Mongering Fear
I’ve read two significant responses to the Nick Bilton piece in the New York Times, and both of them mentioned something that stuck in my craw. The first was by Mike Arrington:
First, it’s more than a bit of a stretch to suggest that carelessness by Path could lead to “roundups and arrests” of dissidents in Egypt. My educated guess is Path is unlikely to sell, or give, any user data to the Egyptian authorities. Instead, they were using the data to make intelligent friend suggestions, which is significantly less evil.
The second was by MG Siegler:
But in attempting to do so, Nick went too far, and made some mistakes. Did he really imply that Path could be used to out dissidents in Egypt and Tunisia? Yep. Did he have a ridiculous fear-monger-ish title? Yep.
I think Bilton had a chance to make a better point, but missed the mark. But the casual dismissal of his argument by Arrington and Siegler that data security vulnerabilities can be used by authoritarian governments to attack dissidents bothers me, mostly because of a few events that have happened over the last couple of years.1
In 2010, Google and Adobe, among other companies, announced that they had been the target of a sophisticated attack originating in China. Hackers went after source code repositories and access to the Gmail accounts of political activists. This wasn’t a bunch of script kiddies:
“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”
The companies affected weren’t fly-by-night operations trying to scam user information. This was Google and Adobe — two of the biggest tech companies in the world. And leaks from the U.S. government strongly suggest that the Chinese government played some part in the attack. And if the Chinese government did have access to dissidents’ emails, what are the chances that they didn’t go through their contacts and who they emailed to put together a watch list? Pretty close to zero, I’d think.
This isn’t an isolated incident. Less than six months ago, a hacker or group of hackers in Iran compromised SSL certificates — the same tech that Siegler likens to an armored car — and were able to spy on hundreds of thousands of Iranian citizens through fraudulent Google, Facebook and Twitter certificates.
None of the companies involved had any “evil” motives. But there were fuck-ups along the way. Here in the U.S., the fuck-ups could maybe lead to identity theft. A hassle and a problem, but nothing compared to what can happen in other countries.
Right now, 20 bloggers and online dissidents are imprisoned in Iran. 68 are imprisoned in China.
Obviously, it’s impossible to draw a straight line between either the Chinese or Iranian attacks and what’s going on with the people currently languishing in prisons. Many of them have been imprisoned for years. But is there any doubt that authorities and hackers in totalitarian regimes are deeply interested in compromising the security of American tech firms to spy on their own citizens?
No one is seriously suggesting Arrington’s straw man argument about Path cooperating with Egyptian authorities. But the way that companies both transmit and store data — whether it be Path, Instagram, Google or Skype — could have very serious, very real implications. It’s a conversation that we should be having. More importantly, it’s time that tech firms start being completely open about how they deal with data.
-
To be clear, it’s not the focus of either article. Siegler’s piece makes some very good points about the tech press in general that I largely agreed with (and sometimes found to be uncomfortably close to the bone). ↩