Don Sambandaraksa

Crossing the LINE

I must admit to having underestimated the influence of Naver’s LINE IM app when I set out to write those stories exposing how it turned off encryption when on 3G and sent every message in plain text.

In retrospect, an app with nearly a quarter of a billion users enjoys a level of respect, or perhaps fear, such that while I may have been the kid calling the emperor naked, I was the one chastised and thrown out of mainstream society, not them.

To paraphrase the Bald Monk, there are two kinds of people in society - the young who do not care about privacy and the old who do care but are too naive to believe that there is actually mass surveillance going on. As for people such as myself, perhaps we were never part of mainstream society to begin with, born outside of the Matrix so to speak.

From a software design point of view, turning off encryption when on 3G makes no sense. Yes, it does lighten the server load a smidgen, but it is hardly worth the risk of exposing all the data to everyone in the middle from your telco to the cable carriers halfway across the world, unless that was the intention.
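The design flaw described above, a client that protects traffic on one network type and sends it in the clear on another, is the kind of inconsistency a network auditor can flag from passive flow records. The following is an added example of such a check, not code from the original post or from any app it discusses; the flow records are constructed and the app and host names are hypothetical.

```python
"""Audit constructed flow records for transport security that varies by network type."""
from collections import defaultdict

# Constructed sample records (hypothetical app and host names, not real captures):
# (app, network type, destination host, whether TLS was used)
FLOWS = [
    ("im-app", "wifi", "msg.example.test", True),
    ("im-app", "3g", "msg.example.test", False),
    ("im-app", "3g", "msg.example.test", False),
    ("mail-app", "wifi", "imap.example.test", True),
    ("mail-app", "3g", "imap.example.test", True),
    ("legacy-app", "wifi", "api.example.test", False),
]


def transport_by_app(flows):
    """Group records as (app, host) -> {network type -> set of TLS flags seen}."""
    seen = defaultdict(lambda: defaultdict(set))
    for app, network, host, tls in flows:
        seen[(app, host)][network].add(tls)
    return seen


def find_inconsistent(flows):
    """Return (app, host, plaintext networks) where TLS use depends on the network.

    If the same server is reached over TLS on one network, the server supports
    encryption, so a plaintext path elsewhere is a client design choice rather
    than a server limitation; this is the pattern described in the post.
    """
    findings = []
    for (app, host), by_net in transport_by_app(flows).items():
        flags = {tls for flags_seen in by_net.values() for tls in flags_seen}
        if flags == {True, False}:
            plaintext_nets = sorted(n for n, s in by_net.items() if False in s)
            findings.append((app, host, plaintext_nets))
    return findings


def find_always_plaintext(flows):
    """Return (app, host) pairs that were never seen using TLS on any network."""
    return sorted(
        (app, host)
        for (app, host), by_net in transport_by_app(flows).items()
        if all(s == {False} for s in by_net.values())
    )


if __name__ == "__main__":
    for app, host, nets in find_inconsistent(FLOWS):
        print(f"{app} -> {host}: encrypted on some networks, plaintext on {nets}")
    for app, host in find_always_plaintext(FLOWS):
        print(f"{app} -> {host}: never seen using TLS")
```

On the constructed records the check singles out the messaging app as encrypting on WiFi but not on 3G, while the mail app is consistently protected and the legacy app is flagged separately as never encrypted.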

In my humble opinion, the only logical explanation for such a design choice would be to facilitate spying by authorities without the need for court orders and due process. The commander of Thailand’s technology crime suppression division said that LINE was secretly helping them to gain access to chat logs, and the design choice to not encrypt anything and allow historical chat logs to be pulled with plain-text, reusable tokens fits that claim. LINE said that the Thai police had not contacted them, but of course, with such a design, it did not need to.

In the US, we talk of NSA spying and weakening encryption standards and introducing bugdoors. In Japan, apparently they do not even need to pretend to be secure.

I approached Dr Ian Brown, associate director of Oxford University’s cyber security centre, with my story and asked him what he thought of it, especially in the context of LINE’s 10 million users in Spain, a fellow EU country.

Brown agreed that it was odd that encryption existed on WiFi and not 3G and said that he could not see any reason beyond making it easier to intercept.

In cross-border terrorism cases, there already is a system where law enforcement agencies have joint investigations and bilateral agreements and court orders are sought to order the company to release data.

From a privacy standpoint, while it is true that the EU has strong data protection laws, enforcement often lags. He said he could not remember any case where national data protection agencies had gone after an app for failing to safeguard citizens’ information. Often, these laws are only invoked after a breach has happened and the data protection agencies ask why encryption was not used when, say, discs or laptops are lost.

“Of course, the Spanish users could make a complaint to their data protection watchdog, but I doubt they would leap into action,” he said.

He did, though, disagree with the Bald Monk (in fact a telecoms exec who later declined to give an on-the-record comment) and said research shows that young people do care about privacy. While it is true that they spend more time online and on social networks, they are also more adept at using Facebook’s privacy controls to control what they share, and it is the older users who often do not understand and end up sharing vast amounts of personal data online.

I asked Dr Brown if Britain was like Thailand, a state in denial, one which simply did not care about privacy, especially given the lack of mainstream media traction on the NSA files aside from the Guardian.

On this point, he explained that the UK government has an official system of issuing D-notices to media on subjects that affect national security, asking them not to talk about the spying done by GCHQ, for instance.

Interesting.

Away from Oxford what was interesting was the lack of any support from the analysts and operator community. Aside from a quote from an executive from AIS, the industry proved frustratingly reluctant to criticise Naver, as if a spell or curse had been cast upon them. Or perhaps it was just fear of upsetting the next big giant.

One analyst went so far as to suggest that I give my story to a daily newspaper instead.

Ouch.

I asked my friends at Symantec if LINE should be labelled as spyware and got a sensible response that software should be designed with security in mind, but users and organisations using it should conduct due diligence before using it for any confidential correspondence.

However, Symantec did also say, “Publishing the details of the security flaw or the design flaw when it is not addressed is not only irresponsible, it also puts a lot of other users using LINE at risk.”

Double ouch. Yes sir, the Emperor’s new clothes are exquisite indeed.

Not that it mattered, as over a month has passed since publication and nothing has been fixed: old tokens can still pull historical chat logs.

But perhaps it was a visit to a Dtac shop as I tried (and sort of failed) to get my number ported to its new 2.1-GHz 3G network that made me realise just how powerful LINE was in Thailand, a country of 65 million people and 18 million LINE users - virtually everyone with a smartphone. I spent more than half an hour in a Dtac shop with LINE dolls everywhere. There were even cut-outs with LINE sticker characters where a user could poke their head in and have their picture taken. Oh, and the special Dtac-sponsored LINE stickers were on display too.

As I watched the clerk mash the keyboard in vain trying to make sense of my ancient account, I noticed that most of the other customers were not there for billing enquiries. Most came in for help in setting up Dtac’s WiFi Hetnet, closely followed by those seeking advice on installing and using LINE.

One person came in to ask if their LINE chat history would be intact if they upgraded to a new phone. So that is why they need all those historical chat logs in an easy-to-access format.

The ordeal made it clear where the balance of power lies. Dtac was, like many other companies, totally in bed with LINE and riding its wave of popularity to get the entry-level end of the market onto data-using smartphones and increase ARPU. Of course they were not going to suddenly stand up and criticise their close partner Naver, or warn people of the privacy implications of the app and risk an exodus to other, more sympathetic networks.

Because people in society do not care, the telcos obviously had everything to lose and nothing to gain in joining this quixotic quest to expose LINE for what it is.

The sad thing is that in a more enlightened society, privacy could and should be a selling point, not cute teddy-bear stickers and cut-outs in telco shops. It should have been an opportunity for a telco to stand up and protect its users and earn their respect for doing so, not one where they are clearly reduced to being the junior partner.

This battle with irresponsible apps such as LINE is just part of the bigger battle against a Big Brother state. It is one that must be won, for failure would mean that they are able to shape our thoughts and minds until the concept of freedom and privacy is long forgotten. Failure to win would result in a world that would have made Orwell seem timid in his prophetic predictions of the future.