Do you mind being mined?

WIRED: WHO IS listening into your net communications? At this point, it might be safer to ask - who isn't? Governments across…

WIRED:
WHO IS listening into your net communications? At this point, it might be safer to ask - who isn't? Governments across the world are seeking powers to spy on everyone online and ISPs seem keen to hand over the data: to them, or to private companies who will pay them for personal information being sent by their customers.

There are ways we can all fight back and preserve our privacy but they may require changes in how we build businesses and consume online.

This week, in Sweden and in the United States, two governments are seeking to gain the power to conduct widespread wiretapping of the portion of the internet that passes through their territory.

In the US, the debate is a retrospective one. While much evidence suggests that the US's National Security Agency (NSA) has already been siphoning off internet traffic and analysing it wholesale, doing so would be almost certainly illegal under the US law and the US constitution.

What is being argued in Congress is whether those who took part in that surveillance should be punished, or whether the programme of monitoring innocent Americans should be quietly ignored.

READ MORE

In Sweden, the debate is far fresher: the Swedish National Defence Radio Establishment (Försvarets radioanstalt, or FRA), the Swedish equivalent of the NSA, has proposed a new law that gives it the power to employ the same data-mining that the US government is suspected of conducting, on every cable entering and leaving Sweden.

The reason for both these states' interest in those digital pipes is the vulnerability of the data they carry.

Due to a historical accident, most traffic on the internet is sent in a form that's perfect for mass collection and analysis. It's in what's called "plain text" - which is to say that when your e-mail passes from one computer to another across the net, each of them can read every word, just as though you'd sent it on a postcard.

The same is true for most of your web traffic and instant messaging. It doesn't have to be this way. It's relatively easy to encode net communications in a way that prevents anyone from snooping on your chatter - even the NSA.

When net users get paranoid enough, they have great protections: the same protections that kick in when you type in a credit card in a secure transaction can be applied to all internet traffic. It's called strong cryptography and it doesn't just lock your data from prying eyes as it travels through the net; it can also guarantee that data's integrity and even ensure that it came from you, rather than some random hacker or ID thief.

If strong cryptography is such a great privacy protector, why isn't it used for all internet communications? Unfortunately, for most of the internet's early life, strong crypto was embroiled in a domestic US political fight.

The NSA was concerned that such a powerful tool would be dangerous in the hands of anyone but the NSA, so the US government sought to have any software that contained it classified as a "munition", forbidden from export out of the US.

Eventually, the US courts understood that banning what was essentially a mathematical formula was a violation of free speech, and the export ban was lifted. But the damage had been done: most net software today defaults to plain text, and only turns on encryption when it's felt to be absolutely necessary.

Since then, the assumption has been that net users value speed and responsiveness over a theoretical ideal of privacy.

Adding encryption back into software would take a little computational overhead on the customer's side, as well as entail extra hardware costs on the server side.

Even companies with computing power to spare dissuade their users from using encryption: for instance, Google's GMail chooses to leave even personal e-mails unprotected, unless you specifically visit the site using the https://mail.google.com/ address, instead of the usual http://mail.google.com (the extra "s" stands for "secure").

Times are changing, however. Even if everyday users aren't concerned by the US or Swedish government's rifling through their private communications, the ISPs that allow the government into their data centres are also selling the same data to the highest bidder.

Companies like Phorm in the UK and NebuAd in the US are paying ISPs to place data-mining servers in the internet exchanges that their customers' data passes through: instead of being sent directly to their destination, internet packets are first examined and analysed by these marketing companies so that you can receive "better" and more targeted advertising.

A private e-mail conversation about a medical condition will quickly show up as an opportunity to display advertisements offering expensive solutions. Handy if you're looking for a fix for a crooked smile.

More sinister if you're worried that you're HIV positive, or that you're looking for information on battered spouse refuges on your shared home computer.

Faced with our plain text being held out in plain view by everyone from Swedish spooks to advertising salesmen, perhaps its about time we revisited ubiquitous encryption: the time may have come for us to ask for privacy as a right, not just an added extra on the internet.