I’m proud to tell you about younited, F-Secure’s brand new personal cloud service. It is so new, in fact, that it isn’t open to the public yet. But you can sign up to be a tester at younited.com. We will start sending invitations to registered users in November, and the service is scheduled to open to the public in early 2014.
Why younited? It is our vision of how cloud storage can be made engaging, fun and safe. It’s a supercloud that collects data from your other cloud services and helps you manage it in one place. It’s also built for privacy from the ground up. The second argument is certainly a hot topic right now, so it’s only natural that younited has gained a lot of attention.
Larry Seltzer of ZDNet joined the party with a slightly critical article. He is asking why anyone should trust Finland and why we should care about the privacy of our cloud storage in the first place. The first question is excellent. Users should definitely care about where their data is stored. That’s why we created younited here in Finland as an alternative to the American services. Let’s clear up Larry’s doubts and see why Finland is an excellent home for your data:
Yes, the unknown is scary. And Finland is unknown to most people. But I can assure you that Finland really is among the best places on earth if you are looking for a safe haven for your personal data.
So a non-US service should be the primary choice if you are outside the US and even a little bit privacy aware. And that’s, after all, most of the world’s population: about 96% live elsewhere. But what if you are American, like Larry? Is it still a good idea to go offshore?
Most of the cloud storage services are located in the US and you may prefer domestic services. That’s the easy choice. But services overseas can really provide a significant benefit privacy-wise. First, remember the four-hop principle. You think you have decent privacy protection as a US citizen, but are you sure that no friend-of-friend-of-friend-of-a-friend is suspected for some obscure reason? That would put you in the same boat as all us aliens. And the US authorities are not exactly open about what they are doing. This is what they have been forced to admit; it’s certainly not the full picture. Also keep in mind that your data is most vulnerable when stored. The NSA can still attempt to snoop on your encrypted data connection to younited before it exits the US, but that’s quite futile (see note below). And it’s finally game over once your data is on our disks here in Finland under a layer of AES encryption. So an overseas service eliminates by far the easiest attack point.
You have nothing to hide? Yes, we hear that argument frequently. And it is of course good to be a decent citizen with no secrets. But are you really sure? First, no one can remember all the documents and mails they have received and sent. I bet most people have items they would rather not share with strangers, even if they can’t remember them right away. Second, we are changing and the world is changing around us. How can you tell that everything you do today will still be in line with your profession, role and personality after 20 years? Will what you do today be OK by our society’s standards at that time? No, nobody can of course be sure about that. So why take risks when there are easy ways to reduce our digital footprint?
Larry is also pointing out that we have the right to protect our data, but not necessarily the need to do it. True. But if you don’t use that right, you are signaling that it isn’t important and can be taken away. And there are plenty of powers that would love to take it. In other words, it’s a lot easier to ban crypto and other privacy measures if they are used by criminals only. Let’s not contribute to a world without the right to use privacy protection.
So why not follow Larry Seltzer’s example and sign up for younited right away? Will you fall in love with the service for its level of safety and privacy, or for the engaging and fun user experience? Or both?
Note about encryption of data in transfer. There’s constant speculation about whether the NSA can break the SSL/TLS encryption that is used for this kind of connection. There are indications that they have succeeded in some cases, but this typically involves outdated implementations, software modules that have been weakened on purpose or keys that have been shared with the NSA by the service owner. The NSA’s ability to break full-strength SSL/TLS is speculative, and any such attack would, if possible, require so many resources that only a small number of targets could be followed. Summary: Ordinary people can consider the encrypted link to younited as perfectly safe.
This year’s Mobile World Congress (MWC) is coming up next week. The annual Barcelona-based tech expo features the latest news in mobile technologies. One of the biggest issues of the past year has enticed our own digital freedom fighter Mikko Hypponen to participate in the event.
Hypponen, a well-known advocate of digital freedom, has been defending the Internet and its users from digital threats for almost 25 years. He’s appearing at this year’s MWC on Monday, March 2 for a conference session called “Ensuring User-Centred Privacy in a Connected World”. The panel will discuss and debate different ways to ensure privacy doesn’t become a thing of the past.
While Hypponen sees today’s technologies as having immeasurable benefits for us all, he’s become an outspoken critic of what he sees as “going wrong in the online world”. He’s spoken prominently about a range of these issues in the past year, and been interviewed on topics as diverse as new malware and cybersecurity threats, mass surveillance and digital privacy, and the potential abuses of emerging technologies (such as the Internet of Things).
The session will feature Hypponen and five other panelists. But, since the event is open to public discussion on Twitter under the #MWC15PRIV hashtag, you can contribute to the conversation. Here are three talking points to help you get started:
Security in a mobile world
A recent story broken by The Intercept describes how the American and British governments hacked Gemalto, the largest SIM card manufacturer in the world. In doing so, they obtained the encryption keys that secure mobile phone calls across the globe. You can read a recent blog post about it here if you’re interested in more information about how this event might shape the discussion.
Keeping safe online
It recently came to light that an adware program called “Superfish” contains a security flaw that allows hackers to impersonate shopping, banking, or other websites. These “man-in-the-middle” attacks can be quite serious and trick people into sharing personal data with criminals. The incident highlights the importance of making sure people can trust their devices. And the fact that Superfish comes pre-installed on notebooks from the world’s largest PC manufacturer makes it worth discussing sooner rather than later.
Privacy and the Internet of Things
Samsung recently warned people to be aware when discussing personal information in front of their Smart TVs. You can get the details from this blog post, but basically the Smart TV’s voice activation technology can apparently listen to what people are saying and even share the information with third parties. As more devices become “smart”, will we have to become smarter about what we say and do around them?
The session is scheduled to run from 16:00 – 17:30 (CET), so don’t miss this chance to join the fight for digital freedom at the MWC.
The newest leak from Edward Snowden may be coming at a terrible time for the Obama White House but it's not particularly shocking news to security experts. The Intercept's report about the "Great SIM Heist" reveals American and British spies stole the keys that are "used to protect the privacy of cellphone communications across the globe" from Gemalto, the world's largest manufacturer of SIM cards.
It goes on to report that "With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments," which sidesteps the need for legal warrants that should be the foundation of ethical law enforcement.
While this is certainly troubling and speaks to the agencies' wanton disregard for privacy and some amateurish procedures being used to transport keys, it likely won't alter the security landscape much.
"The best summary is that an already unreliable communication method became even more unreliable," F-Secure Labs Senior Researcher Jarno Niemela, the holder of 20 security-related patents, explained. "Nobody in their right minds would assume GSM [Global System for Mobile Communications, the digital cellular network used by mobile phones] to be private in the first place," he said. "Phone networks have never been really designed with privacy in mind."
Mobile operators are much more concerned with being able to prevent their customers from avoiding billing.
While the scope of such a breach does seem huge, Jarno points out we're not sure how many of the billions of cards manufactured by Gemalto may be affected. Keys sent to and from operators without encryption in email or via FTP servers that were not properly secured are almost certainly compromised. But according to The Intercept, GCHQ also penetrated “authentication servers,” which allow it to "decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network" regardless of who made the cards.
With the cracked keys, users' calls would be vulnerable but likely only in a limited manner. "I am told that these keys only expose the encryption and authentication between the mobile device and the local cell tower," F-Secure Security Advisor David Perry explained. "This means that the NSA or (whoever else) would have to be locally located within radio range of your phone."
So could the NSA or GCHQ be listening to your calls without a warrant? Maybe. Here's what you can do about it.
Add a layer of encryption of your own to any device you use to communicate. A VPN like our Freedome will protect your data traffic. This would not, however, protect your voice calls.
"Maybe it’s time to stop making 'traditional' mobile phone calls," F-Secure Labs Senior Researcher Timo Hirvonen suggests. "Install Freedome, and start making your calls with apps like Signal."
This comes as no surprise after the Snowden revelations. British signal intelligence agency GCHQ has been spying illegally on a large number of internet users. What’s positively surprising is that the UK Surveillance Tribunal finally developed from a rubber stamp into something capable of making real decisions. In short, their recent decision states that the secret information exchange between the NSA and GCHQ was illegal. It’s also a welcome indication that unnecessary secrecy isn’t acceptable. Secrecy is needed in intelligence work, but has widely been misused to hide unlawful activities.
We are, of course, grateful to Privacy International and its supporters for their important work in this case. But they are not done yet! Their next step is to let you know if you’re a victim. You can submit your contact info and join a campaign where they will reveal if GCHQ has data on you. That’s nice.
The more privacy-savvy of you are probably smiling right now. The campaign page clearly states “I authorise Privacy International and their legal team to pass my information to GCHQ …” That’s naturally necessary when asking GCHQ if they have data on you. But what if they didn’t? Now they do. Submitting private info to an agency that has just been exposed for illegal data processing might not sound like a good idea. And it’s not just your name, email and phone number. What may be less obvious is that your submission ties these pieces of info together. If they had just your mail, now they know to whom it belongs.
OK, time to take off the tin foil hat. I think Privacy International’s campaign is great and a unique opportunity to get a glimpse into the secret world of intelligence. One should not worry too much about revealing info through this form. What you submit is probably already known to them, or they could easily find it out if they had a real interest in you. So just go ahead. But the above is a great reminder that you should think twice before submitting private info. Always think about whom you submit to and for what purpose.
Micke
P.S. This reminds me of an old web form at a Russian server. “Enter your credit card number to check if it has been stolen on the net.” No, I didn’t enter mine either.