As the year comes to close and we look ahead to 2014, many of us turn our attention to New Year’s resolutions. Losing weight, quitting smoking or getting fit are all popular goals. But as our lives become more complex and harried, one resolution that I hear with increasing frequency is: I want to simplify my life.
Many of the world’s greatest thinkers have touted the virtues of simplicity:
Simplicity is the ultimate sophistication. – Leonard da Vinci
Our life is frittered away by detail…Simplify, simplify. – Henry Thoreau
Life is really simple, but we insist on making it complicated. – Confucius
And this got me thinking about simplifying security. Cyber security is becoming so complicated that you could argue that complexity is one of our biggest security challenges. The evolving trends of mobility, bring-your-own-device (BYOD), cloud computing and advanced targeted attacks are driving this complexity. Today’s networks go beyond traditional walls and include data centers, endpoints, virtual and mobile. These networks and their components constantly evolve and spawn new attack vectors including: mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers and home computers.
As threats and our IT environments have become increasingly sophisticated, they’ve collided with traditional security methods that have not followed suit. Is it possible to simplify security yet increase its ‘sophistication’?
Most organizations attempt to secure these extended networks with disparate technologies that don’t – and can’t – work together. Not only are these structures difficult to manage but they create security gaps sophisticated attackers exploit with methodical approaches that leverage time, patience and nearly imperceptible indicators of compromise to accomplish their mission. We find ourselves ‘frittering away’ too many resources manually managing more and more security tools, yet breaches happen and go undiscovered for much too long.
As a cyber security professional, if you’d like to make a New Year’s resolution to simplify your approach to security while enhancing your defenses, you need a new model that is threat-centric – meaning focused on the threats themselves versus merely policy or controls. It must provide broad coverage across all potential attack vectors, rapidly adjust to and learn from new attack methods, and implement that intelligence back into the infrastructure after each attack.
Technologies that incorporate the following capabilities can help simplify security.
Visibility: To harness local and global intelligence with the right context to make informed decisions and take immediate actions. This requires the ability to tap into the power of big data analytics for better insights; open interfaces to visibility tools and real-time vulnerability-based research to proactively identify and respond to threats anywhere and anytime; and an open architecture for transparency.
Control: To consistently enforce policies across the entire network and accelerate threat detection and response. This requires an enterprise security architecture to enable unified, automated enforcement of polices from the data center, to the cloud, to the endpoint; enterprise-class, integrated policy and event management for more consistent control and better visibility into security devices; and open interfaces to control platforms to eliminate security gaps and complexities of point solutions.
Advanced Threat Protection: To detect, understand and stop targeted malware and advanced persistent threats across the entire attack continuum. This requires threat protection across the entire organization, from network to endpoint, from mobile to virtual and from email to web; and pervasive protection before, during and after attack, across more attack vectors and points of vulnerability.
Flexibility: To deploy security in a way that best fits and adapts to your changing environment. This requires it to be available in multiple form factors – physical, virtual, cloud and services depending on your business model; and open APIs to manage and support existing and evolving security infrastructure.
You can’t afford to leave gaps in protection that today’s sophisticated attackers exploit. At the same time, you can’t keep adding disparate security solutions that don’t work together. With technologies that enable visibility, control, advanced threat protection and flexibility, it is possible to simplify security and increase effectiveness. We no longer need to ‘insist’ that security must be complex. Instead, we can simplify.
It’s that time of year again when everyone wants to wow you with their insights and predictions about what the next year will bring us in terms of technology and hacks in the security industry. Don’t get me wrong, always thinking ahead and applying a predictive approach to security is an idea and practice I fully endorse. However, I would like to ask the security community as a whole to please not waste our time with vagaries and statements that are so broad that they could apply to anything, and/or at the same time, nothing.
For those unfamiliar with the name or work, Michel de Nostredame, aka Nostradamus, was a French apothecary and reputed seer who published collections of prophecies that have become famous worldwide. While he is the most famous of the prognosticators, his predictions are largely panned by the scientific community as being too general as to be moldable to fit multiple scenarios and situations. His most famous of all predictions was that the world was going to end in 1994, and then again in 1998 or maybe it was 2000. No, it was definitely going to end on December 21, 2012. Well, I’m writing this in November of 2013 so I guess that didn’t quite work out the way he had envisioned after all.
The reason I bring this up is that if Nostradamus had envisioned our networked world of 2014 and had written predictions about the security challenges that existed, I’d expect them to look something like this:
– Hackers will target data in the cloud
– Attacks will continue to become more sophisticated
– Cybercriminals will be motivated by profit
– China and other nation states will remain a top security concern
– Mobile devices will be under increased scrutiny
Please raise your hand if any of these predictions have helped you shore up your security planning for 2014. Anyone? I didn’t think so. While I changed some of the wording to protect the guilty, the themes of each of these predictions was a direct pull from members of our industry. Forward-thinking and practical advice from experts is always appreciated, but we need to do a better job making constructive points in our observations.
What we need are view points and recommendations based on analytics and trends in data that will point us towards actual solutions to real problems. One of the better reports published each year is the Emerging Cyber Threats Report presented by the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI). While it’s a fairly lengthy report, it is well worth your time investment as it provides analysis and trends with straightforward explanations of the types of threats we should be actively preparing to deal with in the coming years. These are the types of reports that allow companies to plan for security based upon facts, data, and the analysis of the best minds in the security industry and law enforcement.
As I’ve written about in the past, we as an industry do a great job of hyping ourselves, but a poor job of explaining what we do and how we solve problems within an organization. This needs to change. As we move into 2014 and beyond, security will continue to take on increased importance within organizations, especially those who deal in sensitive data or areas of critical infrastructure. It will need to become more tightly integrated into business planning and the CISO will need to become an agent of change within the organization.
As I’m sure you could gather from the opening portion of my article, I’m not much into predictions. A clever sound bite can’t ever be a substitute for careful analysis and years of research and development aimed at solving the industry’s most technical challenges. Despite years of heavy investment in security, none of us can stand here today and say that we are winning. At the same time, we continue to face more sophisticated foes with increasingly well-funded technology capable of delivering significant attacks on our most valuable institutions.
While I won’t make a prediction per se, I will leave you with what I consider to be a statement of fact. We in the security industry need to do better. We need to continue to advance our technology and develop new and better ways of addressing security concerns and vulnerabilities. Due to the very nature of our business we will always be playing catch-up to the hackers, but that is a challenge we need to meet. I’m not sure who said it first, but the reality remains, in the security industry, we need to be right 100 percent of the time whereas the hacker only needs to be right once. Words to live by and ones that I’m pretty sure didn’t come from Nostradamus.
Summary: CryptoLocker has infected an estimated 250,000 victims, demands an average $300 payout, and is trailing millions in laundered Bitcoin. Dell SecureWorks’ new paper sheds light on the unstoppable ransomware.
Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each, and millions in laundered Bitcoin have been tracked and traced to the ransomware’s money runners.
Spreading like wildfire from offices to homes, it arrives in email attachments (or over infected networks) to aggressively encrypt all files on a system (including mapped drives, Dropbox files, and all locally connected, network-attached, or cloud-based storage) – while an ominous onscreen timer demands payment within 72 hours.
Mess with the files or decline to pay and forget about ever opening your files again.
To date, no one has successfully defeated CryptoLocker. The Windows-only ransomware has held rapt the attention of malware fetishists since its formal appearance in September.
The Swansea, Massachusetts police department was hit in November.
The officers paid CryptoLocker’s ransom. Police Lt. Gregory Ryan told press that his department shelled out around $750 for two Bitcoin on November 10 – even then admitting his department had no idea what Bitcoin is, or how the malware functioned.
One Bitcoin address, one million dollars in a day
Dell’s CryptoLocker report cites a Computer Science thesis from an Italian grad student who looked at a few known CryptoLocker Bicoin payment addresses while examining BitIodine.
The thesis reported a stunning take for one CryptoLocker address on one day:
In total, we identified 771 ransoms, for 1226 BTC (approximately USD 1,100,000 on December 15, 2013).
After tracing another Bitcoin address belonging to CryptoLocker and watching it move over six million dollars they concluded, “This suggests that our estimate of their racket is very conservative.”
Dell SecureWorks released its detailed report on CryptoLocker Ransomware Wednesday, cementing what several researchers already knew about CryptoLocker’s cruelly smart extrotion system.
Dell’s unwillingness in its paper to estimate precise ransom payment statistics has confused press reports thus far: many articles incorrectly report $30 million (beginning with this updated URL, now citing an obviously incorrect $300K).
On our examination of Bitcoin addresses shared by victims online, the real number is likely in the hundreds of millions.
SecureWorks admits the true payout number is “very likely many times that” which its own paper suggested.
Bitcoin is “most cheap option”
CryptoLocker is criminally simple – and strangely eloquent, if you’re a supervillain.
Dell’s researchers estimate that between 200,000 and 250,000 systems were infected globally in the first 100 days after CryptoLocker’s release.
Carbonite, a cloud backup service, was reported in November to have been dealing with “several thousands” of phone calls from CryptoLocker-infected victims, and now have a dedicated team dealing with CryptoLocker recoveries.
In research for this article ZDnet traced four bitcoin addresses posted (and re-posted) in forums by multiple CryptoLocker victims, showing movement of 41,928 BTC between October 15 and December 18.
Based on the current Bitcoin value of $661, the malware ninjas have moved $27,780,000 through those four addresses alone – if CryptoLocker cashes out today.
If CryptoLocker’s supervillans cash out when Bitcoin soars back up to $1000, like it did on November 27… Well, $41.9 million isn’t bad for three months of work.
Many victims believe that CryptoLocker briefly moved its ransom sums through Bitcoin addresses to launder the bounty; just-dice.com was repeatedly cited as a digital “mixer” point.
The malware doesn’t appear to the victim until all files are successfully encrypted (and in case you thought it was safe to proceed, you’re not: CryptoLocker periodically scans for new files).
CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives.
Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots.
When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.
Then, your files are swiftly and silently owned.
The encryption process begins after CryptoLocker has established its presence on the system and successfully located, connected to, and communicated with an attacker-controlled C2 server. This communication provides the malware with the threat actors’ RSA public key, which is used throughout the encryption process.
(…) Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography offered by Microsoft’s CryptoAPI.
By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent.
Dell’s paper suggests CryptoLocker’s puppetmasters are in Russia and Eastern Europe, with primary targets in the United States, as well as other English-speaking countries.
A “bastard and fiendish” idea
When all files have been encrypted, each victim is then presented with an ugly splash screen with an ominous countdown timer, demanding payment.
CryptoLocker honors ransom payments.
Upon submitting payment, victims’ computers no longer show the threatening countdown screen and instead see a new payment activation window.
In Dell’s words, “During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process.”
If you didn’t pay, you gave up your files – and any new ones you made on your system after infection. To date, no one has successfully recovered files after CryptoLocker infection – unless they paid the ransom.
CryptoLocker’s ransom amount has varied since its debut in September, but currently sits at $300 (USD) and 300 Euro – the ransom price is typically listed in cash currency, and Bitcoin.
Bitcoin instability over the past few months has prompted CryptoLocker’s masterminds to reduce the ransom to 1 BTC, 0.5 BTC, and then to where it is currently: 0.3 BTC.
At first, CryptoLocker included [two known] static bitcoin addresses for everyone who was infected. The current versons of CryptoLocker dynamically generate new bitcoin payment addresses for each infection instance.
CryptoLocker cares
In early November, CryptoLocker’s clever writers added a new feature called the CryptoLocker Decryption Service.
SecureWorks explained, “This service gives victims who failed to pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system.”
Not surprisingly, CryptoLocker’s “Decryption Service” is much more expensive than the original ransom – a hefty 10 BTC.
And what if a victim’s anti-virus software deletes the CryptoLocker executable before the ransom is paid?
Rather than leave you high and dry with encrypted files, a key, and no way to unlock them, CryproLocker detects the deletion of its executable files and shows victims a message that contains a link to a decryption tool that victims can download in case this happens.
BleepingComputer explains, “There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files.”
CryptoLocker has left such a wide swath of confused and angry victims that numerous forums where victims have been gathering online since September to share information about their experience, offering details in hopes of helping others.
Active IT threads on sites such as Reddit (r/sysadmin, r/techsupport, others) and BleepingComputer have ended up doubling as pseudo-support networks for those under CryptoLocker’s timed gun.
After taking everything in, one Redditor was moved to remark that CryptoLocker is a “bastard and fiendish idea.”
We’re sure they got the message.
It’s widely accepted that CryptoLocker’s masterminds lurk on blogs and forums about CryptoLocker (especially this thread), and have responded to infected user’s issues, as well as “give other messages on the home page of their Command and Control servers.”
Another Redditor writes,
The malware author has responded to people in forums, helping them pay and such, and has stated that the keys are not sent out on an automated process, but selected manually by him for deletion and sending for decryption.
He keeps the keys longer than the 4 days, and will troubleshoot moneypak codes not working, and will send the decrypt key as fast as he can after he gets the money. He knows each computer that has it, and each computer gets a unique key.
Still, no one has been able to draw a bead on who might be pocketing CryptoLocker’s spoils.
Dell’s new paper looks for clues in the malware authors’ behavior patterns:
Analysis of the IP addresses used by the threat actors reveals several patterns of behavior.
The first is that the threat actors use virtual private servers (VPS) located at different ISPs throughout the Russian Federation and in former Eastern bloc countries.
The extended use of some of these hosts, such as 93.189.44.187, 81.177.170.166, and 95.211.8.39, suggests that they are located at providers that are indifferent to criminal activity on their networks or are complicit in its execution (such as so-called “bulletproof” hosting providers). The remaining servers appear to be used for several days before disappearing.
The researchers say they don’t know if the servers are disappearing because ISPs are terminating CryptoLocker’s service, or if it’s because CryptoLocker’s crimewave gang prefers to stay a moving target.
Tell mom and dad not to open every damn email attachment
The first instances as reported by SecureWorks explains that the first wave of infection was through targeted emails with attachments, and this appears to remain a common vector.
The attachment, most of the time, is a .zip with a .PDF inside, which is actually an executable (.exe).
The flawless malware spread out of office networks, and currently targets home computer users as well.
Dell’s researchers noted that peer-to-peer (P2P) CryptoLocker infections began to appear in early October.
On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns.
(…) Attached to the message is a ZIP archive containing a small (approximately 20KB) executable using a document extension in the filename and displaying an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.
(…) As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker.
Dell’s report explains that the first email wave, targeted at businesses, lured clicks by addressing professionals to notify them of a formal complaint. But outside of Dell’s paper, victims report CryptoLocker emails coming from spoofed Xerox email addresses, emails about resumes, and a commonly cited subject line is “Payroll Report.”
Mine came from a business source we deal with that had an attachment labeled “stores parts.zip” and a title of “Sent by email: stores parts.zip” –wisdom_and_frivolity
The SecureWorks paper brought together much of what has already been written about CryproLocker, tied a number of threads, and provides a solid marker moving forward.
Now, if only Dell products were coded with the maddening target-objective mindset and frightening efficiency of CryptoLocker…
The main improvement that needed to be added to the site, as its creator Troy Hunt himself acknowledged, was a notification service to allow users to enter an email address and be notified in the future if their address appeared in any databases added to the service. Troy has now added the notification service.
haveibeenpwned.com allows you to check whether an email address is in one of several publicly-released databases of breached email addresses, with a total of 154 million email addresses. Troy says the site has been wildly popular and that, by far, the number one request for a notification service.
When you click “Notify me if my address gets pwned in the future” you are presented with the screen below. If you have searched on an email address already, it is pre-populated in the field. You must then fill a CAPTCHA (this is unfortunately necessary for several reasons) and click “notify me of pwnage”.
The service then sends a confirmation email to the address entered. Click the verify link in the email and you are registered for notifications. Troy provided this sample notification email:
It’s still a free service which is good, but note that this not his day job. In fact, it’s costing him some money, but not much: “less … than what I spend on coffee…” So he sees no reason to charge for it, but if there is another major breach and he’s busy, you might not be able to expect him to enter the database and notifications to follow immediately. Troy wrote the site, in part, as an exercise in learning to program Windows Azure services, and he says it’s a good demonstration of how powerful services can be built and operated inexpensively on Azure.
Next on Troy’s roadmap: domain-wide verifications. You can be notified if any address in a domain is in a database. A more stringent verification process of some kind will be necessary, since he needs to know that the person receiving notification for example.com is actually authoritative for that domain.
Comment Widespread ridicule has greeted the announcement that eight giant technology companies led by Google and including Facebook and LinkedIn were going to save us from the NSA.
The ridicule is thoroughly justified, for trusting giant corporations – whose business models rely on selling your identity to advertisers – to safeguard your privacy is like hiring a kleptomaniac to guard the sweet shop.
Thirty years after the Khmer Rouge declared war on “the Garden of the individual”, Silicon Valley was lauding the collective “hive mind” while stealthily dismantling the rights that protect the individual.
Both practically and philosophically, today’s giant web corporations are incapable of defending you – and how can they, when don’t really accept that the individual really exists? In Silicon Valley, the individual is merely a phantom: a collection of patterns, or a node secreting data into one of its giant analytical processing factories.
Before we can understand why tech/media companies can’t protect the individual, and why their “solutions” are impoverishing us, let us remind ourselves what’s happened. We need to see how complicit the data business was with the behaviour of the intelligence agencies.
Spooky action at a distance
Edward Snowden’s revelations confirmed that 20 years after it was opened to the public for commercial access, the internet is subject to the same casual warrant-free surveillance as the circuit-switched telephone network. Fantasies that the internet would put us beyond the reach of the spooks turned out to be just that: fantasies. Only a fraction of Snowden’s material has been released, and much of it is banal: spies spy on foreign powers, for example. But the material did confirm that the physical infrastructure of packet communication is completely compromised, andsecurity backdoors are apparently commonplace.
This week’s disclosures in Der Spiegel confirmed the lack of protection. Spiegel did not draw from the Snowden cache in its report, which details alleged offensive capabilities of the NSA’s Office of Tailored Access Operations (TAO).
According to the German magazine’s report, TAO’s operations range from Q-Branch-style custom hardware to directed hacks on suspected individuals, networks and infrastructure. It would be naive to think this didn’t already go on, given the capabilities of Russian and Chinese cyber-warfare teams against political and industrial targets. The sophisticated Stuxnet malware, believed to be a joint US-Israeli effort, was constructed to disable control systems in Iran’s nuclear fuel processing plant.
Yet at least the NSA is subject to democratic scrutiny. Technology companies are not. The scrutiny of the NSA may have been supine and ineffective, thanks to senators including Democrat grandee and chair of the Senate Intelligence Committee Dianne Feinstein – but the structure is there to provide better oversight.
The Great Data Slurp
What I find far more disturbing than anything in Snowden’s cache is the fact that Silicon Valley’s internet companies have been complicit in denuding citizens of the privacy an individual requires to be an individual.
Firstly, these companies are a data acquisition industry. They hired the best engineers and mathematicians of their generation and set them about creating a kind of derivatives bubble of inferred human behaviour. The gimmicky gadgets we feature – Android phones and Google Glasses – are simply subsidised data-capture devices. I am doubtful there is as much value in this data as the hypesters want us to believe – because economists always put more store by “revealed preferences” – what you actually spend on a good – than by second guessing what you mightspend.
Far from being bold and “disruptive”, Google and Facebook appear to be deeply conservative companies that seem loathe to stray from their comfort zones. They’d prosper from helping other industries build transaction-based markets, which makes the inferral analytics less important than traditional business skills. Why don’t they go there? Perhaps the nerds who run these web companies fear being smaller fish a bigger pond.
Yes, I like cat videos. What’s it to you?
However, if there is value in this data they capture, then we are giving it away too cheaply. New elites prosper on the back of this. This prompted Jaron Lanier to suggest that we charge them for it, receiving a micropayment when an ad is clicked. There are two drawbacks in Lanier’s suggestion. One is that it relies on micropayments, which only ever work in aggregate amounts – discrete micropayments are too expensive to process. The second, rather larger problem, is that there isn’t enough money there in the first place.
So, instead of conducting a real transactional business, or helping other people make operational IT efficiencies, they’ve created a ghost world of their own instead, in which we’re the product. This required a public relations effort to try to persuade us we don’t have any property rights over our data, anyway.
While you were out fighting SOPA, we left you this note
One of the most ironic sights of 2013 was seeing the fugitive Snowden open up a laptop emblazoned with stickers for the EFF, the Electronic Frontier Foundation. The EFF is just one of many groups that receives money from the technology industry – with Google leading the handouts – waging a ceaseless war on the individual’s digital rights, while claiming to defend them.
These groups also loudly claim to be privacy watchdogs – yet have turned their meek protest into a funding activity. And guess who’s doing the funding? When Google and Facebook settled their respective Buzz and Beacon privacy lawsuits, the biggest beneficiaries were not individuals but “organizations that are currently paid by [Defendant] to lobby for or to consult for the company” thanks to a quirk called cy-près. The EFF and ACLU each bagged $1m from the settlement, which for the EFF was more than it raised in donations. And it has some pretty wealthy donors.
So the poachers are paying off the gamekeepers.
The web giants have also paved the way for the NSA by driving a bus through legal loopholes. For example, The Washington Postreported how the NSA justified its infrastructure interceptions by arguing it wasn’t really doing interception.
The distinction is between “data at rest” and “data on the fly.” The NSA and GCHQ do not break into user accounts that are stored on Yahoo and Google computers. They intercept the information as it travels over fiber optic cables from one data center to another.
Sound familiar?
It should do, as it was the same argument Google used when it launched Gmail in 2004. Google was reading your email because it wanted to inject advertisements based on your private communication. So it sought to redefine “reading” as “not actually reading”. Here’s what security expert Mark Rasch predicted at the time.
Google will likely argue that its computers are not ‘people’ and therefore the company does not ‘learn the meaning’ of the communication. That’s where we need to be careful. We should nip this nonsensical argument in the bud before it’s taken too far, and the federal government follows…Imagine if the government were to put an Echelon-style content filter on routers and ISPs, where it examines billions of communications and ‘flags’ only a small fraction (based upon, say, indicia of terrorist activity). Even if the filters are perfect and point the finger only completely guilty people, this activity still invades the privacy rights of the billions of innocent individuals whose communications pass the filter. Simply put, if a computer programmed by people learns the contents of a communication, and takes action based on what it learns, it invades privacy.
So what’s to be done?
Why any Silicon Valley ‘bill of rights’ will guarantee you never have any
Well, you can adopt DIY crypto tools, and try to teach your neighbour to use them. But most will give up long before they’re proficient in them – which means affordable powerful legal tools for the individual to exercise against government and corporations are vital. Laws and procedures that recognise the individual as sovereign, the supreme owner of the data, of digital objects or things. The individual would then have contractual relationships with companies and governments, as need be. In other words, property rights that allow every individual to assert where their property is used and for how long. This has a name: habeas data.
And the very good news is these powerful individual legal rights to assert ownership and usage over stuff we create are already here. They’re called intellectual property laws. And now you can begin to see why technology companies have lobbied so hard and furiously to weaken them, particularly by weakening copyright. This is a classic misdirection. Invent a bogeyman, and divert the people’s attention to fighting it, while you quietly steal their rights. Try and persuade people they’re not rights at all, but restrictions on freedom. Lobby governments to make those rights ineffective. And if that fails, weaken the ability of the individual to get access to justice in enforcing those rights.
Alas, I expect lots of windy rhetoric about a “bill of rights”, in which web giants would promise to never, ever abuse your privacy… unless you allowed them to in a 94-page click-through contract. A government-blessed privacy right would be little more use, particularly as these things contain acres of exceptions that render the rights meaningless. (Example: ECHR Article 10, supposedly guaranteeing freedom of speech. Except when the shit hits the fan – and you don’t have any.)
Because the web industry has spent 20 years fighting the application of individual property rights to digital things, like data, we can expect it to fight very hard for a meaningless set of “rights” that don’t protect your privacy. Through campaigns branded with the over-used phrase “open data”, the web industry has even persuaded governments to give away potentially lucrative data for nothing, without a penny being returned to the investor: the taxpayer. Yet without being able to assert property-ish rights (rights that exclude others), you’ll never have any privacy.
The way forward should not be as complicated as you might fear. First we need to recognise the web industry with its “siren servers” isn’t our friend, or any defender of the individual – and that’s already happening, I think. It’s apparent with every feature on Google Glass. Then we can begin to assert that we own everything we produce, extending copyright rights and practice to our own data. Only then will the giant web companies – who have lots of positive things to contribute – realise that they need to show respect to the individual, too. The “collective externalised mind” is its own form of tyranny.
Is it too much to ask? We’ve seen a concerted effort to grant legal rights to trees and rivers – with lawyers ventriloquising on their behalf. If trees can gain rights, why must we lose ours? ®