Surveillance on the general public is bought by employers/businesses not security services. Yet all these articles keep mentioning law enforcement. 90% of people don’t care if the NSA/FBI are mining their communication for criminal activity. They would care if they realized it affected their job offers, they would care if they realized it means lower wages, less competition, less political freedom.
The USA has long aspired to be a place of outstanding liberty; to run your own business, to say what you want, to own what you want, and in a less corrupt landscape relative to the rest of the world. With its lead in citizen surveillance it is fast becoming the opposite.
The problem with the FBI/NSA mining their communication "for criminal activity" is that they probably don't do it exclusively for that. After Snowden we found out that sometimes NSA employees would use this snooping to stalk people they wanted to be in a relationship with, spy on their neighbors and other such unsavory things.
The other angle, besides just personal abuse (Ala loversgate), that far too many people fail to consider is this:
If the executive branch has such ubiquitous surveillance powers, given their history of manual blackmail and compromise operations, they are highly likely to seek to expand those blackmail style ops to a level heretofor impossible, essentially removing some of the last vestiges of the already under attack principle of seperation of powers and the checks and balances system which is a foundational part of the intended American political structure.
This happens yes. When I send my tax returns in the mail directly to the IRS, even if months late, the same week I start getting scam calls. So someone in the IRS sells that data. Though I doubt it is on an industrial scale, more like bad actors within these organizations, so a small percentage.
So I find articles about privacy that raise concerns about the NSA/FBI, have the effect of just deflecting and dampening where our concerns should be really focused.
Also we have already built and running mass-oppression infrastructure which could be used for incredibly evil things as soon as someone high up in the executive branch (or congress if they passed a law) said so. Makes us incredibly insecure in the event of a dictatorship-type overthrow
And even if it was solely for criminal activity it would still not be good. After all a lot of victimless "crimes" were, are, and will be illegal in a lot of countries.
I agree with most of the sentiment of your comment here,
however I do not think 90% is accurate. I have no polls to point to, but thinking about how certain demographics are seemingly deathly afraid of patrol police in general these days, and given that many people have some friend or family member that may be going through a bad phase, I think it would be more like 50% if you included something like "knowing that metadata from your phone and net devices can be used to spy on your friends and family, do you think it's no big deal if a long list of agencies has unfettered access to your data?
Something like that.
I agree that we need to educate people more about how things like jobs, loans, and other things can be affected by data trails easily gobbled up by many different apps and devices.
In my small amount of speaking to people, it seems to me that people older than 35 don't worry about hackers or fbk, or three letter agency spy on all their pics and messages. However most of them pause when I explain that apps like messenger can steal all of their kids' pics in the background, services like instagram sell me pics off their kids phones for a few cents, and there are some pervs at whichever agency and computer company that can access all of their kids stuff for example.
To me the biggest concern about recording and storing all this information is the ability of corps and guv agencies being able to rewind time and pressure would be powerful public figures or other people into doing shady things in order to keep that recorded data in cold storage and off the next leak that ends up in the wild and reported in whatever-news.
So there are many educational points with all this that people should be educated about.
When I mention that divorce lawyers may have a field day with the flirting pms / dms that their friends may have sent and that have been stored by zucks servers, I often get "wow never thought of that" - which of course could be used to change financial futures, kids custoday, etc.
Then of course the marketers using data to get you to do things, and banks selling your debit card data about sexual purchases and such. There are many important things to consider when it comes to privacy.
How meta data alone can be used to infer relationships and such can be damaging with serious legal consequences beyond the marketing sales.
If polls were run with a little info added about how data can be used. I would hope that less than 50% of people don't care.
Signal on the other hand has made eliminated their access to much of the metadata, including contact information [1] (using SGX sandboxes which is no perfect solution but better what Facebook has) and information about who has sent a specific message [2].
We need fully bootstrapping libre hardware avoiding the trusting trust problem YESTERDAY. If we had that, this entire load of problems would disappear and becomes one of cryptographically certified agent-to-agent, end-to-end trust provenance attesting.
The entire concept of a "compromisable system" only exists because we let the industry get away with closed hardware bullshit and because we put our fingers in our ears and go "LALALALALA CAN'T HEAR YOU" whenever someone brings up the trusting trust problem.
I suspect we do that because it, for quite a while now, has let us avoid confronting the age old philosophical questioning of the risks & uncertainties of inter- & intrapersonal placement & position of trust & doubt.
Quite similar to how philosophers tend to pack up and run away screaming any time someone brings up the Münchhausen trilemma, because, to quote rationalwiki:
"it breaks the legs of philosophy, science, and any other possible approach to reality."
> The Facebook outrage mob reminds me of my slashdot days when everyone referred to Microsoft as Micro$oft.
The fight against old Microsoft is a win-win success story (for now, I'm keeping an eye on all big players and so should everyone else.)
Microsoft is nicer and I think more profitable than ever. They don't call our code or favourite OS cancer anymore but actively support us. My understanding is even a lot of MS employees prefer the new Microsoft.
If we can manage to do the same with Facebook then feel free to come up with a similar stupid name for them. Because right now I think they deserve it as much as old M$ did.
It took Microsoft a top-level executive change (Satya) to fix itself. Facebook shows no signs of an executive change until Mark retires and devotes himself to full time philanthropy so the world doesn’t remember him as evil (who else does that remind you of...)
I feel like this does a disservice to the prior open source efforts that Microsoft slowly went through during the Ballmer era. Sure they were not as impressive but they were the start of it all imho.
>...come up with a similar stupid name for them...
Farcebook? Been guilty of that one for 8 years. Never had an account, so the label is all hearsay ... but what i kept hearing made me afraid to become a Farce of myself ... so i said to myself "stay away". Hard enough to be self-effacing.
i do still hope we will find a way to communicate easily with relevant others without doing violence to our communication methods for the sake of (what is essentially) a random nudnick's business plan and profit model.
Farcebook likes to go around and break as many things as fast as possible. Before them we had serious people and thought oriented to finding compatible methods. They still exist, but all the oxygen in the room is depleted by Farcebook.
Facebork is the other one I've heard, and occasionally use. Problem is that neither really captures a sense of the rapacious amorality of which facebook is, I believe, being accused.
Heh! Ifn i had it to do over i would prolly say FarceBorg. Not only do they encourage their users to make a Farce of themselves but they actively try to assimilate the web, and indeed the internet (the Basics).
To be honest I can't remember a time when the stories on Facebook were good.
I can remember such a time for Google. I can even remember such a time for Microsoft, back when people stayed in line for Windows 95. I was 13 back then and got my first computer.
Sure, investors were pleased with Facebook's rapid growth and people liked it because its UI didn't suck like MySpace. But Facebook has always been morally bankrupt due to its leadership and this has been visible for quite some time.
In our country we have a saying that applies perfectly: a fish rots from the head down ;-)
In 2008 and 2012 FB got praised for being the platform that Obama used to win the elections - I remember multiple articles about it (and someone from the Obama campaign later admitted that they did the same thing that got the CA scandal started). In that period of time there were also multiple newspapers writing that "privacy is dead, and it's a good thing". There was not a lot of discussion about privacy when they bought whatsapp and instagram too, IIRC.
Frankly newspapers really changed idea only after Trump won the elections.
I find somewhat fun that some of the recent news about facebook being evil actually talk a lot about that period (ex: the recent news about the "friendly fraud" class action) and some are the consequences of the (naive, as we a lot of us were at the time - me included!) choices facebook made back them (wanting to be a platform, without really understanding what it meant) before pivoting to the current model (which is AFAIK far more similar to google's).
I think it’s less to due with the direct choices FB has made or even their impact on the election, but that FB’s complete and total lack of awareness of how their actions have impacted the world. It wasn’t Trump winning that did it, it was that Trump won with the assistance of data that Facebook was unable to properly protect.
Facebook has lost the trust of the public in ways that other major tech firms haven’t.
> It wasn’t Trump winning that did it, it was that Trump won with the assistance of data that Facebook was unable to properly protect.
I agree that Facebook is certainly a convenient scapegoat to hide all the other issues that plagued the Clinton campaign (from the DNC scandal, to the unlikeable candidate, through some controversial phrases she said during the campaign itself, and so on). Also it helps newspapers since they have to take no blame for what happened (and do no real analysis on why democrats lost).
I'm pretty convinced that if Clinton had won - even if Clinton had used CA data to do so - there would be far (far) less media coverage about the "evil of Facebook", regardless of the impact of their incompetence in the election. That was the case with Obama already after all.
Part of that is just what happens when you go from small start-up to entrenched big player. I remember when PayPal started. It was so cool and everyone who understood what it was was very enthused about it. Now it's all gripes and complaints.
> I remember when PayPal started. It was so cool and everyone who understood what it was was very enthused about it. Now it's all gripes and complaints.
Not what I see here on HN:
I see complaints from merchants (mostly with legitimate issues it seems) and praise from end users.
I actually used to hate PayPal as an end user because, used relatively infrequently, they'd often block or delay transactions, causing me headaches and wasting my time. They felt like they were actively trying to hinder rather than help commerce. They do seem to have improved in the last couple of years though.
If I could snap my fingers and everyone would switch to Matrix [1] I would, but as it stands hundreds of millions of people use these services daily and getting them more privacy will be useful.
They probably can already do everything you say, eg: cross reference and internally "trade" (meta)data between facebook, instagram and whatsapp backends and deliver that to law enforcement. I'm pretty sure their ability to do analytics is advanced enough (though even technical people sometimes really overestimate how "good" those big companies are at it).
At least at that point they will not have the contents of your messages. Which now they do (with the exception of whatsapp).
Rule of law doesn't imply strong privacy. In fact, I'd argue that privacy and rule of law are fundamentally in tension. Privacy favors scofflaws, particularly those trying to corrupt the law, so in any social system with privacy there's going to be a tendency toward asymmetry of privacy in favor of the corrupt.
The ideal scenario for rule of law is no privacy. However, privacy has intrinsic value of its own so we're stuck trying to maximize privacy while minimizing the corruption. It's an ongoing balancing act; every society will do it differently and it will change over time.
If we can assume Facebook's apps aren't lying (i.e. E2E is properly implemented - this seems to be the case with WhatsApp) then this is better for those exact purposes.
Even the star child Signal [1] has to store metadata...
What other people do on fbook and whatsapp and messenger does affect me. I need articles and discussions like this so I can try to educate those who use those services.
If I could somehow make it so fbook would auto remove my name from any messages, delete any pictures with me uploaded by anyone, and ignore (not store) my name and phone number when it takes the contacts off of friends phones for example . Do not store the location of my residence if one of my friends is messaging their "whatever" from my place. I don't want to be associated with location sharing of whatever people are doing on their phone.
- I'd gladly file whatever 'right to be forgotten / never known' request with fbook.
In the meantime, we need to know as much as possible as to what this beast is doing with data.
It's really annoying how so much facebook 'news' and conspiracy theory makes it to the front page of HN. I hereby propose renaming Hacker News to Facebook News.
Edit: there's no way that this comment is any more off topic that the vast majority of the facebook crap posted here.
I read another tech journalist twitter thread that hypothesized it was to make it harder for a regulator to break up the company because once combined it would be near impossible to break up without negatively impacting users.
Facebook encrypted messaging! What's next, military intelligence? How about a vegan big-mac? Maybe a quality automobile by GM?
I think steganography is an excellent way to deliver encrypted messaging to consumers. It has so many inherent features that I'm surprised it isn't already widely used. Let's see:
- easy to recognize but hard to detect
- can pass through any channel that accepts images
- massive storage capacity (10MB+ depending on how you roll)
- encryption easily baked in!
- many additional use cases (store your kids ssc or passwords, store encrypted notes, anonymous communication by just posting an image online somewhere).
Everyone should know Facebook encryption is about as good as free (or maybe most) VPN encryption. But with steganography all you need is an open source application that you can trust or a popular codec.
If anyone is interested I have a stalled steganography project that I'm waiting to get back to (once I finish a ASP.NET Core book) https://github.com/smchughinfo/steganographyjr. I'm making it as easy to use as possible (UWP, iOS, Android, a website, Web API, Nuget, and possibly a native app for Debian if I get the time) Most of that work, though, you get for free with .NET Standard + Xamarin but it's still a lot of work.
Steganographic communication as a substitute for encrypted text is a baffling misinterpretation of the reason for encryption in a chat program. The use cases and potential userbase barely overlap at all.
I don’t want my conversations with my mother to be public. But we are not going to communicate in secret messages hidden in images as if we are espionage agents, and most assuredly 98% of the public will not, either. Not to mention that steganography has a security by obscurity aspect - the more you raise knowledge that textual messages may be concealed in images, and present a common mechanism for doing so, the less effective it is for escaping scrutiny.
Also, I’d note for your points that stegonography has no ‘storage capacity’. That’s a characteristic of the underlying medium. It is not a standalone communication system - if I’m sending secret spy image messages to my tow truck company instead of normal text messages, the storage is foremost limited by the text message system.
> Steganographic communication as a substitute for encrypted text is a baffling misinterpretation of the reason for encryption in a chat program.
I agree with you, but couldn't you say the same thing about using end-to-end encryption in a chat program as a substitute for messaging that's just encrypted in transit?
> Steganographic communication as a substitute for encrypted text is a baffling misinterpretation of the reason for encryption in a chat program.
> I agree with you, but couldn't you say the same thing about using end-to-end encryption in a chat program as a substitute for messaging that's just encrypted in transit?
I just want to point out, again, that this is not an argument that I tried to make.
But what are you saying people should do? Only communicate information that I don’t mind being public using traditional non-secure messaging systems, and use stegonagraphy whenever one wants to communicate private information?
Steganography+encryption has a number of use cases. The one I think is most interesting is being able to store encrypted data locally with ease. Right now if I want to encrypt some text I have a number of options.
I can encrypt the hard drive. I can encrypt a text file to a binary encrypted file. I can encrypt a text file to a text file with something like pgp. But none of those are what I would call user friendly. But through the magic of steganography you could do all that and save it to an image file. Now we have something that people might be comfortable using.
As for secure chat idk. I wouldn't trust Windows, iOS, Android, my ISP, my VPN, the NSA (and whoever else), the spyware my mom has installed on her computer that neither of us know about, etc. I'd probably just google for something but I wouldn't be under any illusion that it's totally secure.
Can you elaborate on the logic of why saving encrypted text to an image file is more user-friendly than saving it to a text file? Why would that make people more comfortable?
Because people are more comfortable dealing with image files than .enc files or whatever extension one might use. Plus you dont just have to encode text. You can encode any file type. Look, I don't know what this is to the various participants in this thread but to me it's been really sad. I feel like I'm arguing politics. I don't think I've said anything unduly disrespectful or even incorrect yet I've been arguing about this with people who apparently think they know better but consistently get basic facts wrong or appear to be disingenuous to help win a debate. I'm not here to connect every dot for you. You're not holding my ideas up to the light of truth or whatever you think you may be doing. I really regret logging on to hackernews today.
Sure, for a chat conversation you would want something faster than steganography. But if you will notice I did not propose a solution for encrypted chat. I proposed a solution for making encryption easier to use, yes? I hope that debaffles you a little.
Steganography alone is just security through obscurity? I guess I'm not sure which algorithm you are thinking of but regardless it's very easy to encrypt your data before writing it to the image so in any case, that is a non-problem. The same goes with your sentence about the use of steganography detection. Maybe it's possible for some algorithms, I don't know, but I have very strong doubts about that and again, it's encrypted.
The amount of data you can write to an image using a steganographic algorithm could be rightly called its "storage capacity", yes? Or do you believe that for each image there is an exact maximum storage capacity regardless of the way you encode data to it?
“I think steganography is an excellent way to deliver encrypted messaging to consumers.” is in your prior post.
If you are not using stegonagraphy for the obscurity aspect, why use it at all? Why not just encrypted plaintext that can be decrypted?
Stegonagraphy is intended to conceal that a message is being sent at all, other than the apparent message of an image. If my recipient and I are both using Cool Stegonagraphy Messaging App, or you are marketing CSMA to the general public, that removes that crucial feature.
As far as storage capacity, I mean is not a concept that stegonagraphy envelops. The amount of data you could include would be limited by the lower level transmission systems - whatever software and hardware you are using to actually transmit, device, store and view images such as image format and your phone storage.
I meant messaging in a more general context. It does not remove that feature at all. Why do you think that two people using the same app or algorithm automatically reveals the presence of a hidden byte array? You just vary the way data is read out of the image using the same password used for encryption. Even if they could recover every single bit using statistics (which they can't) they would have no idea what order to put them in. That's just one way of doing it too. If you put a real math wizard on the case I'm sure they could do even better.
Storage capacity IS a function of the algorithm and the image. That's simply a fact. For example, say we are just bit flipping a 512x512px image and we take up all 8 bits in each color channel in each pixel. That lets us write 512 * 512 * 8 * 3 = 6291456 bits or about 6Mb. ...I can see how it looks like I was talking about real time communication because I said messaging. That was a mistake and honestly I have been playing around with the thought of if/how steganography could be used for chat but that really was not how I meant it to sound. I was thinking about how steganography might be able to make encryption more user friendly.
I’m not saying that the message isn’t secure in an encryption sense. It’s just that embedding it in an image has no advantage in an encryption sense, and if the advantage is not secrecy about the presence of a message at all, what is it?
Sure, stegonagraphy has a capacity for information that based on the image format utilized. But the real upper capacity is dependent upon the other layers.
The way to make it user friendly is to make it transparent. I don’t see how this would do that.
Speaking of layers that's how I want to answer the first part. Encryption makes it secure but steganography makes it portable. Steganography is the sugar that makes the medicine go down. That's how I think it could work anyways, I'm not saying that is what would happen.
Certainly for most things I would prefer whatever encryption in transit and whatever data is received is destroyed after viewing. Some people think snapchat is like that, and it's a big reason that many people use it like they do.
However I can imagine some use cases where others would want to keep say a kinky fantasy story someone wrote to them, but need to keep it in a form that if discovered may be difficult to discern that it was a naughty message at all.
Like the "calculator app" that many of the younger folks are using to hide nudes... you'd have a "cool cat memes with friends app" - with some of the images shared having extra data embedded...
some parents and others are getting smarter about seeing the most used apps on a phone, so they are able to question why someone used "hidden locker calculator" 8 hours each day. If you had "cat meme share" being used 8 hours a day, you could open said app and show your parents/lover/ whoever the funny memes.. and they may not know that extra info could be embedded for example.
This may save some people doing bad things, but may also save some people from being outted about their <insert small niche not socially well accepted interest / lover / friend here>
> can pass through any channel that accepts images
No. Any online service worth its salt is going to reencode images to serve proper sizes and maybe do other processing. Along the way stuff like EXIF data and other worthless (for displaying the image) chuff will get stripped from the image. Alternatively, if you mean not somehow embedding in the file but encoding in the actual pixels of the image, that data will get lost as well when the image is resized and resampled. To survive most image manipulations, the data will have to be quite crude and you'll have low bandwidth with this kind of encryption.
An exception would be some photographer oriented services like Flickr that allow you to download the original file but those are a minority.
Yes. Any algorithm designed to be resilient to common processing steps will pass this test with flying colors. Also, EXIF data is not used in steganography, by definition.
Hence why I mentioned that if you encode the data in the actual image (the part that's guaranteed to survive processing,) you cannot do it with very fine elements, like subtly shifting the colors of individual pixels or the like, because an average Facebook JPEG algorithm, for example, will just destroy that. You need to use data points that could survive heavy JPEG artifacting, and that means very few data points per image, and low bandwidth.
That’s a moving target with no guarantees to stay true. Steganography in the use cases you’ve described adds complexity and additional portability challenges over a plain encrypted file.
Steganography has a bad connotation because it's heavily used in the pedophilia realm which would limit it's uptake, somewhat like torrents. Perfectly valid and useful tech that gets used by a few but not by most.
I think Telegram, even with it's flaws, is the closest I've come to an easy to use encrypted messaging app that I can get my mother to use and like.
I don't think anyone cares if pedophiles use it. They only care if it will work for them. Heck, if it keeps pedophiles safe that's a pretty good endorsement. I think the primary road block for most people is not seeing a use case combined with the technology not being readily available (excluding a few apps that aren't compatible with each other).
I think you're grossly under selling the emotional response the larger public user base would have to being associated with paedophilia. Albeit, even if it's tangibly associated via an app.
Unfortunately that's the nature of the beast. You and I, in addition to our peers would probably see it as an endorsement (as you coffecfly stated). But we're not Joe Bloggs.
The feeling of disgust is so easily manipulated amongst the greater public.
Is it? I associate steganography with espionage and consumer printer identification. It's not convenient or practical for most things, but I don't think it has the dark reputation you suggest.
as a teenager, I was a vegitarian. I remember once I was the new guy at a computer repair place, so it was my job to go across the street and get everyone's burgers. This was, of course, the late '90s, and burger king did not have a vegiburger
Anyhow, I go up to the counter and rattle off everyone's order from my list. I'm making conversation with the person at the checkout, and mention I'm a vegitarian (I think sometimes it's a little like crossfit, in that regard) Anyhow, this person mentioned that burger king had vegiburgers, and they could make me one. Excited to have something other than just french fries, I accepted.
So I get back to the office and hand out the burgers. I go to dig into mine, and it's just a bun with way too much mayonase and some lettuce. It was so disappointing.
I'm not a vegitarian anymore, but I do still enjoy vegiburgers, so I will have to go try this out.
I suppose you could and I am certainly no expert so it might even be better that way. A couple cons to that are that it looks cryptic so it's a little easier to detect, that you have to share the URL somehow (as opposed to hanging out in usersub on imgur), it's usually more difficult to deal with large amounts of raw text than an image, and if you use PGP instead of AES->base64 (or something like that) you would have to know the recievers key. I guess that last bit depends on the use case.
I'm not saying either approach is better. Maybe one is better, I don't really know.
maybe trump paved the way for twitter posts to become leading news, but this is hardly more than a rando on the internet speculating. whatever it takes to keep that narrative up i guess
This article specifically talks about sex workers using whatsapp and the fact that because of meta data sharing, IF a warrant comes from the government to find users associated with a certain group (such as sex workers groups) on Facebook, it indirectly brings whatsapp users into that group as well through indirect means.
Interesting issue yet so many "if"s. The reality is that Facebook needs to make money from whatsapp at some point. If keeping end to end message encryption is important, then they are left with three equally bad options:
# Charge for the service (whatsapp will lose 90% of its userbase in a month)
# Show generic ads (worse value than even TV ads, because at least TV ads know a little bit about the viewers of a certain show but whatsapp has no idea)
The big issue I have with this is that facebook can already do this, IF a warrant comes from the government.
The issue about being careful about using those metadata for friends/"you could know" (which was always terrible for me) and related functionality is legit though. They should give the user the option of opting out (ex: I don't want you to show my FB profile to people I only have in whatsapp/instagram). Even better, they should allow for opting in and opt out everyone by default.
>Don't you know that our plans have your interests -- not ours -- in mind? Who else could wade through the sea of garbage you people produce, retrieve valuable truths and even interpret their meaning for later generations?
The title seems to suggest an announcement but the article is essentially speculation. Sure, it's likely that Facebook will exploit the mega-chatosphere for its data in the same way it currently does with each service individually (and cross service if you count account linkage). However, this article is essentially sensationalism for the sake of plugging their own privacy focused chat app.
I suggest the title be renamed to something less official sounding.
