When Government is an Adversary of IT Security

When the government works to undermine good data privacy practices, all our security is undermined.

Never Share Your Password.

Those four words fall into place for me like stone bricks — a system administrator’s mantra. In an ideal world, IT doesn’t know your password, and encourages you to never share it with anyone. Never Ever Share Your Password, intones an article on NC State University’s IT website. “Sharing your World of Warcraft account can compromise its security!” players are warned as they log into the game. “We’ll never send you messages asking you to provide us with your login information,” says your bank.

This is decades of IT security culture in action — a valiant attempt by sysadmins to inoculate their users against ransomware attacks, bank fraud, or even someone using their co-worker’s workstation to do something nasty. The message doesn’t always take (users still get tricked from time to time) but whenever I hear someone respond, “But they tell you not to share your password?” I feel a warm glow in my chest.

Unfortunately, it increasingly feels that governments and law enforcement are working against IT security best practices to advance an agenda of mass surveillance.

This year, U.S. Customs and Border Protection (CBP) has begun demanding that users hand over their device passcodes and social media passwords. This effort thus far has, somewhat predictably, focused on persons perceived as being of middle-eastern origin, as well as certain journalists. The issue came to a crescendo when a NASA scientist returning from an engineering competition abroad was forced to hand over the passcode to his work phone, potentially putting sensitive data from the Jet Propulsion Laboratory into the hands of border officials. 

Of course, all of this has troubling privacy and civil liberties implications, but as a sysadmin, I’m also professionally annoyed that governments are trying to undo the user-grooming that IT professionals have worked so hard to cultivate. Users should hesitate whenever someone asks for their password, rather than naturally acquiescing to perceived authority. 

Furthermore, this issue dovetails (horrifically) with law enforcement and governments’ strident campaign against encryption technologies. Law enforcement frequently complains about encryption being a barrier to lawful search. That’s a somewhat dubious claim, but the plainest fact is that encryption is the best tool IT has for keeping systems secure and users safe. As a technology, encryption either works properly or it doesn’t. The magical unicorn of “encryption that stops working when a policeman holds up a badge” simply isn’t feasible in reality. 

In a world where users are increasingly the victims of hacks and scams, compromising users’ security and reinforcing bad habits is movement in the wrong direction. In the long run, cannibalizing the public’s digital security and privacy in the name of public safety will be zero-sum progress.

For those who want to learn more about this issue, both Wired and Vice: Motherboard have more information on traversing customs without sacrificing your digital privacy.

Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca