In our interview, cryptologist Jörn Müller-Quade tells us how we can really protect our data. Start of a series in the context of the Science Year "The Digital Society".
Mr Müller-Quade, can we still trust our own computers?
Unfortunately, the answer is a clear no. The effectiveness of the security programmes on our computers remains incomprehensible to us. Thus, we cannot really trust them. All we can do is believe the manufacturer. This may be appropriate with regard to protection from fraud through cyber criminals. Yet when it comes to industrial espionage and the work of intelligence services, we should in future be more critical regarding what the computer and software industry tells us and no longer simply accept what is dished out.
Is one hundred per cent protection at all possible?
Of course we cannot navigate the Internet with one hundred per cent security. The technology develops very fast, whereas in many fields the development of security measures lags behind. But we are working on it. To avoid IT security constantly being in a state of subsequent improvement, we need a systematic approach similar to that of natural science: theory construction and real life implementation that corresponds to the experiment. In future, we would gain insights through security gaps and continuously improve our models and theories.
You are a cryptologist and specialist in data encryption. To what extent do encrypted messages guarantee protection of personal data?
Strong encryption processes such as the PGP programme (Pretty Good Privacy), which uses a clearly assigned pair of keys for email encryption, are currently pretty much the only trustworthy protection for our data. The problem is that we cannot trust the systems doing the encryption. In practice, this means your computer sees all data before it is encrypted. So, for instance, if you cannot trust the operating system on your computer, nothing remains safe. Clearly speaking, the system could pass on your data to potential attackers.
This sounds like a major challenge.
We have to stop focusing on protecting data only in the moment of transfer and start protecting the entire system.
What can happen when others read my emails or learn with whom I am friends? After all, I have nothing to hide.
Presumably, this is not that grave for many people. Yet personally, I consider this highly questionable. We reveal many private and personal matters in emails, which, on the one hand, is just what intelligence services are waiting for. On the other hand, commercial enterprises profit from your data. They compile personal profiles and advertise their products in an accordingly personalised manner.
Many people assume that, for example, their online banking transactions are protected by their password. To what extent are passwords really safe?
Passwords do not provide good protection and unfortunately still play too large a role, which we must get away from. They lead the user to believe in a security that does not exist. Rather, we should aim at two-factor authentication. This means I identify myself with a combination of something I own, such as a hardware component, a so-called security token, and something only I can know, for example, a password that activates the hardware in the first place. If someone then still wants to break into my data, they would have to steal my personalised device and know how to activate it. Although in principle attackers could achieve this, it is difficult and in particular not possible from a distance or on a large scale. As long as this two-factor solution is not used by way of a standard, we seem to have to be content with passwords.
What makes a secure password?
The fact is: as long as passwords are limited to, for example, eight characters, they can be easily cracked. To enable people to remember long passwords in the first place, I recommend a phrase or meaningless sentence. A password like "The horse rarely sits in the lettuce" does the trick. It is very difficult indeed to get that and can hardly be achieved by a full search in the dictionary.
Could anybody accidentally find themselves targeted by intelligence services?
Definitely, because intelligence services monitor masses of people worldwide – without any specific reason. They compare names, travel data and birth data from people who resemble suspicious persons. Thus, anybody can be targeted by intelligence services purely on the basis of chance and totally without reason.
And if that happens, how do we get out of it again?
Most likely, you would not even notice that you are on the list. Since intelligence services do not act on the basis of presumed innocence, a once recorded person is likely to remain registered for life. And remain under increased surveillance.
How could users protect themselves most easily?
With only a few simple steps. A start would be to gather information regarding potential security mechanisms and measures. For example, I recommend attending a crypto party.
A crypto party?
This is where users and IT specialists meet. Using simple examples and instant participation on site, the specialists provide advice for more security on the Internet. Recently, Karlsruhe extended an invitation for the second season of the so-called Anti Prism Party. Security and encryption experts from Karlsruhe have demonstrated how everybody can easily protect themselves – from secure online banking through email encryption to anonymous surfing of the Web.
Do you really achieve more widespread user awareness with this?
Unfortunately, there is the paradox that people place great importance on data protection while at the same time readily revealing much about themselves. I think that first of all people have to become aware of which conclusions may be drawn about a person on the basis of this published data. Only then might they develop an awareness of the fact that they have to protect themselves and what options they have available for doing so.
What do politicians do for improved protection of Internet users and their data?
A lot, actually. Yet the questions remain the same: how effective are the measures? How can we assess them and monitor their effectiveness? It is also important to think in the long term and to develop infrastructures that are deserving of trust. In the long term, infrastructures such as cloud storage, routers and mobile communication should feature verifiable security so that blind trust is no longer necessary. The brief cry for fast improvement of security does not help.
What, do you think, will be the next development step of digital communication?
I think that the next step will be to network factories and to connect them to the Internet. This means that in the near future we are likely to have transparent factories, which are read down to the smallest sensor and are controllable down to the last process step. This will bring with it many security concerns, since technology in production facilities is used for a very long time. Many factory devices feature correspondingly old operating systems that were not designed for being connected to the Internet. Another major development is the smart home: technical procedures and systems within living spaces that are designed to improve the quality of life through networked devices, installations and automated processes, for example, by networking all lamps in the house and subsequently switching them on and off with one device. Here, too, the ideas and applications are one step ahead of the security measures.
Will we have the same data protection standards on an international level in the near future?
This is likely to be a long time off, because the cultural differences are considerable. Data protection in Germany does not mean the same as in the United States of America. In Germany, person-related data is generally considered worthy of protection, whereas in the US the private sphere is limited to the home, so that every movement in public is not part of the private sphere. In Asia, too, data protection has a different meaning, where, for example, the copying of inventions or solutions is considered to be a compliment rather than a crime. Uniform standards should be the goal at least in Europe to avoid everybody on the Internet choosing which standards to follow.
Is such a degree of data protection generally free of controversy?
Of course, many commercial enterprises do not desire it. The better they know their customers, the better their sales options. However, I hope that the population adopts a different view and that policy makers act accordingly.