Cybersecurity symposium and messenger apps


In addition to social media (Facebook, Instagram and Twitter), the many apps now available on your smartphone include encrypted messenger apps like Viber, WhatsApp, Telecom and Signal for Android. Apple obviously has their iMessage. Picture: nandbox.com/messenger

Earlier this week I was privileged to be invited to speak at the Fiji National University (FNU) cybersecurity symposium out at the new multipurpose theatre/centre opened just last week in Nasinu.

It was great to be able to exchange information. The new FNU vice-chancellor, the director IT services (a former colleague from my Telecom Fiji days) and the chief guest, the acting permanent secretary for Communications, were all very much on board with the theme and the general consensus that cybersecurity, critical infrastructure and cyber capacity building in Fiji and the Pacific need to be stepped up a level.

I no longer feel like a pariah (or not) or lone voice in the wilderness.

I’m always optimistic that following up closely on these initiatives is a great step towards much-needed constructive development in this area.

Incidentally, I got a lot of questions, offline and outside the centre, on the upcoming election next month.

While apolitical (or nonpolitical) due to my cybersecurity work with many organisations in private sector and government (Fiji and the region), I was able to clarify that public opinion based on social media and other websites is not specifically controlled by government or other political parties outside of what may be officially reported in the media and from the Fijian Elections Office (FEO).

In fact, I referred all queries to the FEO as the official authority on voter registration, electronic counting and, officially, all election matters when results are announced etc.

While some questions and debate over coffee were interesting, I do not speculate on the many issues that require a personal opinion, which I prefer to keep private.

Further to social media (Facebook, Instagram and Twitter), the many apps now available on your smartphone include encrypted messenger apps like Viber, WhatsApp, Telecom and Signal for Android. Apple obviously has their iMessage. TheVerge.com recently interviewed Meredith Whittaker, current president of Signal, the popular messaging app that offers encrypted communication, and I have picked out some valid points from that interview.

She was an AI researcher at Google and one of the organisers of the Google walkout, during which 20,000 employees protested the company’s handling of sexual misconduct.

Meredith also protested the company’s work on military contracts before leaving in 2019. Messaging apps – especially encrypted messaging apps – are a complicated business.

Governments around the world really dislike encrypted messaging and often push companies to put in backdoors for surveillance and law enforcement because criminals use encrypted messaging for all sorts of, well, criminal activities.

But there’s no half step to breaking encryption, so companies like Signal often find themselves in the difficult position of refusing to help governments.

You might recall that Apple has often refused to help governments break into iPhones, for example.

Currently Signal is one of the most widely used, truly private messaging apps on the market. It’s used by millions and millions of people globally, and for people who use Signal, it may feel similar to other messaging apps.

You open it, you send a meme, you get party directions, and you close it when you’re done talking to your friends. But below the surface, Signal is very different. It is truly private.

The difference – the Signal Messenger LLC is under a nonprofit umbrella and the foundation exists solely to support the messaging app.

So in simple terms, we can think of Signal as a non-profit. This means they are not structurally incentivised to prioritise profit and growth over a core mission of service.

Incidentally, WhatsApp uses the Signal encryption protocol, which is open source, to provide encryption for its messages.

That was absolutely a visionary choice that Brian and his team led back in the day – and big props to them for doing that.

But you can’t just look at that and then stop at message protection. WhatsApp does not protect metadata the way that Signal does.

Signal knows nothing about who you are. It doesn’t have your profile information and it has introduced group encryption protections.

WhatsApp, on the other hand, collects the information about your profile, your profile photo, who is talking to whom, who is a group member.

That is powerful metadata. It is particularly powerful – and this is where we have to back out into a structural argument – when the company collecting that data is also owned by Meta/Facebook.

Facebook has a huge amount, just incredible volumes, of intimate information about billions of people across the globe! It is not trivial to point out that WhatsApp metadata could easily be joined with Facebook data, and that it could easily reveal extremely intimate information about people.

The choice to remove or enhance the encryption protocols is still in the hands of Facebook. It’s this desire, particularly by state and state sponsored cyber actors, to break encryption for their purposes, without understanding that that breaks it fundamentally across the board.

This may sound a little bit dated, but there is no compromising with math. If encryption is broken, it is broken.

Apple’s solution to this problem – because China for example is a gigantic market for Apple and its devices – is to say iMessage is encrypted, but then allow a state-operated company to actually run the iCloud data centers in China.

They have threaded the needle in a way that allows them to claim the thing they want to claim, even though the Chinese government holds the encryption keys. “But what if hackers did it?”

I think that question is compelling and is often very emotionally charged.

The truth remains, however, that you cannot provide a service that truly protects the privacy of good actors – many of whom often have a lot less power than the people they are not wanting to be surveilled and tracked by – while opening up that service to allow surveillance of bad actors.

There is no easy response or compromise without breaking some other issue like privacy relating to basic human rights.

When you have a company like Apple, it is very unclear if the US government or another state could mandate scanning for just a little extra through some national security letter or another mechanism. It is an extremely dangerous, slippery slope that is right at the nexus of state corporate surveillance.

These techniques, whatever you call them, need to be understood as backdoors into privacy and encryption.

A company and messenger app like Signal has absolutely no plans to scan anyone’s messages to decide which messages are OK or not.

That is the general stance there. Just by way of comparison, there is a stat I have thrown around. WhatsApp has over 1000 engineers – and that is just their engineering team. If you added support, policy, et cetera, you are looking at many thousands of people just sustaining WhatsApp. That is not Meta.

Telegram has somewhere around 500 employees, so that is fairly big. Signal is 40 people. That is 40 people maintaining an app across three clients.

It’s hard, thankless, focussed work. Incidentally, if you didn’t know, SMS (or basic texting) gives your messages in plain text to your telecom provider.

That is the opposite of the mission of encrypted messenger apps like Signal. Note: this has been a feature that has been in the Android clients for almost a decade at this point.

And in that decade, a lot has changed. SMS has always been insecure, but SMS basically gives your messages in plain text to your telecom provider.

So that is the opposite of Signal’s stance and Signal’s mission and frankly this was confusing to people. People didn’t realise the difference between SMS and a Signal message.

And this can be existentially dangerous for some people who are using Signal in some high-risk situations, especially in authoritarian states.

For an app controlled by Google, it is pretty easy to join that metadata with a lot of the other wildly intimate and personal data that Google has and make conclusions about people.

Be aware and careful of the social media and Messenger Apps that you use, especially when voicing out personal and private opinions that you may want to keep private.

Some great rugby this weekend and good luck to all the Fiji teams participating in all codes! Go Fiji Go! God bless and stay safe in both digital and physical worlds this weekend.

• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
