Nico Sell Thinks Hackers Can Be a Force for Good

Welcome to DEF CON, the largest gathering of hackers in the world. In the crowd is Nico Sell, founder and chairman of the online privacy organization, Wickr Foundation.

Sell is on a mission to change our perception of hackers. She knows that criminals hijacked the term, causing it to evoke thoughts of data leaks and identity theft. But Sell wants to show the world that hackers can be a force for good.

She believes hacking is a superpower; the most important skill set for the future of the world. And she wants to make sure those powers end up in the right hands. Sell started DEF CON Kids, now known as Rootz Asylum, to teach kids both how to hack and make sure they know the immense power their new-found talents hold. She wants to equip the next generation with the tools to thrive and protect themselves in our hyper-connected world.

Recommendations on cyber security for the 45th president… Use more hackers

The United States, the world’s most connected nation, and the rest of the world will face a deficit of 1.5 million cyber professionals over the next five years whose jobs are essential to protecting critical networks and securing personal information. Fortunately, this crisis also presents a significant opportunity.

Dear 45th President: Protect the United States by protecting the global web

If we are serious about building a long-term vision for cyber security, the defense vs. offense mindset dominating most policy conversations must be left behind. In such a complex environment where state and non-state actors deploy largely the same tools and methods to protect or attack the systems, developing an effective cyber policy requires understanding that the Web is a critical global space that is impossible to segregate to damage only criminals or foreign adversaries. From now on, rather than relying on an antiquated framing of cyber security, the focus should instead be on immunizing the Web by improving network reliability, quality of products, capabilities, and trust to ensure the long-term resilience of our economy and all internet-powered systems.

Cyber Security Recommendations for the 45th Presidency

Senator Sheldon Whitehouse (D-RI) and Representative Michael McCaul (R-TX) announced they would be introducing legislation that would consolidate federal cybersecurity operations into a single agency under the Department of Homeland Security. Representative McCaul, chair of the House Homeland Security Committee, said the bill would be one of the first pieces of legislation generated by his committee in the 115th Congress. The announcement came during a news conference in which the two lawmakers outlined the recommendations of the Cyber Policy Task Force they co-chaired at the Center for Strategic and International Studies in Washington. They were joined by a number of cybersecurity experts who worked on the task force’s recommendations, including Nico Sell of Wickr Foundation.

“Breaking Good” by teaching kids to hack at R00tz Asylum

Nico Sell & Rita Zolotova

First published by TechCrunch on August 17, 2016

The news of the DNC email hack has put the issue of securing the US election systems against foreign attacks and boosting the resilience of national critical infrastructure front and center. It has also raised the stakes for solving the shortage of cyber security professionals that can actually address these risks.

One way to widen the cyber talent pipeline is to start education early, very early in fact.

Today, most kids are avid technology users, spending countless hours on their devices, creating content and sharing deeply personal data — photos, networks and locations. Yet, very few have looked inside of a computer or had a chance to reverse-engineer an app to understand how it can be broken into, compromising its users.

r00tz Asylum, the longest running kids hacker conference taking place at the heart of DEF CON, has steadily grown to become one of the largest spaces for kids to explore cyber security, cryptography, hardware hacking among many other topics. r00tz has consistently been one of the most diverse programs in information security where girls and boys are equally supported to explore ethical hacking.

Although hacking is yet to overcome its bad rap among the general public, r00tz kids seem to be immune to its influence, embracing their newly acquired skills as superpowers that come with great ethical responsibility.

When they learn how easily the air traffic control systems can be compromised, they think of it as a personal security issue that may affect their families flying home from Las Vegas — something they now know can be solved with strong encryption and authentication protocols.

For young hackers that come to DEF CON every year, it requires no proof that without understanding how to break a system and then put it back together, it is impossible to make the tech they love and use more secure and resilient. Learning how to identify the weak points across web servers and break into designated websites teaches r00tz kids playing at this year’s pentester workstation to detect the attackers and understand their game.

Given how complex and interdependent the technology space that today’s kids will inherit has become, the r00tz mission is focused on instilling a hacker mindset rather than teaching a specific set of skills. And more than anything, the hacker mindset is about having the freedom to innovate and break things to understand how they work and how they can be made better.

Tellingly, two of the longest lines were for the junkyard and soldering stations where kids could break computers apart to see a motherboard for the first time and then (maybe) put them back together. As one of the r00tz kids explained:

“When we see a computer, we normally just see a box that works. But exploring what is inside was actually super empowering. Normally, we are never given a chance to break stuff without consequences. But that’s what helped me understand how the technology I use all the time actually works.”

Another r00tz hacker perceptively quipped: “Many kids at school don’t understand that the apps they use a million times a day are created by coders. They think it is just magically there.” Indeed, it is much easier for kids to see themselves as creators rather than only consumers of technology when they have an idea of what is under the hood of a karaoke or a photo-sharing app.

Over the past 6 years, r00tz kids have learned from world-renowned hackers who openly share their “war stories” because they strongly believe it doesn’t benefit the global community if only a handful of people have critical knowledge. This year, almost half of r00tz speakers were kids – from 9-year-old Emmett sharing his experience of setting up Capture the Flag to 16-year-old GajetGirl talking about 3D printing.

Speaking at the end of this year’s r00tz, the legendary Dan Kaminsky challenged the kids to “go ahead, break stuff, that is how I got to where I am … Understand how it really works, understand how it really breaks. But also understand that your job doesn’t stop there. We have the Net to protect — you are going to be in a position to make things better.”

Many of the r00tz kids are eager to do just that.


We Can Still See You: Why Metadata Should Not Live Forever

By Nico Sell and Rita Zolotova

Nico Sell is chairman and founder of Wickr Foundation, Wickr and r00tz Asylum. Rita Zolotova is Chief Strategy Officer and Managing Partner at Wickr Foundation, and previously worked in nuclear nonproliferation and arms control.

The global surge in encrypted traffic and a wide adoption of end-to-end encryption by mainstream tech companies is a transformative shift in information security worth celebrating. Billions of online users now enjoy default peer-to-peer security, shielding the content of web communications from prying eyes of criminals and corporate surveillance. Yet the industry continues to collect and store massive amounts of metadata associated with every digital transaction – conversation, purchase, or data transfer. These extensive historical accounts of personal or business activities live forever and are shared and analyzed outside of user control, becoming a breeding ground for the next wave of cyber risks at all levels — reputational, financial, and national security.

It Is Only Metadata, Nothing to See Here

We have been led to believe that metadata – or rather activity logs – is nothing to worry about; it’s only the content that matters. This may have been true a couple of decades ago when the frequency of digital communications between people and systems was minimal and storage prohibitively expensive. Today, metadata collection and mining has become an industry of its own – accumulating and matching information across countless databases to produce detailed records of everyone’s activities and associations. The goals range from targeting users with relevant advertising to behavioral pattern recognition to aimless harvesting of records for yet unknown future use.

Every technology and service we use – from banking to communications to transport – combined with the massive visual surveillance we encounter daily generates a historically unprecedented amount of information about our whereabouts, mapping out countless connections between people, businesses, locations, and things. In practical terms, the depth and the historic nature of metadata collection would be similar to having someone follow you around 24/7 – online or offline – recording everything you do and who you do it with, only stopping short of listening to your conversations. This is clearly contrary to the dominating public narrative – metadata alone cannot be used to infer specific sensitive details about you.

With the Internet of Things bringing billions of new devices online in the next few years – from cars to smart homes to public utilities and healthcare systems – even more metadata will be fed into the global commercial databases, adding yet another rich and often unprotected layer of information about organizations, individuals and nations.

Today’s corporate data collection, particularly of metadata, is easy and cheap, and it often occurs without meaningful user input and proper informed consent. Most people don’t know where their personal or business activity logs reside and for how long, how they are shared, what conclusions are derived from this data and how it may impact their personal lives or business prospects.

Blurring Lines Between Content & Metadata

“We kill based on metadata,” an infamous statement by the former NSA director Michael Hayden, is a reflection of the intelligence community’s understanding that activity logs have become so exhaustive that they are just as powerful in providing insight into people’s lives and minds as the content of their communications. A new study by Stanford University found “telephone metadata densely interconnected, susceptible to re-identification, and enabling highly sensitive inferences”. When metadata is used and correlated with other open source data without any restrictions, it can reveal profoundly intimate information about individuals. And, unlike the content of digital communications, it is not protected under the Fourth Amendment and can be surprisingly trivial to obtain without a warrant.

Our national policy discourse, so intensely focused on the precedence of digital content over metadata, only further exacerbates the imbalance in how private industry – from global corporations to small start-ups – treats these two types of data. Most activity logs across global databases, as massive as they are, are stored unencrypted without many safeguards to protect data against exposure, nor are they properly secured or anonymized when shared with third parties.

Collecting and storing any information, metadata included, in an unsecure way clearly fails a duty of care companies owe to their users. As a result, the global attack surface is rapidly increasing to open up individuals, organizations and government systems to vulnerabilities, leading to unauthorized collection and use of sensitive data.

Digital Toxic Waste: Why Metadata Should Not Live Forever

With no defense being 100% impenetrable, private companies, as predominant data collectors and custodians of information, need to begin thinking long-term about why and how they collect and store our activity logs. When it becomes almost impossible to secure such large data sets, they turn into hazardous waste and a cause for user distrust rather than a source of cash flow.

Think about what you can learn about a person or a company by simply looking through their activity logs across different networks – the answer is likely ‘too much.’ While some data – content or otherwise – may need to be retained for several years for compliance or other reasons, there is a lot more information that does not need to live forever. The less time the metadata lives and the fewer servers it touches, the more secure we all are against targeted criminal attacks and cyber espionage.

As information security becomes a national priority with cyber threats reaching epidemic proportions, both the tech community and policy-makers must make it significantly harder and exponentially more expensive to exploit networks and databases containing the activity logs.

Here is an easy fix: limit metadata collection to retain what is essential to your business and only for a short period of time. In addition, anonymize and encrypt the data, while adhering to the responsible information disposal processes.

So long as we keep historically detailed activity logs across services – private or public – without effective means to clear the data that is no longer needed or can be secured, encryption remains a half-measure giving only a temporary and illusory sense of security.


Security vs. Privacy: Is there still a conflict?

By Nico Sell and Anja Kaspersen

Nico Sell, Founder of Wickr Foundation and a World Economic Forum Tech Entrepreneur & Anja Kaspersen, Head of International Security, World Economic Forum

First published by The Hill on July 12, 2016

At a time of the global information security crisis, we often hear that in order to achieve stronger security against emerging threats, including terrorism and cyber attacks, we must accept less privacy. This should apply to our communications, financial transactions, and all other internet-powered activities. Many simply assume that more visibility and state control automatically translate into more safety.

Coming at it with different sets of expertise and experiences, we argue against this alleged conflict between privacy and security. And here is why.

For centuries, only a handful of states have had the resources to wreak havoc on a massive scale. Today, technology is rapidly democratizing this destructive capability. Remote cyber attacks can now target any world region, disrupting or destroying digital assets – valuable information networks and physical objects – dams, power plants, and other industrial facilities.

International criminal groups run the bot armies of billions of puppet computers, which belong to unknowing victims around the world, to attack corporate systems. Attribution is clearly no easy task when cyber vulnerabilities are involved, thus traditional state-level deterrence strategies often prove futile.

In this complex and rapidly changing security environment, many domestic and international policy-makers appear to believe that the only “defense” to counter these emerging threats is the increased control over population. In their view, the premise seems straightforward – if individuals with destructive intent are able to communicate with complete privacy, it will have a negative impact on the law enforcement’s ability to uncover wrongdoings.

Hence, the security vs. privacy narrative equates privacy with potential for criminality, and security with government access to citizens’ data.

As a result, to keep the public safe, governments scale up the surveillance techniques historically relied upon to enforce security policy. With expanding connectivity, there is no longer the time-consuming need to bug phone lines individually and have human agents read the intercepted conversations. Instead, communications can be hoovered up en masse and analyzed to search the haystack of data for patterns and anomalies that might indicate potential threats.

The key question is whether these policies are effective in reaching their stated goals in a new increasingly decentralized cyber reality?

Recent world events cast some doubt on the effectiveness of this approach. In the aftermath of the Brussels and Paris terrorist attacks, we have learned that the problem has not been the lack of information, but rather ineffective data analysis and failed international cooperation in sharing intelligence in a timely fashion. When the haystack becomes so large, the chances are authorities may miss crucial intelligence.

However, even if data analytics and intelligence sharing mechanisms could be improved, the existence of mass data collection and the ongoing push for encryption backdoors imply that it is technically possible to exploit global networks en masse without creating the attack entry points accessible to others – criminals or foreign intelligence.

Today, the increasing connectivity, advancing technology, and a proliferation of internet-powered devices make it impossible to isolate backdoors to be only useful to particular governments and their needs for investigative powers. At a time when the record numbers of high-impact data breaches are reported almost daily, any and all vulnerabilities are indeed open for exploitation to anyone who can find them – be it in consumer applications, critical infrastructure, or government networks.

With the Web being a global ecosystem, we can no longer segregate it to weaken security for only bad actors, whose possible criminal activities may pose risks to national security. Injecting vulnerabilities in commonly used protocols or services indiscriminately affects the security of everyone using these technologies.

In addition, we are not guaranteed that bad actors will not create their own encryption tools or use stronger security offered by foreign companies. According to a recent global survey of encryption products, only one third of these tools are produced in the US while two thirds are developed elsewhere, with Germany, UK, Canada, France and Sweden being the top generators of crypto tech. The report also found that 44% of over 860 encryption products available are free, and 34% are open source.

In this complex technological environment, citizens, government systems, corporations, and critical infrastructure facilities are increasingly connected and everyone’s security is dependent on the same protocols and hardware while bad actors can still access strong encryption to secure their data. Thus, compromising the integrity of global networks appears unlikely to result in much gain in intelligence capabilities. Hence, the net outcome likely becomes less security and less privacy for all.

Interestingly, the existing mass data collection programs across the world have been long surrounded by secrecy regarding their very existence and the governments’ capabilities to infiltrate information networks. Such secrecy, aside from the public perception that it is undermining the social contract at the core of democratic governance, also puts national governments at a disadvantage by limiting the critical input they may receive from their citizenry in an effort to strengthen national security.

Considering a rise of cyber threats and a dire state of security in most technologies – consumer, enterprise or industrial – and the fact that 85% of all critical infrastructure is privately owned, it appears short-sighted to not actively engage the expert community and the broader public in contributing to this critical conversation. Information security and technology experts may offer valuable insights into the latest research and innovation occurring in the private sector, which can significantly influence the effectiveness of government data collection and defense strategies.

As technology redefines security, who can credibly provide it, and where the cyber attacks might be coming from, there is an urgent need to define a new social contract for the cyber age to ensure the sustainability of an increasingly connected global economy and reduce risks to the critical infrastructure.

While it would be unrealistic to expect no state secrecy regarding intelligence activities, the important question to think through is how to ensure that effective safeguards are in place to protect against potential abuse from all parties – government and corporate actors. This requires an agile and fit-for-purpose oversight regime so it is conducted in a most responsible and secure fashion minimizing the probability of citizens’ personal data being misused or compromised.

It is clearly time to broaden the dialogue to engage all stakeholders to think through these complex technological and policy issues, including the private industry that may often be overly focused on indiscriminate collection and infinite storage of consumer data.

There are no easy answers or solutions but one thing is sure: by creating a false tension between privacy and security, the issues that are far more pressing to the safety of global communications and information networks are not being addressed. Collecting more data does not guarantee intelligence efficacy. Surveillance and other intelligence mechanisms can play a legitimate role in curbing malicious behavior online or offline, but these powers should be used sparingly and strategically.

There is a need for greater literacy about security policies’ impact, consolidating and strengthening of the norms around the collection and use of data and a more inclusive dialogue on how to address shared vulnerabilities in a new increasingly decentralized world.


Wickr Foundation announces Whistler, an encrypted app for whistleblowers

By Oliver Franklin-Wallis

Friday 27 May 2016

WIRED

Whistleblowers are under threat: whether, as Edward Snowden has argued, from Western governments, or from repressive regimes monitoring online activity to suppress dissent. This week at the Oslo Freedom Forum, the Wickr Foundation – a new nonprofit spin-off of popular encrypted messaging app Wickr – announced its first investment: Whistler, a secure app to let whistleblowers, and activists organise nonviolent protest and document human rights abuses. Whistler is the brainchild of Srdja Popović, the Serbian activist and author, and Wickr founder Nico Sell. “During the Arab Spring, everybody was talking about how the social networks were used for organising,” said Popović. “Now we are facing this reversal, because the bad guys are learning as well. They’re learning how to restrict your access to the internet, how to surveil you, how to track you down.”

Whistler, which is still in development, will have four key functions: secure messaging, reporting and file sharing, educational materials for nonviolent movements, and a panic button to erase files in case of illegal detention. “[Protesters] need to post safely and securely, so if you put a post on Facebook they don’t trace you back home. This is the first thing they will do in Thailand if you post about the military junta,” said Popović. “The second thing that’s most important is reporting. Not just images, but images with information, with metadata. You record somebody beating somebody, there will be geolocation, a timestamp.” The file sharing would allow citizen reporters to share evidence directly with media organisations, he explained.

The app will also give training in nonviolent protest techniques developed by CANVAS, Popović’s nonprofit organisation that trains and assists activists living under oppressive regimes. But arguably most vital is a panic button, to inform relatives and lawyers in case of illegal detention. “The majority of human rights abuse and violations happen in an unknown location, where lawyers and journalists cannot reach you, so speed of discovery where you are is so important,” he said. By using the panic button, Whistler will wipe its own data – but only after messaging nominated friends, family or lawyers. It will also send a location tag to help investigators track your whereabouts.

“Talking to Srdja, there were features that these activists wanted to add to Wickr – and so that was one of the reasons I founded the Wickr Foundation, so that we could work on these features on top of a secure platform,” said Sell. The Wickr Foundation hopes to release Whistler on Android later this year.

“What this does, and what Srdja’s techniques do, is they give people the confidence to be able to speak out,” said Sell. “Because they know that they have got backing, and more confidence to be brave.”


Wickr Foundation invests in Whistler

By Jonathan Shieber

Published @ TechCrunch May 23, 2016

Earlier today at the Oslo Freedom Forum, the Wickr Foundation, a nonprofit organization dedicated to private communication and uncensored information, announced its first investment in a new secure communications and education app for human rights activists and citizen reporters called Whistler.

Around the world, thousands of citizen activists have turned to the Internet and social media as tools to expose oppression and organize non-violent resistance to incredibly violent regimes.

However, many of these tools leave their users exposed to potential acts of reprisal from the very powers they seek to challenge.

Whistler aims to change that.

It’s the brainchild of Srdja Popović, a Serbian dissident and political activist, and Nico Sell, the founder of the secure messaging service Wickr and the Wickr Foundation.

The two met at the Oslo Freedom Forum, a gathering devoted to increasing communication among human rights advocates and their supporters, and began discussing how to create secure tools for activists to use in crisis situations.

The need for these kinds of secure forums is something that Popović understands all too well. As a young activist in Serbia, he founded Otpor! (Resistance!) which was instrumental in ousting the repressive Yugoslavian president Slobodan Milošević.

Harnessing his work with Otpor!, Popović founded the Center for Applied Non-Violent Action and Strategies (Canvas), a non-governmental organization that aims to educate activists in successful ways to fight authoritarian regimes — drawing heavily from Popović’s own experiences.

And Whistler, the app under development with the financial support from Sell’s Wickr Foundation, is the next step in the evolution of Canvas’ mission.

Already, the curriculum that Popović has developed with Canvas has served as a blueprint for activists in countries including Iran, Zimbabwe, Ukraine, Palestine, Belarus, Tunisia and Egypt. And the organization took its mission a step further by providing a virtual curriculum for students globally through an initiative developed in conjunction with Harvard.

Whistler brings all of that to mobile phones through an app that takes advantage of all of the phone’s features as an audio and video recording device, as well as its Internet connectivity.

Initially built for the Android operating system, Whistler will be designed with functions that allow for the easy dissemination of photos, video and audio; secure communications among activists, NGOs, and journalists locally and internationally; access to training resources on digital safety and non-violent activism; and finally a “panic button” that will alert an individual’s social network securely in the event of an arrest, detention or extreme surveillance.

The button will also act as a data shredder, and provide geo-location updates in case an activist is brought to a black site (one that’s off the grid and not officially sanctioned, but where security forces typically disappear political agitators).

“What we are talking about with Nico is trying to find out about the needs of people in oppressed societies and what technology can offer them,” says Popović of Whistler’s mission.

It turns out that while technology can offer activists a lot, it’s very much a double-edged sword — at least when it comes to publicly available tools like Facebook, Twitter, Skype and others.

Here is where Sell’s experience with security and encryption becomes vitally important.

Sell warns that the tools employed by normal civil societies are built for consumers who don’t have to deal with the problems of authoritarian censorship or surveillance. Most services collect user information to monetize their audiences, Sell’s organization warns. And governments take advantage of that openness, and the inexperience of users in oppressive regimes to target, intimidate and prosecute activists.

Hence, the need for Whistler.

“What you try to do is you want to give a built-in tool for the oppressed,” says Popović.

So, the Wickr Foundation is giving Popović the money and support to develop this built-in tool. Whistler is, in fact, a business, but one that will kick all of its revenues back into the company to make the product better.

For Srdja, perhaps the most powerful aspect of Whistler is the ability to network activists from around the globe.

“I’m more interested in how activists can learn from each other,” he said. “There aren’t so many ways where activists in the Ukraine can see a viral video from Venezuela. One of the most powerful things about this is seeing that the recipes for successful non-violent struggle are low-risk and replicable.”


The two misconceptions dominating the encryption debate

Cyber security is a massive challenge affecting everyone – start-ups, government, corporate systems and consumers, costing the global economy billions of dollars annually. Ironically, the one solution we are seriously considering – mandating encryption backdoors – will undermine the integrity of our networks, as confirmed by information security experts and the government’s own defense and intelligence officials.

For the tech industry to become more effective in making its case for strong security to the public and US policy-makers, we all need to understand and rebut two critical misconceptions currently dominating the policy debate.

“Going Dark” or Blinded by Too Much Data?

The key assumption is that law enforcement does not have enough data to combat crime and must therefore boost its capability to intercept and decrypt web communications. Let’s look into what data the government already has access to and whether it is being utilized effectively.

The majority of global networks – including Facebook, Google, Twitter, and Skype – operate with full visibility into user accounts and often their activities, rendering this data available to law enforcement with a warrant request. That includes metadata, a rich unencrypted layer in our expanding profiles – who we talk to, where and how often, where we spend time and with whom, and what our interests are.

Widespread visual surveillance – from cameras on public utility poles and transport to commercial data collectors time-stamping and geo-tagging billions of photos of license plates – supplies an exhaustive picture of our physical activity. Law enforcement has access to a historically unprecedented amount of information, capable of mapping out countless connections between people, businesses, locations, and things – sometimes with and sometimes without a warrant.

Current trends in technology are only adding to the pool of data that law enforcement can draw from. By 2020, the IoT industry will add as many as 50 billion new connected devices – from smart TVs capable of listening to ambient noise to cars equipped with GPS and voice-activated systems to toys and baby monitors with recording features. Many of these technologies operate with minimal data safeguards, expanding not only the attack surface for criminals but also real-time surveillance opportunities for law enforcement.

“Big Data” is a buzzword for a reason – the majority of tech businesses are built around collecting and analyzing data that people around the globe generate while using services. This trend is unlikely to substantially change in the near future as we add more products feeding data into global systems.

Thus, the quantity of data and information channels available to law enforcement provides ample opportunities to obtain lawful intelligence. However, as investigations following the Paris attacks have demonstrated, governments have yet to establish data analytics capabilities allowing the massive amount of data already collected to be timely and effectively analyzed in order to extract actionable intelligence.

Backdoor for Only Exceptional Circumstances

With its access to countless data streams and targeted information sources, the government is now faced with an urgent need to secure public and corporate information systems. Both are now a high target for foreign state actors and criminals alike. Following OPM and other major breaches of national networks, it became clear to many within the defense sector that maintaining the integrity of encryption is key to securing data in transit and at rest and it must become a national security priority.

However, no matter how numerous and loud the expert voices are in confirming that it is technologically impossible to limit backdoor privileges to one party without making the whole system vulnerable, some officials continue to dismiss the tech industry as uncooperative and uninventive, completely rejecting the mathematics behind strong crypto. Unfortunately, the result of this misunderstanding is a demand to force the private sector to work against public interests, which may cost us all a gravely compromised national cyber defense.

Due to the lack of security awareness, for many non-technical folks this argument remains too abstract – simply an obstacle to providing law enforcement with the backdoor access it wants. Meanwhile, a case where an intentionally built-in backdoor was possibly repurposed against US government systems is currently under investigation by the House Oversight Committee. A severe vulnerability discovered last December in ScreenOS by Juniper Networks – employed across government agencies and global corporations – may have allowed foreign hackers to infiltrate networks and decrypt traffic. As with many cyber intrusions, especially of this magnitude, it is hardly a trivial task to determine when the breach occurred, what information has been compromised and whether hackers still retain a persistent presence within the network.

A Changing Cyber Space: Security For All or For No One

When vulnerability is injected into technology used worldwide, it becomes everyone’s liability. If mandated, today’s crypto backdoor is likely to become a “ticking time bomb,” open to exploitation by foreign intelligence and criminals harvesting data and communications. With the Web being a borderless global space, intelligence needs to be targeted, expensive and therefore accessible to only the most sophisticated state actors. Otherwise, we risk weakening everyone’s security to harvest data without a cause to the detriment of our own rights, economic freedoms, and political stability.

The demand for compelled cooperation to alter technology against public interests has a powerful negative impact on the relationship between the industry and the government. It not only limits the possibility for every-day open and effective collaboration, but also creates a deep distrust at a time when cyber threats are rising, requiring all of us to work together to strengthen the security of our critical information systems.

Unless we are prepared to live with the consequences of inadvertently enabling foreign nations and hackers to exploit a government-mandated backdoor, we must shift the national dialogue to examining how law enforcement can effectively use and secure the data it already has access to. The government and the tech industry can work together to enhance national security by applying innovative technologies and data safeguards to critical networks, rather than battling over access to data which most likely will not assist lawful investigations, but will guarantee weaker security for all.


The death of sharing: 20/20 with Wickr’s Nico Sell


By Eoghan McNeill

March 10, 2016

Four years’ time. What’s the world going to look like in 2020? We’re asking people in our network just that for our new interview series 20/20.

Delete the pictures of the espresso martinis you had last weekend. Lose the snaps of your mates having a few mid-week pints. Think whether you need to tweet about whether you’re feeling the Bern or ready for Hillary. We can all guess you’re not a fan of Donald.

Whether anyone cares about what you share is debatable. Perhaps worse, it’s going out of fashion. That’s according to Nico Sell, the evangelist for keeping yourself to yourself online and co-founder of secure messaging service Wickr.

Nico takes pride in her paranoia. Look for a photograph of her without her trademark dark shades – you’ll come up short. She wears them in an effort to minimise her digital footprint. There’s less of her person online, even if it’s just her eyes. She stays away from ‘pay with your privacy’ social networks such as Facebook and Twitter. She says that posting pictures of your children online is irresponsible.

Nico has worked in online security for over 20 years. In 2012 Wickr, considered the most impenetrable platform of its kind. Forget your password and you’re locked out of your account for good. Find a vulnerability in Wickr, and Nico will pay you $100,000.

Hackers have superpowers

Nico has spent a career fighting hacking. She’s now teaching children the art with r00tz Asylum, an organization where kids aged 8-16 can learn just how easily they can be spied on through oversharing on social networks. It’s here that she can see a shift in attitude regarding how much personal information should be shared online.

#DEFCON isn't normally where u bring kids, but wait, there's #r00tz! via https://t.co/0gid2Ij8W1 #hackerfun pic.twitter.com/IVrhURA1mD

— r00tz (@r00tzasylum) September 17, 2015

r00tz Asylum teaches children how to hack so they may never be a victim of one

“I think it’s really just a trend right now in society. The generation before these kids never had the chance to publish something to the world publicly. That was a really difficult thing to do, so when they got the chance, everyone wanted to do it. The novelty is starting to wear off,” says Nico.

She says that the youth are beginning to gravitate toward more private lives and starting to value anonymity. The r00tz Asylum hackers don’t use Facebook, instead preferring anonymous Tumblr accounts. They’re not posting pictures of themselves at parties; they’re blogging about their favourite TV show.

The threat posed by over-sharing personal information online first became apparent to Nico when she received her own hacker’s education. Having spent time as a professional snowboarder in her teens, she began hanging out at hackers’ gathering DEF CON and helping founder Jeff Moss with the event. She learned just how easy it is from hackers themselves.

“I’m actually a very trusting, optimistic person, ironically. But once you’ve been educated by hackers, you can’t ever go back. As soon as you learn how easy it is to eavesdrop on cellphone calls, or break into sites like Facebook and Twitter, you can’t think the same ever again,” says Nico.

Nico owes her life philosophy to the hacker community. She recognizes that hackers are often thought of negatively by the mainstream, but says that we could all learn from them. Hacking is just a set of skills.

“I have to remind people that hacking can be used for good and bad. It’s actually one of the most powerful skills, definitely for the next four years. Hackers are the ones who have the superpowers,” she says.

Nico turned down the FBI – why can’t Apple?

It’s easy to guess whose side Nico takes in Apple v FBI. The two are locked in a legal fight to determine whether the tech firm should be compelled to help the law enforcement agency break into an iPhone. The phone was recovered at the scene of the San Bernardino attack in December 2015, and the FBI maintain information stored on it will help with their investigations.

“I would rather that the government would stand up for a strong democracy. I think it’s their job. But instead Tim Cook is having to be the national security hero in this instance,” says Nico.

The FBI made a similar request of Wickr in 2012. The agency didn’t get into specifics with Nico; they simply requested a backdoor into the app. They wanted access to the personal details of Wickr users. They were turned down.

Nico says that Wickr’s refusal to accede to the demand was influenced by her work at DEF CON, where she was shown firsthand how easily lawful intercept machines could be broken into. She realized the ease with which the code could be used for wrong.

“I told the FBI agent that I’d been taught how to break into these machines, and as soon as you understand how easily that can happen, it’s clear that a backdoor for the good guys is always a backdoor for the bad guys,” says Nico.

George Orwell missed something

Nico says that George Orwell forgot about one thing in 1984. New technologies can empower just as easily as oppress. The internet can facilitate the mass surveillance of nation states across the globe. It can equally mobilise mass social movements against such authoritarianism.

Wickr is not merely a service for those looking to maintain privacy. It’s also being used by those on the offensive. Through the Human Rights Foundation, Wickr work with dissidents committed to overthrowing Kim Jong-un. The worst dictator of our time, as Nico puts it. “North Korea will come down even sooner than we think,” she says.

Nico interviews a North Korean activist

“Surveillance and encryption are just tools. Really powerful tools. The people who can use these tools best will win. That’s why we’re really dedicated to teaching activists how to use them better than authoritarian regimes,” she says.

Nico says that social movements will be the next great weapon of the coming decade, and that for these movements to be effective, secure lines of communication are paramount. She says that Wickr is the perfect tool for those fighting totalitarian regimes across the world, and that these regimes can’t survive in the information age.

From oversharing to overthrowing, it’s all about who teaches you how to use the tools of life spent online.


Tech Community Supports Apple In Its Fight For Encryption


By Brian Barrett

WIRED

March 3, 2016

In a wide-ranging show of solidarity, dozens of Apple’s tech industry competitors and contemporaries filed amicus briefs today in support of the company’s stand against the FBI. In one instance, heavyweights including Google, Microsoft, and Facebook set aside their corporate rivalries to file jointly. Twitter, Airbnb, Ebay, Reddit, and a half dozen other Internet luminaries joined forces to file another brief.

The briefs, which argue that Apple should not be compelled to create software to help the FBI break into an iPhone that had been in possession of San Bernardino shooter Syed Farook, are meant to bolster the Cupertino company’s legal case. Intel and AT&T—yes, the same AT&T that had a secret spying pact with the NSA—filed their briefs solo. The ACLU, Access Now, and the Wickr Foundation, and a group of security experts have lent their support as well, with more companies, experts, and institutions expected to join in by the end of the Thursday deadline set by the case’s judge Sheri Pym.

While this seems like a natural cause for the technology industry to rally behind, many tech leaders were initially slow to express support for Apple in the matter. As the New York Times reports, several companies also hesitated to support Apple publicly. Some expressed concern over whether this was the right fight to pick, while others worried about public perception.

Those concerns appear to have been allayed, at least on the part of the companies who filed Thursday. Their briefs in support of Apple are unequivocal, and use language as forceful as the company’s own.


Encrypted Messaging App Co-Founder: Tim Cook Is A 'National Security Hero'

February 18, 2016

Heard on All Things Considered

NPR's Robert Siegel talks with Nico Sell, co-founder and co-chairman of Wickr, an encrypted messaging app, about Apple's fight against the FBI's order to unlock an iPhone owned by a terrorist.

 

ROBERT SIEGEL, HOST:

Here is some of what Tim Cook, the CEO of Apple, said about his company's products when I spoke to him last fall.

(SOUNDBITE OF ARCHIVED BROADCAST)

TIM COOK: Privacy is designed into the product, and security is designed in. Some of our most personal data is on the phone - our financial data, our health information, our conversations with our friends and family and coworkers. And so instead of us taking that data into Apple, we've kept data on the phone, and it's encrypted by you. You control it.

SIEGEL: But does that mean that if a clever terrorist encrypts his texts, it really doesn't matter whether the government has access to that or not?

COOK: National security always matters, obviously, but the reality is that if you have an open door in your software for the good guys, the bad guys get in there, too. We think that our customers want us to help them keep their data safe.

SIEGEL: That was last October. Now the CEO of Apple has locked horns with the government. The company is vowing to fight a court order to help the FBI unlock an iPhone that was used by a terrorist, Syed Farook, in San Bernardino, Calif., last year. When Tim Cook says privacy is designed into the product, he's expressing an idea promoted by privacy advocates, Privacy by Design. And here to talk about what that means in this case is Nico Sell, who's co-chairman and co-founder of Wickr, which is an app designed for privacy. It allows people to send encrypted messages that self-destruct after time. Welcome to the program.

NICO SELL: Thanks for having me, Robert.

SIEGEL: If you were CEO of Apple, would you comply with a court order or oppose it as long as you could?

SELL: I hope I could be as brave as Tim Cook and do the exact same thing. I think he's a national security hero right now, and more of us need to follow him.

SIEGEL: On the other hand, Wickr's stated privacy policy is to comply with subpoenas, lawful court orders.

SELL: Definitely. I'm sure that Apple's is the exact same. I mean, all of us want to comply. The problem here is there is an unprecedented ask by creating this backdoor. And this is a backdoor. It will be used for the bad guys. And by Tim Cook agreeing to not build this, he's helping protect all of us.

SIEGEL: The request to open up the San Bernardino iPhone is about the strongest case the government could make. The user of the phone is dead. He was a mass murderer. He's been linked to a group that espouses mass murderers and is said to be plotting some more. The owner of the phone was actually Farook's employer, and it says the FBI can have at it. You don't think that iPhone users, other customers would cut Apple a little slack on this one?

SELL: I think they would cut it slack, but anyone in the technology industry understands that there is absolutely no way to build this for just one phone. What the FBI is asking Apple to do is to create an amazingly strong weapon that would actually - could be used to devastate the United States and the world. Beyond national security, it's also the legal precedent they sent, what we do to innovation to drive it away from the country and all the economy.

SIEGEL: You think it could devastate the country and the world?

SELL: Yes, I do. You know, the most important lessons I've learned in my life are from hackers. And as soon as you understand how to break in and abuse one of these pieces of code, you clearly understand why this is something that we would never want to do because it endangers our security greatly.

SIEGEL: I understand the fear of the government possessing a key to unlock every iPhone. But if Apple, say, developed such a key, kept control of it, received the iPhone in question, applied this key and then sent the unlocked phone to the FBI, would such a hypothetical file pose a danger just because it existed within the corporate confines of Apple and a few people knew about it?

SELL: It would. The U.S. government and Apple are two of the very best companies in the world at security, and they've both had major breaches. And we always think about with Wickr, too - it's really, you know - we say, can we survive the black van scenario? If someone did take one of us, would we be able to change it? And the answer is no.

SIEGEL: You have said that someone claiming to be from the FBI has approached you in the past about designing a way to allow the government to retrieve information from users of Wickr, your app.

SELL: Correct.

SIEGEL: You say you declined to do that. Can you imagine circumstances - I mean, the threat of detonating a nuclear weapon, something like that - where you would say, OK, that's my line; I would, at that point, do whatever I could?

SELL: No. So I think - like I said, I think this is one of the most devastating weapons that we could ever see if you have this. I mean, if you look at Wickr, we take our job really seriously because people fighting terrorists use and depend on Wickr every day as well as activists fighting totalitarian regimes. So let's say this does take precedent and Apple does this. Then we could have the FBI and numerous other agencies in 200 other countries coming to us forcing us to change our software, which is really concerning.

SIEGEL: Nico Sell, thanks for sharing your views with us.

SELL: Thanks for having me, Robert.

SIEGEL: That's Nico Sell, co-founder and co-chair of Wickr, an encrypted messaging app.


Davos 2016: Privacy is a right, says Wickr Foundation

Davos 2016

Reuters

January 21, 2016

Messaging app Wickr promises secure communications that cannot be snooped on by anyone, including spy agencies. That’s great for anyone who wants privacy, but is it also a gift for wrongdoers? Reuters reporter Julian Satterthwaite put the question to Nico Sell, Founder of Wickr Foundation, on a trip on the Davos cable car.


How Far Are We Willing to Go to Achieve Cyber Security?


By Nico Sell and Gilman Louie

With every high-profile data breach and emerging global terrorist threat, public discourse on cyber security and encryption becomes increasingly polarized and unproductive. The recent terrorist attacks in Paris claimed by ISIS have re-launched the international encryption backdoor debate. The proponents of mandatory backdoors have continuously argued that end-to-end encryption makes it impossible for law enforcement to combat criminal activity, including terrorism. On another front, the growing threat of foreign, quasi-state attacks often attributed to Chinese, Russian and Iranian hackers compels private companies to ramp up their cyber defenses, prompting rapid adoption of strong crypto to protect commercial IP and customer data. Focusing the public dialogue on the dichotomy of these seemingly competing priorities inevitably prevents us from advancing global security, which is why it is time to directly address security challenges by first looking for a fact-based starting point we can all agree upon.

At a time of understandably heightened concerns over potential terrorist attacks around the world, many governments view control of and visibility into citizens’ communications as a key prerequisite to preventing extremism, both domestically and internationally. The only publicly discussed means to achieving such control and visibility is the so-called backdoor into encryption technology designed to protect digital communications from being listened to – by criminals or governments.

While having access on the backend of countless web networks will enable mostly unobstructed data access, the question is to what extent would this capability compromise the government’s own ability to secure its citizens?

As the Web continues to grow, it is adding an unprecedented number of devices constantly engaged in information sharing – some more sensitive than the rest, with most data still transmitted in the clear. Increased connectivity has facilitated the rapid growth of successful attacks aimed to steal valuable personal, business and government data. The only defense for data in transit is encryption, properly implemented to ensure information is only accessible by the intended recipient, not by criminals. Often unnoticed, encryption secures countless core applications – from satellite and power control systems to instant messaging, to air traffic communications, to healthcare and stock exchange transactions. It literally is the first line of defense for any information we deem sensitive or proprietary.

As a thought experiment, let’s play out the backdoor scenario to its logical end.

Tech companies developing technology for banking, medicine, the energy sector and the auto industry are now required to introduce a US government-mandated backdoor in their systems. The government is entrusted to safeguard the decryption keys that access the backdoors of information networks. Law enforcement agencies still have to obtain a warrant or perhaps a FISA court order to decrypt the information – all for national security purposes. However, unless government systems undergo a seismic overhaul of their information security, the encryption key repository will be breached sooner rather than later, as countless other national databases have been, with OPM alone leaking over 20 million of the most sensitive background check records.

Following the US or UK precedent, the Chinese government, with a different set of national security targets and interests – potentially including dissidents and foreign companies – will ask for similar access to encrypted data. Others including Russia, France, and the UK will demand the same. Most technology companies, including US-based enterprises, are global players, and will face a choice – comply with national laws to continue to operate internationally or risk losing a hard-earned share in Chinese, French and UK markets.

A capability that was sought by one or two governments as a defense against terrorist threats now becomes a liability that will be exploited by other nation states for offensive operations against US economic or national security interests. Of course, with vulnerabilities mandatorily built into security systems, criminal hacks will become even easier to carry out. To defend business IP and customer data, the private sector will be left to rely on protecting windows, garage doors and the chimney, while the backdoor into their systems is wide open to criminal breaches that are often supported by foreign national interests.

So how do we navigate our collective way out of this dead-end debate the outcome of which does not serve anyone’s interests?

It is time to shift the focus from seeking special access to serve political needs or give one nation an advantage over another to keeping the Web safe for all its beneficiaries – whether they are governments, businesses or citizens. Because when the Web is not secure, it is not secure for all.

Developing an effective global cyber security approach must therefore address technology and policy at both levels – government and private sector.

At the international policy level, the challenge lies in bringing everyone to the table to develop a set of unified rules for what we can and cannot do to advance national interests on the Web. Clearly, it will take time and commitment to truly understand the technology in question and engage in diplomatic craftsmanship. What we can do today is begin designing bilateral and multilateral agreements with our closest allies, including the private industry, to join forces to secure the global digital space. Critical to the success of this strategy is our ability to negotiate credible enforcement mechanisms for such international agreements including the recently announced cyber framework between the US and China focused on protecting intellectual property and the economy.

Building a working model for domestic and international threat information sharing is a good first step in preempting and investigating attacks that may compromise financial or other critical information systems. It requires mutually beneficial cooperation between the government and private companies whose networks may be targeted by state and non-state actors. Timely sharing of threat indicators is key to a government’s ability to effectively protect its citizens and national infrastructure, and bring certain threats to the attention of our international partners.

However, since the state has not maintained a particularly impeccable information security track record, the private industry is legitimately concerned about sharing critical data that may contain sensitive business and user information with a partner that cannot guarantee its protection. If we are serious about bringing technology companies to the table to jointly counter criminal intrusion threats, it is time for significant improvement of government security practices, including wide adoption of encryption across the board.

For its part, the private sector, including e-commerce, financial services and internet tech companies, has built unprecedented collections of information that are a rich target for criminal hackers and nation states. The cost of largely inevitable security breaches is only going to grow as more information is mined for further monetization. In the short term, we, as an industry, need to carefully assess our capability to secure data and refrain from collecting information we cannot protect.

It is in companies’ economic interest to establish a policy of transparency about data collection and innovate ways for users to opt out of information repositories that retain personally identifiable data. The idea that we all need to have greater control of our personal information is fundamental for the development of digital economy. Although potentially expensive, it must become a long-term goal for the industry to rethink our business strategies around data collection, similar to the car industry lowering emission and fuel consumption levels, which once was considered impossible.

In parallel, the same security overhaul required for government information systems is overdue across all enterprise industries. Proper protection of business assets including IP, high value communications and most importantly critical digital infrastructure will become key factors in growth and business evaluation. As the cost of cyber breaches to the global economy continues to grow, security ratings will undoubtedly play a much larger role in determining companies’ resilience and financial longevity. Audits of digital protocols and infrastructure may well become a decisive factor in determining key financial indicators and opportunities including insurance rates and long-term credit ratings for businesses and countries. Today, we all – including enterprises and governments – need to work towards establishing a set of new standards that will govern the Web as a global resource and economic engine.

Since the inception of the internet, we have come a long way in improving its security and expanding its benefits globally. Last year, around 29% of the North American web traffic, including online communications, banking and shopping transactions, was protected by encryption of various degrees of sophistication. That number has been steadily growing over the past few years, recorded at around 2.3% just two years ago.

To collectively build up the Web’s resilience to global security challenges, its various stakeholders – nation states, technology companies and citizens – have to realize that even though we may have different goals related to the internet, the means to achieve those goals are rooted in a fundamental question: how do we keep it safe? Because when the Web is safe, it is safe for all.

Nico Sell is Co-Founder of Wickr Foundation and Co-Chair and Co-Founder of Wickr Inc., a secure communications platform providing end-to-end encryption to users in over 190 countries. Sell serves as an advisor to various security start-ups including AllClear ID, Crowdstrike, and Lookout, and has helped to organize DEF CON, the largest hacker convention in the world.

Gilman Louie is Co-Founder and Partner with Alsop Louie Partners, a venture firm based in San Francisco. Gilman serves as a member of the Markle Foundation Task Force on National Security in the Information Age, serves as a member of the Technical Advisory Group for the United States Senate Select Committee on Intelligence, chairs the committee on Persistent Forecasting of Disruptive Technologies for the National Academies, and was appointed as member of the National Commission for Review of Research and Development Programs of the United States Intelligence Community.


Davos 2016: Your Digital Footprint & your Security


By Matthew J. Belvedere


Davos 2016

Matthew J. Belvedere - @Matt_Belvedere

January 20, 2016

CNBC

It's commonplace for many people nowadays to broadcast their lives on the Internet through social media platforms such as Facebook and Twitter.

But openly providing personal information online can result in identity theft, said Nico Sell, co-founder of Wickr, a smartphone app that says it provides military-grade encryption of peer-to-peer text, photo, audio and video messages.

"Think about the digital footprint that you're leaving online everyday and try minimize it in ways that are easy enough for you to do," Sell told CNBC's "Squawk Box" in an interview from the World Economic Forum in Davos, Switzerland.

In one of the most visible aspects of her own privacy measures, Sell wears sunglasses whenever cameras are around. "It's really not for facial recognition, it's more human recognition," she said. "It's amazing people from high school won't recognize me [with glasses]. I take off my sunglasses and walk around and [other] people don't recognize me."

Sell believes she's not alone in wanting to remain as anonymous as possible. She said younger teenagers generally look to protect their online presence perhaps more than their older classmates or the 20-somethings and 30-somethings who share their lives with abandon.

Wickr says it does not collect user data. As more and more people seek privacy online, Sell said, "The business model that will rule the next decade is one that is not made off of big data because big data is really hard to secure."

"I think hoarding it will cause more harm," she added, referring to sites that use personal data to sell advertising.

As an offshoot of the for-profit Wickr, Sell has created the nonprofit Wickr Foundation, which advocates for secure communications around the world.

"It's a real mistake to say privacy and security are not on the same side," Sell said, reacting to questions about whether the Wickr app provides terrorists with the ability to conduct untraceable communications.

"Those people fighting terrorists use Wickr every day," she continued. "I'm also all about protecting us from terrorists. And this is how we do it, by having secure communications."

Sell said there's no "backdoor" into Wickr's platform. "It makes both dealing with law enforcement a lot easier because we don't have anything that we could give them. It makes it a lot easier to defend from hackers."

"The more data that you have the more you have to protect," she stressed.

These kinds of discussions about navigating the evolution of the digital age are central to the theme at Davos this year, "Mastering the Fourth Industrial Revolution," as technologies blur the lines between the physical, digital, and biological spheres.


It's Time to Build the Private Web

What the US post office teaches us about privacy

George Washington could have become a king, but instead devoted his life to giving power back to the people. This is why his political heritage remains so strong today, inspiring millions around the world to continue striving for liberty and democracy. One of my favorite US presidents, Washington proved that great leaders rule by empowering the people, not by usurping the power.

In the next decade, billions of online citizens will join the web making national borders less relevant and the world more connected. Technology and the hopes it fuels have empowered millions of people across the globe to demand social and political change from some of the most oppressive governments. Yet, the same technology is being used to suppress and monitor more than half of the world’s population that still live under undemocratic regimes and lack basic rights.

The United States Postal Service was one of the most visionary civil liberties ideas of its time – deeply rooted in Washington’s belief that a strong state and society can only exist if every citizen has access to uncensored information and can freely communicate without government’s prying eyes. The Postal Act of 1792 that began the history of a modern post office established free speech and a right to private communications, going as far as imposing the death penalty for robbing mail service personnel. The newly established post office was envisioned to be the antipode of the crown post operated by the British government, which frequently opened and censored correspondence.

The same commitment to privacy and access to free, uncensored information is the reason we started Wickr. Our vision is to bring this service to billions by making strong trusted encryption incredibly easy and intuitive for personal or business use.

Today, we need to breathe new life into Washington’s idea of the post office to provide these basic rights to all 3 billion people already connected to the web, and to those who will be coming online in the next decade. We need to collectively balance our global web to ensure the internet remains a platform for free speech and uncensored information, where privacy and real human connection enable strong social discourse and economic prosperity.

I call that space the private web.

The public web has brought us incredible innovations that have improved lives and celebrated human creativity. But as we all move online, it becomes increasingly clear that the internet requires a long overdue fine-tuning, just as any complex and ever evolving system.

We, as web users, are generating millions of pieces of information about the most personal aspects of our lives on a daily basis, creating dangerous treasure troves of detailed and calibrated information.

Once in the open, we lose ownership of that information, to the point that we do not even know who is collecting it. Businesses increasingly depend on technology, becoming more and more vulnerable to critical data security breaches.

Global financial, transport and security systems are being compromised almost weekly – either through targeted attacks or as a result of poor and outdated safeguards.

To expand the benefits of the internet, we need to continue building the private web – through applications, technology, policies and norms – to power innovation, develop ideas, protect our assets and strengthen human rights for all. Although achieving privacy and universal access to free, uncensored information will always be a moving target as technology evolves, our ability to intentionally choose the right mode of communications, private or public, is a critical step towards bringing George Washington’s vision closer.

Today, it is essential to set the ground rules that will govern our networks and infrastructure systems in the future. Strong encryption is a key component of the private web. Having trusted encryption without a backdoor – for either governments or criminals – will enable us to keep out not only prying eyes of totalitarian regimes but cyber criminals as well.

A recent debate around technology backdoors has raised a critical point. Is it possible to weaken encryption in a way that would only allow access to the “good” government and never to criminals or authoritarian regimes? The answer has been a loud resounding “no” from many prominent technologists. Considering that most American internet companies are operating as global entities that must comply with local laws, we should never adopt a policy that we would not want another government to adopt and take advantage of. If the US government passes a law that requires a backdoor to operate in America, then what would stop the Chinese and Russian governments from doing the same, requiring US companies to give backdoor access to them as well?

Many questions remain regarding how exactly to achieve that vision in the hyper connected, digital world. How will the private and public web coexist? What should the standards of data collection be? How can companies that profit today from leveraging our personal and business information innovate around new business models? How do we establish trust with companies we let host our most sensitive and valuable information? How do we verify public promises companies and governments make about their data retention and usage practices? Who has the duty of care to our children’s data, our health and financial information? How do we promote encryption by default? There are many more questions we all need to consider if, as a society, we value the progress we’ve made and the rights we continue to fight so hard for, both offline and online.

The US Post Office served as a catalyst for building strong political and social discourse. For the first time, citizens were able to engage in political conversations without fear of being persecuted.

Speech is only free when we have direct control of our communications – whether public or private – without the need to self-censor or fear that a piece of communication can be used out of context many years after it was sent.

It is time to invest our energy, creativity and resources into building the web’s private hemisphere to carry on the tradition of private communications, uncensored information and ownership of our assets.


'Encryption should be a global human right, Mr Cameron'

BY NICO SELL

16 February 2015

Dear Prime Minister Cameron,

Those of us who care about privacy were shocked to hear your statements last month in support of outlawing encrypted civilian communication. To strip us of our right to keep our words and thoughts private from the government would be the ultimate victory for terrorists who seek to destroy our society.

Today in America, we are celebrating the Presidents who have led our country. Our first President and those who came with him to America had many aspirations for the country they founded. But central to their inspiration was the belief that every citizen's right to communicate freely was of greater importance than any need of government.

George Washington had his own central thesis about freedom of speech. To build a strong social system, all citizens must have these rights:

  • private communication that can be kept hidden from the government's prying eyes
  • freedom of information without government censorship

Washington learned the importance of these rights from the over-reaching British before him. This is why he founded the United States Post Office. In the United States, the First Amendment and the Fourth Amendment protect free and uncensored communication.

But, today around the world, the right to private communication that can be hidden from the government's prying eyes has become a human rights issue. Two of the articles in the United Nations Universal Declaration of Human Rights make this very case.

Article 12 argues: "No citizen should be subjected to arbitrary interference of their privacy, family, home or correspondence."

Article 19 of this same declaration states: "Everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference."

The few countries in the world that ban encryption are also the most totalitarian nation states on the planet -- Iran, Syria, Burma, Sudan and North Korea. I do not believe that is the kind of company British citizens want to keep.

I believe free and uncensored communication for every citizen is how we make a strong social system worldwide. These rights enable evolution instead of revolution. We need more technologies that let us preserve our privacy, not less. Government cannot go so far in this war on terror that citizens' very rights to life, liberty and the pursuit of happiness are sacrificed. We cannot let our fear of terrorism and its violence become an excuse for turning our back on human rights.

I urge you to join the growing chorus of those who think free and open communication without government intervention or restriction should be recognised as a global human right. Instead, you seek to make this right a crime. I would love to sit down and chat with you more about this perspective.

Please feel free to contact me anytime on Wickr. My username is *********. Better do it quick before it becomes illegal. Actually, no need to hurry. If that happens, just download Wickr through another country using a VPN to change your IP address location ;)

I hope to hear from you soon.

Respectfully,

Nico Sell