Security Is Hard, But That Doesn’t Mean You Should Ignore It

Six weeks ago I was out drinking in a Kipling-themed bar in Rangoon, Myanmar — as you do — and happened to find myself next to a table of high-powered international telecommunications consultants, overhearing juicy lines like “Skype and Viber are going to kill us.” Needless to say I told Twitter right away. Then an old friend who’s also a genuine International Man Of Mystery got in touch and asked if we could chat about Myanmar’s proposed ban on VOIP. Securely.

He has his very good reasons to insist on secure communications. But to my embarrassment and dismay, given that I’m a software pro with scads of hacker friends, I was largely unprepared for that request. The sad truth is that real online security has never seemed worth the hassle to me. Oh, I switched my Facebook connections to HTTPS-only as soon as I could; I select/Control-C/Control-V a portion of every password I enter when in Internet cafes; and I disabled Java when its huge security hole was revealed earlier this year. But truly secure communications? That’s always seemed like more trouble than it’s worth.

I felt foolish and credulous and unprepared — until earlier this month. So I’d just like to thank David Petraeus for making me feel a whole lot better about the situation:

The sad truth is that real online security, while possible — ignore the conspiracy theorists who claim that hackers can break into absolutely anything — is hard to do right and easy to screw up. This is a big deal and a big problem. Not just for Syrian activists today; as the panopticon society grows up around us, soon online privacy will be just about the only kind of privacy we’ll have at all.

Alas, right now it seems that many-to-most people value conformity more than privacy. What’s more, instead of worrying about security ourselves, we trust others — Amazon, Apple, Facebook, Google — to take care of it for us. As the great Bruce Schneier points out, in some ways we’ve regressed to a feudal notion of security.

The problem is, you can’t trust a feudal lord. For instance, Andrew Auernheimer, aka “weev,” was recently found guilty of hacking in a case which has been analogized — correctly, in my view — to finding someone guilty of trespassing because they looked past the sign on a shop window to see what goods were on sale within. This is, well, insane.


https://twitter.com/Asher_Wolf/status/271057050178564096
https://twitter.com/skry/status/271054648910151680


https://twitter.com/midnite_runr/status/271032161472233472


https://twitter.com/semiboganman/status/271004798512402433
https://twitter.com/AdamOfDc949/status/271022582113918978

(All tweets above via Meredith Patterson.)

Even worse, it will have a deadly chilling effect on security researchers everywhere. We need people like weev to find security flaws, and disclose them in a (relatively) responsible manner before serious black-hat bad guys do. Security through obscurity is no security at all, and feudal security isn’t much better. Ask David Petraeus.

Security is, by its very nature, something most people generally hardly worry about at all – until and unless that one awful day comes when it’s the only thing they worry about. By then it’s usually too late to start taking it seriously. But even if/when people realize this, and start taking responsibility for their own online privacy and security, if security tools aren’t dead-easy to use, they’ll be used incorrectly or not at all.

What can you do? Well, the EFF recently posted “Don’t Be Petraeus: A Tutorial On Anonymous Email Accounts,” which everyone should read. And next week I’m going to post a brief overview of some other security tools out there now. Be advised in advance that I’ll probably get some things wrong: I’m a good software developer but no security expert. Let’s hope that in a few years’ time the tools are easy enough that even non-techies can use them without fear — because increasingly, if you don’t have privacy and security online, you won’t have it at all.

Image credit: yours truly, Flickr.
