KPMG partner calls for privacy protection
KPMG partner Stephen Bonner gave a bravura performance at Tuesday's BSides London conference that involved him wearing makeup, wigs and an electric shock device in the cause of protesting against our lack of privacy.
KPMG partner calls for privacy protection
Past surveys have shown that the security community is less shocked than the general public at the ‘Snowden revelations', but Bonner told the BSides audience that there is almost no way to protect people's privacy in the physical space and “no effective way to protect yourself online.” And rather than take the attitude ‘get over it', he urged security professionals to “stand up and do something about it.
“Start making tools that make a difference. Because privacy is an important principle for all of us.”
Bonner's initial appearance in a shirt and tie gave no clue to the eccentric - and massively well-received -presentation that followed.
He launched in by saying: “I sometimes get angry. I sometimes rant. I tell people off in a rude and offensive way because I really care about this subject. For me the basis of our entire democracy is based in privacy. The idea that we have a private ballot is key. Privacy is a fundamental human right, right up here with the right not to be a slave, with the right not to be tortured.”
Bonner then talked his audience through the threats to both physical and online privacy. Physically, he illustrated the pervasive nature of CCTV in a demo which involved him getting an electric shock every time a CCTV camera was seen.
He ran through ways to circumvent CCTV, as well as facial recognition technology (hence the makeup and wigs), and showed a video of what happens when someone wearing a balaclava walks into a bank to try and open an account (they are variously thrown out, wrestled to the ground and the police called).
The point of his presentation was there were no workable solutions to this surveillance – and the next step, the Internet of Things (IoT), takes the threat one stage further, he said.
“The Internet of Things provides a level of tracking that's unprecedented. That means that the adversaries don't even need to deploy cameras, people choose to carry their own things that record what they're doing and broadcast their position,” he said.
Again Bonner highlighted the difficulty of finding a workable solution to combat this, including a serious MIT research paper that looked at the (successful) use of tinfoil to block signals coming in and out of electronic devices.
He went on to consider the online privacy threat, and the solutions that the security community have so far developed. He considered using the Tor network for private communication (“a great idea”), but highlighted one crucial problem.
“Nobody uses it. So if you are the US Government, one of the easiest ways to identify targets is if they use Tor.”
Bonner also looked at PGP email encryption (largely unusable), using a secure Blackphone (“the user is saying please hack me”), VPNs (“brilliant if you want to use iPlayer on holiday but that's about it”), and the Lavabit private email system (“don't use any service that Edward Snowden uses”).
He concluded: “There's no effective way to protect yourself in the physical space except tinfoil and there's no effective way to protect yourself online.”
To prove his point that no privacy solutions so far work, Bonner confided: “I was speaking to someone who works on an offensive nation-state team that looks into breaking into things for the nation that they work for. He explained that there is nothing he can't break into.”
And while solutions like the Blackphone might provide individual security, Bonner said this is not enough. “Privacy should not be limited to a select few handsets for individuals who have something to hide. Privacy should be the default for all.”
He told his audience: “We're building a world in which we're building electronic systems which are not constrained by morals. We're building an infrastructure that monitors everything we do.
“It seems like something worth being worried about. Maybe we shouldn't build a massive surveillance infrastructure not only because bad people might get access to it but particularly because the coming AI (artificial intelligence) apocalypse is going to get access to it.
“Currently we don't have any privacy. It's not ‘get over it', it's ‘stand up and do something about it'. Start making tools that make a difference. Because privacy is an important principle for all of us. The answer is not building private solutions, but building privacy into all our solutions.”