Our country changed so quickly in the past week that it feels like the pod doors have been sealed shut and an antigravity switch flipped inside our borders. From the outside, it probably looks like a snowglobe scene of hell. The Doomsday Clock advanced, "thanks to Trump," and it's now only two and a half minutes to nuclear midnight, while The Economist's Democracy Index downgraded the US from "full democracy" to "flawed."
The Trump era has people afraid of malicious government tracking and spying in ways set to exceed the panic of the NSA-PRISM revelations. Infosec, hackers, and the general public have changed their attitudes about security and privacy practices in the short time since Trump took power. Use of encrypted apps has spiked among the general public. Email service Lavabit relaunched with a distinctly anti-Trump sales pitch. And now a significant number of infosec professionals are saying they don't want to engage with the new administration.
In a Twitter poll, 230 information security professionals were asked if they are more or less inclined to engage with US-government-led cyber initiatives under a Trump presidency. Forty-one percent said that the Trump administration has a negative effect on their willingness to participate.
Some infosec professionals who run companies are taking a more public position.
Email service Lavabit relaunched on Inauguration Day in the United States to make a statement. Under pressure from a federal gag order in late 2013, Lavabit founder Ladar Levison shut down his email service to avoid complying with a US government request for his users' emails. Lavabit returned with what they're calling a Dark Internet Mail Environment (DIME), "a revolutionary end-to-end encrypted global standard."
In "Lavabit Reloaded," Levison wrote:
"Former Lavabit users will be able to access their accounts in 'Trustful' mode and update their credentials to the new DIME standard. Anyone who wants a future Lavabit account can pre-register for our next release available in all security modes... Today, the democratic power we transfer to keep identities safe is our own."
Timing is everything. Right now the internet is seeing a burst in guides to keeping things private in Trump's America, as well as how to avoid Big Brother. Perhaps that's why the reporting on Lavabit was more than a little too eager. Some reporters must've heard trumpets calling to arms against government surveillance; many praised Lavabit's pros while forgetting to remind everyone of the cons.
For instance, Lavabit doesn't yet have end-to-end encryption. And as ProtonMail detailed in a Reddit post:
"Lavabit claims to have solved their fatal SSL weakness using a hardware security module (HSM). However, this is disingenuous at best, deceptive at worst. Now instead of asking for the SSL key, the US govt will simply ask for the HSM. In other words, the original problem that killed Lavabit still exists."
And Lavabit had a lot of problems to begin with. A big one being that it's located in the United States.
Which brings us back to the original issue.
Hackers and frontline workers aren't the only ones who don't want to engage with a government they're more afraid to turn their backs on than before. The general public has a newfound interest in anti-surveillance communications, jettisoning anything that might let the US government in on their privacy and security. We've witnessed this before, but this time it's distinctly different.
There's no doubt that Trump's winning the election helped launch Signal into the mainstream. The secure chat app's downloads grew 70 percent globally near the end of 2016 (half a million were in the US alone). According to the press, "the app is getting more sustained daily downloads than Open Whisper's encrypted products did after its second biggest boost: Edward Snowden's revelations about the surveillance conducted by the NSA."
It's not unusual to see a flood of new users and heightened activity on encrypted communication services when a government blocks a service or an app. When Brazil ordered cell phone carriers to block WhatsApp for 72 hours, interest in Telegram and iMessage spiked. These numbers usually calm back down -- but this time they're not.
According to its developer, the Android Tor browser Orbot has seen downloads in the United States go up 30 percent since the election -- and they're not declining. "We'll see a time-bound spike for a day or a week and then things go back to normal. What's different in this case," Freitas told the press, "is things don't go back to normal."
And I doubt they will. We're seeing a growing trend of people flocking to secure messaging and educating themselves about security and privacy. Which is really good.
Especially considering that the new administration has shown that it's both careless and ambivalent about security.
Presidential infosec, post-DNC hack
—@POTUS uses private email
—"old, unsecured" Android phone
—@POTUS has no 2FA
—Spicer tweets password 2x pic.twitter.com/sdOvLKrWLu
— Thomas Rid (@RidT) January 26, 2017
We'll probably also see infosec communities struggle and split. There will be painful moments when companies have to make heartbreaking decisions. They'll be forced to face working toward a more secure world versus working for an administration that doesn't care about security or tomorrow. One that loves to punish anything and anyone it perceives as a threat. The users will be caught in the crossfire, of course. And they'll be awash in three times as many snake oil security products hitting app stores as we saw after the revelations of NSA spying.
All of this signals a genuine crisis. It's one where we feel shell-shocked, and ache for a time not all that long ago when we felt hopeful about the encryption argument. But if there's anything to be gleaned from all these open expressions of government mistrust, it's that we're ready to fight for our privacy and security like never before.
Images: Andy Katz/Pacific Press/LightRocket via Getty Images (Man and phone, lead); Lavabit (Bird with email, from Lavabit DIME specifications document)