June 25, 2009

Security of Digital Gold with Unified Messaging

Filed under: Convergence, Security — ahastings @ 10:42 am

The security of personal information on the web has been a concern since the web’s inception. As more and more applications reside in the cloud, so does the data that constitutes your digital life. Recent articles in TechCrunch and GigaOM question the privacy of some of the most ubiquitous online tools. The truth is that, for most people, the benefits of tools such as Facebook, Google Apps, and Twitter outweigh the insecurity of streaming personal data into the cloud. This dynamic has caused users (damn near everyone with a computer and an internet connection) to overlook security issues. It is equally worth remembering that the success of the Internet is built on the ability to share information with like-minded individuals, not on the companies that store that information on their servers.

As electronic communication behavior gets increasingly complex, so does the desire for a unified platform. Take the Google suite as an example: the ever-popular apps enable you to conduct your life within a single browser window. This is a valuable service, but it also means that all of your correspondence, scheduling, documents and contacts are housed on one company’s servers. As we begin to unify our online lives and entrust “the aggregators” with ever more personal information, it is important, as consumers, to be aware of the protection offered by the gatekeepers. One question we must ask ourselves is: does the steward of our data have anything to gain from that information?

The emergence of the universal inbox poses a new set of security challenges. If we consolidate all communication (email, chat, text, voice, social networking, etc.) in one place rather than distributing it across a number of sites, the measures the hosting company takes to protect that digital gold become all the more important.

January 28, 2009

Data Privacy Day 2009

Filed under: Security — jothmeister @ 4:01 pm

From a great post today at TechCrunch http://www.techcrunch.com/2009/01/28/the-privacy-dilemma/ comes the following quote:

The more of our lives that we put online, the less privacy we have. It is as simple as that. And this is a problem that will just get worse over time. You cannot be fully engaged on social networks, blogs, YouTube, Flickr, Twitter, FriendFeed, and all the rest without opening yourself up to phishers, scammers, and identity thieves. Something to think about since today is Data Privacy Day.

How much personal information do you share online? A lot, we suspect, the younger you are. We have learned from a focus group of our Millennial advisors that while they are conscious of and concerned about privacy, they still Twitter and Facebook their status away with things like “Having a burger” or even “In the shower now.” At the same time, these are the same 18-32 year-olds entering the work force aware that they need to disable their social network accounts whenever they apply for school or a job. Why? Because they don’t trust the sites completely, and they know people are now checking candidates’ social network pages. We think these Millennials are being very prudent. After all, the social network sites started life as picture and status sharing sites, and data privacy is not core to them. None of the social networking sites is set up with a fine-grained approach to controlling access to your profile. Isn’t what you want a way to control exactly who gets to see what portion of your profile? You may want just your college buddies to see those pictures of you inebriated at the fraternity party. You sure don’t want the next set of recruiters to see them. You might not even want your parents or your girlfriend to see them. Someone needs to come along with strong privacy and security DNA and create this kind of fine-grained control in a trustable profile system, one that lets you control not only who sees what but also who gets to communicate with you at all.

So is privacy really that hard to deliver on the Internet? Actually, no, but it has to be planned out and built in from the start. Access-control technology has been mature for quite some time, with free open source implementations available. But you have to care enough to use it. If it’s not core to your business, perhaps you don’t bother with it. We think that is wrong, especially if your core business intersects with handling people’s personal information, even if you are not a bank and even if you never ask for social security numbers. To many of us, some of those pictures may be more private than even our social security number.

Trust is the key to privacy. But as Francis Fukuyama argues in his seminal book Trust, “the most pervasive cultural characteristic influencing a nation’s prosperity and ability to compete is the level of trust or cooperative behavior based upon shared norms. In comparison with low-trust societies (China, France, Italy, Korea), which need to negotiate and often litigate rules and regulations, high-trust societies like those in Germany and Japan are able to develop innovative organizations and hold down the cost of doing business.” Fukuyama argues that the United States, like Japan and Germany, has historically been a high-trust society but that this status has eroded in recent years.

We believe the increased dependence on the Internet for transactions of all kinds and for social interactions, combined with the very lax approach to trust exhibited by most Internet-based organizations, is significantly contributing to this erosion. And this is dangerous. Lose trust and you never get it back. One bad egg can spoil the batch, which in the context of the Internet could mean that one bad incident on a social networking site scares everyone away from all of them.

As citizens of the Internet, we are willing to provide personally identifiable information (PII) when we get some benefit in return, but you always have to ask yourself whether you trust the company you are giving it to. Yet, as focus groups recently held by Microsoft turned up, all too often most of us just close our eyes and jump, out of a sense of resignation. How often have you gone ahead and sent something kind of sensitive through one of the huge Webmail portals? You know full well their servers scan and process your email, because that is how they generate what are supposed to be context-appropriate ads on your Inbox page. I have to admit that even someone like me, who has started a security company and written books on the subject, has done it when sending business plans, sensitive legal documents and presentations, and even sometimes PII. The experts call this property, tight control over who can read your messages no matter where they go, confidentiality. It is related to privacy because you want that information to reach only the person you specify and not be accessible to any strangers along the way. Again, the technology to make the contents of those messages unreadable by anyone except the intended recipient has been around for a long time. But it is rare to find it put to use in any of the messaging systems we all use. It seems only the government makes regular use of it. Again, we think it is long past time for that to change.

Here on Data Privacy Day 2009, it’s time for privacy to stop being something you close your eyes and pray for and to become front and center in the value you seek and expect from online information brokers.

November 4, 2008

Private/confidential e-communication

Filed under: Security — jothmeister @ 12:24 pm

When you send a physical letter through the postal service you have an expectation and, in the US, a legal guarantee of privacy for that communication: it is a federal offense to open mail not addressed to you. From Wikipedia:

The U.S. Postal Inspection Service (USPIS) is one of the oldest law enforcement agencies in the U.S. It was founded by Benjamin Franklin.

The mission of the USPIS is to protect the U.S. Postal Service, its employees and its customers from criminal attack, and protect the nation’s mail system from criminal misuse.

U.S. law provides for the protection of mail. Postal Inspectors enforce over 200 federal laws in investigations of crimes that may adversely affect or fraudulently use the U.S. Mail, the postal system or postal employees. The USPIS is a major federal law enforcement agency.

The physical seal on the envelope is tamper-evident, which is pretty darn good assurance that the letter has not been opened. And the physical nature of the medium makes monitoring all mail a completely unscalable proposition. In much of Europe, secrecy of correspondence is a constitutional right, and Article 8 of the European Convention on Human Rights protects correspondence in a way that courts have applied to e-mail. The guarantee is a lot softer in the US, where Fourth Amendment protection depends on a reasonable expectation of privacy.

The Internet is a huge network of computers designed to withstand major disruptions (e.g. a nuclear strike) to one portion and still function, routing traffic around the damage through a redundant set of routers and switches. It is also amazingly open and accessible, which makes all this traffic inherently vulnerable to eavesdropping or worse. The protocol still used to move e-mail today, SMTP, was standardized in the early 1980s (RFC 821). It was designed to exchange messages between researchers, who by design were the original users of the Internet. The standard has never been replaced, only extended with add-ons such as MIME for attachments. As a mail message leaves your desktop it probably goes through your company’s server, through the servers of the ISP that serves your company, through some unknown intermediate switches, routers and servers, and finally to the ISP and corporate servers of your addressee. That is a lot of servers, switches and routers, not to mention the connections between them, where the message could be read. Even where two adjacent mail servers encrypt the link between them (the STARTTLS extension, which is far from universally deployed), each server still handles the message in the clear, so hop-by-hop encryption does not change the picture. Many people believe they have some protection they loosely call “security through obscurity”: with billions of messages going through these servers, the chance that someone picks my little message to focus on must be really low. Anyone who uses Gmail or one of the other free mail offerings that place ads on the Inbox page knows better. They have clearly scanned your messages to pick out words and phrases to drive the automatic placement of ads. We are told this is a fully automated process and that no one intervenes, but as we now know, the assurances that the NSA monitored phone communication only of non-US citizens were not true, which calls the email assurances into equally high question.
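The trail described above is recorded in the message itself: every relay prepends a Received: header naming the host it got the message from, the host it is, and the protocol used (the “with” clause). The following Go program is an added example, not code from the original post. It parses those headers from a constructed three-hop message and lists the relays in travel order, flagging links where the “with” clause shows the SMTP connection was TLS-protected (ESMTPS, per RFC 3848), a detail the post does not cover. The host names, IDs and timestamps in the sample are made up.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// sampleMessage is a constructed e-mail with three Received: trace headers, the kind each
// relay prepends as the message passes through. Hosts, IDs and times are made up.
const sampleMessage = `Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.recipient-isp.example (Postfix) with ESMTPS id 4Xk9Tz
    for <alice@example.com>; Tue, 04 Nov 2008 12:24:05 -0800
Received: from corp-relay.example.net (corp-relay.example.net [198.51.100.7])
    by mail.example.org (Postfix) with ESMTP id 2Gh7Qa;
    Tue, 04 Nov 2008 12:24:03 -0800
Received: from bobs-desktop.corp.example.net ([10.1.2.3])
    by corp-relay.example.net (Exchange) with ESMTP id 1Ab2Cd;
    Tue, 04 Nov 2008 12:24:01 -0800
From: Bob <bob@example.net>
To: Alice <alice@example.com>
Subject: Q4 business plan

The attached plan is confidential.
`

// Hop is one relay-to-relay transfer recorded in a Received: header.
type Hop struct {
	From, By, With string
	TLS            bool // the link into By was encrypted (ESMTPS/ESMTPSA, RFC 3848)
}

var hopRe = regexp.MustCompile(`(?i)\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)`)

// parseHops returns the relays in the order the message travelled (oldest first).
// Every "by" host handled the message in the clear regardless of the TLS flag, which
// only says whether the single network link into that host was encrypted.
func parseHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	recv := msg.Header["Received"] // newest first, because relays prepend
	hops := make([]Hop, 0, len(recv))
	for i := len(recv) - 1; i >= 0; i-- {
		m := hopRe.FindStringSubmatch(recv[i])
		if m == nil {
			return nil, fmt.Errorf("unparseable Received header: %q", recv[i])
		}
		with := strings.ToUpper(m[3])
		hops = append(hops, Hop{From: m[1], By: m[2], With: with,
			TLS: strings.HasPrefix(with, "ESMTPS") || strings.Contains(with, "TLS")})
	}
	return hops, nil
}

// clearWireLinks lists the links on which the message crossed a network unencrypted.
func clearWireLinks(hops []Hop) []string {
	var out []string
	for _, h := range hops {
		if !h.TLS {
			out = append(out, h.From+" -> "+h.By)
		}
	}
	return out
}

func main() {
	hops, err := parseHops(sampleMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s via %s (link encrypted: %t)\n", i+1, h.From, h.By, h.With, h.TLS)
	}
	fmt.Println("plaintext on the wire:", clearWireLinks(hops))
	fmt.Println("hosts that held the plaintext:", len(hops)+1) // every relay plus the origin
}
```

Whether or not a given link was encrypted, each relay that appears in a “by” clause had the whole message in the clear, which is exactly the exposure described above and why transport encryption between servers is no substitute for encrypting the message itself.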

If you work for a company in the US, where there is no general secrecy-of-correspondence guarantee, e-mails sent using company computers are considered the property of the company; employers reserve an explicit right to monitor them, and they do. They are looking for proprietary information leaking out of the company. They are looking for employees who are not doing company business on company time. And they are looking for potentially libelous or otherwise inappropriate communication (e.g. sexual harassment, pornography) that could put the company at risk.

OK, so why don’t we just encrypt all these messages and be done with it? A number of solutions for encrypting e-mail have been proposed, so why don’t we all do it as a matter of daily routine?

Let’s spend a minute on how encryption works. I am going to focus on public-key cryptography for this discussion; there are other technologies that can also do this, but public-key cryptography, usually deployed through a public key infrastructure (PKI), is the most prevalent approach. Like everyone else talking about cryptography, let’s use Bob and Alice as the actors. Bob wants to send something secret to Alice, and he wants Alice and only Alice to be able to read it. First we need someone we both trust to identify us and to be able to assert we are who we say we are. Without this, “Alice” could be someone else who just claims to be Alice. So we each have to prove we are who we say we are to a Certificate Authority (CA). We do this with our bank, so you know how it goes: we have to tell them some personal secrets that they can validate before they are convinced we are who we say. There are all kinds of levels of authentication, starting with “just trust me, I am who I say” all the way up to providing a DNA sample. The problem with “I am who I say” is that that approach has given us literally thousands of people who got certificates saying they were Bill Gates. OK, so clearly that is a joke. But it is pretty standard now to ask someone some questions only they know the answers to, which you can check in databases such as credit bureaus, driver’s license bureaus and other sources. So without having to show up at the doorstep we can pretty reliably get authenticated by a CA, who will issue us a certificate.

Behind the certificate is a key pair: a public key and a private key. The certificate itself contains only the public key, your identity, and the CA’s signature binding the two together; the private key is generated on your own machine and never goes into the certificate. These keys are just large numbers that can be plugged into a special mathematical algorithm used to transform (or scramble) some data. They are pretty magic in that if I use one of them to scramble some data, only its mate can unscramble it. If I scramble with the private key, only the public key can recover the original data; that direction is the basis of digital signatures. If I scramble with the public key, only the private key can read it; that direction is encryption. They are named public and private for a good reason: you always keep the private key very close to you, and no one ever gets to see it or access it. On the other hand, you freely distribute your public key to everyone who needs it. So play this out a little. If Bob grabs Alice’s public key and uses it to scramble (let’s start using the correct term: encrypt) a message, and assuming Alice really does keep her private key to herself, guess what: only Alice can read that message. (In practice the message is encrypted with a fresh symmetric key and only that key is encrypted to Alice’s public key, but the guarantee is the same.) Very simple, very clean, so what is the big deal?
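To make the Bob-and-Alice walk-through concrete, here is an added Go example; it is not code from the original post. A hypothetical CA (“Example Mail CA”) issues Alice a certificate, and note that only her public key goes into it. Bob verifies that certificate against the CA before encrypting, then wraps a fresh AES key under Alice’s public key (the hybrid construction real mail encryption uses). Alice recovers the message with her private key; Bob’s own private key cannot, and a self-signed certificate that merely claims to be alice@example.com is refused before anything is encrypted. The CA name, addresses, serial numbers and one-day validity are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// genKey makes a 2048-bit RSA key pair. The private half never leaves its owner.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// newCert has signer vouch for the binding name <-> pub. parent == nil means self-signed,
// which is how the CA root is made and how an impostor mints a cert that merely *claims*
// to be alice@example.com. Names, serials and the one-day validity are assumptions.
func newCert(name string, serial int64, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, IsCA: isCA, BasicConstraintsValid: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // carries the PUBLIC key only; no private key inside
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTo is Bob's side: verify the certificate chains to the CA he trusts, then encrypt a
// fresh AES-256-GCM key to the public key in it (hybrid encryption, as S/MIME and PGP do).
func encryptTo(cert, caCert *x509.Certificate, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, nil, fmt.Errorf("refusing to encrypt: %w", err)
	}
	buf := make([]byte, 32+12) // fresh AES-256 key || 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(buf[32:], buf[32:], plaintext, nil) // nonce || ciphertext || tag
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), buf[:32], nil) // example CA issues RSA certs only
	return wrappedKey, ciphertext, err
}

// decryptWith is the recipient's side: only the matching private key can unwrap the AES key.
func decryptWith(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not your message: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil || len(ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad ciphertext: %v", err)
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

func main() {
	caKey, aliceKey, bobKey, impKey := genKey(), genKey(), genKey(), genKey()
	caCert, _ := newCert("Example Mail CA", 1, true, &caKey.PublicKey, nil, caKey)
	aliceCert, _ := newCert("alice@example.com", 2, false, &aliceKey.PublicKey, caCert, caKey)
	wk, ct, err := encryptTo(aliceCert, caCert, []byte("the business plan"))
	fmt.Println("bob encrypts to alice's certificate, err:", err)
	pt, err := decryptWith(aliceKey, wk, ct)
	fmt.Printf("alice reads %q, err=%v\n", pt, err)
	_, err = decryptWith(bobKey, wk, ct)
	fmt.Println("bob, with his own private key:", err)
	impCert, _ := newCert("alice@example.com", 3, false, &impKey.PublicKey, nil, impKey) // self-signed impostor
	_, _, err = encryptTo(impCert, caCert, []byte("the business plan"))
	fmt.Println("self-signed 'alice':", err)
}
```

The two failure cases are the ones worried about above: without Alice’s private key the wrapped AES key cannot be recovered (Bob’s own key produces an OAEP decryption error rather than garbage), and a certificate that says alice@example.com but was not issued by the trusted CA fails chain verification, so Bob never encrypts anything to the impostor’s key.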

Three things have kept this technology from ever taking off. One is getting everyone who wants to communicate privately to get authenticated and obtain a certificate and key pair. If Bob wants to send a private message to Alice and she does not have a key pair, Bob is stuck. He has no public key for Alice with which to encrypt his message, so if he wants to communicate at all he had better just send it in the clear. The “network effect” is strongly at work here too. Bob can be a good guy and go get his certificate, but if nobody he ever wants to communicate with has one, Bob might as well give up, because he can never encrypt any of his messages. And with none of those people having certificates, Bob will also never receive an encrypted message, so he got his certificate for naught. Only within very closed environments such as the military, or employee-to-employee within the same large company, is there enough control that everyone you communicate with can be counted on to have the certificate needed to participate.

The second reason this has never taken off is that it has never been smoothly integrated into the email, chat and SMS user interfaces. If it’s not easy to use, people will not be bothered, and they will continue to hope that the critical data they are sending is not noticed by anyone out there. Finally, the third reason is that many of the biggest participants in email transport don’t want those messages encrypted. Certainly if you are a Google or a Yahoo! getting ad revenue by placing context-sensitive ads on people’s inboxes, you will lose revenue if you can’t read the messages to extract the context.

People are increasingly sophisticated about e-communication. They hear the stories about people not getting a job because the new employer looked at old pictures of them drunk out of their minds at the frat party. They see that the NSA is eavesdropping on US-citizen-to-US-citizen calls meant to be intimate and comforting. And they know that technology exists to make communications secure. If we create a system, built in one of these Internet clouds, where people register to get a new email account and, when they do, are decently authenticated as being who they say they are, then we have a way to make sure everyone who is part of that system has a certificate. Further, as that system grows, the network effect works in everyone’s favor, and the people you want to communicate with will also be part of this system and will have a certificate. Finally, since such a system is just being built now, the encryption of messages and the privacy of profiles can be smoothly and elegantly built into a simple, clean UI from day one. One design condition has to hold, though: users’ private keys must be generated and kept on their own devices, as described above, because a provider that holds its users’ private keys can read their mail just as the ad-driven webmail services do today.