Recently, a case in the US has put a spotlight on the severity of the problem facing US-based businesses when it comes to providing privacy for their users. The case is that of riseup.net, which recently admitted to complying with two sealed warrants from the FBI. The firm, which prides itself on providing privacy for its users, was only able to disclose the warrants recently, because of the gag order that it was also under.
According to riseup.net, the first warrant “concerned the public contact address for an international DDoS extortion ring”, while the second was “an account using ransomware to extort money from people.” In its blog post on the subject, riseup.net explains that the warrants were the reason that it failed to update its warrant canary, which led to some concern from its users.
Forced against its will
In the blog post, the firm also explains that the two cases involved “extortion activities” that “violate both the letter and the spirit of the social contract we have with our users: We have your back so long as you are not pursuing exploitative, misogynist, racist, or bigoted agendas.” As such, riseup.net didn’t have to feel too bad about complying.
However, the truth is that riseup.net didn’t comply because it was taking a high moral stance. On the contrary, it attempted to resist the warrants. In the end, however, not complying with the warrants could have “resulted in jail time for Riseup birds and/or termination of the Riseup organization”. With that in mind, riseup.net can be understood to have been fortunate that the cases it was asked to disclose details about involved actions that the organization doesn’t particularly condone.
Ongoing problem for privacy-oriented firms
The riseup.net case is a perfect example of the problem facing the US: one that certainly isn’t going to help to “make the US great again”. In fact, it is these types of actions from the US government (and any other governments that feel the same) that are likely to drive tech sector businesses away from US shores - taking important jobs with them.
What is sad, however, is that since Trump came to power it has become obvious that his administration will not be the breath of fresh air that so many people seem so convinced it will be. In fact, in terms of technology, the Internet, and digital privacy, the Trump administration seems hell-bent on destroying America rather than making it great.
Not just a US problem?
What’s more, it is not just the US that has this problem. The UK’s recently passed Snoopers’ Charter is in exactly the same vein. The law means that the UK could also see tech-sector firms leaving its shores - should it decide to get all heavy-handed and enforce backdoors.
Liz McIntyre - cybersecurity expert at ixquick and StartPage - understands the problem all too well. She told ProPrivacy.com that “a US-based company may be sincere about protecting consumer privacy, but a National Security Letter & gag order could turn a US-based service into a honeypot overnight.”
This simply isn’t good enough, and according to McIntyre it means that US-based companies are being put in an extremely disturbing position:
“Laws like the Patriot Act can force US companies to violate their sincere privacy promises by threatening owners and employees with criminal prosecution and jail time. This is why privacy-conscious consumers look for services based in EU countries where privacy is better protected by law.”
If Trump isn’t careful, it won’t just be consumers that are looking for products based overseas. An inability to deliver on promises that make their products desirable may force technology firms to leave the country. PrivacyTools.io - a highly respected organization that provides knowledge and tools for protecting against mass surveillance - is already encouraging consumers to boycott US-based firms:
“Services based in the United States are not recommended because of the country’s surveillance programs, use of National Security Letters (NSLs) and accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.”
In fact, PrivacyTools.io recently decided to withdraw its support of DuckDuckGo because the firm is based in the US, and could be forced to secretly comply with a warrant (despite its privacy promises).
A downward spiral
Until recently, the EU had seemed like a better location. But data retention laws that are slowly becoming widespread threaten to change all that. This may lead firms to also want to leave those EU countries in search of a new, safer tech haven somewhere further afield.
So, how likely is it that firms will actually up and leave?
Unfortunately, it seems highly possible. Trump has chosen to surround himself with people who ring serious alarm bells for tech firms. The newly appointed Attorney General, Senator Jeff Sessions, is in favor of backdoors. In addition, the newly appointed FCC chairman, Ajit Pai, is an ex-industry lobbyist who is an enemy of net neutrality. With this in mind, it would appear that things look set to get worse under Trump, rather than better.
Monkey see monkey do
Furthermore, Trump and the UK’s Prime Minister, Theresa May, have promised to rekindle the special relationship between the two nations. Theresa May was heavily involved in conceiving the UK’s much-loathed Snoopers’ Charter during her time as Home Secretary. As such, she and President Trump are incredibly similar personalities that appear to have very similar goals for their respective nations.
In the UK, the new legislation means that UK firms must agree to put backdoors in their products if asked to do so by the government. This goes hand in hand with encryption developments such as the MIKEY-SAKKE protocol, which was designed by GCHQ. MIKEY-SAKKE is just one example of the type of backdoors that the UK government would like UK-based firms to place in their products.
The impossible backdoor
The problem with backdoors, however, is that although they may be written into a product for use by the government, they can also fall prey to enemies of the state, hackers, and cybercriminals. A backdoor is a security vulnerability, which means that a product or service containing one isn’t secure at all. This is a huge problem, and one that governments with greedy surveillance practices simply won’t admit to. Sadly, however, terrorism is likely to continue being used as a catalyst for the implementation of this type of intrusive legislation. The outcome? Under Trump, US citizens are likely to face higher levels of surveillance (possibly even higher than ever before).
This may seem unlikely to some people, who mistakenly believe that the Snowden revelations have improved things. However, as Jennifer Stisa Granick explains in her new book American Spies, the US has successfully been using loopholes to continue putting US citizens under ‘bulk’ surveillance all along. Add those loopholes to gag orders and warrants, and you have a disastrous recipe that forces US-based tech firms to be completely at the mercy of the US administration. Liz McIntyre agrees, confirming that:
“If the United States wants to achieve greatness in privacy-friendly products and services, laws that can undermine privacy promises with the stroke of a pen need to change.”
Unfortunately, the US seems more likely to join the UK in making data retention mandatory rather than making the changes that McIntyre and I both hope for. In fact, I will be highly surprised if we don’t see the US get a Snoopers’ Charter of its own under Trump, such is the sad state of affairs.
The Yahoo scandal
For those of you who think I’m just scaremongering, you couldn’t be further from the truth. The problem is severe. Look at the Yahoo case, for example, where the firm decided to help US intelligence by installing a spy tool into its email service. That tool gave the NSA access to millions upon millions of user email accounts, whether their owners had done anything wrong or not. Complying with that request caused Alex Stamos (CSO at Yahoo) to jump ship to Facebook, and ultimately forced Marissa Mayer to leave her position as CEO of the purple palace.
The Yahoo case demonstrates my earlier security point: on that occasion, when Yahoo aided and abetted the NSA, the spy tool was actually a ‘rootkit’ that could have been exploited by anybody. As such, this may have given hackers (and even Yahoo staff themselves) unfettered access to those email accounts as well. This is an enormous security risk that entirely explains how 200 million Yahoo users’ usernames and passwords ended up for sale on the dark web last August.
Time is running out
At the end of the day, strong end-to-end encryption is the best form of cybersecurity. For that reason, until the US (and other countries) decide to support strong privacy, the current cybercrime epidemic seems set to continue.
In fact, with artificially intelligent software and quantum computing on the rise, the future looks extremely bleak for cybersecurity unless governments allow the privacy and security industry to successfully monetize and develop at a similar pace as the technologies that are inevitably going to rise up and make cybercrime worse. You have been warned.
Opinions are the writer’s own.