Edward Snowden, the former NSA contractor now exiled in Russia who leaked several documents about the government's spy programs, spoke through a Skype link during a panel discussion at last week's SXSW conference in Austin, Texas. The discussion focused upon the impact of NSA surveillance on the technology community. The panel included Christopher Soghoian, the American Civil Liberties Union’s principal technologist, and Ben Wizner, Director of the ACLU's Speech, Privacy & Technology Project. The public submitted questions via Twitter for Snowden.
I watched a video of the discussion afterwards, which gave me the opportunity to replay hard-to-understand sections of the discussion. Snowden's comments were garbled at times, due to a Skype connection routed through several proxy servers. I want to thank the SXSW conference organizers, ACLU, and Google for making this event happen. A huge hat-tip to Inside for providing a transcript of the discussion.
After listening to the discussion, I see ten important takeaways consumers should know:
1. Some elected government officials don't want American citizens to have any discussion about privacy and mass surveillance. Wizner said during opening remarks to the panel discussion:
"... you are joining us for the event that one member of Congress from the great state of Kansas hoped would not occur. He wrote to the organizers of SXSW urging them to rescind the invitation to Mr. Snowden. The letter included this very curious line, “The ACLU would surely concede that freedom of expression for Mr. Snowden has declined since he departed American soil.” Now no one disputes that freedom of expression is stronger here than there but if there is one person for whom that is not true, it’s Ed Snowden. If he were here in the United States he would be in a solitary cell subject to special administrative measures that would prevent him from communicating to the public and participate in the historic debate that he helped launch."
I imagine there are more elected officials who feels as this representative from Kansas felt. It is important to out them all. For the US government to be responsible to its citizens, there has to be openness and transparency about what it is doing. A poll earlier this year found that the public's confidence in online privacy has fallen for three straight years. Experts have warned that NSA mass surveillance could cost U.S.-based cloud-services vendors $35 billion in lost revenues.
There were protests worldwide and in the USA in February about government surveillance. This past week, we learned about the development by the NSA of more offensive malware surveillance weapons to infect consumers' computers. Consumers are starting to look at companies' privacy capabilities, as the industry grapples with transparency restrictions and projected revenue losses from mass surveillance. When a government forces corporations to lie, it breaks the public's trust with both. Perhaps more importantly, a government can't simply ignore or walk away from the Fourth Amendment of the U.S. Constitution:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
So, only a fool (or a spy-industry apologist) would ignore these facts and want to stop citizens from having any discussion about the role they want their government ot play in mass surveillance the appropriate democratic controls by all three branches of government: executive, legislative, and judicial.
I think that it's fair to conclude that without Snowden's disclosures about NSA spying programs, we American citizens probably would not have the discussion we've had about privacy, mass surveillance, and the role we want our government to play. So, thanks to Mr. Snowden.
2. The communications tools companies and consumers use today are not secure. There have been several news reports that spy agencies seek to break all online encryption methods. Wizner's opening remarks included:
"... conversation that you hear in conference rooms in technology companies. Particularly among people working on security issues. And those people are talking less about the warrant requirement for metadata and more about why the hell the NSA is systematically undermining common encryption standards that we all use. Why is the NSA targeting telecommunications companies, internet companies, hacking them to try to steal their customer data. Basically manufacturing vulnerabilities to poke holes in the communication systems that we all rely on..."
"... I will say SXSW and the technology community - people who are in the room in Austin they are the folks that really fix things who can enforce our rights for technical standards. Even when Congress hadn’t yet gotten to the point of creating legislation to protect our rights.. There is a policy response that needs to occur. There is also a technical response that needs to occur. It is the development community that can really craft the solutions and make sure we are safe..."
Soghoian emphasized that there are still privacy gaps with current products and services:
"In the last eight months the big Silicon Valley technology companies have really improved their security in a way that was surprising to many of us who have been urging them for years to do so... The companies have locked things down but only in a certain way. They have secured the connection between your computer and Google’s server or Yahoo’s server or Facebook’s server, which means that governments now have to go through Google or Facebook or Microsoft to get your data. Instead of getting it with AT&T’s help or Verizon’s help or Comcast’s..."
And the NSA simultaneously works with technology companies to undermine the security of online products and services:
"... there was a disclosure in the New York Times a report in the New York Times last fall revealing the NSA has been partnering with US technology companies to intentionally weaken the security of the software that we all use and rely on. The government has really been prioritizing its efforts on information collection. There is this fundamental conflict there is tension that a system that is secure is difficult to surveil and a system that is designed to surveil is a target waiting to be attacked. Our networks have been designed with surveillance in mind."
The bottomline: surveillance-friendly products and services don't really protect information. Vendors' resources need to be focused on information protection. You can read about the NSA's encryption-breaking efforts InfoWorld and at ProPublica sites.
3. Advertising companies are not interested in consumers' privacy. Since these companies offer services to consumers for free, they make money via mass surveillance: collecting, archiving, and manipulating consumers' sensitive personal information. Wizner said:
"... one of the problems with end to end encryption is that many of us get email service from advertising companies that need to be able to read the emails in order to serve us targeted ads. But what are steps that even a company like Google that is an advertising company but companies like that can do to make mass surveillance more difficult?"
"I think it is going to be difficult for these companies to offer truly end to end encrypted service simply because it conflicts with their business model. Google wants to sit between you and everyone you interact with and provide some kind of added value. Whether that added value is advertising or some kind of information mining. Improved experience telling you when there are restaurants nearby where you can meet your friends. They want to be in that connection with you and that makes it difficult to secure those connections... "
Later during the discussion, in response to a viewer's question about data collection by companies, Soghoian added:
"... the web browser you are most likely using, the most popular browser right now is Chrome, most popular mobile operating system is now Android, many of the tools that we are using whether web browsers or operating systems or apps are made by advertising companies. It is not a coincidence that Chrome is probably a less privacy preserving browser. It is tweaked to allow data collection by third parties. The Android operating system is designed to facilitate disclosure of data to third parties. Even if you are okay with the data the companies are collecting you should also note that the tools that we use to browse the web and the tools that ultimately permit our data to be shared or prevent it from being shared are made by advertising companies. This makes the NSA’s job a lot easier. If the web browsers we were using were locked down by default the NSA would have a much tougher time. But advertising companies are not going to give us tools that are privacy preserving by default."
4. Scure communication tools that are easy for the average Internet user are not yet available. Internet technology companies need to do more. Soghoian said:
"... tools that exist to enable secure end to end encrypted video conferencing are not very polished and particularly when you are having a conversation with someone who is in Russia and who is bouncing his connection through several proxies the secure communications tools tend to break. This in fact I think reflects the state of - the state of play with many services. You have to choose between a service that is easy to use and reliable and polished or a tool that is highly secure and impossible for the average person to use... the tools that are designed with security as the first goal are typically made by independent developers and activists and hobbyists and they are typically tools made by geeks for geeks."
Snowden added (links added):
"Whisper systems [unintelligible] of the world are focusing on new user experience, new UIs and basically ways for us to interact with cryptographic tools. This is the way it should be... We want secure services that aren’t opt in. It has to pass the Greenwald test. Any journalist in the world gets an email from somebody saying hey I have something the public might want to know about they need to be able to open it. They need to be able to access that information... The way we interact right now is not good. If you have to go to the command line people aren’t going to use it. If you have to go three menus deep people aren’t going to use it."
Faced with this choice, consumers (have and continue to) select the easy-to-use (and not secure) communications tools, products and services. There clearly is a hole in the marketplace for companies to provide consumers with easy-to-use and secure products and services.
5. Companies archive consumers' sensitive information online longer than necessary. Too many companies don't purge their Internet-connected systems of archived information when it is no longer needed. Snowden said:
"One of the things I would say to a large company is not that you can’t collect any data it is that you should only collect the data and hold it for as long as necessary for the operation of the business. Recently [unintelligible] one of the security [unintelligible] hacked and they actually stole my passport and my registration forms and posted them to the internet... I submitted those forms back in 2010. Why were those still on a web facing server? Was it still necessary for business?"
6. Mass surveillance on everyone is unproductive and wastes resources. When asked about whether mass surveillance programs are effective, Snowden answered:
"That is actually something I’m a little bit sympathetic to and we got to turn back the block a little bit and remember that [the NSA] thought [unintelligible] was a great idea but no one had done it before, at least publicly. So they went “hey! we can spy on the world all at once. It will be great, we’ll know everything.” But the reality is, when they did it, they found out that it didn’t work. But it was a [unintelligible] so successful in collecting data. So great at the contract that no one wanted to say no. But the reality is now, we have reached point where a majority of people’s telephone communication are being recorded - we got all these metadata that are being stored - years and years. But two independent White House investigations found that it is has not helped us at all, have not helped us. Beyond that, we got to think about what are we doing with those resources, what are we getting out of that? As I said in our European Parliament testimony, we’ve actually have tremendous intelligence failures because we’re monitoring the internet; we’re monitoring, you know, everybody’s communications instead of suspects’ communications. That lack of focus have caused us to miss news we should have had. Tamerlan Tsarnaev, the Boston Bombers. the Russians have warned us about it. But we didn’t a very poor job investigating, we didn't have the resources, and we had people working on other things. If we followed the traditional model, we might have caught that. Umar Farouk Abdulmutallab the underwear bomber, same thing. His father walked into a US Embassy, he went to CIA officer and said my son is dangerous. Don’t let him go to your country. Get him help. We didn’t follow up, we didn’t actually investigate this guy. We didn’t get a dedicated team to figure what was going on because we spent all of this money, we spent all of this time hacking into Google and Facebook to look at their data center. What did we get out of that? We got nothing. And there are two White House investigations that confirm that."
The panelists also discussed the fact that online products with truly strong encryption and security have the added benefit of forcing spy agencies to focus only on spying on true targets (e.g., terrorism suspects, wanted criminals, etc.) and not everyone. Why? Truly strong encryption makes it unfeasible and uneconomical to spy on everyone. Right now the spy agencies spy on everyone because they can.
7. Effective oversight is critical to balancing privacy versus surveillance needs. It is clear that spy agencies will continue to use the Internet for surveillance. When asked what oversight model could work, Snowden said that with accountability and transparency the US model could work:
"We have got a good starting point... We have an oversight model that could work. The problem is we overseers aren’t interested in oversight. When we’ve got seven intelligence communities, house intelligence communities that are [unintelligible] to the NSA instead of holding them accountable. When we have James Clapper the director of National Intelligence in front of [Congress] and he tells a lie that they all know is a lie because they are rigged on the program because they have the questions a day in advance. And no one says anything. Allowing all Americans to believe this is a true answer. That is an incredible dangerous thing... how do we fix our oversight model, how do we structure the oversight model that works. The key fact is accountability. We can’t have officials like James Clapper who can lie to everyone in the country. Who can lie to the Congress and face no not even - not even a criticism. Not even a strong worded letter, the same thing with courts. In the United States we have open courts that are supposed to decide and settle constitutional issues to interpret and apply the law. We also have the FISA court which is a secret rubber stamp court . But they are only supposed to approve warrant applications. These happen in secret because [spy agencies] don’t want people to know hey the government wants to surveil you. At the same time a secret court shouldn’t be interpreting the constitution when only NSA’s lawyers are making the case on how it should be viewed. The other thing is we need public advocates. We need public representatives. We need public oversight. Some way for trusted public figures sort of civil rights champions to advocate for us and protect the structure and make sure it is been fairly applied. We need a watch dog that watches Congress."
Things could work as long as the executive and legislative branches of the government don't all themselves to be lied to.
8. Snowden's disclosures have made the Internet more secure. Soghoian said:
"The PRISM story although there was a lack of clarity initially on what it really said, put the names of billion dollar American companies on the front page of the newspaper and associated them with bulk surveillance. You saw the companies doing everything in their power publicly to distance themselves and also show that they were taking security seriously. You saw companies like Google and Microsoft and Facebook rushing to encrypt their data center to data center encryption. Connections rather. You saw companies like Yahoo finally turning on SSL encryption, Apple fixed a bug in its address book app that allowed Google users’ address books to be transmitted over networks in unencrypted form. Without Ed’s disclosures there wouldn’t have been as much pressure for these tech companies to encrypt their information... his disclosures have improved internet security. And the security improvements we have gotten haven’t just protected us from bulk government surveillance. They have protected us from hackers at Starbucks who are monitoring our WiFi connections. They have protected us from stalkers and identity thieves and common criminals. These companies should have beene encrypting their information before and they weren't. And it really took you know, unfortunately the largest and most profound whistle blower in history to get us to the point where these companies are finally prioritizing the security of their users’ communications..."
9. The NSA's surveillance actions will encourage other countries' spy agencies to do the same. In response to a viewer's question about consequences, Snowden answered:
"This is actually one of the primary dangers not just of sort of the NSA’s activities but of not addressing and resolving the issues. It is important to remember that American’s benefit profoundly from this. Because again as we discussed we got the most to lose from being hacked. At the same time every citizen in every country has something to lose. We all are at risk of unfair, unjustified, unwarranted interference in our private lives. Throughout history we have seen governments sort of repeat the trend where it increased and they get to a point where they have crossed the line. We don't’ resolve these issues if we allow the NSA to continue unrestrained. Every other government in the international community will accept this as a sign, as the green light to do the same. And that is not what we want."
10. The spy agencies' actions have hurt national security, not Snowden's disclosures. Wizner said (link added):
"Last week, Ed, General Keith Alexander who heads the NSA testified that he believes that the disclosures of the last eight months have weakened the country’s cyber defenses."
"... there have been two officials in America who have harmed our internet security and actually our national security so much of our country’s economic success is based on our intellectual property. It is based on our ability to create and share and communicate and compete. Now those two officials are Michael Hayden and Keith Alexander, two directors of the National Security Agency in the post 9/11 era who made a very specific change. That is they elevated offensive operations that is attacking over the defense of our communications... This is a problem for one primary reason - that is America has more to lose than everyone else... when you are the one country in the world that has sort of a vault that is more full than anyone else’s it doesn’t make sense because if you attack it... and it makes even less sense when the standards for vaults worldwide to have a backdoor anyone can walk into. When he says these [disclosures] have weakened national security no these are improving our national security... we rely on the same standards. We rely on the ability to trust our communications. Without that we don’t have anything. Our economy cannot succeed."
By focusing upon offensive surveillance technologies, the NSA hasn't made our coutnry's systems safer with defensive techniques. Government officials have to have a broad perspective, since there are consequences. One consequence: attorney-client communications require privacy which mass surveillance interrupts, hampering a healty economy. Another consequence: experts have warned that the massive NSA government spying program could cost U.S.-based cloud-services vendors $35 billion in lost revenues. In simpler terms:
Lost revenues by U.S. high-tech companies = lost American jobs = lost tax revenues to U.S. federal, state, and local governments
I know some people believe that what Snowden did was wrong. Webster's Diction defines a patriot as:
"... one who loves and loyally or zealously supports one's country."
After considering the selective documents Snowden disclosed so Americans could have an informed discussion and debate about how we want our government to operate (a debate that Congress has failed at), and his reasoned, well-considered, and thoughtful answers during the SXSW discussion, the result has been a good thing. Snowden gave up his freedom and chance to live in his home country, so that the rest of us Americans could discuss what needs to be discussed to maintain our Constitution and democracy. That sounds like the actions of a zealous patriot to me. Thanks Ed.
Now, it's up to the rest of us to hold technology vendors, our government, and elected officials accountable; and demand transparency from them all.