Thursday, March 27, 2014

On SXSW 2014 : Data Privacy after Edward Snowden.

Photo by Jack Plunkett/Invision/AP
First things first:  this post is not a judgement for or against Edward Snowden.  It is an analysis of the impact, the response, and the reality of the aftermath of the documents that have been shared, and of what we should be doing about it.  There is a direct impact on the technology community, one that touches the very basic responsibility we have as the builders and stewards of the software and data that are driving the 21st century's economic engine.

At SXSW, Edward Snowden was present for his interview virtually, using a Google Hangout.  He was piped through seven proxies in an attempt to keep his location as secure as possible.  While this caused the video to be very choppy, the audio was clear.

Christopher Soghoian, a technologist at the ACLU, and Ben Wizner, Snowden's legal adviser from the ACLU, conducted the interview.  Before I dig into the meat of the discussion, I want to level-set the scope of the NSA files released to date.

What has been revealed in the NSA files?
This timeline is derived from the EFF's comprehensive list of events.  I will bold particularly troubling attacks on tech privacy.
The list is extensive and startling.  Having attempted to pay close attention to this issue, I'm sure I experienced some "NSA fatigue" and ignored or missed a bunch of stories.  Now looking back to the actual timeline and information published in the media, my eyes cross and my stomach sinks.  The penetration is thorough.  It goes to the very base of the software in the encryption keys, to the very base of the physical infrastructure in tapping the fiber lines directly.

Slide published by the Washington Post detailing PRISM.
Point One - It's way too easy.
First and foremost, the level of penetration indicates one thing:  it's been too easy.  What's more is that we don't know who else is listening to our data.  And let's be clear, that data represents just about everything:  telephone conversation, email conversation, instant messenger conversation, video chat, what websites you browse and therefore what your interests are, your location, who you pay and how much you pay them, who you associate with, who your friends are and how close you are to them, what products you buy and what stores you buy them from, and what TV shows and movies you like.

It is your identity and the keys to your identity.

That all the NSA, GCHQ, and other agencies had to do was tap into the network reveals a disturbing truth about the internet that we've built:  it's too easy to snoop.  It's incredibly easy to snoop.  The first hurdle for anyone, government or not, to eavesdrop on our data should be how they're going to snoop.  Someone can always tap the physical fiber lines moving data between servers.  That so much of the data is "in the clear" is the problem.

Even Google was caught with its pants down.  Nevermind Yahoo! and Microsoft.

We should be encrypting everything.  Yes, the NSA has the keys to RSA, which provides many of our encryption keys.  But now that we know, separate groups can begin providing them - groups not affiliated with any particular government or corporation.

This is, in fact, what's happening.  Mr. Soghoian pushed the point that these revelations have radicalized segments of the IT world.  Individuals are building better systems to provide better data privacy.  In his words, there are lots of engineers who are "pissed".  It should be very hard for the government or anyone else to siphon any meaningful data from our networks.

This quote stresses this:  "data should not be collected without people's knowledge and consent."

More importantly, perhaps, is that decryption does not scale.  The amount of compute cycles needed to decrypt a message without the key is vastly greater than that needed to encrypt it.  As the amount of encrypted data increases, the computational horsepower needed to brute-force decrypt all of it rises exponentially.  It is the greatest defense of our digital presence.

Point Two - You Are Stewards Of User Data.
To bring this back home to the "every man" working for some web/mobile app company, we need to clean up our acts.  Snowden stresses the point that privacy should be first, and awareness that we are the stewards of our users' data should be second, in how we construct our systems.

Once a user gives consent to hand their data to us, it is our responsibility to protect it.

We do this by only asking for the minimum data we need to perform our services.  Only retain that data for the minimum amount of time necessary.  All of the data we collect should have a time to live attached to it.  Once that time frame has passed, the data is purged.

The crucial point here is:  encrypt everything and all data expires.
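The retention half of that rule, as an added illustration that is not code from the post: a small in-memory record store that refuses fields the service has not declared it needs, refuses any write without a finite time-to-live, and purges expired records. The `PolicyStore` class, its `allowed_fields`/`max_ttl` parameters and the injectable `clock` are assumptions of this example; encryption at rest is left to a vetted library.

```python
"""Collect the minimum, attach a TTL to everything, purge on expiry.

Added example (not the post's code). Assumes an in-memory dict as the
store and an injectable clock so expiry can be exercised deterministically.
"""
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, FrozenSet, Optional, Tuple


class RetentionError(ValueError):
    """Raised when a write would violate the data-minimisation or TTL policy."""


@dataclass
class PolicyStore:
    allowed_fields: FrozenSet[str]          # only fields the service truly needs
    max_ttl: float                          # upper bound on any record's lifetime (s)
    clock: Callable[[], float] = time.time  # injectable for tests / fake time
    _records: Dict[str, Tuple[Dict[str, Any], float]] = field(default_factory=dict)

    def put(self, key: str, data: Dict[str, Any], ttl: float) -> float:
        """Store `data` under `key`; returns the absolute expiry timestamp."""
        extra = set(data) - self.allowed_fields
        if extra:  # data minimisation: never silently collect undeclared fields
            raise RetentionError(f"refusing to collect fields: {sorted(extra)}")
        if not 0 < ttl <= self.max_ttl:  # every record must expire
            raise RetentionError(f"ttl must be in (0, {self.max_ttl}] seconds")
        expires_at = self.clock() + ttl
        self._records[key] = (dict(data), expires_at)
        return expires_at

    def get(self, key: str) -> Optional[Dict[str, Any]]:
        """Return a copy of the record, or None if missing or expired."""
        item = self._records.get(key)
        if item is None:
            return None
        data, expires_at = item
        if self.clock() >= expires_at:
            del self._records[key]  # lazy purge: expired data is never served
            return None
        return dict(data)

    def purge(self) -> int:
        """Drop every expired record (run periodically); returns count removed."""
        now = self.clock()
        expired = [k for k, (_, exp) in self._records.items() if now >= exp]
        for k in expired:
            del self._records[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._records)
```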

This helps secure our users' privacy and security not just from a government agency, but also from anyone who may break into our systems.  Let's not forget what happened to Target.  We have a tendency to think that once inside our firewalls, all data is safe.  Target's failure indicates that once a malicious organization gets past your firewall, they can very easily cause catastrophic losses.


NSA slide published by the Washington Post detailing how they are siphoning internal Google data.  Note the SSL encryption note.
Point Three - Google is not your friend.

I use quite a few Google products and while this point seems obvious, I found it eye-opening.  Google is what?  An advertising company.  By nature, Google's goal is to analyze your behavior and expose that data to various services.  At some point using those services you are served advertisements.  That is, after all, how Google makes their billions, right?

This inherently makes their software vulnerable to attack.  Google would never build a browser that provides end-to-end encryption.  If they did, they couldn't read the data being sent back and forth and build an analysis of your habits.  It would make Google Now useless.  GMail could serve no advertisements to you.

I use Google as an example here.  Microsoft, Yahoo!, neither of these guys is really our friend either.  It is going to take some group in the tech community to get together and build an open-source, end-to-end encrypted browser.  If Google or IBM were to take on this task, as Mr. Soghoian stressed, you had better believe that it will not be free.  They would have to make up the lost revenue dollars somehow, and charging a monthly fee for access to the software is a likely avenue.

Point Four - The NSA is too focused on cyber-offense and not on real-world clues.
This portion of the conversation elicited some groans from the audience.  Snowden was making the point that the NSA's single-minded focus on gathering as much data as it could has made it blind to the data that matters most:  what's happening in the real world.  His argument followed these lines:

Before the underwear bomber ever got on a plane, his father went to the United States embassy and told them to watch his son and get him help.  Before the Boston bombings, Russia told the U.S. Government to watch Tamerlan Tsarnaev.  What the NSA should be doing is working to make our networks the most secure they can be.  Instead they're focused on weakening them through back doors, compromised hardware, and direct taps.  Perhaps if they worried more about security than about attempting to gather every piece of data they could, strong signals like those from the underwear bomber's dad or the Russian embassy would not have been ignored.

Two reports, one from the left-leaning New American Foundation and the other from the right-leaning Hoover Institute, have come to the same conclusion about the system's ineffectiveness in stopping any terrorist attacks, which makes one wonder at the amount of money spent and the scope of the data collection.  The processes have borne no fruit, and yet we are spending 55 billion on them?

We should focus those dollars on a more-secure internet and real-world police work, not exploiting every vulnerability that can be found.

Point Five - Why is all of this bad?
The question came in from the audience:  "Why is it bad for a government to have your private data, but okay for a company?"

The answer came in two parts, the first from Snowden:  governments can take away your Rights, companies cannot.  Google can't send the police to your home for violating some new law, but the U.S. Government could.

The second part of the answer is that it's not good for corporations to have all of your data either.  If their systems become compromised, there goes your data and maybe your identity, which is exactly how the NSA and other agencies around the world have acquired these vast amounts of information.

Don't forget that even if you're okay with who is running the government today, you may not be tomorrow, nor do you know what laws may be passed tomorrow.  The only way to be truly secure in your privacy is for your data to not persist anywhere.

Point Six - Change starts with technology.
Snowden and Soghoian stressed this point several times.  While there is certainly a political response necessary to unfettered government access to our data, the primary response will come from the technologists.  It will be us who construct secure systems to ensure the privacy of our data.  If we improve our standards, then it won't matter who is trying to access our data; it can remain secure.  We'll be the ones who build the next generation of browsers and network protocols.

It was this point that Snowden said is why he spoke to SXSW Interactive.  It was the best way to reach the most technology professionals and send this specific message.

This point resonated with me.  There's a cultural change that needs to happen in technology.  Security and privacy cannot be tertiary thoughts.  They have to be our primary thought in our designs.  Those measures have to be agnostic of who is trying to access the data.  Our Right to Privacy is not just privacy from a neighbor, it's privacy from anyone, including the government.

Closing Notes.
Snowden ended the interview on an interesting note.  I'll share the quote (with a link to the clip):
"...the interpretation of the Fourth Amendment has been changed - in secret - from no unreasonable search and seizure to 'hey, any seizure is fine, just don't search it' and that's something the public ought to know about."

Just this month Google has finished updating their infrastructure to encrypt all of the internal data.  Earlier last year Yahoo promised to do the same by March of this year.  Large American tech companies have faced significant losses and are spending billions to move their data centers off of U.S. soil.  These disclosures will continue to reverberate throughout the technology, political, and economic worlds.  The pressure has pushed the United States Government to consider ending its bulk surveillance.

Regardless of what you think of Snowden, these reverberations, while painful in the short term, will only make our software and networks more secure.  The better they become, the more secure we can feel about our online privacy.  Our "papers" as referenced in the Fourth Amendment have evolved into digital documents and correspondence.  They should be as private as the same papers that are sitting in your filing cabinet, free from search and seizure.  They should be as private as the letters you put in the mailbox.

We technologists are in a very unique position to shape the digital future.  We should be thinking of and implementing methods that can improve our privacy and the security of our networks rather than waiting for a political response.  It is clear that the government will break the rules in secrecy to get what they want.  If we want to defeat that we need to build better defenses so no one can collect our digital identities.

It starts with you and me.

Interview Video
