On Deniability and Duress

I’m convinced that there’s a sociotechnical blind spot in how current technology handles access to personal devices. We, in the infosec community, need to start focusing more on allowing users the flexibility to handle situations of duress rather than just access control. Deniability and duress codes can go a long way in helping us get there.

Source: On Deniability and Duress

A New Era of Mass Surveillance is Emerging Across Europe | Just Security

In recent months, and in the wake of a series of terrorist attacks across Europe, Germany, France and the United Kingdom — Europe’s biggest superpowers — have passed laws granting their surveillance agencies virtually unfettered power to conduct bulk interception of communications across Europe and beyond, with limited to no effective oversight or procedural safeguards from abuse.

Source: A New Era of Mass Surveillance is Emerging Across Europe | Just Security

“If an intelligence law is not well-conceived and rational, it could easily become a formidable weapon of repression. An intelligence law should not only protect citizens against terrorism, but also against the State. We in France are doing neither. There is a total absence of control in this law.”

— Marc Trévidic, former chief terrorism investigator for the French judicial system

America’s Top Spy James Clapper and the Future of Cyberwar and Surveillance | WIRED

America’s top spy and the future of surveillance.

“Is spying moral?”

After a pause, Clapper answered unapologetically: “We can do our job with a clear conscience, but we have to be careful. The history of the intelligence community is replete with violations of the trust of the American people.” That doesn’t mean that the job is immoral—it just means the job has to be done correctly. “I have always accepted intelligence was an honorable profession. We are all mindful of the need to comply with our moral values and the law.”

Source: America’s Top Spy James Clapper and the Future of Cyberwar and Surveillance | WIRED

How Much Surveillance Can Democracy Withstand? – GNU Project – Free Software Foundation

If whistleblowers don’t dare reveal crimes and lies, we lose the last shred of effective control over our government and institutions. That’s why surveillance that enables the state to find out who has talked with a reporter is too much surveillance—too much for democracy to endure.

To have privacy, you must not throw it away: the first one who has to protect your privacy is you.

If we don’t want a total surveillance society, we must consider surveillance a kind of social pollution, and limit the surveillance impact of each new digital system just as we limit the environmental impact of physical construction.

Most data collection comes from people’s own digital activities. Usually the data is collected first by companies. But when it comes to the threat to privacy and democracy, it makes no difference whether surveillance is done directly by the state or farmed out to a business, because the data that the companies collect is systematically available to the state.

For the state to find criminals, it needs to be able to investigate specific crimes, or specific suspected planned crimes, under a court order. With the Internet, the power to tap phone conversations would naturally extend to the power to tap Internet connections. This power is easy to abuse for political reasons, but it is also necessary. Fortunately, this won’t make it possible to find whistleblowers after the fact, if (as I recommend) we prevent digital systems from accumulating massive dossiers before the fact.

Digital technology has brought about a tremendous increase in the level of surveillance of our movements, actions, and communications. … Unless we believe that our free countries previously suffered from a grave surveillance deficit, and ought to be surveilled more than the Soviet Union and East Germany were, we must reverse this increase.

Source: How Much Surveillance Can Democracy Withstand? – GNU Project – Free Software Foundation

What we talk about when we talk about cybersecurity: security in internet governance debates | Internet Policy Review

Internet governance bodies agree that improving online security is important, but disagree on what a more secure internet would look like.

The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes these debates significant and unique in the context of internet governance is not that the different stakeholders often disagree (indeed, that is a common occurrence), but rather that they disagree while all using the same vocabulary of security to support their respective stances. Government stakeholders advocate for limitations on WHOIS privacy/proxy services in order to aid law enforcement and protect their citizens from crime and fraud. Civil society stakeholders advocate against those limitations in order to aid activists and minorities and protect those online users from harassment. Both sides would claim that their position promotes a more secure internet and a more secure society—and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.

Source: What we talk about when we talk about cybersecurity: security in internet governance debates | Internet Policy Review