I had the pleasure of being invited to give a presentation at the Thai Netizen Network’s end of year conference recently where I addressed an audience and fellow speakers who were obviously saddened by how freedom and privacy have been eroded over the last year here in the Land of Smiles.
Much of my presentation focused on what I had found out about the Single Gateway project (the one that was dismissed as a clerical error by the person jotting down cabinet meeting minutes), backdoors in LINE IM past and present (metadata still leaks) and the port 25 TLS degradation man-in-the-middle attack that potentially compromises all email sent across the Thai border.
I went to the venue in full tinfoil-hat mode with pen and paper and just a burner phone on me without any of my usual apps or logins, half expecting to be taken away for attitude adjustment, adding to the list of 751 others who have been detained since the coup.
To my dismay, the army grunts only stayed for the uneventful morning telecom session and didn’t bother to even show up after lunch for the human rights and censorship talks.
But despite the doom and gloom of the presentations, the Q&A did liven up proceedings.
Asked what to do when arrested, as the army now regularly demands your Facebook and email password, one of the lawyers at the event showed a document with your rights under Thai law (not that it helps much to know them when you are taken to a windowless room in army barracks).
I told the audience to make sure you enable two-factor authentication on all your main accounts and use a Yubico Yubikey for 2FA. Then, when arrested, simply eat the Yubikey. The room laughed.
I had actually asked Yubico if a Yubikey could be eaten and they did reply to me that one user’s key was eaten by his dog and it worked fine the next day after being cleaned up. I actually hoped that digestive juices would have destroyed the key but that is an idea for a future model.
Then there was the question of encryption and access by law enforcement. In my opinion, the encryption train has already left the station. While repressive regimes (and the UK) try to ban end to end encryption be it in phones or in Whatsapp, there is nothing to stop someone using an app with a backdoor to send a PGP encrypted message.
Now, the argument that law enforcement needs a backdoor kind of falls apart when you think that scenario through enough. Even if a country outlawed mathematics (a.k.a. encryption) except in cases where they had a backdoor, they would need to use the backdoor to check each and every message to see if strong encryption was being used. Or if they did not check each and every message in a wanton act of mass surveillance, they would not know that bad people were using illegal encryption embedded in the legal encryption until it was too late.
The tech industry is saying that backdoors are bad for everyone. I say that backdoors would effectively force mass surveillance where today there is none just to ensure compliance.
You might as well ban terrorism rather than ban encryption.
So what do you do? Hire more intelligent police, hire more spies and by all means conduct targeted surveillance. If the problem is so big that a large portion of your country is conspiring to overthrow you (not in Thailand where 99.5% love the PM) then perhaps a better solution than banning encryption and mass surveillance would be to enact policies that people actually like for a change. Or leave. Take your pick.
Since the single gateway project made the news, there has been an explosion in the use of PGP in my circles. In fact, I often make a point of cc’ing the ICT Minister with my encrypted messages pointing out the futility of a single gateway for surveillance.
Then there is the Grugq’s argument that anyone using encryption sticks out like a Mongolian transvestite in a desert and that the best way to stay safe is to stay under the radar. I beg to differ and said that the other way of looking at it is that if everyone uses strong encryption all the time, they would be providing cover for those who really need it.
Another point is the oxymoron that is the secure app. An app by definition has someone publishing it and that publisher is open to coercion. Rather, it is better to trust only standards that have multiple implementations independent of the standard. OTR messaging is one such example, as is ZRTP voice over IP.
I am pretty sure that when Snowden said we can trust Signal, the authors of Signal were bumped up the NSA to-do list.
A lot of the Q&A also revolved around network-level obfuscation. At home I am now using multipath TCP to bond together my bad quality links into something that is half-decent and also fault-tolerant. It also has the added bonus of dividing one encrypted data stream into multiple paths to reach the destination VPN endpoint which would complicate the government’s surveillance attempts.
Another favorite, conceptually, is BitMessage though it fails the single implementation rule. There is no metadata in sending the messages as every message is sent to every node on the network through a bitcoin-like blockchain. This defeats traffic analysis. Instead, every node tries to decrypt every message and one only knows if a message is addressed to that user if his key fits.
Technology taketh away and techology giveth. In the ruins of a generation that we thought would grow up never knowing the concept of privacy, the enthusiasm of a few young participants in that audience did give me hope in the knowledge that there are some of the new generation who actually care and want to understand about privacy in our age of mass surveillance.
Merry Encryptmas and a Happy New Year.