Whose side are they on?

This is an interview in Wired with the principal deputy director of national intelligence (of the US). It’s all about how the tech industry should work more closely with the government (US). It starts out in classic paranoid fashion:

“SUE GORDON, THE principal deputy director of national intelligence, wakes up every day at 3 am, jumps on a Peloton, and reads up on all the ways the world is trying to destroy the United States.”

…and goes on to:

“I think there’s a lot of misconception about those of us who work in national security and intelligence,” she says. “We swear to uphold and defend the Constitution of the United States. That means we believe in and swear to uphold privacy and civil liberties.”

Not once is there a mention in the text that “the” government is actually just one government. Not once does Gordon or the reporter reflect on the fact that working closely with the (US) government means taking sides against the rest of the world. There is less and less common interest between the US government and the rest of the western world, not to mention the non-western world, so any initiative the tech companies join in with the US government is a big red flag for the market outside the US. Think Huawei.

I’m pretty certain the major tech companies do realize that the majority of their customers are not US patriots, and that being too cozy with the US intelligence services may not be good for business. Increasingly so.

I’m amazed, though, that this wasn’t even considered when interviewing for and writing that article. Maybe it would be a good idea not to distribute arguments like this beyond the US. Why do they even let us read “patriotic” claptrap like this? I can’t imagine the tech companies liking it much.

That includes Trump himself

A number of tech companies have filed an amicus brief in a suit against Trump’s executive order:

“Immigrants or their children founded more than 200 of the companies on the Fortune 500 list, including Apple, Kraft, Ford, General Electric, AT&T, Google, McDonald’s, Boeing, and Disney,” it said. The briefing also notes prominent immigrant and refugee writers, scholars and Nobel Laureates.

Now, that actually includes Trump himself. His mother and all his grandparents were immigrants.

(I’m talking about “immigrants or their children”, not “scholars and Nobel Laureates”, obviously.)

Horrible little law

Feinstein-Burr senate bill, it’s getting crazier by the day:

No, this slippery little act says that when a company or person gets a court order asking for encrypted emails or files to be handed over and decrypted, compliance is the law.

How compliance actually happens isn’t specified. They don’t care how user security was broken (or if it were nonexistent), and the senators are making it clear that from now on, this isn’t their problem.

Enemy number one

The US gov is quickly turning into corporate threat number one:

Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. 

If this is really the case, if the US govt is tapping servers like this at any significant scale, then having Apple implement encryption end-to-end in most of their products must mean that the govt is losing a hell of a lot more data catches than just the data they could get with a warrant.

The ability to recover data with a warrant is then just a marginal thing. The real problem is that their illegal taps stop working. Which means that the FBI case is a sham on a deeper level than it appears. The real panic is then about the server compromises failing. 

And, of course, the end-to-end encryption with no keys server-side is also the solution for Apple. Implants in the servers then have relatively little impact, at least on their customers. The server-to-client communications (SSL) would be compromised, but not the content of the messages inside.

If the govt loses this battle, which I’m pretty sure they will, the next frontier must be the client devices. Not just targeted client devices, which can already be compromised in hardware and software, but we’re talking massive compromises of *all* devices. Having modifications in the chips and firmware of every device coming off the production lines. Anything less than this would mean “going dark” as seen from the pathological viewpoint of the government.

Interestingly, Apple has always tended to try to own their primary technologies, for all kinds of reasons. This is one more reason. As they’re practically the only company in a position to achieve that, to own their designs, their foundries, their assembly lines, with the right technology they could become the only trustworthy vendor of client devices in the world. No, they don’t own their foundries or assembly lines yet, but they could.

If this threat becomes real, or maybe is real already, a whole new set of technologies is needed to verify the integrity of designs, chips, boards, packaging, and software. That in itself will change the market significantly.

The opportunity of taking the high road to protect their customers against all evildoers, including their own governments, *and* finding themselves in almost a monopoly situation when it comes to privacy at the same time, is breathtaking. So breathtaking, in fact, that it would, in extremis, make a move of the whole corporation out of the US to some island somewhere not seem so farfetched at all. Almost reasonable, in fact.

Apple could become the first corporate state. They would need an army, though.

As a PS… maybe someone could calculate the cost to the USA of all this happening? 

Even the briefest of cost/benefit calculations as seen from the government’s viewpoint leads one to the conclusion that the leadership of Apple is the most vulnerable target. There is now every incentive for the government to have them replaced by more government-friendly people.

I can think of: smear campaigns, “accidents”, and even buying up a majority share in Apple through strawmen and having another board elected.

Number one, defending against smear campaigns, could partly explain the proactive “coming out” of Tim Cook.

After having come to the conclusion that the US govt has a definite interest in decapitating Apple, one has to realize this will only work if the culture of resistance to the government is limited to the very top. If eliminating Tim Cook would lead to an organisation more amenable to the wishes of the government.

From this, it’s easy to see that Apple needs to ensure that this culture of resistance, this culture of fighting for privacy, is pervasive in the organisation. Only if they can make that happen, and make it clear to outsiders that it is pervasive, only then will it become unlikely that the government will try, one way or the other, to get Tim Cook replaced.

Interestingly, only last week, a number of important but unnamed engineers at Apple have talked to news organisations, telling them that they’d rather quit than help enforce any court orders against Apple in this dispute. This coordinated leak makes a lot more sense to me now. It’s a message that makes clear that replacing Tim Cook, or even the whole executive gang, may not get the govt what it wants, anyway.

I’m sure Apple is internally making as sure as it possibly can that the leadership cadre is all on the same page. And that the government gets to realize that before they do something stupid (again).

Adpocalypse, or not

Everybody’s on about the end of the web due to more and more people using adblockers. In one camp are the ones (me included) who are sick and tired of ads and tracking, and on the other side the ones accusing me and my kind of stealing content.

What ad providers try to do is to serve us as many ads as possible, hoping we’re interested in any one of them. At the same time, the whole tracking deal is to find out which ads we could be more interested in. The latter almost seems like it’s in our interest. Or would be if it worked better and didn’t involve the general creepiness of advertisers trying to read our minds and share it with others.

But I think there is a solution. 

Imagine if you had a settings sheet in the browser or in an extension, where you as a user could declare what kind of thing interests you in general. The browser presents this selection to sites you go to, allowing them to present you with targeted advertising without a lot of second guessing. I, as a user, would be less frustrated, and wouldn’t want or need adblocking. The advertiser would have a much higher conversion rate. And the site owner could make such a preference header a requirement to visit the site. In exchange, there’s no need for tracking to try to guess my preferences; I already told you myself.

How stupid can you be…

Read this in Jerusalem Post, couldn’t believe it. I know Swedes can be real useful idiots, or useful real idiots, but this? Did a quick search, and yes, Swedes can be even greater idiots than I ever imagined. They actually did it. It’s true. Rewarding voluntary ISIS fighters after homecoming. Way to go.

Congrats, Sweden. If there was a dumbass competition for city councils, Stockholm should get first prize.

You cannot trust

Caspar Bowden spoke at the 31c3 conference. Snippets:

I told my technology officers at Microsoft that if you sell cloud computing services to your own governments, this means that the NSA can do unlimited surveillance on that data. […] two months later they did fire me.

“Technology officers” represent Microsoft in their respective countries.

On the “FISA Amendment Act of 2008 (Sec 702)”:

This means if you are not American, you cannot trust U.S. software services!!

Exactly.

The US congress was laughing, laughing at the idea that you have privacy rights. That is the climate of the US privacy debate.

“You”, in that sentence, refers to non-US persons outside the US.

FISAAA offers zero protection to foreigners’ data in US clouds.

US is “exceptionally exceptional”: The number of references in surveillance law that discriminate by citizenship/nationality (NOT geography of communication path), per country:

US: 40, UK: zero, Germany: 1, Canada: 2, New Zealand: 2, Australia: 2. No others.

On whistleblowers:

We need to give them watertight asylum, and probably some incentives, some rewards. I actually proposed to the parliament [EU parliament] that the whistleblower should get 25% of any fines subsequently exacted.

Big applause from the audience…

How do people know politicians and officials aren’t influenced by fear of NSA spying in their own private life? […] this is highly corrosive to democracy!

Finally:

The thoughts that Edward Snowden has put in the minds of people cannot now be unthought.

What this all means, in practice, relating back to medical applications, is that we (Europeans) can’t use US software or services, which includes medical records such as EPIC, data analysis services such as IMS Health, data storage such as Amazon, Azure, iCloud, backup solutions (unless encrypted client side), or even US operating systems such as Android, iOS, OSX, Windows, a series of embedded OS, etc. At least not if we care about our patients’ right to privacy.