Admittedly, I have already seen this article come across several pundit roundup diaries, but I think it warrants a deeper look.
http://www.nytimes.com/...
Once again the feds are making a push to take away our privacy and digital security. Knowing what it means to have our everyday movements monitored by the government, I for one have no intention of sitting quietly while lawmakers attempt to implement a misguided policy on digital security and wiretapping.
Before I poke holes in the notion that implementing these policies will actually result in something positive, let me say a little about my background.
I work in data security. More specifically, I specialize in encryption. For those of you who have followed the whole evolution of encryption going back to the days of WWII code cracking (or perhaps even further back, to scytales), good for you. For the rest of the population, let's just accept that "strong" data encryption is a way to protect digital information so that only the intended recipients can decrypt it. I have helped companies implement encryption to protect against data theft for such nefarious purposes as stealing credit card numbers, trade secrets, employee information, etc.
Now, knowing that protecting data is already part of compliance and regulatory requirements in our capitalist market, the policy of forcing peer-to-peer networks and other services to let the feds decrypt and monitor communications rests on some flawed assumptions and runs contrary to what legislation already requires in many business situations.
Flawed assumptions:
- Forcing peer-to-peer networks to have centralized locations for traffic monitoring is easy and cheap to implement
- Forcing bad (that is, crackable) encryption is possible
- These policies will help to catch bad guys
So let me explain why these three assumptions are flawed:
- To address the first point: peer-to-peer networks accept users in a number of ways, including via proxies. Even if the services were redesigned (at massive expense) to route traffic through a centralized location, legislation could only bind US-based companies. The policy would provide nothing useful, since proxying is simple: even if individuals were using these services, it would be easy to fake identity and location.
- Enforcing bad encryption is not possible in most cases. There are free technologies such as PGP (Pretty Good Privacy; GnuPG, or GPG, is the free-software implementation of the same OpenPGP standard) and Off-the-Record (OTR) messaging that encrypt data at the source and send only ciphertext. To an external monitoring agent, it would look like the user was simply sending garbled messages. There is no way to decrypt them short of going to the source or the destination, which is where the keys live. And if users knew they were being spied on (and actually cared, as a criminal would), they would resort to these tools.
- So, knowing that it is easy to spoof identity and that there are free tools out there providing strong encryption, what would this legislation possibly accomplish? It would cost companies money, stifle free communication, invade our privacy, and organized criminals would still find a way to circumvent the policy. According to the 2010 Data Breach Investigations Report released by Verizon, 85% of compromised records can be attributed to organized criminal groups, meaning the people interested in the data have the means and technical resources to deal easily with this sort of policy.
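To make the second point concrete, here is an added example (my own illustration, not code from PGP, GnuPG or OTR) of what end-to-end encryption leaves an in-path monitor with. It is written in Go against the standard library's AES-256-GCM. The 32-byte shared key and the message are constructed inputs; a real tool would derive the key with public-key cryptography (OTR runs a Diffie-Hellman exchange, PGP encrypts to the recipient's public key) rather than having it preinstalled at both ends. The Monitor type stands in for the centralized interception point the policy calls for: it sees every byte that crosses the wire, holds no key, and is also given a chance to alter a message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is the only thing that crosses the network: a fresh nonce and the
// AES-GCM ciphertext (which carries the authentication tag).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts at the source. Only a holder of key can reverse it.
func Seal(key, plaintext []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts at the destination. It fails if the key is wrong or if any
// byte of the envelope was changed in transit.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Monitor models the centralized interception point: it forwards envelopes
// and keeps a copy of everything it saw, but it holds no key.
type Monitor struct {
	Captured []Envelope
}

// Forward logs the envelope and passes it on unchanged.
func (m *Monitor) Forward(env Envelope) Envelope {
	m.Captured = append(m.Captured, env)
	return env
}

// SawPlaintext reports whether the message text appears anywhere in the
// captured traffic, i.e. whether interception at this point yielded it.
func (m *Monitor) SawPlaintext(plaintext []byte) bool {
	for _, env := range m.Captured {
		if bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.Nonce, plaintext) {
			return true
		}
	}
	return false
}

// Tamper returns a copy of env with one ciphertext byte flipped, modelling a
// monitor that tries to alter a message it cannot read.
func Tamper(env Envelope) Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return Envelope{Nonce: append([]byte(nil), env.Nonce...), Ciphertext: ct}
}

// ExchangeResult records what each party ended up with after one message.
type ExchangeResult struct {
	Delivered      string // what the recipient decrypted
	MonitorSawText bool   // did the monitor's capture contain the plaintext?
	MonitorCanOpen bool   // could the monitor decrypt with a guessed (zero) key?
	TamperRejected bool   // did the recipient reject a modified copy?
}

// Exchange sends one message from source to destination through the monitor.
func Exchange(sharedKey []byte, message string) (ExchangeResult, error) {
	var res ExchangeResult
	mon := &Monitor{}
	env, err := Seal(sharedKey, []byte(message))
	if err != nil {
		return res, err
	}
	delivered := mon.Forward(env) // the monitor sees only the envelope
	res.MonitorSawText = mon.SawPlaintext([]byte(message))
	_, openErr := Open(make([]byte, 32), delivered) // an all-zero key stands in for any guess
	res.MonitorCanOpen = openErr == nil
	pt, err := Open(sharedKey, delivered)
	if err != nil {
		return res, err
	}
	res.Delivered = string(pt)
	_, tamperErr := Open(sharedKey, Tamper(delivered))
	res.TamperRejected = tamperErr != nil
	return res, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte shared key
	res, err := Exchange(key, "meet at the usual place at 9")
	fmt.Printf("%+v err=%v\n", res, err)
}
```

The point of the Monitor type is that nothing it can do short of obtaining a key from one of the endpoints gets it the message: its capture never contains the text, a guessed key fails, and an altered envelope is rejected by the recipient because GCM authenticates the ciphertext. Mandating a central interception point changes none of that.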
This kind of policy making is dangerous and fosters the same kind of paranoid thinking as many policies during the Cold War. I, for one, have no intention of allowing my communications to be read freely, even by the Obama administration. I am not dishonest, but if I wanted the government to read my cyber communications, I'd move to Sweden, or friend them on Facebook.