Taurus leak: When it comes to privacy, it’s all or nothing

The German Taurus leak shows one thing very clearly: encrypted and secure 
communication does not work for the few. Instead, it must become the standard 
for everyone.
23.03.2024 at 07:20 - Guest post, Meredith Whittaker

An alarming breach of state secrecy recently rocked German newswires. On March 
1, Margarita Simonjan, head of Russian TV network RT, published confidential 
communications between German military officials, turning strategically 
sensitive deliberations into public news and further polarizing an already 
fierce debate centered on Europe’s support for Ukraine–or lack thereof.

How did this happen? The alleged culprit was the German military’s reliance on 
insecure communications systems. According to official sources, one of the 
officials involved in the conversation joined using insufficiently secure 
software or an insecure line. Software that enables encryption as an option, 
not as the default, will always undermine privacy eventually, because it takes 
only one person forgetting to “turn on” encryption to ruin it for everyone – 
and just like that, to enable a breach.

This incident underscores something important: private communications only work 
if everyone participates. If one person or endpoint is compromised, the whole 
network goes with it. Which means that digital privacy and security must be 
embedded at the core of our digital infrastructure. As we saw with the German 
military, relegating privacy to the status of optional “add-ons” or 
institutional infrastructure for a privileged few means that they will, at some 
point, fail. And when they do, they will fail everyone.

Encryption is a collective endeavor

For decades, the human right to communicate privately has been a fractious 
proposition, with security services and law enforcement agencies frequently 
voicing opposition to the idea of digital privacy as the default for everyone. 
This oppositional position was cemented in the 1990s, as the internet moved 
from a hypothetical to the infrastructure of daily life. And the arguments made 
against privacy then are familiar today, namely that widespread encryption and 
the privacy it enables would facilitate criminal activities.

Of course, the same entities arguing against privacy for us were not so keen on 
exposing their own communications and operations. At the same time that they 
argued for backdoors and weak privacy for the masses, they worked to ensure 
that their own communications remained protected by encryption. Ultimately, 
their stance amounted to: “privacy for me, not for thee”.

And as we see, this stance results in “no privacy for any of us” in practice.

This truth lies at the heart of the recent German military breach. Often 
overlooked in discussions surrounding digital privacy and security is the fact 
that end-to-end-encryption is a collective endeavor and should be the default. 
The integrity of encrypted communication is only as strong as its weakest link. 
A single participant using an insecure connection can compromise the privacy of 
the entire network, making the widespread adoption of end-to-end-encrypted 
communications one of the few strategies that can mitigate against such risks.

Encryption should not be optional

This incident illuminates the inherent fallacy of perceiving encryption as an 
optional feature or relying solely on closed, intra-organizational tools for 
secure communication. The reality of our interconnected world necessitates 
constant communication with individuals within and outside any single 
organization’s bubble – be it for sharing critical intelligence, coordinating 
with allies, or the mundane yet essential exchanges of daily life. Further, the 
networks and people a given person or organization is required to communicate 
with changes frequently, as the exigencies and focus of their work and the 
world they’re situated in shifts. What does not shift is the need for these 
communications to remain secure and private.

Ironically, it was Stewart Baker, former head of the US National Security 
Agency, who articulated this dilemma in the 1990s, albeit from a perspective 
that opposed mass privacy. He highlighted the fact that if encryption wasn’t 
default, it would not be widely used. And this would thus leave even those 
endeavoring to apply encryption in bespoke or selective contexts (criminals, in 
his selective example) exposed to surveillance. Because, somewhere, somehow, 
they would slip up. Or, they would need to contact their father, or friends, or 
accountant on an unencrypted line. Thus, their “conspiracy”, in his words, 
would be discoverable by security services, due to the fact that only default 
encryption ‘for everyone’ is capable of truly protecting privacy for anyone. 
While he was arguing against the principle of privacy for everyone, Baker’s 
analogy unwittingly underscores the crux of the problem we currently face: 
without ubiquitous end-to-end encryption by default, every organization, be it 
a governmental body or otherwise, is left permanently exposed.

Encryption goes beyond technology

This also highlights the fact that to understand private communications, we 
cannot simply focus on technology. We must also appreciate the nature of how 
people communicate. Namely, that each one of us has many relationships with 
others around us; from our families, to our friends, to our colleagues. And 
that these boundaries are constantly shifting and blurred. Organizations 
partner with third parties routinely. Colleagues become friends. Family can be 
estranged. And it is frequently necessary to check in with a partner or friend 
about our location, our plans, and other intimate information.

If only some of these conversations are private, the rest of them provide a 
surface area for interception and ultimately violation of privacy. Just as 
Baker noted. Each of us, always, communicates across a dynamic network that 
extends well beyond our workplace and profession. It is this fact that makes 
systems where end-to-end encryption is an option for some communications, but 
not the default for all, insufficient.

The recent breach in German military communications serves as a compelling 
argument for the adoption of universally accessible, secure communication 
platforms. And this is why truly private messengers like Signal offer simple, 
unified messaging apps, capable of connecting with any other person using it.

Communication platforms and tools are critical infrastructure

These mass platforms and standards are not merely tools. They must be 
understood as critical infrastructure for the digital age, ensuring that 
privacy and security are not privileges but rights accessible to all. By making 
end-to-end encryption the default, and ensuring that this default is available 
to everyone not siloed within a given company or institution, we safeguard not 
just the communication between high-ranking officials but the human right to 
privacy of every individual. A right that to be honored for anyone, anywhere, 
must transcend organizational boundaries and national borders.

To ensure privacy for anyone, we must champion systems that provide privacy to 
everyone. “Privacy for me but not for thee” is an idea that, even in the 1990s, 
was understood to be fatally flawed. Those of us who believe in the human right 
to privacy must champion options that provide this right to the masses. Because 
if we don’t, everything from journalism, to dissent, to the sensitive 
communications of high ranking German military officials will be put at risk.

https://netzpolitik.org/2024/taurus-leak-when-it-comes-to-privacy-its-all-or-nothing/