Kyle Rankin

Chief Security Officer
PGP ID: 0xBD83B92B2F4BFD99
Fingerprint: 7B85 0961 8D82 0DF6 39241BB6 BD83 B92B 2F4B FD99

This has been a good week for keynotes about privacy and human rights, and a bad week for companies who make the bulk of their revenue by collecting and exploiting user data.

First, on Monday, October 22nd, Purism’s CEO Todd Weaver spoke at All Things Open on “The Future of Computing and Why You Should Care” where he highlighted how the drive for greater profits in big tech companies has led to a present where people’s rights are ignored while their data is captured and exploited. In this talk Todd introduced the idea of five fundamental digital rights critical to protect the future of computing:

  1. Right to Change Providers: If a person wants to change a service provider, they can easily move to another (Decentralized Services).
  2. Right to Protect Personal Data: A person owns and controls their own master keys to encrypt all data and communication, nobody else (User-controlled Encryption).
  3. Right to Verify: Society has the freedom to inspect the source of all software used, and can run it as they wish, for any purpose (Software Freedom).
  4. Right to be Forgotten: A service provider only stores the minimal personal data necessary to provide the service. Once the data is no longer required, it is deleted (Minimal Data Retention).
  5. Right to Access: A person must not be discriminated against nor forced to agree to any terms and conditions before accessing a service (Personal Liberty).

Then on Wednesday, October 24th, Apple’s CEO Tim Cook spoke at the International Conference of Data Protection and Privacy Commissioners, where he came out in favor of GDPR legislation and privacy as a human right and against what he termed the “data industrial complex.” In the talk he laid out four principles of his own:

  1. Companies should challenge themselves to de-identify customer data or not collect that data in the first place.
  2. Users should always know what data is being collected from them and what it’s being collected for. This is the only way to empower users to decide what collection is legitimate and what isn’t. Anything less is a sham.
  3. Companies should recognize that data belongs to users and we should make it easy for people to get a copy of their personal data, as well as correct and delete it.
  4. Everyone has a right to the security of their data. Security is at the heart of all data privacy and privacy rights.

Apple is Right about Privacy

First, we’d like to applaud Apple for joining Purism and other companies in speaking out in favor of user privacy and against the unethical data collection practices that fund so many tech companies. Having a high-profile company speak about privacy as a human right helps bring further awareness of these issues and puts even more pressure on big tech companies to change their practices. As more people become aware of these issues, they hopefully will feel empowered to make decisions about what companies they want to support and what technology they want to use based on who best respects their rights.

The advent of the Internet as a universal medium for sharing information, combined with an always-on and connected computer everyone carries with them and the prevalence of voice-operated computers in every home, means that the steady stream of data every individual sends to big tech companies is enormous and hard to wrap your head around. It’s even harder for the average person to figure out just how that data is being used and abused. Yet when you look at the revenues for these big tech companies you can see one thing: this data is valuable. The data is so valuable, in fact, that there’s no real incentive for these companies to change their practices on their own.

If you look at the four principles Tim Cook laid out, the first three largely can be summarized by Todd’s “Right to be Forgotten” digital right. Indeed, the way that the tech industry operates today means that people are not in control of their own data. Big tech companies capture as much data as they can and are continually coming up with new ways to capture more in the name of providing you more targeted advertising.

Apple is Wrong about Freedom

It’s in Tim Cook’s fourth principle that Purism and Apple seem to see eye to eye (and on the surface we do), but when you dig into the principle our paths start to diverge. Compare these two statements:

  • Purism: Right to Protect Personal Data: A person owns and controls their own master keys to encrypt all data and communication, nobody else (User-controlled Encryption).
  • Apple: Everyone has a right to the security of their data. Security is at the heart of all data privacy and privacy rights.

We agree with Apple that security is at the heart of all data privacy and privacy rights. Where we disagree is in who holds the keys. Your data isn’t truly private or secure if someone else holds the keys. It’s true that Apple goes to great lengths to lock down their devices from attackers, but as with Google and other proprietary vendors, those locks also lock you out. These devices tightly restrict what applications can run on them in the name of security, but that restriction conveniently also means that everyone has to get the vendor’s permission to install their software.

More importantly, these locks mean that you don’t have freedom or control. In fact, some device vendors are paid to install applications by default that you aren’t allowed to remove. You only have to look at the underground market of sketchy software that promises to “root” your phone to see the lengths that people have to go to so they can try to wrench control of their hardware back from vendors.

This isn’t just a hypothetical argument about freedom. Apple’s decision to hold all the keys to their hardware has real world impacts on freedom and human rights. Alex Stamos (Stanford professor, previously Chief Security Officer at Facebook) gives a great example of the real world impacts these locks can have:

I agree with almost everything Tim Cook said in his privacy speech today, which is why it is so sad to see the media credulously covering his statements without the context of Apple’s actions in China. The missing context? Apple uses hardware-rooted DRM to deny Chinese users the ability to install the VPN and E2E messaging apps that would allow them to avoid pervasive censorship and surveillance. Apple moved iCloud data into a PRC-controlled joint venture with unclear impacts.

Real Privacy Depends on Freedom

We agree that privacy is a human right, but you shouldn’t have to exchange your freedom for your privacy. We believe that freedom is essential to security and privacy, and any solution that aims to secure your privacy must also protect your freedom. This means avoiding software solutions that restrict what you can do with your own devices and building security solutions that ensure that you hold the keys. Removing the freedom to control your own hardware and software, even if it’s in the name of security (but more likely for vendor lock-in), is not enough to protect your rights.