It was quite an honour to present the first CryptoParty meetup in the UK, which had a much bigger turnout than expected. The London CryptoParty is holding theirs next weekend, and that looks to be much bigger.
Actually, our meetup was hastily arranged rather than properly organised, though we had already spent a few weeks debating how to approach it. CryptoParty meetups are intended for a broad range of people, so I couldn’t dive straight into the details of how encryption works. We had to start from basics. What better place to start than by addressing the reason cryptography is used? Our first talk was about the old ‘If you’ve got nothing to hide, you’ve got nothing to fear’ argument. The presentation file can be downloaded here.
The presentation went very well, I’m happy to say – quick and painless. As it happened, most of the others were also tech-heads, and so there was a lengthy discussion on security, Bitcoin, SSL/HTTPS and other things.
We’re also pretty much decided on the subject for the next meetup. It’s going to include a practical on TrueCrypt, GPG and possibly the KeePass software – stuff that should work on Windows, Mac and Linux without too many problems.
Here’s a quick overview of the presentation: As the title suggests, this was about busting the ‘Nothing to Hide, Nothing to Fear’ argument (really a mantra), which privacy campaigners encounter a lot, and which can be disproved a thousand ways right off the bat. It’s evident that we actually do have something to hide, since things like logins, confidentiality agreements, PINs, SSL/HTTPS, etc. exist for a reason. It’s also evident that people get busted for what’s openly said on Facebook or Twitter. But pointing this out would have been too easy. I wanted the presentation to last a good 30 minutes.
The truth is that those who genuinely think they have ‘nothing to hide’, and therefore totally disregard their own privacy (more accurately, their security), face a real risk of having someone else’s loans taken out in their name, their bank accounts emptied, or finding themselves raided by the Old Bill for some child porn or terrorism-related offence. They are compliant, law-abiding bootlickers with ‘nothing to hide’, so how could it happen? The short answer is that we don’t live in a world in which people have nothing to hide. Scaremongering? Maybe, but the presentation took the ‘nothing to hide’ argument to its logical conclusion.
The first questions to ask are: Who’s collecting the information, and for what purpose? How is the information being processed, stored and protected? Who else has access to that information? Unless we’re all technical analysts auditing the system ourselves, the simple answer is that we cannot know.
So, the next step is to look at what happens when personal information goes somewhere else. From the individual’s perspective, it’s out there, perhaps accumulated in databases and traded between entities who are rather lax in how they protect it. Remember that the majority of those firms deal with other firms and not with Joe Average (who is really the commodity here), and so their reputations wouldn’t really suffer as a result of a data breach. At worst, they’d carry on business under a different name. What if it’s our government collecting the data? Well, a database was copied by a junior civil servant onto CDs that went missing sometime around 2007…
In any case, with all this personal data being accumulated in God-only-knows how many databases, some of them prize targets where financial transactions are concerned, there’s a reasonable chance the information will eventually end up in the wrong hands. And it’s not just about databases – the scope of what information needs protecting, and how we protect it, from client to organisation, is huge. Criminals will either use that information to commit whatever crime, or they’ll trade it with other criminals.
We could argue that most online crime is facilitated at some point by identity fraud, which in turn happens because of identity theft. The main reason for this is that most online criminals won’t commit their offences using their own identities or their own networks. They’ll use someone else’s, and this is where that someone, with ‘nothing to hide’, can get into difficulties.
Another thing to understand is identity fraud doesn’t necessarily involve credit cards, passports or tangible forms of identification – it could be through the simple act of impersonation with the right data. This is where New Labour got it so wrong with their National Identity Register scheme.
* Identity Fraud: Uses details like date of birth, mother’s maiden name, or whatever else is to hand to open bank accounts, get loans paid into them under the victim’s name, etc.
* Financial Theft: Basically stealing someone’s bank details and emptying the account, or using them to buy stuff. In some (rare) cases, the crime is investigated and traced back to the poor sod whose personal details were used (as with Operation Ore).
* Compromising Organisations: Learning the full name of a person, the organisation that person works for, the position held, names of colleagues, email addresses, etc. This information enables a criminal to impersonate an employee, and possibly commit one of the above acts later.
The takeaway from all this? The more personal information that’s out there, the higher the risk to the individual.