Privacy progress and the perils of perfectionism

November has been a good month for people who want better privacy and security online. A few positive initiatives and tools have been launched that represent advances in securing the privacy of internet users.

Digital-rights activists, however, can be a difficult bunch to please. I’ve noticed a tendency for us to criticise positive developments if they fall short of perfection – and we have pretty high standards so that’s quite easy for them to do!

It’s important to identify security weaknesses, and improvements can always be made. However, I think some of the criticisms people (including myself) have levelled at attempts to improve privacy have been manifestations of the perfect being the enemy of the good. This probably isn’t the best strategy if we want to achieve privacy progress.

Let’s Encrypt!

This week the EFF, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan announced Let’s Encrypt. The initiative’s thesis is that lots of web traffic remains unencrypted because TLS is hard to deploy (a view with which I have some sympathy). They are trying to fix this by making deployment easier.

“For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

“Let’s Encrypt is a new, free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.”

More encrypted web traffic improves our privacy online. Eavesdropping becomes more difficult and expensive for people sharing your wi-fi connection at a cafe; for your employer snooping on your lunchtime surfing; and even governments tapping transatlantic cables have to work harder.

There are other problems with TLS that this new certificate authority will not solve. Alexander Hanff highlights an important one in his opinion piece about Let’s Encrypt:

“Certificate Authorities are the weakest link in the digital security chain. They have the power to issue special master keys (for want of better phrase) which allows a third party to pretend to be someone they are not. In essence, this means if compelled by a secret court order, a certificate authority can provide special certificates to any intelligence agency or other law enforcement body, which will allow them to masquerade as someone else (your bank, Facebook, Google – anyone who uses that certificate authority for their SSL certificates).” [Emphasis in original]

This is a valid point. However, Alexander goes on to argue that nobody should use Let’s Encrypt, since it fails to solve this particular problem.

“We need to find another way, we need to remove the weak link in the chain, we need to remove Certificate Authorities completely if we are to gain any serious trust and confidence in encrypted communications – because until we do, certificate based encryption is worthless, it is a red herring, a lie; and the sooner the rest of the world wakes up and realises this, the sooner we will change to truly secure solutions.”

Alexander is right that perfect security isn’t possible while we are relying on centralised certificate authorities. Yet this is not the problem Let’s Encrypt was established to solve. It is still possible to improve privacy for many people by making TLS easier to implement. Encrypted traffic is more private than cleartext even if certificate authorities can’t be trusted.
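To make the two threat models concrete, here is an added example in Go (not part of the original post, and not Let’s Encrypt’s own code) that uses only the standard library’s crypto/x509. It builds two hypothetical root CAs, has each issue a certificate for the constructed host name bank.example, and shows that default path validation accepts either chain when both roots sit in the trust store, while a public-key (SPKI) pin recorded from the genuine certificate rejects the mis-issued one. The CA names, the host name, the serial numbers and the pin are all constructed for the example; a passive eavesdropper, who holds no CA key at all, gets neither chain accepted, which is why the encrypted traffic is still an improvement over cleartext.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed serials; a real CA uses random values

// check aborts the demonstration on any setup error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert returns a certificate for name and its private key. With parent nil
// it is a self-signed root CA; otherwise it is a server certificate for the
// DNS name, signed by parent. X.509 puts no limit on which names a trusted CA
// may vouch for; that is the "weakest link" the quoted passage describes.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // server certificate for the hypothetical host
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a
// pinning client records for the key it expects to see.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainValid is a TLS client's default path validation: any chain that ends
// in a trusted root and names host is accepted.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Result records what path validation and the pin check each conclude.
type Result struct {
	GenuineChainValid, RogueChainValid bool
	GenuinePinMatch, RoguePinMatch     bool
}

// Demo runs the scenario: two constructed roots in the client's trust store,
// one genuine and one mis-issued certificate for a constructed host name.
func Demo() Result {
	const host = "bank.example" // constructed, not a real site
	goodCA, goodKey := makeCert("Example Trusted Root", nil, nil)
	otherCA, otherKey := makeCert("Example Other Root", nil, nil)
	genuine, _ := makeCert(host, goodCA, goodKey)
	rogue, _ := makeCert(host, otherCA, otherKey) // any trusted CA can do this
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(otherCA)
	pin := spkiPin(genuine) // recorded from the genuine key out of band
	return Result{
		GenuineChainValid: chainValid(genuine, roots, host),
		RogueChainValid:   chainValid(rogue, roots, host),
		GenuinePinMatch:   spkiPin(genuine) == pin,
		RoguePinMatch:     spkiPin(rogue) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with `go run` and both ChainValid fields come back true while only GenuinePinMatch is true: path validation alone cannot tell the two chains apart, which is the CA problem Alexander describes, whereas a pin (or, at internet scale, Certificate Transparency monitoring) is the kind of complementary control that addresses it without giving up TLS.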

Meanwhile the EFF, at least, is aware of the problem and has other projects aimed at addressing it. We can continue to work towards more perfect solutions and still welcome incremental improvements to the status quo.

What’s up at Whatsapp?

Also this week, Whatsapp announced the roll-out of end-to-end encryption for its 600 million Android users via the TextSecure protocol, with support for iOS and other platforms coming soon. From now on only the sender and receiver will be able to read Whatsapp message contents. Surveillance of messages in transit, or at Whatsapp’s servers, just got a whole lot harder. This is great for the privacy of users; however, some have criticised the move because it does nothing to prevent attacks on the endpoints themselves.

https://twitter.com/KevinSMcArthur/status/534753306518630400

Similar criticism was voiced in the Hacker News thread about the announcement.

I am guilty of this one too. I chose to question publicly how Facebook (which bought Whatsapp for $19Bn earlier this year) makes money from this, which acted to derail what could have been a conversation about a privacy win, even though it’s imperfect. Whatsapp can still gather metadata, and it may share this with Facebook to augment its social graph; however, that’s not the threat being mitigated by this new feature.

(Apologies for my typo. I meant FB’s motives in acquiring Whatsapp. Please expand that tweet if you want to see the full discussion.)

What I should have been saying was – wow! This is a really neat privacy improvement for 600 million Whatsapp users. Their communications are more private than they were before and the cost of surveilling them en masse just went through the roof. Amazing!

Get off, Microsoft! WTF, Facebook?

Just this afternoon I’ve seen mild criticism of a new tool to detect government malware on computers running Microsoft Windows because it doesn’t solve the security problem of, um, running Microsoft Windows in the first place.

To be fair, Caspar does at least mention the fact of the tool’s existence in a positive light! I probably wouldn’t have noticed or mentioned it if I hadn’t already been writing this post.

Another event this month was Facebook’s launch of a Tor hidden service for users wishing to log in via the Tor network. Many raised the obvious question of why one would wish to log into the world’s least privacy-respecting website using the world’s best anonymity-preserving network. Those people failed to recognise the indirect benefits of using Tor: censorship circumvention, preventing intermediate routers from observing which websites you are using, and keeping your geographic location a secret from Facebook.

Le mieux est l’ennemi du bien.

To sum up, I think it’s counter-productive to condemn privacy enhancements that fall short of perfection, and I need to be more careful about avoiding doing so myself. It’s disingenuous to argue against better mitigation of one threat model because some other threats remain. To require ideal systems and model user behaviour to spring forth fully formed is unrealistic. We must start from where we are and encourage things to improve in whatever ways we can.

As Christopher Parsons says in a recent blog post:

“The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and the other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet, it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.”

Digital-rights campaigners need to recognise good things when we see them.