


Contributing Columnist

Honesty is not the best privacy policy

Apr 17, 2017 (7 mins)

Hackers, tech companies and governments want our personal information. Only lies can save us now.


Digital privacy invasion is more than a theoretical or actual threat to our freedoms. It’s also a huge distraction.

Take MIT genius Steven Smith. He’s recently taken time away from his specialties of radar, sonar, and signal processing at MIT’s Lincoln Laboratory to automate the pollution of his family’s web traffic with thousands of arbitrary searches and sites.

His code essentially lies about internet activity to whomever is listening.

The software is an artful liar. According to a piece in The Atlantic, Smith’s algorithm uses web activity-spoofing software called PhantomJS to conduct searches in a way and on a timeline that mimics normal human online behavior.

Welcome to the age of disinformation, the new way to protect your privacy.

Halt! Show me your passwords!

You’ve been hearing (from people like me) for years about the need for strong passwords. But even the best password is worthless if you share it.

The U.S. Department of Homeland Security announced this week that border and airport searches of phones and laptops nearly doubled in the past six months (from 8,383 to 14,993 searches). Most of these devices are password-protected, and access is gained by travelers sharing passwords with border agents or unlocking the devices “voluntarily.” (One report projects that such border searches are on track to hit 60,000 this year.)

President Trump’s promise of “extreme vetting” may include a demand that visitors and U.S. citizens hand over social network passwords, so Homeland Security can see who you follow and what you post on social sites, even privately.

These aren’t just devices and profiles. They likely contain everything someone needs to determine where you’ve been, who you know, what you read, what your financial and medical situations are and much more.

The legal status of border searches is that they’re exempt from Fourth Amendment constitutional protections against “unreasonable searches.” The government considers it a loophole in the Constitution.

Homeland Security says the rate of searches is based on “current threat information.” So unless the Age of Aquarius spontaneously dawns and all mankind lives in peace, love and harmony, we can expect the rise in password demands and border searches to continue.

Meanwhile, Congress recently and unceremoniously reversed new privacy rules enacted last year by the Federal Communications Commission. Internet service providers are now legally allowed to share your browsing history for profit. The idea is to improve advertising, but it will be trivially easy for spy agencies, hackers and others to pose as advertisers and grab all this data.

Another disturbing precedent is the practice of law enforcement dragnets on Google Search data. Police in Edina, Minnesota, recently got a warrant to search Google servers for the names, account information, IP addresses and email addresses of everyone in town as part of a fraud investigation. That puts us one step away from using such searches as Orwellian “fishing expeditions,” looking for evidence of crimes in online activity.

It’s tempting to think about privacy violations as something that could happen in the far future or to other people. But as recent events reveal, we’re likely to find out that our personal data has been stolen long after the exposure has taken place. For example, by the time we learned about an enormous Yahoo email breach affecting more than a billion users, we also learned that the theft happened more than two years ago.

Such violations can happen to you. While the demand for passwords appears to target limited cases and suspicious foreign visitors, you should note that nearly all airport security practices spread globally. What the U.S. does to a few travelers now, all countries may do to all travelers in the future.

When concealment fails

Until now, the best approach to privacy has been concealment — hiding your personal data behind passwords, two-factor authentication, encryption and virtual private networks (VPNs).

The concealment approach is breaking down.

Hackers are cracking passwords, and governments are outright demanding them as a condition of travel.

Governments are on the brink of forcing major companies like Apple, Google, Facebook and others to provide encryption “backdoors” to messaging apps. This looks like it could start in the UK and Europe, then spread globally.

Even VPNs can’t always protect you. (VPN companies encrypt traffic from your computer to their servers, so your web activity appears to originate from their servers, rather than with you.)

For starters, VPNs simply transfer access to your browsing history from the ISP to the VPN. Is your VPN more trustworthy than your ISP? It’s not easy to know.

Some VPNs have been caught selling user data. Others don’t work well. Some of the encryption keys used by a few VPNs are compromised and out in the open. Still others are fraudulent hacking enterprises posing as VPNs.

The bottom line is that if governments, corporations and hackers want access to your personal data, they can often get it despite your best efforts at concealment.

Disinformation is the new normal

In theory, there’s nothing new going on here. People have always tried to keep their secrets; others have tried to steal them. The combination of concealment and disinformation has always worked best.

During World War II, the Allies won in part by combining concealment and disinformation, while the Nazis mostly relied on concealment.

Hitler may have believed his secret code-generating Enigma machine was uncrackable, but the Allies eventually cracked it. And the Nazis cracked back, breaking crucial American and British naval codes.

But the Allies became masters of disinformation, most famously before the invasion at Normandy in early June 1944. A program called Operation Fortitude was aimed at convincing the Germans that the invasion would take place at multiple locations, but not at Normandy. They used fake aircraft, phony airfields and inflatable tanks (the famous “Ghost Army” of World War II), as well as misleading leaks and false communication, to convince the Germans to divert resources to the defense of shores where no actual invasion was planned.

As our own efforts at concealing our private data increasingly fail, we’ll inevitably embrace disinformation as well.

The art of faking it

For starters, it’s probably a good idea to create fake Facebook and Twitter accounts now so they can have a history by the time you need them. Best practices around this deception haven’t been fully developed by security experts, but it probably begins with using your real picture for the fake accounts and a picture of something other than your face for the real ones. When border agents demand the passwords to your social accounts, you can give them access to the fake accounts.

Increasingly, people with business or other secrets may buy a second phone to carry while traveling, and leave the real one behind — or at least in checked luggage.

And finally, there’s the pollution solution, as demonstrated by MIT’s Steven Smith.

You probably won’t have to roll your own. I expect to see an emerging industry of traffic-spoofing browser plug-ins and something similar for messaging apps. These will create phony activity to essentially make it difficult for snoops to figure out what you’re really doing. (In fact, such products are already emerging. A browser plugin called Noiszy claims to visit websites from within your browser, “leaving misleading digital footprints around the internet.”) A project called RuinMyHistory uses a popup to create somewhat random web activity.

These are just the beginning. Expect many more products to come out over the coming year. As concealment fails to protect our privacy, we’ll increasingly add disinformation to the mix as well.

Lying is wrong. But when it comes to privacy, honesty is no longer the best policy.