Control what you create
Soon after very private celebrity photos were released to the public, Ricky Gervais posted (and then swiftly deleted) the following note:
Celebrities, make it harder for people to get nude pics of you from your computer by not putting nude pics of yourself on your computer.
It was an awful, tone-deaf thing to say. And the victims are not at fault. But it actually crystallised my thinking about how we can, and in fact need to, control what we create.
Posting these very personal photos on the internet is an ugly demonstration of why we need to actively control our:
But our choices are not simple. For private information, we need to choose between privacy and backups. And for public information, we need to choose between control and convenience.
Chris Leishmann used to share a study with a friend of his at College. Chris and his friend would try to break into each other’s running computer (server). I didn’t know Chris' friend, but Chris is an extraordinarily clever technology professional, and he could not figure out a way to stop his friend from breaking into his running server.
I recently discussed this issue with some very smart Amazon AWS security professionals. I won’t name them because I promised not to. But they confirmed that there is no such thing as a (commercially available) encrypted operating system. This means that your (malicious) cloud provider will always have access to all of your data, even if you encrypt the data (unless your cloud provider just provides “dumb” storage of your encrypted files, and does not process those files).
Therefore, because phones and computers always break eventually, our choice is to either:
Up until recently, most people just chose backups over privacy. Choosing to back up (and choosing to back up is almost always the right choice) is based on the assumption that your cloud provider’s host systems are secure, and on the assumption that your cloud provider is not malicious. But as Ricky points out, the downside of trusting cloud providers is now clearly apparent.
It is unclear who first said that if your internet service is free then you are the product and not the customer (it was certainly mentioned on Bruce Schneier’s website in 2010). And if a service is free, then your social media provider will use your personal information to make money, for example by selling your personal information to advertisers.
This is not a bad thing. Useful social networks (like LinkedIn) would not exist without a critical mass of users providing personal information. But social media, and free services in particular, come at a price (Community Services - Waffle):
The reason I don’t like social media is that it takes two things that are polar opposites and duct tapes them together. Your own utility – to save links, to write text, to move files or materials, to keep notes, to communicate with yourself in the future, to communicate with some other specific people – and the social media outlet’s desire to fulfil its own objectives first.
This is a recipe for tone-deafness at best. But it’s also an explanation of why so many people are so uneasy with social media … Social media has come to symbolise, for me, … the inability to define my own boundaries and the uncertainty about what’s going to happen tomorrow to the fundamental structure of this tool that I’m using – all the while someone … makes money off of me.
If Facebook, or Twitter, or LinkedIn, or your free email provider, disappeared tomorrow, or decided to remove or hide some or all of your data, would you lose any irreplaceable comments or photos or emails?
We benefit from the convenience of social networks. But we lose control of our personal information.
It’s sad. But we now need to assume that any device (e.g. computer or phone) that is connected to the internet can be broken into (i.e. cracked).
So it is not fair to say. And it is not fair that it’s true. But if we are about to create something that will cause us immense pain if posted on the internet, be it naked photos or emails that we would rather no-one ever see, then we should consider not creating the thing that will cause us pain in the first place.
It’s ugly. I’m sorry. But please don’t shoot the messenger.
Even if our data is encrypted on cloud servers, malicious cloud providers can still monitor our running operating system, and access any data processed by that operating system. And the only way to ensure that your cloud provider cannot access your data is to encrypt the data at your end (i.e. before you send it to the cloud provider). But cloud services can only work that way if your cloud provider just provides “dumb” storage of your encrypted files, and does not access, process, or use your information in any way. So cloud services rarely work that way.
This post originally appeared at iainmclaren.com. Thanks to Elaine Bevington and Josh Morris for reviewing early drafts. These opinions are mine. They are not necessarily those of my employer.