[Cryptography] upgrade mechanisms and policies

Michael Kjörling michael at kjorling.se
Sat Apr 18 16:53:20 EDT 2015


On 17 Apr 2015 19:15 +0100, from iang at iang.org (ianG):
> Now, if we went back to actual privacy considerations -- not your
> constructed but well learnt theory -- and asked what Alice and Bob
> wanted to do privately:
> 
>   1. do you want your messages to be secret?
>   2. do you want your contacts to be secret?
>   3. do you want your activity to be untracked?
> 
> The answer to the above is typically YES, YES, YES [1].  My business
> is my own.

/.../

> Go back to those thoughts: "let's say that Alice and Bob are fine
> with Eve and Mallory knowing _that_ they are communicating with each
> other."  That's not true.  That's you telling Alice and Bob what
> they are allowed to do in order to benefit from your system.

While I do believe the points you're making are valid to some degree,
they are not what I see when I talk to non-technical people. Many
don't even care about blanket mass nation-state surveillance. More
than one person I have tried to introduce to the concept has
_literally_ responded with something very close to "if they think I am
that interesting, then for all I care they can listen in". This even
when suggesting things that can be done with next to _zero_ negative
impact for the individual, such as using OTR on top of already
established IM communications, or installing a browser plugin like
HTTPS Everywhere. These are things that take minutes or less to set
up, are basically maintenance-free, yet still help improve (and
certainly don't detract from) the security of their communications. We
aren't even talking about things like Certificate Patrol, which _can_
cause user inconvenience in some legitimate cases.

That's where the threat acceptance I suggested comes from. My
experience is simply that _people don't care if the fact that Alice
and Bob are communicating is known._ They might, however, care about
the content of those communications being known; what has been
jokingly referred to as the NSA "DICKPICS" program.

This is also most likely a major reason why we don't have a huge
uproar in Sweden _right now_ because, in spite of the ECJ decision _a
year ago_ that the EU Data Retention directive violates _basic human
rights_ by virtue of enacting blanket mass nation-state surveillance
(of communications metadata), the Swedish law (which the Swedish
government claimed was only enacted because we were _forced_ to do so
by the EU, never mind that Sweden was one of the driving countries
behind the directive) that requires blanket mass surveillance and
storage of communications metadata _is still in place and in effect_,
and the government is claiming that this is not a problem.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

