Sunday, December 23, 2007

German Police, Skype, and Trojan Horses

A commentator on a podcast I recently listened to made an offhand comment that the German police were unhappy with Skype because they can't break Skype's encryption. My first thought was that such privacy is the point of encryption, right? Then I thought I should verify that the German police really were unhappy. That led me to this link at Yahoo Canada. It looks like the German Federal Police (BKA) don't have a problem with Skype in particular, but want to be able to tap phone calls. Their approach is to plant Trojans on suspected criminals' machines which, IMHO, is a pretty extreme step. Who's developing the Trojan? Is it someone the BKA can really trust? How do they ensure the Trojan doesn't leak data to anyone but the investigative team that planted it? Does the Trojan have any side effects that impact the performance or security of the suspect's machine?

Ask.com & the Customize Google Firefox Add-on

I was one of many who applauded ask.com last week for introducing the AskEraser, an option for a user to opt-out of search history collection. It seems the search engines, and anyone else, collecting a user's history should be opt-in, not opt-out, but nonetheless, it's a big step in the right direction, and I hope it generates enough buzz to increase Ask's small market share. Right now, for non-Firefox users, I'd be inclined to recommend Ask as the search engine of choice simply for this feature (and the fact that the search engine does a pretty good job, though the interface is clunkier than Google's).

For Firefox users, there's the Customize Google add-on. It looks good on paper (on screen?), but it's not easy to verify that it actually does keep Google from storing a search history. Of course, it's also hard to verify that the AskEraser works, but it would be quite a blow to Ask's credibility if it were just a placebo.

Another very nice feature of the Customize Google add-on is that you can set it to ensure that various Google connections, e.g., gmail, always use https connections. One of the few annoying features of gmail (yes, I'm a fan but leery of giving so much of my data to one company--even one that doesn't do evil) is that every once in awhile one glances at the lower right-hand side of the window and sees that the connection is not secure. This should correct that. How sensitive is most of my e-mail? Not very. How likely do I think it is that someone's eavesdropping on my gmail sessions? Not very. However, simply as a matter of principle, these things should be encrypted.

Now, back to AskEraser, Google, and not doing evil. Why does Google not offer a similar feature? And who will be the first to make such data collection opt-in, rather than opt-out?