The techies versus the NSA


Edward Snowden was interviewed live yesterday at the SXSW festival in Austin, Texas before a crowd of over three thousand. The moderator was his ACLU attorney Ben Wizner, and Chris Soghoian, the principal technologist for the ACLU, was also part of the panel. The event lasted an hour. You can read a live blog of the session or watch it below.

I watched the interview as it was live streamed. Snowden’s appearance was routed via seven proxies to keep the NSA tracking system from locating him, and the end result was that the video feed kept freezing up, although the sound was mostly intact.

Much of the discussion involved what to do about privacy and security. In response to a question from Wizner as to how he was so confident the data he took is still secure, Snowden replied that “The United States government has assembled a massive investigation team into me personally, into my work with the journalists, and they still have no idea what documents were provided to the journalists, what they have, what they don’t have, because encryption works.” Snowden said that currently available encryption systems at the highest level are powerful enough that they cannot be broken even by the NSA.

But as Soghoian pointed out, that kind of encryption is outside the range of skills of ordinary people, and they are not going to go to the trouble of installing PGP or using Tor to secure their data. A new phrase, the ‘Greenwald test’, has entered the lexicon and was used repeatedly during the interview. It refers to the fact that Snowden had a hard time initially getting his chosen conduit for release (Glenn Greenwald) to learn and use the encryption technology at the level necessary to keep their conversations secure. Snowden said that we need to create a level of security that is powerful enough to foil those seeking to spy on us and yet easy enough to use that at least journalists are able to use it.

(In his own later livestreamed appearance at SXSW before another packed audience, Greenwald joked that he had seen the entire Snowden interview “Including the part where he very generously held me up as the face of journalistic ineptitude, when it comes to technological challenges.” Julian Assange also spoke at the festival and promised the release of more information soon though he did not give any details.)

Snowden and Soghoian said that we will have to depend upon the companies that create browsers, social media platforms, and other internet software to incorporate high-enough quality security measures into their systems as the default option so that it is pretty much invisible to the end user. If they do that, then the sweeping up of everyone’s data that leads to all manner of abuses can be stopped. People may not be able to evade targeted snooping by the government unless they choose to go even further on their own, but that kind of targeting, if backed by judicial search warrants, is part of regular law enforcement and few are suggesting that governments be denied even that capability. Properly supervised, monitored, and constitutional searches are not the real problem. As Snowden said, the Fourth Amendment prohibits “unreasonable searches and seizures” and the security agencies are currently seizing everyone’s personal data even if they are not searching all of it. He further said that the built-in security systems should be such that it becomes too costly for the government to conduct mass surveillance.

As Soghoian said, it is thanks to Snowden that the big companies are tightening up their security systems at all, largely due to the avalanche of negative publicity that the releases have generated that seemed to show their collusion with the government. For example, in another SXSW talk, Google CEO Eric Schmidt said that “the [Snowden] material alerted his company to the fact the U.S. government was intercepting data from Google’s servers” and that as a result “the company has since enhanced its encryption and is “pretty sure” the government can’t access the data.” Still, he said that “the company must comply with court orders for information.”

The crowd seemed overwhelmingly favorable to Snowden and seemed to respond positively when, according to this NPR report, he “told the assembled technologists in Austin that they should start building end-to-end encryption into all their products. He called it the defense against the dark arts of mass surveillance.” Soghoian said that the systems people who implement security at these companies are really ticked off that the government, using the National Institute of Standards and Technology (NIST), deliberately weakened the encryption standards in order to give the NSA and GCHQ easier access.

One thing that is becoming increasingly clear is that a key sector of the tech world, those who are systems administrators and in similar positions who are the most knowledgeable about security, are largely supportive of what Snowden did. This was also apparent in the way that attendees at the earlier 30C3 conference in Germany reacted to the fascinating talk by Jacob Appelbaum titled To Protect and Infect: The Militarization of the Internet and to the session that Appelbaum moderated in which Julian Assange spoke and at which Sarah Harrison also made an appearance. Assange called on the audience to infiltrate the system and expose information from within. The large audience consisting of systems administrators responded enthusiastically to their call to join in combating government spying.

I was glad to see Harrison get a massive ovation when she appeared on stage at 30C3. She is a little-known journalist who works for WikiLeaks and has played a huge role, being the person who flew with Snowden to Russia and helped negotiate his stay there and thus saved him from a life in prison. For her efforts, she cannot now return to her native UK because she will be arrested. In her talk, she said something that I was unaware of, that due to the public outcry, MasterCard and PayPal had retracted their earlier bans on sending money to WikiLeaks.

All this support for Snowden and WikiLeaks must worry the NSA because they too desperately need the tech savvy young people to do their work. If such people cannot be trusted to swear unswerving loyalty to the interests of the national security state, then the NSA is destined to suffer from one serious exposure after another because the number of Snowden emulators will be endless.

Comments

  1. Dunc says

    The problem is, can you really trust any encryption system you didn’t set up yourself and don’t understand? Then there’s the minor matter that, as we have recently seen with Apple, even the most well-meaning of companies can utterly fail to implement even very mature security protocols correctly.

  2. says

    There are solutions for email and internet security. When the servers are located in the US or Canada (i.e. Google, Yahoo, etc.) they are subject to the US Patriot Act. That means that when the government (NSA, IRS, etc.) requests information on us those companies MUST comply – and all without a search warrant. This is against the US Constitution’s 4th Amendment. Check out ForHisGlory.PrivacyAbroad.com for established Swiss-based companies that ARE NOT under US jurisdiction! Let’s take back our Fourth Amendment rights!!

  3. astrosmashley says

    How so? When was the last time you saw such a disconnect between a government position on a person or persons and public opinion on the same people? Not only public opinion but also ‘opinion’ of major corporations. This is a very weird redrawing of alliances where even the corporations can be on the ‘people’s’ side (even if selfishly motivated) against the government that greases its wheels… Interesting times.

  4. jamessweet says

    @Dunc, fair points, but getting 95% of the way there is a lot better than being 2% of the way there. I was actually thinking that https is an excellent model for this. It is pretty damn effective overall, despite a handful of high profile gaffes, and it’s easy enough for just about any user to interact with it. (Configuring it on the server side is another story, as I have some rather frustrating recent experience with…. but even then, it’s not THAT hard, all things considered.)

    I think you are still in the model of “How do I ensure absolute perfect secrecy even if somebody is trying to eavesdrop on me specifically?” But this talk and this post are about something else: Making it so that it is not trivially easy to snoop on the average person, the way it is now. Imagine a world with just as much e-commerce as today, but with no https. It would be a disaster. (Actually, it would never have happened, so you’ll have to suspend disbelief a lot to even follow the thought experiment) Anybody could harvest any online transaction at any time, with virtually no effort. In our reality, online commerce is actually pretty safe — certainly safer than handing your credit card to a waiter at a restaurant! There are flaws, but it mostly works.

    That’s the goal here, is to make it so that there are few enough holes that it’s just not worth it to do massive untargeted data collection.

  5. Dunc says

    James, my main worry is that we end up with what everybody thinks is a 95% solution, but is actually a 0% solution because either the underlying standards or the implementations are deliberately compromised by providers acting in collusion with the spooks. Remember, people used to trust RSA, until we found out they’d put an NSA backdoor in a key algorithm… The well-documented instances of incompetence simply illustrate how easy it would be – if Apple can ship an HTTPS implementation that’s completely (and fairly obviously) borked without anybody noticing, how long would it take to discover if they were doing something really sneaky?

  6. Pierce R. Butler says

    … installing PGP …

    Hasn’t that been exposed as compromised already?

    … we will have to depend upon the companies that create browsers, social media platforms, and other internet software to incorporate high-enough quality security measures into their systems …

    Yeah, sure, Google will create and release a Google-proof browser.

    And Hermione Granger will beam herself to Narnia to resurrect Rorschach.

  7. Compuholic says

    The problem is, can you really trust any encryption system you didn’t set up yourself and don’t understand?

    Well I agree if you don’t understand a system (at least on an abstract level). You are right, it is very much possible that the system won’t protect you because you could be using it wrong. I also agree that with closed-source software you are always at the mercy of the software developer.

    At least in theory open-source software should help you to be somewhat secure. If there are weaknesses in the code, they will be found sooner or later when any person in the world can look into the code.

    And even if that is not the case it still doesn’t really matter. There is no such thing as perfect security in this world. There is always a chance that encryption can be broken. However, only in very rare cases that means that all communication is effortlessly readable. Even if the cryptosystem is weak it usually means that the attacker has to invest quite a bit of computational power in order to break the code.

    While that doesn’t prevent government organizations from reading your email since they have the necessary resources it prevents them from automatically collecting and analyzing your data. They have to really be interested in you in order to spend those resources. And that is good enough for me. I want them to have a reasonable suspicion in order to invade someone’s privacy.

  8. Compuholic says

    … installing PGP …
    Hasn’t that been exposed as compromised already?

    I would be interested to know if you have any links. If it was compromised I would suspect it was through a weak random number generator. I am certain I would have heard if the algorithm itself was broken as that would have been big news in the computer science community.

    What is known is that RSA (the company) cooperated with the NSA. And while PGP relies on the RSA cryptosystem that has very little to do with the company RSA other than the people who founded RSA invented it.

  9. doublereed says

    Yea, RSA is still fine as an encryption scheme. You just probably don’t want to use RSA’s cryptography modules because they may have backdoors or something.

  10. dysomniak "They are unanimous in their hate for me, and I welcome their hatred!" says

    Maybe in the future people who don’t understand the difference between a cryptosystem and its implementation should refrain from shooting their yaps off about what’s been “broken?”

  11. Pierce R. Butler says

    Compuholic @ # 10 – On further reflection, I need to do some retracting: what I had read about from serious sources involved RSA, and what I heard about PGP was speculation.

  12. Dunc says

    At least in theory open-source software should help you to be somewhat secure. If there are weaknesses in the code, they will be found sooner or later when any person in the world can look into the code.

    As a professional software developer, I’m hugely sceptical about this claim. I’m sceptical about it when it comes to relatively simple and easily understood software problems, and crypto is neither of those.

  13. jonP says

    If such people cannot be trusted to swear unswerving loyalty to the interests of the national security state, then the NSA is destined to suffer from one serious exposure after another because the number of Snowden emulators will be endless.

    Despite the technological issues involved with creating and implementing cryptography to keep data secure, I am at least a little comforted by this idea. If the security state can access anyone’s information at any time for any reason, then this would include the people who work in the national security state. They are probably even more at risk because they are under the direct scrutiny of this apparatus, and especially so if they can not be 100% trustable. Everyone, including people who work for the government, has a common interest in preventing anyone in government from accessing everyone’s data.

    Perhaps paradoxically, government efforts to make more data accessible also make government data more accessible. Perhaps by trying to limit privacy, the government also creates limitations (or incentives for limiting) government secrecy. Even if the mechanisms for these secrecy limitations are Snowdens who are aware of the problem, have direct access to the information, and are willing to risk government retribution. We can only hope more Snowdens exist.
