The difference between Privacy, Security and Anonymity explained
What is Privacy? Wikipedia describes privacy as “the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively” and I would largely agree that the definition provided fits the mold. However, I would suggest another definition as well. “Privacy allows everyone else in the world to see your life through a selective lens of your choosing.” It means to have the choice to not allow your neighbours to view your bank account information. It means only displaying certain information about your Facebook profile to the general public. And it means having curtains on your bedroom windows to conceal your sexual acts from onlookers. In information security circles, privacy is often synonymous with encryption, whereas anonymity deals more with the transportion and discoverability of one's information.
Well Then What is Security? Security is what keeps us safe. Privacy is the idea; security is the thing. In the online world, security is what safe guards our information from hackers, thieves, Joe sitting next to you at the coffee shop, and even Government bodies who want a little more control. It encompasses a wide range of “things” that we use to keep our data compliant with the Privacy Rules we, or the organizations and services we use, specify. Security would be things like encryption, or strong passwords. Privacy would be not letting a co-worker watch you type in these passwords.
Okay, So What About Anonymity? Privacy and security are very closely related and anonymity is just the distant uncle who always shows up the party in socks and sandals. I say this because everyone makes fun of him at first, until it starts to rain and they all wish they had his nice warm wool socks on their feet to protect them. Anonymity is the concept of not being identifiable as your true self online. It seems to get a really bad reputation because a lot of hackers and online criminals are referred to as being anonymous. But it is also a very positive thing. Like in cases where a teenager who is questioning their sexuality wants to conceal their online activities from their parents or school until they are ready to make that big coming out moment. Or for a police officer doing undercover work to takedown a child pornography ring. Countless individuals around the globe use anonymity in some form or another every single day. As a final note, I think it is also important to understand that anonymity isn’t always just important for people as individuals but people as a collective. To have a truly open democratic system, anonymity plays a huge roll. It grants us free speech, allows us to question without negative repercussions, and gives us a means by which we have choice.
Let Me Explain Further..
Based on the arguments I have had with people in the past, I don’t think simply explaining what security, privacy, and anonymity are will be enough for many of the readers taking a look at The Crypto Paper. I think part of this comes from the mindset people have while using the Internet, but I also think part of it comes down to people just not knowing how serious the issue of privacy and security is. Let me give an extended explanation.
The primary reason for curtains/blinds/drapes covering our windows in our house is to stop people from being able to see in. The reason we don’t want them to see in is because we consider much of what we do inside our homes to be private. Whether that be having dinner at the table, watching a movie with your kids, or even engaging in intimate or sexual acts with your partner. None of these things are illegal by any means but even knowing this, we still keep the curtains and blinds on our windows. We clearly have this strong desire for privacy when it comes to our personal life and the public. The same is true for our personal affects in not so personal places – like using an ATM (with your debit card) or paying with Interact at a grocery store (not such a personal place). It would be foolish to not cover your pin while it was being entered or to make sure the person beside you in line wasn’t recording you while you entered it in. You are keeping your PIN private, which is directly increasing your personal security. Even if we aren’t consciously being safe about these things, our subconscious has our back most of the time. Think of this: If there were 5-6 rough looking individuals joking around by the ATM in the entrance of a bank, do you think many of the women looking to get cash out would be feel comfortable going in to do the transaction? Or do you think they might wait until the group left? In so many ways we have this consideration and desire for security and privacy but then we move into a digital environment, really beginning to harness the capabilities of the Internet, and many of us just throw it all away.
It’s hard to think of all the ways where we put our very personal information out into the world, while holding this belief that it “has to be safe. Just because.” so here are some examples:
- Many Debit and ATM machines only use the 3DES encryption algorithm to keep your financial information safe. 3DES was developed in the 1970s and is significantly weaker than the new and much more cryptographically sound AES algorithm. http://blog.erratasec.com/2013/12/target-displays-its-incompetence.html
- You pay for a catalog order by calling the company and telling them your credit card number over the phone. The representative then reads the number back to you for verification.
- You keep an agenda book in your purse with your passwords written down in it.
- You use the same PIN to unlock your phone that you do with your debit card or credit card.
- You use the same email for your online banking, PayPal, iCloud (important accounts) that you hand out to the cashier while out shopping.
- You have texted someone a password, piece of financial information, SSN/SIN.
- You use less than 5 different passwords for everything online.
I would have liked a way to record people’s facial reactions while they read the bulleted list above. I am curious to know how many of you went down all 7 items and said quietly to yourself “yup, I do that too”. But these typically aren’t things we consider to be insecure. You deleted that message you sent to your husband with your social security number in it so you must be safe, right? Not quite. The digital world is so vast and is comprised of numerous “levels”, for lack of a better word. You as an Internet user would be one level, a system administrator doing work on your bank’s server would be another level, your bank itself would be another level, the people setting rules and regulations for that bank another, and high level government organizations are usually the final level at the top. So even something so simple as logging into your bank account has the potential to hit tons of these “levels”. This is both good and bad. On one hand, it means our information is being looked after by a varying amount of people, companies, and organizations – no better way to determine the faults in our security. But on the other hand, HOLY SHIT! OUR INFORMATION (that we probably want to be private) IS BEING LOOKED AFTER BY WHO KNOWS HOW MANY DIFFERENT PEOPLE, COMPANIES, AND ORGANIZATIONS. You wouldn’t likely walk outside to go to work and tell your neighbor “Yup, had some really great sex last night with my fiancé!” But… you might text that to a best friend over SMS where there is a potential for one of these people or organizations to have a little peek at it? And that's where it doesn't really make sense.
The NSA (National Security Agency) has been running a program called Dishfire that collects up to 200 million text messages per day from users globally. For reference see here: http://www.theguardian.com/world/interactive/2014/jan/16/nsa-dishfire-text-messages-documents, here: https://en.wikipedia.org/wiki/Dishfire, and here: http://www.belfasttelegraph.co.uk/technology/gchq-given-access-to-us-dishfire-system-that-reads-hundreds-of-millions-of-text-messages-from-around-the-world-according-to-nsa-documents-leaked-by-edward-snowden-29924715.html
This means that the text message you sent your buddy about the wonderful sex, could have been read by a member of either the NSA or the similar GCHQ in Britain (whom they have granted almost unrestricted access to Dishfire data). Think about that for a second. Someone you don’t even know, from a country you may have never even have visited, knows about your sex life, all because you texted it to a friend. This is just the beginning too! The NSA has been rumored to have a program capable of crawling the Internet and mining (collecting) mass amount of data for later analysis. Due to the classified nature of really anything the NSA has in its possession, we obviously don’t know what information, or how much information is being gathered (if any at all) but based on the size of the NSA datacenter (https://nsa.gov1.info/utah-data-center/udc-photo.html), I would say an astronomical amount containing the sum of EVERYTHING. You don’t have a datacenter that large without a purpose.
If it doesn’t concern you that a member of your government is able to see everything you are doing online, read the text messages you are sending, or even listen in on the calls you are making, it should scare you to know that companies like your Internet or mobile service provider likely have the capabilities to do this as well. See: http://hotair.com/archives/2015/08/16/attverizon-nsa-partnership-shows-why-government-and-businesses-shouldnt-mix/ and http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order “But they are just doing it to keep us safe! And besides, I have nothing to hide!” – These statements are valid for you to make, but really based on false ground. Think about the argument I made earlier concerning the blinds and curtains in your house. They keep you safe and allow you to go about your daily lives in private. Not that we are being secret about any of our life, or that we close the curtains just so we can commit illegal acts. We use them because we don’t like the fact that someone walking by at night could see, watch, and even record everything we are doing. Imagine what it would be like without those blinds. Would you still feel comfortable engaging in many of the same activities that you do? Would you still masturbate in your bedroom where the neighbours had plain view from their kitchen window?
So if we aren’t going to give the public ready-made access into the details of our daily lives, why are we making an exception for our governments? Because technically, the same governments we are making exceptions for, are made up of these individuals from the same public who we do not want knowing and seeing this information. They are people with whom we can’t verify the intentions or motives of. They could be watching your every move (with or without the consent of their superiors) and you would be clueless. The same goes for the individuals in the same room as the lady you read your credit card information to while making that catalog order over the phone. Was there someone else in the room with malicious intent writing down the number, expiration data, and CVV code while this representative read it back to you for “verification”? I guess you’ll have to be okay with the fact that you will never know and trust the individuals at your bank to alert you if something goes astray.
This is why privacy and security matter. This is why we need to implement strong encryption and NOT let anyone have a backdoor in the code. Although we may have good intentions as individuals, we can’t rely on the assumption that other individuals will match our same intentions. If we do not hold the companies who are storing our personal information (like our bank, PayPal, Facebook, etc) accountable and responsible for keeping our information and identify safe, we will willingly be moving into the unknown. Into a digital era where it is more common for a random onlooker to know more about your personal life, financials, and account information than another member of your family. Mozilla put it best: Privacy Lets You Be You. https://advocacy.mozilla.org/encrypt/social/1
So keep this in mind when you are reading the remainder of this paper. I didn’t do a lot of explaining with precise examples as to “why” you need the security, privacy, and even anonymity as showcased in the next 50 pages… but it shouldn’t be rocket science. We can’t really assume that backdoors, government surveillance, and poorly developed security measures are keeping us safe just because we trust the people using and implementing them, can we? Because if so, then you should take a look at this breach that compromised 20,000 FBI and 9,000 DHS employees and imagine how secure your life would be if you left it in someone else’s hands: https://motherboard.vice.com/read/hacker-plans-to-dump-alleged-details-of-20000-fbi-9000-dhs-employees
Watch: https://www.youtube.com/watch?v=VPBH1eW28mo. It explains locks + technology.
Watch: https://www.youtube.com/watch?v=V9_PjdU3Mpo. It explains mass surveillance.