<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael Zimmer.org &#187; Security</title>
	<atom:link href="http://michaelzimmer.org/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaelzimmer.org</link>
	<description>information ethics : privacy : new media : values in design : 2.0</description>
	<lastBuildDate>Tue, 24 Jan 2012 20:33:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Minding the Gaps: WikiLeaks and Internet Security in the 21st Century</title>
		<link>http://michaelzimmer.org/2011/01/25/wikileaks-and-internet-security-in-the-21st-century/</link>
		<comments>http://michaelzimmer.org/2011/01/25/wikileaks-and-internet-security-in-the-21st-century/#comments</comments>
		<pubDate>Tue, 25 Jan 2011 13:57:38 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[CIPR]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UW-Milwaukee]]></category>
		<category><![CDATA[WikiLeaks]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/?p=2578</guid>
		<description><![CDATA[If you&#8217;re in Milwaukee on February 4, please join us for this event organized by UW-Milwaukee&#8217;s Center for 21st Century Studies, and co-sponsored by the Center for Information Policy Research. Full details here. Minding the Gaps: WikiLeaks and Internet Security in the 21st Century A symposium with Laura DeNardis (Yale Information Society Project), and UWM [...]]]></description>
			<content:encoded><![CDATA[<p>If you&#8217;re in Milwaukee on February 4, please join us for this event organized by UW-Milwaukee&#8217;s <a href="http://www4.uwm.edu/c21/index.html" target="_blank">Center for 21st Century Studies</a>, and co-sponsored by the <a href="http://www4.uwm.edu/cipr/" target="_blank">Center for Information Policy Research</a>. Full details <a href="http://www4.uwm.edu/c21/pages/events/abstracts/11spring/wikileaks_panel.html" target="_blank">here</a>.</p>
<blockquote><div><strong>Minding the Gaps: WikiLeaks and Internet Security in the 21st Century</strong></div>
<p>A <a href="http://www4.uwm.edu/c21/pages/events/abstracts/11spring/wikileaks_panel.html">symposium</a> with <a href="http://www.law.yale.edu/faculty/LDeNardis.htm" target="_blank">Laura DeNardis</a> (Yale Information Society Project), and UWM faculty <a href="https://pantherfile.uwm.edu/braman/www/" target="_blank">Sandra Braman</a> (Communication) and <a href="http://www4.uwm.edu/c21/pages/events/abstracts/about/staff/richard.html">Richard Grusin</a> (C21, English).</p>
<p>The title of our <a href="http://www4.uwm.edu/c21/pages/events/abstracts/11spring/wikileaks_panel.html">symposium</a> comes from the ubiquitous pre-recorded security voice on the London Tube, reminding passengers to “mind the gap” between train cars and platforms. Unlike the physical gaps of 20th century transportation technologies like the Underground, the information gaps of 21st century communication technologies like the Internet pose security issues of a very different kind—as epitomized by the ongoing conflict between WikiLeaks and (especially) the US government.</p>
<p>This symposium will address the questions of WikiLeaks and Internet security from three different perspectives—political, legal, and medial—in order to come to terms with the ways in which WikiLeaks crystallizes some of the major security questions of the 21st century.</p>
<p>Friday, February 4, 2011<br /> 2:00 pm, Curtin 175</p>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2011/01/25/wikileaks-and-internet-security-in-the-21st-century/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dear Google: Make Security and Privacy the Default in the Cloud</title>
		<link>http://michaelzimmer.org/2009/06/16/dear-google-make-security-and-privacy-the-default-in-the-cloud/</link>
		<comments>http://michaelzimmer.org/2009/06/16/dear-google-make-security-and-privacy-the-default-in-the-cloud/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 18:28:52 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Values in Design]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/?p=1311</guid>
		<description><![CDATA[Today, a six page letter was sent to Google’s CEO, Eric Schmidt, asking Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar. The open letter is signed by 38 [...]]]></description>
			<content:encoded><![CDATA[<p>Today, <a href="http://www.cloudprivacy.net/letter/" target="_blank">a six page letter</a> was sent to Google’s CEO, Eric Schmidt, asking Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.</p>
<p>The open letter is <a href="http://www.cloudprivacy.net/letter/#signers" target="_blank">signed by 38 researchers and academics</a> in the fields of computer science, information security and privacy law &#8212; myself included. The letter was spearheaded by <a href="http://www.dubfire.net/">Christopher Soghoian</a>, a computer researcher, programmer and privacy activist, and it has already received some press coverage at <em><a href="http://www.wired.com/threatlevel/2009/06/google_ssl/" target="_blank">Wired</a></em> and <em><a href="http://bits.blogs.nytimes.com/2009/06/16/gmail-to-get-more-protection-from-snoops/" target="_blank">NY Times</a></em>.</p>
<p>From the letter&#8217;s executive summary:</p>
<blockquote><p>This six page letter to Google’s CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.</p>
<p>Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption  technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.</p>
<p>Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session.  However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help.</p>
<p>Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers’ sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.</p>
<p>Rather than forcing its customers to “opt-in” to adequate security, Google should make security and privacy the default.</p></blockquote>
<p><a href="http://en.wikipedia.org/wiki/HTTPS" target="_blank">HTTPS</a> is commonly used by banks and e-commerce websites to protect sensitive user information in transit; it ensures that anyone &#8220;snooping&#8221; on the network cannot see your password or credit card information &#8220;in the clear&#8221;. While Google does use HTTPS when you log into your GMail or Docs account, thereby protecting your password, the remainder of your activities on those applications occur unencrypted, leaving everything you do and type susceptible to snooping. Google does allow users to turn on HTTPS for all of their activities, but the default setting is for less-secure processing, and Google does a poor job of promoting and explaining the benefits of using a secured connection (<a href="http://michaelzimmer.org/2009/06/13/the-laws-of-social-networking/" target="_blank">sound familiar?</a>).</p>
<p>The letter asks the following of Google:</p>
<blockquote><p>[R]ather than forcing users to “opt-in” to adequate security, we strongly urge you to make security and privacy the default setting, and allow informed users to “opt-out” of the encryption if they feel it is an unnecessary burden.</p>
<p>If Google insists on not enabling these encryption-based protective measures by default, the company should at least make the consequences of this decision more prominent, so that users make a fully informed choice. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help. We suggest that, at minimum, Google do four things:</p>
<ol>
<li>Place a link or checkbox on the login page for Gmail, Docs, and Calendar, that causes that session to be conducted entirely over HTTPS. This is similar to the “remember me on this computer” option already listed on various Google login pages. As an example, the text next to the option could read “protect all my data using encryption.”</li>
<li>Increase visibility of the “always use https” configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.</li>
<li>Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.</li>
<li>Make the “always use https” option universal, so that it applies to all of Google’s products.  Gmail users who set this option should have their Docs and Calendar sessions equally protected.</li>
</ol>
</blockquote>
<p><a href="http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html" target="_blank">Google has responded</a>, acknowledging these concerns, but stating they &#8220;want to more completely understand the impact on people&#8217;s experience&#8221; before making HTTPS the default. Google seems most concerned about HTTPS&#8217;s impact on speed, asking rhetorically &#8220;Does it load fast enough? Is it responsive enough?&#8221;. These are loaded questions, since users typically don&#8217;t know what &#8220;enough&#8221; is, especially when they aren&#8217;t fully told the security risks of <em>not</em> using HTTPS.</p>
<p>We further address this issue of <a href="http://en.wikipedia.org/wiki/Latency_(engineering)" target="_blank">latency</a> in the letter:</p>
<blockquote><p>Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection. The user’s interactions with Google’s applications typically do not depend on an immediate response from Google’s servers. This separation of the application from the Internet connection enables Google to offer ‘offline’ versions of its most popular Web applications.</p>
<p>Even when low latency is important, financial firms such as Bank of America and American Express have demonstrated how to provide users with a pleasant, low-latency browsing experience, while still implementing strong encryption by default. Likewise, Adobe’s cloud-based Photoshop Express lets users interactively edit images via a Web application that is 100% encrypted by default.</p>
<p>Other Google applications demonstrate that security need not come at the cost of performance. Google’s Health service enables users to browse through and manage their private health information online. Google’s Voice service lets customers initiate VOIP phone calls, send text messages, and manage voicemail inboxes.  However, unlike with its Gmail, Docs, and Calendar products, Google only provides access to Health and Voice via HTTPS encrypted communications sessions, recognizing the highly sensitive health and call record information users entrust to Google.  Likewise, Google’s AdWords and AdSense products, which are the backbone of Google’s advertising business, can only be managed by customers using a secure HTTPS connection.</p>
<p>Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default.</p></blockquote>
<p>I hope Google does the right thing and puts the privacy and security of its customers first by making the changes described in this important letter.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2009/06/16/dear-google-make-security-and-privacy-the-default-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When Your Secret Questions Aren&#8217;t So Secret</title>
		<link>http://michaelzimmer.org/2009/05/25/when-your-secret-questions-arent-so-secret/</link>
		<comments>http://michaelzimmer.org/2009/05/25/when-your-secret-questions-arent-so-secret/#comments</comments>
		<pubDate>Tue, 26 May 2009 03:38:40 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/?p=1282</guid>
		<description><![CDATA[There&#8217;s been a flurry of news recently about an article from Microsoft and Carnegie Mellon University researchers showing that secret questions used to recover forgotten passwords aren&#8217;t so secret after all. As reported in Technology Review: In a study involving 130 people, the researchers found that 28 percent of the people who knew and were [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s been a flurry of news recently about an article from Microsoft and Carnegie Mellon University researchers showing <a href="http://www.technologyreview.com/web/22662/page1/">that secret questions used to recover forgotten passwords aren&#8217;t so secret</a> after all. As reported in <a href="http://www.technologyreview.com/web/22662/page1/" target="_blank">Technology Review</a>:</p>
<blockquote><p>In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study&#8217;s participants could guess the correct answers to the participant&#8217;s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.</p>
<p>&#8230;</p>
<p>The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions &#8220;What is your favorite town?&#8221; and &#8220;What is your favorite sports team?&#8221; were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.</p>
<p>But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet&#8217;s name, the researchers found.</p></blockquote>
<p>This is the same security flaw that allowed someone to hack into <a href="http://www.networkworld.com/community/node/32838" target="_blank">Sarah Palin&#8217;s e-mail account</a>, and a <a href="http://www4.uwm.edu/news/stories/details.cfm?customel_datapageid_11602=908845" target="_blank">student in my &#8220;Information Technology Ethics&#8221; class demonstrated</a> the ease of hacking into an e-mail account by using information from a Facebook profile to correctly answer the &#8220;secret questions.&#8221;</p>
<p>While some companies are recognizing the limitations of secret questions (<a href="http://pages.ebay.com/help/account/change-question.html" target="_blank">Ebay, for example, suggests</a> using &#8220;incorrect or irrelevant&#8221; answers to their secret questions), it is hard not to agree with what <a href="http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html" target="_blank">Bruce Schneier pointed out years ago</a>: if the answer to the secret question is much easier to guess than the password, and the information is much more public, there is little use for either.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2009/05/25/when-your-secret-questions-arent-so-secret/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

