Recent revelations about automated and semi-automated surveillance technologies, capabilities and budgets possessed by well-funded state and non-state actors since 2008, and in particular the vulnerabilities they have devised, purchased or discovered – on the server side, in Internet traffic nodes, in end-user devices and in Internet security standards – have dramatically reduced the reasonable expectation about the risk and cost of the remote continuous abuse of the privacy of any given individual by such actors, as well as by many other public or private entities with even moderate skills, resources and/or privileged access (contractors, staff, rogue admins, crackers, and entities connected to them) which may have acquired or independently developed knowledge of such vulnerabilities and the means to exploit them.
It is more and more widely acknowledged that, with relatively low cost and effort, anyone interested in snooping on anyone else – from a business or political competitor to a former spouse – can purchase the mostly-illegal services of such entities to listen to and record all calls, read all email, and copy all documents of a given user or company. The legal zero-day exploits market is indicative of how large a market exists, surprisingly legal, for such tools and techniques. No clear data is available on the illegal zero-day exploits market, but it is reasonable to assume that it is an even more extensive market.
That is the rationale behind recent market reports stating that, following the NSA surveillance scandal, consumers and businesses are predicted to move away from US cloud services to the tune of tens of billions, or even $180bn according to Forrester Research [20].
Many privacy-conscious consumers and businesses are therefore moving away from current leading providers that are mostly US-based and/or involved in the US market, and looking for alternative providers that locate their operations (and possibly HQs) in privacy-respecting countries, and which provide an all-new level of very high end-to-end privacy guarantees.
But no valid alternatives are currently available, despite many market claims.
The scandal, in fact, is as much about the NSA as it is about the overall technologies, organizational settings and oversight procedures that current providers have in place, which have proven to be much weaker than previously thought.
UVST would offer such an unprecedented level of assurance for very basic text and voice features, and would therefore constitute great market value, not only to high-worth, powerful and privacy-sensitive individuals, but also to ordinary citizens and businesses that are even moderately security or privacy conscious: the service and devices would be much cheaper and more secure than current solutions, would be easy, and would include substantial additional functionalities.
UVST would be appealing to organizations (both high- and mid-worth) since, in the case of company-provided telephones, UVST would provide substantially higher levels of security and privacy than those provided by typical secure or ultra-secure dual persona use cases (like Telefonica Dual Persona Service, Blackberry Balance and similar), or cryptophones, as well as other high-security device+cloud services.
Several public and private organizations are publicly looking to develop or purchase alternative solutions for themselves or for their clients. Brazil has committed to designing an anti-NSA email system for its organizations, to be extended to all businesses and citizens [21]; Deutsche Telekom is building a private, NSA-proof email system for Germany-to-Germany emails [22] and investing heavily in new cryptophones [23]; India plans to outlaw US-based emails for governmental use [24]. The market for privacy-enhancing technologies is booming.
Some recent news points to great market opportunities for alternative mobile platforms (especially Ubuntu) and end-to-end mobile+cloud services. Gigaom sees an emerging gap market of ultra-secure mobile devices (and related cloud services) after the demise of Blackberry and the security doubts regarding iOS and Android in the wake of Datagate. As of early September 2013, Mozilla and OpenPGP have started collaborating with Deutsche Telekom [25] – which also declared that it aims to provide an espionage-proof email service in Germany [26] – to embed OpenPGP infrastructure in both the client and server sides, which obviously offers higher levels of security than protection on the server side and in transit alone.
A key marketing point for UVST will be constituted by levels of assurance – resulting from the R&D process and extremely thorough and intensive testing – that would enable a (small or medium-sized) UVST CivicProvider to reasonably “sell” privacy with a money-back guarantee policy, in a financially sustainable way, from several thousands to tens of thousands per user, for the coverage of damages due to the provisioning of the UVST services.
In a global market where all communications – business, personal and entertainment – rapidly converge into a few leading mobile Internet platforms, and where recent state surveillance revelations have enormously raised the bar for security and privacy, privacy-sensitive and ordinary consumers feel an increasing need – alongside their commercial devices – for user-friendly voice, text and Web communications that can offer levels of privacy and security that they can truly trust, and that are widely adopted or adoptable by their interlocutors. Until recently, such a high level of trust was gained by providers through hefty security claims, backed by brand name and track record. After Snowden, such claims are increasingly perceived as far from sufficient. In this new global scenario, the highest levels of trust in a communications solution can be gained and maintained only if there is no-one to be trusted, as every single technical component and administrative process involved, including device manufacturing, is both openly verifiable and very extensively verified (on a paid and volunteer basis) by the world’s leading independent IT security experts, including ethical hackers.
According to a September 2013 Pew Research Center Survey on Anonymity, Privacy, and Security Online [27], it appears that “86% of internet users have taken steps online to remove or mask their digital footprints—ranging from clearing cookies to encrypting their email.” But despite such precautions, “21% of internet users have had an email or social networking account compromised or taken over by someone else without permission”. It seems therefore that users want and try, but fail, to find proper solutions.
“In word and deed, most Americans would like the ability to be anonymous and untracked online at least every once in a while. A clear majority – 59% – say that people should have the ability to use the internet completely anonymously. When internet users are directly asked, 18% say they use the internet in a way that hides or masks their identity. Yet when a broader battery of activities about masking behavior or content is asked of respondents, 81% say they do at least one of these obscuring activities”. It goes on to say that 14% have been using both encrypted email and Tor software, which aims to prevent firms from tracking their online movements.
“[…] users were asked: Suppose you said something critical about a product online, and you didn’t use your real name. How easy do you think it would be for the company to find out who you are anyway? … Those who had not taken any steps to obscure their online activities were much more likely to say it would be “very easy” for a company to trace them (56% said so).”
“Those who have taken steps to try to avoid observation by others (e.g. tried to avoid hackers or advertisers or people from their past) and those who have taken more general steps to be anonymous (e.g. cleared cookies, used fake names, used encryption or VPNs) are more likely than others to have each of these items of personal information posted online. This reinforces the notion that privacy is not an all-or-nothing proposition for internet users. People choose different strategies for different activities, for different content, to mask themselves from different people, at different times in their lives.”
This last conclusion reinforces the value of a solution like UVST, which aims to complement, rather than replace, the ordinary non-private and non-secure mobile/PC platforms that the user is normally using.
A recent Italian survey from Censis describes a similar demand for, and value of, privacy [28].
Furthermore, from the Pew study:
- 55% of internet users have taken steps to avoid observation by specific people, organizations, or the government
- 33% of internet users said they had tried to hide their activities from hackers or criminals
- 28% said they had tried to hide their activities from advertisers
- 19% said they had tried to hide their activities from people in their past
- 19% said they had tried to hide their activities from certain friends
- 17% said they had tried to hide their activities from people who might criticize, harass, or target them
- 14% said they had tried to hide their activities from family members or a romantic partner
- 11% said they had tried to hide their activities from an employer, supervisor, or coworkers
- 12% have been stalked or harassed online.
- 11% have had important personal information stolen such as their Social Security Number, credit card, or bank account information.
- 6% have been the victim of an online scam and lost money.
- 6% have had their reputation damaged because of something that happened online.
- 4% have been led into physical danger because of something that happened online.
- 6% said they had tried to hide their activities from companies or people who run the websites they visit