“A few years back we were in the golden age for spying on the general public,” says Jimmy Wales, founder of Wikipedia. He is giving the keynote address at the IP Expo Europe in London, and it’s clear that he is confident of two things: total internet encryption is coming, and this is a very good thing.
“Virtually all chat was not encrypted at all, it all went in the clear, anybody could sniff your connection, whether it was the NSA or somebody in your local network, [they] could see what you were saying on chat,” he continues. “It was a really bad situation. A lot of privacy activists, security people were worried about this, but no one was really listening. It was very, very easy to spy on people.”
A lot has happened since then, including a dramatic drop in the cost of encryption-supporting servers and Edward Snowden’s leak of the NSA’s data spying practices. In other words, just as encryption has become more feasible to implement, the demand for it has surged.
“There is a massive trend going on, on the internet, towards SSL: secure connections. So you know when you go to a website and it says https – that’s a secure connection,” Wales explains. “This is what you used to find, mainly in places like when you’d go to your bank – that would be an SSL connection. Most websites were unencrypted, and we didn’t worry too much about it.”
But things have changed. According to data company Sandvine, 29.1% of data packets sent over the internet in April 2015 were encrypted. By 2016, this number is expected to jump to 64.7%, as Netflix switches completely to SSL. Wales believes that this will prompt a steady move across the web, until only the very smallest sites remain, as he calls it, ‘in the clear’.
“Over the next couple of years that’s going to end up being a 5 to 6% slice [that isn’t encrypted], and it’s going to be some very small websites and things like that which haven’t bothered to do it,” he says.
“All major internet traffic is going to be encrypted very, very soon, that’s a very, very good thing when you think about all of the issues around stolen credit card numbers, people sniffing networks, stolen passwords, identity theft. All of these things become much, much harder when your passwords and your data information aren’t flying over the clear every time they’re on an open network.”
Jimmy Wales’ guide to encryption
While SSL is the standard way to encrypt webpages, when it comes to chat applications, things are a little different.
“People are using chat on their phone, using chat on their computer, talking to friends – this is a huge proportion of internet communication, and something that is generally very personal,” says Wales.
However, there are two types of encryption available for chat, and knowing how they differ is quite important if you are serious about privacy.
“The first level would be encryption between you and the chat company, but then they can read your message – you’re just sending it to them so nobody can spy in between and they get your message, and they send it on to the person you’re chatting with, and that connection is also encrypted,” explains Wales.
“So that is a pretty good level of encryption – it stops people on your local network from spying on you and things like that – but it leaves a huge vulnerability in the middle, which is inside that company.”
If you trust the company in question, you may feel your data is safe with this method, but according to Wales this still leaves your data vulnerable.
“One of the shocking revelations from Ed Snowden is that the NSA had tapped into cables between Google data centres,” he says. “So when Google thought ‘alright, your Gmail is safe from out there to in here; it’s safe in our data centre, it’s safe there’, there was a hole inside the data centre because they were tapping into those cables and therefore were able to read a lot of internal Google traffic that they thought had been secure.”
The best solution, then, is end-to-end encryption, something which Edward Snowden has also called for.
“So when you type a message on your phone, it’s encrypted by your phone, it is sent to your friend through the servers and back down to them, it’s encrypted all the way and it’s decrypted at the other end,” Wales explains.
“This is the best level of security, and as long as the encryption protocols work, as long as the math works. And this is the one I do believe: the math works. Sometimes I’ve heard people who are sceptical and not very well informed saying ‘oh well the NSA’s probably cracked all of the encryption algorithms anyway’. There is no evidence to suggest that they’ve done it, and no evidence to suggest that they are going to be able to do it anytime soon.
“End-to-end encryption is really important. It’s something we want to see for all channels and discussions so that everything you’re saying to your friend in private is actually held in private.”
A spy-free internet
Wales is keen to point out the irony of this move to end-to-end encryption, which has gained considerable support in the wake of Snowden’s NSA revelations.
“The overreaching efforts to spy on the public have made it actually harder – and permanently harder – to engage in lawful, warranted investigations,” he says.
“If we lived in a world where I wasn’t concerned about the NSA hacking into a chat company, for example, to steal everybody’s chats, if we didn’t live in that world I would say ‘I don’t mind if there are points in the network where with a warrant, with appropriate judicial oversight, you can actually listen in on people’.
“That’s not an absolute right. But because they’ve been so ridiculous and so overreaching people are moving, and I recommend you move to end-to-end encryption.”
Of course, if everyone follows Wales’ advice then the NSA and similar agencies will lose the chance to ever access such data, even if they have a just cause for doing so.
“There is a bit of an irony that the overreach has actually cost the security services any hope of doing what they hope to do in a legitimate sense,” he says.
Wikipedia itself is now completely encrypted, having undergone a rapid transition to SSL following the NSA leak.
“Wikipedia used to be totally in the clear and unencrypted, and so then we went through a long period of technical evaluation and preparation, which was massively accelerated when we saw one of the slides from the NSA that made clear that the NSA considered Wikipedia traffic to be an easy target,” says Wales.
“It was a site that was transmitted in the clear, so it was easy for them to spy on everything that you’re reading and everything that you’re doing on Wikipedia. We’ve now gone to SSL everywhere. So everywhere in the world, when you visit Wikipedia it’s an encrypted connection.”
It’s a common misconception that SSL is only important when websites are handling private data; however, this was not the reason Wikipedia was transitioned. Instead, it was the ability of governments with poor human rights records to tell when citizens were reading articles covering controversial or anti-government topics, and to arrest them as a result. It may seem like something out of dystopian fiction, but Wales is adamant that this situation occurs, and says he is aware of particular Wikipedia editors being affected.
As a result, he believes newspaper websites, which often do not have SSL, should be making far greater efforts in this area.
“If you’re a newspaper that cares about freedom of expression and freedom of speech, it’s probably not good to allow the government of the Maldives to be profiling people in their communities based on what news stories they’re reading, and if you aren’t secure you’re allowing that to happen – it’s a really important point,” he says.
[For those of you at this point wondering why we haven’t taken his advice, we’re currently in the process of persuading our IT department to do just that.]
Dealing with China
For Wikipedia, however, switching to SSL has produced another dent in its interactions with China.
“We’ve been subject over the years to a lot of different problems in China: one of the biggest problems has been direct censorship,” Wales says. “For a long period of time, for about three years, we were completely banned in China.”
While some digital heavyweights have tried to cooperate with China, Wales makes it clear that compromising Wikipedia to get it unblocked in the country is something he was never prepared to do.
“My view is that access to knowledge is a fundamental human right, it’s a corollary of the right to freedom of expression, and it would be inappropriate for us, given our mission of free knowledge for the world, to ever participate in government censorship,” he says.
However, without concessions being made by Wikipedia, China changed its approach to the website in 2008, when the world’s focus was on the country.
“Around the time of the Beijing Olympics Wikipedia was opened up, the Chinese had a period of liberalisation of the internet, and they opened up and they allowed access to almost all of Wikipedia,” adds Wales. “But they were filtering certain pages, they were filtering about the usual suspects: things that are sensitive issues in China. So the Tiananmen Square incident; the artist Ai Weiwei; there’s a religious cult called Falun Gong; anything to do with Taiwanese independence – these are the kinds of things they were filtering, just those pages.”
This continued for some time without change, but with SSL on the horizon, China once again changed its approach.
“There was a long equilibrium for a long time, they were filtering certain pages, but as we were working to move to SSL — we had implemented in many countries, we were rolling it out country-by-country to make sure it was robust — just before we were going to roll out in China, they blocked Wikipedia again,” says Wales.
The reason for this sudden re-blocking is likely to be that under SSL, China wouldn’t have the option to selectively block particular Wikipedia entries: it forces the country to take an all-or-nothing approach.
“With https, the only thing that the Chinese authorities can see today is if you’re talking to Wikipedia or not, they can’t see which pages you’re joining, which means they no longer have the ability to filter on a page-by-page basis, so they can’t block just Tiananmen Square,” says Wales. “They now have a very stark choice: the entire country of China can do without Wikipedia, or they can accept all of Wikipedia.”
At present, this means that Wikipedia is not accessible in mainland China, but Wales remains optimistic about the future.
“Right now they’ve made the choice to ban all of Wikipedia, so it’s a bit of a standoff, it’s all or nothing, so they’ve invited me to China and I’m going there in the next few weeks to meet with them and see what we can do,” he says.
“It’s a funny bit of my career that I started as a technologist and now I’m some kind of diplomat and I have to go and talk to the Chinese government. It’s kind of fun.”