The problem isn't about the big corporations themselves but about the fact that the network itself is always listening and the systems the big corporations build tend to incentivize making as many metadata-leaking connections as possible, either in the name of advertising to you or in the name of Keeping You Safe™: https://en.wikipedia.org/wiki/Five_Eyes
Transparent WWW caching is one example of a pro-privacy setup that used to be possible and is no longer feasible due to pervasive TLS. I used to have this kind of setup in the late 2000s when I had a restrictive Comcast data cap. I had a FreeBSD gateway machine and had PF tied in to Squid so every HTTP request got cached on my edge and didn't hit the WAN at all if I reloaded the page or sent the link to a roommate. It's still technically possible if one can trust their own CA on every machine on their network, but in the age of unlimited data who would bother?
Other example: the Mac I'm typing this on phones home every app I open in the name of “““protecting””” me from malware. Everyone found this out the hard way in November 2020 and the only result was to encrypt the OCSP check in later versions. Later versions also exempt Apple-signed binaries from filters like Little Snitch so it's now even harder to block. Sending those requests at all effectively gives interested parties the ability to run a “Hey Siri, make a list of every American who has used Tor Browser” type of analysis if they wanted to: https://lapcatsoftware.com/articles/ocsp-privacy.html
The missed opportunity was to provide privacy protection before everyone stepped into the spotlight. The limitations on RSA key sizes etc (symmetric key lengths, 3DES limits) did not materially affect the outcomes as we can see today. What did happen is that regulation was passed to allow 13 year olds to participate online much to the detriment of our society. What did happen was that business including credit agencies leaked ludicrous amounts of PII with no real harm to the bottom lines of these entities. The GOP themselves leaked the name, SSN, sex, and religion of over a hundred million US voters again with no harm to the leaking entity.
We didn't go wrong in limiting export encryption strength to the evil 7, and we didn't go wrong in loosening encryption export restrictions. We entirely missed the boat on what matters by failing to define and protect the privacy rights of individuals until nearly all that mattered was publicly available to bad actors through negligence. This is part of the human propensity to prioritize today over tomorrow.
> What did happen is that regulation was passed to allow 13 year olds to participate online much to the detriment of our society.
That's a very hot take. Citation needed.
I remember when the US forced COP(P?)A into being. I helped run a site aimed at kids back in those days. Suddenly we had to tell half of those kids to fuck off because of a weird and arbitrary age limit. Those kids were part of a great community, had a sense of belonging which they often didn't have in their meatspace lives, they had a safe space to explore ideas and engage with people from all over the world.
But I'm sure that was all to the detriment of our society :eyeroll:.
Ad peddling, stealing and selling personal information, that has been detrimental. Having kids engage with other kids on the interwebs? I doubt it.
there was a huge chilling effect on both product and protocol design. In the 90s I had to fill out a form and submit it to RSA in order to get a copy of their library. Which I eventually got after waiting 6 months, but I had to agree not to redistribute it in any way.
Efforts to design foundational cryptographic protocols were completely hamstrung by the spectre of ITAR and the real possibility that designs would have to US only. Right around the time that the US gave up, the commercial community was taking off and they weren't at all interested in further standardization except was creating bouts for their business - which is why we're still stuck in the 90s as far at the network layer goes.
In a nutshell I dont think we would have seen much change - corporations only engage in security insofar as much as they are required to - we've seen that even in this "metastatic SSL enabled growth" we've basically sold out security to the lowest common denominator, and core actors in the industry just use these security features as a fig leaf to pretend they give a single crap.
Now, would CERTAIN industries exist without strong cryptography? Maybe not, but commerce doesn't really care about privacy in most cases, it cares about money changing hands.
I dont know, they sure make sure the paper-trail is shredded and shedded with the Azure Document Abo 365. When it comes to security from liability everything is top notch.
I haven't seen the talk, but it sounds plausible to me: Technical people got strong crypto so they didn't worry about legislating for privacy.
We still have this blind spot today: Google and Apple talk about security and privacy, but what they mean by those terms is making it so only they get your data.
> Technical people got strong crypto so they didn't worry about legislating for privacy.
The article debunks this, demonstrating that privacy was a primary concern (e.g. Cypherpunk's Manifesto) decades ago. Also that mass surveillance was already happening even further back.
I think it's fair to say that security has made significantly more progress over the decades than privacy has, but I don't think there is evidence of a causal link. Rather, privacy rights are held back because of other separate factors.
Downside of trading privacy for security: anything that makes a network connection creates metadata about you, and the metadata is the real danger for analyzing your social connections: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
The problem isn't about the big corporations themselves but about the fact that the network itself is always listening and the systems the big corporations build tend to incentivize making as many metadata-leaking connections as possible, either in the name of advertising to you or in the name of Keeping You Safe™: https://en.wikipedia.org/wiki/Five_Eyes
Transparent WWW caching is one example of a pro-privacy setup that used to be possible and is no longer feasible due to pervasive TLS. I used to have this kind of setup in the late 2000s when I had a restrictive Comcast data cap. I had a FreeBSD gateway machine and had PF tied in to Squid so every HTTP request got cached on my edge and didn't hit the WAN at all if I reloaded the page or sent the link to a roommate. It's still technically possible if one can trust their own CA on every machine on their network, but in the age of unlimited data who would bother?
Other example: the Mac I'm typing this on phones home every app I open in the name of “““protecting””” me from malware. Everyone found this out the hard way in November 2020 and the only result was to encrypt the OCSP check in later versions. Later versions also exempt Apple-signed binaries from filters like Little Snitch so it's now even harder to block. Sending those requests at all effectively gives interested parties the ability to run a “Hey Siri, make a list of every American who has used Tor Browser” type of analysis if they wanted to: https://lapcatsoftware.com/articles/ocsp-privacy.html
The missed opportunity was to provide privacy protection before everyone stepped into the spotlight. The limitations on RSA key sizes etc (symmetric key lengths, 3DES limits) did not materially affect the outcomes as we can see today. What did happen is that regulation was passed to allow 13 year olds to participate online much to the detriment of our society. What did happen was that business including credit agencies leaked ludicrous amounts of PII with no real harm to the bottom lines of these entities. The GOP themselves leaked the name, SSN, sex, and religion of over a hundred million US voters again with no harm to the leaking entity.
We didn't go wrong in limiting export encryption strength to the evil 7, and we didn't go wrong in loosening encryption export restrictions. We entirely missed the boat on what matters by failing to define and protect the privacy rights of individuals until nearly all that mattered was publicly available to bad actors through negligence. This is part of the human propensity to prioritize today over tomorrow.
> What did happen is that regulation was passed to allow 13 year olds to participate online much to the detriment of our society.
That's a very hot take. Citation needed.
I remember when the US forced COP(P?)A into being. I helped run a site aimed at kids back in those days. Suddenly we had to tell half of those kids to fuck off because of a weird and arbitrary age limit. Those kids were part of a great community, had a sense of belonging which they often didn't have in their meatspace lives, they had a safe space to explore ideas and engage with people from all over the world.
But I'm sure that was all to the detriment of our society :eyeroll:.
Ad peddling, stealing and selling personal information, that has been detrimental. Having kids engage with other kids on the interwebs? I doubt it.
One key part is that the crypto wars were around export, lest we forget "PGP Source Code and Internals".
If there was no international business, any-strength crypto would have been and could have been used.
there was a huge chilling effect on both product and protocol design. In the 90s I had to fill out a form and submit it to RSA in order to get a copy of their library. Which I eventually got after waiting 6 months, but I had to agree not to redistribute it in any way.
Efforts to design foundational cryptographic protocols were completely hamstrung by the spectre of ITAR and the real possibility that designs would have to US only. Right around the time that the US gave up, the commercial community was taking off and they weren't at all interested in further standardization except was creating bouts for their business - which is why we're still stuck in the 90s as far at the network layer goes.
In a nutshell I dont think we would have seen much change - corporations only engage in security insofar as much as they are required to - we've seen that even in this "metastatic SSL enabled growth" we've basically sold out security to the lowest common denominator, and core actors in the industry just use these security features as a fig leaf to pretend they give a single crap.
Now, would CERTAIN industries exist without strong cryptography? Maybe not, but commerce doesn't really care about privacy in most cases, it cares about money changing hands.
I dont know, they sure make sure the paper-trail is shredded and shedded with the Azure Document Abo 365. When it comes to security from liability everything is top notch.
I haven't seen the talk, but it sounds plausible to me: Technical people got strong crypto so they didn't worry about legislating for privacy.
We still have this blind spot today: Google and Apple talk about security and privacy, but what they mean by those terms is making it so only they get your data.
> Technical people got strong crypto so they didn't worry about legislating for privacy.
The article debunks this, demonstrating that privacy was a primary concern (e.g. Cypherpunk's Manifesto) decades ago. Also that mass surveillance was already happening even further back.
I think it's fair to say that security has made significantly more progress over the decades than privacy has, but I don't think there is evidence of a causal link. Rather, privacy rights are held back because of other separate factors.