A quick reminder that NSA surveillance is not just a post-9/11 phenomenon. “Echelon” was a US-led signals-intelligence network, run together with the other Five Eyes countries, that was accused of industrial espionage against European and in particular German companies. See this post from 2000 calling for the shutdown of the program.
“Germany’s national intelligence agency, Verfassungsschutz, openly warns its business and industry community against Echelon. Germany’s intelligence agencies do more than just warn against the spying, however.
They also instruct German industry in how to protect itself against the illegal espionage network. Since June 1999, the German intelligence service has been recommending that German companies encrypt all important information, i.e. encode it to prevent Echelon’s spies from listening in.”
According to a BBC News report, an NSA spokeswoman, speaking on condition of anonymity, said that Echelon’s tasks would be performed by “other technologies” once it shuts down. (Source: BBC News, Saturday 2 June 2001)
According to Snowden, the NSA does not limit its espionage to matters of national security; he cited the German engineering firm Siemens as one target.
“If there’s information at Siemens that’s beneficial to U.S. national interests – even if it doesn’t have anything to do with national security – then they’ll take that information nevertheless,” Snowden said, according to ARD, which recorded the interview in Russia, where he has claimed asylum.
What can you do as a company to limit your exposure to such attacks? The bad news is that if you are the target of a nation state, you are going to have a bad time.
But that doesn’t mean you shouldn’t do everything in your power to tighten security and make it as hard as possible for them. Here are some random thoughts (some quite political, but it’s hard to talk about privacy without taking politics into account):
- Don’t use Apple, Google or Microsoft products, and especially don’t use Google business services. If you are a big company, chances are you already have your own infrastructure in place. Sorry, that was unfair to single out these companies: don’t use any US (or other Five Eyes) based cloud service that handles your business intelligence or communication systems, until those governments stop treating the rest of the world as their enemy. Whatever right to privacy exists under US law does not extend to foreign nationals or foreign companies. In other words, it doesn’t matter whether your company operates in Pyongyang or Berlin: as a foreign company you are a target and you have no right to privacy under US law.
- Tighten and audit your suppliers. I know of several tier-1 suppliers providing research and mission-critical services to other (very large, EU-based) companies. These suppliers thought it was a good idea to build their internal email infrastructure on Google Mail. So anything you communicated with such a supplier is at risk, even if you run your own network.
- Individuals are encouraged to use Tor to maintain privacy. As a company you might want to consider running Tor on behalf of your employees and routing requests to external sites (Google, Facebook, Yahoo, or even all external traffic) through the Tor network. Keep in mind what Tor does and does not do: it hides which network a request comes from, not its content, so traffic still needs TLS end to end (exit nodes see unencrypted traffic), and anything sent while logged into a Google or Facebook account is tied to that account regardless.
- Stop using Skype and Google Hangouts. There are many alternatives that work, offer strong (ideally end-to-end) encryption and are mature enough to deploy with minimal effort.
- If you are a technology company, you will have noticed by now that the centralized server model, where all traffic is routed via one specific node (either to lock you in or to harvest your data), is getting old. P2P and decentralization are the future and have a lot to offer for protecting privacy. As an engineer you should pay attention and think about this, because the non-technical people in your organization will come to you for advice on product strategy. Make sure privacy isn’t just an afterthought; it is your ethical duty to think about the implications of your work.
- Encrypt your communication. Using encryption is not hard: with a little training, even non-technical users can learn to encrypt mail and files with GnuPG. It’s free, …
- Train your employees on OPSEC and COMSEC – everyone should know the basics!
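A concrete way to run the supplier check from the list above, as an added example that is not part of the original post: look at where a supplier's MX records point. The Google Workspace (aspmx.l.google.com) and Microsoft 365 (*.mail.protection.outlook.com) hostnames are those providers' documented MX targets; the supplier domains in the sample data are constructed. The script parses `dig +short MX` output, so it can run live against a real domain or offline against the embedded sample.

```shell
#!/bin/sh
# Added example (not from the original post): find out where a supplier's
# inbound mail is hosted by looking at its MX records. The Google Workspace
# and Microsoft 365 hostnames below are those providers' documented MX
# targets; the supplier domains in the sample data are constructed.

# Map a single MX hostname (as printed by dig, possibly with a trailing dot
# and mixed case) to a provider label.
classify_mx() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  case "$host" in
    *.google.com|*.googlemail.com)   echo "google-workspace (US)" ;;
    *.mail.protection.outlook.com)   echo "microsoft-365 (US)" ;;
    *)                               echo "self-hosted-or-unknown" ;;
  esac
}

# Read "priority hostname" lines, the format of `dig +short MX`, from stdin
# and print "hostname label" for each record.
classify_mx_records() {
  while read -r prio host; do
    [ -n "$host" ] || continue
    printf '%s %s\n' "$host" "$(classify_mx "$host")"
  done
}

# Live check against a real domain (needs network and dig):
#   audit_domain supplier.example
audit_domain() {
  dig +short MX "$1" | sort -n | classify_mx_records
}

# Constructed sample standing in for dig output, so the example runs offline.
SAMPLE_MX='10 aspmx.l.google.com.
20 alt1.aspmx.l.google.com.
10 supplier-example-com.mail.protection.outlook.com.
10 mx1.supplier.example.'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_MX" | classify_mx_records
fi
```

Running the script with `--demo` prints one provider label per MX host in the sample; `audit_domain supplier.example` does the same against live DNS. A hosted MX is only the most visible sign: a supplier can still forward, archive or scan mail through a US service without it showing up here, so treat this as the first question in a supplier audit, not the last.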
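To show how little is involved in the GnuPG workflow from the encryption item above, here is an added example (not from the original post) that generates a throwaway key pair in a temporary keyring, exports the public key a partner would receive, and round-trips a message through encrypt and decrypt. The name, address and message text are made up; it assumes GnuPG 2.1 or later, which supports unattended key generation with `%no-protection`.

```shell
#!/bin/sh
# Added example (not from the original post): a GnuPG round trip in a
# throwaway keyring, covering the four steps a user actually needs:
# generate a key, export the public key, encrypt, decrypt.
# The name, e-mail address and message are constructed for the demo.
set -e

# Throwaway keyring so the demo never touches the user's real keys.
export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'rm -rf "$GNUPGHOME"' EXIT

# Generate the recipient's key pair unattended. %no-protection skips the
# passphrase for the demo only; a real key should have one.
gen_key() {
  gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Demo Recipient
Name-Email: recipient@supplier.example
Expire-Date: 1y
%commit
EOF
}

# The public key is what you hand to partners; it is safe to publish.
export_public_key() {
  gpg --batch --armor --export recipient@supplier.example
}

# Encrypt stdin for the recipient. --trust-model always avoids the
# "no assurance this key belongs to the named user" prompt in batch mode;
# in real use you would verify the fingerprint out of band instead.
encrypt_for() {
  gpg --batch --quiet --yes --trust-model always --armor --encrypt --recipient "$1"
}

# Decrypt stdin with the private key in the current keyring.
decrypt() {
  gpg --batch --quiet --decrypt
}

# Round trip: encrypt a message and return the decrypted text.
roundtrip() {
  printf '%s' "$1" | encrypt_for recipient@supplier.example | decrypt
}

main() {
  gen_key
  export_public_key > "$GNUPGHOME/recipient.pub"
  msg='Q3 pricing for the bid (constructed example text)'
  out=$(roundtrip "$msg")
  [ "$out" = "$msg" ] && echo "round trip OK: $out"
}

if [ "${1:-}" = "--demo" ]; then
  main
fi
```

Run with `--demo` to see the round trip; in practice the sender only ever needs `recipient.pub` and the `encrypt_for` step, and the recipient only `decrypt`. The part that is genuinely hard is not the commands but key management: verifying fingerprints, protecting the private key, and handling revocation, which is what the OPSEC training in the next item should cover.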
As an engineer, is it still your dream to one day work for Google, Facebook or Microsoft?
Think hard about it, because politics can change fast. There was a time in Germany when people who had worked for the Stasi did not exactly have an easy time finding employment after the Wall came down.
EDIT 17/02/2015: Obama recently said, in his interview with Kara Swisher about privacy and security:
“We have owned the Internet. Our companies have expanded it, perfected it. European companies who, you know, can’t compete with ours are essentially trying to set up roadblocks.”
Is this the kind of talk that instils confidence in the cloud computing, software-as-a-service, connected-car, e-health and many other technologies which US companies are trying to sell around the globe?
- COMSEC Beyond Encryption by @thegrugq: http://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf
- The fifteen year struggle of decentralizing privacy-enhancing technology http://arxiv.org/pdf/1404.4818v1.pdf
Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.