Schneier explained his fears to a packed room at RSA 2012, outlining how he saw individuals, companies and governments effectively outsourcing security to cloud providers, abdicating ultimate control in exchange for convenience and cost savings.
The result is a state of “security serfdom” where fealty is pledged to one of a few centralized data gatekeepers who promise and deliver great benefits – but upon whom the user becomes completely reliant for basic security. Apple’s legion of adoring gadget geeks and people who live the “Google lifestyle” through GMail, Google Voice and more now rely on those companies to make critical security decisions for them.
It’s not an altogether negative trend, particularly since “average users” historically do the bare minimum of backup, encryption and other information security hygiene possible, but it does create a more monolithic landscape that is likely to get harder and harder to opt out of.
“There’s a war on general purpose computing, because companies realize they gave up too much control,” said Schneier.
Battle lines are drawn
He said these companies are now working hard to change that. Big data, in the form of companies like Google, Choicepoint and major ISPs, requires almost unfettered access to user data in order to optimize, package and sell analytics and advertising, and so these companies have been building products that require that access from day zero.
Meanwhile, law enforcement agencies have been pushing through what Schneier categorized as “ill-conceived legislation” that would endanger the freedom and security of the Internet while doing little or nothing to prevent true threats.
The result is a fast-coming future where data and even device ownership is a grey area: Kindle Fires, iPhones and even many “open” Android devices all severely limit root access, which inevitably diminishes how secure they can be.
“If you pledge your allegiance to Google, they will protect you … as long as they protect you,” he said, explaining that while outsourcing to cloud providers takes away a lot of the traditional security headaches, it means leaving your security in the hands of a corporation whose security policies you cannot control – or sometimes even know.
But we like being oppressed!
There are benefits to this approach, not only for the “feudal lords” controlling the security ecosystem but also for the serfs.
“If you’re the general person, it’s probably better for you, because you’re doing a lousy job,” Schneier said. “Like with Flickr: Now you don’t have to back up your own photos.”
Even enterprises, which have traditionally held to stricter security standards, are finding the allure of serfdom hard to pass up.
“The economic benefits of outsourcing are really great,” Schneier said.
But the big-picture impact is a little more mixed, particularly when it comes to the effect the feudal model of security has on actual security.
“For attackers, it’s more or less the same that it’s ever been,” Schneier said.
Higher walls but bigger payoffs
With more companies and individuals outsourcing their security decisions and implementations to Facebook, Google, Amazon and Microsoft, these companies become increasingly valuable targets for attackers. The consolidation also fundamentally changes the landscape for attackers: It used to be that, for most people, simply being more secure than the next target was protection enough.
Just like a car thief will pass by a well-alarmed car with a Club on it in favor of a less defended vehicle, users who took basic precautions could generally defend themselves from most untargeted attacks. With monolithic security systems, however, one successful attack can compromise thousands of accounts.
Those payloads will only become more valuable over time.
“Some of these companies are going to become banks,” Schneier said, pointing to Google Wallet. “Fully expect some of them to become everything.”
Consolidation, meet regulation
What really worries Schneier, he said, is what happens as these consolidated security lords face more and more regulation, which will almost inevitably negatively impact security.
For example, data retention laws.
“The best way to secure data is to delete it,” Schneier said. But around the world, countries are passing laws requiring data be kept for 30, 60, 90 days or more, making users more vulnerable to government surveillance and needlessly exposed to unauthorized access by both internal and external attackers.
“I really worry at some point we will be forced to design an Internet kill switch,” he said. “And then I’d have to design it to make sure only the president could push it – I don’t trust myself to build that.”
There is hope, however: Schneier said that SOPA and PIPA were successfully fought off with the help (and lobbyists) of Big Data companies like Google, and there’s a winning track record of fighting bad Internet legislation.
He said the Internet’s “lack of regulation” stood as a testament to that, but that vigilance was needed.
“Here is my challenge to you: Get involved at layers 8 and 9, the economic layer and the political layer,” Schneier said. “Common sense does not have a lobby.”
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.
BTJunkie issued a statement on their website saying goodbye to their users and proclaiming the move was voluntary. “This is the end of the line my friends. The decision does not come easy, but we’ve decided to voluntarily shut down. We’ve been fighting for years for your right to communicate, but it’s time to move on. It’s been an experience of a lifetime, we wish you all the best!”
With file-sharing sites already looking over their shoulders, BTJunkie decided enough is enough and needed to make a major change.
After seeing this, the major question becomes: How much longer will file sharing be able to last?
Several other sites have been scared off: QuickSilverScreen has shut down, and FileSonic and FileServe have restricted themselves to files members have uploaded themselves.
Even though BTJunkie didn’t host files for download, the website allowed users to download them from others and quickly became one of the top file sharing websites in the world.
In recent months, we have seen illegal downloading and online piracy become an issue across the world. Leading the charge was SOPA/PIPA, followed by Kim Dotcom’s arrest. It seems to me the damage has been done: File sharing sites are now on notice and much more carefully watching where they tread.
Michael Tidmarsh is the Assistant Community Editor at ITKnowledgeExchange.com. He can be reached at email@example.com.
Privacy is the forefront issue once again as Congress is preparing to attack Google over their latest changes to their privacy policies. Several lawmakers are concerned with how Google will collect a user’s data across their services.
Members of the House Subcommittee on Commerce, Manufacturing and Trade, Mary Bono Mack and G.K. Butterfield, wrote a letter to the Internet giant expressing their concerns about its privacy changes.
Beginning on March 1st, Google will be able to cross-reference data about its users collected from its various services, including Google Apps, Gmail and YouTube.
Google fired back: director of public policy Pablo Chavez explained the new changes in a blog post accompanying the company’s letter.
“We’re not collecting more data about you. Our new policy simply makes it clear that we use data to refine and improve your experience on Google.”
Last year, the FTC reached a settlement with Google regarding complaints of unfair practices, under which the company would submit to reviews by an independent auditor.
Michael Tidmarsh is the Assistant Community Editor for ITKnowledgeExchange.com. He can be reached at Mtidmarsh@techtarget.com.
And so far, love her or hate her, the results are pretty tame: Mother Jones, which has had some of the most aggressive coverage of the e-mails, reported that she did, indeed, regularly use the folksy expressions she’s become famous for, from “unflippinbelievable,” “what a goof” and “holy flippin A” to “we love the mobster in ya.” Indeed.
The New York Times has embraced the webby world and even invites readers to help crowdsource the potential treasure trove. So far, more yawnshells than bombshells, at least as new insights are concerned. Whatever your feelings on the divisive reality show star, they will probably be more deeply confirmed.
So far, at least, she’s survived the up-close scrutiny. But could you?
We are all Sarah Palin
It’s not a purely academic question. While most of us aren’t subject to freedom of information laws, we are subject to laws governing subpoenas, discovery and search warrants, leaving ample opportunities for supposedly private conversations to leak into the public, and those are just some of the legal means.
As ZDNet’s David Gewirtz confessed:
Could you withstand the scrutiny?
I’m not sure I could. I am highly profane in my email traffic (I’m an engineer by training; profanity is a necessary tool). I’m cranky. I tend to tell my correspondents about how little sleep I’ve gotten and how long it’s been since I’ve had lunch. …
I would not want to share my email with the world. You probably wouldn’t want to, either.
You’re also generally subject to your boss’ – or even your boss’ boss’ – prying eyes when it’s your work e-mail account or even your work cell phone messages. An old business executive once told me he’d learned long ago not to say anything he wouldn’t mind seeing on the front page of the Wall Street Journal. The same advice applies double to what you type out at work, even if it is just a humorous e-mail forward.
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com. Image courtesy of David Shankbone and licensed under Creative Commons.
That’s the question that the Supreme Court has agreed to tackle as it reviews USA Mobility Wireless Inc. v. Quon. As CNN reports, the case would cover what, if any, expectations of privacy federal employees have at work when they’re using their employer’s equipment:
The department has a “Computer Usage, Internet and E-mail Policy” that gives workers only limited use for personal communications. Quon signed a statement acknowledging that “use of these tools for personal benefit is a significant violation of City of Ontario Policy” and that “users should have no expectation of privacy or confidentiality when using these resources.”
It was only in reading the transcripts voluntarily provided by Arch Wireless from its electronic archives that the often-racy messages to his wife, his girlfriend and a fellow officer were revealed, prompting an internal department investigation.
A review of one month found that Quon had sent and received 456 personal messages while on duty, an average of 28 per shift, and only three were deemed work-related. A federal court judge characterized many of the messages as not “light personal communications,” as defined in the policy as generally acceptable, but words that were, “to say the least, sexually explicit in nature.”
When I’ve spoken with IT professionals on the matter of personal privacy at work, the number one piece of advice is to spell policies out. It seems like the City of Ontario did that and still ran into problems, suggesting what a thorny issue it is.
GigaOm’s Sebastian Rupley also takes on the case, noting other cases where the federal government has been accused of overstepping its bounds, particularly when it comes to social media:
This isn’t the only recent dust-up involving the privacy rights of government workers online. Earlier this month, the Electronic Frontier Foundation (EFF), working with the Samuelson Law, Technology and Public Policy Clinic at the University of California at Berkeley, slapped a lawsuit against half a dozen government agencies for refusing to explicitly state their policies for using social networking sites for investigations, data collection and surveillance. The suit specifically charges that the agencies are withholding information on data they’ve collected from their workers’ usage of Facebook, Twitter and other social applications.