We recently ran two user surveys concurrently at RSA 2016 in San Francisco as well as online with the Spiceworks community of IT professionals. The RSA and Spiceworks surveys gathered 987 and 605 responses respectively. We combined both sets of responses. The full report is available now. Here's a summary of our results:
- Almost two-thirds (64 percent) of those working in IT security do not expect to be able to have a private conversation on any device
- When it comes to the Apple/FBI debate, nearly two-thirds of those in the IT security industry support Apple in their fight against the FBI
- More than half (51 percent) of respondents believe the FBI is using the case to set a new legal precedent to be able to have the right to unlock all devices made by Apple and/or other tech companies
- 35 percent of participants believe that individual rights are more important than national security, vs 19 percent who believe that the opposite is true
To Comply or Not to Comply
Apple has polarized public opinion with its stance on encryption. In the case of the San Bernardino shooter’s phone, the FBI has requested that Apple weaken its security to allow the FBI to gain access to the encrypted contents. If Apple complies, this could potentially impact all Apple products and could significantly weaken its security posture overall.
Public debate and opinion around the topic remain somewhat divided. However, the opinions of security and technology professionals largely align, with 47 percent stating that weakening security is a step that Apple should never take.
At the other end of the spectrum, only 17 percent of respondents fully supported the FBI’s request and felt that Apple should comply.
On the surface, this may seem like technologists protecting their walled gardens. However, digging a bit deeper, we begin to uncover some of the underlying root causes. When asked about the reasons the FBI wanted Apple’s help, the majority of respondents (51 percent) believe that the FBI wants to set a new legal precedent to be able to unlock all Apple devices.
However, this is not restricted to Apple devices alone and could potentially affect the devices of other tech companies as well. While 61 percent of respondents believe that if Apple gives in to the FBI’s demands it would weaken its overall product security, only a third of respondents (33 percent) believe that such measures would be effective in helping law enforcement catch criminals or terrorists before it’s too late.
However, it’s not the case that security and technology professionals do not want to co-operate with law enforcement in preventing crime and terrorism. 62 percent of respondents would support allowing governments to be able to legally intercept communications relating to terrorism and 41 percent would support the interception of those related to criminal activity.
If professionals are supportive of using technology to combat crime and terrorism, why then is there a general reluctance to comply with the demands of the FBI in this case? One of the major contributing factors is the lack of understanding of how technology works. If a ‘backdoor’ is created that gives law enforcement the ability to extract data from the phone, it would be akin to letting the genie out of the bottle. There would no longer be control over which devices the technique could be used against – and even more worrisome, there can be no guarantee that this access will remain out of the hands of the bad guys.
Looking at the issues broadly paints a grim picture. 48 percent of participants believed that if the FBI is successful in getting Apple to meet its demands, the FBI would leverage the position to force other technology companies to do the same. This is a move that could materially weaken all technology products and leave them vulnerable to attack by any motivated party.
The World Stage
The ramifications of weak security and lax privacy controls extend far beyond the US borders and onto the global stage. 48 percent of participants believed a lack of privacy could have a detrimental impact on the level of trust placed in US-based firms.
Perhaps more importantly though, 58 percent of participants believed that a lack of privacy that would allow mass surveillance could lead to governments prosecuting people based on their private conversations. This is a slippery path as it could lead to people being prosecuted based on merely thinking or uttering words related to a potential crime, as opposed to actually committing a criminal act. Simply thinking a thought or communicating it does not make one a criminal.
Globally, the implications get even more severe. Certain governments target individuals based on their political views, especially when they aim to document cases of oppression or mock the practices of the ruling elite. If the FBI is successful in weakening security for Apple, or any technology products, then other governments will undoubtedly also want to have the same level of access.
It is due to this that 52 percent of participants believed that a lack of privacy could lead to an increase in the use of tools like Tor by users attempting to maintain a level of online anonymity.
Based on these contributing factors, it is perhaps not surprising that even where national security is cited, the majority of participants (54 percent) believed that governments should not be allowed to monitor mass communications, either because they believe individual rights are more important than national security (35 percent) or for other reasons (19 percent).
Privacy, Privacy! Wherefore art thou, Privacy?
The debate around whether or not governments can or should force technology firms to weaken products is ongoing. But one has to wonder whether it’s too little, too late.
Opinion is divided almost straight down the middle as to whether current mobile security and encryption provide adequate protection for the average user.
However, when it comes to privacy, nearly two-thirds (64 percent) believe that privacy is already dead and don’t have any reasonable expectation of privacy when communicating on any device.
We also asked participants what could be done to protect privacy online. The majority indicated that stronger encryption would be the most effective measure.
However, protecting online privacy is more than just a technical challenge. There is no doubt that technology can go a long way towards helping, but a large part of it also depends on users and what kinds of information they choose to share.
With the view that privacy today is largely dead, with governments actively taking steps to erode it further, there is little doubt that users need to be more proactive in taking steps to safeguard their own privacy.
Uneasy Lies the Company Entrusted with Privacy
Security and technology professionals can be a cynical group at the best of times, with a tendency to question and second-guess the intent and motives of nearly everyone around them.
There is certainly little faith put in the motivations of governments and the FBI when it comes to security and privacy. But how does this same group of participants feel about companies that discuss privacy issues in the media?
In response to this question, we saw a near even split between three opinions of companies’ motives: being truly concerned about privacy issues, being self-serving in protecting their brand identity, and the most cynical view, that companies only want to use such opportunities to generate PR.
It appears as if the jury is still out on the motives and intent of different companies who try to engage the community in the discussion around privacy issues. The response will likely vary depending on the type of company and its track record in handling customer privacy.
The privacy debate is not a new one. But it is one that seems to resurface on a cyclical basis, opening up the debate once again under a slightly different guise. What expectation should one have of privacy when online? What details can a company reasonably gather from its users? How can and should that information be used? None of these questions are easy to answer – and indeed there may not be a global answer either.
However, the FBI vs Apple case has put another spin on this ongoing argument. Professionals largely support government and law enforcement initiatives to prevent and apprehend criminals and terrorists. However, the fracture occurs in ‘how’ this can or should be achieved, and professionals largely agree that weakening device security will have irreversible ramifications on individual privacy on a global level.
But is the debate itself actually moot? Two-thirds of professionals already believe that privacy is all but non-existent online. So perhaps the best course of action is for people to take privacy back in their own way by employing good operational security (opsec) practices through which they limit and control what personal data is shared online and with service providers.