Simply Secure is not simply private

Another week, another security collaboration launch!

“Simply Secure” calls itself “a small but growing organization [with] expertise in usability research, design, software development, and product management”. Their mission has to do with improving the security functions that built-in so badly in most software today. Simply Secure is backed by Google and Dropbox, and supported by a diverse advisory board.

It’s early days (actually early day, singular) so it might be churlish to point out that Simply Secure’s strategic messaging is a little uneven … except that the words being used to describe it shed light on the clarity of the thinking.

My first exposure to Simply Secure came last night, when I read an article in the Guardian by Cory Doctorow (who is one of their advisers). Doctorow places enormous emphasis on privacy; the word “privacy” outnumbers “security” 16 to three in the body of his column. Another admittedly shorter report about the launch by The Next Web doesn’t mention privacy at all. And then there’s the Simply Secure blog post, which cites privacy a great deal but every single time in conjunction with security, as in “security and privacy”. That repeated phrasing conveys, to me at least, some discomfort. As I say, it’s early days and the team is doubtless sorting out how to weigh and progress these closely related objectives.

But I hope they do it quickly. On the face of it, Simply Secure might only scratch the surface of privacy.

Doctorow’s Guardian article is mostly concerned with encryption and the terrible implementations that have plagued us since the dawn of the Internet. It’s definitely important that we improve here – and radically. If the Simply Secure initiative does nothing but make encryption easier to integrate into commodity software, that would be a great thing. I’m all for it. But it won’t necessarily or even probably lead to better privacy, because privacy is about restraint not secrecy or anonymity.
As we go about our lives, we actually want to be known by others, but we want those who know us to be restrained in what they do with the knowledge they have about us. Privacy is the protection you need when your affairs are not secret.

I know Doctorow knows this – I’ve seen his terrific little speech on the steps on Comic-Con about PRISM. So I’m confused by his focus on cryptography.

How far does encryption get us? If we’re using social networks, or if we’re shopping and opting in to loyalty programs or selected targeted marketing, or if we’re sharing our medical records with relatives, medicos, hospitals and researchers, then encryption becomes moot. We need mechanisms to restrain what the receivers of our personal information do with it. We all know the business model at work behind “free” online services; using encryption to protect privacy in social networking for instance would be like using an armoured van to deliver your valuables to Bernie Madoff.

Another limitation of user-centric or user-managed encryption has to do with Big Data. A great deal of personal information about us is created and collected unseen behind our backs, by sensors, and by analytics processes than manage to work out who we are by linking disparate data streams together. How could SS ameliorate those sorts of problems? If the SS vision includes encryption at rest as well as in transit, then how will the user control or even see all the secondary uses of their encrypted personal information?

There’s a combativeness in Doctorow’s explanation of Simply Secure and his tweets from yesterday on the topic. His aim is expressly to thwart the surveillance state, which in his view includes a symbiosis (if not conspiracy) between government and internet companies, where the former gets their dirty work done by the latter. I’m sure he and I both find that abhorrent in equal measure. But I argue the proper response to these egregious behaviours is political not technological (and political in the broad sense; I love that Snowden talks as much about accountability, legal processes, transparency and research as he does about encryption). If you think the government is exploiting the exploiters, then DIY encryption is a pretty narrow counter-measure. This is not the sort of society we want to live in, so let’s work to change the establishment, rather than try to take it on in a crypto shoot-out.

Yes security technology is important but it’s not nearly as important for privacy as the Rule of Law. Data privacy regimes instil restraint. The majority of businesses come to know that they are not at liberty to over-collect personal information, nor to re-use personal information unexpectedly and without consent. A minority of organisations flout data privacy principles, for example by slyly refining raw data into valuable personal knowledge, exploiting the trust citizens and users put in them. Some of these outfits flourish in the United States – the Canary Islands of privacy. Worldwide, the policing of privacy is patchy indeed, yet there have been spectacular legal victories in Europe and elsewhere against the excessive practices of really big companies like Facebook with their biometric data mining of photo albums, and Google’s drift net-like harvesting of traffic from unencrypted Wi-Fi networks.

Pragmatically, I’m afraid encryption is such a fragile privacy measure. Once secrecy is penetrated, we need regulations to stem exploitation of our personal information.

By all means, let’s improve cryptographic engineering and I wish the Simply Secure initiative all the best. So long as they don’t call security privacy.