Por F. H. Uribe | Amaca Tech
- Actualizado: 1 de octubre, 2022 -
(NOTA: Por el momento, este documento está disponible solo en inglés)
Nowadays, almost all aspects of our lives have been repurposed into exploitable goods—turned against us to better empty our wallets, manipulate our actions, and influence our thinking. Today's dredgers and custodians of our private matters hide their true intentions behind legal jargon and, time and again, have proven themselves fickle, unreliable, untrustworthy. Governments aren't helping much either. Depending on where you live, privacy laws and their enforcement have been lacking at best, nonexistent at worst. But part of the responsibility lies with us—the general public. We have naively surrendered our privacy for convenience. Turns out corporate greed, lack of proper regulation, and public complacency have stirred up a recipe for disaster. People are sobering up to the fact that their trust was misplaced, their privacy mishandled. They want to regain control of their privacy. But how? Encryption is an obvious, if complex, solution. When it comes to securing communications, end-to-end encryption—which requires no user intervention—is an excellent solution to many problems. But not all. For, what are people to do when the key-holders and wardens of their encrypted data are the very ones who misuse their power and fail to act with the public's best interest in mind? Responsible, law-abiding citizens deserve effective means to directly protect their privacy. Here, we propose a solution to this problem. It's called Amaca—an easy, safe, and free online tool empowering individuals to encrypt their own written content for sharing and safekeeping. Amaca lets users create and control their own encryption keys. No unwanted third party holds the power to encrypt or decrypt their private written data, and no technical knowledge is required. It's accessible to all.
Until recently, privacy was not a topic of great concern. In most people’s minds, protecting their privacy meant having a set of keys to lock a few doors and cabinets; maybe storing some valuables inside a safe in the closet or at the local bank.
Today, our most intimate data lives in servers and databases beyond our reach. Our every move, email, text message, and post captured by smart devices or shared online is ingested by the likes of Facebook, Google, Twitter, and Amazon.
And it's all for sale.
Almost all aspects of our lives have been repurposed into exploitable goods—turned against us to better empty our wallets, manipulate our actions, and influence our thinking. “But not to worry,” they tell us. “We’re just sharing metadata.” As if nothing of consequence could be extracted from the mountains of intelligence mined from us over the years. And let's be perfectly clear, they are hawking more than just metadata. [1] [2] [3]
Today's dredgers and custodians of our private matters hide their true intentions behind legal jargon. They make it hard, if not impossible, for users to change their accounts’ (weak-by-default) privacy settings, confident that most people won’t adjust them. And even if they do, it isn’t much guarantee of anything. [4] [5]
When first questioned, the companies claimed their practices were benign and necessary for them to stay in business. When these assertions were challenged, they promised to change their ways. They didn’t, not really. Truth is, these self-appointed superintendents have time and again proven themselves fickle, unreliable, and untrustworthy. [6] [7] [8] [9] [10] [11] [12]
Then, there's the role of government. Depending on where you live, privacy laws and their enforcement have been lacking at best, nonexistent at worst. While more than 150 national constitutions mention the right to privacy (the US Constitution isn't one of them), most world governments have been slow, if not unwilling, to create or update privacy-related regulations that meet today’s challenges.
When, in the early-2000s, Google adopted the motto “Don’t Be Evil”, we cheered them on. With good reason. When Facebook a few years later pledged, “We do not and will not use cookies to collect private information from any user,” we believed them. Why wouldn’t we?
As we signed up and joined fates with them in digital bliss, ours became a marriage of convenience. Later, things began to change. First in baby steps, then in giant strides, they proceeded to plunder and peddle our data; we went on to surrender our privacy. “I have nothing to hide,” we assured ourselves. [13] [14] [15] [16]
Turns out corporated greed, inadequate governmental protections, and our own complacency stirred up a recipe for disaster—a volatile, foul mixture that ended up exploding in our faces. Google’s devious harvesting of personally-identifiable information, Facebook’s Cambridge Analytica political scandal, and Amazon’s Alexa privacy controversies are but a few early examples. [17] [18] [19] [20] [21]
People are sobering up to the fact that their trust was misplaced, their privacy mishandled. The abuse and the gullibility—both need to stop. It’s time for people to regain control of their privacy.
But how?
In pursuing sensible solutions to privacy issues, one important hurdle is complexity.
Digital privacy and security rely on math and cryptography. One major component is encryption: a process of encoding information so that only authorized parties can access it. Encryption is a highly technical affair. Both common sense and industry best practices indicate that it’s wiser to leave such complicated matters to the experts. When it comes to encoding communications, one excellent solution is end-to-end encryption—a system that doesn't require user intervention. However, end-to-end encryption doesn't solve every problem. [22] [23] [24]
Responsible, law-abiding citizens deserve effective means to directly protect their privacy.
Just as companies have the right to protect their investments and make an honest profit; just as governments have the duty to protect the rule of law; individuals have the right to protect their privacy from unchecked corporate greed and unwarranted government intrusion. Not to mention meddlers, bad actors, and foreign intruders.
To this end, we are launching a new online tool to help people get some measure of control over their privacy. One that is as simple as it is effective.
It’s called Amaca®.
Amaca (by Amaca Tech, LLC) is a web-base application that empowers individuals to easily and securely create their own encryption keys, and to encrypt their written content for safekeeping and sharing. To encrypt written information, a user simply enters a unique keyphrase, then types or pastes the text to encrypt, and clicks.
In granting non-expert users full control over the encryption process, Amaca tackles potential risks in secure, novel, and effective ways. Among them:
In the encryption process, the first step is creating the encryption key—a long string of numbers constituting the components of a formula used to encrypt and decrypt data. In cryptography, randomness is important because the more random a cryptographic key is, the more difficult it is to break—even by costly computer-generated attacks. When creating encryption keys, it is standard to use computer algorithms that generate random or pseudo-random numbers. [26]
However, for the creation of its encryption keys Amaca doesn’t use computer-based generators that result in impossible-to-remember keys. Instead, Amaca users themselves determine a “keyphrase” (a long, written phrase made up of any characters from any language or writing system, even emojis) that makes complete sense to them, but not to others.
How can such a user-created keyphrase be random to any safe degree?
First, Amaca keyphrases have these qualities:
Second, Amaca encourages users to be thoughtful and get creative, and to come up with all kinds of things that are incredibly easy for them to remember, but practically impossible for others (or even keyword-breaking algorithms) to guess.
JAMAL. To create his keyphrases, Jamal uses a silly poem he wrote back in high school. Only Jamal and his girlfriend know it, and they use different lines from this poem as keyphrases to encrypt their shared messages.
HANNAH. To safely store and exchange private information with her family, Hannah creates keyphrases generated from a lullaby her mother made up and would sing to her when she was a toddler. The lullaby is in Korean, and it’s only known by Hannah, her partner, and their 2 teenage children. Hannah and her family write their keyphrases using Hangul script, even though the messages being encrypted are in English.
ALEX. Alex is a human rights activist and organizer. To exchange critical private information with their group, Alex creates a keyphrase protocol that generates over a hundred keyphrases and even new protocols with little to no additional communication. The protocol is a breeze for the group to remember and minimizes the risk of a keyphrase being intercepted or figured out by unwanted third parties.
GABRIELA. Gabriela heads her own business. To safely store and exchange private information with her partner, they agree on using a different keyphrase every week. So they settle on a simple protocol: Their keyphrase for any given week will be the last sentence from the last email Gabriela sent her partner the previous Friday of said week.
Now, imagine a very large number of users—say, in the millions—coming up with millions of weird, random keyphrases, all in different languages, using different writing systems including emojis, and different lengths. That’s about as random as random gets.
The term “herd immunity” comes from the field of medicine. It refers to a form of indirect protection from infectious disease that occurs when a large percentage of a population has—through vaccination—become immune to an infection, thus providing a measure of protection for individuals who are not immune. [27]
Similarly, the Amaca herd immunity effect (or Amaca effect, for short) offers indirect protection to those users who may not have been sufficiently careful and responsible during the encryption process by, for example, using an easy-to-guess encrypting keyphrase.
When a large company or organization stores extensive amounts of valuable data, they spend millions of dollars protecting their networks and servers. Breaking into these systems requires equally colossal resources. If malicious hackers consider that the potential bounty extractable from a system is valuable enough, they might be willing (and able!) to allocate gigantic amounts of money, time, and resources trying to break in. Such a system under attack constitutes a single point of failure because, if the attackers are successful, they could potentially gain access to all the data contained therein and jeopardize the security of millions of people. All in a single blow. Think of the damaging attacks done on credit reporting firm Equifax in 2017, and more recently on the facial recognition technology startup Clearview AI. [28] [29]
In contrast, if thousands of individuals use Amaca regularly to create thousands of encryption keys and encrypted messages that they themselves store, the risk of an attack gets widely dissipated.
No user data is ever transferred to—or stored in—Amaca or third-party servers, so there’s no single-point-of-failure to attack there.
The time, money and effort it would take a malicious attacker to figure out a single encryption key or decrypt a single message would still be considerable due to the strength of Amaca’s secure algorithm.
But even if an attack on a key or message were successful, the attacker would be gaining access to only a single key or message, from one individual. In the mind of a malicious hacker, would an attack rendering such a potentially minuscule bounty at a potentially huge cost be worth their trouble? Probably not.
Here are a few examples of how Amaca can help people take back control of their privacy…
Social security and passport numbers; safe box and lock combinations; sensitive travel, medical, banking or insurance information; instructions for emergency situations.
To share and protect email and text messages from being understood by unintended recipients and/or snoopers.
Surprise party invites, sharing secret family recipes, holiday gift planning, party planning, etc.
To safely notify/report on situations such as: domestic abuse, sexual harassment, sexual abuse, rape, child molestation, child abuse, child endangerment, child neglect, elderly abuse, etc.
To safely store and share confidential personal information with: lawyer, therapist, doctor, accountant, banker, financial consultant, professor, mentor, investor, insurance agent, etc.
To encrypt posts intended for a specific group of people, and without the platforms being able to decode the content (and misuse or exploit it for commercial or other purposes).
To safely share confidential transactional information such as: credit card and bank account info, address/delivery details, non-disclosure agreements, letters of agreement, and so on.
To safely store and share confidential internal communications, quotes, inter-office documents, contracts, bank account information, wire-transfer requests, financial market-related instructions, accounting information.
To secure sensitive digital communications with full anonymity.
For quick copy/paste encryption, decryption and reconstruction of Excel and other spreadsheet tables.
To encrypt and store important written data before uploading it to a cloud service such as Dropbox, Microsoft OneDrive, or Google Drive. By using Amaca to encrypt your written content with your own key, you ensure that, once in the cloud, your content will be safe from snooping and immune to potential back door access by unwanted third parties.
Encrypting your written content with Amaca and then uploading it to a cloud service is a highly effective, safe and instant way to travel with your confidential data, and to share it with others anywhere in the world.
To protect and secure sensitive digital communications with full anonymity.
To safely notify on secretive information or activity deemed illegal, unethical or inappropriate within an organization.
To securely exchange information with confidential sources. To safely store and exchange manuscripts, drafts, or not-yet-published finished works.
To add an extra layer of encryption to cryptocurrency private keys and transactions. Also, to encrypt PINs and recovery phrases.
Into the future, protecting people’s right to privacy will require an ongoing and deliberate effort...
Amaca aims to be one small but effective piece of this vital privacy puzzle. We hope the public finds it useful.
For more information, please visit: https://amaca.tech
[1] Duncan, Geoff (June 17, 2010). "Open letter urges Facebook to strengthen privacy". Digital Trends.
[2] (November 29, 2011) "Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises". FTC.
[3] Mullin, Joe (August 27, 2013) In ACLU lawsuit, scientist demolishes NSA’s “It’s just metadata” excuse. Ars Technica.
[4] Rasool, Aqsa (February 7, 2019) “Google Does Not Respect Users’ Privacy, Claimed DuckDuckGo”. Digital Information World.
[5] (August 27, 2013) “Social networks: can robots violate user privacy?”. ImmuniWeb.com.
[6] Wakabayashi, Daisuke (June 2, 2020). “Suit Claims Google’s Tracking Violates Federal Wiretap Law”. The New York Times.
[7] (March 25, 2018). “Facebook boss apologises in UK and US newspaper ads”. BBC.
[8] Timberg, Craig; Romm, Tony (March 18, 2018). "Facebook may have violated FTC privacy deal, say former federal officials, triggering risk of massive fines". The Washington Post.
[9] Fowler, Geoffrey A.; Esteban, Chiqui (April 9, 2018). "14 years of Mark Zuckerberg saying sorry, not sorry". The Washington Post.
[10] Simpson, David; Brown, Pamela (September 30, 2013). "NSA mines Facebook, including Americans' profiles". cnn.com.
[11] Van Grove, Jennifer (January 2, 2014). "Facebook sued for allegedly intercepting private messages". CNet.
[12] Prigg, Mark (November 26, 2014). “Privacy backlash as Twitter starts to snoop on EVERY app users have on their phone”. DailyMail.com.
[13] Davies, Harry (December 11, 2015). "Ted Cruz campaign using firm that harvested data on millions of unwitting Facebook users". the Guardian.
[14] Ingram, David; Fioretti, Julia (March 28,1018). Facebook cuts ties to data brokers in blow to targeted ads. Reuters.
[15] Lapowsky, Issie (April 10, 2018). "Cambridge Analytica Could Also Access Private Facebook Messages". Wired.
[16] Baig, Eduard (April 13, 2018). "How Facebook can have your data even if you're not on Facebook". USA TODAY.
[17] Angwin, Julia (October 21, 2016). "Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking". ProPublica.
[18] Graham-Harrison, Emma; Cadwalladr, Carole (March 17, 2018). "Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach". the Guardian.
[19] Kozlowska, Hanna (April 4, 2018). "The Cambridge Analytica scandal affected 87 million people, Facebook says". Quartz.
[20] McCarthy, Kieren (December 20, 2018). "2018 ain't done yet... Amazon sent Alexa recordings of man and girlfriend to stranger". The Register.
[21] Wasson, Linda (November 21, 2018). “Alexa, is that you? Amazon exposes user data in mystery breach, issues creepy non-explanation”. Reuters.
[22] End-to-End encryption (E2EE). technopedia.
[23] Greenberg, Andy (November 24, 2014). "Hacker Lexicon: What is End-to-End Encryption?" Wired.
[24] Surveillance Self-Defense – “End-to-end encryption”. SSD.EFF.ORG
[25] Vigliarolo, Brandon (November 30, 2018). “Man-in-the-middle attacks: A cheat sheet”. TechRepublic.
[26] Schiller, J. (Motorola Laboratories); Crocker, S. (MIT). RFC 4086 - Randomness Requirements for Security.
[27] Fine, P.; Eames, K.; Heymann, D. L. (1 April 2011). "Herd immunity": A rough guide". Clinical Infectious Diseases.
[28] Haselton, Todd (September 7, 2017). “Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers”. CNBC.
[29] Valinsky, Jordan (February 26, 2020). “Clearview AI has billions of our photos. Its entire client list was just stolen”. CNN Business.
Regresar a Tips y guías