Is Privacy Dead?

Dear readers,

Welcome back to the 2nd edition of our info-security digest. It has been a busy month for everyone, and that includes our readers – YOU! So let’s cut to the chase. We are pleased to announce that Sixscape Communications has been selected in two competitive tech startup pitches: first among the top 10 startups at the Asian Banker Summit 2016 from 10-12 May in Vietnam, and second among the top 100 startups at the e27 Echelon Asia Summit 2016 from 15-16 June in Singapore. These startup events not only enhance our exposure to the market, they also validate our market position as a cutting-edge info-security solution provider.

In this month’s edition, we are privileged to have our CTO, Lawrence Hughes, share with us his insights about data security and privacy. Lawrence is a technology veteran with over 40 years of IT experience, including PKI security and cryptography, and IPv6 technologies. Prior to co-founding Sixscape Communications, he was the co-founder and CTO of CipherTrust, which successfully exited with USD273 million in 2006. Based on his background in creating and delivering cryptography and PKI training modules at Verisign from 1998 to 2000, he invented IRP (Identity Registration Protocol), which was officially assigned an Internet port (4604) by the Internet Assigned Numbers Authority (IANA).

In this age of Internet advancement, we know that preventing data security breaches has become paramount for any organization protecting its customers and users, and that no one is spared from the danger of prying eyes and snooping keyboards. Some of us may not understand the perilous impact of a security leak, and may question how data security and privacy matter to any of us. I encourage you to take a peek at the World’s Biggest Data Breaches, which reveals that almost 2 billion user records were leaked across 180 multi-national corporations between 2004 and 2016, notwithstanding the fact that many of these MNCs have impeccable data security policies, coupled with some of the strongest software and hardware appliances that money can buy.

Without further ado – let’s dive into Lawrence’s insights below. A PDF is also available for download here.

Lawrence E. Hughes
Is Privacy Dead?

A really good book from one of the best people in the security field came out last year. I recommend you read it. It’s “Data and Goliath” by Bruce Schneier. Bruce explains exactly how your privacy is being invaded on a monumental scale today. The government does it to look for threats to national security. Many corporations (including many prominent Internet companies) do it to collect information they can resell to anyone willing and able to pay for it. Windows 10 is collecting all kinds of information on its users. This book will scare the hell out of you.

But we can’t stop using our cellphones, the Internet, chat, or e-mail – our society depends on these things now. But we can learn to protect ourselves (to some extent) from having everything about us scooped up in the widely cast nets being used today.

Bruce points out that encryption is one of the most powerful PETs (Privacy Enhancing Technologies). It is indeed, but in many of its uses it’s simply too hard for ordinary mortals to use. It works best when it happens “in the background” with little or no effort on the user’s part. Things like HTTPS (secure web) and Full Disk Encryption (e.g. BitLocker) are good examples of this.

With HTTPS, you don’t really have to do anything (other than include the “S” after HTTP, and even that is usually done for you, in hypertext links). The server sends you its SSL certificate, your browser validates that, verifies the server has the private key corresponding to the certificate that identifies it, exchanges a symmetric session key, and encrypts everything going in both directions. All of that wizardry happens without you having to tell it to do it, or even knowing that it’s going on. You get authentication of the server to the client, plus privacy, essentially for free (well, the website owner has to buy an SSL certificate, but you don’t have to buy anything). That’s good security design.

With Full Disk Encryption, your entire hard disk drive is kept in encrypted form. When you are using the computer, the device driver automatically decrypts the sectors you read, and encrypts the ones you write. You can hardly tell it’s happening (especially with an SSD that has hardware encryption). You do have to supply a passphrase when you first boot up your computer, but that’s about it. But if someone steals your computer at the airport, the data on it (which may be incredibly valuable) is completely safe from the thief. That is also good security design.
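The paragraph above describes the shape of Full Disk Encryption: a passphrase typed once at boot, a driver that sits between the filesystem and the disk, and sectors that are stored only in encrypted form. The following simulation is an added example written for this digest, not code from Sixscape or from any FDE product. It stands in a toy keystream (HMAC-SHA256 in counter mode, tweaked by the sector number) for the AES-XTS that real products use, so that it runs with the Python standard library alone; the passphrase, the "confidential" file content and the disk layout are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

SECTOR_SIZE = 512


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the boot-time passphrase into a 256-bit key with PBKDF2-HMAC-SHA256.
    Only the salt lives on disk; the key exists in RAM while the machine is up."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000, dklen=32)


def sector_keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) tweaked by the sector number, so the
    same plaintext written to two different sectors does not look the same on disk.
    Stand-in for the AES-XTS used by real FDE; illustration only (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RawDisk:
    """The block device itself. A thief who pulls the drive gets exactly this: the
    plaintext salt in the volume header and random-looking sector contents."""

    def __init__(self, n_sectors: int):
        self.salt = os.urandom(16)
        # An unwritten encrypted volume is conventionally filled with random bytes.
        self.raw = [os.urandom(SECTOR_SIZE) for _ in range(n_sectors)]


class EncryptingDriver:
    """The device-driver layer: encrypts every sector written, decrypts every sector
    read, so the filesystem never sees ciphertext and the disk never sees plaintext."""

    def __init__(self, disk: RawDisk, passphrase: str):
        self.disk = disk
        self.key = derive_key(passphrase, disk.salt)  # asked for once, at boot

    def write_sector(self, n: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR_SIZE
        self.disk.raw[n] = xor_bytes(plaintext, sector_keystream(self.key, n, SECTOR_SIZE))

    def read_sector(self, n: int) -> bytes:
        return xor_bytes(self.disk.raw[n], sector_keystream(self.key, n, SECTOR_SIZE))


def demo(passphrase: str = "correct horse battery staple") -> dict:
    """Walk through the owner's view, the thief's view, and a wrong passphrase."""
    disk = RawDisk(n_sectors=4)
    driver = EncryptingDriver(disk, passphrase)
    # Constructed sample file content, padded to one sector.
    secret = b"Q3 acquisition plan: CONFIDENTIAL".ljust(SECTOR_SIZE, b"\x00")
    driver.write_sector(0, secret)
    driver.write_sector(1, secret)  # the same bytes again, in another sector
    thief = EncryptingDriver(disk, "guessed-wrong")  # has the drive, not the passphrase
    return {
        "roundtrip_ok": driver.read_sector(0) == secret,
        "plaintext_visible_on_disk": b"CONFIDENTIAL" in disk.raw[0],
        "identical_sectors_on_disk": disk.raw[0] == disk.raw[1],
        "wrong_passphrase_reads_secret": thief.read_sector(0) == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the simulation makes visible: the owner's read/write calls never mention encryption at all, which is the "in the background" property the author prizes, and the per-sector tweak is what stops an attacker with the raw drive from even noticing that two sectors hold the same data. A plain XOR keystream like this one has no integrity protection, which is one reason real products use XTS and why FDE defends the stolen-laptop case named above rather than a disk an adversary can silently modify while you keep using it.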

But with some Privacy Enhancing Technologies, like Strong Client Authentication (obtaining and using a client digital certificate to identify yourself to a secure server) or S/MIME (End to End secure E-mail), it’s so difficult to use that few people do. This is because the technology is too “exposed” and requires complex manual steps today (not to mention too much obscure technical knowledge).

I once heard about an experiment regarding S/MIME usability. They gave a group of technically competent people copies of Microsoft Outlook, and access to a vendor of S/MIME certificates, then gave them two hours to send the experimenter an encrypted message. At the end of the time, only two of the participants had succeeded. There is nothing wrong with S/MIME – the implementation is simply not suitable for most people to use. Current PKI implementations are mostly web based. My E-mail client can’t surf to a website to request and download a cert. Those sites are designed for humans to use. That is bad security design.

After many years of working in security and PKI I realized that creating a secure Certificate Management Protocol (like our Identity Registration Protocol) and using that protocol to allow an e-mail client to automate most of the steps (thereby hiding the complexity from the user) can make S/MIME E-mail as simple to use as HTTPS.

We first created a certificate authority that supports IRP (IDCentral), and then a secure E-mail client that supports it (Blackbird). We also added in LDAP integration to make it trivial to publish your own cert in a directory (e.g. Active Directory), and allow other users to use that directory as an address book (complete with your cert).

With this automated certificate management and directory integration, the vast majority of the participants in that experiment would have managed to complete the challenge, most in 15-30 minutes. This brings a powerful Privacy Enhancing Technology (S/MIME E-mail) into the reach of any Internet user.

Some people may say “why would I need to encrypt my E-mails? I’m not James Bond”. You might be surprised how easy it is for people to see (or even change) your E-mails without this protection. Unencrypted E-mails are easy to surveil at many points along the way. Google routinely scans all your free Gmail messages and sells information found there to anyone willing to pay for that. But there is a better reason, as espoused by the Encrypt Everything project (who are trying to make HTTPS universal). Today, using encryption makes you stand out, and the bad guys will try to find out what you are trying to hide by other means (like installing a Trojan Horse that watches everything you type or see on your screen). If everyone uses encryption, they won’t know whose E-mails (or web searches) are “interesting”. They will be trying to find a needle not in a “haystack”, but in a giant pile of needles (a much more difficult proposition).

My primary focus at Sixscape is to create advanced Privacy Enhancing Technologies that are so simple and unobtrusive that anyone not only can, but will use them, as with HTTPS today. We are first applying this to E-mail, then to chat, and later to voice.

I am doing this because I strongly believe that Privacy Is a Fundamental Human Right.