Linked by Thom Holwerda on Fri 7th Jun 2013 11:40 UTC
Legal This story is getting bigger and bigger. Even though most Americans probably already knew, it is now official: the United States government, through its National Security Agency, is collecting the communications and data of all American citizens, and of non-Americans using American services, through a wide collaboration with the large companies in technology, like Apple, Google, Microsoft, Facebook, and so on. Interestingly enough, the NSA itself, as well as the US government, have repeatedly and firmly denied this massive spying on Americans and non-Americans took place at all.
Doc Pain

Most of the interesting data resides on servers, not clients.

Of course servers offer a more centralized access to data, but it is basically generated on the client's side. So if the access to the client is easier, you trade the centralization for distribution, and maybe that's cheaper. You don't need any new regulation to access stuff on servers when you can easily access the "buffered" data from the ISP in "clean plaintext".

It's usually easier to crack into a (moderately secured) server to steal user data (such as usernames and passwords) than to attack all the users, simply due to the "number of parts involved", but the equation needs to take into account that client systems are in many cases much less secured than servers, and those who run them do not care. "If the PC says I have to enter my name and credit card number, I will have to enter my name and credit card number, because the PC knows what it does." ;-)

Here's a comparison from reality: There are cash terminals that read your card, you enter your PIN, the transaction is being processed by the bank to pay the stuff you have just bought. Some specific models are vulnerable to an attack vector which allows reading the card data (the data stripe content) and the PIN you entered via network. No fiddling with the device itself is needed. Deploy that attack on a big supermarket. It's easier to get all this data delivered by the individual devices via network than to attack one of the transaction servers involved.

Think of e.g. e-mail: all the interesting stuff is there on the servers and accessible and whatever client you choose won't change that fact and as such the protection of your e-mail secrets and privacy is placed on the shoulders of the entity running the servers.

Fully correct. By using any service, being paid or "for free", you need to trust the company running that service to keep their systems clean and not hand data to whatever governmental agency might ask for it. However, this is subject to law.

You usually have the situation that there is some basic law, a constitution or something comparable which states that your personal mail is secret. Then there are other laws at lower level that discuss exceptions. And finally, everything can be accumulated under the umbrella "exception" and therefore be fully legal, even when it invalidates your citizen's right stating that your mail is secret.

Web browsers are an even better example of this: the client only handles input/output, the servers handle all the raw stuff, and no matter which client you choose Facebook or whatever can still access all your stuff.

Browsers have caches that can be exploited. Some operating systems have sufficient vulnerabilities to avoid any further encryption on the service's server, and you get all the precious details from within the web browser. Even "lower level" down, key loggers can record anything, and means of web diagnostics can be used to record even mouse movements (even if the browser is minimized). Again, this is an argument for "distribution vs. centralisation", and it depends on what you want to spy at, and at what "costs".

With the increasing use of JavaScript in web pages, along with "rich content" and interactivity, getting data from the browsers becomes more complicated, so accessing the "compressed results" from the servers is much more appealing. Insecure servers or company guidelines not valuing their users' privacy are a big threat.

The protection starts from servers.

Those who run the servers are not primarily interested in protecting them because it won't add a financial benefit. And as long as the information on its way to the server can be easily wiretapped, securing the servers (and the services as a whole) against spying won't help much.

Protection has to start in the users' heads.

When they (1st) demand protection of their privacy and (2nd) become able to verify (!) the claims of the service providers, those will actually start acting.

Users with a more advanced skillset will of course run their own mail and web servers, avoid "data collectors" such as "Facebook", pay attention to what they enter where, and be more conscious about all the steps involved in their communication habits. This sadly is nothing a company (or, one company) can offer as a "ready-made solution" at the moment.

This is the only way to prevent a "two classes society" regarding information privacy and security. As long as people don't care, nothing will happen. But the more steps they include to make it harder for dubious agencies to spy at whatever they do, and the more they demand service providers to value their privacy, the better the situation will become.

Sometimes I tend to imagine that the opposite approach could also work: What would happen if massive security breaches would happen and personal and financial data of politicians, high level executives and self-proclaimed "professionals" and "experts" would visibly leak to the public, together with secret contracts and calculations? When those who can actually decide about the course would become victims of spying, being personally exposed and identifiable? Would that change something? The mentality of "this doesn't happen to me, it always happens to the others" would need to change to a more reasonable "it could also happen to me, so I need to take actions to prevent it"...

Okay, call me a pessimist, but I'm long enough in IT security research that I don't trust those microchips any further than I can throw them. :-)

Score: 4