[liberationtech] Op-ed—A plea to Google: Protect our e-mail privacy

[Lisa Brownlee]

Good luck w that! Peeing in wind but tysvm for trying!

On Sun, Dec 16, 2012 at 12:44 PM, Rebecca MacKinnon <
rebecca.mackinnon at gmail.com> wrote:

>
> http://arstechnica.com/tech-policy/2012/12/op-ed-a-plea-to-google-protect-our-e-mail-privacy/
>
> Op-ed—A plea to Google: Protect our e-mail privacy Rolling out strong
> encryption for Gmail would be a win-win situation for Google.
>
> by Julian Sanchez <http://arstechnica.com/author/julian-sanchez/>
>
>  - Dec 15 2012, 11:50am EST
>
> We recently learned that even the director of the CIA, David Petraeus, can’t
> seem to secure his private e-mail conversations properly<http://www.nytimes.com/2012/11/17/technology/trying-to-keep-your-e-mails-secret-when-the-cia-chief-couldnt.html>
>
> , and over the past month tech commentators have responded to that
> discovery with a familiar litany of depressing advice: Privacy doesn’t
> exist online, e-mail is as public as a postcard, and don’t say anything on
> the Internet you wouldn’t want to read in the newspaper. Civil
> libertarians, meanwhile, have urged the need for legal reforms—such as a
> proposal just approved by the Senate Judiciary Committee to require police
> to get a warrant before obtaining e-mails or personal files stored in the
> cloud, which Congress is likely to consider next year.
>
> Yet politics, as we all know, moves much more slowly than technology. The
> courts aren’t much better: It was only in 2010 that a federal appeals court
> first ruled that the Fourth Amendment does, in fact, apply to e-mail, while
> the status of other types of digital records remains murky. Yet there is
> one company in an ideal position to dramatically increase e-mail privacy
> for hundreds of millions of users overnight, offering protection from
> malicious hackers as well as nosy governments—the same company, ironically,
> from which the FBI obtained Petraeus’ e-mail: Google.
>
> Back in the 1990s, so-called Cypherpunks waged a successful battle to
> loosen regulations on strong encryption software, dreaming of the day when
> the everyday communications of ordinary Internet users were protected by
> unbreakable digital locks. That vision has been only partly realized: We
> now have a vibrant and growing digital economy made possible by the routine
> encryption of commercial traffic, but routine encryption of e-mail contents
> is still largely seen as the province of geeks and paranoids, too arcane
> for the average user.
>
> One reason is that encryption, like the telephone or e-mail itself, is
> what economists call a network good: Its value to the individual user
> depends crucially on how many *other* people are using it. An e-mail
> account isn’t much use if you’re the only person you know who’s got one,
> and spending time figuring out how to use a suite of encryption tools only
> make sense if the people you want to write are using compatible tools.
> Moreover, encrypted communication requires a trustworthy repository of
> public keys, tied to individuals’ identities or e-mail addresses, so that
> only the true intended recipient of an encrypted message can unlock it with
> their private key.
> 425 million and counting
>
> Google is in an ideal position to overcome these difficulties, and finally
> make strong e-mail encryption a mass phenomenon. Their Gmail service—the
> one David Petraeus was using to exchange steamy messages with his
> biographer and lover, Paula Broadwell—has some 425 million active users by
> last count. Many of those users access the service through a Web interface,
> which Google can change and update for all users simultaneously. That means
> we could all wake up tomorrow to find a handy new “Encrypt Message” button
> included in the familiar Gmail interface we’re already using. Meanwhile,
> Google (along with Facebook) has rapidly become a kind of universal
> Internet identity provider, with the Google Account used as a key not only
> to access Google’s own myriad offerings, but many other independent online
> services as well.
>
> Because truly strong encryption is “end to end”—meaning the end-users
> generate, store, and have sole access to their own private encryption
> keys—a robust content encryption system may require users to have
> appropriate client software installed on their own machines. Here, too,
> Google is well positioned to provide a solution: They already make a
> widely-used browser, Chrome, and a popular operating system for mobile
> devices, Android, which could be updated with the necessary functionality
> built-in, eliminating the need for a separate browser plug-in.
>
> Though it often takes flak from privacy advocates, Google has a history of
> taking steps to advance user privacy: In 2010, the company activated
> HTTPS as the default protocol for Gmail users<http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html>
>
> , ensuring that traffic between Google’s servers and the end-user would be
> automatically encrypted. (Facebook, another popular privacy whipping boy, followed
> suit only this year<http://www.computerworld.com/s/article/9233897/Facebook_to_roll_out_HTTPS_by_default_to_all_users>
>
> .) It also offers two-factor authentication, which helps guard against
> hackers by requiring a special code, sent by SMS to the user’s cell phone,
> whenever someone logs in from an unrecognized device. Yet because Google
> itself ultimately holds the keys to each account, these safeguards aren’t
> much use if the company’s own systems are compromised—as has already
> occurred<http://arstechnica.com/tech-policy/2010/01/furious-google-throws-down-gauntlet-to-china-over-censorship/>
>
>  in a series of recent attacks<http://online.wsj.com/article/SB10001424052702303657404576359770243517568.html>
>
>  targeting Chinese dissidents—or when a government (whether that of the
> United States or some nastier regime) comes knocking with a subpoena.
>
> So why hasn't it already rolled out strong encryption for end users? Well,
> because Google isn’t a charity: It's a business that is able to provide an
> incredible array of free services because they can profit from serving up
> highly targeted ads, enabled by sophisticated analysis of all the data
> their users generate. As “grandfather of the Internet” Vint Cerf, now
> Google’s Chief Internet Evangelist, explained to privacy activist Chris
> Soghoian at a panel last year<http://paranoia.dubfire.net/2011/11/two-honest-google-employees-our.html>
>
> , “we couldn't run our system if everything in it were encrypted because
> then we wouldn't know which ads to show you.” In other words, if your
> e-mails are secured with a lock that Google itself can’t open, then it
> can’t scan your e-mails for keywords in order to show you ads for Parisian
> restaurants when you’re writing your friends about an upcoming trip to
> France.
>
> Fair enough: Nobody expects Google to blow up the business model that
> makes possible all the cool free stuff it offers. But precisely because it
> has expanded into such a wide range of integrated services, Google is
> hardly dependent on keyword analysis of e-mail to target ads: It can still
> use all the information gleaned from users’ search histories, social or
> location profiles, and favorite YouTube videos. Moreover, even the most
> privacy-conscious Gmail users are hardly likely to encrypt “everything”:
> The vast majority of nonsensitive messages would probably still be sent in
> the clear. Meanwhile, Google would garner enormous goodwill from privacy
> advocates, reams of free press coverage, and an attractive new selling
> point, not only for Gmail  but for Chrome and Android as well. Encryption
> would likely be a particularly appealing feature for Google’s paying
> enterprise customers, whose messages may contain information that is not
> only private but highly valuable. At the very least, it’s worth running the
> numbers again to see whether offering strong encryption might now be a net
> boon to the company’s bottom line.
> Backdoors to come?
>
> There is, finally, a powerful *political* reason to introduce strong
> end-to-end encryption now, beyond the obvious benefits for individual
> users. The FBI, which fears that its digital wiretaps will “go dark” as
> encrypted communications become more popular, has been quietly but
> vigorously promoting<http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/>
>
>  an update to the Communications Assistance for Law Enforcement Act to
> cover providers of online communication services like Google and Skype.
> Just as phone companies have to build wiretap capability into their
> networks, they want Skype and Google to build in centralized backdoors for
> law enforcement: Strong end-to-end encryption would be out, as companies
> would be required to hold copies of the keys to all “secure” communications
> for police convenience. This myopic move would drastically reduce the
> security of everyone’s communications in the name of making it a bit easier
> to spy on a tiny handful of criminals. It’s also unlikely to do much good:
> If criminals know that Google can’t offer truly secure communications,
> there’s no way to stop them from simply employing their own unbreakable
> encryption.
>
> The government could still obtain the encrypted e-mails from Google, of
> course, but would need to get the key from the user in order to actually
> read them—but that's no greater burden than police have historically faced
> with an individual's private papers.
>
> While civil libertarians and privacy advocates are sure to resist any such
> proposal, the average Internet user, with little direct experience of truly
> secure communications, may not see what the fuss is about. It’s an iron law
> of politics: Because people are loss-averse, taking away something people
> already have and value can be all but impossible—while preventing them from
> getting it in the first place is far easier. By rolling out e-mail
> encryption now, Google can ensure that ordinary users see myopic efforts to
> regulate secure communications infrastructure as something that affects *
> all* of our privacy and security—not just that of faceless crooks or
> terrorists.
>
> Google has already transformed our daily lives in an astonishing variety
> of ways—from how we find information online to how we find a restaurant in
> a new city—but it has also been cast, from time to time, as a privacy
> villain in the process. Now it has an opportunity to transform how the
> public views the privacy of e-mail communications—while burnishing its own
> reputation in the process.
>
> --
> Rebecca MacKinnon
> Author, Consent of the Networked <http://consentofthenetworked.com/>
>
>
> Co-founder, Global Voices <http://globalvoicesonline.org/>
>
>
> Senior Fellow, New America Foundation <http://newamerica.net/user/303>
>
> Twitter: @rmack <http://twitter.com/rmack>
>
>
> Office: +1-202-596-3343
>
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>



-- 

-- 
Lisa M. Brownlee, Esq.
Mexico
Skype:  lisa.m.brownlee
lmbscholarly2 at gmail.com
lmbcontacts at yahoo.com
Author's website at West Thomson
Reuters<http://west.thomson.com/store/authorbio2.aspx?r=4889&product_id=15033039&aurec=2000017572Auth>
About my Law Journal Press
treatise<http://www.lawcatalog.com/product_detail.cfm?productID=15196&setlist=0&return=search_results&CFID=20088542&CFTOKEN=b6ddabf982b888e4-2F42CE2A-B3D2-E07B-503BCB3A910E5EEC>
Facebook: Lisa M
Brownlee<http://www.facebook.com/#%21/profile.php?id=1691642784&sk=info>

Author of:

Intellectual Property Due Diligence in Corporate Transactions: Investment,
Risk Assessment and Management (West Thomson Reuters)

Assets & Finance: Audits and Valuation of Intellectual Property (West
Thomson Reuters)

Federal Acquisition Regulations: Intellectual Property and Related Rights
(Law Journal Press)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20121217/44a3eda8/attachment.html>