PS Down vote is annoying. This is precisely why I use Wickr for some communications. It gives me a text message like experience with messages that are automatically deleted from my phone and recipient's.
That assumes you can trust 1) the (proprietary) application on the recipient's end to delete the message, 2) the recipient to not save the message some other way, and 3) the opaqueness of the protocol preventing anyone from writing a replacement client that doesn't delete messages.
There's no way to guarantee deletion; if the recipient can read it, the recipient can save it.
In the end it will always come down to the 'analog hole' - no matter how airtight the digital implementation, you'll never stop the user at the other end from taking a photo of the screen.
Not an analog photo, no. However, an airtight digital implementation would absolutely do stop anyone from recording anything they're not allowed to record -- and it wouldn't be really airtight if ownership of non-aligned equipment was tolerated :P
Can we trust Wickr? I have used it for some communications I would not like to get to wrong hands (but the consequences of getting lost are not too harsh), yet I have roughly zero confidence that the messages aren't stored and that they are delivered end-to-end secure.
It's not open source (?) so it can't be audited. The server infrastructure may be wiretapped and/or backdoored by law enforcement together with a gag order. It's headquartered in the US, which I don't trust. They claim to be end-to-end encrypted but how can I tell, let alone the general public who aren't familiar with crypto.
I've used Wickr because the other parties I was communicating with were using it. But since I wasn't trusting the other party (cryptography can only assure trust, not create it) so I might have been using smoke signals instead.
For my use, it still does beat text messages because at worst it's security by obscurity and my local (non-US) law enforcement can't easily get their hands on the data.
For something I don't want to get into the hands of local law enforcement (outside US), Wickr might be better than text messages.
But I trust my network provider more when it comes to keeping the data safe, if I don't mind that local LEO agencies can readily access it. They are under strong legal and contractual obligations not to disclose the information to third parties and have better funding than Wickr.
Wickr probably does a pretty good job, but they might be backdoored (ie. keep plaintext of communications and/or metadata) and might get hacked and leak the data and release it in the internet.
It is interesting that the aides's solution is similar (BlackBerry instant messages) which, apparently, RIM does not archive (though I'll bet the Canadian CSE does).
An interesting property of BBM is that organisational policy can be enforced for message deletion. It is not implausible that future iphones will have to supply some proof of being un-tampered before being allowed to join Apple's overlay network.
In the short term, switch to Signal or WhatsApp, and don't send anything naughty. Have a scheduled deletion policy written down and follow it.
And while it frequently afflicts those utterly disenfranchised (see the parallel HN item on asset forfeitures, aided by scanning or having employees hand over travel records), it also hits those in power. The difference is that whilst the disenfranchised may find themselves arrested or disencashed, the powerful seem to find a harsh spotlight shined on them, but largely avoid harsher penalties.
Not always, and not entirely successfully. But information, it turns out, is not power, but a power multiplier. If you have a great deal of power, information used against you diminishes that somewhat, but can only multiply your attackers' own power by so much.
I wish politicians used that mantra, too, and made laws that basically split information into various classes or levels of sensitivity. Companies would still be free to collect whatever data they want. But the higher the sensitivity level, the punishment becomes progressively bigger, too, in case of a data breach that exposes that information (and the punishment should be almost automatic when it happens).
I believe that should give companies enough incentive to:
1) collect only the absolutely necessary data that they need
2) if they do collect more sensitive data, invest heavily in protecting it
I disagree. Cynical me thinks this plan would first and foremost give companies incentive to gain control about whichever agency is tasked with setting the sensitivity levels - and make sure all interesting data is classified as "minimum sensitive"...
You could even use this as a tool to gain an unfair market advantage:
1) develop some proprietary (reversable) obfuscation algorithm
2) market the algorithm as "data anonymization" and lobby to get the "anonymized" data classified as insensitive
3) you can now collect the same data as your competitors but have to obey lesser security standards than they have. Unless they purchase the algorithm from you.
4) profit!
But even if that scheme worked, it doesn't seem to protect the end user against things companies intentionally do with the data that are not in the user's interest. Including "intentional data breaches", aka selling the data to third parties. (or getting acquired by a third party)
I'll take a guess that you believe real name, home address, and phone number are way up there on the "extremely sensitive" side.
Most of the American public remembers phone books. I don't think they're going to vote to make publishing the White Pages punishable by serious jail time.
It is (or was) difficult to process a phone book at the rate of 100,000 entries in a few minutes or seconds. Electronic data gives you that capability.
The information in a phone book is now the backing and access data, at least in some cases, to other online systems and services. "Who are you?" is the most expensive question in information technology. No matter how you get it wrong, you're fucked.
There are a great many systems which now can use the information in a phone book, or which starting from a phone book you can access, to commit fraud (it's called "identity theft", but it's still just plain old impersonation fraud). Unfortunately, this becomes, in many jurisdictions, the victim's problem.
It's not so much that phone books have changed (though that too), but the world around them certainly has.
Identity theft is possible for the sole reason that privacy advocates consistently defeat proposals to build any system of identification/authentication less broken than forgeable drivers licenses and shared-secret SSNs. People actually get angry when we make it harder to forge IDs! Propose any sort of PKI or .gov OAuth provider or something, and you're basically Big Brother himself. It's like the ability to commit identity theft is considered a right.
Trying to authenticate people by their knowledge of data that's in or easily deduced from the public record (or "shared secrets" shared with every entity they've ever done business with) is an objectively wrong security design and we need to stop using it. Making those public records harder to access is an absurdly circuitous fix to something other than the real problem.
This is pretty much exactly what European data protection law says. Although it doesn't put very much emphasis on protection against accidental disclosure, it's more intended against deliberate disclosure.
My challenge to the Surveillance Business Sector (Google, Facebook, Apple, Amazon, banking, etc.) is to figure out how to offer services with minimal, or better, zero, user tracking. That's challenging, as even incidental signatures leave traces, but what's currently happening is, IMO, either untenable or leads to quite horrible things.
Consider: in a world in which any conceivable piece of information is available on a person, then any conceivable claim becomes credible. It's McCarthy's "binders" on steroids. Insinuation alone can be devastating.
On the matter of "collecting only the necessary data" for a given transaction, there's a post I tried submitting on Ello (oddly: specific content seems to break their submissions, they're aware of this) of my experience clicking on "log in via Google+" on TypePad.
For the service of authenticating to TypePad, I was expected to divluge:
1. All people in my Circles. Including non-public Circles.
2. My own demographics.
3. My email address.
4. Permission to "manage" my Google profile.
Under what Orwellian Hell would I provide access to my entire damned Google profile to some third party for the ability to post a comment on a blog?
Who possibly, at TypePad, or Google, possibly thought this was a good idea?
(I've got quite the rant written on this, waiting for Ello to fix their bug so I can post it.)
Another truth often forgotten: the recipient's phone remembers everything, too. You might use full-disk encryption on your phone, but that doesn't matter if the recipient doesn't.
And the networks on both the sender's and receiver's side keep a copy of the messages for a certain time. Depending on local data retention laws, these may then be kept for some mandatory longer period.
and the networks also keep more than just the messages: they keep the location the phones where at when sending and receiving the messages. and the locations of any other phones nearby, at the same time.
It's a good idea to assume that texts are stored forever. There's no technical reason to remove ~140 bytes of data when storage is cheap.
Your local data retention laws and the network's practices may vary or they may be under pressure from law enforcement to keep things longer than necessary. They will not disclose in public how long they are stored, so better assume forever.
Another forgotten truth: most chat apps don't use end-to-end encryption by default, and the majority of the few that do, don't self-destruct the messages (you hear that Signal/Whatsapp teams?!).
Self-destructing messages are security theatre with no guarantee that it's actually happened, I believe that was Moxie's answer when that was last asked. From what I recall, anyway!
The Compartmented Mode Workstations with all their security features weren't rated to stop skilled hackers. So, what where the restrictions for? Answer: to prevent users from inadvertantly screwing up their own security plus make casual attackers work for it a bit. Making stuff automatically disappear unless you mark it permanent automatically reduces the amount of stuff someone will get from snatching your phone. That's why it's a good idea.
Side effect: may reduce information overload or search time for important messages. Unproven. Just a guess.
He's wrong, oddly. For many scenarios, Signal would be better off if it offered a timer. After all, it offers a count-based deletion system (delete messages when conversation > X msg).
The only issue is in pretending this removes the message from the other side (like Telegram). Bury it in advanced options, put up a big warning or whatever. But to say people will get too confused and think it magically deletes other people's data ... that's a poor deal for serious users.
As-is, Signal users must diligently wipe information in case they are, for instance, stopped by police. Or in any other situation where they might be deprived of access for a bit, then be compelled to open the device. Perhaps they were in the middle of talking to someone. With a 1-5 minute timer, Signal can be useful enough to chat, while not risking too much if it's forcefully removed from you.
It's also just good hygiene in general. Most people are probably better off having old data get wiped automatically some time later. Opt in to perma-save. It's not comprehensive, but it sure helps users avoid an accidental disclosure.
And no, length limits are not good enough since they span an arbitrary amount of data and time. In fact, I'm not even sure of the point, unless it's to speed up the UI or something.
In fact, it's a lot easier these days to assume that what you broadcast through any medium is archived, you're on video and audio. You're not always, but it's easier to work on that assumption than accurately figure out when you really are.
Disclaimer: Statement obviously does not apply outside of Canada, US, UK, etc.
i'm not sure the problem is the careless messages - its the bad behaviour that is 'let slip'
i know its not exactly the point of the article, but the way i deal with my frustration over this is by doing whatever i can whenever i can. if everyone did this our leaders might actually be doing the important work of maintaining and improving society, law and order instead of the bullshit work of being power hungry scum.
the fact that we call them politicians says it all imo...
I guess the point of that proverb is that even if you dance badly, you'll at most be ridiculed, but possibly become a hit. You will likely not be imprisoned.
(Well, in Western countries anyway... except if the dance contains hand movements or such that are illegal. I mean, if it's just a dance, no problem.)
Exactly, and once these sorts of videos become common enough in society that everyone has at least one, they won't even harm your chances at employment.
You probably don't think about your IME that much. I started thinking about it when it made typing various strings of pinyin (input of Romanised Chinese) much easier because it recognised what I was typing.
Screenshots prove nothing. A better choice are 3rd-party archives (EG: Internet Archive) where you can view a page or take a "snapshot" of what the page looked like at a certain time.
While it isn't arguably 100% secure - it is far more trustworthy than random screenshots since it adds several steps before anyone can say "it is manipulated".
This is interesting - I can't tell from the article if the text message was divulged by the receiving party or through a subpoena. I understand that SMS can be captured by the provider and they can be subpoenad, but what about messages sent via a third party service (iMessage, WhatsApp, etc) that are (at least notionally) encrypted and not visible to the service? Would an individual be compelled to present these in court?
48 comments
[ 24.8 ms ] story [ 4243 ms ] threadPS Down vote is annoying. This is precisely why I use Wickr for some communications. It gives me a text message like experience with messages that are automatically deleted from my phone and recipient's.
There's no way to guarantee deletion; if the recipient can read it, the recipient can save it.
It's not open source (?) so it can't be audited. The server infrastructure may be wiretapped and/or backdoored by law enforcement together with a gag order. It's headquartered in the US, which I don't trust. They claim to be end-to-end encrypted but how can I tell, let alone the general public who aren't familiar with crypto.
I've used Wickr because the other parties I was communicating with were using it. But since I wasn't trusting the other party (cryptography can only assure trust, not create it) so I might have been using smoke signals instead.
For my use, it still does beat text messages because at worst it's security by obscurity and my local (non-US) law enforcement can't easily get their hands on the data.
For something I don't want to get into the hands of local law enforcement (outside US), Wickr might be better than text messages.
But I trust my network provider more when it comes to keeping the data safe, if I don't mind that local LEO agencies can readily access it. They are under strong legal and contractual obligations not to disclose the information to third parties and have better funding than Wickr.
Wickr probably does a pretty good job, but they might be backdoored (ie. keep plaintext of communications and/or metadata) and might get hacked and leak the data and release it in the internet.
An interesting property of BBM is that organisational policy can be enforced for message deletion. It is not implausible that future iphones will have to supply some proof of being un-tampered before being allowed to join Apple's overlay network.
In the short term, switch to Signal or WhatsApp, and don't send anything naughty. Have a scheduled deletion policy written down and follow it.
And while it frequently afflicts those utterly disenfranchised (see the parallel HN item on asset forfeitures, aided by scanning or having employees hand over travel records), it also hits those in power. The difference is that whilst the disenfranchised may find themselves arrested or disencashed, the powerful seem to find a harsh spotlight shined on them, but largely avoid harsher penalties.
Not always, and not entirely successfully. But information, it turns out, is not power, but a power multiplier. If you have a great deal of power, information used against you diminishes that somewhat, but can only multiply your attackers' own power by so much.
It's a rather interesting dynamic.
I believe that should give companies enough incentive to:
1) collect only the absolutely necessary data that they need
2) if they do collect more sensitive data, invest heavily in protecting it
You could even use this as a tool to gain an unfair market advantage:
1) develop some proprietary (reversable) obfuscation algorithm
2) market the algorithm as "data anonymization" and lobby to get the "anonymized" data classified as insensitive
3) you can now collect the same data as your competitors but have to obey lesser security standards than they have. Unless they purchase the algorithm from you.
4) profit!
But even if that scheme worked, it doesn't seem to protect the end user against things companies intentionally do with the data that are not in the user's interest. Including "intentional data breaches", aka selling the data to third parties. (or getting acquired by a third party)
Cynical me says 95% of everything in this area is profit, to hell with anything else.
Most of the American public remembers phone books. I don't think they're going to vote to make publishing the White Pages punishable by serious jail time.
The information in a phone book is now the backing and access data, at least in some cases, to other online systems and services. "Who are you?" is the most expensive question in information technology. No matter how you get it wrong, you're fucked.
There are a great many systems which now can use the information in a phone book, or which starting from a phone book you can access, to commit fraud (it's called "identity theft", but it's still just plain old impersonation fraud). Unfortunately, this becomes, in many jurisdictions, the victim's problem.
It's not so much that phone books have changed (though that too), but the world around them certainly has.
Trying to authenticate people by their knowledge of data that's in or easily deduced from the public record (or "shared secrets" shared with every entity they've ever done business with) is an objectively wrong security design and we need to stop using it. Making those public records harder to access is an absurdly circuitous fix to something other than the real problem.
My challenge to the Surveillance Business Sector (Google, Facebook, Apple, Amazon, banking, etc.) is to figure out how to offer services with minimal, or better, zero, user tracking. That's challenging, as even incidental signatures leave traces, but what's currently happening is, IMO, either untenable or leads to quite horrible things.
Consider: in a world in which any conceivable piece of information is available on a person, then any conceivable claim becomes credible. It's McCarthy's "binders" on steroids. Insinuation alone can be devastating.
On the matter of "collecting only the necessary data" for a given transaction, there's a post I tried submitting on Ello (oddly: specific content seems to break their submissions, they're aware of this) of my experience clicking on "log in via Google+" on TypePad.
For the service of authenticating to TypePad, I was expected to divluge:
1. All people in my Circles. Including non-public Circles.
2. My own demographics.
3. My email address.
4. Permission to "manage" my Google profile.
Under what Orwellian Hell would I provide access to my entire damned Google profile to some third party for the ability to post a comment on a blog?
Who possibly, at TypePad, or Google, possibly thought this was a good idea?
(I've got quite the rant written on this, waiting for Ello to fix their bug so I can post it.)
Your local data retention laws and the network's practices may vary or they may be under pressure from law enforcement to keep things longer than necessary. They will not disclose in public how long they are stored, so better assume forever.
Side effect: may reduce information overload or search time for important messages. Unproven. Just a guess.
The only issue is in pretending this removes the message from the other side (like Telegram). Bury it in advanced options, put up a big warning or whatever. But to say people will get too confused and think it magically deletes other people's data ... that's a poor deal for serious users.
As-is, Signal users must diligently wipe information in case they are, for instance, stopped by police. Or in any other situation where they might be deprived of access for a bit, then be compelled to open the device. Perhaps they were in the middle of talking to someone. With a 1-5 minute timer, Signal can be useful enough to chat, while not risking too much if it's forcefully removed from you.
It's also just good hygiene in general. Most people are probably better off having old data get wiped automatically some time later. Opt in to perma-save. It's not comprehensive, but it sure helps users avoid an accidental disclosure.
And no, length limits are not good enough since they span an arbitrary amount of data and time. In fact, I'm not even sure of the point, unless it's to speed up the UI or something.
https://maqp3d.wordpress.com/2015/10/03/wickr/
Disclaimer: Statement obviously does not apply outside of Canada, US, UK, etc.
i know its not exactly the point of the article, but the way i deal with my frustration over this is by doing whatever i can whenever i can. if everyone did this our leaders might actually be doing the important work of maintaining and improving society, law and order instead of the bullshit work of being power hungry scum.
the fact that we call them politicians says it all imo...
(Well, in Western countries anyway... except if the dance contains hand movements or such that are illegal. I mean, if it's just a dance, no problem.)
You probably don't think about your IME that much. I started thinking about it when it made typing various strings of pinyin (input of Romanised Chinese) much easier because it recognised what I was typing.
What great journalism.
*they = could be anyone.
Screenshots prove nothing. A better choice are 3rd-party archives (EG: Internet Archive) where you can view a page or take a "snapshot" of what the page looked like at a certain time.
While it isn't arguably 100% secure - it is far more trustworthy than random screenshots since it adds several steps before anyone can say "it is manipulated".