came from an off-the-cuff remark that switching your devices into airplane mode should automatically include locking down your data, social media accounts and all the other private matters that could be invaded by border agents.
“It’s getting to the point where you have to fear for your phone,” she says. People try ad hoc solutions such as uploading their data and wiping their devices before travelling, planning to download the data again when they’ve arrived. But as the Edward Snowden revelations show, governments know if you’ve uploaded info, and can work to compel you to access it again.
Lying about the data can get you into trouble, even if you’re simply protecting your information from overzealous agents, she notes, noting current encryption technology makes a technical solution easier than the legal and political issues that are emerging.
The political circumstances, in particular, vary from country to country. There are many reasons to be mindful of the data on our phones, she says, pointing to the work of journalists working in some of the less-savoury places on the globe where governments are trying to suppress the truth from getting out.
“I want to enable that scenario,” she said of the impetus of data security software.
She acknowledges there are many forces, state players and private companies among them, who have no interest in better data security. They’d prefer not to see strong encryption in the hands of regular users.
And that’s the perfect segue into the perils of the surveillance state we’re sinking into, none too slowly at that.
In shifting into a digital world, we’ve almost eliminated data security and any real notion of privacy, as the technology and the ability to abuse it has far outpaced even the nominal efforts to protect citizens. That the technology can be used for bad/immoral/ illegal purposes means that it will and has been, including by police and government organizations. Especially so.
That there exists technology to counter some of those abuses means that the same police and government organizations are trying to suppress it.
Atwater’s software is just one prong in a battle to provide cryptographic tools that could solve some of the data breaches preva-
lent today. Much of what is being done with technology is designed to tilt the playing field in favour of the police state, though there are those looking to serve the public good.
“There are tools that can shift in favour of the good guys,” says Atwater.
The first step is to make data security and the security of our devices more robust by default, while at the same time ensuring the measures aren’t a hindrance. There’s no sense in good security if we don’t use them because it’s a hindrance.
“People circumvent the inconvenient security measures,” she says, noting some people don’t even take the simplest steps to secure their information, such as putting a PIN code on their phones.
Given that, devices should have better security right out of the box, all of it seamless for the user.
“Those devices should meet some reasonable threshold for security,” she says. “We need strong, safe defaults for people.”