Facebook Messenger is not the privacy threat you should be concerned about

Many people are focused on the permissions they give Facebook when they install Facebook Messenger and are concerned that they are giving Facebook excessive access to their devices. This isn’t necessarily the case and this growing panic may be more a function of how Android permissions have to be obtained than a real privacy threat which many have read into those permissions.

I found myself listening to a discussion on 94.7 this morning about Facebook Messenger. The breakfast team was talking about these permissions that have attracted so much attention as if installing Messenger instantly compromises users and leaves them exposed to all sorts of privacy invasions when microphones and cameras turn on at someone else’s behest.

The panic level rose a few more notches when the breakfast team received a call from an anonymous listener who told the team that part of his work involves remotely accessing people’s devices (presumably part of lawful investigations) and exploiting these sorts of permissions. It wouldn’t be unreasonable to draw the conclusion that giving Facebook these permissions to access your phone’s microphone, camera and other features somehow makes all of those features available to anyone wishing to exploit that level of access and spy on you.

Fortunately it isn’t as simple as that. Leaving aside the risk that Facebook, itself, grants access to your devices to 3rd parties without your knowledge or that its apps have vulnerabilities which are not patched and are exploited by unscrupulous 3rd parties, Facebook isn’t the threat. I spoke to Liron Segev, an IT Consultant and one of the first people I think about when I need some help with the technical aspects of IT security. He explained that the threats to consumers come from various sources and that poor security awareness on consumers’ part is a contributing factor.

To begin with, it is possible for a 3rd party developer to introduce apps to app stores that appear to have a particular functionality but, below the surface, these apps will scan installed apps on your device, attempt to impersonate or even supplant those apps and exploit the access permissions you gave to the legitimate app. These trojan apps would then take advantage of the sorts of permissions you grant Facebook Messenger to access your device microphone, camera and other features. Avoiding this risk largely comes down to only installing apps you trust and how well the app marketplace is regulated and protected from this sort of malware. More and more security experts recommend installing anti-virus software on your mobile devices to help protect you from these sorts of attacks.

A hidden threat few people outside the security industry are aware of comes from the mobile networks we use every day. Mobile networks have the technical ability to gather data from our devices and even remotely install applications without us being aware of this in order to use that data and access to our devices’ features for a variety of reasons ranging from network performance management to remote surveillance and law enforcement. On the one hand, there are good reasons for networks and governments to have the capability to monitor criminal threats (for example, the somewhat misunderstood capability Google has to monitor Gmail for child porn using an existing database of problematic images). We live in a world where the bad people use advanced encryption and digital tools to plan and conceal their activities. On the other hand, there is also scope for governments and companies to use these capabilities to spy on citizens, infringe their rights and exploit their personal information for profit. As I mentioned in my htxt.africa article “Much ado about Facebook Messenger privacy settings, but is it nothing?” –

Whether you use Messenger should be informed by the extent to which you trust Facebook, not by the very explicit and informative permissions Facebook seeks from you in order to use Messenger. If anything, Facebook is just proving that it has come to a long overdue realisation that there is no benefit in deceiving users.

It is possible that Facebook may turn on your phone’s camera and microphone while you are getting dressed in the morning but highly unlikely. What is more likely is that Facebook requires those permissions to enable Messenger to do what you want and expect it to do. That said, you can’t be complacent and install every app on your device that seems amusing. Take the time to satisfy yourself that the app is from a credible source and look into anti-malware software for your devices. As for mobile networks and governments, there is little you can do except reconsider your device choices if you are concerned about this. Segev pointed out that Blackberry devices are still secure options and Blackberry 10.x is a flexible option even if it isn’t popular media’s darling.

Wanting privacy shouldn’t be conflated with having something to hide

Memeburn has a good article titled “Privacy is worth protecting, even if you have nothing to hide” which is a great reminder that privacy isn’t about having something to hide. There are many valid reasons to insist that your right to privacy be respected:

The reason most often given for failing to consider digital privacy in our day-to-day lives is that, if we have nothing to hide, there’s no need to. Others, meanwhile, take the line of thinking proffered by those institutions caught eavesdropping and argue that monitoring metadata alone — information about, for example, which telephone number you called when and for how long, rather than the content of the call itself — doesn’t amount to an infringement of privacy.

Both of these arguments are fundamentally flawed. Wanting privacy shouldn’t be conflated with having something to hide. There are plenty of legitimate reasons for people to want to keep certain things private – from their religious or political affiliation to their sexual orientation or drunken photos they’d rather family or employers (current or potential) didn’t see. For political dissidents living under repressive regimes, meanwhile, privacy can be a matter of life or death.

Here are two other perspectives:

NSA spying negates attorney-client privilege

Revelations about US and UK intelligence agencies’ global Internet surveillance campaigns have highlighted the need for lawyers to take further steps to secure client data using more robust encryption technologies.

To say recent revelations about the US National Security Agency’s global surveillance campaign are unsettling is an understatement. While we are still coming to terms with the extent of the surveillance we have all been subject to, a few things are pretty clear:

  • The NSA has been collecting both the metadata relating to our digital communications as well as their content (the US government has maintained that it does not collect the content of US citizens’ communications but that has been challenged).
  • Internet services we rely on are not immune to the NSA’s campaign. On the contrary, their data is being accessed, either directly or indirectly, and stored for future reference in case they do something illegal or problematic in the future.

You may think that if you don’t rely on the larger Web service providers (apparently with the exception of Twitter which, as I understand it, refuses to co-operate with the NSA) you are immune from scrutiny, but that is a fallacy. The NSA has basically tied itself into the Internet’s backbone and monitors all traffic passing through the routers and infrastructure it can see. What this means is that if the data you send or receive passes through any of the Web services that have been co-opted by the NSA under the USA’s secrecy laws, or through the very Internet infrastructure the NSA is monitoring, your data is exposed to the NSA’s scrutiny.

What we don’t know is just how the NSA analyses the data and to what extent. Certainly as non-US citizens, we are being targeted and all our communications are potentially being captured and stored for analysis. The Guardian has also reported that this isn’t limited to the NSA. The British GCHQ (the equivalent of the NSA) is also monitoring data passing through the UK. We already know that the South African government has the mechanisms in place to monitor our communications through legislation like the Regulation of Interception of Communications and Provision of Communication-related Information Act which essentially mandates storage of users’ identities and their mobile device data. It is conceivable that our government’s programs are more extensive. The NSA’s and GCHQ’s programs certainly seem to grant other nations implicit permission to run similar programs.

Aside from the dramatic erosion of privacy, one significant concern is how these programs impact legal professional privilege (which incorporates attorney-client privilege). The Electronic Freedom Foundation recently published a detailed review of what has come to light about the NSA’s surveillance programs and dealt specifically with attorney-client privilege:

Attorney-Client Privilege Means Nothing

The attorney-client privilege is a long-standing feature of American law, one of the oldest and most cherished privileges throughout the ages. As one court explained, the cornerstone of the privilege is “that one who seeks advice or aid from a lawyer should be completely free of any fear that his secrets will be uncovered.”

The NSA document shows they cut through this privilege like a hot knife through butter. The NSA only has to stop looking at the communication if the person is known to be under criminal indictment in the United States and communicating with her attorney for that particular matter.

This remarkably myopic view of the privilege means communications between attorneys and clients in many cases will be unduly spied on. This is exactly what the ACLU was worried about when they challenged the constitutionality of the FISA Amendments Act. They alleged that attorneys working with clients overseas had an ethical obligation not to electronically communicate with them because the NSA was likely able to read their emails. While the Supreme Court dismissed their suit for lack of standing, these documents, at least in part, confirm their fears.

This could also mean any attorney-client communications with someone like Julian Assange of WikiLeaks, who has never been publicly acknowledged as indicted in the U.S., would be fair game.

Even where the privilege applies, the NSA does not destroy the information. The privileged nature is noted in the log, to “protect it” from use in criminal prosecutions, but the NSA is free to retain and use the information for other purposes. No limits on other uses, so long as the NSA General Counsel approves. This is a complete perversion of the attorney-client privilege. The privilege is designed to allow free communication of attorneys and those who they represent, so the client can get good counsel without hiding the truth from his attorney. It is not simply about preventing that communication from being used as evidence in a criminal case.

Legal professional privilege, at least in our law, is actually the client’s privilege that binds the client’s lawyers and protects communications between the client and his or her lawyers from disclosure. The Constitutional Court dealt with the legal professional privilege at common law (the Court wasn’t asked to consider privilege as a Constitutional right) in the 2008 Thint (Pty) Ltd v National Director of Public Prosecutions and Others, Zuma and Another v National Director of Public Prosecutions and Others case:

The right to legal professional privilege is a general rule of our common law which states that communications between a legal advisor and his or her client are protected from disclosure, provided that certain requirements are met. The rationale of this right has changed over time. It is now generally accepted that these communications should be protected in order to facilitate the proper functioning of an adversarial system of justice, because it encourages full and frank disclosure between advisors and clients. This, in turn, promotes fairness in litigation. In the context of criminal proceedings, moreover, the right to have privileged communications with a lawyer protected is necessary to uphold the right to a fair trial in terms of section 35 of the Constitution, and for that reason it is to be taken very seriously indeed.

Accordingly, privileged materials may not be admitted as evidence without consent. Nor may they be seized under a search warrant. They need not be disclosed during the discovery process. The person in whom the right vests may not be obliged to testify about the content of the privileged material. It should, however, be emphasised that the common-law right to legal professional privilege must be claimed by the right-holder or by the right-holder’s legal representative. The right is not absolute; it may, depending upon the facts of a specific case, be outweighed by countervailing considerations.

The general principle that lawyers not disclose (or permit to be disclosed) confidential information is practically universally accepted as an essential component of legal professional privilege (or its equivalents in various jurisdictions). The Law Society of South Africa’s Information Security Guidelines quotes what appears to be an early version of the International Bar Association’s International Code of Ethics governing lawyers’ conduct as an example of the expectations of lawyers. Rule 4, in particular, states the following:

Rule 4. All communications between attorney and client relating to the subject matter of the lawyer’s representation are privileged and may not be disclosed without the client’s express or implicit permission, except to the extent they relate to future conduct that may be criminal or fraudulent. In-house attorneys are included within the scope of this Rule.

Rule 6 goes on to state the following:

Rule 6. Lawyers should never disclose, unless lawfully ordered to do so by a proper Court with jurisdiction or as required by Statute or in a lawsuit with the client, what has been communicated to them in their capacity as lawyers even after they have ceased to be the client’s counsel. This duty extends to their partners, to junior lawyers assisting them and to their employees.

Complying with information security requirements generally involves exercising due diligence in assessing a service’s security features and taking reasonable steps to secure client data. Storing client data on a centrally located server within a firm’s offices may be relatively secure from the perspective that the server may not be susceptible to scrutiny from external parties, but the days of an offline server as an effective resource are likely over as lawyers are increasingly expected to work flexibly and remotely. It also isn’t always feasible to manage servers and their security requirements in-house, particularly for smaller firms, so lawyers look to cloud services for flexible, hosted and secure solutions.

In a time when foreign agencies weren’t conducting indiscriminate and pervasive surveillance campaigns (you have to wonder when there was such a time, in retrospect), it was probably sufficient to ensure that the cloud service had adequate encryption (both for data being transmitted as well as being stored) and sufficient physical access control policies to protect the data from foreseeable attacks. That doesn’t seem to be enough anymore and lawyers are going to have to beef up their security protocols to meet their ethical and legal confidentiality requirements.

What this likely means is that lawyers are going to need to seriously consider implementing encryption technologies for email and their cloud services. The NSA whistleblower, Edward Snowden, seems to think that making use of encryption is adequate protection, provided it is properly implemented:

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

What this means is that lawyers have to consider their email communications (and data transmission and storage, generally) holistically. Encrypting email requires that recipients also make use of encryption tools to be able to decrypt the email, and clients will also need to make more consistent use of these tools to communicate securely with their lawyers.

Another implication of the NSA/GCHQ revelations is that services which are subject to government surveillance and access are probably not satisfactory options for lawyers anymore, at least not without modification. It seems that lawyers are going to have to integrate data security practices into their day-to-day workflows and take steps to educate their clients about the need to do likewise. Both parties should begin encrypting (or, at least, digitally signing) their communications to prevent (or, in the case of digitally signed communications, detect) interceptions and unauthorised data access. Ars Technica has a pretty good guide to popular email encryption options for Mac, Windows and Linux users. This is not a quick fix. It requires a pretty extensive review of how you approach email, but we, the legal profession, just don’t seem to have much choice.

The irony is that encrypting your data makes you a bigger target for the NSA. As the EFF points out –

More appallingly, the NSA is allowed to hold onto communications solely because you use encryption. Whether the communication is domestic or foreign, the NSA will hang on to the encrypted message forever, or at least until it is decrypted. And then at least five more years.

The benefit of encrypting your data is that good encryption (presumably) takes considerably more resources to crack and affords clients far better protection of their data. It also means lawyers are more capable of complying with their obligations to protect their clients’ privilege.

Our digital world has been shaken to its core and, as legal professionals, we have little choice but to adapt and take data security more seriously. That means rethinking how we communicate with our clients and which services we use to do that. It also means we have to begin sooner rather than later. Each email or file uploaded to a cloud service is more data exposed to scrutiny by agencies that seem to have little regard for legal professional privilege or privacy.

Update (2013-06-24): It’s also worth reading this CNet article titled “How Web mail providers leave door open for NSA surveillance” for perspective on what some of the major Web mail providers are doing (or not) to secure your emails. It turns out that Google is doing more than most.