Friday, February 15, 2008

Privacy in a Twittery World

Reliable Response is in an office building across from the Capital of Colorado. We get a lot of political groups in here. The most excellent Colorado Statesman is downstairs. The Colorado Right to Life group is next door. My favorite is Jim from the Colorado DLC. He and I talk occasionally. He lets me rant, and I help him with technical issues. Coming interviews with politicos around the state. Maybe he'll let me rant on camera.

Jim was asking me what I thought about the phone companies eavesdropping on us. Obviously, no one wants their private conversations to be listened to by anyone, especially some low-level government or telecom flunky. As a former low-level flunky, I can attest that we flunkies *love* listening in on internet traffic.

The fact is, to quote Scott McNealy, "Get over it. You have no privacy." I couldn't agree more. The government can't give it back to you. We can sue whomever we want, but the RBN will always be willing to sell your information to anyone who's willing to throw down a couple bucks for it. Try asking Putin to help...let me know how that turns out.

Anyone who knows me knows that I have worked in security, including a long-ish stint for RSA Security. I believe in encryption. I love it! Mostly because it puts the control over your privacy back in your hands.

To answer questions about telecommunications security, I will always say that counting on the government and the telecommunications companies to keep out of your business is naive at best. There's only one person you should trust. You. Make sure you have the best encryption you can use.

On the other hand, the government can, and should, make it easy for you to do that. To this end, the IETF has released RFC 3711, the Secure Real Time Protocol. This is an extension on top of the most popular VoIP protocol to provide real security. People should start using it. We should demand it's support for all VoIP phones, including Skype!

Reliable Response Notification doesn't use any of these mechanisms. It's a problem we're looking to address. We're publishing some pretty private information. Stuff like IT outages, purchase requests, and internal marketing communications. It keeps me up at night to think that someone might at AOL might be looking at these IMs streaming past. The problem is that the communication methods people use simply don't support these encryption standards. Even support for PGP, an encryption standard that was old 10 years ago, has seen so little uptake as to be considered effectively dead. This is a problem.

The government can help. Richard Clark's cybersecurity efforts are a start. The government should lead, promote and market security solutions. But, it should never make them mandatory. When there's critical mass, people will use them. I hope one day, people will tell me that they won't purchase Notification without built-in security.