Tweet your heart out for privacy

Tweet your heart out for privacy

Summary: Doing what's necessary to protect your own privacy is not easy. Better just to blame someone else for the whole problem. #ResetTheNet!

TOPICS: Security, Privacy

Everyone's got an opinion about Internet privacy. It's obviously an important issue that affects everyone, and even those who would try to violate everyone else's privacy want to preserve their own. 

Now there's an official Internet movement to improve privacy on the Internet. As my colleague Steven J. Vaughan-Nichols explains about the new Reset the Net campaign, it doesn't advocate anything new or novel. All it does is to call for the wider adoption of TLS/SSL (hereafter "TLS") on the Internet and of certain new standards to make TLS more effective.

Nobody of consequence who needs to adopt these technologies will learn of them from this campaign, nor will the campaign give them any more reason to adopt the technologies than they already have. It's nothing but posturing of the cheapest form.

Some of the specific technologies, especially PFS (Perfect Forward Secrecy), are very good ideas and I join in the call for everyone with a TLS server to implement it. (There. I feel better for having said that, not that it matters at all.) But even granted the value of all these TLS technologies, Reset the Net overstates that value in at least two ways.

First, and the timing couldn't be more perfect to make this point, both Heartbleed and the Triple Handshake attack show that TLS is complicated enough to have exploitable flaws. I happen to believe the NSA when they say that they didn't have or use Heartbleed, but that's not the point; the point is that TLS isn't the magic bullet that Reset the Net makes it out to be. And there's no question that the NSA has myriad ways to surveil, many of which are unobstructed by TLS.

The second reason is that focusing on TLS implementation is a convenient way for Reset the Net to put the onus for privacy and the blame for breaches all in the hands of the big, bad internet companies. The fact is that end users do plenty to compromise their own privacy, and these are the problems that matter in the real world. Not to defend it, but few, if any, people were actually harmed in a material way by the NSA listening in on Google's inter-data center traffic. On the other hand, people are harmed all the time as a result of using weak passwords and reusing them, for ignoring warnings from software, for downloading executables from untrusted sites, and for numerous other practices well known to be sloppy and unwise.

It wouldn't be any fun to start a movement to take back our privacy by calling on individuals to adopt good security practices, especially since the big, bad internet companies have been doing that for years.

Those same companies also don't need self-appointed activists to tell them to protect their own traffic. They know that their own business and credibility depends on them protecting their customers' assets. Some of them have been better at adopting strict security measures than others, but it's worth pointing out that there are costs to adopting these technologies, and often implementing them increases the support burden as some clients fail. Those same companies have also been litigating against the government both to expose the extent of surveillance and to allow them to take more measures to protect their customers' data.

Of course, surely there are large breaches of security which result in users' privacy being compromised. Consider the user database breaches at Adobe, Forbes, Sony, Stratfor, Vodafone and all the others. counts 161,851,582 compromised accounts from 20 of these breaches. Oh, but then again there's no reason to believe that any lack of TLS had anything to do with the loss of that data. The companies involved are certainly responsible for what happened, but just as with the great Target breach, TLS had nothing to do with it.

So join in with Reset the Net and declare yourself in favor of privacy, motherhood, and whatever else on June 5th. It's free and easy, unlike doing what you can to protect your own privacy.

Topics: Security, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • A very good point!

    Someone who uses "password" or even "drowssap" as a password for every account complaining about data breaches is like a 3 pack a day smoker complaining about air pollution: if he got his way, it would protect others, which is good, but not himself.

    That being said, there is another threat to our privacy that big companies do not publicize, but is inherent in a method they use to increase profits: offshoring customer service. We all know that offshore call centers take jobs away from Americans, and that many customers do not like them because the accents of the agents may be difficult to understand (and this is not ALWAYS a rationalization for racial prejudice, although it can be). Incidentally, Hispanic American customers, and others who are comfortable using Spanish, have the advantage of calling the Spanish help line; since few of the currently fashionable offshore call center countries speak Spanish, these lines are usually in the US and staffed by Spanish speaking Americans.

    But in addition, when customer service is moved to another country, there may also be a temptation to keep a local copy of the customer database in the offshore call center, and given the loose laws and even looser enforcement (or corruption/collusion of police), the danger of a massive data theft not even involving network communications, just by stealing (and possibly later returning) backup tapes in transit, is much greater over there than in the US proper. Once a large customer database has been stolen, it would be very easy to use personal details not only for ordinary crime, but to request "replacements" for "lost" US passports for terrorists or other criminals.

    Customer profiles often show that someone has recently gone SOMEWHERE overseas, and thus would have a passport, and also offer clues to a US citizen's ethnicity, so that a "mark" who COULD plausibly look like the terrorist could be chosen, the terrorist shows up for a new picture, and voila! an instant "US citizen" who could fly "home" and never show up on a watch list.

    So the word to lawmakers would be: not only to help Americans get back to work, and avoid getting American customers ticked off, but to protect our identities and our nation, it's time to ban offshore customer service data and call centers.
  • There's nothing I can do to improve Internet privacy!

    What a lazy, lame-assed list of excuses. "This isn't the magic bullet you're looking for". "Even if it happens there are other problems". "People already know about TLS/SSL".

    Yes. You're right. Absolutely. All of the excuses used in this article are valid arguments about the ability of TLS/SSL to solve every security problem. What they lack are context.

    Implementing Internet-wide encryption does not mean that the Internet is suddenly completely safe, but it does make it safer. Does it matter that people are doing it badly? Yes, absolutely - but doing it badly is better than not doing it at all - at least instead of reading free text the people who want to access your stuff will need to decrypt it.

    Getting security right is hard. Just ask anyone who has tried to develop a secure email solution. Or listen to a few episodes of Steve Gibson's Security Now podcast - the recent episodes on iOS security are very informative. But should we just say "it's too hard"? Or maybe we should say "Yes, this is important. Maybe there are ways to make it a bit easier, or to get more good people to be White Hats"? If you know security, maybe you can develop an easier way to implement it PROPERLY.

    "You're telling these companies how to suck eggs!" Like people told Congress how bad SOPA was? Yeah, telling people what they already know won't affect their behaviour, will it?

    Maybe this initiative will not save the world - but it is at least raising awareness of security. Who knows - we may even end up with the next HTTP standard being secured by default. But that won't happen if people just say "this won't fix everything".