Recently, I heard that information security had been the topic of discussion at a meeting of political activists here in Kolkata. This should not surprise anyone – with all the publicity that information security has got in the past year – mainly thanks to Snowden’s leaked documents – the awareness that information security might be an issue has now reached “the general public”. Of course, among information technology people it has been clear that this is an important topic for a very long time – most famously there were the “cryptowars” of the 1990s1.
Unfortunately, a lot of the public debate about information security post-Snowden tends to take the route of fear-mongering and knee-jerk responses. This can happen either out of lack of knowledge (not knowing the threat, tools or other responses available), good intentions (IT professionals have been struggling for decades to explain and ensure that people use the information security tools available to them: the current climate of “fear” might be deemed helpful in such activism) or out of less-than-good-intentions (IT professionals spot an opportunity to sell consultancy and/or software).
In the end, the revelations by Snowden doesn’t mean very much for the average computer user or activist. In fact, the needle hasn’t moved very far in terms of the capabilities that corporations, internet providers, governments or “National Security Agencies” are presumed/known to have. Certainly, Snowden’s documents did provide confirmation of things that many people have long suspected, and the scope and reach of the monitoring programs stipulated in them were definitely astounding. However, the programs and systems that came to light from these documents should primarily serve as an eye opener and perhaps a motivator to engage with information security practices that every campaigner, NGO or activist (or even regular old computer user) should already have begun to learn about.
Thus, before we begin, let’s take a deep breath and realise that in the “post-Snowden era” not that much have changed for you, likely to be an average computer user. The things you need to take into account, and the behaviours you need to adopt are not that different now than they were two years ago. Certainly, your awareness that something “needs to be done” might have changed – but the basic strategies for “what” needs to be done are broadly the same. The upside of this is that the knowledge and the tools of how to respond to the information security threats you face are already available within the IT community.
So, if you are in the position where you don’t know so much in depth about computers or information technology, but you rely on them on a daily basis to undertake research, activism or even just spreading opinions online what are you to do?
First option is to ignore this and state that the Snowden revelations and information security has little to do with you. As explained above, there is some truth to this as nothing much has changed in terms of the threats you are facing. However, even two years ago any information technology professional could have told you that you probably ought to learn more about and understand better ways in which you are managing and protecting your information. So, using this new situation as a motivator to act, you can respond in two broad ways.
A second option is to radically reduce who, when and what you communicate online or what activities you use your computer for. This would involve not only limiting your usage of any Internet communication, but also any digital storage whether on your laptop, external hard drives, USB memories or CDs. That certainly will limit your and your organisation’s exposure, but at the same time that also puts limitations both to the reach of your work in terms of audience, but also your ability to organise yourself and others as well as work effectively. In some cases, this might not hamper your cause much, in which case it might be an appropriate approach to take, but in many cases I believe that computers and the Internet is massively helpful in spreading knowledge and opinions as well as organising people, materials and work.
So, the second option is to apply a reasonable approach to information security. Now, there are many, many, details to this, and I’ll attempt at summarising some items here on this blog in a few blog entries over the next couple of weeks, however the first important realisation is: there is no perfect information security.
Basically, our assumption should be that a sufficiently motivated adversary (more on this shortly) will be able to access your digital materials in some way or the other. This might not be by means of accessing your digital content without you being aware (via some massive computer monitoring network). It could equally well be reached by legal means, say through court orders, or even simply by forcing/tricking/asking you to give up the information voluntarily. That there is the second important realisation: many threats to the security of your information will not come from technological means. They will come from behavioural or legal threats. Case in point: a virus that successfully attacked Iran’s nuclear centrifuges originally infected the control computers (which weren’t attached to the Internet) via surprisingly simple technology – USB memories2.
With this in mind, in order to develop a strategy to protect our information, the first thing we have to understand is who do we want to protect our information from? Some examples:
- Other NGOs or organisations
- Corporates
- The US government and NSA
- Our government
- Our state government
- Local police officers
- Staff or other people in connection with our work
- Our employer
- Newspapers or media
- Random “hackers” who enjoy finding secret information and sharing it / exploiting it
- Automated attack tools (viruses, trojan horses, etc.) that can steal your passwords, use your accounts to post spam or similar
- …
Then, we need to decide: what do we want to protect? This goes for both “what content” (my Facebook posts, emails, emails to a specific group of people, documents stored on my hard drive, my website or blog, etc.) as well as “what type of protection” (more on that below). Some examples of what we might want to protect:
- The very fact that we are communicating with a person or a group at all (called “metadata” – think of it as the sender/recipient of email, the subject lines, and maybe the dates and times)
- What webpages we visited
- The content of such communication, for example an actual email or content of a group post or blog post
- That the blog posts or Facebook posts we send are really sent from us and hasn’t been changed by anybody – that is it’s fine if anybody reads it, but we want to ensure it isn’t changed and that it was really sent by
- The accessibility of information, that is that the data or information we have published or have stored is always accessible to everybody who needs it.
- The list of members of a mailing list or Facebook group
- Registers, excel sheets or notes on our hard drive
Finally, when it comes to “what type of protection” in information security terms we speak about authenticity, confidentiality, integrity, availability and anonymity. In simple terms: authenticity means being able to prove that the data, document, message or other information really came from the source it claims to have come, confidentiality that only the people who have the right to read it actually does, accessibility that the information is always accessible to the people who needs it at all times and anonymity that the source (e.g publisher, sender, location of person sending it, etc.) of the information is kept unknown.
As you can see, some of these can be difficult to combine. For example, it might be hard to ensure both authenticity and anonymity at the same time (in that case we often talk about “pseudonymity”).
The questions above need to be fully considered before you even decide what tools or behaviours to adopt. The easiest way is to make a list or table of “what content”, “what protection”, “from whom”. Then, you can think about what the “default rule” should be. For example, content which I don’t feel a need to explicitly protect, I still don’t want random people accessing in any which way they like. Thus, I need to protect all data with at least a minimum level of protection. This can be stated as simple as “I don’t want my internet service provider to be able to read any of my internet traffic” or “I want the contents of my USB pen drive to be readable by me only” or “anything on my blog can be read by anyone, but I want to ensure no one can post to it” or “I want to make it hard enough for a random person in the office to not be able to read it”.
Certainly, if the NSA are willing to expend some resources to read a message to my sister about how the monsoon is progressing that might not be such a big problem. At least it’s not a big enough problem for me to expend any active energy to hide it. However, I still wouldn’t want my neighbour to be able to read it.
In the next post, I will start discussing simple tools and behaviours (tools are not all!) to ensure authenticity, confidentiality and integrity of your information. I will focus on local actors, that is other people in your vicinity (whether “virtual vicinity” or physically close to you), your employer or organisation or perhaps even local government, police or other state actors. Now, beware that in order to beat “government” type resources, you will need to adopt a) stringent behavioural changes and b) relatively complex technological tools. If these are your requirements, you probably need external help and consultancy. Additionally, if you are trying to protect yourself against serious government attention and effort, probably your protection will lie more in legal means than in information security ones. In many countries, law enforcement have the right to get you to give up passwords or keys rendering many technical modes of protection useless.
Most likely, it is not active interest from government (as some of the most surprising revelations by Snoweden touched on) you are protecting yourself against but rather the continuous, and often “passive”, erosion of privacy by all levels of government, corporations or even individuals. When it comes to active (actively targeting you) adversaries they are much more likely to be local and exploit the very real truth that much of your digital data and communication is currently unprotected, both from unauthorised access, modification, publication or deletion by anybody with minimal resources.
This is the first post in a series I plan to write. I am mostly writing this to have something to refer to when it comes up for discussion, and I hope it will be useful for anybody with the energy to read through it all.
1 Where the US government attempted to maintain capacity to decrypt foreign communications by establishing export restrictions on software which implemented such encryption.
2 USB memories were dropped by spys in the parking lots of the nuclear facilities, with the expectation that the people working in these facilities would do what most of us would, pick them up, plug them in our computers and check the contents to see if we can return them to their owners.