Within recent weeks, a plethora of vendors have announced massive security changes to their products and platforms. From Google's migration of all web certificates to 2048-bit encryption keys to Twitter's implementation of session-specific encryption keys via forward secrecy, vendors are rapidly implementing security controls across their infrastructure, often at substantial cost.
The driver behind this flurry of activity is, of course, customer privacy, prompted by recent revelations of the scope of surveillance employed by the federal government across Internet-facing services. Mobilized by a wave of protest, vendors have scrambled to plug gaps in their security where governments—including their own—are likely to wedge a foothold in order to conduct broad-based surveillance. With incongruous alliances between competitive vendors such as Apple, Microsoft, Google, and AOL, all complaining to lawmakers on Capitol Hill in unison about the erosion of privacy, these are strange days indeed.
While this reaction by vendors may be based on concerns over customer privacy, the reality is these security changes are good for customers, vendors, and the Internet at large, regardless of the driver behind the effort. With government agencies now "outed" as having the capability to capture fairly deep data across massive swaths of infrastructure, personal privacy has moved from a sideshow discussion into the forefront. This is now driving a sea change for technology vendors. Vendors must now answer customers' questions about privacy in terms of how well they're implementing security controls or face the wrath of a grassroots campaign that hasn't seen backlash like this since the Clipper chip controversy of the mid-1990s.
This has not always been the case. For decades, security has always taken a backseat to functionality and performance in technology products, including both hardware and software. From a vendors' point of view, this makes sense. Performance and functionality are differentiators that customers have been willing to pay for, whereas security mostly has not. Technology vendors follow the money, and implement the capabilities their customers' demand. This time, however, what customers are demanding is that privacy, by way of security, be put into the forefront. When customers demand better privacy to thwart government surveillance, what they're actually demanding is better security. More importantly, those enhanced security controls will also help to better protect them against other, more traditional threats. For example, most of the specific enhanced security controls—and by extension, privacy controls—that vendors have put in place so far fall squarely in the realm of cryptography. Stronger, more consistent encryption of data, both at rest and in transmission, will help to alleviate attacks that seek to intercept traffic or collect stored data.
These early security improvements are not the only changes on the horizon. The next logical step is improved authentication, authorization, and access control. The specific form that will take is hard to say, but improvements in areas such as biometrics and geospatial identification are likely to yield additional improvements to vendor products and services in the near future. Other areas of security, including improved event and incident reporting as well as anomaly detection, will deliver additional incremental improvements to privacy by making it easier for vendors to identify when their customers are an unwilling target of surveillance—and coincidentally providing protection against other threats.
Privacy is certainly gaining interest as a topic; at RSA 2014, I expect that government surveillance will be near the top of J. Trevor Hughes' session on "20 in 2014: The Top Privacy Issues to Watch." Regardless of where you stand on the issue of federal government surveillance, we should all appreciate the efforts that vendors are finally taking to improve security, and by extension, customer privacy. Their rationale may not be entirely altruistic; after all, who really wants rioting customers? However, regardless of the reason, we are getting improved security capabilities that have been sorely needed for a very long time. If the current advances in the securing of popular services technologies by vendors is any indication, then government surveillance—and the security and privacy that are trying to counter it—may actually be working hand-in-hand to give us all a more secure Internet.