The United States, the world’s most connected nation, and the rest of the world will face a deficit of 1.5 million cyber professionals over the next five years whose jobs are essential to protecting critical networks and securing personal information. Fortunately, this crisis also presents a significant opportunity.
If we are serious about building a long-term vision for cyber security, the defense vs. offense mindset dominating most policy conversations must be left behind. In such a complex environment where state and non-state actors deploy largely the same tools and methods to protect or attack the systems, developing an effective cyber policy requires understanding that the Web is a critical global space that is impossible to segregate to damage only criminals or foreign adversaries. From now on, rather than relying on an antiquated framing of cyber security, the focus should instead be on immunizing the Web by improving network reliability, quality of products, capabilities, and trust to ensure the long-term resilience of our economy and all internet-powered systems.
First published by TechCrunch on August 17, 2016
The news of the DNC email hack has put the issue of securing the US election systems against foreign attacks and boosting the resilience of national critical infrastructure front and center. It has also raised the stakes for solving the shortage of cyber security professionals that can actually address these risks.
One way to widen the cyber talent pipeline is to start education early, very early in fact.
Today, most kids are avid technology users, spending countless hours on their devices, creating content and sharing deeply personal data — photos, networks and locations. Yet, very few have looked inside of a computer or had a chance to reverse-engineer an app to understand how it can be broken into, compromising its users.
r00tz Asylum, the longest running kids hacker conference taking place at the heart of DEF CON, has steadily grown to become one of the largest spaces for kids to explore cyber security, cryptography, hardware hacking among many other topics. r00tz has consistently been one of the most diverse programs in information security where girls and boys are equally supported to explore ethical hacking.
Although hacking is yet to overcome its bad rap among the general public, r00tz kids seem to be immune to its influence, embracing their newly acquired skills as superpowers that come with great ethical responsibility.
When they learn how easily the air traffic control systems can be compromised, they think of it as a personal security issue that may affect their families flying home from Las Vegas — something they now know can be solved with strong encryption and authentication protocols.
For young hackers that come to DEF CON every year, it requires no proof that without understanding how to break a system and then put it back together, it is impossible to make the tech they love and use more secure and resilient. Learning how to identify the weak points across web servers and break into designated websites teaches r00tz kids playing at this year’s pentester workstation to detect the attackers and understand their game.
Given how complex and interdependent the technology space that today’s kids will inherit has become, the r00tz mission is focused on instilling a hacker mindset rather than teaching a specific set of skills. And more than anything, the hacker mindset is about having the freedom to innovate and break things to understand how they work and how they can be made better.
Tellingly, two of the longest lines were for the junkyard and soldering stations where kids could break computers apart to see a motherboard for the first time and then (maybe) put them back together. As one of the r00tz kids explained:
“When we see a computer, we normally just see a box that works. But exploring what is inside was actually super empowering. Normally, we are never given a chance to break stuff without consequences. But that’s what helped me understand how the technology I use all the time actually works.”
Another r00tz hacker perceptively quipped: “Many kids at school don’t understand that the apps they use a million times a day are created by coders. They think it is just magically there.” Indeed, it is much easier for kids to see themselves as creators rather than only consumers of technology when they have an idea of what is under the hood of a karaoke or a photo-sharing app.
Over the past 6 years, r00tz kids have learned from world-renowned hackers who openly share their “war stories” because they strongly believe it doesn’t benefit the global community if only a handful of people have critical knowledge. This year, almost half of r00tz speakers were kids – from 9-year-old Emmett sharing his experience of setting up Capture the Flag to 16-year-old GajetGirl talking about 3D printing.
Speaking at the end of this year’s r00tz, the legendary Dan Kaminsky challenged the kids to “go ahead, break stuff, that is how I got to where I am … Understand how it really works, understand how it really breaks. But also understand that your job doesn’t stop there. We have the Net to protect — you are going to be in a position to make things better.”
Many of the r00tz kids are eager to do just that.
The global surge in encrypted traffic and a wide adoption of end-to-end encryption by mainstream tech companies is a transformative shift in information security worth celebrating. Billions of online users now enjoy default peer-to-peer security, shielding the content of web communications from prying eyes of criminals and corporate surveillance. Yet the industry continues to collect and store massive amounts of metadata associated with every digital transaction – conversation, purchase, or data transfer. These extensive historical accounts of personal or business activities live forever and are shared and analyzed outside of user control, becoming a breeding ground for the next wave of cyber risks at all levels — reputational, financial, and national security.
It Is Only Metadata, Nothing to See Here
We have been led to believe that metadata – or rather activity logs – is nothing to worry about; it’s only the content that matters. This may have been true a couple of decades ago when the frequency of digital communications between people and systems was minimal and storage prohibitively expensive. Today, metadata collection and mining has become an industry of its own – accumulating and matching information across countless databases to produce detailed records of everyone’s activities and associations. The goals range from targeting users with relevant advertising to behavioral pattern recognition to aimless harvesting of records for yet unknown future use.
Every technology and service we use – from banking to communications to transport – combined with the massive visual surveillance we encounter daily generates a historically unprecedented amount of information about our whereabouts, mapping out countless connections between people, businesses, locations, and things. In practical terms, the depth and the historic nature of metadata collection would be similar to having someone follow you around 24/7 – online or offline – recording everything you do and who you do it with, only stopping short of listening to your conversations. This is clearly contrary to the dominating public narrative that metadata alone cannot be used to infer specific sensitive details about you.
With the Internet of Things bringing billions of new devices online in the next few years – from cars to smart homes to public utilities and healthcare systems – even more metadata will be fed into the global commercial databases, adding yet another rich and often unprotected layer of information about organizations, individuals and nations.
Today’s corporate data collection, particularly of metadata, is easy and cheap, and it often occurs without meaningful user input and proper informed consent. Most people don’t know where their personal or business activity logs reside and for how long, how they are shared, what conclusions are derived from this data and how it may impact their personal lives or business prospects.
Blurring Lines Between Content & Metadata
“We kill based on metadata,” an infamous statement by the former NSA director Michael Hayden, is a reflection of the intelligence community’s understanding that activity logs have become so exhaustive that they are just as powerful in providing insight into people’s lives and minds as the content of their communications. A new study by Stanford University found “telephone metadata densely interconnected, susceptible to re-identification, and enabling highly sensitive inferences”. When metadata is used and correlated with other open source data without any restrictions, it can reveal profoundly intimate information about individuals. And, unlike the content of digital communications, it is not protected under the Fourth Amendment and can be surprisingly trivial to obtain without a warrant.
Our national policy discourse, so intensely focused on the precedence of digital content over metadata, only further exacerbates the imbalance in how the private industry – from global corporations to small start-ups – treats these two types of data. Most activity logs across global databases, as massive as they are, are stored unencrypted without many safeguards to protect data against exposure, nor are they properly secured or anonymized when shared with third parties.
Collecting and storing any information, metadata included, in an unsecure way clearly fails a duty of care companies owe to their users. As a result, the global attack surface is rapidly increasing to open up individuals, organizations and government systems to vulnerabilities, leading to unauthorized collection and use of sensitive data.
Digital Toxic Waste: Why Metadata Should Not Live Forever
With no defense being 100% impenetrable, private companies, as predominant data collectors and custodians of information, need to begin thinking long-term about why and how they collect and store our activity logs. When it becomes almost impossible to secure such large data sets, they turn into hazardous waste and a cause for user distrust rather than a source of cash flow.
Think about what you can learn about a person or a company by simply looking through their activity logs across different networks – the answer is likely ‘too much.’ While some data – content or otherwise – may need to be retained for several years for compliance or other reasons, there is a lot more information that does not need to live forever. The less time the metadata lives and the fewer servers it touches, the more secure we all are against targeted criminal attacks and cyber espionage.
As information security becomes a national priority with cyber threats reaching epidemic proportions, both the tech community and policy-makers must make it significantly harder and exponentially more expensive to exploit networks and databases containing the activity logs.
Here is an easy fix: limit metadata collection to retain what is essential to your business and only for a short period of time. In addition, anonymize and encrypt the data, while adhering to the responsible information disposal processes.
So long as we keep historically detailed activity logs across services – private or public – without effective means to clear the data that is no longer needed or can be secured, encryption remains a half-measure giving only a temporary and illusory sense of security.
Nico Sell, Founder of 533DZ Foundation and a World Economic Forum Tech Entrepreneur & Anja Kaspersen, Head of International Security, World Economic Forum
First published by The Hill on July 12, 2016
At a time of the global information security crisis, we often hear that in order to achieve stronger security against emerging threats, including terrorism and cyber attacks, we must accept less privacy. This should apply to our communications, financial transactions, and all other internet-powered activities. Many simply assume that more visibility and state control automatically translate into more safety.
Coming at it with different sets of expertise and experiences, we argue against this alleged conflict between privacy and security. And here is why.
For centuries, only a handful of states have had the resources to wreak havoc on a massive scale. Today, technology is rapidly democratizing this destructive capability. Remote cyber attacks can now target any world region, disrupting or destroying digital assets – valuable information networks and physical objects – dams, power plants, and other industrial facilities.
International criminal groups run the bot armies of billions of puppet computers, which belong to unknowing victims around the world, to attack corporate systems. Attribution is clearly no easy task when cyber vulnerabilities are involved, thus traditional state-level deterrence strategies often prove futile.
In this complex and rapidly changing security environment, many domestic and international policy-makers appear to believe that the only “defense” to counter these emerging threats is the increased control over population. In their view, the premise seems straightforward – if individuals with destructive intent are able to communicate with complete privacy, it will have a negative impact on the law enforcement’s ability to uncover wrongdoings.
Hence, the security vs. privacy narrative equates privacy with potential for criminality, and security with government access to citizens’ data.
As a result, to keep the public safe, governments scale up the surveillance techniques historically relied upon to enforce security policy. With expanding connectivity, there is no longer the time-consuming need to bug phone lines individually and have human agents read the intercepted conversations. Instead, communications can be hoovered up en masse and analyzed to search the haystack of data for patterns and anomalies that might indicate potential threats.
The key question is whether these policies are effective in reaching their stated goals in a new, increasingly decentralized cyber reality.
Recent world events cast some doubt on the effectiveness of this approach. In the aftermath of the Brussels and Paris terrorist attacks, we have learned that the problem has not been the lack of information, but rather ineffective data analysis and failed international cooperation in sharing intelligence in a timely fashion. When the haystack becomes so large, the chances are authorities may miss crucial intelligence.
However, even if data analytics and intelligence sharing mechanisms could be improved, the existence of mass data collection and the ongoing push for encryption backdoors imply that it is technically possible to exploit global networks en masse without creating the attack entry points accessible to others – criminals or foreign intelligence.
Today, the increasing connectivity, advancing technology, and a proliferation of internet-powered devices make it impossible to isolate backdoors to be only useful to particular governments and their needs for investigative powers. At a time when the record numbers of high-impact data breaches are reported almost daily, any and all vulnerabilities are indeed open for exploitation to anyone who can find them – be it in consumer applications, critical infrastructure, or government networks.
With the Web being a global ecosystem, we can no longer segregate it to weaken security for only bad actors, whose possible criminal activities may pose risks to national security. Injecting vulnerabilities in commonly used protocols or services indiscriminately affects the security of everyone using these technologies.
In addition, we are not guaranteed that bad actors will not create their own encryption tools or use stronger security offered by foreign companies. According to a recent global survey of encryption products, only one third of these tools are produced in the US while two thirds are developed elsewhere, with Germany, UK, Canada, France and Sweden being the top generators of crypto tech. The report also found that 44% of over 860 encryption products available are free, and 34% are open source.
In this complex technological environment, citizens, government systems, corporations, and critical infrastructure facilities are increasingly connected and everyone’s security is dependent on the same protocols and hardware while bad actors can still access strong encryption to secure their data. Thus, compromising the integrity of global networks appears unlikely to result in much gain in intelligence capabilities. Hence, the net outcome likely becomes less security and less privacy for all.
Interestingly, the existing mass data collection programs across the world have been long surrounded by secrecy regarding their very existence and the governments’ capabilities to infiltrate information networks. Such secrecy, aside from the public perception that it is undermining the social contract at the core of democratic governance, also puts national governments at a disadvantage by limiting the critical input they may receive from their citizenry in an effort to strengthen national security.
Considering the rise of cyber threats, the dire state of security in most technologies – consumer, enterprise or industrial – and the fact that 85% of all critical infrastructure is privately owned, it appears short-sighted not to actively engage the expert community and the broader public in this critical conversation. Information security and technology experts may offer valuable insights into the latest research and innovation occurring in the private sector, which can significantly influence the effectiveness of government data collection and defense strategies.
As technology redefines security, who can credibly provide it, and where the cyber attacks might be coming from, there is an urgent need to redefine a new social contract for the cyber age to ensure the sustainability of an increasingly connected global economy and reducing risks to the critical infrastructure.
While it would be unrealistic to expect no state secrecy regarding intelligence activities, the important question to think through is how to ensure that effective safeguards are in place to protect against potential abuse from all parties – government and corporate actors. This requires an agile and fit-for-purpose oversight regime so it is conducted in a most responsible and secure fashion minimizing the probability of citizens’ personal data being misused or compromised.
It is clearly time to broaden the dialogue to engage all stakeholders to think through these complex technological and policy issues, including the private industry that may often be overly focused on indiscriminate collection and infinite storage of consumer data.
There are no easy answers or solutions but one thing is sure: by creating a false tension between privacy and security, the issues that are far more pressing to the safety of global communications and information networks are not being addressed. Collecting more data does not guarantee intelligence efficacy. Surveillance and other intelligence mechanisms can play a legitimate role in curbing malicious behavior online or offline, but these powers should be used sparingly and strategically.
There is a need for greater literacy about security policies’ impact, consolidating and strengthening of the norms around the collection and use of data and a more inclusive dialogue on how to address shared vulnerabilities in a new increasingly decentralized world.
Cyber security is a massive challenge affecting everyone – start-ups, government, corporate systems and consumers, costing the global economy billions of dollars annually. Ironically, the one solution we are seriously considering – mandating encryption backdoors – will undermine the integrity of our networks, as confirmed by information security experts and the government’s own defense and intelligence officials.
For the tech industry to become more effective in making its case for strong security to the public and US policy-makers, we all need to understand and rebut two critical misconceptions currently dominating the policy debate.
“Going Dark” or Blinded by Too Much Data?
The key assumption is that law enforcement does not have enough data to combat crime and must therefore boost its capability to intercept and decrypt web communications. Let’s look into what data the government already has access to and whether it is being utilized effectively.
The majority of global networks – including Facebook, Google, Twitter, and Skype – operate with full visibility into user accounts and often their activities, rendering this data available to law enforcement with a warrant request. That includes metadata, a rich unencrypted layer in our expanding profiles – who we talk to, where and how often, where we spend time and with whom, and what our interests are.
Widespread visual surveillance – from cameras on public utility poles and transport to commercial data collectors time-stamping and geo-tagging billions of photos of license plates – supplies an exhaustive picture of our physical activity. Law enforcement has access to a historically unprecedented amount of information, capable of mapping out countless connections between people, businesses, locations, and things – sometimes with and sometimes without a warrant.
Current trends in technology are only adding to the pool of data that law enforcement can draw from. By 2020, the IoT industry will add as many as 50 billion new connected devices – from smart TVs capable of listening to ambient noise to cars equipped with GPS and voice-activated systems to toys and baby monitors with recording features. Many of these technologies operate with minimal data safeguards, expanding not only the attack surface for criminals but also real-time surveillance opportunities for law enforcement.
“Big Data” is a buzzword for a reason – the majority of tech businesses are built around collecting and analyzing data that people around the globe generate while using services. This trend is unlikely to substantially change in the near future as we add more products feeding data into global systems.
Thus, the quantity of data and information channels available to law enforcement provides ample opportunities to obtain lawful intelligence. However, as investigations following the Paris attacks have demonstrated, governments have yet to establish data analytics capabilities allowing the massive amount of data already collected to be timely and effectively analyzed in order to extract actionable intelligence.
Backdoor for Only Exceptional Circumstances
With its access to countless data streams and targeted information sources, the government is now faced with an urgent need to secure public and corporate information systems. Both are now a high target for foreign state actors and criminals alike. Following OPM and other major breaches of national networks, it became clear to many within the defense sector that maintaining the integrity of encryption is key to securing data in transit and at rest and it must become a national security priority.
However, no matter how numerous and loud the expert voices are in confirming that it is technologically impossible to limit backdoor privileges to one party without making the whole system vulnerable, some officials continue to dismiss the tech industry as uncooperative and uninventive, completely rejecting the mathematics behind strong crypto. Unfortunately, the result of this misunderstanding is a demand to force the private sector to work against public interests, which may cost us all a gravely compromised national cyber defense.
Due to the lack of security awareness, for many non-technical folks this argument remains too abstract – simply an obstacle to providing law enforcement with the backdoor access it wants. Meanwhile, a case where an intentionally built-in backdoor was possibly repurposed against US government systems is currently under investigation by the House Oversight Committee. A severe vulnerability discovered last December in ScreenOS by Juniper Networks – employed across government agencies and global corporations – may have allowed foreign hackers to infiltrate networks and decrypt traffic. As with many cyber intrusions, especially of this magnitude, it is hardly a trivial task to determine when the breach occurred, what information has been compromised and whether hackers still retain a persistent presence within the network.
A Changing Cyber Space: Security For All or For No One
When vulnerability is injected into technology used worldwide, it becomes everyone’s liability. If mandated, today’s crypto backdoor is likely to become a “ticking time bomb,” open to exploitation by foreign intelligence and criminals harvesting data and communications. With the Web being a borderless global space, intelligence needs to be targeted, expensive and therefore accessible to only the most sophisticated state actors. Otherwise, we risk weakening everyone’s security to harvest data without a cause to the detriment of our own rights, economic freedoms, and political stability.
The demand for compelled cooperation to alter technology against public interests has a powerful negative impact on the relationship between the industry and the government. It not only limits the possibility for every-day open and effective collaboration, but also creates a deep distrust at a time when cyber threats are rising, requiring all of us to work together to strengthen the security of our critical information systems.
Unless we are prepared to live with the consequences of inadvertently enabling foreign nations and hackers to exploit a government-mandated backdoor, we must shift the national dialogue to examining how law enforcement can effectively use and secure the data it already has access to. The government and the tech industry can work together to enhance national security by applying innovative technologies and data safeguards to critical networks, rather than battling over access to data which most likely will not assist lawful investigations, but will guarantee weaker security for all.
With every high-profile data breach and emerging global terrorist threat, public discourse on cyber security and encryption becomes increasingly polarized and unproductive. The recent terrorist attacks in Paris claimed by ISIS have re-launched the international encryption backdoor debate. The proponents of mandatory backdoors have continuously argued that end-to-end encryption makes it impossible for law enforcement to combat criminal activity, including terrorism. On another front, the growing threat of foreign, quasi–state attacks often attributed to Chinese, Russian and Iranian hackers compels private companies to ramp up their cyber defenses prompting rapid adoption of strong crypto to protect commercial IP and customer data. Focusing the public dialogue on the dichotomy of these seemingly competing priorities inevitably prevents us from advancing global security, which is why it is time to directly address security challenges by first looking for a fact-based starting point we can all agree upon.
At a time of understandably heightened concerns over potential terrorist attacks around the world, many governments view control of and visibility into citizens’ communications as a key prerequisite to preventing extremism, both domestically and internationally. The only publicly discussed means to achieving such control and visibility is the so-called backdoor into encryption technology designed to protect digital communications from being listened to – by criminals or governments.
While having access on the backend of countless web networks will enable mostly unobstructed data access, the question is to what extent would this capability compromise the government’s own ability to secure its citizens?
As the Web continues to grow, it is adding an unprecedented number of devices constantly engaged in information sharing – some more sensitive than the rest, with most data still transmitted in the clear. Increased connectivity has facilitated the rapid growth of successful attacks aimed to steal valuable personal, business and government data. The only defense for data in transit is encryption, properly implemented to ensure information is only accessible by the intended recipient, not by criminals. Often unnoticed, encryption secures countless core applications – from satellite and power control systems to instant messaging, to air traffic communications, to healthcare and stock exchange transactions. It literally is the first line of defense for any information we deem sensitive or proprietary.
As a thought experiment, let’s play out the backdoor scenario to its logical end.
Tech companies developing technology for banking, medicine, the energy sector and the auto industry are now required to introduce a US government-mandated backdoor in their systems. The government is entrusted to safeguard the decryption keys that access the backdoors of information networks. Law enforcement agencies still have to obtain a warrant or perhaps a FISA court order to decrypt the information – all for national security purposes. However, unless government systems undergo a seismic overhaul of their information security, the encryption key repository will be breached sooner rather than later, as countless other national databases have been, with OPM alone leaking over 20 million of the most sensitive background check records.
Following the US or UK precedent, the Chinese government, with a different set of national security targets and interests – potentially including dissidents and foreign companies – will ask for similar access to encrypted data. Others including Russia, France, and UK will demand the same. Most technology companies, including US–based enterprises, are global players, and will face a choice – comply with national laws to continue to operate internationally or risk losing a hard-earned share in Chinese, French and UK markets.
A capability that was sought by one or two governments as a defense against terrorist threats now becomes a liability that will be exploited by other nation states for offensive operations against US economic or national security interests. Of course, with vulnerabilities mandatorily built into security systems, criminal hacks will become even easier to carry out. To defend business IP and customer data, the private sector will be left to rely on protecting windows, garage doors and the chimney, while the backdoor into their systems is wide open to criminal breaches that are often supported by foreign national interests.
So how do we navigate our collective way out of this dead-end debate the outcome of which does not serve anyone’s interests?
It is time to shift the focus from seeking special access to serve political needs or give one nation an advantage over another to keeping the Web safe for all its beneficiaries – whether they are governments, businesses or citizens. Because when the Web is not secure, it is not secure for all.
Developing an effective global cyber security approach must therefore address technology and policy at both levels – government and private sector.
At the international policy level, the challenge lies in bringing everyone to the table to develop a set of unified rules for what we can and cannot do to advance national interests on the Web. Clearly, it will take time and commitment to truly understand the technology in question and engage in diplomatic craftsmanship. What we can do today is begin designing bilateral and multilateral agreements with our closest allies, including the private industry, to join forces to secure the global digital space. Critical to the success of this strategy is our ability to negotiate credible enforcement mechanisms for such international agreements including the recently announced cyber framework between the US and China focused on protecting intellectual property and the economy.
Building a working model for domestic and international threat information sharing is a good first step in preempting and investigating attacks that may compromise financial or other critical information systems. It requires mutually beneficial cooperation between the government and private companies whose networks may be targeted by state and non-state actors. Timely sharing of threat indicators is key to a government’s ability to effectively protect its citizens and national infrastructure, and bring certain threats to the attention of our international partners.
However, since the state has not maintained a particularly impeccable information security track record, the private industry is legitimately concerned about sharing critical data that may contain sensitive business and user information with a partner that cannot guarantee its protection. If we are serious about bringing technology companies to the table to jointly counter criminal intrusion threats, it is time for significant improvement of government security practices, including wide adoption of encryption across the board.
For its part, the private sector, including e-commerce, financial services and internet tech companies, has built unprecedented collections of information that are a rich target for criminal hackers and nation states. The cost of largely inevitable security breaches is only going to grow as more information is mined for further monetization. In the short term, we, as an industry, need to carefully assess our capability to secure data and refrain from collecting information we cannot protect.
It is in companies’ economic interest to establish a policy of transparency about data collection and innovate ways for users to opt out of information repositories that retain personally identifiable data. The idea that we all need to have greater control of our personal information is fundamental for the development of the digital economy. Although potentially expensive, it must become a long-term goal for the industry to rethink our business strategies around data collection, similar to the car industry lowering emission and fuel consumption levels, which was once considered impossible.
In parallel, the same security overhaul required for government information systems is overdue across all enterprise industries. Proper protection of business assets, including IP, high-value communications and, most importantly, critical digital infrastructure, will become a key factor in growth and business evaluation. As the cost of cyber breaches to the global economy continues to grow, security ratings will undoubtedly play a much larger role in determining companies’ resilience and financial longevity. Audits of digital protocols and infrastructure may well become a decisive factor in determining key financial indicators and opportunities including insurance rates and long-term credit ratings for businesses and countries. Today, we all – including enterprises and governments – need to work towards establishing a set of new standards that will govern the Web as a global resource and economic engine.
Since the inception of the internet, we have come a long way in improving its security and expanding its benefits globally. Last year, around 29% of North American web traffic, including online communications, banking and shopping transactions, was protected by encryption of various degrees of sophistication. That number has been steadily growing over the past few years, recorded at around 2.3% just two years ago.
To collectively build up the Web’s resilience to global security challenges, its various stakeholders – nation states, technology companies and citizens – have to realize that even though we may have different goals related to the internet, the means to achieve those goals are rooted in a fundamental question: how do we keep it safe? Because when the Web is safe, it is safe for all.
Nico Sell is Co-Founder of 533DZ Foundation and Co-Chair and Co-Founder of Wickr Inc., a secure communications platform providing end-to-end encryption to users in over 190 countries. Sell serves as an advisor to various security start-ups including AllClear ID, Crowdstrike, and Lookout, and has helped to organize DEF CON, the largest hacker convention in the world.
Gilman Louie is Co-Founder and Partner with Alsop Louie Partners, a venture firm based in San Francisco. Gilman serves as a member of the Markle Foundation Task Force on National Security in the Information Age, serves as a member of the Technical Advisory Group for the United States Senate Select Committee on Intelligence, chairs the committee on Persistent Forecasting of Disruptive Technologies for the National Academies, and was appointed as member of the National Commission for Review of Research and Development Programs of the United States Intelligence Community.
What the US post office teaches us about privacy
George Washington could have become a king, but instead devoted his life to giving power back to the people. This is why his political heritage remains so strong today, inspiring millions around the world to continue striving for liberty and democracy. One of my favorite US presidents, Washington proved that great leaders rule by empowering the people, not by usurping the power.
In the next decade, billions of online citizens will join the web, making national borders less relevant and the world more connected. Technology and the hopes it fuels have empowered millions of people across the globe to demand social and political change from some of the most oppressive governments. Yet, the same technology is being used to suppress and monitor more than half of the world’s population that still live under undemocratic regimes and lack basic rights.
The United States Postal Service was one of the most visionary civil liberties ideas of its time – deeply rooted in Washington’s belief that a strong state and society can only exist if every citizen has access to uncensored information and can freely communicate without government’s prying eyes. The Postal Act of 1792 that began the history of a modern post office established free speech and a right to private communications, going as far as imposing the death penalty for robbing mail service personnel. The newly established post office was envisioned to be the antipode of the crown post operated by the British government, which frequently opened and censored correspondence.
The same commitment to privacy and access to free, uncensored information is the reason we started Wickr. Our vision is to bring this service to billions by making strong trusted encryption incredibly easy and intuitive for personal or business use.
Today, we need to breathe new life into Washington’s idea of the post office to provide these basic rights to all 3 billion people already connected to the web, and to those who will be coming online in the next decade. We need to collectively balance our global web to ensure the internet remains a platform for free speech and uncensored information, where privacy and real human connection enable strong social discourse and economic prosperity.
I call that space the private web.
The public web has brought us incredible innovations that have improved lives and celebrated human creativity. But as we all move online, it becomes increasingly clear that the internet requires a long overdue fine-tuning, just like any complex and ever-evolving system.
We, as web users, are generating millions of pieces of information about the most personal aspects of our lives on a daily basis, creating dangerous treasure troves of detailed and calibrated information.
Once in the open, we lose ownership of that information, to the point that we do not even know who is collecting it. Businesses increasingly depend on technology, becoming more and more vulnerable to critical data security breaches.
Global financial, transport and security systems are being compromised almost weekly – either through targeted attacks or as a result of poor and outdated safeguards.
To expand the benefits of the internet, we need to continue building the private web – through applications, technology, policies and norms – to power innovation, develop ideas, protect our assets and strengthen human rights for all. Although achieving privacy and universal access to free, uncensored information will always be a moving target as technology evolves, our ability to intentionally choose the right mode of communication, private or public, is a critical step towards bringing George Washington’s vision closer.
Today, it is essential to set the ground rules that will govern our networks and infrastructure systems in the future. Strong encryption is a key component of the private web. Having trusted encryption without a backdoor – for either governments or criminals – will enable us to keep out not only prying eyes of totalitarian regimes but cyber criminals as well.
A recent debate around technology backdoors has raised a critical point. Is it possible to weaken encryption in a way that would only allow access to the “good” government and never to criminals or authoritarian regimes? The answer has been a loud resounding “no” from many prominent technologists. Considering that most American internet companies are operating as global entities that must comply with local laws, we should never adopt a policy that we would not want another government to adopt and take advantage of. If the US government passes a law that requires a backdoor to operate in America, then what would stop the Chinese and Russian governments from doing the same, requiring US companies to give backdoor access to them as well?
Many questions remain regarding how exactly to achieve that vision in the hyper-connected, digital world. How will the private and public web coexist? What should the standards of data collection be? How can companies that profit today from leveraging our personal and business information innovate around new business models? How do we establish trust with companies we let host our most sensitive and valuable information? How do we verify public promises companies and governments make about their data retention and usage practices? Who has the duty of care to our children’s data, our health and financial information? How do we promote encryption by default? There are many more questions we all need to consider if, as a society, we value the progress we’ve made and the rights we continue to fight so hard for, both offline and online.
The US Post Office served as a catalyst for building strong political and social discourse. For the first time, citizens were able to engage in political conversations without fear of being persecuted.
Speech is only free when we have direct control of our communications – whether public or private – without the need to self-censor or fear that a piece of communication can be used out of context many years after it was sent.
It is time to invest our energy, creativity and resources into building the web’s private hemisphere to carry on the tradition of private communications, uncensored information and ownership of our assets.
16 February 2015
Dear Prime Minister Cameron,
Those of us who care about privacy were shocked to hear your statements last month in support of outlawing encrypted civilian communication. To strip us of our right to keep our words and thoughts private from the government would be the ultimate victory for terrorists who seek to destroy our society.
Today in America, we are celebrating the Presidents who have led our country. Our first President and those who came with him to America had many aspirations for the country they founded. But central to their inspiration was the belief that every citizen's right to communicate freely was of greater importance than any need of government.
George Washington had his own central thesis about freedom of speech. To build a strong social system, all citizens must have these rights:
- private communication that can be kept hidden from the government's prying eyes
- freedom of information without government censorship
Washington learned the importance of these rights from the over-reaching British before him. This is why he founded the United States Post Office. In the United States, the First Amendment and the Fourth Amendment protect free and uncensored communication.
But, today around the world, the right to private communication that can be hidden from the government's prying eyes has become a human rights issue. Two of the articles in the United Nations Universal Declaration of Human Rights make this very case.
Article 12 argues: "No citizen should be subjected to arbitrary interference of their privacy, family, home or correspondence."
Article 19 of this same declaration states: "Everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference."
The few countries in the world that ban encryption are also the most totalitarian nation states on the planet -- Iran, Syria, Burma, Sudan and North Korea. I do not believe that is the kind of company British citizens want to keep.
I believe free and uncensored communication for every citizen is how we make a strong social system worldwide. These rights enable evolution instead of revolution. We need more technologies that let us preserve our privacy, not less. Government cannot go so far in this war on terror that citizens' very rights to life, liberty and the pursuit of happiness are sacrificed. We cannot let our fear of terrorism and its violence become an excuse for turning our back on human rights.
I urge you to join the growing chorus of those who think free and open communication without government intervention or restriction should be recognised as a global human right. Instead, you seek to make this right a crime. I would love to sit down and chat with you more about this perspective.
Please feel free to contact me anytime on Wickr. My username is *********. Better do it quick before it becomes illegal. Actually, no need to hurry. If that happens, just download Wickr through another country using a VPN to change your IP address location ;)
I hope to hear from you soon.