Saturday, November 24, 2012

A few words on patronage

Over the past couple years, I've taken several big companies to task for their woeful privacy and security practices. Just as it is important to call out these flaws, I believe it is also important to give companies credit when they go the extra mile to protect their customers.

When Google began protecting Gmail with HTTPS by default, I praised the company. When it started voluntarily publishing statistics for government requests, I again praised the company. When AT&T protected its customers' voicemail accounts from caller ID spoofing by forcing users to enter PINs, I praised the company. When Twitter asked the government to unseal the 2703(d) order that it had obtained as part of its investigation into Wikileaks, I praised the company. When Facebook started to offer HTTPS, and then this month enabled it by default, I praised the company. When Mozilla switched to encrypted search by default for Firefox, I praised the organization.

You get the idea.

Of course, just because I praise a particular action by a company, it doesn't mean that I am suddenly giving the company or its products my seal of approval. As an example, I'm of course glad that Facebook is enabling transport encryption to protect its customers' communications from network based interception. That doesn't mean I suddenly love Facebook, or bless the company's other business practices. Turning on HTTPS by default is a great move, but it isn't enough to get me to open a Facebook account, or trust the company with my data.

It is unfortunate then that I must defend myself against Nadim Kobeissi's latest attempt at reputation assassination.

Earlier this month, I praised Silent Circle for the company's fantastic law enforcement compliance policy. [Silent Circle sent me an early draft of their policy, sought feedback, and even accepted some of my suggestions]. Compared to the industry norm, in which companies merely disclose that they will hand over their customers' data to the government when forced to do so, Silent Circle's policy is an absolutely stellar example of the ways in which companies can approach this issue in a clear, transparent and honest manner.

I have spent several years researching the ways in which law enforcement agencies force service providers to spy on their customers. Most companies are not willing to discuss their law enforcement policies, let alone publish them online. It is for that reason that I praised Silent Circle - because they have set a great example that I hope other companies will follow.

However, as with the numerous other examples I highlighted above, just because I praise a particular action by a company, it doesn't mean that I now stand behind the company or its products.

Although I have praised Silent Circle's legal policies, I've made no public statements regarding the technical merits of their products. When I've been questioned by journalists about the extent to which consumers should trust the company's technology, I've been consistently conservative. As I recently told Ryan Gallagher at Slate:

Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.

Nadim has suggested that I am endangering my independence and that I have some kind of conflict of interest regarding Silent Circle, possibly because the company loaned me an iPod Touch so that I could get a chance to try out the iOS version of their software while they work out the kinks in the Android version. (How does Nadim even know the company loaned me an iPod? Because I disclosed it in a discussion with him on a public mailing list.)

Let me be perfectly clear. I am not a consultant to Silent Circle or any other company. I am not on an advisory board for Silent Circle or any other company. The only employer I have is the American Civil Liberties Union. Yes, I regularly talk with people who work at the company, and offer suggestions for ways that they can better protect the privacy of their customers. However, I regularly give solicited (and even more frequently, unsolicited) feedback to many companies, big and small. Most ignore me, but some occasionally change their practices. I am a privacy activist, and that is what I do.