The Deepest Dark

[Poem] In the deepest dark of the night…

In the deepest dark of the night
When you’re all alone
It reaches

A (Renewed) Case for Encryption

I kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption – but sadly it doesn’t seem that way. Content encryption – as opposed to just endpoint encryption, like SSL – is important, and especially so in light of this kind of wholesale government surveillance.

I kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption, and perhaps even trying to solve the problem of getting more people to actually use it.

One of the big problems with encryption – for example, email encryption using public key cryptography (PGP or GnuPG) – has been just getting enough people to start using it. With the way public key encryption works, you need to use encryption, AND the person you’re sending it to needs to use encryption, too.

In addition, there’s also the further complication of signing one another’s keys and assigning trust levels and so on… it’s just a bit too complicated and technical for your average user.

However, it doesn’t have to be complicated, and given what we’ve learned recently, it seems to me it really shouldn’t be – and that it is in all of our best interests to make it be as simple and easy as possible.

People have been harping on about the importance of encryption for ages, but widespread adoption has mostly been limited to SSL (for webmail & other web apps & services). This sort of encryption prevents a 3rd party from intercepting your communication with Google or Microsoft or Facebook or your bank or whatever, but none of that matters if your data is just going to be handed over to the government by the company on the other end anyway!

SSL encrypts your connection and your data during transmission, but the actual contents of your data are unencrypted at either end, and vulnerable to interception. It’s a good first step, but it isn’t enough – not anymore.

On the other hand, actually encrypting the contents of your communications – the email, the files, etc. – means that even if they are stored on a server (as your email is, for example), they are still encrypted – and most importantly, the server doesn’t have the decryption key – only the recipient does.

What this would mean in practice is that it would prevent the wholesale collection of data. If the government wanted the contents of someone’s communications, they would need to go after that individual; they wouldn’t be able to just pull it out of a big database.

Since going after an individual takes effort and requires a subpoena or at least a court order of some sort, there’s protection built-in. Plus, now the government’s attempts to access your data would be limited in scope to one person at a time, and they can’t be done in secret – or, at least, they’d be less secretive.

The government may still collect other data about you, of course – encryption is not a cure-all. It may still collect “metadata” about you – times and dates and such – but at least the content of your data remains secure until specifically subpoenaed.

As a side note, the NSA has repeatedly said that this is what it does anyway, as part of an attempt to justify why we shouldn’t be worried about this – but because everything the NSA does is secret, we have no way to be sure that this is actually the case. All we have to go on is the NSA saying “trust us, we won’t read your email without a court order (that you aren’t allowed to see).” Doesn’t exactly inspire a lot of trust, now does it? Especially given the track record we’re dealing with.

Perhaps if our government had a long & strong history of being trustworthy, of being transparent with its behavior, of standing up for individual rights and privacy, and severely limiting the collection and access of people’s data to only what is explicitly needed for specific cases and actions, this whole wholesale surveillance thing wouldn’t be such an issue.

But sadly, this is not the case – our government has shown, again and again, that it cannot be trusted in this regard, and that when given the opportunity, it will make a grab for as much power as it possibly can get.

Given the recent revelations on exactly how much power (and, by extension, data) our government has grabbed as of late, making actual content encryption available, widespread, and easy to use seems like an absolute no-brainer.

Icons courtesy of the Crystal Icon Set.

Know Your Code

Q: As a .NET programmer, why do you care about being familiar with the Win32 API?

A: Because the .NET framework is just another abstraction, and I like to think that I’m a good programmer – and good programmers know that all abstractions are leaky.

We’re Not Ready to be a Surveillance State

Recent news has revealed what many already suspected – we have become a de-facto surveillance state. The problem is: we are not at all ready to be a surveillance state.

Recent news has revealed what many already suspected – that we are (or are about to become) a de-facto surveillance state. The problem is: we are not at all ready to be a surveillance state.

The kind of surveillance that was previously only in the realm of dystopian fiction has been revealed to not only be possible, but to be taking place right under our very noses, without our knowledge, our consent, or what we would consider proper oversight.

The thing is, we’ve been headed in this direction for a long time – companies have effectively been doing this for years now. What’s changed is the scope of the surveillance, and the government’s involvement in (and use of) that surveillance.

This sort of surveillance is a by-product of the digital age we live in, and is not, by itself, a bad thing. What is bad is that government is getting deeply involved, and it is doing so very quickly, and without a chance for public debate (or even without the public’s knowledge!).

In light of the seeming inevitability of increased surveillance and data collection, and to prevent the absolutely certain slide into despotism and a de-facto police state, you need deep, fundamental protections against misuse of data – and such protections need to be built in, from the start – they are not the sort of thing that can be added on afterwards.

Technology is progressing so rapidly that our laws simply cannot keep up – even the way we create laws is still largely stuck in the last century, so that even if we try to adapt to new technology, by the time we’re done, it’s too late.

Even more worrying is that even though our laws can’t keep up with technology, that’s not stopping our governments from taking advantage of that technology – and that creates a huge problem.

In a way this is like having a really old machine that we’re trying desperately to keep running, even though the manufacturer has long since gone out of business, and the purpose for which the machine was originally built no longer exists. Instead, we keep replacing parts as they break or wear out – which takes longer and longer, since we have to rebuild them from scratch (since no one makes them anymore). We keep trying to get the machine to do things it was never intended to do – bolting on additions and making adjustments, all without really knowing how it will affect the overall functioning of the machine, or even if it’ll work the way we want it to.

Programmers in the audience will recognize this pathological pattern of behavior – any large software system will often find itself in this very same situation. And when faced with this kind of situation, often the response will be to just throw it all out and start over again from scratch.

In law, as in software, the argument against doing this is usually “why throw it away, since it still works” or “why fix what isn’t broken?” But I think it’s clear, especially in the face of new technology and what we’ve learned recently is being done with that technology, that things are in fact NOT working, and that the system IS broken.

We either need to start over, or more practically, immediately begin reforming the ways we deal with technology – from the ground up. The pace at which we adapt needs to keep up with the pace at which technology changes – the way we debate laws, the way we vote, the protections & systems needed to prevent abuse – all of these things need to be updated, and they need to be updated in a hurry.

Until our laws are fundamentally overhauled to provide the same kind of deeply embedded protections in this digital age that we previously enjoyed before computers existed, we simply are not ready to be a surveillance state.

That such a surveillance state is being created, before we are ready for it, is deeply disturbing and either needs to be stopped right now, or a concerted effort to reform our laws needs to happen, yesterday.

Why Corporate Participation in Politics is Bad, Bad, Bad

I’ve talked before about why corporations are evil (or rather, why they tend to behave that way). But there’s something else I want to talk about which is related to that – and that’s corporate participation in politics.

Let’s back up a bit first, though, and go over what exactly a corporation is.

A corporation is a sort of legal fiction, an “entity” that exists only on paper, created and sustained only by the laws that allow its existence, and designed to shield people from loss and liability so as to give them a way to do things they wouldn’t be able to (or wouldn’t want to risk doing) otherwise.

In order for this to work, corporations have to be able to do some of the things ordinary people do – borrow money, have credit, enter contracts, etc.

But lately, corporations have started to be able to do things that aren’t strictly necessary for corporations to exist – specifically, they can now participate in politics in ways that they weren’t allowed to before.

Now, corporations can’t vote in elections – thankfully things haven’t gotten that out of hand yet – but it’s getting close, because of the way corporations are now allowed to influence (i.e., give money to) politicians & political campaigns.

This isn’t, by itself, a bad thing. People band together for political reasons all the time, and they can gather money and contribute to campaigns & such – this is nothing new.

What’s new is that corporations are allowed to do this, on their own behalf.

The problem with this is that corporations are inherently immoral.

Remember – corporations are not people, even though we sometimes think of them as being like people. They exist to shield people from risk, and to make a profit. Corporations do not exist to be nice, or act in a moral manner.

Let me say that again: corporations do NOT exist to be moral, or be nice, or obey laws. While all (or some) of those things may be done by some corporations (especially when they are small), they are NOT the purpose of the corporation, and they can all be subverted to greater or lesser degrees in pursuit of the primary purpose, which is PROFIT.

This is true even if the people running the corporation are the nicest people, and the shareholders are all nice, ordinary people themselves – all of this is stripped away by the structure of a corporation, by its very nature.

Everything a corporation does is measured against a single metric: profit. Even adherence to laws is considered only insomuch as how much that disobedience would cost (literally), or how those individuals in the corporation would be punished directly by disobedience.

Now, don’t get me wrong here – I’m NOT saying that corporations are themselves a bad idea, or that these attributes of corporations make them terrible. There are problems with them, sure, but they have served us well over the years with various tweaks here and there, and I’m sure they will continue to do so in the future.

The problem here can be summed up like this:

  1. Corporations are inherently immoral.
  2. Corporations can now participate directly in politics.
  3. Because corporations are inherently immoral, their influence in politics will also be immoral.

Politics is a nasty enough business on its own, but now it is going to be much, much worse – which is why letting corporations participate in politics (a la the Citizens United decision) is such a bad, bad, bad idea.

This is akin to suddenly having large, sentient, carnivorous dinosaurs appear, and then giving them an almost equal vote in our political processes, and wondering why very soon it’s legal for people to be eaten by dinosaurs at any time, or have their homes stomped on, etc.

When corporations can participate in politics and government, the natural evolution will be for corporations to gain more and more influence, behaving like parasites, until eventually they merge with government itself, and you can no longer tell where one ends and the other begins.

Corporate participation in politics is, frankly, wrong, and it runs contrary to all the ideas of democracy that underpin so much of our society. If we are to continue to be a government of the people, by the people, and for the people – and not a government “for the corporations” – then corporate participation in politics must not be allowed.