Pages

2016-02-25

Trust is the biggest threat to privacy & security

Part of the reason I trust Google is because I assume that people who work there have values like me. If unethical marching orders came in one day then engineers might resist them or one person might leak it. It took just one technician to blow the lid off of Room 641A. Google's past record of exiting mainland China because of Chinese spying should illustrate the commitment of Google to its users. This serves as an effective deterrent to people that might think of coercing Google to abuse its power. (Let's ignore the fact that Google did NOT leave the US market when the NSA tapped its server room interlinks.)

Unfortunately, this is not enough. The biggest risk to privacy and security is trust itself. The FBI / Apple case has made obvious that Apple has the ability to collect information from iPhones (before 5s). The effort would be herculean, but is it possible.

Bo Xilai is a political dissident in China and was jailed by premier Xi Jinping for conspiring to take over the national party. The level of assurance provided by Apple's iPhone 5c was not enough for Mr. Bo to conduct his operations. It is assumed that Apple's 5s and on are beyond even the reach of Apple.

In summary, when considering the privacy and security assurances of a system, it is usually the human element or the implementation details that are weakest. This can be quantified with the "ransom factor": 
How many people would need to be served National Security Letters, served with All Writs Act injunctions or have their children taken ransom would it take to break the system?