Saturday, February 14, 2015

Dear Mr. President: Let's talk about data encryption and the right to privacy

Dear President Obama,

In a recent speech, you said you wanted an open, public, discussion about data encryption. Great! Open, public, discussions between the citizenry and our elected officials are always interesting and useful so let's start to have that discussion. Right now, right here, just you and me.

Mr. President, you're a fairly young man who, I assume, isn't particularly savvy with advanced technology. That's not meant to be a disparaging comment, not all of us are. Some people are good with tech, others fill different roles and don't need to be good with tech. You fall into the latter category. But I bring this fact up because, not being a tech-centric guy, you likely don't remember the 'crypto-wars' of the 1990's. They were a brutal time when the government, much like this government, thought that all manner of crime would run rampant if they didn't have access to secret, encrypted, communications.

The government at the time tried various ways to protect itself from 'the bad guys' having encryption. They tried to say it was a weapon and could not be exported outside of the United States, they tried to convince people to store a copy of their encryption keys with the government 'just in case', and none of that worked. Ultimately, the Clinton administration gave up and encryption became the widespread beast it is today.

You know the weird thing, Mr. President? Online crime didn't skyrocket like the FBI and NSA had predicted, the government didn't 'go dark' where it couldn't enforce laws and catch bad guys. Sure, some bad guys might have used encryption and gone uncaught because of it, but the vast majority of them just didn't care. Most criminals just aren't that smart.

Today, many in our government are making the same arguments that were made in the 1990's. The same claims about law enforcement 'going dark' are being bandied about and the same players are the ones saying it.  Except now they're using scarier words like 'terrorism' and 'protecting the homeland from attack' and 'ISIS'. But the fact of the matter, Mr. Obama, is that criminals still aren't that smart. The vast majority of bad guys still aren't using encryption - or at least aren't using it properly so, really, law enforcement isn't particularly that locked out.

You've recently started talking about how the creators of security and encryption software should build in secret back doors that "only the government" can access when there is a "compelling need". This was actually one of the arguments the government made in the 1990's and here is why that doesn't work (please read this next statement carefully):

There is no way to build a government back door that only the government can access. Once the backdoor is there, it's open to anyone who knows it exist and knows how to open it.

This will include Russia.
This will include China.
This will include run-of-the-mill hackers

Everything that is wrong with the 'let's install a government backdoor' argument can be summed up in the statements above and anyone who knows anything about security knows that the above statement is true.

Now, sir, I understand that you will have some of the best and brightest minds in the industry working to carefully design these theoretical back doors that only the government can access. But, I have to ask, where will you get these mental giants? Will you look to private industry who, by the governments own claims, have lost billions if not trillions of dollars in security breaches involving their systems in the last year alone? If they can't design systems that are secure to protect themselves, how will they protect our secrets when they work for you?

Unfortunately, as you know, government IT isn't the answer either as only a few short years ago the Anonymous collective laid many agencies secrets open to the public and a single contractor was, only two years ago, able to walk out of what is arguably one of the most secure places on earth with over 50,000 documents.

Mr. President, I think it's time you realize what your predecessors eventually did: certain communication will always and should always be locked away from government eyes. A 'pressing need' because of some spectre of fear doesn't justify giving an arguably already overreaching government the power to spy into all our lives, innocent or not.  Our right to privacy can and does extend to corners the government can't see. While this may place certain people in uncomfortable positions and cause some 'darkness', such is the price we pay for freedom.

Will bad guys slip through the cracks? Yes.
Will encryption sometimes bring an investigation to a halt? Yes.

But even with those things being true, our rights stand. Rights are not secured or laid aside by convenience.

So what is the answer then? I would put forth that there is nothing wrong with continued, good-old-fashioned police work. The FBI and NSA have proven that they have a remarkable ability to coordinate investigations into crime using all of the data - and that's still most of the data flowing over the Internet- that isn't encrypted. The FBI still has the ability to break tough cases and obtain convictions even with encryption in place and getting better.  Training is the answer. Better, more technologically focused training. It's as simple as that.   

Mr. President, you are being presented with two opportunities here - two different roads as it were. On one side, you have the ability to stand with the American people and reaffirm the rights that you swore an oath to uphold - without conditions or convenience. On the other, you have the siren call of convenience, increased power, and an ever data hungry intelligence community.

Stop for a moment, take a deep breath, and think about the world you want to live in for the next 50 years, the world you want your wife and daughters to live in. Do you believe they might have things they don't want someone in Washington to know about? Should all of their secrets be laid bare because someone deems it convenient or have a 'compelling reason'?  Do you believe you and your family would be spared from such intrusion? I'd argue that you would be a valid target in some people eyes for it because you were President and 'you know things'. Is that the life you want?

It's certainly not the life I want for you either. I want a world where you can have secrets and you can have privacy. Where everything you say and do isn't subject to the microscope of data analysis. Where your daughters can make inappropriate jokes to their friends and not have to worry that those jokes will come back to haunt them 20 years later.  Maybe even where you could write a saucy love note to your wife and not worry that someone might read it. Nothing to hide, but still private.

I want that for you, Mr. Obama because you as an American - as a human being - deserve that privacy. But so does everyone else. Stand with the American people sir and be the champion we believe you can be. Stand with us as we asset our rights to privacy without conditions, without back doors. You are an American.

Tuesday, February 10, 2015

Google Talk is shutting down. Don't like Hangouts? Here's the solution!

In less than a week, Google will be shutting down its popular instant messaging service called Google Talk. Google Talk was Google's first attempt at building chat services right into your email but they also provided mobile and desktop clients too. Best of all, because they used XMPP (Jabber) on the back end, you weren't limited to talking to only other Google Talk users, you could chat with any user on any system that used XMPP.

Over the last year or two, Google has slowly rolled out its new "Hangouts" application. The idea behind Hangouts is simple: you have the ability to have a continuous conversation that includes pictures, video, and text, with the ability to move between multiple devices during conversations and pick up where you left off. It's a fairly decent system once you get used to it but not everyone needs "continuous conversation" and many people have contacts that aren't Google users. Unfortunately, because Hangouts is its own entity, it does not integrate with other systems. If you want to chat with someone using Hangouts, they have to use Hangouts too.

Thankfully, the same technology that Google is ditching for Hangouts, XMPP, is still widely used and readily available for anyone who might not want to use Hangouts or be too happy about Google's walled-garden approach to chat. A great XMPP server can be set up in less than 30 minutes and for about $5 a month. Best of all, you're not limited to who you can talk to and can chat to your hearts content with anyone on the planet who uses a Jabber service (unfortunately, this no longer includes Google users).

Here is what you will need:

- A $5/month VPS account with DigitalOcean (or a server of your own, if you have it)
- The Prosody XMPP server
- This tutorial
- A domain or subdomain for your server (not stricly required but useful)
- Each user will need a chat program. I recommend Jitsi but there are MANY.

For security, you probably also want to grab an SSL certificate for your service. You can get that from your favorite SSL provider (I recommend NameCheap).

Once you've gotten everything you need together, setting up Prosody is really a 20 minute or less job. Following the tutorial linked above, you'll be up and running and ready to accept user registrations in minutes with a fully secure and rock solid server. Best of all, your conversations truly are private and nothing goes to Google.

A discussion about chat programs:

Many people who've used Google Talk have used third-party tools like Trillian or Miranda to access their accounts. Accessing your new XMPP server is no different. Any chat program that supports XMPP (sometimes called Jabber) will work with your new server. I recommend Jitsi because it offers features such as fully encrypted text, video, and audio chat, that make keeping your conversations secure a breeze. But, really, in the end, the choice is yours. Try out a few programs (Miranda and Trillian should still work too) and see which best suites your organizations needs.

That's it! That wasn't too hard was it? Of course, there's a myriad of things you could do with your new XMPP server if you wanted to but there's nothing saying you can't just use it for awesome and secure chat with friend, coworkers, and family.  If you have any questions, or need help, don't hesitate to contact me and I'll lend a hand if I can.

Until next time!