Michael Schneider
Whenever I mention Facebook in my professional context at meetings, something interesting happens: The prevailing thought is that due to involvement with the information security scene, the use of Facebook becomes a direct and hard-to-justify misstep.
If you ask the critics of online services such as Facebook why they think the way they do, usually the same few arguments pop up. A current favourite seems to be “If you’re not paying for it, you’re not the customer, you’re the product!”
I wouldn’t go as far as to say that this is wrong. I would like to say that it’s naïve, though. It doesn’t just imply that paid services are more secure and thus less problematic than free ones but also that avoiding social networks leads to a massive increase in personal security.
I am going to claim that this statement should be seen as basically false in the context of a central Europe of the 21st century. Especially when we’re looking at the Swiss law concerning the surveillance of the traffic of mail and telecommunications (that is the most accurate translation of the official name of said law which is called Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs (BÜPF) in German). But it also works just fine when we’re looking at much more common applications of information security. Looking at these cards that give you a discount if you scan them at supermarkets such as the Swiss Migros Cumulus or the Coop Superpunkte program, it seems overly dramatic and inconsistent to just address the subject of data security and privacy on that one front.
Upholding the integrity and the protection of one’s own data has become a herculean task that can’t be fit into the everyman’s daily life. E-mail encryption has been possible for over a decade using PGP. Not a problem. Once installed, encrypting a mail is a matter of exactly one click. The experience of more than ten years of PGP use has shown us one thing: That is one click too many.
There are examples aplenty: The number of users of the messaging application WhatsApp is astronomically high. Competitors that seem to be more secure can only dream of such a high number of people using their service, even though their userbase is growing about as much as WhatsApp’s is. And the reactions of the users after Facebook acquired WhatsApp show one thing: The proven path is far more popular than the more secure one.
That’s a bitter pill to swallow for many a newcomer to information security: the fact that security is not always the highest of priorities. In fact, most of the time it’s something that comes way down the list. Security is, especially in the consumer market, not an argument for sales. It’s more of a silent expectation that customers have when faced with a professional product. This expectation then turns into outrage once there’s been an incident.
Now the question is: How much security and data protection does the everyday citizen need? And if the answer implies that it’s basically just a little bit of security, then the follow-up question is: How far can we expect the citizens to take care of it themselves?
It’s clear that most recent history, especially Snowden’s whistleblowing and the subsequent NSA Affair, has instilled a greater need for security. The argument “But I’ve got nothing to hide” has been questioned. Rightfully so. This is due to the implied general suspicion that justifies mass surveillance of everyday people without any specific reason.
It’s not far off to suspect that the answer isn’t as absolute as expected. I don’t think that trivial communication that we do every day in a sheer inconceivable volume has to be encrypted. But that doesn’t mean that the solutions we use to communicate can’t be secure by default, which definitely is a step in the right direction.
It’s obvious that we can’t solve one crucial problem despite all technology, if you want to see it as a problem: To a certain degree, the exposure to the world is in most cases deliberate. Everyone who posts on Facebook knows – or should know – that this is more or less visible to the public. Most owners of a customer card of a supermarket know that the company doesn’t just track the frequency of your purchases and how many bonus points they owe you, but they’re also collecting important marketing information. And everyone who’s ever sent a postcard knows that the mailman might know that the croissant at the Eiffel Tower was horrendously expensive but the weather was just lovely.
The hope remains that all the insecurity that we as professionals get from our families and our friends will eventually lead us into an age where security still isn’t a sales argument but a basic requirement.
This process will need time and it’s not done by forcing all our friends and colleagues to use Threema and PGP. How does the old saying go? Patience is a virtue.