Sure, encrypt your email – while your shiny IoT toothbrush spies on you

Harvard's internet arm frets about gizmo security


Analysis: The increasingly noisy debate over encryption is nothing to worry about, eggheads at Harvard have announced today: it's your toothbrush you need to worry about.

In a 37-page paper titled Don't Panic: Making Progress on the 'Going Dark' Debate [PDF], a team from the Berkman Center has summarized discussions between themselves, security experts, and a number of unnamed people from the US intelligence community.

The goal of the discussions was to bridge the gap that has opened up between law enforcement and politicians – who have been asking for backdoors in software products and access to encrypted information – and tech companies and security bods, who have been arguing that strong encryption is critical for our digital future.

The end result is a very readable summary of the current situation with respect to encryption and why the FBI feels end-to-end encryption is a danger. Ultimately though, beyond producing a useful article for Wikipedia, the paper boils down to two things:

  1. The Feds shouldn't worry too much about encryption because it's not in tech companies' financial interests to provide it, and
  2. Whatever evidence is lost from the end-to-end encryption of, say, text messages will be more than made up with the expansion of Internet of Things products that have horrible security.

The first point: "First, many companies' business models rely on access to user data. Second, products are increasingly being offered as services, and architectures have become more centralized through cloud computing and data centers."

So because it's not in companies' interests to do so, they won't create truly secure end-to-end encryption for everything. Which means eavesdroppers will still, somewhere along the line, have access to sensitive stuff like encryption keys: law enforcement can get a court order (or otherwise pressure the corporation) to hand over the necessary information or cough up the knowhow to successfully wiretap internet-connected gadgets.

The paper notes two additional elements in favor of this argument: one, fully secure encryption is technically complex and can have a performance hit on low-end devices; and two, the ecosystem of electronic devices is so broad that it is a pain to introduce a system that will provide trustworthy end-to-end encryption.

We can see you

As to the second, scarier point: the internet of things super-surveillance net.

The paper has this to say: "The Internet of Things promises a new frontier for networking objects, machines, and environments in ways that we are just beginning to understand. When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be. These forces are on a trajectory towards a future with more opportunities for surveillance."

The paper uses recent examples, including the Samsung TV, the listening Barbie dolls, and Amazon's Echo. It also makes reference to an interesting case back in 2001 when the FBI tried to get a car company to use its roadside assistance service to record conversations in a vehicle. The company took the matter to the US Court of Appeals, which shot the FBI's case down but, according to the Berkman Center, not on surveillance grounds. By extension, it says that it is possible your car could act as a bug against you so long as your car's security features aren't impacted.

For some reason, however, the paper doesn't then point to the high-profile recent cases of cars being hacked.

It's not just cars though: "Appliances and products ranging from televisions and toasters to bed sheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables are being packed with sensors and wireless connectivity."

The argument is that this wealth of devices is going to provide intelligence services with the ability to track and listen in to people far beyond what they can do now. Hence: let's not worry about encryption – your kitchens and bathrooms are being bugged anyway.

