Saturday, November 24, 2012

A few words on patronage

Over the past couple years, I've taken several big companies to task for their woeful privacy and security practices. Just as it is important to call out these flaws, I believe it is also important to give companies credit when they go the extra mile to protect their customers.

When Google began protecting Gmail with HTTPS by default, I praised the company. When it started voluntarily publishing statistics for government requests, I again praised the company. When AT&T protected its customers' voicemail accounts from caller ID spoofing by forcing users to enter PINs, I praised the company. When Twitter asked the government to unseal the 2703(d) order that it had obtained as part of its investigation into Wikileaks, I praised the company. When Facebook started to offer HTTPS, and then this month enabled it by default, I praised the company. When Mozilla switched to encrypted search by default for Firefox, I praised the organization.

You get the idea.

Of course, just because I praise a particular action by a company, it doesn't mean that I am suddenly giving the company or its products my seal of approval. As an example, I'm of course glad that Facebook is enabling transport encryption to protect its customers' communications from network based interception. That doesn't mean I suddenly love Facebook, or bless the company's other business practices. Turning on HTTPS by default is a great move, but it isn't enough to get me to open a Facebook account, or trust the company with my data.

It is unfortunate then that I must defend myself against Nadim Kobeissi's latest attempt at reputation assassination.

Earlier this month, I praised Silent Circle for the company's fantastic law enforcement compliance policy. [Silent Circle sent me an early draft of their policy, sought feedback, and even accepted some of my suggestions]. Compared to the industry norm, in which companies merely disclose that they will hand over their customers' data to the government when forced to do so, Silent Circle's policy is an absolutely stellar example of the ways in which companies can approach this issue in a clear, transparent and honest manner.

I have spent several years researching the ways in which law enforcement agencies force service providers to spy on their customers. Most companies are not willing to discuss their law enforcement policies, let alone publish them online. It is for that reason that I praised Silent Circle - because they have set a great example that I hope other companies will follow.

However, as with the numerous other examples I highlighted above, just because I praise a particular action by a company, it doesn't mean that I now stand behind the company or its products.

Although I have praised Silent Circle's legal policies, I've made no public statements regarding the technical merits of their products. When I've been questioned by journalists about the extent to which consumers should trust the company's technology, I've been consistently conservative. As I recently told Ryan Gallagher at Slate:

Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.

Nadim has suggested that I am endangering my independence and that I have some kind of conflict of interest regarding Silent Circle, possibly because the company loaned me an iPod Touch so that I could get a chance to try out the iOS version of their software while they work out the kinks in the Android version. (How does Nadim even know the company loaned me an iPod? Because I disclosed it in a discussion with him on a public mailing list.)

Let me be perfectly clear. I am not a consultant to Silent Circle or any other company. I am not on an advisory board for Silent Circle or any other company. The only employer I have is the American Civil Liberties Union. Yes, I regularly talk with people who work at the company, and offer suggestions for ways that they can better protect the privacy of their customers. However, I regularly give solicited (and even more frequently, unsolicited) feedback to many companies, big and small. Most ignore me, but some occasionally change their practices. I am a privacy activist, and that is what I do.


Glenn Fleishman said...

It is difficult for people with strong opinions who may themselves lack an agenda correlated with compensation to accept that others who disagree with them are not on the take. This seems very consistent, and gets affirmation because, as we discover regularly, people who present themselves as dispassionate observers turn out to be accepting consulting money or other fees from groups that have a vested interest in outcomes.

One of the reasons that I wanted to write an Economist profile of you, Chris, was that over several years, I had never seen any single bit of correlation or insinuation that you had any financial interest in the work you did (except, perhaps, to receive additional funding from foundations to pursue independent work without impediment). The same of true of several of your colleagues, some of whom have been or are affiliated with academic institutions that give them a layer of insulation against deprivation (salaries or fellowships) and litigation (in-house counsel and supportive department or program chairs).

I believe we've had so many decades of parties with hidden financial incentives that it remains a knee-jerk reaction to accuse others. Fighting that reaction is just as important as pursuing in a rigorous and fair fashion when conflicts of interest seem to appear.

The other part of the Silent Circle issue is that Phil Zimmermann has spent many a year on projects, even commercial, that have a greater benefit to everyone but him. The fact that he founds companies and sells things seems to produce concerns among purists who want everything to be contributed to free and fully available under GNU or similar licenses for use. This despite the fact that Phil is responsible for more innovation and dissemination of powerful ideas for personal protection than nearly any other single individual.

Anonymous said...

Brings up a question... do you have a list of recommendations?

Being new to the idea of needing to secure my information, it can be a little overwhelming when first jumping in.

I stumbled here looking for reasons why Google never implemented a built in PGP system in G-mail, and ended up reading most if not all the links from 2012.