Monday, September 29, 2014

Privacy should be a priority

Ever since Snowden started telling the world about the doings of the NSA and other government agencies, privacy has become much more of a focus area for a lot of people - this includes Tim Bray, who debuted a new talk at GOTO Copenhagen called "Privacy and Security, Policy and Tech".

At GOTO Copenhagen, the room was unfortunately full, and I didn't get to see it, which is why I was quite happy to get a second chance the week after at GOTO Aarhus.

The overall message of Tim Bray's session was that privacy is important, and that we, as developers, should make sure to protect the privacy of our users' information as much as we can.

A lot of people have a quite relaxed opinion about privacy and security, though this has started to change after Snowden. As Tim Bray said:

A lot of people have realized that the internet is a bad place, and that their information is hanging out places where it shouldn't be.

Also, people have started to realize that just because they have nothing to hide now, it doesn't mean that they won't have in the future - if nothing else, then when laws change, and formerly perfectly legal things become illegal.

A historical example of that could be membership of certain political organizations in the US, which was perfectly legal, until the red scare and McCarthyism kicked in.

Another, more recent example, is simply being an LGBT activist in Uganda, which carries high risks of prosecution, even if their "kill the Gays" law was struck down.

Again, quoting (or rather, paraphrasing) Tim Bray:

Most people at this conference probably live where the government is fairly civilized, and won't get their door kicked in in the middle of the night. But while it is probably true for people at this conference, it is not true for a majority of the world population as a whole.

This is an important point. Even if we have nothing to hide, and don't expect ever to have anything to hide, the same doesn't hold true for most of the world's population, perhaps including a large proportion of your end users.

This should be obvious, but a lot of people tend to forget that, and don't even enforce the most basic methods for enabling privacy, such as HTTPS.

HTTPS was an area that Tim Bray dedicated a lot of time to, precisely because it is such a basic method, and so many systems don't support it.

This has to change.

Using HTTPS is such a low-cost, easy solution that there is absolutely no reason not to use it at all times, no matter whether privacy is needed. And as Tim Bray also pointed out, there is an asymmetrical cost to using vs. not using HTTPS. Using HTTPS costs a little all the time even when it is not needed, but not using HTTPS can come at a huge cost when it was needed. This is an unacceptable risk.

One thing Tim Bray didn't get into, which I also find important, is that if everybody runs HTTPS, and thus encrypts their communications, it offers a type of herd immunity to those who really need to protect their privacy - their communication doesn't stand out from the rest.

This is the reason why Google encrypts its users' traffic (they were actually inspired by Cory Doctorow's book Little Brother).

So, all in all, the overall message of the session was that we need to think about how we can protect the privacy of the end users, and at the very minimum we need to ensure basic privacy measures like HTTPS.
