The Inevitability of Trust
Almost every weekday I board a bus, find a seat, and tether my laptop to my mobile phone so I can check my email. Now, I am one of the most security-conscious (paranoid?) people you are likely to meet, but in the one simple act of checking my email, I place unquestioning trust in thousands of people around the world.
(photo captured from the movie “Safety Last”, now in the public domain)
It is easy for us to lose perspective on how much of our daily life is utterly dependent on trusting other people. Sometimes that trust is broken or undermined, but the vast majority of the time everything goes exactly according to expectations and we all benefit. In this post, I am using the simple example of checking my email from the bus to illustrate a few of the layers of trust we all depend on. In the spirit of “the exception proves the rule”, I will also link examples of when each layer of trust was purposefully violated.
The Location
I type my laptop password and unlock my phone.
This is a commuter bus, so I sit next to a subset of the same 90+ people every day. I do what I can to hide my keystrokes, but shoulder surfing is a thing that really happens. Also there are cameras everywhere, much to Kanye West’s chagrin. But, you know, it makes little sense to have a mobile computer if I refuse to use it when I am mobile.
The Equipment
I tether my laptop to my mobile phone.
Whatever the manufacturer of the mobile devices, there are dozens, if not hundreds, of different suppliers involved in creating, assembling, and testing the components. Every person involved has an opportunity to implant hardware components that might contain hidden or even openly hostile features and flaws. Sometimes even the simplest component, like the cable I use to connect my laptop and phone, can be counterfeit and malicious, even if bought from a reputable source.
The Network
I configure my mobile phone to allow the laptop to access the Internet.
The SIM card in my mobile phone identifies my device, and me by extension, to the mobile phone network. My mobile provider is usually very good about security, but mistakes happen. The unique identifiers and other information on the SIM allow mobile activity to be traced back to me, so it would be very bad if someone were able to steal that information and create a copy. Another good thing about my mobile provider is that they provide 4G LTE service, which encrypts data between my phone and the base station. Assuming my phone actually connects to a legitimate base station, my data is safe and I can be sure no extra activity is added and attributed to me.
The Software
I open the VPN software that allows me to connect to my secure network.
Innumerable people were involved in writing, security testing, managing, distributing, and patching the operating systems and the hundreds of software packages, development platforms, and libraries on my laptop and phone. I have no way of controlling, or even selecting, most of the software involved in my daily life. All I can do is trust that most of the people involved are well-intentioned and applying good security practices. Certainly, some of them are smart enough to do almost anything they want with almost no chance of being caught.
The Encryption
I connect the VPN and download my email.
Several layers of cryptographic functions are applied in the various authentication and encryption layers involved in checking my email. Connecting the VPN requires me to enter a frequently-changing number generated by a physical token that I carry with me. The combined information is somehow used to encrypt the VPN tunnel. As long as the password is stored securely, the generated number is unguessable, and none of the computers involved in the encryption are being watched, my network traffic is safe. Logging into my email requires a separate password and another authentication factor. I do not use text messages to receive codes, opting instead for a better, but not perfect, physical token. I feel good about the security of this connection because the connection is encrypted, but I really just have to hope that my browser is behaving and that a relatively secure set of encryption algorithms is negotiated for the connection. Of course, since public key encryption is involved, I hope that all of the root and intermediate certificate authorities trusted by my browser are in full control of their private keys and are not actively performing man-in-the-middle attacks.
The Point I am Trying to Make
I save my attachments to my cloud drive.
We all trust many thousands of people with every action we take online. There are a lot of ways that trust can be broken, as demonstrated by the twenty or so examples (there are many, many more) referenced in the above text. So, with that in mind, does it really make sense to be afraid of entrusting your data to companies that pay one of the major cloud providers to store it and keep it safe? Is it realistic to worry that the cloud provider might steal the data and do terrible things with it, in violation of multiple contracts and laws? Personally, I think there are other things to worry about.