Security Expert: Trusting Service Providers With Security Is Dangerous

In the days of feudalism, serfs and minor lords pledged allegiance to the king and received protection in return. As long as the king held up his end of the bargain, the system worked. If he didn't, the system would crumble, as it eventually did in Europe around the 15th century.

Bruce Schneier, CTO of BT Managed Security Solutions, sees the feudalism dynamic happening today on the Web, where users of social networking and other online services must blindly trust that the companies providing those services are paying enough attention to security. And given the power these firms wield, that is by no means a safe assumption.

Service providers are getting better at collecting user's data, a trend that could pose problems for serfs down the road, Schneier said in a Tuesday afternoon talk at the RSA Conference 2013 in San Francisco.

[Related: 8 Cool Network Security Products At RSA 2013 ]

"Remember when Microsoft was the big company we were all worried about? Now it's Google, Amazon and Facebook," Schneier said. "Already, Google knows more about my interests than my wife does. ... We as users have to trust these vendors."

In the traditional security model, the onus was on the user to choose the right products for their needs, such as antivirus and firewall, and to configure it on their networks. Now that traditional model is breaking, according to Schneier.

He chalks this up to the rise of devices such as the iPad and iPhone, over which Apple exerts complete control; and cloud services, which vendors maintain completely on their own, affording zero visibility to the end user.

"You can't control security on Gmail or Facebook," Schneier told RSA attendees. "You get what they provide. With this model, someone else is taking care of it. When we trust Facebook security, we do it blindly."

Governments and corporations hold the lion's share of power at the moment, and they're increasingly using the Internet to further strengthen their position. Under the banner of combating digital piracy, media companies are using the government to enforce their business models with proposed legislation like the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA), said Schneier.

"Right now the powerful are winning these debates, whether it's law enforcement or a large corporation," Schneier said.

NEXT: Can We Trust Service Providers Not To Screw Up?

Security in online services is inherently standardized, and users have no ability to customize security on the system. But this arrangement has its risks, BT's Schneier said: Vendors can make mistakes or employ heavy-handed methods of keeping users tied to their services, for example.

"We all now carry tracking devices in our pockets, and we're even turning on [GPS] to get better maps. Government and corporate power controls your data now, not users," Schneier said. "And what's happening now is that the powerful are trying to change the rules of the game to fit their agendas."

For example, media content companies are trying to change laws in order to shore up their copyright enforcement abilities. As companies get more control in such fashion, they're going to have more control over security as well, Schneier said.

Schneier believes we're headed for even more intense battles. He's advocating more research into surveillance, censorship and propaganda, both from the government and corporate sides.

Safe places for the anonymous publication of information are also needed; WikiLeaks provided that, but U.S. authorities made clear it would not tolerate copycats, he noted.

Basically, what's needed at this point are mechanisms to tip the balance of power back to the serfs, Schneier said. "We need good government to enforce obligations on these companies instead of just giving them rights," he said.

PUBLISHED FEB. 26, 2013