Sign in Subscribe
INFOSEC

Red Notice Blizzard Warning: Secure Communications & Willful Ignorance

Sitting in front of a criminal or extremist and explaining the benefits of risk mitigation is not wise if your best defense is that encryption is a human right.

Graham Penrose

3 min read
Red Notice Blizzard Warning: Secure Communications & Willful Ignorance

There is a great deal of bandwagoning around the privacy debate by dodgy secure comms providers talking about 'democratizing' access to encryption.

The supply of non dual-use publicly available tech to a citizen is perfectly fine. The supply of the tech, both hardware and software, in a self service e-commerce environment wrapped in AML / KYC compliant registration procedures makes abundant sense. It gives those providers with good product and good value pricing access to the increasing number of private citizens who worry about their privacy.

Developing Demand from Proactive Paranoia

The secure comms providers best business development tool is the media, specifically the wall-to-wall media coverage of:

  1. The increasingly alarming rise in and the nature of the claims made by whistle blowers;
  2. Continued deep state intelligence agency antics;
  3. The dangers Facebook & Google and their inability to control their impulse to break the trust of their users and slice and dice their behaviour data for sinister usage;
  4. Increasing numbers of populist leaders globally with questionable agendas or in some cases questionable sanity who have access to mass surveillance programs; and
  5. The general socmed giants and government privacy abuses which when exposed result in little or no sanction.

There is almost a perfect storm of "proactive paranoia" driving demand.

animated_atrocities_brian_the_closer_by_thecynamaticals-dbc1jug

Ignorance of the Law is not a Defence under the Law

Pitching the obvious benefits of protecting your privacy to a private citizen, a C-suite exec, a private contractor in a high risk area, a journalist, or an activist is a no-brainer to attract the ready made customer base to your product.

Pointing out in the process the flexibility, cost effectiveness, and reliability of your product configuration choices. Allowing the customer to design a pick and mix offering from your products depending on their perceived risk profile is the closer.

However, sitting in front of a known criminal or extremist and explaining risk mitigation benefits in terms of a reduction in the number of intercepted shipments of dummy dust or the reduced number of your freedom fighters incarcerated, is not wise if your best defence is that encryption is a human right.

Less blaringly silly but still a cul-de-sac strategy is sitting in an office and allowing unidentified individuals help themselves to your tech via a website without having a credible Anti Money Laundering (AML) / Know Your Client (KYC) process in place.

The returns are huge but you will be hard pressed to use them to make your concrete mattress more comfortable as you do time for joint enterprise or the offence of criminal organisation (the tests for guilt in that offence are not complex).

Ask the gents from Phantom Secure.

Unwittingly Engaging in the Offence of Criminal Organisation

For example if JQ1 asks me for JQ2's home address and I know that JQ1 in all likelihood will pass that info to JQ3 who bears a grudge against JQ2 and an offence is subsequently committed by JQ3 against JQ2 then I am as culpable as JQ3 in the eyes of the law.

Same applies for the general application of the tech to assist in the risk mitigation strategy of fringe elements.

For now outfits like Phantom Secure who blatantly sought out international cartel operators as customers are the focus. In the near future that will trickle down to the providers who just don't check all the compliance boxes.

In the absence of public licensing or the registration of secure comms providers, legislation governing classification of encryption as dual use or restricted tech, or specific statutes then if as an industry we want to avoid these measures - which one can almost be certain will be draconian - then secure comms providers need to demonstrate responsibility, self regulate, and subscribe to an industry code of conduct.

Ignorance of the law is not a defence under the law.

Watch out mates, it's in the post. Make sure you do not fall victim to the appeal of allegedly "easy money" and a naive defence.

Cos just when you think that you are a clever bugger ....

Main Image Credit : The awesome piece of artwork used to head this article is called 'Interpol Stripes' and it was created by graphic designer Tadd Martin.