Psssst: If you wanna be rich, make the next privacy Robocop app

Revelations of US spooks monitoring the internet have freaked out consumers so much that privacy protection software will be The Next Big Thing. That's according to antivirus firm AVG, which reckons the market for products that safeguard online freedoms will be huge. Siobhan MacDermott, chief policy officer at the company, …

COMMENTS

This topic is closed for new posts.
  1. Mystic Megabyte
    Linux

    Flash?

    Being a Linux user I would guess that the biggest security risk on my PC would be Adobe's Flash.

    Has the NSA the ability to switch my microphone and web-cam?

    Whatever the answer, the sooner Flash is retired the better.

    1. Anonymous Coward
      Anonymous Coward

      Re: Flash?

      Have you considered installing a flash blocking plugin for your browser?

      1. David Pollard

        Re: Flash? - BleachBit

        "Have you considered installing a flash blocking plugin..."

        If not, or if Flash is sometimes needed, BleachBit seems to work quite well. It's conveniently available at portableapps.com.

      2. Anonymous Coward
        Anonymous Coward

        Re: Flash?

        I wouldn't trust any software 'off' switch.

        Considering the debate and fears over privacy now, it won't be too long before we see laptops with slidable caps over the camera and a hard 'off' switch for any mics.

        In the meantime, blue tack or sticking plaster if you're doing anything in front of the computer you'd rather not have recorded.

    2. Ross K Silver badge
      Gimp

      Re: Flash?

      Wow, you're a Linux user? You don't say.

      Maybe you could go back to using Lynx as your browser? They probably still bundle that with Linux...

      1. Chairo
        Happy

        @Ross K; Re: Flash?

        Lynx is available from a repository if needed.

        It can come in handy, if you need to browse a website or configuration page from some lightweight system without GUI.

        No need to bundle unneeded packages with the distribution, if anything you need can be installed easily on a whim.

        Say, you still use a proprietary OS?

        1. Anonymous Coward
          Anonymous Coward

          lynx

          $ cat README.txt

          Refer to README.html

          $ lynx README.html

          [nothing that couldn't have gone in a txt file]

          Thanks for that Oracle.

        2. Ross K Silver badge
          Holmes

          Re: @Ross K; Flash?

          "Say, you still use a proprietary OS?"

          I use OS X, XP, and 7. I don't really give a shite if some people consider them "proprietary". They're a tool to get the job done, not a lifestyle choice - although the level of misguided fanboi-ism round here would make you wonder.

      2. Tom 38
        Linux

        Re: Flash?

        No-one uses lynx anymore, it's a bit pap. We all use links2, which is to lynx what vim is to vi.

    3. C 18
      Facepalm

      Re: Flash?

      Eh, read this...

      And then have a look under the hood of the thingy your o/s is running on...

      And to which your webcam and microphone and ethernet or wi-fi and every other darn thing that can be classified as hardware is connected.

      Who the heck knows what those circuits are doing with your bits?!

      (And don't give me the whole, you need device drivers for all the devices... well, that's true, but the spooks just need the bits, they can figure out what device drivers to use later, when you've gone and blown something up for instance.)

      PRISM is just the tip of the iceberg.

  2. Pen-y-gors

    No shit, Sherlock!

    I think she may be right - but it needs to be seamless. Install and forget and all communications are automatically encrypted. And given the lack of trust for the suppliers in the middle, it'll need to be encrypted between the end-users, so the servers in the middle only ever see/store encrypted traffic (bar the routing info perhaps, and even that can hopefully be obfuscated?) - and if everything is encrypted the NSA/GCHQ will be storing an awful lot of traffic.

    When will Gmail incorporate automatic PGP?

    1. No longer in IT
      Big Brother

      Re: No shit, Sherlock!

      "When will Gmail incorporate automatic PGP?"

      You're not seriously suggesting that someone interested in privacy would use a Google product are you?

    2. Ru
      Black Helicopters

      Re: No shit, Sherlock!

      "When will Gmail incorporate automatic PGP?"

      Hushmail touts PGP encrypted mail as one of its big benefits. Unfortunately, the private keys are held server side, and as a result they can pretty much decrypt whatever the hell they wanted and indeed did: http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy

      I'm not aware of a javascript based system that would let you do client-side encryption of webmail, yet, and that's what would probably be needed for GMail to run PGP in a way that actually stopped the likes of the NSA having free rein of your private keys. Now if Google added PGP/GPG support to their standard Android mail clients and let you set up a key pair as part of the Google account registration system, that would be rather different and much more interesting. I'm not holding my breath though.

      1. Buzzword

        Re: No shit, Sherlock!

        Even with Javascript decryption, you'd have to trust the site providing it. Who's to say that the JS decryption code isn't secretly sending your keystrokes back to Gmail.com? For that matter, you can't trust the browser makers either - and if the spooks can corrupt Microsoft, Google, and Apple, then most likely they can corrupt the Mozilla foundation too. Technical solutions aren't the answer - only legal solutions.

        1. Ru

          Re: No shit, Sherlock!

          "Even with Javascript decryption, you'd have to trust the site providing it"

          I did think about this. Ultimately, it is possible to examine the behaviour of software running on your own machines and transmissions over your own networks. Covert channels can be very stealthy indeed, so you can never be 100% certain, but you can go a long way by logging what the javascript (or whatever) client is trying to send.

          I'd prefer to be running my own client software, but even the javascript approach is more useful than Hushmail's.

          "Technical solutions aren't the answer - only legal solutions"

          Legal solutions generally have legal workarounds, especially when it comes to issues of national security which often grants those working around the problem with legal immunity of various kinds, and gagging orders. The best you can hope for is a decent audit trail and responsible oversight, which ultimately boils down to a matter of how much you trust Google (or whatever other service provider) and your local friendly security services, vs how much you trust the implementation of GPG in your mail client.

          In the spirit of "trust, but verify", I'd lean towards the latter because I can take some minimal steps to ensure it isn't misbehaving. Bit hard to do that with big corporation and government agencies in your own country, let alone foreign ones.

      2. Suricou Raven

        Re: No shit, Sherlock!

        Only partially effective, unless you want to verify every time the code comes down. Javascript can be altered easily. Sending every user a 'null operation' script would get noticed, but they could easily target it at anyone the NSA's algorithm considers suspicious.

        To be any good, encryption needs to run at the client end. What we really need to see is integration into something like Thunderbird.

        Not that it matters. People don't actually email that much any more: The masses just communicate through facebook messages.

    3. Anonymous Coward
      Anonymous Coward

      Re: No shit, Sherlock!

      "When will Gmail incorporate automatic PGP?"

      PGP encrypts the email for transmission through the interwebs. That doesn't stop the NSA snooping if they have a backdoor into Google (which they apparently do, despite official denials which Google is required to make under the law). They can just see your message before it is encrypted.

      However, you can use gmail via an IMAP or POP client like Thunderbird. I have GPG installed on that and can send encrypted messages to recipients that even Google cannot read, because they're encrypted on my machine. Only down side is cannot read them via the Google web interface.

      I suspect the next NSA scandal is going to be backdoors built into all manner of software and not just OSs. Basically if you have anything compiled and produced by a US corporation on your machine, the NSA can (it appears) force them to compromise it. Having access to the device allows them not only to view all communications coming in/out without encryption, it also lets them read anything you have stored locally, and operate your camera and mic. Pretty scary considering we're all carrying around phones with OS from Google, Apple or MS on them.

    4. Badvok

      Re: No shit, Sherlock!

      "When will Gmail incorporate automatic PGP?"

      What would be the point? The 'security' services are generally more interested in who you are talking to rather than what you are actually saying. Though obviously if you are sending lots of encrypted emails then they will probably flag you up for further investigation and try to find out what you are talking about.

  3. Anonymous Coward
    Anonymous Coward

    If you encrypt things or conceal them then there is a feeling that you have something to hide.

    People who avoid mobile phones and the Internet for those sorts of reasons seem suspicious if you think along those lines.

    1. Ian 62

      something to hide

      But if it was the accepted default. "Everything everyone does, send, receive, create, read, is encrypted end to end."

      Then it's not suspicious is it?

      So if we all start using proxies, vpn, PGP, truecrypt, then it's no longer something unusual.

      Why shouldn't the best available encryption and privacy be the expected default on for everything?

      Not just to avoid Government agency snooping, but also criminal and insider attacks?

  4. Alister

    The security expert was astonished by the reaction to the scandal of the web-snooping NSA PRISM project, which left consumers feeling "violated".

    Apart from a few Daily Mail types, the average consumer's reaction appears to have been resounding apathy, either because they don't understand, or they don't think it applies to them.

    1. Anonymous Coward
      Anonymous Coward

      gov'ts too feign indignation...

      But they're all at it, so are prepared to overlook the US/NSA's transgressions.

  5. Anonymous Coward
    Anonymous Coward

    Yawn

    and the Next Next Big Thing will be anti-anti snooping software.

    etc.

  6. Ketlan

    "In Europe, people remember a time when you could be killed for having the wrong political beliefs or religion. The people who run Facebook and other big social media companies don't have that baggage, so privacy can be something of an abstract concept to them in a way it isn't in Germany, for instance, with memories of the Stasi and Nazis."

    In many places, you can STILL be killed for having the wrong political beliefs or religion. A good enough reason on its own for having a bit of privacy when using the net in whatever form.

    The comment about Facebook and privacy issues being a tad abstract compared to those who had clearer memories of the Nazis is strange, given that Mark Zuckerberg is Jewish. Not many people have a clearer memory of the Nazis than the average Jew. Not being snarky, by the way - I'm Jewish, too.

    1. Anonymous Coward
      FAIL

      Errr, pretty sure the only Jews who have 'clear memories' of the Nazis are the ones who lived through the Holocaust. Don't see what Zuckerberg being Jewish has to do with anything?

      1. Ketlan

        "Errr, pretty sure the only Jews who have 'clear memories' of the Nazis are the ones who lived through the Holocaust. Don't see what Zuckerberg being Jewish has to do with anything?"

        Because those who survived the Holocaust make damn sure their descendants never forget what happened.

        1. Anonymous Coward
          FAIL

          Yeah, but the original point was that US companies like Facebook, et al don't see privacy as much of a concern as certain European countries as they have never grown up under a Communist/Fascist government, as many Germans, Poles, Spaniards, etc did.

          Are you saying Zuckerberg being Jewish means he does know what that is like? Or are you just living vicariously through the suffering of your ancestors, in which case we can all do that.

          <---- Irish

          1. Homer 1
            Big Brother

            Re: "US companies never experienced fascist government"

            Erm, but the US is fascist, surely.

            If Gitmo and the "Patriot" Act weren't enough to demonstrate that fact, surely Prism makes it crystal clear.

            1. Anonymous Coward
              Anonymous Coward

              Re: "US companies never experienced fascist government"

              Not quite comparable to Nazi Germany or Poland under Stalin, but whatever....

              1. Chairo

                Re: "US companies never experienced fascist government"

                "Not quite comparable to Nazi Germany or Poland under Stalin, but whatever...."

                It should be mentioned, that Hitler was democratically elected in a real and functioning democracy. He first became chancellor, then bullied the parliament into granting him more and more power, but it was only when the president died, that he made his final grasp for power and became "president and chancellor" in one person. Up to that moment pre-war Germany was still a democracy.

                So no, I don't agree. It is quite comparable, what happens here. Democracies are very fragile things that need a proper balance of power between government and people. Secret courts, an unseen external threat, an all-seeing spy network that is out of control - that is the stuff dictatorships are born from.

                OK, I agree that Obama is not Hitler. He will not misuse this power. But there will be another president after him. What about that guy?

          2. Anonymous Coward
            Thumb Down

            what about us

            I don't think Jews have a monopoly on having had some bad things done to them in history, or even by the Nazis, and certainly no evidence that this makes them any less likely to perpetrate the same on others, considering what their own race-based state has got up to since.

        2. This post has been deleted by its author

        3. T. F. M. Reader
          Black Helicopters

          Holocaust education

          I already mentioned Cryptonomicon tangentially in another post, but anyway: one of the most profound ideas there is that to prevent a future Holocaust one needs to educate potential victims, not potential perpetrators. And privacy seemed to be a pretty important means to that goal. I wonder why?

    2. Ross K Silver badge
      WTF?

      "Not many people have a clearer memory of the Nazis than the average Jew."

      Are you high or something?

      If there was a Moron Of The Week™ award, you'd be receiving it right about now.

  7. CompuGuide

    Detailed Control of Smartphone app permissions is seriously needed

    Where this really makes sense is on smart phones. Many Android apps require a list of permissions, that if abused could easily reveal personal information. Facebook, for eg activates your GPS. Now, I, for one would love to be able to disable this!

    1. Pat 11

      Re: Detailed Control of Smartphone app permissions is seriously needed

      Predictably, someone (me) is going to say custom ROMs are blazing a trail here.

      Cyanogenmod has granular permission toggles, but even better the recent builds have Privacy Guard, which enables spoof empty contact, calls and message databases that can be enabled for individual apps, and set as default for new apps.

      Obviously not everyone can have this, most are tied to the OS the phone came with.

      1. Ru
        Happy

        Re: Detailed Control of Smartphone app permissions is seriously needed

        "Cyanogenmod has granular permission toggles, but even better the recent builds have Privacy Guard, which enables spoof empty contact..."

        Woah, seriously? That's a feature I've been waiting for in Android for years. My next Android device will definitely be a Cyanogen-compatible one.

        1. anger

          Re: Detailed Control of Smartphone app permissions is seriously needed

          The only problem I have with all these custom ROMs, is that you have to trust them, that there isn't any trojan already sending all the sensitive data back to the base.

          Google should incorporate these features in their codebase, but I doubt they ever will.

          1. DropBear

            Re: Detailed Control of Smartphone app permissions is seriously needed

            Wait, let me get this straight - you wouldn't trust a "custom ROM" (which is basically a recompiled version of a somewhat further developed open source Android codebase) to behave, but if a ROM offered as a binary blob directly by Google (and / or one of its partners) would include those features, you'd be ready to trust it...? Yeah, sounds legit...

            1. anger

              Re: Detailed Control of Smartphone app permissions is seriously needed

              That's right - Google is the lesser of two evils. I'd rather have Google reading my credentials than some other crooks.

          2. Chairo

            Re: Detailed Control of Smartphone app permissions is seriously needed

            Ironically the new Huawei Ascend P6 has this functionality out of the box. Of course, it being a Huawei, it is questionable what kind of backdoors, etc are built in, as well.

            On the other hand, it might give some pressure on other makers to also include such kind of functionality.

  8. Anonymous Coward
    Anonymous Coward

    Microsoft?

    Given how Microsoft put back doors into Outlook for the NSA to access a user's stuff (according to Snowden), why would anyone trust a system with MS OS on it under any circumstances?

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft?

      No, but do you trust Google or Apple, considering they were in on Prism? Having an open-source kernel means absolutely nothing in terms of preventing either of them putting backdoors into their OSs.

    2. dogged
      FAIL

      Re: Microsoft?

      "Given how Microsoft put back doors into Outlook for the NSA to access a user's stuff (according to Snowden), why would anyone trust a system with MS OS on it under any circumstances?"

      Given that MS dispute this and claim that the Grauniad has misreported what Snowden said - and is allegedly going to court for the right to tell people what information they've given NSA as reported here on the Reg - while Google (for example) aren't denying anything.... why the hell would anybody choose Android or ChromeOS for anything?

      But nice try, Eadon.

  9. Anonymous Coward
    Anonymous Coward

    It still amazes me

    That so many companies still transmit commercially sensitive information, unencrypted. For some reason, a "Need to transmit commercially sensitive information? Here's my public key," in the signature of an email, is extremely rare.

    Because it is so rare, BTW, I assume any evidence of encryption will be flagged by organisations like the NSA and GCHQ.

  10. Katz

    I think she's right, I think there will be a surge in demand for simple seamless encryption products, whether it's the next Big Thing, not sure, but I reckon it'll be significant. The only gripe I have with it is surely any U.S company and many Western software security companies will simply be pressured (one way or another) into releasing algorithms or making some sort of backdoor for 'national security' requests anyway. If it were too difficult to break and became popular, they'd then just make it illegal, surely.

    I'm not an expert on this sort of thing, maybe someone can enlighten me?

    But it would defeat the object wouldn't it?

    1. Ru
      Big Brother

      "any U.S company and many Western software security companies will simply be pressured (one way or another) into releasing algorithms or making some sort of backdoor for 'national security' requests"

      Adding a backdoor that's untraceable by cryptanalysts is a tricky job. Creating a cryptographic algorithm that actually works well is also pretty hard, that's why most folk use standard ones like AES. AES may be an NSA approved standard, but ultimately it has seen some serious investigation and appears to be sound. Remember that vulnerable encryption is bad news for big western businesses, and they're the ones who keep the political parties propped up. If nothing else, it'll be quite hard to stop end-users making use of their own cryptographic software.

      No, instead you'll see other means for the security services to get the information they need. In the UK at least they'll just lock you up if you don't hand over your encryption keys. The Fifth Amendment appears to protect US folk for now, but I wonder if all it would take is a bomber using encrypted email or files to give police additional powers if they suspected terrorist activity?

  11. T. F. M. Reader

    Mostly Useless?

    This may turn into a big market indeed. Maybe short-living as well. As any snake oil promotion.

    It seems to me that any such solution will lie between useless and impractical.

    1. A gazillion privacy/encryption providers with different offerings will mean hardly anyone will be able to talk to anyone else. Even 2 or 3 is too much. So, will they all need to agree on an (open) standard?

    2. 99% of one's likely correspondents probably have problems attaching a file or copy/pasting stuff to emails - I doubt any encryption software, even install and forget one, will be practical unless you only talk with geeks. Most people wipe lots of stuff from their disks often (due to virus infestations, negligence, whatever), which will necessitate re-generation of security keys, etc. NB: encryption must be done on the client side, cannot be done by Google on their servers.

    3. Assume a known encryption scheme, e.g., something like public/private key pairs. How would keys be exchanged by laymen? Will public keys be sent by email? Each time they are regenerated (see above)?

    4. Who are the companies offering privacy solutions? Are they American? British? European? Russian? Ah, registered in the Sultanate of Kinakuta! Thought so.[*]

    5. Your metadata will not be hidden - email needs to be routed somehow. That is arguably more important than content.

    6. VPNs, Tor, etc. won't help much, either - they do nothing to application-specific metadata, such as your account name. So you connect to GMail using an obfuscated IP address, but you log in as so-and-so, and Google know. [If your address is identified as Tor your location may be deemed as foreign by the NSA with a higher probability - happy?] Then you send an email to me at Yahoo! - that is also known to both Google and Yahoo!. Then I use Tor and hide my IP address, but what has really been achieved in terms of hiding our communication? It's become a bit more difficult to figure out we talk, but not by very much, IMHO. And it's still beyond the technical capabilities of most people. And even for you and me - shall we create new online identities using Tor and never, ever, ever do anything without Tor or with our existing accounts, emails, etc., again?

    [*] Reaching to my copy of Cryptonomicon on the top shelf. They seemed to have a solution based on a particular legal regime in a country that was independently wealthy. Yes, on the top shelf - who mentioned Kindle?

  12. Homer 1
    Big Brother

    The solution...

    The solution isn't a technical one, in the long term. It needs to be addressed via the democratic process, assuming there still is one, or by (dare I say it) revolution otherwise.

    In the interim the best you can do is little more than a futile exercise in risk reduction, which is basically just a placebo. Running Free Software helps. A lot. And I mean everything, from the OS itself, the networking stack, encryption and other security tools, to your own personal "Cloud" (hosted at home, naturally, and hidden behind an ssh tunnel on a closed, non-standard, high port that you open by knocking).

    Will that help? A bit, but then you need to be clear about your objective, which should be determined by threat analysis. To me, the biggest threat is Western (primarily US) corporations and their political lackeys, so whatever measures I take need to focus on protecting myself from that threat, and not have the delusional objective of being totally anonymous and secure against all possible threats.

    That means moving the end point of my communications outside Western jurisdictions (using VPN), into territories considered "hostile" by those corporations and governments (i.e. the enemy of my enemy is my friend). I don't care (and moreover can't afford to care) that some Russian/Chinese data centre operator is able to monitor my online activities - neither he nor his country is the threat, my own country is, and it's not like he can do anything to me with that information anyway (OK, maybe identity theft and bank fraud, if I'm not paying attention). I don't have privacy, anonymity and security from the whole world, but I do have it from the thing that actually threatens my freedom - my own jurisdiction. Hopefully.

    Although it's debatable if any Western-hostile territories exist any more, given that most of them have been annexed by the US, by force or otherwise. For now I use Russia, which is really just a Western "ally" in name only, but in practice is a fairly safe harbour. China might also be an option, if it had anything resembling a reliable Internet service (I do have a proxy there, but it's basically useless). China also suffers the problem of censorship, but then so does the West (DMCA, EUCD, etc.), so that's not really a determining factor.

    What else could I do?

    Short of giving up on the Internet completely, and probably giving up on computing in the process, not much.

  13. Werner McGoole

    Still to be convinced there's an easy solution

    I doubt this issue is going to spawn a new huge market, but it could well get enough interest to substantially increase the sales of security companies, which is presumably what this AVG spin is all about.

    But then you have to trust AVG, or whoever you go with. So now they're no. 1 target for NSA infiltration. Ultimately, I don't see the proper solution being reached by going down that route unless the security firms can find some sort of distributed trust system that doesn't give them any privilege. But that's probably incompatible with the profit motive. So I'm inclined to think FOSS is pretty much essential here. Too bad that generally fails so badly on ease-of-use.

    Even with end-to-end encryption - if it can be made practical for the novice - metadata and traffic analysis is still way too powerful to be ignored. Unfortunately, the options here are pretty limited. Re-mailers, VPNs and the like all place trust in those providing the service. Various dark nets have addressed the issue in a distributed manner but nothing of much practical use seems to have emerged. Tor is perhaps a borderline exception, but I don't think it handles most messaging requirements too well (not even email). Also, the fact it hasn't already been shut down makes me think the security services aren't too much troubled by it.

    Possibly that might change if Tor were to become large enough that it's impossible to observe enough of it to draw conclusions, but that's unlikely to happen as, being FOSS, ease-of-use isn't exactly high. Possibly if someone were to market a small Tor appliance that would plug into a home router, though, that might make a difference to take-up.

    But on the whole, I'm not optimistic that this whole snooping issue will lead to anything more than a whole lot more bloat in existing security suites.

    1. Pascal Monett Silver badge

      I totally agree with you. Any solution will have to be Open Source by nature, so that multiple eyes can guarantee the absence of any backdoor, given that government guarantees in this domain are totally not credible (hey NSA, remember that little thing called the Constitution?).

      It will also have to be idiot-proof, which is a major stumbling block right there. Finally, all operators will have to agree to use it, which will mean setting aside their own solution - and that will be another major issue.

      Since AVG has brought this issue to light after having purchased a company dealing in securing privacy, it seems obvious that this is a ploy to trumpet their own horn and it will be that more difficult for them to abandon the investment and adopt an Open Source solution.

      So, right from the start this whole issue seems practically moot already.

      Although I do agree that privacy is going to become a more important concern than it is now, but given that its level of concern is currently nil (otherwise Facebook, Google and the US government would be facing quite stiffer resistance), that doesn't seem to mean much.

  14. This post has been deleted by its author
