Would you trust Finland?

younitedI’m proud to tell you about younited, F-secure’s brand new personal cloud service. Actually so new that it isn’t open for the public yet. But you can sign up to be a tester at We will start to send invitations to registered users in November, and the service is scheduled to open to the public in early 2014.

Why younited? It is our vision about how cloud storage can be made engaging, fun and safe. It’s a supercloud that collects data from your other cloud services and helps you manage it in one place. It’s also built for privacy from the ground up. The second argument is certainly a hot topic right now so it’s only natural that younited has gained a lot of attention.

Larry Seltzer of ZDNet joined the party with a slightly critical article. He is asking why anyone should trust Finland and why we should care about the privacy of our cloud storage in the first place. The first question is excellent. Users should definitively care about where their data is stored. That’s why we created younited here in Finland as an alternative to the American services. Let’s clear out Larry’s doubts and see why Finland is an excellent home for your data:

  • Finland’s constitution has a significantly stronger protection of individuals’ privacy than what US has.
  • Finland does not have a clear distinction between own citizens and foreigners in privacy issues like the US has. Your data on younited is protected as well as mine.
  • Finland is consistently rated at the top of international surveys on transparency, lack of corruption, education and innovation, just to name a few.
  • Finland is not panicking about terrorism. This means that we have no need to reduce peoples’ fundamental rights to ensure our security.
  • Finland’s signal intelligence capabilities are minimal compared to US.
  • Finland is not perfect when it comes to transparency and control of the authorities, but the problems we have are really minimal compared to US.
  • Finland does not have a massive system for silencing persons who are forced to assist authorities. There are no National Security Letters over here.

Yes, the unknown is scary. And Finland is unknown to most people. But I can assure you that Finland really is among the best places on earth if you are looking for a safe haven for your personal data.

So a non-US service should be the primary choice if you are outside US and even a little bit privacy aware. And that’s after all most of the world’s population, about 96% are living elsewhere. But what if you are American, like Larry? Is it still a good idea to go off-shore?

Most of the cloud storage service are located in US and you may prefer domestic services. That’s the easy choice. But services overseas can really provide a significant benefit privacy-wise. First remember the four-hop principle. You think you have decent privacy protection as an US citizen, but are you sure that no friend-of-friend-of-friend-of-a-friend is suspected for some obscure reason? That would put you in the same boat as all us aliens. And the US authorities are not exactly open about what they are doing. This is what they have been forced to admit, it’s certainly not the full picture. Also keep in mind that your data is most vulnerable when stored. NSA can still attempt to snoop at your encrypted data connection to younited before it exits US, but that’s quite futile (see note below). And it’s finally game over once your data is on our disks here in Finland under a layer of AES-encryption. So an overseas service eliminates the by far easiest attack point.

You have nothing to hide? Yes, we hear that argument frequently. And it is of course good to be a decent citizen with no secrets. But are you really sure? First, no one can remember all documents and mails they have received and sent. I bet most people have items they rather not share with strangers, even if they can’t remember them right away. Second, we are changing and the world is changing around us. How can you tell that everything you do today is still in line with your profession, role and personality after 20 years? Is what you do today OK by our society’s standards at that time? No, nobody can of course be sure about that. So why take risks when there are easy ways to reduce our digital footprint?

Larry is also pointing out that we have the right to protect our data, but not necessary the need to do it. True. But if you don’t use that right, you are signaling that it isn’t important and can be taken away. And there are plenty of powers that would love to take it. In other words, it’s a lot easier to ban crypto and other privacy measures if they are used by criminals only. Let’s not contribute to a world without the right to use privacy protection.

So why not follow Larry Seltzer’s example and sign up for younited right away. Do you fall in love with the service of its level of safety and privacy, or for the engaging and fun user experience? Or both?

Safe surfing,

Note about encryption of data in transfer. There’s constant speculation about if NSA can break the SSL/TLS encryption that is used for this kind of connections. There are indications that they have succeeded in some cases, but this typically involve outdated implementations, software modules that have been weakened on purpose or keys that have been shared with NSA by the service owner. NSA’s ability to break full-strength SSL/TLS is speculative, and any such attack would, if possible, require so much resources that only a small number of targets could be followed. Summary: Ordinary people can consider the encrypted link to younited as perfectly safe.

More posts from this topic

Privacy principles 3

Your privacy is our pride, part 3 of 3 – how we act as a company

This is the final blog post in a series of three where we cover our privacy principles. I have earlier covered the fundaments and why security is a requirement for privacy. But privacy is not only about guarding your data and keeping it protected. It’s also about how we act as a company. If you select us as your provider, you want to know that we are acting in a responsible way and support your privacy in a broader sense.   WE KEEP OUR MESSAGING RELEVANT Messaging and marketing towards customers is always a tricky issue that divides opinions. Some are allergic to all kinds of marketing messaging. Others don’t mind and may even find part of it useful. We may have several reasons to contact our customers. Part of it is no doubt promoting our product and service portfolio (yes, marketing), part is necessary info related to the products you use. We also produce generic security and privacy information that we think is of interest, even if it doesn’t relate directly to our products. Our aim is to give you a messaging stream with an optimal signal to noise ratio. And you can fine-tune the stream by opting in or out to some content.   WE ARE THE GOOD GUYS There are strong global forces that want to scarify privacy for economic and diplomatic gains. This means that privacy isn’t just a technical issue anymore, it’s a highly ethical and political issue as well. The time has come when we need to choose sides. F-Secure’s choice is clearly to speak out against the privacy-hostile development. It would not be right to just sell you tools guarding your privacy and at the same time be quiet about the threats. We do demand change, for example in the Digital Freedom Manifesto. Also check out @Mikko at TED, nobody says it better than him.   TRANSPARENCY All this sounds fine, but do you believe us and will you trust us? It is so easy to write beautiful phrases, but you as a customer have very little tools to verify our claims. That’s why we need transparency. We want to be a forerunner and openly declare what data we collect, how we handle it and what principles we adhere to. That’s the best way to differentiate from those who just use privacy as a marketing message.       These principles will help us provide solutions that protect your privacy. As you can see, that’s not a simple task and it requires commitment at all levels of the organization. Publishing these principles is just the tip of the iceberg, what really matters is how we do our ordinary daily work. We need to keep the principles in mind at all time when designing systems and processes, to ensure they never are violated. Maybe I’m a dreamer, but I would very much love to be a digital citizen in a society that fully implement principles like this. It seems like a futile wish at the moment, but we are at least doing what we can to strive for it. The society may be hostile towards your privacy, but we at F-Secure work hard to make the principles real at least in a small part of the digital world. Our own products. That’s a good start, now you have a choice. If you like these principles, you can improve your privacy by selecting F-Secure.     Safe surfing, Micke

Oct 30, 2014

Snowden Says Drop Dropbox; Here’s What You Said

In his recent video interview with The New Yorker, Edward Snowden advised viewers to get rid of Dropbox, Facebook and Google, saying such services are dangerous and should be avoided. But what do consumers think? Are you and I ready to follow his advice and switch to more secure services? To find out what people really think, we consulted our recent global consumer survey* where we had asked people just those types of questions. Here's what we found: 53% of survey respondents said they’d be willing to switch from services like Google to other more private services to avoid search-based profiling. 56% of people said they have become more wary of US-based Internet services in the past year. 46% of people said they would be willing to pay to be sure that none of their personal data transits via the US. 70% said they are concerned about the potential of mass surveillance by intelligence agencies in countries through which their data may be passing. 68% of respondents said they try to protect their privacy at least some of the time through the use of private browsing or incognito mode or by encrypting their communications. 57% of people said they are not okay with companies using their profile data in exchange for getting a free service. Germany, Brazil and the Philippines showed some of the highest levels of concern about data privacy. For example, when asked whether they’ve changed some of their Internet habits in recent months due to increased concerns about data privacy, an average of 56% of people said they had: 45% in the UK, 47% in the US, and 49% in France, and going even higher to 60% in Germany and 67% in both Brazil and the Philippines. Are you ready to start using more private, secure services too? If so, F-Secure has some great options. Our online storage and sync service, younited, is fully encrypted for security and privacy from the ground up. F-Secure Freedome encrypts your connection wherever you are, even on public WiFi, and protects you from hackers and Internet trackers. And free F-Secure App Permissions lets you know which mobile apps you've installed are a threat to your privacy.   *The F-Secure Consumer Values Study 2014 consisted of online interviews of 4,800 age, gender and income-representative respondents from six countries, 800 respondents per country: US, UK, France, Germany, Brazil and the Philippines. The study was designed together with Informed Intuitions. Data was collected by Toluna Analytics in July 2014.   Image courtesy of greensefa,    

Oct 29, 2014

How to blow the whistle and survive

Whistleblowers have changed the world and there’s still a lot of hidden secrets that the public really should know about. High-profile leakers like Snowden, Manning and Assange are known globally, and are paying a high price for their courage. But only a few are dedicated enough to blow the whistle in public - most leakers want to carry on with their normal lives and remain anonymous. Snowden did no doubt show the way for others, and there are already several who have tried to leak and remain anonymous. That’s not easy and the stakes are high! Which is underlined by the recent news about the feds discovering one leaker. But is it even possible to leak anonymously in this word that in many ways is worse than Orwell’s fictive surveillance nightmare? Let’s list some advice for the case you would like to leak by phone to a journalist. I guess not many of you readers will ever be in a situation where you need this. But read on, this is highly interesting anyway and tells a lot about how our digital word works. Ok, let’s assume the worst case. The secrets you want to leak affects US national security, which means that your enemy is powerful and can use top surveillance against you. Let’s also assume it’s info you have authorized access to. And that you want to talk on the phone to a journalist. Here’s some basic rules and hints that may prevent you from ending up behind bars. First you need to assess how many persons have access to the data. They will all be on a list of suspects, together with you. The shorter the list, the bigger the risk for you. Your mobile phone is a tracking device. The cell phone network knows what base station you are connected to at any time. Other services can record and store even GPS-accurate position data. All this is accessible to the agents and you must make sure it doesn’t reveal you. Needless to say, your own phone does not participate in this project. You need to find out who you should leak to. Never do this research from your own computer because your search history can reveal you. It leaves traces both in your computer and in your user profile at Google (unless you know what you are doing and use privacy tools properly). Do this research from a public computer. Make sure you have never logged in to any personal account from this computer. You need a “burner phone” to do the leaking. This is a phone that can’t be connected to your identity in any way. Here’s some rules for how to use it: It is always switched off with the battery removed when not in use. Just using the power button does not cut power from all parts of the device. It is never switched on in or close to your home. The agents can easily find out what base station it was connected to and turning it on near home can make you more suspected than others. It is never switched on in or close to your vehicle. Base station records for the phone may correlate with traffic cameras storing your registration plate. This is especially important if you have a modern car with a built-in data connection for service monitoring etc. Never user the burner for any other contacts. Even a single call to your spouse creates a record that ties you to the phone. Needless to say, never store any other info in the phone than what you need for this project. You always leave your own phone at home when going out to use the burner phone. Otherwise the agents can see that your own phone “happen” to be in the same base station when the burner is used. Leave your own phone turned ON at home when you go out with the burner. Otherwise you create a recognizable pattern where your own phone turns off and the burner turns on, and vice versa, in a synchronized manner. Leave any other wireless devices at home. Tablets, wireless mobile payment devices, anything else with a radio transmitter. Using a voice changer is necessary especially if the list of suspects is short. Assume that your calls can be recorded and your own voice checked against the recording. Get the burner phone. Scout for a dealer with old-looking or insufficient security cameras located not too close to your home. Remember that the agents may locate the shop where the burner phone was sold, get the security camera recording and compare against the list of suspects. Even better, ask someone else to buy the phone for you. Choose a cheap non-smart prepaid phone with removable battery. Pay cash and make sure you don’t reveal your identity to the seller in any way. Safely destroy any receipts and other paperwork related to the purchase. Think about where to store physical items that can tie you to the leak. Such items are the burner phone and related documents or data media. This is especially important if the list of suspects is short. Storing such items at home, at your workplace or in your vehicle will reveal you if the agents perform a search. Try to find some other place that is safe and can’t be tied to you. Now you are ready to contact the journalist. Be very rigid with the rules for how to use the burner phone. There are also some additional rules for this situation: Dress discreetly to avoid sticking out in surveillance camera footage. Be far enough from home when making the call. Turn the burner on, make the call and turn it off again right away. Avoid public places with surveillance cameras when the burner is on. Do not use your credit card during this trip. Pay cash for everything. Any other personal payment instruments, like public transportation payment cards, is a big no-no as well. You have to assume that journalists dealing with leaks are being watched constantly. Assume that the hunt is on as soon as you have made the first contact. Try to wrap up the project as quickly as possible and minimize the number of times you turn on the burner phone. When you are done, dispose all items related to the leak in a secure way. The trash can of your own house is NOT secure. Dump the phone in the river or put it in a public trash sack far enough from home. The truly paranoid leaker will break the phone with gloves on. The outer shell can contain fingerprints or traces of your DNA and the electronics the traceable phone ID. It’s good to make sure they end up in different places. Huh! That’s a lot to remember. Imagine, all this just for maintaining privacy when making a phone call! But you really need to do it like this if the big boys are after you and you still want to continue as a free citizen. I hope you never need to go through all this, and also that you do it right if you have to. Disclaimer. This text is mainly intended as a demonstration of how intrusive the surveillance society is today. We provide no guarantee that this will be enough to keep you out of jail. If you really plan to become a whistle blower, research the topic thoroughly and get familiar with other sources as well (but remember what I wrote about researching from your own computer).   Safe whistle blowing, Micke  

Oct 28, 2014