In The Other Future, I shared my thoughts on the Surveillance State and outlined guidelines one could follow to be a more secure, responsible netizen. Traditional technology companies have had a chance to react to surveillance revelations as well, and at least one company has been strident in their recognition of privacy and security.
History will tell us if this is just opportunistic marketing, or a rare instance of a for-profit corporation demonstrating a taste for more than money. Regardless, the context within which the technology sector operates has changed, and in a Post-Snowden world, an examination of the major players seems warranted.
Before I get started, I need to recognize the incredible service that the Electronic Frontier Foundation has done for us all. They have created the Surveillance Self-Defense Guide, an excellent resource for people interested in safer online communications.
There is no other organization that is doing more than the EFF to explain what is going on (and how to protect yourself) in a clear, easily understood way. If you care about the Internet and freedom, please consider becoming a recurring donor today.
The guide works like this. When you visit the site, you will see a slider advertising different roles that may apply to you (e.g., Activist, Protestor, Journalism Student). Overall, there is content overlap between each role, but clicking through will give you a customized version of the content that is germane for that position.
Each playlist has an easy-to-access index that is located in the bottom-right corner of the page, which lets you quickly jump to specific sections, in case you are already familiar with the topic they are discussing. If you come across an unfamiliar term, they even have a handy glossary.
If you just want a quick overview of the content the guide offers, check out the Index page. If there is one page to bookmark in the guide, it is this one.
The Surveillance Self-Defense Guide is amazing work. For many people unfamiliar with technology and security best practices, the surveillance revelations may have made them feel even more helpless and vulnerable than they did before. Good work like this helps people become empowered, and while the EFF is not yet well-known among the masses, I have no doubt that, in the future, they will receive the recognition they deserve.
Making a Stand
In September of 2014, Apple announced an important change to their mobile operating system, iOS 8, which placed a significant amount of power back into the hands of their users. Previously, only Apple's Mail and third-party apps received protection from their Data Protection system. In iOS 8, Apple expanded this list.
Furthermore, they redesigned their system so that the encryption that is used to protect your data is, in part, derived from the passcode that you select for your device. Effectively, this change implements a “trust no one” solution where you, the user, are the sole possessor of your data's encryption key. Concurrently, iOS 8 included a plethora of changes that, in my opinion, made it once again competitive with Android, and, in some ways, superior.
“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
Finally, Apple's CEO, Tim Cook, has taken powerful, public stances on social issues like equal rights for homosexuals and on philanthropy. Regardless of how cynical you may be, I think it is a net win when the leader of one of the most influential companies in history brings attention to the inequities that still plague our society.
For me, the sum of these changes indicates a revitalized Apple. For a company that seemed to be meandering in mediocrity (as Google and their Android operating system forged ahead), Apple appears to be making the right moves, and the excitement is palpable. These events have helped me remember why I became so enamored with technology in the first place, and I hope we see more companies following their lead.
On Android and Open Source
Previously, I wrote a piece on open source, hope, and the surveillance state, where I compared the contrasting approaches that Google and Apple took towards their mobile operating systems. Android is still open source, and iOS is still closed source, and I still hold to the general premise that I laid out.
That being said, it has become clear to me (as the EFF has emphasized) that there are no easy answers to the question of which computing platform is best for someone concerned with privacy and security. It is always better for a product's source code to be open for inspection, but there are myriad other factors that come into play when evaluating a product, and sometimes, a closed source solution may come closer to achieving a security/privacy goal than an open source one.
One of the most frequent questions asked of security trainers is “Should I buy Android or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There are no simple answers to these questions. The relative safety of software and devices is constantly shifting as new flaws are discovered and old bugs are fixed. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.
For example, there have been numerous instances where open source solutions have been found to be seriously compromised:
- Heartbleed vulnerability may have been exploited months before patch
- What is the Shellshock bug? Is it worse than Heartbleed?
These implementations had fully accessible source code, yet they contained serious vulnerabilities for years, and in the case of Shellshock, for decades.
An open source project is only as viable as the community that is maintaining it. If only a handful of inadequately funded people are working on a project, or if a product is widely used but never properly audited, is the open solution really better than the closed one?
Consider the bizarre turn of events that affected TrueCrypt, the widely known (and well-respected) piece of source-available freeware that could be used to encrypt files, folders, and drives. We might never know what really happened, but whether the anonymous developers simply did not want to shoulder the burden of maintaining a crucial tool in a Post-Snowden world, or they were intimidated into an early retirement, the outcome is disturbing.
Then, we have Android. Initially lauded as a more open, flexible, and permissive mobile operating system, many of Android's strengths now seem like liabilities. For example, every time you install an Android application, you will most likely be greeted with a laundry list of permissions that the app requests. If you do not feel comfortable with the permissions that the app requires, then you have no choice but to not install the app.
Sometimes, an app developer has good reasons for requesting what seem like gratuitous permissions, and they go out of their way to explain this to the user. Most of the time (in my experience), they do not.
On the other hand, iOS has long been known for its centralized privacy controls. On their platform, it is easier to determine which apps have access to your device's hardware and your content, and granular controls let you toggle off which apps you would like to remove access for, without completely removing the apps from your device.
Lastly, there is Google. When I used to hear Android critics describe it as being openish, I balked. To me, the fact that Amazon used Android to create their own operating system and app ecosystem was proof enough that Android could be unequivocally called open.
However, as Android has gained popularity, Google has shown a steadily decreasing enthusiasm for contributing towards the Android Open Source Project (AOSP). Also, Google's grip on Android through its proprietary apps and services is increasingly being challenged.
Regardless of Google's intent, it cannot be ignored that their business model depends on collecting your data to serve targeted ads. Whether they are cooperating with governments to betray your trust or not, Google's massive cache of data is an irresistible target for many parties. Going forward, it may make sense to withdraw from products and platforms that primarily maintain their vitality by collecting and storing your personal data.
When I return to this topic, I am going to discuss my thoughts on the Cloud and how the Surveillance State has changed my digital lifestyle.