The issue of security on the Web and Internet (they’re not the same thing) has again been raised by a reader. This is going to be my definitive commentary on the subject, that I can link to when someone asks, henceforth and forevermore.

So pay attention. This is the straight skinny about security in cyberspace.

The first thing we need to understand is that the Internet is an unimaginably huge network, not really any different in concept from a home network except for one thing: as users, we have no control over the Net, as opposed to varying degrees of control over our home network or the Local Area Network (LAN) at work. As the Bard wrote, “Ay, there’s the rub.”

Here’s the deal, in a very basic way.

• My computer is connected to a modem that, in turn, connects to AT&T, my Internet Service Provider (ISP), over a high-speed Digital Subscriber Line (DSL).
• The DSL line takes my data to my ISP’s local Point of Presence (POP). This is a room full of modems that connect to and receive data from my DSL modem and send it onward. You may connect via a phone line, a wireless hotpoint or a cable connection, but for our purposes there’s no important difference.
• In my case, ATT is also the phone company, so it uses its own fiber optic system to transmit my data onward. In other cases, the ISP might lease fiber from the phone company to connect its various POPs to…
• A Network Access Point (NAP), where the network we’ve just described is able to connect with other, similar networks. It does this by means of “routers,” computers that make sure data goes where it’s addressed and (theoretically) not where it wasn’t intended. (Hold that thought.)

However — and this is a big “however” — the NAP is not connected directly to the computer of Bob, our editor here at Lockergnome. At the very least, my data will go through a reversed process, from “my” NAP along the Internet “Backbone” to Bob’s, thence to “his” phone company, “his” POP, and finally to his network or computer at home or at work. By the time it gets to Bob’s screen, my data will have been through an absolute minimum of 5 computers that were — in theory, at least — capable of accessing it before Bob reads it, including Bob’s. In fact, because we publish through a third party site, the minimum is likely eight or nine.

And, in reality, the picture is far more complicated yet. It’s unlikely — astronomically unlikely — that there is a single piece of “Internet” connecting my NAP with Bob’s. The Net is made up of fiber optic Backbones that connect NAPs run by hundreds of corporations, governments and other groups worldwide, and the transmission of data by the routers depends on which NAPs they are connected to. At those connections, in turn, the routers make decisions on the best way to get my data from Florida to California. Neither I nor Bob have any control over those decisions at all. It would not be impossible — nor especially unlikely — for my data to pass through fifteen or twenty routers on its travels, although generally the connections would be fewer.Those routers could be anywhere in the world, under the control of just about anyone, and my data could be flagged and acquired at any one of them if someone was interested.

In addition to that, many data centers pull data off the Net and store it for periods of time, your mail service, for example. Unless I delete my Gmail, Google will keep it indefinitely — because I want them to. They have my complete permission. So does your webmail provider, even if you didn’t give it in so many words. In fact, unless you’re running your own mail server in your own home or office, you can bet that every single piece of email you send, every photo you attach and a lot of what you download is stored someplace for lengths of time varying from minutes to years, and the same thing is true of P2P transmissions. (How much do you trust those folks, anyway?)

And why do people store stuff? So they, or someone else, can retrieve it later.

Them’s the facts. I don’t write ‘em, I just report ‘em.

When it comes to the issue of who gets access to those sites and that data, it hardly matters whether your ISP caves in to the Feds and coughs up your stuff or not. Anyone with access to the routers can siphon off data if they want to. Obviously, it’s easier to deal with the folks who are most likely to have handled the data to begin with — our ISPs — but, in fact, the government runs a lot of the routers themselves, as do other governments. Furthermore, lacking cooperation, how long do you think it would take the NSA to hack Earthlink’s system (if they haven’t already)? And we haven’t even talked about the private parties who go poking around for their own purposes. (Without getting into a lot of detail on that, your data stored on your friends’ computers is probably more at risk than anything on the Net. Think worms, trojans and things that go bump in the PC night.)

Your ISP has no vested interest in keeping your stuff confidential, nor does anyone else out there. They’d rather you didn’t know it’s vulnerable but, in reality, it makes no difference. You either need to use the net or you don’t. If you do, you need them.

Repeat after me: if it’s in cyberspace, it’s vulnerable, period, unless it’s encrypted with strong encryption and a good password, in which case it might attract attention, but it would be unreadable. As far as we know. Today, anyway. Which brings us to a subject for another day.

[tags]internet security, web security, computer security, email security, internet structure, encryption[/tags]