This week EPFL pulled together 6 world-renowned privacy experts for a one-day conference. There’s a detailed transcript at the Guardian. Read the whole thing if you have time. I was at the conference and here’s my summary:
There’s a lot of surveillance
The US and some European states are doing this, and who knows what China and Russia are up to. Intelligence agencies have everyone’s social graph from phone calls (forcing the telcos to give them this), email (via sniffing the main internet cables), and social sites (public data and who knows what). They have your metadata, and some of your data: probably the text of your emails (as these come through the main internet cables unencrypted); probably IM (e.g. Skype); and possibly some encrypted traffic (through security weaknesses and having got hold of some server SSL keys).
Politically the US isn’t going to stop unrestricted spying on foreigners
Since the Snowden revelations, there’s been a backlash in the US against unrestricted surveillance, both in the US government and at the grass roots. They’re focused on fixing this for US residents only. Foreign companies & individuals are not going to get any guarantees anytime soon about spying happening on their data in US clouds & internet companies.
One of the reasons for fixing it for only US residents is the interpretation of the 4th amendment:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized
Recent judgements rule that “the people” refers to the people of the US only. So fixing excessive spying for US residents can be done starting with the US constitution, but for foreigners it can’t.
The political process is difficult enough anyway, so addressing spying on residents and foreigners together would slow down the process of protecting US citizens. So that’s the way it’s heading, and the US Internet industry will not be able to host foreign data safely for a long time. There’s an opportunity for Europe to build clouds to compete with Amazon AWS, MS Azure, etc.
Europe has a history of declaring rights but then not enforcing them
Europe is a mess too. The latest privacy legislation going through the EU covers businesses, doesn’t really cover police, and doesn’t even mention state intelligence organisations.
And we know a bunch of European countries are doing similar stuff to the US intelligence community, and some are even sharing data with them. So if Europeans put their data in European clouds we would not get any guarantees against unrestricted spying. It will take a big political process to change this. Will we see European businesses & individuals putting their data locally?
All in all it’s a big mess
We can’t solve privacy quickly with technology. Building a totally secure Internet architecture would be a gradual process.
None of the speakers thought privacy would be fixed anytime soon.