The political fallout resulting from discovery of the NSA’s total-panopticon agenda is fairly well known. As usual, the politicians are trying to deliver the minimum amount of “reform” that will keep the torches and pitchforks away.
The real solutions, IMO, will come from the tech industry, which has suffered an outrageous affront to its most sacred principle. I refer, of course, to money:
One example of privacy-based infrastructure improvement on the horizon:
Ultimately, it seems, the establishment and its apologists can posture as much as they like – the invisible hand of the marketplace will first give them the finger and then sweep them aside.
Well, email encryption is nothing new…we’ve been doing it here for years. And there are all sorts of other types of encryption…you can encrypt stuff up the wazoo if you want to. The tech has been there for quite a while. Not sure why Cisco would be singled out, but I doubt they are too worried about folks not buying their stuff. Their Meraki line of products especially breaks the mold and is pretty cool stuff.
IMHO, it’s not the tech that’s the issue…it’s always the human element that seems to be in play. You are more likely to be hacked because of bad policies, poor enforcement, lack of security groups and your own employees than because of the big bad wolf of the NSA. And while what Snowden might have brought out perhaps shocked some, it’s pretty well known that there are a lot of hackers out there…the NSA is only one of many. I’d be more worried about the Chinese or Russians on the hacking front than the NSA…to be honest, they seem more capable from what I’ve read. The only difference is that people seem to think the US is the big bad evil, and ignore everyone else. On this new frontier, a LOT of countries are major players (the Iranians, for instance, have a very capable cyber group), and you also need to consider companies, private groups and even individuals. Even after all that’s happened, people don’t seem to take cyber security seriously (until they get burned in a big way).
The significance of the Google move (and others that I expect to see coming down the pike) is that it greatly reduces the need for special hoop-jumping from the “human element”, thus deploying more security in practice even if the underlying technology is nothing new.
Well, I don’t know much about Google’s plan here, but it’s probably some version of PGP…which means there is still a key involved somewhere. That key will still have to be passed between the people who want to read each other’s encrypted emails, which puts this right back at the same old problem…that of the human element in the mix.
That said, I’m all for people becoming more aware of threats and taking this stuff more seriously. If it’s fear of the NSA that makes people scared enough to start taking this stuff seriously then I’m cool with that, even if the NSA is only one of many threats out there, and probably not the biggest one. Sometimes I feel like the sole Cassandra, always being the Chicken Little and predicting doom, DOOM DOOOMMMM!
The whole point of a public-key encryption system is that the people who want to exchange messages don’t need to directly exchange keys – the sender simply needs to look up the recipient’s public key (and check the signature to verify its authenticity). Apparently the new feature does the lookup automagically as part of the e-mail sending process.