There's a great talk, Haunted by Data, by Maciej Ceglowski about how tech companies are making a mistake by wanting to collect more and more data on their users, because governments are just going to want to come in and take it.
I want you to go through
a visualization exercise
with me. Really imagine
it.
Nixon's in your datacenter.
He's got his laptop open.
He's logged in! He's got
root! What does he find?
If you didn't break into a
cold sweat at the thought,
congratulations. You are a
good steward of data.
But if Tricky Dick in your
data center scares you,
then consider what you're
doing.
Wouldn't that be the ideal place for companies? If a government is dependent on a company to collect data, wouldn't that government support the company in hard times? Sure, if it was a choice between surviving and throwing the company under the bus, the government would choose the later, but if given the choice, wouldn't the government try to keep one of it's most powerful tools?
And it was "good" for IG Farben to supply Zyklon B to the Nazis. Until they lost and several company executives served prison sentences for crimes against humanity. Amorality certainly pays the bills.
It works in Russia, China, and less so (perhaps) America (e.g. telcos). It's similarly practical for a government to have unlimited intelligence on its populace.
That doesn't mean its good for anyone not working for the government, explicitly (as an employee or contractor) or implicitly (as a data collecting company which can be forced to share).
IMO a) collecting data on users and b) doing it in a way that does not preserve user privacy makes you complicit to mass surveillance.
> That doesn't mean its good for anyone not working for the government directly or indirectly.
I totally agree. I'd argue that it's objectively bad for anyone not working for the government. But I'm talking about from the company's point of view.
Horrible analogy, as what did Nixon do with data towards citizens? It'd be more like the FBI, Hoover, CIA, NSA, etc... who have the capacity to bend the data to invent facts to fit some crime and then act on it with force without fear of repurcussion/retaliation.
Also, if there were a proponent of this kind of collection, wouldn't it be fine for a company like Google, Facebook, Microsoft, etc... if someone with the position of US President wanted to "sit in the datacenter with an open laptop"? Because then they'd be using data as a currency, which they are already very comfortable and capable of doing to meet their own and the "gov" agendas.
But convicing people that their own government can come in with a subphoena is easier than convicing people that their security just isn't likely to be good enough to stop each and every external hacker that tries.
No matter how many examples we get of far better funded companies getting hacked.
The IPB is slightly tainted by the Snowden disclosures. It's an interesting thought experiment to apply Snowden's revelations to newly implemented surveillance measures by any government. Snowden produced documents which gave us all an intimate understanding of the mechanics and operational details of the NSA & GCHQ. It is clear that the apparatus is already in place for spying and is only a quick click away from being galvanized by broad and sweeping laws which allow such apparatus to operate out in the open.
I think the masses are not scared enough to encrypt their communications and that's why such an apparatus has crept in so brashly and abruptly, sort of a 'surveillance creep'.
The moment the masses are conscious of the fact we are going through our second 'crypto war' is also the moment they might encrypt. Not that crypto is some munition they can use, as is wrongly spouted by the cypherpunks (IMHO), but that crypto can provide viable amounts of privacy for their needs and it doesn't need to be absolute privacy as spouted by the 'go dark' movement. Just enough that I can surf the web without my eyeball hours being monetized or that the pressure cooker I am interested in buying is not a potential tool to be used in a terrorist attack several weeks later.
Or the story about how the Dutch thought it would be a swell idea to have the religious affiliation of all citizens in their government files. Nowhere else the rounding up of the Jews went as smoothly as there, once the SS got their paws on those files.
According the the book, the French too, I can't quite remember the story but the guy in charge of the data managed to delay and confuse so not quite as smooth.
If the recently announced Yahoo data breach (which affects a lot of other sites as well if users re-used their passwords, and we know many did) taught us anything is that data is a liability not an asset, and that's how both governments and corporations should treat it. The government at least should've learned that with the OPM hack.
Except that it's only hurting Yahoo because they're trying to sell. Counterexamples include the UK telco TalkTalk, who has managed to increase users and revenue despite the lack of basic security features.
It just doesn't matter that much, because the inconvenience is minimal for the average person, so the backlash is minimal. I mean, most people cannot even be bothered to use different passwords (!). That's how low the bar is. Say something gets hacked, unless you experience identity theft, nothing happens. Banks will reverse any fraudulent charges. Not even a minor inconvenience. So people won't learn and won't care. Brand damage is minimal. Not worth spending on infosec if the maximum fine is less than your CEO earns in a month. Meh.
Video: https://youtube.com/watch?v=GAXLHM-1Psk