19 January 2015

Precocious privacy warriors


At first glance Nadim Kobeissi looks about 14 years old. Yet the baby-faced PhD student is part of a new wave of entrepreneur-activists who are finding new ways to protect our privacy online, to the horror of governments around the world.

Born in Lebanon in 1990, Kobeissi is already a veteran of the privacy wars. At age 20 he organised a march in his adopted home of Montreal in support of WikiLeaks. In 2012 he was detained by the USA’s Department of Homeland Security when he entered the country and was questioned closely about Cryptocat, the secure chat system he had released a few months earlier.

Why would one of America’s most powerful federal agencies care about the pet project of a 22-year-old geek? Simple – Cryptocat employs a form of security that makes it impossible for even the most powerful governments to listen in on conversations. 

This technology – called end-to-end encryption – essentially scrambles all data sent between the people chatting. Only someone with a matching software key can read any of these messages, and these keys are so secure that it would take literally millions of years to unscramble the messages without them.

Encryption, historically, has been quite painful to use, even for the technologically inclined. Glenn Greenwald, the journalist who broke the Edward Snowden story, nearly missed the scoop because setting up encrypted emails proved so tricky. What Cryptocat does is make that encryption invisible to the user – they know it’s there but they don’t have to know how it works.

But how is this different from that friendly green lock we see when we use internet banking or Facebook? Isn’t that encryption? Yes, but that only covers the link between your computer and whatever service you’re using. When Facebook receives your data, it decrypts it using the key that you share with it. It then stores your data in one of its huge data centres, in unencrypted form.

This is extremely convenient for services such as Facebook and Google, which make money by targeting users with adverts based on their private data. But it also means that the data is a sitting duck for both hackers and unscrupulous government agencies. Both these groups have had a field day over the last decade, stealing or confiscating the private data of millions of ordinary people. 

That problem is the inspiration for Kobeissi’s latest project, Peerio. The service offers email and file sharing with built-in end-to-end encryption. Files and messages are stored on Peerio’s servers in encrypted format and Peerio never has access to the decryption keys.

So neither hackers nor the NSA would be able to use that data even if they could gain access to Peerio’s servers. With typical precocity Kobeissi is pitching his service as a replacement for blockbuster services such as Gmail and Dropbox. But while that may be somewhat unrealistic, he is clearly tapping into the growing privacy zeitgeist. People are tired of feeling like they’re being watched. 

That’s what led WhatsApp, the world’s largest mobile chat service, to quietly implement end-to-end encryption in November last year. Other mobile chat services, such as Snapchat and Apple’s iChat, are also encrypted in the same way (although WhatsApp’s encryption is particularly secure).

This trend is clearly frightening to the world’s governments. David Cameron, prime minister of Britain, has threatened to block services such as WhatsApp if he is reelected. Speaking to the media he said: “In our country, do we want to allow a means of communication between people which […] we cannot read.” – the “we” here being the UK government.  

To politicians such as Cameron the imperatives of national security outweigh those of individual privacy. But what he fails to understand is that the encryption genie is out of its bottle. There are already a thousand Nadim Kobeissis around the world, all gleefully bent on giving privacy back to ordinary people.

If Cameron or his counterparts in other governments block one service, another will spring up in its place. Technology changes much faster than governments, and few things spur innovation more than outrage. The age of mass surveillance is not yet over, but the seeds of its destruction have already been sown.