The latest Snowden revelations about a hack by the NSA and the GCHQ into Gemalto’s computer network reportedly to steal sim-card encryption keys have understandably caused a bit of a global panic. Local mobile telecoms service providers such as NetOne, who are clients of Gemalto, have also likely been affected, and a concern persists whether their sim cards might be transmitting users’ information to the foreign government agencies.
The whole idea behind the Gemalto hack was to allegedly enable the US and British spy agencies to monitor a significant portion of global voice and data cellular communications by harvesting massive amounts of encryption keys for sim cards distributed to all corners of the world. It is basically an issue of privacy and security.
It is quite ironic though that Gemalto, arguably a global leader in digital security, did not anticipate a possible breach of their network, or think to secure the process of transmission of encryption keys between themselves and their global clients.
Nevertheless, one could wonder why any foreign spy agency would have an interest to drop eaves on the communications of ordinary people, particularly ones located here in Africa, and specifically Zimbabwe. The truth is, they may or may not have any direct-targeted interest here. For now. We know from these latest revelations, for example, that they have ‘priority targets’. This means that at any point in the near future, any country or individual can just wake up one day and suddenly be a ‘priority target’.
But what does this entire growing obsession to nicodemously collect people’s information mean?
Just recently again, we found out about Lenovo’s screw-up with the pre-installed superfish adware that was intended to create a security hole for the purposes of spying on users for advertising purposes.
Prior to that in December last year, Google’s Executive Chairman, Eric Schmidt, surprised many people when he declared that our information was safest in Google, even though we know that this is a fib, because it is not safe from Google itself. Google’s interest in our information is comparable to that of a pedophile’s benevolence to babysit your child. The relationship most people have with Google in particular is like that of a child still living under his parents’ roof and they tell him that his room is private and he can lock it and take away the key. But the child knows that his parents have a spare key and can always get in there at any point. It is the kind of privacy akin to that of glass walls; basically non-existent. You simply cannot control privacy, when you are using a medium that you have no control over, and without privacy we have no security.
Essentially, everybody that is somebody seems to be after getting their hands onto our information, albeit for different reasons. We are at the mercy of big corporations and governments in different ways, and there seems to be a strong realization that whoever controls the data, controls the future.
The NSA and the GCHQ are both government spy agencies. All governments worth their salt have intelligence ‘arrangements’ of spying on citizens and non-citizens alike for the purposes of combatting real or perceived national security threats, fighting terrorism, or for purely selfish reasons of simply monitoring potential trouble-makers, also known as ‘persons of interest’.
So, should Zimbabwean citizens be concerned that the NSA and GCHQ might be tapping into some of their communications? Probably. But it is also important to be aware of the bigger threats existing in our own backyards.
Closer to home, a bogeyman (the Zimbabwean government), is mulling a Cyber Security bill that will, among other things, have clauses that gives it blanket powers to snoop on the communications of individuals deemed to be ‘persons of interest’.
In 2013, the government enacted Statutory Instrument 142 on the Postal and Telecommunications Regulations (Subscriber Registration), which is problematic in many ways but mainly, how it endeavors to permit security agencies to spy into people’s telecommunications in ways that infringe on the right to privacy of communication. SI 142 also notoriously compels telecoms companies to sustain central databases of subscriber information as well as disclose subscriber information upon demand by government or law enforcement agents, without any process of adjudication or judicial oversight.
Along with this, the Interception of Communications Act (ICA) – requires Internet service providers (ISPs) to install – at their own expense – some hardware and software required for the state to carry out surveillance. A 2013 research report by the Zimbabwe NGO Forum on the surveillance on human rights defenders in the country suggested that majority of the ISPs have already complied with this requirement. Needless to say, the sheer naming of the ICA Act alone is chilling.
If all these local issues aren’t scarier than the NSA or GCHQ’s interests, I don’t know what is. There are many other things happening locally around the issue of surveillance that ordinary Zimbabweans aren’t engaging with. Therefore in this context of increased surveillance, perhaps the better question becomes: what should ordinary people do?
Taking measures to protect one’s privacy should no longer be just the preserve of the super-paranoid or those that perceive themselves to be ‘persons of interest.’ Indeed a wide range of free and open source mobile security software and tools can empower individuals to protect their communication through text and voice encryption, among other things.
However the fundamental issue here is about being aware of the existing threats not just overseas but locally, and taking steps to engage accordingly. In as much as foreign interests may affect us, perhaps we should first concentrate our energies on confronting and protesting the raping of our new Constitution and our rights to privacy.
Natasha Msonza is a digital security trainer and privacy advocate. She currently works for Her Zimbabwe, a non-profit organization that advocates for gender equality and seeks to bring important commentary to women’s issues.
image via howdonkey.com
Share
Home
7 comments
“…free and open source software can protect you…” who says that in this age where Windows has backdoor for NSA all those Windows updates are sending cookies stored on your PC and monitoring you when you use the Webcam….Don’t believe it try reading a book called 1984 written way before Snowden was Born
Interesting stuff!!!!!!!!!!!!
Way behind but good that you are finally covering matters to do with the security & privacy issues post-Snowden-leaks.
Didn’t our government compel our Mobile Network Operators to install call interception capabilities at the MNOs’ own expense? You have no need to worry about GCHQ decrypting your calls when there’s a local backdoor already (unless you’re the spook who is worried about your ‘secure’ calls being “illegally” intercepted by the neo-colonizers. The rest of us are screwed).
Too true
Digital Security is a time-space phenomena. The question is never if a security breach will happen, but rather when. Technically speaking all security in digital spaces works towards reducing the risk of data loss, theft or corruption. Once information has left the security of your brain, the risk of something undesirable happening to it increases with time and/or frequency of transfer. And yes one compromise we have to make when engaging with and in digital spaces is the continuously diminishing privacy and ultimately security. In my view this is and will always be a fair trade-off.
I cannot imagine how it can be technically possible to definitively secure digital space and guarantee privacy, its like craving a shower and not want to get wet, if you want the omelette the egg just has to be broken. If Google for example was to sincerely ‘look the other way’ while handling your data then there would simply just be no Google. Data, like any other high value commodity will be found on the shelf but will mostly be traded on the black market, obtained and shared clandestinely, its contraband of the future, which everybody wants, private companies and governments alike. The sooner we get with the program the better.
Theoretically, perfect security is achievable when using Perfect Forward Secrecy – even if communication is intercepted and stored – it cannot be cracked. In reality, people attack the implementation and/or neighbouring systems – including humans. It is easier to work around cryptography than to defeat it.
So I do agree, it’s only a matter of time for security to be breached. All it takes is 1 mistake.