Today I‘m wearing my tinfoil paranoid hat!
I think a lot about privacy, and I think a lot about privacy while traveling, in particular what happens to our data when we are traveling and using cloud services such as Dropbox, Google Drive, iCloud or Facebook. I'm also going to make two assumptions, that are questionable:
- Everything can be decrypted, and as time goes on cost of decryption is cheaper.
- Product should think about security and privacy, and not rely on people using add-on features i.e. customers don't have to install Virtual Private Network on their own, if VPN is needed, it should be bundled with app.
Now let's imagine Alice, she is business development consultant, she uses Dropbox to sync her files between her work computer, laptop and tablet and she is about to go to Berlin and later to Hong Kong from London.
When Alice opens her laptop in Berlin, her Dropbox will start syncing and German government will have an eye into some bits and pieces of her information, later in Hong Kong same will happen again. Generally Alice will be sharing bits and pieces of her information with various governments every time her laptop is connected to internet and active because all popular and affordable cloud file storage systems to my knowlege will do it.
Let‘s take Robert, who is in a process of traveling around North America and Europe to fund raise. He‘s using Wunderlist cloud based to-do app, and LastPass - password messanger, iCloud and Evernote.
As he travels from United States to Canada, from Canada to United Kingdom and then to France and Russia he constantly updates his Wunderlist, sometimes updates passwords in LastPass and journals in Evernote and updates contacts on his iPhone. All his data whie encrypted will fall out in all the countries he has visited.
Here is what happens to data as we use our apps and websites:
- Data leaves your app, and goes to Device‘s OS.
- From OS it goes to local network, such as home, office, cafe or hotel WiFi.
- It goes to Internet Provider, and we can assume that various government agencies have ways of obtaining this information.
- It goes from government to government as data travels from country you are now, to the country data center located.
I mean it's not that bad, thanks to global efforts among information secuirty community over past dozen years all respected services are encrypted. But encryption is not panacea, and as time goes on decryption (i.e. breaking encryption) will be easier and easier.
Unfortunately I don't have a good solution. There are few ideas I would like to throw around though, I'm going to use LastPass as an example, because leakage of passwords can be catastrophic.
- If LastPass detects that it's on insecure network such as free cafe wifi or hotel it should pause syncing, and notify customer.
- If LastPass detects that it's in other country, it should attempt to use local wifi syncing. Ideally it would create wifi from Mobile phone or laptop and sync between them without connecting to third party.
- Software should be able to work in offline mode for extended period of time, and reconcile differences once in safe harbour.
This topic is near and dear to me, because side project of mine is cloud based GTD app, and I think one can learn a lot about my potential customers if they learn their detailed planned actions for next few months.