One hop, two hop…

(… now, what was the question?)…

OK, I can deny it no longer. I love Eric Schmidt. But only because he is good blog-fodder. I want to tie together two news stories and a blog post today: the blog post is Wendy Grossman’s concise, accurate response to Eric’s “loopy” statements on encryption. Of the two news stories, one is about said “loopy” statements, and the other is a recent Guardian article about the NSA’s interception programmes.

First, let me say that I agree with the points Wendy makes; I just have another one to add to the reasons why encryption is not, despite Eric’s reported claims, the answer to government surveillance.

Here’s the first article – one of many that quotes Mr Schmidt as saying “The solution to government surveillance is to encrypt everything”. (Actually, some stories quote him as saying “The solution to government surveillance is to encrypt everyone“, which would, if anything, be even loopier. I have no idea how you encrypt a person, but it sounds like something very bad from the first Tron movie. And trying to decrypt someone with the wrong key would be incredibly messy).

The second article is this one, a Guardian piece which explains how the NSA and GCHQ did a deal allowing the former to exploit incidentally-collected metadata, rather than having to discard it. The original policy, apparently, was that data collected as a ‘side effect’ was to be discarded. Under the new deal, if an interception happened to capture traffic or metadata from an otherwise unsuspected UK citizen, the NSA could use that as the basis for a social graph analysis of that person’s contacts. However, the NSA also has a so-called “three hops” rule, under which it is authorised to examine the communications of the original person’s friends (one), their friends-of-friends (two) and their friends-of-friends-of-friends (three).

Social graphs are, in themselves, extremely revealing – of family and social relationships, social status, socio-economic grouping, and so on; this article by John Naughton gives a good introduction. There’s also research by Prof. Sandy Pentland (MIT), using mobile phone metadata to predict social behaviour, which shows just how revealing this kind of analysis can be. The Guardian’s own research suggests that, even using just the Facebook social graph of the average user, a three-hop link would net up to 5 million other users.

All this, remember, based on the metadata of a single individual whom there was no reason to investigate in the first place.

Encrypting the traffic does nothing to protect against this.
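To make that concrete, here is an added example (not from the original post, and not a description of any agency's tooling) that builds a contact graph and walks it out to three hops using only who-contacted-whom records. The names, records and function names are constructed for illustration; the payload field stands in for encrypted content and is never read.

```python
from collections import defaultdict, deque

# Constructed sample metadata: (sender, recipient, payload).
# The payload stands in for ciphertext; nothing below ever inspects it.
RECORDS = [
    ("alice", "bob", b"\x9c\x1f\x04"), ("alice", "carol", b"\x11\xe0\x7a"),
    ("bob", "dave", b"\x5d\x33\x90"), ("carol", "dave", b"\xa7\x08\x42"),
    ("carol", "heidi", b"\x6b\xfe\x19"), ("bob", "judy", b"\x02\xc4\x8d"),
    ("dave", "erin", b"\xf0\x27\x5e"), ("heidi", "ivan", b"\x3a\x91\xbb"),
    ("judy", "ken", b"\x77\x0c\xd2"), ("judy", "leo", b"\xe8\x45\x16"),
    ("erin", "frank", b"\x29\xb6\x63"), ("frank", "grace", b"\x84\x5a\xf1"),
]

def contact_graph(records):
    """Build an undirected graph from the sender/recipient fields only."""
    graph = defaultdict(set)
    for sender, recipient, _ciphertext in records:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return graph

def within_hops(graph, seed, max_hops=3):
    """Breadth-first search: map each contact within max_hops to its distance."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the hop limit
        for peer in graph.get(node, ()):
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    del dist[seed]
    return dist

def reach_by_hop(graph, seed, max_hops=3):
    """Count how many new people each additional hop brings into scope."""
    counts = [0] * max_hops
    for hops in within_hops(graph, seed, max_hops).values():
        counts[hops - 1] += 1
    return counts

if __name__ == "__main__":
    g = contact_graph(RECORDS)
    print(reach_by_hop(g, "alice"))            # people added at hop 1, 2, 3
    print(sorted(within_hops(g, "alice").items(), key=lambda kv: kv[1]))
```

Swapping every payload for different bytes, or for none at all, leaves the result unchanged, because the graph is derived entirely from the addressing fields that encryption of the content does not cover.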

Many of you probably remember Eric Schmidt saying, on Dec 3rd 2009, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place”. I used to think that he was expressing a personal opinion. However, we now know that 11 months earlier, on Jan 14th 2009, Google became one of the data feeds for the NSA’s PRISM interception system.

I now wonder whether, far from offering us his own view, Eric was just repeating his most recent advice from the NSA.
