I’m proud to tell you about younited, F-secure’s brand new personal cloud service. Actually so new that it isn’t open for the public yet. But you can sign up to be a tester at younited.com. We will start to send invitations to registered users in November, and the service is scheduled to open to the public in early 2014.
Why younited? It is our vision about how cloud storage can be made engaging, fun and safe. It’s a supercloud that collects data from your other cloud services and helps you manage it in one place. It’s also built for privacy from the ground up. The second argument is certainly a hot topic right now so it’s only natural that younited has gained a lot of attention.
Larry Seltzer of ZDNet joined the party with a slightly critical article. He is asking why anyone should trust Finland and why we should care about the privacy of our cloud storage in the first place. The first question is excellent. Users should definitively care about where their data is stored. That’s why we created younited here in Finland as an alternative to the American services. Let’s clear out Larry’s doubts and see why Finland is an excellent home for your data:
Yes, the unknown is scary. And Finland is unknown to most people. But I can assure you that Finland really is among the best places on earth if you are looking for a safe haven for your personal data.
So a non-US service should be the primary choice if you are outside US and even a little bit privacy aware. And that’s after all most of the world’s population, about 96% are living elsewhere. But what if you are American, like Larry? Is it still a good idea to go off-shore?
Most of the cloud storage service are located in US and you may prefer domestic services. That’s the easy choice. But services overseas can really provide a significant benefit privacy-wise. First remember the four-hop principle. You think you have decent privacy protection as an US citizen, but are you sure that no friend-of-friend-of-friend-of-a-friend is suspected for some obscure reason? That would put you in the same boat as all us aliens. And the US authorities are not exactly open about what they are doing. This is what they have been forced to admit, it’s certainly not the full picture. Also keep in mind that your data is most vulnerable when stored. NSA can still attempt to snoop at your encrypted data connection to younited before it exits US, but that’s quite futile (see note below). And it’s finally game over once your data is on our disks here in Finland under a layer of AES-encryption. So an overseas service eliminates the by far easiest attack point.
You have nothing to hide? Yes, we hear that argument frequently. And it is of course good to be a decent citizen with no secrets. But are you really sure? First, no one can remember all documents and mails they have received and sent. I bet most people have items they rather not share with strangers, even if they can’t remember them right away. Second, we are changing and the world is changing around us. How can you tell that everything you do today is still in line with your profession, role and personality after 20 years? Is what you do today OK by our society’s standards at that time? No, nobody can of course be sure about that. So why take risks when there are easy ways to reduce our digital footprint?
Larry is also pointing out that we have the right to protect our data, but not necessary the need to do it. True. But if you don’t use that right, you are signaling that it isn’t important and can be taken away. And there are plenty of powers that would love to take it. In other words, it’s a lot easier to ban crypto and other privacy measures if they are used by criminals only. Let’s not contribute to a world without the right to use privacy protection.
So why not follow Larry Seltzer’s example and sign up for younited right away. Do you fall in love with the service of its level of safety and privacy, or for the engaging and fun user experience? Or both?
Note about encryption of data in transfer. There’s constant speculation about if NSA can break the SSL/TLS encryption that is used for this kind of connections. There are indications that they have succeeded in some cases, but this typically involve outdated implementations, software modules that have been weakened on purpose or keys that have been shared with NSA by the service owner. NSA’s ability to break full-strength SSL/TLS is speculative, and any such attack would, if possible, require so much resources that only a small number of targets could be followed. Summary: Ordinary people can consider the encrypted link to younited as perfectly safe.
The whole world is waking up to a new reality. Privacy used to be a fundamental human right that we took for granted. Technically it still is, but the global Internet has made it easy to violate this right. Too easy as there is proof that many states and companies violate it extensively and blatantly. There’s many motives for this. Technical feasibility, commercial benefits, diplomatic and political advantages, fear of terrorism and last but not least, peoples’ lack of awareness. The incentives to violate our privacy will not go away, but peoples’ awareness is certainly increasing. This is obvious now in the post-Snowden era. Customers start to ask how their service- and software providers guard their privacy, and make purchase decisions based on that. Protecting our customers’ data has been F-Secure’s mission for more than 25 years. That’s why we are very worried about the current situation, and eager to raise awareness about it. But raising awareness is not enough. We also need to get our act together and make sure our own offering isn’t violating your privacy. It’s by the way a surprisingly complex task that affect all functions in a company. That’s why we have published nine privacy principles that guide our work to guard your privacy. Let’s walk through the first 3 in this post. Stay tuned, the rest will be covered soon. WE RESPECT YOUR RIGHT TO PRIVACY This is really the fundament of it all. Our goal is to provide you with products and services that create some value for you, but this is never done by violating your privacy. Quite the opposite, guarding your privacy is a central goal in many products. Many companies market “free” services, where the customer in reality pay by letting the provider utilize personal information. F-Secure is NOT one of them. YOUR CONTENT BELONGS TO YOU We handle your data in many ways, either by apps on your own device or uploaded to our services. But no matter how we get in touch with it, it is still YOUR data. We have no right to utilize it for our own purposes and we do not reserve such rights in legal-jargon user agreements that nobody reads or understands. YOU DECIDE HOW MUCH YOU SHARE WITH US Your data, or data about you, may become accessible to us in several ways. You may upload it to our servers yourself. In this case it’s obvious that you are in full control of what data you transfer. Our products may also collect data to improve the service we offer, but you can opt out from much of this. Only a small part of the collected data is mandatory and not controlled by you. In short, we apply a strict minimalistic policy to automatic data uploads. We only fetch data if it’s needed to improve the service, we anonymize data when possible and we let you opt out if the data isn’t absolutely necessary. That’s 3 fundamental privacy principles in our set of totally nine. Stay tuned, we will present the rest shortly. Safe surfing, Micke
The recent statements from FBI director James Comey is yet another example of the authorities’ opportunistic approach to surveillance. He dislikes the fact that mobile operating systems from Google and Apple now come with strong encryption for data stored on the device. This security feature is naturally essential when you lose your device or if you are a potential espionage target. But the authorities do not like it as it makes investigations harder. What he said was basically that there should be a method for authorities to access data in mobile devices with a proper warrant. This would be needed to effectively fight crime. Going on to list some hated crime types, murder, child abuse, terrorism and so on. And yes, this might at first sound OK. Until you start thinking about it. Let’s translate Comey’s statement into ordinary non-obfuscated English. This is what he really said: “I, James Comey, director of FBI, want every person world-wide to carry a tracking device at all times. This device shall collect the owner’s electronic communications and be able to open cloud services where data is stored. The content of these tracking devices shall on request be made available to the US authorities. We don’t care if this weakens your security, and you shouldn’t care because our goals are more important than your privacy.” Yes, that’s what we are talking about here. The “tracking devices” are of course our mobile phones and other digital gadgets. Our digital lives are already accurate mirrors of our actual lives. Our gadgets do not only contain actual data, they are also a gate to the cloud services because they store passwords. Granting FBI access to mobile devices does not only reveal data on the device. It also opens up all the user’s cloud services, regardless of if they are within US jurisdiction or not. In short. Comey want to put a black box in the pocket of every citizen world-wide. Black boxes that record flight data and communications are justified in cockpits, not in ordinary peoples’ private lives. But wait. What if they really could solve crimes this way? Yes, there would probably be a handful of cases where data gathered this way is crucial. At least enough to make fancy PR and publically show how important it is for the authorities to have access to private data. But even proposing weakening the security of commonly and globally used operating systems is a sign of gross negligence against peoples’ right to security and privacy. The risk is magnitudes bigger than the upside. Comey was diffuse when talking about examples of cases solved using device data. But the history is full of cases solved *without* data from smart devices. Well, just a decade ago we didn’t even have this kind of tracking devices. And the police did succeed in catching murderers and other criminals despite that. You can also today select to not use a smartphone, and thus drop the FBI-tracker. That is your right and you do not break any laws by doing so. Many security-aware criminals are probably operating this way, and many more would if Comey gets what he wants. So it’s very obvious that the FBI must have capability to investigate crime even without turning every phone into a black box. Comey’s proposal is just purely opportunistic, he wants this data because it exists. Not because he really needs it. Safe surfing, Micke
The issue of mass government surveillance may have taken a back seat to other headlines lately, but the new Edward Snowden documentary is bringing it to light once more. CITIZENFOUR, the Laura Poitras film documenting the moments Edward Snowden handed over classified documents detailing the mass indiscriminate and illegal invasions of privacy by the US's National Security Agency, is getting rave reviews ahead of its world premiere. The film is already prescreening in the UK, and along with that, F-Secure's UK office is publishing a research report that highlights the growing concern of the public - specifically, the British public - with mass surveillance. The ‘Nothing to Hide, Nothing to Fear?’ report centers on the concern about surveillance being undertaken by the British government on its own people, as well as foreign nationals. The concerns are justified, as Snowden himself in recent comments warned that the British Government is even worse than its American counterparts, since the founding fathers of the US enshrined in law certain rights which the Brits – with no written constitution – cannot claim. Research* commissioned for the report shows that 86% of Brits do not agree with mass surveillance. Snowden’s leaks last year highlighted the extent to which Western intelligence agencies are snooping on the general populace, including their emails, phone calls, web searches, social media interactions and geo-location. And when you consider the fact that the UK has 5.9 million closed-circuit TV cameras (one for every 11 people, as opposed to one informant per 65 people in the Stasi-controlled East German state), the extent to which Britain has fallen into being a surveillance state becomes shockingly clear. The UK government, of course, insists that indiscriminate surveillance will protect national security. However, the UK's Regulation of Investigatory Powers Act (RIPA) contravenes Article 12 of the Human Rights Act: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.” “We are in unchartered territory and we appear to have sleepwalked here,” said Allen Scott, managing director of F-Secure UK & Ireland. “Little by little, our rights to privacy have been eroded and many people don’t even realise the extent to which they are being monitored. This isn’t targeted surveillance of suspected criminals and terrorists – this is monitoring the lives of the population as a whole.” With the future use of this data uncertain, the British people are showing their concerns. The research showed that 78% of respondents are concerned with the consequences of having their data tracked. This concern will only increase as more privacy-infringing schemes pervade UK government departments, offering up more personal data for GCHQ, the British intelligence agency, to use. Be sure to check out CITIZENFOUR once it hits your part of the world. And if you're in the UK, you can be among the first to see it – see pre-screening venues here: https://citizenfourfilm.com/ READ THE REPORT: Nothing to Hide, Nothing to Fear? See more of what Brits think about surveillance in our infographic: *Research conducted by Vital Research & Statistics on behalf of F-Secure. 2,000 adult respondents. 10-13th October 2014.