Be your own personal privacy czar

19/11/2007

Regular columnist Bill Thompson wonders if it is time to create web services that can be trusted.

Like most journalists I know, I'm very sloppy about keeping my online communications secure.

I rarely encrypt e-mail messages, leaving them to be read by anyone in the electronic chain between me and the intended recipient.

And I use public chat services like MSN Messenger and iChat, even though they send messages as plain text across the network.

Partly this is because the tools needed to make communications secure can be cumbersome and complicated, even for someone with a technical background.

But partly it is because I have not often been involved in researching stories that are going to bring me to the attention of those with the capabilities needed to tap even insecure online communications.

But you never know.

Each year I tell my students on the online journalism course at City University that they should take care to protect their files and e-mail.

And I point out that once someone e-mails them from a work address then that person can never be guaranteed anonymity in future, simply because it is so easy for employers or the police to get access to e-mail traffic records.

They may not know what was said, as reading the contents of e-mail requires permission under the Regulation of Investigatory Powers Act, but they can find out that messages were exchanged.

In the past I've suggested that they get an account with Hushmail, the Canadian company that offers secure encrypted e-mail for its customers.

But after revelations that Hushmail has passed on details of supposedly secure e-mails to the Canadian police I think I'll stop.

I like Hushmail because it works in your web browser. When you sign in it downloads an application written in the Java programming language, and this encrypts and decrypts your message using your secret keys.

Hushmail never sees your e-mail, and so it can't hand it over to the authorities even if they come with a warrant.

But the company also offers an easier-to-use service which does the hard work on its server rather than your computer. And when it does that it has to have access to your original message, at least briefly.

So when the Canadian police asked it for copies of e-mail sent and received by someone suspected of the illegal manufacture and distribution of anabolic steroids it could not deny that it could read them.

The company has been open about what happened, although it does not seem to have got around to mentioning it on its website yet.

But being open isn't good enough, as the issue has highlighted a fundamental flaw in its security model, one that it will be all but impossible to get around.

Even its more secure service could be undermined if the company agreed to add a 'backdoor' to its code at the authorities' request.

The problem is that Hushmail, like other companies that store and process personal information, is bound by the laws of the country in which it is based and sometimes those laws will require it to betray the confidence of its customers.

A newspaper editor in the UK has to decide whether to go to court or hand over leaked documents; a manager at a net service firm has to decide whether to allow the police to access e-mail logs; and someone running a secure e-mail company has to decide whether the privacy of a suspected drug dealer is worth a jail sentence.

Usually they do what is asked, and often they are not even allowed to tell users what they have done because of gagging orders.

The issue goes much wider than trying to decide who to trust with confidential or possibly incriminating data. It also has an impact on the tools we use to contact our friends or organise activities.

The National Union of Journalists is currently having an occasionally fractious internal discussion about the impact of new media on the profession, and the use of social network sites has been raised several times.

Some of the participants are simply opposed to these new-fangled technologies, a position that I have little sympathy with.

I remember meeting Tony Benn, former MP and lifelong campaigner for socialism, and being pleasantly surprised at his enthusiasm for YouTube and the ways it could be used to amplify a political message.

But using commercial services for campaigning or organising raises the same sorts of issues as we see with Hushmail, because the interests of the owners are not the same as those of the users.

Trade union activist and online campaigner Eric Lee put it succinctly in a recent blog post when he noted that 'Facebook is a poor replacement for a real online campaigning strategy for unions. And it makes us vulnerable to the whims of those who own the company'.

Hushmail seems to offer a good service, but its 'simple' service offers little real security when it matters. Far better to install your own encryption software, like the freely available GnuPG, and take responsibility for your own security.
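The difference between the two Hushmail modes described earlier comes down to which bytes reach the provider. The script below is an added example, not part of the original column: it uses GnuPG to encrypt on the sender's machine and then checks what a provider could find in each model. It assumes GnuPG 2.2 or later is installed; the address `source@example.org`, the message and the function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: server-side versus client-side encryption, seen from the provider.

# Throwaway keyring so the demo never touches a real ~/.gnupg.
setup_keyring() {
    GNUPGHOME="$(mktemp -d)" || return 1
    export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'source@example.org' default default never 2>/dev/null
}

# Runs on the sender's own machine: encrypt stdin to the recipient's public key.
# Only the output of this function is handed to the mail provider.
encrypt_locally() {   # $1 = recipient
    gpg --batch --quiet --trust-model always --armor --encrypt --recipient "$1"
}

# What a provider served with a warrant can search: the bytes it stored.
provider_can_read() {   # $1 = stored file, $2 = phrase to look for
    grep -qF -- "$2" "$1"
}

# Only the holder of the private key can recover the message.
decrypt_as_recipient() {   # $1 = stored file
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$1" 2>/dev/null
}

demo() {
    local msg='Meet at the usual place at nine.' box rc=0
    setup_keyring || return 1
    box="$(mktemp -d)"
    # Server-side model: the provider is sent the plaintext, "at least briefly".
    printf '%s\n' "$msg" > "$box/server_side.txt"
    # Client-side model: only ciphertext ever leaves the sender's machine.
    printf '%s\n' "$msg" | encrypt_locally 'source@example.org' > "$box/client_side.asc"

    provider_can_read "$box/server_side.txt" "$msg" || rc=1   # readable
    provider_can_read "$box/client_side.asc" "$msg" && rc=1   # must not be
    [ "$(decrypt_as_recipient "$box/client_side.asc")" = "$msg" ] || rc=1

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME" "$box"
    return "$rc"
}

demo && echo 'client-side model: provider holds only ciphertext'
```

Encrypting the body this way does not hide who wrote to whom: the traffic records the column mentions are still visible to the provider.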

And Facebook may make it easy to set up a group, but it will never be as good as having your own server, your own code and your own security mechanisms in place. Organise a group on Facebook and it belongs to them; organise it on your own server and it belongs to you.

Of course doing this takes time, costs money and requires expertise that many campaigners simply do not possess. Perhaps the time is right for a co-operative social network site, one owned by its members and run in their interests.

It might never be worth $15 billion, but it could make the world a better place.
Source :: BBC
