Is There Still Such a Thing as Privacy - and Should There Be?

The BlackBerry wirelesstap case, and understanding the concept of all public, all the time

I recently expressed the opinion that individual privacy is indeed important, and should in fact be the default in all business and governmental relationships. As we're taking politics here (privacy is the political side of security), the opposite position is worth at least some discussion, to wit: nothing should be private; only criminals have any need to hide their communications. And, as a middle ground (or the very least), governments should be able to read your mail (and more) in the interests of "national security", whatever that is, subject only to limitations like the Fourth Amendment to the US Constitution. This position, as Research in Motion really understands now, has profound consequences for IT security, and is clearly worthy of some debate.

This blog entry was motivated by the news that the governments of the United Arab Emirates and Saudi Arabia are threatening to cut off BlackBerry service because such is encrypted, and encryption is the very backbone of wireless security. In fact, while we have addressed encryption from a technological perspective quite effectively, we have not so much from the political angle, especially outside the United States. But here in the States, consider that very celebration of the Constitution of the United States, the USA PATRIOT Act, or even CALEA, and you'll soon realize that even Constitutionally-protected rights have serious limitations when the national-security banner is waived with oh so much vigor by determined bureaucrats, politicians, and scoundrels who wrap themselves in the figurative cloak of freedom.

Oops; my own biases here are showing, although I have, in fact, never claimed to be unbiased. But, hey, I at least alluded to a neutral attitude in the above paragraphs when discussing this topic, so I want to be fair. Let's grant that governments should have access to otherwise private communications, under whatever the local law might be. Think of all the crimes that could be prevented - except that really good criminals encrypt their traffic with really good encryption, under their control, and not that of a carrier. The argument with what RIM is doing is that they, the de facto carrier, encrypt traffic, and they should therefore have to make the encryption keys available for legitimate government purposes. The only problem here is that RIM doesn't actually have the keys; these are transparently negotiated between a given BlackBerry handset and the network. Not even RIM (or so they claim) can provide access to messages in the clear (this isn't entirely true, as traffic on the other side of their servers could indeed be in the clear). Regardless, what the protesting governments are really saying is that all communications should in fact not be encrypted, and I suspect that there are moves afoot in many countries to require traffic to be in the clear unless otherwise permitted - as in, the government shall have a back door they can open whenever they want, I mean, under appropriate local law. But the de facto result will be that encryption will be frowned upon, if not actually illegal, and thus there will be no secrets, except presumably within governments, anymore.

The problem here that the economy depends upon secrets. Competitive advantage today only really exists because one firm has access to information that another does not. Keeping secrets is thus very important. And, politically, a government seeking access to private information really should have to (a) show cause why they need this access and then (b) protect this information until such time that it is clear that the information is in some way involved with a crime, when it becomes evidence. But that's not really what governments care about; they seek their own competitive advantage, after all. Spying on the electronic communications of foreigners (and locals, where allowed) is both effective and a time-honored means of achieving this goal. Encryption makes this difficult, but what do you think the thousands of people employed by the National Security Agency do all day, aided by what are rumored to be the most powerful code-cracking machines in the universe? My guess (and this is only a guess; I have no direct knowledge here) is that NSA can crack 256-bit AES (or codes of similar complexity) in essentially real time, and longer keys, which are impractical on compute-limited mobile devices, with only a little more effort than that. Competitive advantage? You bet! Legitimate? It all depends upon how such is used, and we're back to the fundamentally political question. In politics, though, there is no right or wrong - only who gets their way.

As the wonderful character V in the equally-wonderful movie V for Vendetta so eloquently put it, "People should not be afraid of their governments. Governments should be afraid of their people". And, indeed, those governments are - every one of them. The evidence, as we've discussed here, is plain to see. Sure, some of it is legitimate - every civilized individual should take a stand against terrorism, but there are plenty of folks who disagree with this statement. And, again, as the evidence shows, really good terrorists operate at a level well above this fray.

In the meantime, I continue to recommend that everyone practice what I suggest as the basic rules of security: have a security policy that defines what data is sensitive, whom should have access to it and under what circumstances, how such access is logged, and what to do if a breach is discovered; encrypt all sensitive data while in residence anywhere; and protect all sensitive data by a VPN while in transit. Do not rely on your carrier to perform these services for you - think end-to-end and Layer 7. And do comply with all local laws - if you don't like them, don't do business there. The government in question will eventually get the message.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

IT Salary Survey: The results are in