We talk a lot about privacy on the net nowadays. Some claim that privacy is dead, and you just have to cope with it. Some are slightly less pessimistic. But all agree that our new cyber-society will redefine and reduce what we once knew as personal privacy.
The privacy threat is not monolithic. There are actually many different kinds of privacy threats and they are sometimes mixed up. So let’s set this straight and have a look at the three major classes of privacy.
This is about controlling what data you share with your family, spouse, friends, colleagues etc. Tools for doing this are passwords on web accounts, computers and mobile devices, as well as your privacy settings in Facebook and other social media.
This is the fundamental level of privacy that most of us are aware of already. When this kind of privacy is discussed, it is usually about Facebook privacy settings and how to protect your on-line accounts against hackers. Yes, protection against hacking is actually a sort of privacy issue too.
Who knows most about your life? You, your spouse or Facebook? Chances are that the service providers you use have the most comprehensive profile on you. At least if we only count data that is stored in an organized and searchable way. This profile may be a lot wider than what you have shared yourself. Google knows what you Google for and your surfing habits are tracked and blended into the profile. The big data companies also try to include as much as possible of your non-digital life. Credit card data, for example, is low-hanging fruit that tells a lot about us.
But what exactly are they doing with that data? It’s said that if you aren’t paying for the product, then you ARE the product. The multitude of free services on the net is made possible by business models that utilize the huge database. Marketing on the service provider’s own page is the first step. Then they sell data to other marketing companies or run embedded marketing. And it gets scary when they start to sell data to other companies too. Like someone who consider employing you or who need to figure out if you’re a high-risk insurance customer.
The main problem with provider privacy is that there aren’t any simple tools to guard you. The service provider can use data in their systems freely no matter what kind of password you use to keep outsiders out. The only way to master this is to control what data they get on you, and your own behavior is what matters here. But it is hard to live a normal cyber-life and fight the big-data companies. I have posted some advice about Facebook and plan to come back to other aspects of the issue in later posts.
The security and privacy of Internet is to a large extent enforced by legislation and trust, not by technical methods like encryption. But don’t expect the law to protect you if you do a crime. Authorities can break your privacy if there is a justified need for it. This can be a good compromise that guards both our privacy and security, as long as the authorities are trustworthy.
But what happens if they aren’t? Transparency and control are after all things that make the work harder for authorities, so they don’t like it. And a big threat, like terrorism for example, can easily be misused to expand their powers far beyond what’s reasonable. Authority privacy really becomes an issue when the working mode changes from requesting data on selected targets to siphoning up a broad stream of data and storing it for future use. There has been plenty of revelations recently showing that this is exactly what has happened in the US.
There can be many problems because of this. It is, first of all, apparent that data collected by US is misused. The European Union and United Nations are probably not very dangerous terrorist organizations, but still they rank high on the target list. Data collected by authorities is also supposed to be guarded well and used for our own good only. But keep in mind that a single person, Edward Snowden, could walk out with gigabytes of top secret data. He did the right thing and spoke out when his own ethics couldn’t take it anymore, and that’s why we know about him. But how many secret Snowdens have there been before him? More selfish persons who have exchanged data for a luxury life in some other country without going public. Maybe your data? Are you sure China, Russia or Iran don’t have some of the data that the US authorities have collected about you?
And let’s finally play a little game to remind us about how volatile the world is. Imagine that today’s Internet and computer technology was available in 1920. The Weimar republic, also known as Germany, was blooming in the golden twenties. But Europe was not too steady. The authorities had Word War I in fresh memory and wanted to protect the citizens against external threats. They set up a petabyte-datacenter and stored all mails, Facebook updates, cloud files etc. This was widely accepted as some criminal cases had been solved using the data, and the police was proud to present the cases in media. The twenties passed and the thirties brought depression and new rulers. The datacenter proved to be very useful once again, as it was possible to track everybody who had been in contact with Jews and communists. It also brought a benefit in the war to come because many significant services were located in Germany and foreign companies and state persons had been careless enough to use them. The world map might look different today if this imaginary scenario really had happened.
No, something like that could never happen today, you might be thinking. Well, I can’t predict the future but I bet a lot of people were saying the same in the twenties. So never take the current situation for granted. The world will change, often to the better but sometimes to the worse.
So lack of authority privacy is not something that will hurt you right away in your daily life. Your spouse or friends will not learn embarrassing details about you this way, and it will not drown you in spam. But the long term effect of the stored data is hard to predict and there are plenty of plausible harmful scenarios. This really means that proper privacy legislation and trustworthy authorities is of paramount importance for the Internet. A primary set of personal data is of course needed by the authorities to run society’s daily business. But data exceeding that should only be collected based on a justified suspicion, and not be kept any longer than needed. There need to be transparency and control of this handling to ensure it follows regulations, and to keep up peoples’ trust in the authorities.
So what can I do while waiting for the world to get its act together on authority privacy? Not much, I’m afraid. You could stop using a computer but that’s not convenient. Starting to use encryption extensively is another path, but that’s almost as inconvenient. Technology is not the optimal solution because this isn’t a technical problem. It’s a political problem. Political problems are supposed to be solved in the voting booth. It also helps to support organizations like EFF.
Today is World Press Freedom Day – a day created by UNESCO in recognition of the importance of free speech, as well as the important role journalists play in using this right to help inform citizens about what’s going on with the world around them. This year’s main event is being held in Helsinki, Finland, and co-hosted by the Finnish government. There was lots happening at Finlandia Hall – the event’s “ground zero”. And because Finland is home to F-Secure’s headquarters, we were there in full force to express our support for the journalists who, according to Reporters without Borders, put their privacy, freedom, and even their lives on the line to keep us all informed. Mikko Hypponen, F-Secure’s Chief Research Officer, delivered a keynote address ahead of a discussion called “Protecting your rights: Surveillance Overreach, Data Protection, and Online Censorship”. “But right now, over the last couple of years, the biggest changes in this field have not been with online crime. They’ve been with governments entering the online, cyber attack business,” Hypponen told the audience (he hits the stage at about 20:32). [youtube=https://www.youtube.com/watch?v=R8tKOGVxPSo&w=560&h=315] After his speech, Mikko shared some additional thoughts on Apple vs. the FBI, and World Press Freedom Day. [youtube=https://www.youtube.com/watch?v=BBINozrQGlc&w=420&h=315] Sean Sullivan was also there, along with one of F-Secure Labs’ forensic analysts to help journalists check their devices, and provide security tips on how they can protect their data. “Without privacy, we can’t have free press. And without a free press, we cannot have democracy. And without democracy, we cannot have freedom,” Mikko told the audience. And that’s not just rhetoric – it’s something we’re backing up. Any journalist interested in using encryption to protect themselves against unwanted surveillance can get in touch with us before May 15 to get a free, 3-device, 12-month subscription for F-Secure's Freedome VPN, which lets users encrypt their communications, block tracking attempts and malicious websites, and change their virtual location. All journalists need to do is send a confirmation of their valid press credentials (for example, an image) by direct message to our Twitter feed (@FSecure) before May 15. Edited to add: We also caught a panel discussion about digital threats to journalists with F-Secure Cyber Security Advisor Erka Koivunen, Tanzanian journalist and newspaper editor Dennis Msacky, and University professor, writer and journalist Hanna Nikkanen. [youtube=https://www.youtube.com/watch?v=WYifFDj2UaI&w=420&h=315]
Collision is coming to a close today, and what a week it’s been. F-Secure’s Chief Research Officer Mikko Hyppönen was there earlier in the week, and gave a compelling talk on the evolution of cyber crime. He also gave a quick post-talk interview, so check out this Quickfire article to learn who Mikko thinks deserves a slap in the face. F-Secure also ran a basic Wi-Fi experiment at Collision*, similar to ones conducted in 2014 and 2015. While the experiment conducted at Collision had a smaller scope than our previous investigations, it does prove that people are still pretty promiscuous when it comes to connecting to public Wi-Fi hotspots without the proper protection, such as a VPN. In the first two days of Collision, we observed nearly one hundred people connecting to a phony Wi-Fi hotspot. And none of them were encrypting their traffic. Connecting to a phony Wi-Fi hotspot can open the door to all kinds of problems. Hackers have been known to use similar setups to help them “sniff” people’s Internet traffic, allowing them to do things like read personal messages, log the websites people visit, and even steal passwords and other sensitive information. So if you make a habit of using public Wi-Fi hotspots – whether you’re at a tech conference, an airport, a café, or a hotel – you should give Freedome a try to keep you and your private data safe and secure. [Image by Erin Pettigrew | Flickr]
Finland is home to the freest news media in the world, according to Reporters Without Borders. It's fitting, then, that the annual UNESCO World Press Freedom Day conference will be held in Helsinki this year, May 2-4. Freedom of information is a topic that's close to our heart. We were fighting for digital freedom before it was cool - yes, before Edward Snowden. A free press is foundational to a free and open society. A free press keeps leaders and authorities accountable, informs the citizenry about what's happening in their society, and gives a voice to those who wouldn't otherwise have one. Journalists shed light on issues the powers that be would much rather be left in the dark. They ask the tough questions. They tell stories that need to be told. In a nutshell, they provide all of us with the info we need to make the best decisions about our lives, our communities, our societies and our governments, as the American Press Institute puts it. That's a pretty important purpose. But it can also be a dangerous one. Journalists working on controversial stories are often subject to intimidation and harassment, and sometimes imprisonment. Sometimes doing their job means risking their lives. According to the Committee to Protect Journalists, 1189 journalists have been killed worldwide in work-related situations since 1992, when they began counting. 786 of those were murdered. Freedom of the press and digital technology are inextricably intertwined. Journalists' tools and means of communication are digital - so to protect themselves, their stories and their sources, they also need digital tools that enable them to work in privacy. Encrypted email and messaging apps. Secure, private file storage. A password manager to protect their accounts. A VPN to hide their Internet traffic and to access the content they need while they're on assignment abroad. F-Secure at World Press Freedom Day It's because press freedom and technology are so intertwined that it's our honor to participate in this year's World Press Freedom Day conference. Here's how we'll be participating in the program: Mikko Hypponen, Chief Research Officer at F-Secure, will keynote about protecting your rights. Tuesday May 3, 14:00 to 15:45 Erka Koivunen, our Cyber Security Advisor, will participate in a pop-up panel debate on digital security and freedom of speech in practice. Tuesday May 3, 15:45 – 16:15 Sean Sullivan, our Security Advisor, will be on hand to answer journalists' questions about opsec tools and tips. One of our lab researchers, Daavid, will be inspecting visitors' mobile devices for malware. We'll feature our VPN, Freedome. Check out our Twitter feed on May 3 for livestream of Mikko's and Erka's stage time. Banner photo: Getty Images