 |
| Photo by Jack Plunkett/Invision/AP |
At SXSW, Edward Snowden was present for his interview virtually, using a Google Hangout. He was piped through seven proxies in an attempt to keep his location as secure as possible. While this caused the video to be very choppy, the audio was clear.
Christopher Soghoian, a technologist of the ACLU, and Ben Wizner, Snowden's legal adviser from the ACLU, conducted the interview. Before I dig into the meat of the discussion, I want to level-set the scope of the NSA files released to date.
What has been revealed in the NSA files?
This timeline is derived from the EFF's comprehensive list of events. I will bold particularly troubling attacks on tech privacy.
- June 5th, 2013 - "Dragnet" NSA is collecting every Verizon user's cellphone call metadata.
- June 6th, 2013 - "Prism" NSA is tapping into Google, Microsoft, Yahoo!, systems, collecting user data.
- June 9th, 2013 - "Boundless Informant" NSA's tool that allows broad searching of collected data by other programs revealed.
- June15th, 2013 - Additional NSA programs "Mainway", "Marina", & "Nucleon" revealed. Includes how Nucleon process the spoken words of phone conversations.
- June 21st, 2013 - GCHQ revealed to be collecting Facebook, internet history, & phone calls. Shares data with NSA.
- June 27th, 2013 - NSA Inspector General's detailed history of domestic surveillance shared.
- July 6th, 2013 - Details on how US companies are working with government agencies.
- July 11th, 2013 - Details on Microsoft's relationship with U.S. Government.
- July 11th, 2013 - "XKeyScore" detailed. Monitors Google Maps activity, collected phone, email, login, internet activity for international users.
- Aug 5th, 2013 - DEA is using collected data and funneling it to police across the nation.
- Aug 7th, 2013 - IRS, FBI, & CIA also using collected data.
- Aug 9th, 2013 - Legal loophole used to authorize NSA programs is revealed.
- Aug 15th, 2013 - Internal NSA audit detailed thousands of privacy violations revealed.
- Aug 20th, 2013 - Depth of penetration of the U.S. internet backbone is revealed with details on cooperation by U.S. ISPs.
- Aug 23rd, 2013 - "Loveint", or violations of privacy by NSA employees searching for information about romantic interests detailed.
- Aug 29th, 2013 - "Black Budget", 56.2 billion for 2013, the funding for the secret programs is revealed.
- Sept 1st, 2013 - "Hemisphere Project" details of AT&T's and U.S. government's partnership, with storage of 20 years worth of phone call data that moved through any of AT&T's systems.
- Sept 5th, 2013 - NSA & GCHQ have hacked encryption protocols and exercise control of their use with various companies.
- Sept 28th, 2013 - NSA is using collection of data to map American social network activity/data in order to "identify their associates, their locations at certain times, their traveling companions and other personal information". Included storing phone location data for 2 years.
- Sept 30th, 2013 - NSA storing everyone's data up to a year.
- Oct 4th, 2013 - Details of how NSA attacks the TOR network through Firefox. Includes details on how NSA collects data with taps into the fiber network using programs called "Stormbrew", "Fairview", "Oakstar", "Blarney". Several other programs also revealed, including "FoxAcid" and "Quantum".
- Oct 30th, 2013 - "Muscular" - Revelation of how NSA captures data from Google & Yahoo!'s systems.
- Nov 11th, 2013 - "Quantum Insert" - Program that used fake LinkedIn pages to infect engineer's computers withe malware for the GCHQ detailed.
- Nov 14th, 2013 - CIA collecting bank transfer data.
- Nov 26th, 2013 - NSA will collect porn-browsing habits to discredit targets. Details 6 Muslim targets and examples.
- Dec 2nd, 2013 - Australian agencies share raw citizen data with NSA, GCHQ, and other foreign agencies.
- Dec 4th, 2013 - "CoTraveler" NSA collecting billions of cell phone location data points across the world every day.
- Dec 9th, 2013 - NSA & GCHQ collected data from online video games.
- Dec 10th, 2013 - "Fast Follower, Happyfoot, Fascia" - uses collected cell phone data to build map of relationships between people and locations.
NSA uses Google's browser cookies to home in on a single individual & observe their online behavior/communications. - Dec 20th, 2013 - NSA paid 20 million to RSA in order to provide an encryption "back door".
- Dec 29th, 2013 - "ANT" 50-page catalog leaked that details NSA's physical tools for infecting/interfacing with computers and physical networks.
- Jan 16th, 2014 - "Dishfire" NSA/GCHQ collects millions of text messages every day.
- Jan 27th, 2014 - NSA uses unsecure mobile apps to collect data about users.
- Jan 27th, 2014 - "Squeaky Dolphin" GCHQ tapped directly into fiber cables in order to watch YouTube user's browsing in real time.
- Feb 27th, 2014 - "Optic Nerve" GCHQ captured millions of images of Yahoo! users through the user's webcams.
- Feb 27th, 2014 - "JTIRG" actively uses denial of service, false flag, & fake social posts to discredit and attack targets, such as Anonymous. Includes viruses spying on journalists, jamming phones/computers & sex traps.
- Mar 12th, 2014 - "Turbine" NSA/GCHQ actively spread malware in an automated manner. Use spam emails & will masquerade as popular servers, like Facebook, in order to infect user's computers.
The list is extensive and startling. Having attempted to pay close attention to this issue, I'm sure I experienced some "NSA fatigue" and ignored or missed a bunch of stories. Now looking back to the actual timeline and information published in the media, my eyes cross and my stomach sinks. The penetration is thorough. It goes to the very base of the software in the encryption keys, to the very base of the physical infrastructure in tapping the fiber lines directly.
 |
| Slide published by the Washington Post detailing PRISM. |
First and foremost, the level of penetration indicates one thing: it's been too easy. What's more is that we don't know who else is listening to our data. And let's be clear, that data represents just about everything: telephone conversation, email conversation, instant messenger conversation, video chat, what websites you browse and therefore what your interests are, your location, who you pay and how much you pay them, who you associate with, who your friends are and how close you are to them, what products you buy and what stores you buy them from, and what TV shows and movies you like.
It is your identity and the keys to your identity.
That all the NSA, GCHQ, and other agencies had to do was tap into the network reveals a disturbing truth about the internet that we've built: it's too easy to snoop. It's incredibly easy to snoop. The first hurdle for anyone, government or not, to eavesdrop on our data should be how they're going to snoop. Someone can always tap the physical fiber lines moving data between servers. That so much of the data is "in the clear" is the problem.
Even Google was caught with its pants down. Nevermind Yahoo! and Microsoft.
We should be encrypting everything. Yes, the NSA has the keys to the RSA , who provides many of our encryption keys. But now that we know, separate groups can begin providing them - groups not affiliated with any particular government or corporation.
This is, in fact, what's happening. Mr. Soghoian pushed the point that these revelations have radicalized segments of the IT world. Individuals are building better systems to provide better data privacy. In his words, there are lots of engineers that are "pissed". It should be very hard for the government or anyone to siphon any meaningful data from our networks.
This quote stresses this: "data should not be collected without people's knowledge and consent."
More importantly, perhaps, is that decryption does not scale. The amount of compute cycles needed to decrypt a message without the key is vastly greater than that needed to encrypt it. As the amount of encrypted data increases, the computation horse power needed to brute-force decrypt all of it rises exponentially. It is our greatest defense of our digital presence.
This quote stresses this: "data should not be collected without people's knowledge and consent."
More importantly, perhaps, is that decryption does not scale. The amount of compute cycles needed to decrypt a message without the key is vastly greater than that needed to encrypt it. As the amount of encrypted data increases, the computation horse power needed to brute-force decrypt all of it rises exponentially. It is our greatest defense of our digital presence.
Point Two - You Are Stewards Of User Data.
To bring this back home to the "every man" working for some web/mobile app company, we need to clean up our acts. Snowden stresses the point that Privacy should be first and awareness that we are the stewards of our user's data should be second in how we construct our systems.
Once a user gives consent to hand their data to us, it is our responsibility to protect it.
We do this by only asking for the minimum data we need to perform our services. Only retain that data for the minimum amount of time necessary. All of the data we collect should have a time to live attached to it. Once that time frame has passed, the data is purged.
The crucial point here is: encrypt everything and all data expires.
This helps secure our user's privacy and security not just from a government agency, but also anyone who may break into our systems. Let's not forget what happened to Target. We have a tendency to think that once inside our firewalls, all data is safe. Target's failure indicates that once a malicious organization gets past your firewall, they can very easily cause catastrophic losses.
Point Three - Google is not your friend.
I use quite a few Google products and while this point seems obvious, I found it eye-opening. Google is what? An advertising company. By nature, Google's goal is to analyze your behavior and expose that data to various services. At some point using those services you are served advertisements. That is, after all, how Google makes their billions, right?
This inherently makes their software vulnerable to attack. Google would never build a browser that provides end to end encryption. If they did, they couldn't read the data being sent back and forth and build an analysis of your habits. It would make Google Now useless. GMail could serve no advertisements to you.
I use Google as an example here. Microsoft, Yahoo!, neither of these guys are really our friend either. It is going to take some group in the tech community to get together and build an OpenSource end to end encrypted browser. If Google or IBM were to take on this task, as Mr. Soghoian stressed, you better believe that it will not be free. They would have to make up the lost revenue dollars somehow and charging a monthly fee for access to the software is a likely avenue.
Point Four - The NSA is too focused on cyber-offense and not on real-world clues.
This portion of the conversation elicited some groans from the audience. Snowden was making the point that the NSA's single-minded focus on gathering as much data as it could has made it blind to the data that matters most: what's happening in the real world. His argument followed these lines :
Before the underwear bomber ever got on a plane, his father went to the United States embassy and told them to watch his son and get him help. Before the Boston bombings, Russia told the U.S. Government to watch Tamerlan Tsarnaev. What the NSA should be doing is working to make our networks the most secure they can be. Instead they're focused on weakening them through back doors, compromised hardware, and direct taps. Perhaps if they worried more about security than attempting to gather every piece of data they could, strong signals like those from the underwear bomber's dad or the Russian's embassy would not have been ignored.
With two reports, one from left-leaning New American Foundation and the other from the right-leaning Hoover Institute, having come to the same conclusion of the system's ineffectiveness in stopping any terrorist attacks makes one wonder at the the amount of money spent and scope of the data collection. The processes have borne no fruit and yet we are spending 55 billion on them?
We should focus those dollars on a more-secure internet and real-world police work, not exploiting every vulnerability that can be found.
Point Five - Why is all of this bad?
The question came in from the audience: "Why is it bad for a government to have your private data, but okay for a company?"
The answer came in two parts, the first from Snowden: governments can take away your Rights, companies cannot. Google can't send the police to your home for violating some new law, but the U.S. Government could.
The second part of the answer is that it's not good for corporations to have all of your data either. If their systems become compromised, there goes your data and maybe your identity. Which is exactly how the NSA and other agencies around the world have acquired these vast amounts of information.
Don't forget that even if you're okay with who is running the government today, you may not tomorrow nor do you know what laws may be passed tomorrow. The only way to be truly secure in your privacy is for your data to not persist anywhere.
Point Six - Change starts with technology.
Snowden and Soghoian stressed this point several times. While there is certainly a political response necessary to unfettered government access to our data, the primary response will come from the technologists. It will be us who constructs secure systems to ensure the privacy of our data. If we improve our standards, then it won't matter who is trying to access our data, it can remain secure. We'll be the ones who build the next generation browsers and network protocols.
It was this point that Snowden said is why he spoke to SXSW Interactive. It was the best way to reach the most technology professionals and send this specific message.
This point resonated with me. There's a cultural change that needs to happen in technology. Security and privacy cannot be tertiary thoughts. It has to be our primary thought in our designs. Those measures have to be agnostic of who is trying to access the data. Our Right to Privacy is not just privacy from a neighbor, it's privacy from anyone, including the government.
Closing Notes.
Snowden ended the interview on an interesting note. I'll share the quote (with link to clip) :
"...the interpretation of the Fourth Amendment has been changed - in secret - from no unreasonable search and seizure to 'hey, any seizure is fine, just don't search it' and that's something public ought to know about. "
Just this month Google has finished updating their infrastructure to encrypt all of the internal data. Earlier last year Yahoo promised to do the same by March of this year. Large American tech companies have faced significant losses and are spending billions to move their data centers off of U.S. soil. These disclosures will continue to reverberate throughout the technology, political, and economic worlds. The pressure has pushed the United States Government to consider ending its bulk surveillance.
Regardless of what you think of Snowden, these reverberations, while painful in the short term, will only make our software and networks more secure. The better they become, the more secure we can feel about our online privacy. Our "papers" as referenced in the Fourth Amendment have evolved into digital documents and correspondence. They should be as private as the same papers that are sitting in your filing cabinet, free from search and seizure. They should be as private as the letters you put in the mailbox.
We technologists are in a very unique position to shape the digital future. We should be thinking of and implementing methods that can improve our privacy and the security of our networks rather than waiting for a political response. It is clear that the government will break the rules in secrecy to get what they want. If we want to defeat that we need to build better defenses so no one can collect our digital identities.
It starts with you and me.
Interview Video
Once a user gives consent to hand their data to us, it is our responsibility to protect it.
We do this by only asking for the minimum data we need to perform our services. Only retain that data for the minimum amount of time necessary. All of the data we collect should have a time to live attached to it. Once that time frame has passed, the data is purged.
The crucial point here is: encrypt everything and all data expires.
This helps secure our user's privacy and security not just from a government agency, but also anyone who may break into our systems. Let's not forget what happened to Target. We have a tendency to think that once inside our firewalls, all data is safe. Target's failure indicates that once a malicious organization gets past your firewall, they can very easily cause catastrophic losses.
 |
| NSA slide published by Washington Post detailing how they are syphoning internal Google data. Note the SSL encryption note. |
I use quite a few Google products and while this point seems obvious, I found it eye-opening. Google is what? An advertising company. By nature, Google's goal is to analyze your behavior and expose that data to various services. At some point using those services you are served advertisements. That is, after all, how Google makes their billions, right?
This inherently makes their software vulnerable to attack. Google would never build a browser that provides end to end encryption. If they did, they couldn't read the data being sent back and forth and build an analysis of your habits. It would make Google Now useless. GMail could serve no advertisements to you.
I use Google as an example here. Microsoft, Yahoo!, neither of these guys are really our friend either. It is going to take some group in the tech community to get together and build an OpenSource end to end encrypted browser. If Google or IBM were to take on this task, as Mr. Soghoian stressed, you better believe that it will not be free. They would have to make up the lost revenue dollars somehow and charging a monthly fee for access to the software is a likely avenue.
Point Four - The NSA is too focused on cyber-offense and not on real-world clues.
This portion of the conversation elicited some groans from the audience. Snowden was making the point that the NSA's single-minded focus on gathering as much data as it could has made it blind to the data that matters most: what's happening in the real world. His argument followed these lines :
Before the underwear bomber ever got on a plane, his father went to the United States embassy and told them to watch his son and get him help. Before the Boston bombings, Russia told the U.S. Government to watch Tamerlan Tsarnaev. What the NSA should be doing is working to make our networks the most secure they can be. Instead they're focused on weakening them through back doors, compromised hardware, and direct taps. Perhaps if they worried more about security than attempting to gather every piece of data they could, strong signals like those from the underwear bomber's dad or the Russian's embassy would not have been ignored.
With two reports, one from left-leaning New American Foundation and the other from the right-leaning Hoover Institute, having come to the same conclusion of the system's ineffectiveness in stopping any terrorist attacks makes one wonder at the the amount of money spent and scope of the data collection. The processes have borne no fruit and yet we are spending 55 billion on them?
We should focus those dollars on a more-secure internet and real-world police work, not exploiting every vulnerability that can be found.
The question came in from the audience: "Why is it bad for a government to have your private data, but okay for a company?"
The answer came in two parts, the first from Snowden: governments can take away your Rights, companies cannot. Google can't send the police to your home for violating some new law, but the U.S. Government could.
The second part of the answer is that it's not good for corporations to have all of your data either. If their systems become compromised, there goes your data and maybe your identity. Which is exactly how the NSA and other agencies around the world have acquired these vast amounts of information.
Don't forget that even if you're okay with who is running the government today, you may not tomorrow nor do you know what laws may be passed tomorrow. The only way to be truly secure in your privacy is for your data to not persist anywhere.
Point Six - Change starts with technology.
Snowden and Soghoian stressed this point several times. While there is certainly a political response necessary to unfettered government access to our data, the primary response will come from the technologists. It will be us who constructs secure systems to ensure the privacy of our data. If we improve our standards, then it won't matter who is trying to access our data, it can remain secure. We'll be the ones who build the next generation browsers and network protocols.
It was this point that Snowden said is why he spoke to SXSW Interactive. It was the best way to reach the most technology professionals and send this specific message.
This point resonated with me. There's a cultural change that needs to happen in technology. Security and privacy cannot be tertiary thoughts. It has to be our primary thought in our designs. Those measures have to be agnostic of who is trying to access the data. Our Right to Privacy is not just privacy from a neighbor, it's privacy from anyone, including the government.
Closing Notes.
Snowden ended the interview on an interesting note. I'll share the quote (with link to clip) :
"...the interpretation of the Fourth Amendment has been changed - in secret - from no unreasonable search and seizure to 'hey, any seizure is fine, just don't search it' and that's something public ought to know about. "
Just this month Google has finished updating their infrastructure to encrypt all of the internal data. Earlier last year Yahoo promised to do the same by March of this year. Large American tech companies have faced significant losses and are spending billions to move their data centers off of U.S. soil. These disclosures will continue to reverberate throughout the technology, political, and economic worlds. The pressure has pushed the United States Government to consider ending its bulk surveillance.
Regardless of what you think of Snowden, these reverberations, while painful in the short term, will only make our software and networks more secure. The better they become, the more secure we can feel about our online privacy. Our "papers" as referenced in the Fourth Amendment have evolved into digital documents and correspondence. They should be as private as the same papers that are sitting in your filing cabinet, free from search and seizure. They should be as private as the letters you put in the mailbox.
We technologists are in a very unique position to shape the digital future. We should be thinking of and implementing methods that can improve our privacy and the security of our networks rather than waiting for a political response. It is clear that the government will break the rules in secrecy to get what they want. If we want to defeat that we need to build better defenses so no one can collect our digital identities.
It starts with you and me.
Interview Video
