Our third episode of the Digital Guardian Podcast takes a look at the important issues impacting privacy in 2017, with Cortex Insight CEO Adrian Mahieu and Digital Guardian global security advocate Thomas Fischer discussing the rise of mobile encryption apps and the impact of S.J.Res.34 and the GDPR on privacy and security.

For the privacy-conscious among us, special guest Adrian Mahieu says it best: "We live in interesting times." Episode 03 of the Digital Guardian Podcast focuses on the current events impacting privacy — for better or worse — today, including the rising popularity of mobile encryption apps and how governments are responding, the U.S.'s recent passing of S.J.Res.34, and the effects the GDPR will have on individuals and businesses. You can stream the audio below or scroll down to read a transcript of the conversation. Enjoy!

Highlights from this episode include:

1:00 - The rising popularity of mobile encryption apps and the renewal of the backdoor debate between the public and private sectors

4:40 - The passing of S.J.Res.34/rollback of the Broadband Privacy Bill and the risks it poses for individuals and ISPs

17:50 - What GDPR means for personal privacy and organizational security

Intro/outro music: "Groovy Baby" by Jason Shaw, licensed under CC BY 3.0 US

Transcript

[music]

00:10 Nate Lord: Hello and welcome to the third episode of the Digital Guardian Podcast. I’m your host, Nate Lord, and joining me today are my coworker and Digital Guardian Global Security Advocate, Thomas Fischer, as well as special guest Adrian Mahieu. He is CEO and co-founder of Cortex Insight, director of Alien8e security, and events director for 44CON in London. Thomas and Adrian, thanks for joining us today, and please take a moment to introduce yourselves.

00:36 Adrian Mahieu: Hi, I’m Adrian Mahieu, and as Nate said I head up Cortex Insight and co-founder, event director of 44CON and Alien8 Security where we deal with immunity in Europe.

00:47 Thomas Fischer: Hi everybody, I’m Thomas Fischer, and so, I work for Digital Guardian as Global Security Advocate and I also help run B-Sides London, which is coming up in June.

So, we’re gathered here today to discuss some recent issues about privacy. When we came up with this podcast direction it brought me back to the 1990s when McNealy was quoted as saying “you have zero privacy anyway--get over it.” It was kind of taken a little bit out of context, maybe, but perhaps not so much when we see what is going on today in our world where terrorism is pushing politicians to do stupid things, and we also have reversals of certain bills in the United States. The first part we can talk about, Adrian, is, maybe, what's going on in the UK right now and in Europe because the EU Parliament is following suit as well where they’re calling for backdoors into encrypted products following terrorist activities. So I’d like to get your thoughts on that and let’s see how we progress with that.

01:47 AM: Well, I think the first thing in hitting this head on is something Alec Muffett said, “there is no such thing as a secure back door,” and as much as you want, say, a backdoor into an encryption standard--you think it’s great we can get the data, but so can other nation-states and other serious adversaries. So, and really that’s not being considered as part of this discussion.

02:14 TF: Definitely, and when you think about it they're targeting a very small group of people, but they are going to hit everybody and impact everybody. Google and other companies are pushing for SSL everywhere, including the EFF, you know, and TLS everywhere or security everywhere for every website. I saw that even Google nowadays they’re--they’ll rank your search results higher if you’re using encrypted web pages instead of standard http protocol. So, there is a push from the technology side to give us some sense of privacy, but then you have the governments coming out with “well, no, we need to be able to get access to that data that you’re sending across the internet.” My fundamental problem with that, too, is that, yes, it’s, you know, you're risking everybody’s security, but on the other hand, it’s not--we’re not talking about something that can fundamentally work, if you think about it--if people know that you are decrypting their messages, the easiest way to get around that is to come up with another layer of encryption. I could call you offline or, you know, meet with you in person ahead of time, discuss a, let’s say, coded way of talking to each other, and listeners would have absolutely no understanding of what we would be saying, you know, we would be speaking Latin to them if they decrypted our messages. So, it’s very flawed to come out and say “well, we should have a backdoor to be able to see what’s going on or to detect messages.”

03:40 AM: Right, and, with the Vault disclosures, it became clear that efforts were not really being made to break the encryption of applications--it was more about taking over the platform that the applications were running on. Which, to me, seems like a much better way of doing it because that's very, very targeted and very precise.

04:00 TF: Yeah, and it’s easier, if you think about it--it’s a lot easier to, say, social engineer somebody to put something that you could monitor, before the messages get encrypted and you see what they're actually typing, rather than trying to figure out how to decrypt the back end, or how to get access to the actual communications. It’s kind of sensible, right? Just go where it’s easiest--where it’s already unencrypted. On the other side, we recently saw in the U.S., where it’s not really about, I mean outside of the Vault--the release of some of the NSA and CIA techniques--we’ve seen recently the U.S. government push to revoke an FCC rule from last year which protected citizens’ privacy when browsing the web. So, this weekend we saw S.J.34 being voted, and, on Monday, President Trump signed it into law, and that essentially allows ISPs to collect data on you, and to sell that data to the highest bidder--let’s just say to the highest bidder.

04:58 AM: From the ISPs’ perspective, though, this is--this is fairly reasonable because, in their view, people like Google and Facebook are already doing this, and, so, why shouldn’t they? And what they are already having to comply with, as ISPs, are things like lawful intercept requests--so, let’s steer this away from the governmental side of life, but the governments and states, in general, do have access to ISP data if they want it. So, that’s fine, but now you’re looking at an invasion of your privacy, and the side product of this is, if you believe social media upticks--you’d see a lot more mention of VPNs; you’d see a lot more mention of cryptography amongst groups that previously would not have used it. So, now, when you do your lawful intercepts, you’re gonna get a ton more VPN traffic, making your life a lot more difficult.

05:49 TF: Precisely, and the--I mean, ISPs--if you’re going to https sites, or if you’re going to, you know, TLS protected sites, you're not going to actually see that traffic anyway--they'll only just get some information to the connections you’ve made--they won’t actually see which websites you’re visiting. Whereas Google still is able to actually see what you’re typing in and searching for, and I agree with that, and most people are not gonna go to VPNs because, you know, I mean, c’mon--it’s--a VPN's good for some things, but for daily activity?

[laughter]

06:19 AM: Well, for starters, until Netflix changes their policy, you’re not going to be watching Netflix over a VPN. So, it’s [laughter] but it is down to, really, what the men and women on the street really think. A few years ago, a taxi driver in London said to me “how can I stop the NSA reading my email?” This was after the press stories about email interception and the like, that came out with a certain Snowden character, [laughter] and, basically, he was actually very surprised that it's actually GCHQ doing the interception--not the NSA, for example, but he still wanted to know how he could--could stop his letters to his mother being intercepted by a foreign nation-state, and, if you link this also to what I’ve seen as a vast increase in the millennial age group, the use of cryptography--there was a conference in New York a few months ago I spoke at and, really, the number of people that have installed Signal was amazing--it was almost the default messaging application for over two-thirds of the audience.

07:22 TF: I saw a rise in my contact list suddenly appearing in Signal as well. It was quite interesting--especially after the November elections in the U.S. What else came up during that conversation? I mean, because we know we often talk about privacy versus security--typically when I try to discuss this I compare it to, well, if you step out into the street, you no longer have your privacy, but you still want to have some security, so you follow, maybe, some rules or, you know, you're being monitored by the police or by, you know, services to protect you. Do you think that's a reasonable comparison?

07:59 AM: I’d view it as, in description terms, slightly differently. I view privacy as the drapes or the curtains across your window, and that really stops people looking in--it means you can't look out, generally, as well, but, that's fine--that's privacy. Security are the bars across your windows that stop someone from the outside breaking in. Now, you can have security--you can have those bars on your window--and have no privacy because your curtains or drapes are open. But you can't--if your drapes are closed and you don't have those bars, someone can still get in, and that breaches privacy.

08:39 NL: So, with this rollback of the broadband privacy bill, and the passing of S.J.Res.34 yesterday--what impact do you guys see that having on end user privacy and security, and where do you think it has the more severe implications?

08:55 AM: You're already seeing, I think, data loss of epic proportions in the US. I don't think there is a health organization that hasn't been breached. Look at every single organization that collects data and stories that they have been breached within the last couple of years, and it just means the ISPs who are gathering this information are also going to be targets for those people that like that type of data, and, if anything, because they've recorded it they get more personalized data because they see the sites you go to--maybe they get copies of your cookies, see some authentication credentials in the clear--it’s data that is probably very, very valuable when combined with these other sources of data loss.

09:44 TF: Correct, I think I have the same understanding as well of some of the risks that could be associated with this. There's also a more practical aspect of it. What's the cost going to be for ISPs? I mean, it's not easy to gather all of this, you know--I think it was last year, our then Home Secretary in the UK--now our Prime Minister, wanted to push for data collection of every website you visit from the ISPs, but from a practical term, it's just really difficult to actually imagine that being cataloged by certain ISPs. We don't--just don't have the means to do it, right? It's a lot of data that you're gonna be storing, and you have to store it somewhere. So, again it becomes, you know, critical that these things are going to be vulnerable to something, right? You're gonna have to look at how are you going to store this--how you’re gonna store it safely, and what are you actually going to do with the data, right? Because we're talking about personal data to a certain extent. I mean, if I go to my bank, right, what are they going to actually capture? Are they just going to capture that I went to my bank’s homepage, or are they going to capture every single piece of transaction that’s sent over the, you know--every single connection that's sent over the browser? I think, on the other side too, there's been so much noise about it--people are starting to say “well, what do I do, what do I do?”

11:07 AM: Well, what would you recommend to family members? I mean, the first thing I got asked is “well, look--I don’t want to install lots of things on each of my devices--that would cost a fortune. Is there anything I could just plug in?” And yeah, you know, there are solutions like the InvizBox, which are really easy to plug in and they just seem to work. They move the point where your data is exposed down the line--you still end up--your local ISP won’t see it--someone will still see it.

11:38 TF: And, that’s--will that someone be affected by the same rules? We don’t know.

11:43 AM: Right, because if you’re choosing to VPN to a different country, suddenly, you know, it’s a whole different rule game. But, also--and this is a more general thing about buying VPN services--how do you know you can trust the people you’re buying the VPN service from?

11:59 TF: That’s exactly true--what are they logging, what--you know, what are they showing--what do they have available to--in the same way as an ISP? They’re like a virtual ISP, to a certain extent--you’re still transmitting your traffic over them and it's exiting some point somewhere else, maybe, but you still got data that’s visible.

12:19 AM: Right, and what is there in S.J.Res.34 that--or even the broadband privacy bill in the past--that would’ve stopped that VPN provider selling your data? Well, nothing really, and what’s to stop them collecting that data? And as some of these organizations do--VPN services are quite small--what are their policies and safeguards against data loss? Do they have any? Do they store data at rest in the encrypted form? No one knows--they are private companies.

12:49 TF: In the same way that, even if you take out the ISP aspect, you’re still going to some website, and that website can do things to you, right? They can collect data about you--they can collect the cookies--they can access your cookies. They can do exactly the same things that the ISP could do, and what do they do with the data? I love the expression, you know, “if the service is free--you’re the commodity,” right? Because, you know, [laughter] one of those websites--when you go to those websites and you sign up for a free service, why do you think it’s free? You know, it’s like--they have to make money somehow. It’s either the number of people that they have--it’s either the potential ad spamming that they can do on the people that they have registered, or it’s they’re collecting your information. They’re trying to analyze what you’re doing. I’m always amazed at Google, right? So, I have a Nexus 5 phone, and I love the thing, right? I’ve given up my privacy, I’ll admit it--I’ve given up my privacy, but, you know, when I’m on my phone and I’m like thinking, you know, “where the hell did I park my car?” It tells me where I parked my car, right? I mean it will tell you, and Google knows what I’ve been searching for. So, on my “today” page on my phone, I have a list of articles that would be interesting to me, and gives me reading for the tube-ride down to the office, right? I mean, there’s some benefits of losing your privacy, but on the other hand, how much do we really want to give up? And, we were talking about “what do you tell your family,” and my family, I tell them “well, if you think there’s something that you don’t want people to know, just don’t put it on the internet,” right?

14:26 AM: Right.

[laughter]

14:28 TF: You know, it’s like, if you don’t want the person to see that naked picture of you that you took to, you know, send to your boyfriend and to your girlfriend, just don’t put it on your phone--don’t put it on the internet, right? Let’s be reasonable. I mean, we still have control over what we do with our private life, to a certain extent.

14:47 AM: I don’t think we want to go to the phone thing in this chat--

[laughter]

14:50 TF: Yeah, let’s not go there.

14:52 AM: ‘Cause that will end up--yeah. Yeah, I did do quite a long diatribe against non-technical people using Android [laughter] with Dave Lewis in Forbes a few weeks ago that got some interesting feedback, but it is interesting that now the average person is being forced to think about privacy beyond their privacy in their private property.

15:19 TF: I think it’s a good cycle, too, because it’s waking us up. Unfortunately, my problem is with a lot of what’s going on in the S.J.--you know, with S.J.Res.34, and even with some of the things going on in the UK about the backdoors into encrypted communications. The problem is we--I think we need to get more politicians that aren’t career politicians and understand the newest technology. Unfortunately, I see French politics, I see German politics, I see UK politics, I see US politics--all of it’s run by, let’s say, a generation that’s mostly comprised of lawyers or professional politicians, and they have absolutely no idea what technology is, and they’re making these really bad assumptions based on something they don’t understand, and I wish they would just try to--someday, hopefully, things will happen where we’ll get more technical people into politics, and some of these bills will start to go away naturally and will be more sensible versus some of this fancy, wishful thinking that they are trying to push through nowadays.

16:23 AM: This is what concerns me--I mean, surely it’s occurred to them, you know, “we’re about to say something about cryptography that we don’t really understand, something about networks we don’t really understand. Let’s go check with someone who does know about these things--whether what we’re proposing can actually work,” before they say it. It seems that they’re not doing this. And, yet, if you look for some of the things that they talk about, this is something they would do for other things they talked about. Why is this so different? Is it because they view it as a virtual world still?

16:56 TF: I think it’s just they don’t understand it, and, well, in the case of the S.J.Res.34, it’s more about responding to the pressure of lobbyists. I think, you know, the ISPs--they were lobbying hard, and trying to get this through so that they could revert the rule that was introduced by FCC last year so they could make some additional money, right? On the other hand, the backdoors into programs like WhatsApp, that’s just, I think, a complete misunderstanding of how things are doing. I mean, it’s just--they found the guy using WhatsApp. So, oh of course, we have to break WhatsApp, you know? It’s--for me, it’s just a complete misunderstanding and a very reactive aspect of having to deal with, say, something where you have nothing else to say, right? Trying to push through ways to circumvent existing laws, or just ways to, kind of, bring pressure on companies just to stop a minority, unfortunately. On the other hand, we do have some good things that have come into play. If you think about GDPR, that got enacted last year in the EU, that will come into effect in May, 2018, and more recently--I think it was March 1st--the New York Financial Regulatory Board introduced DFS--these, actually, are trying to help companies while they’re putting down, I’d say, a certain level of structure to the ways companies need to deal with personal information that they’re storing, or personal information that they’re using.

18:24 AM: So, some interesting things have happened with both, given recent developments. So, in the UK, after the Brexit announcement was put in, there was some survey done where 40% of businesses, that because of that Brexit thing, they had basically decided that they weren’t going to look at GDPR because they thought it was a European-only thing. Ah well, news for them--it’s not--it’s actually a UK thing as well, and DFS, although it applies to anyone that’s managed by--well, is licensed by the Department of Federal Services in New York State--it actually also applies to third-parties that supply services to those organizations. So, it is far reaching in terms of liability and in terms of audit requirements.

19:13 TF: It’s very similar to GDPR as well ‘cause--

19:16 AM: Yeah, it will--it will change the game, and with DFS it will be the first prosecution or the first breach, and what is actually going to come out as a result of this, especially given the notification requirements, and what’s actually going to happen to organizations? Because we already know what GDPR will do to low-margin, high-turnover companies--it will kill them.

19:40 TF: Yeah, I mean ten million or four percent is not a small amount, right? You know, that 72-hour notification after breach-detection is gonna be tough for companies, and I think that news report in the UK about UK businesses and GDPR--you know, they cited Brexit as a reason, but I just think companies are not prepared. They’re just--they need to work--you know, they still have a lot of work to do and they’re not realizing how detrimental it might be. I mean, I’ve heard comments from certain organizations where they basically have just turned around--“well they’ll never be able to enforce the fines.” Yeah, okay, fine--you won’t be able to enforce the fines, but, you know, the EU is trying to protect information of its citizens. What’s going to happen if you don’t pay the fine? Do you think you’re gonna be able to carry on doing business in the EU countries without, you know, without some form of retribution? I, you know, I think companies have to realize that it--this is something serious and some of the implications around that privacy aspect of protecting the person’s information need to be acted upon. It’s no longer just a wishful thinking thing--it’s like you need--they need to start thinking about how they’re actually going to manage and store all of that personal information in the ways that are going to help them protect themselves against potential loss, and being affected by heavy fines.

20:58 AM: This won’t be easy either because they don’t have the staff to do this. This isn’t--they aren’t traditional people within some of their types of organization.

21:07 NL: Those challenges that companies are going to face early on, and when GDPR starts being enforced and fines are being levied--those aside, do you think in the long-term it’s going to have the positive impact on EU citizen privacy that it’s intended to have, or is it just going to be something that is burdensome for companies and without really having that positive effect?

21:27 AM: Well, it--in some respects would you view that the horse is already bolted? There’s been so much data loss that’s happened--maybe enough data has leaked that it doesn’t make a difference anymore.

[laughter]

21:42 AM: From a very cynical viewpoint, that might be the case. In other respects, it’s another layer of bureaucracy, in some people’s eyes, they have to adhere to and it’s increasing their cost of doing business. If it comes down to it, and a company is breached and all the data at rest is encrypted in the right way, it can only be a good thing.

22:06 TF: Well, I just agree with you, Adrian--it can only be a good thing, and I think what will happen is we’ll just see when the first case actually comes up after, you know, May 2018. When that first breach gets detected and the first fines start to fall down, it’ll be interesting to see how companies react.

22:25 NL: Definitely.

22:25 TF: It’s like any legislation, you know, we need to take action on it, but how much action can we really take? What’s going to be the alternatives, right? Are we gonna be able to buy--we’ll call it what it is; cyber insurance as the insurers call it--to protect us against potential data loss? There are already companies that do that, but then when you read some of the reasons why they pay out or don’t pay out, you have to do the actions to protect the data anyway. So, you might as well try and do it properly first time, and be in compliance with the regulation, and deal with the--with any potential data loss in the right way, which is to have that data at rest or that data encrypted, or even to stop it from leaving the organization if you have the right tools in place.

23:05 NL: Absolutely. Well, thanks guys. I think we’re getting close to our wrapping point, but, Thomas and Adrian, any closing thoughts on the current state of privacy or security today?

23:16 AM: We live in interesting times.

23:19 TF: Is that your final word, Adrian?

[laughter]

23:22 AM: If listeners are in the infosec community, they know that this is just another hurdle that we’ll come to, you know, and that it’s something that means that information security, whether people like it or not, is going to be embedded into organizations for a very, very long time to come.

23:42 NL: Alright, I think we’re gonna conclude our third episode of the Digital Guardian Podcast here. Thomas and Adrian--thanks so much for joining us, and for listeners--stay tuned for episode four coming up in a couple weeks, featuring Dan Cohen from RSA. Thanks for tuning in, and keep an eye out for our next episode soon.

23:59 TF: Thanks, Nate.

24:00 AM: Thanks, Nate.

24:01 NL: Thanks, guys.

[music]