Breaking Down a Privacy Service: What's Really Under the Rug?
By now, the hope is that you have really begun to look at the services you are using on a day-to-day basis. Maybe you have run a few SSL tests on the websites you login to, or checked out some privacy policies to see how they handle your information, or even gone so far as to contact them to get some details on the encryption standards they have. Either way, you are beginning to break down the services you use to see what is really under the rug. Another really awesome way to do this is to not go straight to the company but to other sources on the Internet. Typically, and rightfully so, they will be biased towards their own service; especially if it means they could make some money off of you. So those companies might not be completely honest. A little white lie here and there never hurts anyone, right? Wrong! It is hurting you. So go to the companies for the little details, but then take to the Internet for a bigger, broader idea of what is really under the rug. Type, “ is [COMPANY/SERVICE HERE] safe” into Google and see what comes up. Here’s one as an example: https://www.google.com/search?q=is+bitlocker+safe. The very first link that shows up when I click that is titled, Can the NSA Break Microsoft’s BitLocker?
Not every company you use is going to be 100% when it comes to securing your online identity, keeping your information, data, and communications private, or giving you a full-scale shield of anonymity. But you should still be concerned with the companies that are claiming to do that. Take Wickr and Signal for example. They are prime examples of companies that are very proactive in protecting our right to privacy online, but have some “flaws” that are only really seen when we pull up the rug. For starters, Wickr isn’t open source. Which in and of itself is the biggest flaw for the company. You can’t verify that they haven’t installed a backdoor for a third party. You can’t confirm that the encryption they are using is as strong as they claim it to be. And you can’t vouch for their motives on the same level as a company like Open Whisper Systems who runs/develops Signal. But on the other hand, Signal isn’t this miracle product either. It jumps through hoops and climbs mountains to keep our communications secure and private, has one hell of an encryption backbone, AND is committed to an open-source company model. However, through all this privacy and security the anonymity we need is lost the second we have to input our phone number and use it as a method of other people to contact us securely. That means I would have to post my cell phone number in a public form like on my website or Twitter Bio for someone to hit me up on Signal. This isn’t happening, ever. My Cell phone number isn’t something that should be public knowledge. If it were to be public knowledge, my online identity and personal security becomes shot.
Privacy by design, by choice or both?
Once you start to break down the companies you use or the ones you are looking at using in the future, you should start to get this idea of which companies are building their products to be secure, private, and anonymous by design, which companies are building them to be secure, private, and anonymous but on their choice to not disclose information, and which ones are doing both. Wickr would be a company that is doing it by choice, as they seem to be completely dedicated to sticking up for our right to privacy but can't prove it 100% because they lack an open-source product. ProtonMail would be a company that is doing both. They have designed a service that is secure by design and are choosing to hold up values and beliefs that protect our privacy in the digital world.
Ideally, choosing products & services that are doing both is the way to go. The people behind the scenes need to be making products now that are secure by design. I like the term that was used in the recent struggle between the FBI & Apple over the San Bernadino’s Phone:
I can’t say for certain who it was, but on my Twitter Feed, the term “Warrant Proof” surfaced and geez do I love it. The basis behind the terminology is that a company develops something that even a warrant isn’t going to break. Which is really awesome because it both shows the commitment on the company to build a device that even they can’t get into, and their devotion to holding up good principles that strive to protect their customers and users.