Jan 7, 17 / Aqu 07, 01 12:20 UTC
Security concerns
With the recent "don't share your ID" notice, I started wondering about how Asgardia treats online security issues. Not very well in my opinion, at least as far as I can tell, since nobody really addressed any concerns raised by me or others. First, let's talk about this ID Number. It was sent to us in an email, as plain text. Now, whatever the server that sent it does, as soon as a plain text email is out on the internet, it's practically defenseless. Which means that every device between there and our computers had a chance to read and store it. Now, because it has the line ID Number followed by a number in it, it's probably stored by countless bots immediately and linked to our names and email addresses; by now everybody doing data mining has it all over the world. Also, services like Gmail and Outlook can read and store unprotected emails, and although there might not be a single person who ever reads any of them, their algorithms certainly scan and fetch seemingly important information. Not to mention that in many countries all service providers are legally bound to make all information stored and going through their servers available to the authorities, which is not just unethical but also a serious security risk. So there's a 99.99% chance that none of our IDs are actually private anymore; if this ID will be used as a future method of validating our identity, they are already compromised. Also, the emails were not just unencrypted, they didn't even have digital signatures. There's a reason why no authority, bank or any serious organization sends or asks for sensitive information by email. So why does Asgardia?
Furthermore, what does Asgardia do to protect our identities and personal information anyway? We don't know where the servers are (or, if there are no dedicated servers owned by AIRC, who hosts everything we use), what security measures they take against attacks, how they keep Google and other search engines out, what Asgardia will do when some authority asks for its database containing our personal information, etc. Even this website uses the Let's Encrypt service, which is fine for private use of a single person's own website but very far from what you'd expect from a project that intends to create a new nation in the future.
I know this is the beginning, but every serious undertaking must have a detailed plan, especially if it concerns online privacy, and even the initial stages must have appropriate security measures to protect the participating individuals and address their concerns.
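Added example, not part of the original post: the properties the post discusses (encryption in transit, encryption of the message itself, digital signatures) can be read off a received message's headers. The sample message, its hostnames and the `audit` function are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; hosts, addresses and IDs are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTPS id abc123
\tfor <citizen@example.org>; Sat, 07 Jan 2017 12:00:00 +0000
Received: from app.example.net (app.example.net [192.0.2.20])
\tby mx.example.net with SMTP id def456; Sat, 07 Jan 2017 11:59:58 +0000
From: Registration <noreply@example.net>
To: citizen@example.org
Subject: Your certificate
Content-Type: text/plain; charset=utf-8

ID Number: 0000000
"""

# RFC 3848 "with" protocol keywords that indicate a TLS-protected hop.
TLS_PROTOS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def audit(raw):
    """Report signature and encryption indicators found in a raw message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    # S/MIME uses one MIME type for both cases; smime-type tells them apart.
    smime = msg.get_param("smime-type", "") if ctype == "application/pkcs7-mime" else ""
    hops = []
    for header in msg.get_all("Received", []):
        m = re.search(r"\bwith\s+([A-Za-z0-9]+)", header)
        proto = m.group(1).upper() if m else "UNKNOWN"
        hops.append((proto, proto in TLS_PROTOS))
    return {
        # Domain-level signature added by the sending infrastructure.
        "dkim_signed": "DKIM-Signature" in msg,
        # PGP/MIME or S/MIME applied to the message itself.
        "end_to_end_signed": ctype == "multipart/signed" or smime == "signed-data",
        "end_to_end_encrypted": ctype == "multipart/encrypted" or smime == "enveloped-data",
        # Received headers are written by each relay and are not
        # authenticated, so the hop list is indicative only.
        "hops": hops,
        "all_hops_tls": bool(hops) and all(tls for _, tls in hops),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Presence of a `DKIM-Signature` header only shows that a signature was attached; validating it requires the sender's published DNS key, which this offline check does not fetch.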