"If privacy is important to you, don't trust tech companies": An audience with security expert Graham Cluley

"The Internet is fabulous," Graham Cluley says. "But we have this new enemy – government. What they're doing? If we were doing it, it would be illegal."

And so began my chat with the security guru, until recently an anchorman of the Sophos Naked Security blog but now a man of his own destiny.

Fresh off the burner from his main stage speaking slot at Web Summit 2013, Cluley was in typically combative form. Opining on all things security, he drew particular attention to personal privacy, an issue that recently hit the catwalk courtesy of Edward Snowden's NSA leaks. More specifically, he had firm words for Western governments seemingly operating outside of the normal legal framework.

"If China had done this, there would be the most enormous diplomatic incident. Three years ago, China was accused of hacking into Google's servers, and the [US] State Department was waving a finger and demanding answers. It turns out the Americans were doing something worse," he told us.

Cluley added: "There should be appropriate oversight to make sure that law enforcement aren't overstepping the mark. On the surveillance side of things, there's been too much done. Without the knowledge of ministers and Prime Ministers and Presidents? So far, we only know what's been leaked – who knows what else is going on? There's a lot of cooperation between Google and Yahoo with law enforcement in the US but it looks like that wasn't enough to satisfy the spying services in America. They didn't want the encumbrance of going through legal processes."

It becomes increasingly clear that the tension between personal privacy and the government's desire to safeguard its citizens is a major pain point for the technology industry. Unfortunately, there isn't a quick-fix solution. But, according to Cluley, there are a couple of simple things individuals - and the tech world as a whole - can do to help deflect unwanted attention.

"One is open source software. Any flaws can be found, you can run the software yourself, and you can run a server under your own country's legal system. The other is to turn your back on these services. If you used an Irish equivalent of Dropbox, at least you have the power of vote. You can kick out the government, demand that the government does something. There's nothing we can do as Europeans to change US operations."

"The other thing is for us to become more privacy conscious. Any time you copy something into Dropbox? Encrypt it first. Start using OpenPGP on your email. Any time you encrypt something, even though the NSA has the right to store encrypted communications, at least it makes it harder."

Unfortunately, the initial public furore surrounding the PRISM scandal has subtly eroded, and we risk returning to a state of general ambivalence, EastEnders marathons, and microwave fish finger suppers.

"No one is going give up their Gmail and leave Facebook," Cluley concedes. "If privacy is important to you don't trust tech companies - trust yourself"

The answer, potentially, lies within an improved legal framework, and Cluley contends that increased – and more transparent – governmental oversight is necessary to avoid another NSA-style scandal in the future.

"Historically, Europe has been much hotter on privacy than America. It's something we hold dearer. But GCHQ is doing it as well -recently, they hacked Belgium's leading telecoms company, putting spying devices in to intercept communications. We presume it was communications coming from the Middle East, but it was being done outside of the law."

"If normal hackers did that, the authorities would be on it like a ton of bricks. But somehow it's acceptable for government to do this. Obama apparently didn't authorise it? Someone must have given the green light."

Is there a legitimate reason why our privacy should be compromised in this way? Rounding out our chat, Cluley admitted that many serious crimes did demand a serious governmental online presence, but insisted that the current scale of operations was out of proportion to the threat.

"The justification is terrorism and serious organised crime – drugs, child porn and so forth. There's no question, we don't want that. But the number of people who've been killed in the UK by terrorists in the last 15 years is about 60 – most of which happened [as a result of] the 7/7 bombings. A horrible thing, but more people than that die each week driving. Is that level of risk enough to justify all of us having our privacy and security eroded? Is that an acceptable risk? Why do we let people drive? Why don't we shut down the roads?"

Unfortunately, digital rights are at risk of becoming a niche issue. The early uproar following Snowden's leaks appears to have died down, and despite the efforts of various campaigning journalists, concern over government snooping is now once again marginalised where it should be increasingly scrutinised.

"It's not an election issue," Cluley concludes. "People act outraged but it slowly begins to fade."

A case of sad but true? Cliched queries aside, the burden is on the tech community to ensure that these issues remain under the microscope, as opposed to being consigned to the digital graveyard.