In previous columns, I’ve explained the chain of trust and the weak links in various methods of security. But reader Duane asked a few days ago, regarding my column on using VPNs to protect coffeeshop and other last-mile vulnerable connections, “How do you know the VPN operator isn’t stealing your info?”
This is an absurdly important question, and one that extends far beyond VPNs and specific issues with Apple hardware and software. Trust is a difficult commodity to measure, made more difficult by the subversion of parties that are in the chain of trust we use every day by the National Security Agency (NSA) and agencies of other governments. These security groups have been shown to weaken standards, find exploits and use them rather than disclose to improve for all, and possibly suborn employees or place undercover agents in firms. In some countries, these sorts of weaknesses can mean your door is bashed in by the authorities and you’re taken away.
Beyond government agents, we have reason to be concerned about employees of companies, companies themselves, and criminals or harassers who interpose themselves in networks. These are harder to root out, and usually exposed only when information is leaked, a law-enforcement operation finds culprits, or your credit-card statement arrives.
There’s no way to prove incorruptibility, but there are methods companies can use to put themselves beyond needing to be trusted. That is, a company can create a secure product that is impenetrable to its own ability to access your data, whether stored or in transit.
Can your data be subpoenaed?
Let’s start with the top, Apple, which says it has such a regime in place for iMessage, two-step verification with Apple ID, FileVault 2 in Mac OS X, and other systems. Tim Cook told Charlie Rose, “If the government laid a subpoena to get iMessages, we can’t provide it. It’s encrypted and we don’t have a key.”
Apple can’t be compelled to provide your FileVault recovery key to law enforcement.
FileVault 2 uses an encryption system that lets you store a recovery key in escrow with Apple (which I’ll talk about in a future column), but you don’t have to. Without that escrow, lose your password and recovery key, and your hard drive’s contents are forever gone. And we’ve already talked in this column about how two-factor verification as implemented by Apple prevents even Apple from regaining access to your account if you lose two of the three components.
We have no reason to believe Cook would lie: as the head of a publicly traded company, such a lie would have financial consequences, and potentially legal ones, if it came out. Nor has it been shown that Apple is misrepresenting its other security. The company says and ostensibly cannot get into your encrypted sessions or data.
Has the code been checked?
However, iMessage and these other options aren’t open to outside review or “code auditing,” which would allow unaffiliated parties to examine the software both to confirm that there are no intentional back doors and to find and help repair any flaws that were missed. Many open-source projects not only provide the programming code freely, but also eagerly accept patches.
The lack of outside review cost Apple a point in a guide put out last year by the Electronic Frontier Foundation (EFF), its “ Secure Messaging Scorecard.” The EFF set seven measures by which it could evaluate the security (encryption choices) and integrity (the ability to avoid interception or exploitation).
iMessage and FaceTime both received 5 out of 7, one for not allowing outside code review and another for providing no method to validate the identity of someone with whom you’re in contact. By contrast, Skype (owned by Microsoft) scored 1 out of 7 and Facebook’s WhatsApp got just 2. By these measures, Apple is certainly providing better overall mechanisms to secure messaging, but it could do better.
iMessage is encrypted, and while Apple doesn’t provide the code for review, the EFF scored iMessage’s security higher than Skype and WhatsApp.
WhatsApp is transitioning its internal messaging system to use TextSecure, an open-source messaging module that scored 7 out of 7 in the EFF’s report. Android users already have access, and it will be rolled out to other platforms in the future, setting the bar higher for mass-market encryption.
Apple’s assurances, taken at face value, are quite good, but because it controls all the pieces of its systems and allows no public outside inspection, there’s no way on an ongoing basis to know quite how secure it is. After a claim in mid–2013 by security researchers that Apple could potentially intercept messages, the current chief technologist at the FTC Askhan Soltani wrote in the Washington Post, “So, is iMessage interception possible? Yes, of course. When you control the entire stack, anything is possible.” (The stack here refers to the set of interconnected messaging and networking protocols and software that implements them.)
Apple is at the top of our list: it’s a giant company with much to lose and so far has seemingly met the test of what it claims. Can we trust Apple with our messages and other data? Probably as much as any company, though they could do more to provide independent assurance of such. That’s as much reassurance as I can offer.
Deciding whom to trust
To return to Duane’s question: how do we trust other companies? A VPN firm of the scale of Cloak, which has three employees, has to rely on reputation and action, but also on implementation. Cloak developed its own wrapper around existing software that it keeps up to date. The underlying software is well vetted and has SSL/TLS at its core, and uses Apple’s own mechanisms to install security certificates that validate connections.
To trust Cloak or a similar company, we have to believe that it lacks the motivation to engage in theft and possesses the competence to configure its systems well and keep them up to date. The test of both of these is often time: we need to know how they perform longitudinally and when faced with threats. One code-hosting and project management firm shut down last June when its “full redundancy” and “real-time backups” were shown to be hollow, as all its infrastructure was protected by the same Web services credentials.
Duane, I’d like to say the real answer is that most businesses engage in ethical behavior, whether it’s because the owners want to do the right thing or because the cost of ethical or legal violations is so high it deters them. Can we ever know for sure that a given company deserves our trust? No. But we can calculate the odds by looking at the technical and legal factors that underlie why we grant trust to any business.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.