When it comes to security, who can you trust?

In previous columns, I've explained the chain of trust and the weak links in various methods of security. But reader Duane asked a few days ago, regarding my column on using VPNs to protect coffeeshop and other last-mile vulnerable connections, "How do you know the VPN operator isn't stealing your info?"

This is an absurdly important question, and one that extends far beyond VPNs and specific issues with Apple hardware and software. Trust is a difficult commodity to measure, made more difficult by the subversion of parties in the chain of trust we use every day by the National Security Agency (NSA) and agencies of other governments. These security groups have been shown to weaken standards, to find exploits and use them rather than disclose them so they can be fixed for everyone, and possibly to suborn employees or place undercover agents in firms. In some countries, these sorts of weaknesses can mean your door is bashed in by the authorities and you're taken away.

Beyond government agents, we have reason to be concerned about employees of companies, companies themselves, and criminals or harassers who interpose themselves in networks. These are harder to root out, and usually exposed only when information is leaked, a law-enforcement operation finds culprits, or your credit-card statement arrives.

There's no way to prove incorruptibility, but there are methods companies can use to put themselves beyond needing to be trusted. That is, a company can create a secure product that is impenetrable to its own ability to access your data, whether stored or in transit.

Can your data be subpoenaed?

Let's start at the top, with Apple, which says it has such a regime in place for iMessage, two-step verification with Apple ID, FileVault 2 in Mac OS X, and other systems. Tim Cook told Charlie Rose, "If the government laid a subpoena to get iMessages, we can't provide it. It's encrypted and we don't have a key."

FileVault 2 uses an encryption system that lets you store a recovery key in escrow with Apple (which I'll talk about in a future column), but you don't have to. Without that escrow, lose your password and recovery key, and your hard drive's contents are forever gone. And we've already talked in this column about how two-factor verification as implemented by Apple prevents even Apple from regaining access to your account if you lose two of the three components.

We have no reason to believe Cook would lie: as the head of a publicly traded company, such a lie would have financial consequences, and potentially legal ones, if it came out. Nor has it been shown that Apple is misrepresenting its other security. The company says it cannot, and ostensibly cannot, get into your encrypted sessions or data.

Has the code been checked?

However, iMessage and these other options aren't open to outside review or "code auditing," which would allow unaffiliated parties to examine the software both to confirm that there are no intentional back doors and to find and help repair any flaws that were missed. Many open-source projects not only provide the programming code freely, but also eagerly accept patches.

The lack of outside review cost Apple a point in a guide put out last year by the Electronic Frontier Foundation (EFF), its "Secure Messaging Scorecard." The EFF set seven measures by which it could evaluate the security (encryption choices) and integrity (the ability to avoid interception or exploitation).

iMessage and FaceTime both received 5 out of 7, losing one point for not allowing outside code review and another for providing no method to validate the identity of the person with whom you're in contact. By contrast, Skype (owned by Microsoft) scored 1 out of 7 and Facebook's WhatsApp got just 2. By these measures, Apple is certainly providing better overall mechanisms to secure messaging, but it could do better.

WhatsApp is transitioning its internal messaging system to use TextSecure, an open-source messaging module that scored 7 out of 7 in the EFF's report. Android users already have access, and it will be rolled out to other platforms in the future, setting the bar higher for mass-market encryption.

Apple's assurances, taken at face value, are quite good, but because it controls all the pieces of its systems and allows no public outside inspection, there's no way on an ongoing basis to know quite how secure it is. After a claim in mid-2013 by security researchers that Apple could potentially intercept messages, Ashkan Soltani, now chief technologist at the FTC, wrote in the Washington Post, "So, is iMessage interception possible? Yes, of course. When you control the entire stack, anything is possible." (The stack here refers to the set of interconnected messaging and networking protocols and the software that implements them.)

Apple is at the top of our list: it's a giant company with much to lose, and so far it has seemingly met the test of what it claims. Can we trust Apple with our messages and other data? Probably as much as any company, though it could do more to provide independent assurance. That's as much reassurance as I can offer.

Deciding whom to trust

To return to Duane's question: how do we trust other companies? A VPN firm of the scale of Cloak, which has three employees, has to rely on reputation and action, but also on implementation. Cloak developed its own wrapper around existing software that it keeps up to date. The underlying software is well vetted and has SSL/TLS at its core, and uses Apple's own mechanisms to install security certificates that validate connections.

To trust Cloak or a similar company, we have to believe that it lacks the motivation to engage in theft and possesses the competence to configure its systems well and keep them up to date. The test of both of these is often time: we need to know how they perform longitudinally and when faced with threats. One code-hosting and project management firm shut down last June when its "full redundancy" and "real-time backups" were shown to be hollow, as all its infrastructure was protected by the same Web services credentials.

Duane, I'd like to say the real answer is that most businesses engage in ethical behavior, whether it's because the owners want to do the right thing or because the cost of ethical or legal violations is so high it deters them. Can we ever know for sure that a given company deserves our trust? No. But we can calculate the odds by looking at the technical and legal factors that underlie why we grant trust to any business.

Stories by Glenn Fleishman