Human Voices, Episode 4: Jon Callas on Entrepreneurship in Cybersecurity

Welcome back to Human Voices, humanID’s podcast talking cybersecurity, privacy, and news in tech! This week, we have expert Jon Callas joining us and shedding light on President Trump’s TikTok ban, COVID tracking apps, and what it’s like to be an entrepreneur in the cybersecurity industry. He is a senior technology fellow at the American Civil Liberties Union. You might know him as the creator of PGP Corporation, makers of Pretty Good Privacy universal serve, The Blackphone, and an early developer of operating system software at Apple. He’s done everything from security and privacy as a developer, creating standards, being an author and entrepreneur, and running companies.

You can listen along to Human Voices right here or on Spotify, Apple Podcasts, Anchor, or ListenNotes! The below teaser has been edited for clarity and brevity by Ariana Garcia.

humanID:  What is there to learn? What are some of the big lessons you took away, for entrepreneurs that want to make a difference in cybersecurity and privacy?

Callas:  The two main things that are really difficult to figure out, are who’s going to use this thing, and how you design something for them. The people who buy your things really do consider it to be only a tool that they’re going to look at, like you would pick up a knife to use in the kitchen. If you buy a knife, you want to know how well it cuts, how easy it’s going to be to resharpen, not the details of how it was made and so on and so forth. 

humanID: That’s a great metaphor for  what definitely happens a lot in both cybersecurity and the crypto space. I feel like the easiest way to connect is to the Blackphone. That’s like the one that’s probably the easiest one to explain to the audience; it’s just a very secure phone that I would get excited about, but again, I’m not the normal user either. Is that one example of what you just talked about?

Callas: Our goal for that was, we were going to make an Android phone, and at the time, because this was 2013, if you want an Android phone, here’s 20 things you ought to do to make it a secure phone. Our thought was that we would make a phone that came out of the box with all of those things already done. I have friends who are good Android security people, and so the thought was that say one of my Android security conscious friends might buy this phone, and then not do any customization on it. Later on, Blackphone 2 was for people who were not very security savvy. One of the reviewers of it said, this is the phone that your CISO wants your CEO to carry. It was going to be the thing that the security expert would want the non-security experts to have in their hands.

humanID: Now, forward to 2020 with privacy being a bigger topic, in part, thanks to your work and effort, and also thanks to the misconducts from some companies like Facebook. Privacy’s now really being much more sought after. You’ve been quoted saying that tech companies are a bigger risk to privacy than governments. Can you elaborate on this, and specifically, how does it compare with what you just talked about?

Callas:  You get into the old question of What’s your threat model? What are you really afraid of? Who do you really think is your adversary? In my Blackphone days, our customers were people who were doing business in places like China, or Russia, or the Middle East, where the threat of being spied on by the local government was relatively high. In Europe, US, Canada, Japan, I’m less worried about the governments because commerce is more separated from the government. In China, for example, almost all companies are at least partially owned by the government. And that just comes from the way that they run their economic system. It is a thing that it is very easy to misunderstand both the reality and the xenophobic fear. You can see that right now in the whole fuss about Tik Tok. Tik Tok is every bit as much of scooping up your information as Instagram, Facebook, you name it. They’re all picking lots of information and monetizing you. We also know that there’s weird company connections between them and the Chinese government. I believe that the fears about the connections are probably overblown. Still, it’s a social network that is certainly no better than any of the other social networks going on.

To pull it back, this really is What are you actually protecting against? No secure phone that you have is going to protect you against something like a targeted ad campaign that is trying to sway your beliefs in a direction. That’s not the security that we do in operating systems and cryptography and so on. 

humanID: But somebody needs to do that work, and what if Apple doesn’t do it?

Callas: If I walk into a physical brick and mortar store, I expect that if I buy a bottle of water, it is a safe bottle of water. The store has a certain responsibility and accountability to me. That includes the store talking to its suppliers to make sure that they have been following safety standards. If you end up in a situation where the people selling the water to the store lied about passing the safety standards, where does the accountability fall? The store is going to say, I did everything that I possibly could. It doesn’t necessarily fall to any one place, it falls to civil society to come up with the rules that we think that people ought to follow. It falls to the marketplaces themselves. It falls to the producers of the products. All of them down the line. We have to figure out what the analog would be in the software world. 

That is the large problem that we’re trying to figure out right now: Who is responsible for what.