Discover more from Heuristic Security
What Are You Trying to Hide?
The battle to protect your digital privacy from government and corporate snooping never ends, and if anything is escalating
What are you trying to hide? That seems to be the message that big tech corporations and “free” governments around the world are increasingly pushing when it comes to digital privacy. While you would expect this type of behavior in terms of how Russia or China treat their citizens, it is increasingly and worryingly becoming more common in the US as well.
The rise in companies, let alone governments, examining your data without your permission is a serious threat to your privacy and security. With the recent report that Microsoft is scanning encrypted zip files you upload to the cloud, this issue has once again raised its head as a reminder of how prevalent this trend is.
Microsoft Scanning Encrypted Zip Files
In May 2023, several security researchers reported that Microsoft's cloud services, such as SharePoint and OneDrive, are scanning password-protected zip files for malware . This means that Microsoft will attempt to decrypt, open and scan any zip file that you upload to its cloud servers, even if you protect it with a password. Microsoft claims that this is a necessary measure to prevent the distribution of malicious files through its cloud services. However, this also raises serious privacy and security concerns for users who store sensitive or personal data in zip files on Microsoft's cloud. For example, malware researchers who need to share samples with colleagues may lose access to their files if they are flagged by Microsoft. Moreover, Microsoft's ability to decrypt zip files may expose them to hackers or government requests for access.
Apple Scanning Photos for Child Abuse Material
In August 2021, Apple announced that it will use its CSAM detection technology to scan photos on iCloud storage for containing known child sexual abuse material (CSAM). Apple said that it will compare the hashes of photos on iCloud with hashes of known CSAM images provided by child safety organizations, such as the National Center for Missing and Exploited Children (NCMEC). If a user uploads 30 or more photos that match the hashes of CSAM images, Apple will disable their account and report them to the NCMEC and law enforcement. Apple also said that it will scan photos in the Messages app on children's phones and send notifications if it detects explicit content. Apple said that its CSAM detection technology is designed to protect user privacy and security, as it only scans for specific hashes of known CSAM images and does not access the content of the photos.
However, this announcement immediately sparked extensive protests from civil rights groups, privacy advocates, and security experts (including myself) arguing that it undermines end-to-end encryption and would create a dangerous precedent for government surveillance and censorship. In September 2023, Apple agreed to put this initiative on hold, saying that it would take more time to collect feedback and make improvements. As of December 2021, Apple has quietly deleted all mentions of the CSAM plan from its website, raising questions about whether the feature will ever be implemented.
Back Doors into Software to Bypass End-to-End Encryption
End-to-end encryption is a technology that ensures that only the sender and the receiver of a message can read its content, and no one else, not even the service provider or the government can even if they have intercepted the encrypted transmission. End-to-end encryption is widely used by popular messaging apps, such as WhatsApp and Signal, to protect user privacy and security. However, governments are increasingly pushing for back doors to be added to software to bypass end-to-end encryption and allow access to user data for law enforcement or national security purposes.
For example, in 2019, US Attorney General William Barr called for tech companies to provide law enforcement with lawful access to encrypted communications. Similarly, in July 2019, the governments of the United Kingdom, United States, Australia, New Zealand, and Canada issued a joint statement urging tech companies to embed back doors into their products and services to enable lawful access to encrypted data. These governments claim that back doors are necessary to combat terrorism, crime, and child exploitation.
However, many tech companies, civil rights groups, and security experts oppose back doors, arguing that they weaken encryption and create more risks than benefits. They (and I) contend that back doors can be exploited by hackers, criminals, or foreign adversaries who can access user data without authorization or oversight. They also assert that back doors violate user privacy and human rights by enabling mass surveillance and censorship. As I have said, there is no such thing as a “safe and secure” backdoor - it is by definition an oxymoron.
What Can You Do to Protect Yourself?
Given the rise in companies examining your data without your permission and the push to add back doors into applications to bypass end-to-end encryption, you may wonder how you can protect yourself from such snooping. While there are unfortunately no foolproof solutions, that does not mean we should make it easy for data thieves. Here are some steps to consider if you are concerned by these trends:
Use strong encryption tools that do not have back doors or vulnerabilities. For example, you can use VeraCrypt to encrypt your files and folders on your computer or external drive; you can use Tor Browser or a VPN service to browse the web anonymously.
Avoid using cloud services that scan your data or cooperate with government requests. For example, you can use ProtonMail or Tutanota for secure email; you can use secure messaging apps, such as WhatsApp and Signal for both secure messages and encrypted video calls.
Most important, educate yourself and others about the importance of encryption and privacy, and the ways in which companies and governments are attempting to circumvent these measures, all in the name of your “security”.
Privacy and Security are not tradeoffs, they are two sides of the same coin whose name is liberty. If we don’t protect it against those who attempt to steal it away, it will be gone before we know it, and the costs to regain it will be immensely greater than the efforts to save it.
Thanks for reading Heuristic Security! Subscribe for free to receive new posts and support my work.