Highest Rated Comments


ekoivune 1190 karma

There are lots of things that the average citizen can do.

To begin with, good security and reasonable levels of privacy do not require big investments in terms of money. Just make sure that whatever devices it is that you use to get online are properly patched and hardened.

The biggest investment is in terms of personal time: good privacy means good operational security posture. Surf "incognito" and shy away from active content, cookies and anything that tracks you. Hide your tracks. Limit your damage by e.g. choosing individualized passwords. Spread out your online presence by setting up multiple and non-linked accounts to the services you use.

Nobody can get away from network tapping but everybody can influence how much data their devices leak and send out over the wire.

Whatever you do, please have a realistic view of what your digital footprint is. That determines who you have to trust, regardless of whether you want to.

ekoivune 392 karma

Good, thanks for the question.

Governments have a responsibility to provide us a safe and secure environment. Most of us would be terrified to know what kind of loonies and extremists walk amongst us. It is only natural that LE and counter terrorism folks want tools to not only track dangerous individuals, groups and other entities but to also identify and anticipate them.

I personally come from a CERT (as in computer security incident response) community. To some extent I can fully relate to the "collect-it-all" mindset. If your job is to trace anomalies, reconstruct timelines of past events and to provide early-warning information, it is only natural that you want to be where the data sits or flows and to be able to tap into that source. There is, however, much to be said (which I am not going to dive into now) about the mission-creep and too much focus on the haystack instead of the needle.

In my mind, the governments are doing a lousy job calculating the true costs (both in terms of monetary terms and societal effects) of forcing everybody and their cousins to collect, retain and disclose to authorities all this digital evidence. It is easy to demand unreasonable things when somebody else pays the bill. Hardly a "right to be forgotten" mentality, is it?

Where the CERT philosophy differs from the SIGINT philosophy, is that CERTs always operate with the consent of the users whose systems they tap. The SIGINT authorities "collect it all" with the orders (at best) of the national parliament or (as is the case in many countries) by the orders of the president/prime minister/king/queen. I love systems where the monitoring subject can revoke their consent at any time. :-)

I hope I was able to cover that topic. :-)

ekoivune 386 karma

UK is pretty bad and it shows. :-)

FR appears less in the public debate but - yeah - they collect lots of material in bulk.

DE has a reputation of being privacy-conscious. And at the same time their intelligence services have repeatedly been exposed for conducting something nasty.

SE was markedly open in their intentions, I give them plus on that one.

FI is now following the lead of .. yeah, whose..?

ekoivune 206 karma

You are right that most corporate solutions would be too expensive and would be too heavy to deploy and maintain for home use. And yet at the same time, it is not that uncommon to find that members of a family carry dozens of computers, tablets, mobile phones and park a number of other gadgets in their kitchen, living room, study and kids' rooms.

First, there is and will be a need for so-called endpoint protection. That is, security software installed on your device. That may be anti-virus, it may be an application-aware firewall, it may be a VPN and it may be a remote management agent. Whatever fits your need. One should really seek to make use of such security features and products if they are available. The licensing schemes are getting much more attractive to acknowledge the needs of connected families. This, in addition to the patch-harden-lock-up and good credential management, makes your endpoints a tough nut to crack.

Second, there is an increasing number of devices that you are not able to patch (at least with the frequency that you'd wish) and that offer little in terms of configuration options to secure the system. You cannot install anti-virus or VPN on your smart telly, your cheap NAS or your Wi-Fi operated lightbulbs. These devices expect that the security is provided for them by the surrounding network. And you are correct in recognizing that the home routers are generally speaking not up to the task.

An enterprise level solution would be to segment the networks, deploy LAN-to-LAN VPNs, IDS and hook the system to the SOC's monitoring routine. The home user can segment their networks (use the "guest LAN" if your router allows that) but that's about it. We have a solution up our sleeve - we expect that it will be available at the end of the year.

I am glad to see consumer protection authorities step up their act. If more similar decisions will be handed out, they may even change the way IoT manufacturers approach security. I am not holding my breath, however. More like eating popcorn. :-)

ekoivune 189 karma

The system's tendency to abuse the powers it has been granted is something that the authorities have a hard time acknowledging. The oversight mechanisms appear to be more of a checkbox exercise where the government tries to get away by merely stating that "we have oversight".

There is now a big enough body of evidence to suggest that the so-called double-lock mechanisms, documented procedures and after-the-fact inspections are not enough. There is a pronounced need for whistleblower mechanisms (and protections for the whistleblowers) as well.

One single most effective mechanism to tackle abuse of powers is to keep the authority powers at a minimum. For instance, in the UK context that would mean that instead of discussing on which terms an authority can access the bulk data, there would be a point in NOT COLLECTING such big amounts of data in the first place.