Last year I updated my PGP public encryption key to 4096 bits since it now looks as though it may be possible to crack a 1024 bit key within my lifetime. Not that I have many secretes, but those that I do, I intend to keep out of prying eyes. And unless quantum computers start to enter the arena, 4096 should be enough to see me through to the grave.
I’ve been pushing encryption and secure communication for as long as I can remember. And I’m not talking about the crippled or back-doored varieties being flogged as secure-enough for the average schmo – all in the “interest of national security”. This news is almost two years old and I take my hat off to Mr Snowden for leaking the documents which alerted the wider public to the collusion between the National Security Agency (NSA) and RSA.
Of course, RSA was quick to respond to the accusations by stating that it “always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products.” Nevertheless, the weaknesses in the crypto propagated throughout many of its product lines without so much as a word at the time. There are two scenarios here, either RSA collaborated and introduced the weaknesses, or they were incompetent and oblivious to what was happening under their very noses.
Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA has alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.
But it’s too little, too late. It simply goes to show that we, as consumers of encryption technologies, can’t take for granted the security of algorithms which may have been fudged to enable the likes of the NSA or GCHQ the ability to eavesdrop on our communications.
An old security adage goes something like this:
A young spy will try to break the encryption; An old spy will steal the keys.
We are in the midst of some pretty hefty Crypto Wars. Government against government, corporation against corporation, East against West. On the one side we have paranoid, overzealous government regimes supported by their crony corporations, and on the other, private citizens and underfunded pro-privacy organizations such as the Electronic Frontier Foundation (EFF).
Ubiquitous applications like Skype and WhatsApp have crossed over and are now under large corporate control — Skype owned by Microsoft and WhatsApp by Facebook. Every time a small company is bought by a larger fish, I find that we are slowly being herded towards products which may herald end-to-end security but will ultimately never deliver on that promise. Underneath the thin security veneer hides a quagmire of red tape skewed against anyone trying to hold onto their rights to privacy.
Update 5 April 2016: Whisper Systems and WhatsApp announced that they have completed integrating the Whisper’s Signal protocol into WhatsApp software, giving WhatsApp full end-to-end encryption for text and voice. This is great news for privacy and security.
If you ever took the time to read the small print, you’d realize that most organizations can and will hand over your chat history, audio/video calls and fried lists if compelled to do so by a court order. And in a time when human rights and liberties are being eroded by police states, it is difficult to believe that any such court order was obtained by due process of law.
Microsoft may access, disclose and preserve your data (including your private content, such as the content of your instant messages, stored video messages, voicemails or file transfers) to provide the service or to assist its local partner or the local operator facilitating your communication to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
So, are Skype and WhatsApp secure? Yes and no. They are secure from people who do not have access to the underlying encryption keys, like your family, neighbours and friends. It stands to reason that if you’re only talking to the likes of your granny about her favourite cake recipe, I think you’re safe.
But if you’re trying to hide something from big brother, the recommendation is that you do NOT rely on these technologies alone. I’m not advocating one software over another, I leave it to you to make up your own mind.
There are plenty of alternatives which have risen to prominence. Telegram seems to have a solid security-focused mission statement, but there has been some recent criticism about Telegram’s protocol and their Crypto Challenge. Time will tell.
For something with Mr Snowden’s endorsement, check out Open Whisper Systems, which develops Signal (for iPhone) and TextSecure (for Android).
Going back to the RSA crypto fiasco, even before these revelations hit the press, it was universally understood that vendor-controlled cryptos were subject to government legislation and secret backroom agreements. As a result, it is next to impossible to tell whether private keys have been exchanged with big brother and to what extent information sharing is occurring. It’s also important to note that I’m not just talking about governments with overt human rights violations.
“Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men.”
— Lord Acton
Don’t be fooled. Your communications are neither protected nor anonymous. It is up to you to start taking control of your privacy by educating yourself and those you care about.