Encryption and security booming in post-Snowden Internet, but will it help or hinder?

As people discover the extent of US government spying on just about everyone, they're reasonably turning to encryption and security solutions. But how well do those solutions work?

The very concept of the Internet changed in people's minds with whistleblower Edward Snowden's revelations last summer. Before Snowden, we thought it was the information superhighway: a place where we could research, play, shop, and hang out with friends, even if we had to worry a bit about security and privacy.

But when Snowden blew his whistle, we discovered what the Internet really was: a US-made, digital version of the Stasi--the East German secret police determined to know everything about everyone. Even if criminal hackers don't get their hands on your private information, the government will.

The natural and entirely justifiable response for users is to encrypt everything you can. For software entrepreneurs, the natural response is to offer new programs to protect people's privacy--even if some of those programs aren't very good. According to an Associated Press article by Martha Mendoza, "the flood of new computer security services is of variable quality, and much of it, experts say, can bog down computers and isn't likely to keep out spies."

"Every time a situation like this erupts you're going to have a frenzy of snake oil sellers who are going to throw their products into the street," warns CloudPassage CEO Carson Sweet. CloudPassage offers security for cloud environments--and if anything needs security, it's the cloud. The trick is to use encryption and security at your end, and not in the cloud, where someone else can control it.

I've seen enough flawed security products over the years to believe Sweet's claim. Consider Cryptocat, an encrypted instant messaging service first introduced in 2011. Last year, Quinn Norton praised Cryptocat highly in a Wired article titled "This Cute Chat Site Could Save Your Life and Help Overthrow Your Government." But only a few weeks later, another Wired author, Patrick Ball, found Cryptocat not so cute. In fact, "your security depends entirely on the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat…no better than having no crypto at all."

Since Snowden's revelations, new security offerings keep springing up. For instance, Pirate Bay co-founder Peter Sunde released Heml.is--named after the Swedish word for secret. But Sunde has refused to make Heml.is' code open source. When a program is open source, anybody with the technical skills can read the code and look for flaws. While this may seem like a security breach, it actually results in more reliable and secure programs. According to security expert Bruce Schneier, "In the cryptography world, we consider open source necessary for good security; we have for decades."

Considering the massive computing power available to the NSA for cracking encryption, some companies feel that the only secure option is to get out of the United States. San Francisco-based data storage provider Pogoplug is doing just that, moving cabinets and cables across the Atlantic at the request of a major client, Paris-based Bouygues Telecom. Pogoplug CEO Daniel Putterman told AP's Mendoza that "They want French law to apply, not U.S. law." Pogoplug is planning a similar move for an Israeli client.

The government is spying on you. So are criminals and corporations. And not all the companies selling solutions are trustworthy. If you’re concerned about privacy, keep your cards close to your vest and your ear to the ground – the game is changing on a daily basis, and the players are some of the biggest organizations in the world.