Adrian Dabrowski works at the Secure Systems Lab at the University of Technology. The security expert works with subjects including RFID technology, facial recognition, and surveillance systems. Dabrowski spoke with futurezone about the PRISM scandal, possible countermeasures, and the role of the media in the data protection debate.
The PRISM scandal has gotten people talking about government surveillance on the Net. Are Internet users at more risk from government agencies than from other attackers?
Hackers usually have financial motives, like getting credit card information. They usually don’t care about your private life. So the risk to your private life is greater from government agencies and intelligence services. They also have different means at their disposal – they can use the legal system to force providers and other companies to release large amounts of data, for example.
Were you surprised by the extent of spying activities on the Net?
We probably don’t even know the full extent of this today. It came as no surprise that intelligence services are prowling the Net. But the scope of the activities was surprising.
How bad do you think the massive collection of data by intelligence services is?
It is most certainly bad in England, the USA, and some other countries. I am not aware of much in Austria. Large-scale monitoring is not likely here; they probably obtain data from the USA. But there are probably some interesting targets here as well, like at the UN.
Can anyone really defend themselves?
Intelligence services can crack encrypted messages and can gain access to a large number of services. There is no absolute security. All a user can do is increase the effort and costs required to access their data as much as possible. That is easy to do for mass attacks directed at thousands of users; more concerted efforts quickly become too costly. In the event of targeted attacks, for example when someone wants to steal building plans from a company, it is much more difficult because the attacker is willing to commit more resources.
Does it make sense to use encryption or services like TOR?
It does make sense, but is only practical in individual cases. Large-scale encryption is not possible because there is no universal method. And the use of web mail, mobile phones, and computers makes things more complex. Encryption and TOR are hardly practical for daily use for the general public because they are too complicated and slow.
Are intelligence services even interested in private individuals? Aren’t companies much more interesting?
Companies are certainly more likely to have interesting information, but this does not mean that private individuals will not be monitored. And this can cause problems, for example when people are put on a no-fly list because they are subject to surveillance. But private individuals are usually not targeted; it’s usually companies. John Doe will more likely fall victim to mass surveillance programs like PRISM.
Have new technologies led to an increase in corporate espionage?
Corporate espionage has always been interesting, including for the military security agencies like the CIA and NSA. ECHELON, a worldwide surveillance network for wireless and satellite communication, was set up many years ago. Later, the fiber optic cables were tapped.
Are programs like PRISM used primarily for corporate espionage?
I can only speculate about that. National security is always used as a pretense. But one goal is certainly to gain an economic or technical advantage. ECHELON was also used to find out what the highest bids for contracts were.
In Europe, most politicians reacted to the NSA revelations with shock. Do you believe that?
I don’t know to what extent the politicians were informed. They often know little, and can easily deny knowledge. But I think that the politicians should have had a basic idea of what was happening.
How can it be that the executive branch does not know exactly what the intelligence services are doing?
It is simply impossible to control the giant bureaucracies in some countries. And many people act outraged in public, but then toe the line when the United States demands something, for example in the case of Morales.
Is data protection in Europe better than in the US?
There is more legal certainty in Europe, data protection is stronger overall. In the USA, only US citizens are entitled to data protection, while data protection applies to everyone in Europe.
But many Europeans save their information with US providers.
Many people are not aware that this is a problem. The products from Google and other such providers are free and offer a lot of space. It seems that most private users do not care that the data is automatically analyzed.
What are the alternatives?
Users can run their own clouds, or use providers with servers in Europe. But this usually costs something. It is in any case the better solution for sensitive data.
Why does a large part of the population apparently not care about data protection?
Many people offer up their information to providers on a silver platter, and accept that they will receive targeted advertising. I think that we have not seen enough examples of misuse go public yet. Awareness of the problem is building slowly. This is kind of like with environmental protection; it took decades for the issue to become mainstream. I fear that we will need something akin to the environmental disasters that jarred the public into action; we need some sensational data scandals.
It took too long with the environment. Isn’t it almost too late already to prevent a real catastrophe with data protection?
You can’t hide data that has already been released. Many young people today are not critical enough, as we can see by what they put on Facebook. The government and parents need to educate them about this.
Isn’t the government interested in having this data available?
There is a contract between the government and society that governs the relationship between security and freedom. This has been shifting quickly in one direction for ten years now. Security trumps everything else. This will only change when the citizens put pressure on the government.
The media often talk about Snowden’s asylum problems, and not the actual scandal. I don’t know if this is intentional, but it is a good distraction in any case. But we have not seen more than a few PowerPoint slides and denials up until now. We have little information, and an independent party needs to look into this. They always only admit what they can no longer deny.
There have been cases where companies did not properly protect the data entrusted to them. How safe is user data at companies?
Accidents can always happen. What is important is how the companies react. They design their systems to be secure, but often have no plan of what to do when something happens. Good communication is especially important in this. When Anonymous Austria broke into GIS, they denied that anything had happened for weeks. This was scandalous, but also dangerous for the affected people. In contrast, Bank Austria responded proactively by sending a letter to the affected customers when their log files were stolen, even though there was no actual danger. I think this is the more honest solution. Maybe others will follow their example.
Are such incidents often kept secret?
My experience has shown that much goes unreported. Companies usually don’t go public unless the attackers threaten to release the stolen data. Openness can help a lot here and can give users the opportunity to take their own action.