After reading my “Everything you say is likely compromised” post, my friend Ross Henton asked,

“is it your contention that no commercial security or privacy product has a valid trust model?”

The argument I was trying to make is that most people make calls with the assumption that they are private; however, the truth is that there are free tools one can get off the internet to intercept pretty much any communication that happens today. I was simply trying to raise awareness.

This is especially important as we move into an age of surveillance. You likely don’t want a foreign state actor listening to your communications, or likely even your own government. Obama passed the NDAA, and in Canada Bill C-30 is on the table, allowing these governments to spy on their own people, without warrants. No matter what technology you’re using, it’s likely now that your neighbour can listen to you as well.

As any communication is open to interception, the bare minimum to prevent being eavesdropped upon is to encrypt communication; the challenge is that implementing strong encryption well is not trivial. As such, the minimum standard for trusting any communications has to be that the code is open source, which would allow any cryptanalyst to review the code and verify that it’s not backdoored and that the encryption has been implemented correctly. So this is what I’m claiming is a minimum standard.

Before we discuss what the default standard should be, think about which communication systems you can trust. Is there a valid trust model that can be implemented with today’s technology, that a civilian with access to the internet couldn’t compromise?