NEWS

Why The US Must Leave Privacy-Providing Firms Alone

Recently, a case in the US has put a spotlight on the severity of the problem facing US-based businesses when it comes to providing privacy for their users. The case is that of riseup.net, which recently admitted to complying with two sealed warrants from the FBI. The firm, which prides itself on providing privacy for its users, was only able to disclose the warrants recently – because of the gag order that it was also under.

According to riseup.net, the first warrant “concerned the public contact address for an international DDoS extortion ring”, while the second was “an account using ransomware to extort money from people.” In its blog post on the subject, riseup.net explains that the warrants were the reason it failed to update its warrant canary, which led to some concern among its users.

Forced against its will

In the blog post, the firm also explains that the two cases involved “extortion activities” that “violate both the letter and the spirit of the social contract we have with our users: We have your back so long as you are not pursuing exploitative, misogynist, racist, or bigoted agendas.” As such, riseup.net didn’t have to feel too bad about complying.

However, the truth is that riseup.net didn’t comply because it was taking a high moral stance – on the contrary, it attempted to resist the warrants. In the end, however, not complying with the warrants could have “resulted in jail time for Riseup birds and/or termination of the Riseup organization”. With that in mind, riseup.net can be understood to have been fortunate that the cases it was asked to disclose details about involved actions that the organization doesn’t particularly condone.


Ongoing problem for privacy-oriented firms

The riseup.net case is a perfect example of the problem facing the US: one that certainly isn’t going to help to “make the US great again”. In fact, it is these types of actions from the US government (and any other governments that feel the same) that are likely to drive tech sector businesses away from US shores – taking important jobs with them.

What is sad, however, is that since he came to power it has become obvious that the Trump administration will not be the breath of fresh air that so many people seem so convinced it will be. In fact, in terms of technology, the Internet, and digital privacy, the Trump administration seems hell-bent on destroying America rather than making it great.


Not just a US problem?

What’s more, it is not just the US that has this problem. The UK’s recently passed Snoopers’ Charter is in exactly the same vein. The law means that the UK could also see tech-sector firms leaving its shores – should it decide to get heavy-handed and enforce backdoors.

Liz McIntyre – cybersecurity expert at ixquick and StartPage – understands the problem all too well. She told BestVPN.com that “a US-based company may be sincere about protecting consumer privacy, but a National Security Letter & gag order could turn a US-based service into a honeypot overnight.”

This simply isn’t good enough, and according to McIntyre it means that US-based companies are being put in an extremely disturbing position,

“Laws like the Patriot Act can force US companies to violate their sincere privacy promises by threatening owners and employees with criminal prosecution and jail time. This is why privacy-conscious consumers look for services based in EU countries where privacy is better protected by law.”


Run away!

If Trump isn’t careful, it won’t just be consumers that are looking for products based overseas. An inability to deliver on promises that make their products desirable may force technology firms to leave the country. PrivacyTools.io – a highly respected organization that provides knowledge and tools for protecting against mass surveillance – is already encouraging consumers to boycott US-based firms,

“Services based in the United States are not recommended because of the country’s surveillance programs, use of National Security Letters (NSLs) and accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.”

In fact, PrivacyTools.io recently decided to withdraw its support of DuckDuckGo because the firm is based in the US, and could be forced to secretly comply with a warrant (despite its privacy promises).

A downward spiral


Until recently, the EU had seemed like a better location. But data retention laws that are slowly becoming widespread threaten to change all that. This may lead firms to want to leave those EU countries as well, in search of a new, safer tech haven somewhere further afield.

So, how likely is it that firms will actually up and leave?

Unfortunately, it seems highly possible. Trump has chosen to surround himself with people who ring serious alarm bells for tech firms. The newly appointed attorney general, Senator Jeff Sessions, is in favor of backdoors. In addition, the newly appointed FCC chairman, Ajit Pai, is an ex-industry lobbyist who is an enemy of net neutrality. With this in mind, it would appear that things look set to get worse under Trump, rather than better.

Monkey see monkey do

Furthermore, Trump and the UK’s Prime Minister, Theresa May, have promised to rekindle the special relationship between the two nations. Theresa May was heavily involved in conceiving the UK’s much-loathed Snoopers’ Charter during her time as Home Secretary. As such, she and President Trump are incredibly similar personalities who appear to have very similar goals for their respective nations.

In the UK, the new legislation means that UK firms must agree to put backdoors in their products if asked to do so by the government. This goes hand in hand with encryption developments such as the MIKEY-SAKKE protocol, which was designed by GCHQ. MIKEY-SAKKE is just one example of the type of backdoor that the UK government would like UK-based firms to place in their products.


The impossible backdoor

The problem with backdoors, however, is that although they may be written into a product for use by the government, they can equally be found and used by enemies of the state, hackers, and cybercriminals. A backdoor is a security vulnerability, which means that a product or service containing one isn’t secure at all. This is a huge problem, and one that governments’ greedy surveillance practices simply won’t admit to. Sadly, however, terrorism is likely to continue being used as a catalyst for the implementation of this type of intrusive legislation. The outcome? Under Trump, US citizens are likely to face higher levels of surveillance (possibly even higher than ever before).

This may seem unlikely to some people, who mistakenly believe that the Snowden revelations have improved things. However, as Jennifer Stisa Granick explains in her new book American Spies, the US has successfully been using loopholes to continue putting US citizens under ‘bulk’ surveillance all along. Add those loopholes to gag orders and warrants, and you have a disastrous recipe that leaves US-based tech firms completely at the mercy of the US administration. Liz McIntyre agrees, confirming that,

“If the United States wants to achieve greatness in privacy-friendly products and services, laws that can undermine privacy promises with the stroke of a pen need to change.”


Unfortunately, the US seems more likely to join the UK in making data retention mandatory than to make the changes that McIntyre and I both hope for. In fact, I will be highly surprised if we don’t see the US get a Snoopers’ Charter of its own under Trump: such is the sad state of affairs.

The Yahoo scandal

For those of you who think I’m just scaremongering, you couldn’t be further from the truth. The problem is severe. Look at the Yahoo case, for example, where the firm decided to help US intelligence by installing a spy tool into its email service that gave the NSA access to millions upon millions of user email accounts, whether their owners had done anything wrong or not. Complying with that request caused Alex Stamos (CSO at Yahoo) to jump ship to Facebook, and ultimately forced Marissa Mayer to leave her position as CEO of the purple palace.

Demonstrating my earlier security point, on that occasion when Yahoo aided and abetted the NSA, the spy tool was actually a ‘rootkit’ that could have been exploited by anybody. As such, this may have given hackers (and even Yahoo staff themselves) unfettered access to those email accounts as well. This is an enormous security risk that entirely explains how 200 million Yahoo users’ usernames and passwords ended up for sale on the dark web last August.

Time is running out

At the end of the day, strong end-to-end encryption is the best form of cybersecurity. For that reason, until the US (and other countries) decide to support strong privacy, the current cybercrime epidemic seems set to continue.

In fact, with artificially intelligent software and quantum computing on the rise, the future looks extremely bleak for cybersecurity – unless governments allow the privacy and security industry to monetize and develop at a similar pace to the technologies that are inevitably going to rise up and make cybercrime worse. You have been warned.

Opinions are the writer’s own.

Title Image credit: garagestock/Shutterstock

Image credit: Onigiri studio/Shutterstock

Image credit: milo827/Shutterstock

Image credit: Stephen Clarke/Shutterstock
Ray Walsh I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.


6 responses to “Why The US Must Leave Privacy-Providing Firms Alone”

  1. How do you rate the security of using the Linux distro, TAILS, as one must link to it via a website which is inside the US?

    1. Hi Thomas,

      As I discuss in my TAILS Review, when using TAILS you connect to websites via the Tor network. This means that you connect to the websites anonymously (unless you choose to hand over personal information about yourself to them).

      1. The article above my question includes the point that some privacy software, generated or when used with servers based inside the US, has been placed under warrant, with a gag order.

        The Tails download itself is from a server inside the US. Tails development itself is closely linked to riseup. Riseup was also mentioned in the article as having been coerced into giving up info on others by warrant/gag order. Although we are given to believe that those riseup gave up were bad actors in violation of the basic stated permissions of the use of the riseup servers and software. In trusting riseup, like Mulder, “I want to believe.”

        My question, which in the context of the above article seemed clear, is: why do I trust the Tails download, as it is being built in the US, and its primary distribution point seems to be servers inside the US?

        To me, one of the points of the relative safety of TOR is based upon the OS it works within. If Tails is compromised, then the TOR Browser working in it is also compromised.

        I see websites which I get the message, “certificate is bad or invalid.” A whole huge discussion in itself.

        Another point: some have hypothesized that one can track internet connections by the wired or wireless adapter’s ID. Tails documentation talks about spoofing the adapter’s ID automatically, and also states that one of the manufacturers of adapters which cannot be spoofed is Broadcom. Broadcom is used in Apple computers. Guessing TOR is not of much use for Apple. I wonder how any VPN can get around the same issue?

        1. Hi Thomas,

          My apologies. I was skimming rather too quickly through a weekend’s worth of comments. You make a very good point about TAILS being developed and hosted inside the US. TAILS is, of course, open source, and can therefore be independently audited. But this hasn’t yet happened. If it ever does happen, then you should be able to download a PGP-signed copy of the audited version from non-US servers. Probably the best argument for trusting TAILS at the moment is that it was the OS of choice for Edward Snowden. But that was some time ago now.

          With regards to wireless adapters, I’ll need to look into this subject more. But the Tor project offers a Mac version of the Tor Browser, so I will assume for now that this is not considered a major issue. As for VPNs, I think it is worth bearing in mind that VPNs are great for privacy, and will go a long way towards preventing blanket government surveillance, but they are not a true anonymity tool, and should not be used as such (with the possible exception of using a VPN through Tor).

  2. Compliments to the journalist! The safety risks with US companies must be highlighted more often. I was using DuckDuckGo for a while, but when I figured out they offered only a false sense of security I switched to an EU-based private search engine. I wish I had known earlier…
