American Tech Companies Wasting Their Time With Perfect Forward Secrecy

Have you ever heard of “Perfect Forward Secrecy”? It is a method that was devised for maintaining security on encrypted systems by changing out the encryption and decryption keys used in every transaction.

Older secure communications systems issue “keys” to users. When you send a secure message to someone, your software uses your key to encrypt your text. The receiving person has a matching key that is used to decrypt the message.

Irrational fears have been spreading across the Internet about the vulnerability of online communications in the wake of the Edward Snowden scandal. Snowden, an American citizen who plotted to steal secret data from the National Security Agency by hacking into their system from his job at security contractor Booz Allen Hamilton, launched a wave of embarrassing news stories in which he accused the NSA of spying on American citizens (and the citizens of other countries).

As the allegations have been challenged and investigated by the US Congress, facts reveal that Snowden and his accomplices (led by Glenn Greenwald) have been sharing only part of the picture with the public, either because they don’t have all the information or because they want to deceive people into believing that the National Security Agency is brazenly violating its mandates and restrictions placed upon it by the secret FISA court that oversees the NSA data collection programs.

To date, what can be confirmed is that the NSA collected immense amounts of data about American and foreign communications in order to identify patterns of connections between users. The NSA also collected and decrypted the contents of large volumes of communications and private user accounts from major tech companies; but this decrypted data was placed in a tightly controlled database which is designed to only provide a very minimal amount of information when queried. The queries are supposed to be run only with proper authorization from a court.

Edward Snowden lied when he claimed that as a contractor he had access to a large amount of information and that he was authorized to wiretap anyone. As facts have come to light it turns out that he used his position as a network administrator to deceive various NSA contractors and/or employees into giving him their login credentials. He then used their access (which he gained unlawfully) to download most of the files he has turned over to unscrupulous journalists like Glenn Greenwald.

As Greenwald and his allies release new embarrassing allegations, many members of the American technology community — people who regularly devise and distribute software that American corporations use to violate users’ security and privacy on a much broader scale than the NSA has — have expressed outrage over the NSA data collection. Despite the fact that the NSA is clearly only interested in finding and tracking operatives and allies of Al Qaeda, the American technology community has begun devising schemes to foil NSA data collection.

Their latest flawed approach is to implement Perfect Forward Secrecy on popular platforms. Twitter is only the latest company to announce that it will now use Perfect Forward Secrecy. In effect, every secure transaction between Twitter and its users (or between Twitter’s users) will use new encryption/decryption keys. The thinking behind this strategy is that even if one set of keys is hacked, that won’t help with decrypting other communications.
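The per-session key property described above, shown as an added example (not code from this article or from Twitter): each session runs its own ephemeral Diffie-Hellman exchange, the usual way forward secrecy is achieved in TLS, and a secret leaked from one session opens only that session's recorded traffic. The group parameters, the toy cipher, the sample messages and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Demonstration group only (assumption of this example): the Mersenne prime
# 2**521 - 1 with generator 3. Real deployments use vetted groups or curves
# such as X25519 or the RFC 7919 FFDHE groups.
P = 2**521 - 1
G = 3

def keypair():
    """Fresh ephemeral DH key pair, generated for one session only."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Derive a 256-bit session key from the DH shared secret."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def seal(key, msg):
    """Toy XOR keystream plus HMAC tag; stands in for a real AEAD cipher."""
    ct = bytes(a ^ b for a, b in zip(msg, hashlib.shake_256(b"enc" + key).digest(len(msg))))
    return ct, hmac.new(b"mac" + key, ct, hashlib.sha256).digest()

def open_sealed(key, ct, tag):
    """Return the plaintext, or None when the key does not match the tag."""
    if not hmac.compare_digest(tag, hmac.new(b"mac" + key, ct, hashlib.sha256).digest()):
        return None
    return seal(key, ct)[0]  # XOR with the same keystream decrypts

def run_session(msg):
    """One exchange: returns what a passive recorder sees, plus the client secret."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    key = session_key(c_priv, s_pub)
    assert key == session_key(s_priv, c_pub)  # both sides derive the same key
    ct, tag = seal(key, msg)
    return {"c_pub": c_pub, "s_pub": s_pub, "ct": ct, "tag": tag}, c_priv

def demo():
    """Session 1's secret leaks; try it against both recorded sessions."""
    rec1, leaked = run_session(b"session one (constructed)")
    rec2, _ = run_session(b"session two (constructed)")
    # The leaked secret only matches the public values of its own session.
    k1 = session_key(leaked, rec1["s_pub"])
    k_wrong = session_key(leaked, rec2["s_pub"])
    return open_sealed(k1, rec1["ct"], rec1["tag"]), open_sealed(k_wrong, rec2["ct"], rec2["tag"])
```

`demo()` returns the first session's plaintext and `None` for the second, since the second session's key was derived from ephemeral secrets that the leaked value says nothing about.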

Of course, the most advanced decryption technologies (such as those used by governmental spy organizations around the world) don’t invest any resources into decrypting keys. They just decrypt the data regardless of what the keys look like. So changing encryption keys frequently will have virtually no impact on any government projects that seek to decrypt user data.

This latest round of security updates appears to be nothing more than a publicity stunt aimed at assuaging public anger and re-establishing a bond of trust between the companies that monetize people’s privacy for their own gain and the general public, the people whose privacy is really not being impacted by all these government projects.

In the United States most citizens are now subject to regular government surveillance through traffic and postal systems. That is why it is so easy for the authorities to track people down through the mail and motor vehicle license plates. There have been numerous incidents in recent years where police agencies have released video footage tracking suspects as they move through communities.

Google itself recently argued in court that GMail users have no reasonable expectation of privacy; Google is being sued because its mail software scans your incoming emails to determine what kind of advertising you will see. You agree to allow Google to do this when you sign up for a GMail account.

The United States government has been monitoring electronic communications since it first tapped telegraph lines during the Civil War in 1863. Protections have been put in place to ensure that citizens remain secure against unreasonable search and seizure, but these protections sometimes fail to keep up with current technologies. The US Supreme Court did rule several decades ago that the collection of metadata (data about data) is not restricted by the Fourth Amendment to the US Constitution. Much of the NSA data collection technology has been applied under the protection of that ruling, although recent (lawful) government disclosures show that the FISA courts have expressed some reservations about the broad application of these rulings to modern data systems.

Technology companies are not interested in protecting users’ privacy. They are only interested in making a profit by bringing more people in to use their software. Because of the Edward Snowden scandal many American technology companies have been caught acting in complicity with governments around the world. In fact, these companies are only fulfilling their lawful obligations to hand over user data when they receive a court order.

But the egos of some technology programmers have been wounded by revelations that their “secure” systems are so easily compromised by government security agencies. Losing perspective (this is, after all, all about catching Al Qaeda operatives before they can unleash new terror attacks against the USA and its allies), some of these programmers have decided to side with Al Qaeda in working to foil the NSA and other governmental agencies. These programmers are increasingly making public ideas that can easily be adapted by Al Qaeda to improve its own security as it plans new terror attacks against the West.

A conspiracy theorist might argue that these companies continue to work with the NSA by planting false seeds of hope on the Internet, implying that these communications will be safer from governmental prying than in the past. It’s possible but not probable, since the US government does not directly work with anyone who doesn’t have a security clearance. And in the wake of scandals like the Snowden affair and the Bradley Manning scandal, US government agencies have been tightening access to classified materials in an attempt to limit the fallout from any future breaches in the system of trust.

The false promises these technology companies are making to users are driven by corporate greed because these companies are only interested in profiting from the constant monitoring and analysis of user data. Maybe only when the majority of private citizens turn to open-source peer-to-peer technologies will the real spies — American technology companies — be deprived of the opportunity to trick users into believing they have any reasonable expectation of privacy.

For all their political hijinks, Google at least has finally come forward and said you have no reasonable expectation of privacy. Therefore, you have no reason to believe they are putting your best interests at heart when they ask you to sign petitions related to the Edward Snowden and Bradley Manning scandals.

This isn’t about privacy, it’s about money.