Continuing the theme of security in the Internet age at SXSW 2014 in Austin, Texas, an even more timely discussion session involved former CIA computer specialist Edward Snowden. It was one of the highlights of the whole event. Like Julian Assange, whose previous SXSW session we recently analysed, Snowden is on the run from US government investigation, although in Snowden's case he has taken refuge in Russia. He joined the packed SXSW conference hall via a Google Hangout, using “seven proxies” to protect his stream, although this was a comic reference to a classic hacker meme and not actually true.
This session was hosted by Ben Wizner of the American Civil Liberties Union (ACLU), with Christopher Soghoian (also from the ACLU) providing extra commentary. In a talk that one member of the US Congress (for Kansas) had requested not to occur, the conversation revolved around how Snowden's revelations would affect the technological community and how new law and policy might be able to ensure online safety, reining in US National Security Agency (NSA) spying.
By way of introduction, Soghoian argued that many of the tools we use every day are not secure. A key problem comes from the tension between high security and ease of use. “Users have a choice between a service that works out of the box and is easy to use, or a third-party tool that is hard to set up,” explains Soghoian. “Most people take the easy option.”
In a now legendary example of this, Glenn Greenwald himself (the Guardian journalist who first published Snowden's NSA allegations) was unable to use the PGP encryption system. “We need new UIs, to make it easy for people to interact with,” argued Snowden. “Tools need to pass the Glenn Greenwald test! If you have to go to the command line, people aren't going to use them.”
“Most people are going to use the software they already have,” continued Soghoian. “So most effort needs to be in pressuring big companies to take security seriously. Google turned on SSL for search by default in 2010, where previously it was a hidden option. But can you get people to pay for harder security, say $5 [£3] a month?” Snowden added that companies also need to ask why they are keeping data for so long. “They don't need to store data indefinitely. One company had my data from four years ago, and was hacked to find it. That didn't need to happen.”
Of course the key question in any discussion with Edward Snowden is whether his disclosures have weakened the nation's cyber-defences, as NSA Director Keith Alexander and his predecessor Michael Hayden have alleged. “NSA directors have elevated attack over defence,” was Snowden's response. “It makes no sense to attack rather than defend. We need to be able to trust our communications.”
On the question of whether it is better to defend ourselves from attack from China, or to attack China, Soghoian argued that “cyber-security is the greatest threat today, greater than terrorism. But we're not doing things to combat this. Nobody gets fired for not preventing phishing attacks. In fact, the US government has focused on collecting information, and has actively weakened security to help this. A system designed for surveillance is weakened for cyber-attack.”
The discussion then opened up to questions from Twitter, which fittingly began with a comment from founder of the web Tim Berners-Lee. After stating that Snowden's actions were profoundly in the national interest, Berners-Lee asked how he would make oversight more accountable, although Snowden didn't offer many suggestions on how to achieve this other than via the open courts already in use for other legislative procedures.
Soghoian argued that many of the tools we use on a daily basis are made by advertising companies, so for example Chrome is not privacy-focused, as it's tweaked to collect data. “This makes the NSA's job much easier. Advertising companies are not going to give us tools that will be privacy-preserving by default. Consumers need to rethink their relationships with big companies. If you're getting the service for free, they will not be focusing on security or privacy.”
However, it appears that the true legacy of Snowden's revelations will not just be their effect on the policy of US government and its allies, but how they have made all the technology companies beef up their security, because they have all been associated with bulk surveillance. Yahoo's belated adoption of SSL and Apple's fixing of an address book bug that allowed contact information to be transferred unencrypted are just two examples.
“Cryptographers are not happy campers,” argued Soghoian. “A group within the cryptographic community have become radicalised. Regular consumers do not pick crypto, security engineers at Google, Microsoft, and those at open source projects do. They're all really angry. New tools will be more secure because these guys feel they were lied to. Edward Snowden's disclosures have improved Internet security, not weakened national security. He has protected us from hackers in coffee shops and criminals trying to steal our information.”
“Everyone has something to lose from unwarranted interference,” continued Snowden. “If we allow the NSA to continue unopposed every other government will have the green light to do the same.” To which Soghoian added: “The whole world sends their data to the US. We send our photos, video, email and status updates. This gives the US a surveillance advantage. We need to respect people from other countries, because losing their trust will lose their business in the long run.”
When asked what the solution to all this would be, Snowden echoed earlier themes. “Encryption does work. We need to think about it not as an arcane black art, but a basic implementation.” However, he still suggested using tools most everyday consumers might not even have heard of, let alone be able to operate, in particular the Tor network. He was also sanguine about the limitations of encryption as a protection. “If there's a warrant out and the NSA is after you, they will still get you. But mass surveillance will be blocked.
“The US government has amassed a huge team to focus on me personally, but they have no idea what documents I have, and which ones I have given to journalists, because encryption works. If you make sure no single point of failure exists, they can't get in. But because they can't get in, the US government knows the Russian and Chinese governments don't have my stuff either. The NSA would notice the chatter from these governments if they did.”
Soghoian concluded: “They will hack into your device if they target you individually. But it doesn't scale. Encryption makes bulk surveillance too expensive. The goal is to make it so they aren't able to spy on innocent people simply because they can. Encryption means they have to have a good reason.”
Like Julian Assange, Edward Snowden has paid a high price for his disclosures. When asked whether he was satisfied with the global debate, and whether his exile was worth it, he argued that he was duty bound. “In early interviews with Glenn Greenwald my fear was that there would be no reaction. But I went public not because I wanted to override the government. I wanted to inform the public so they could make a decision about what should be done. I took an oath to uphold the constitution, and saw it had been violated. 'No search and seizure' had been reinterpreted as 'Any seizure is fine, just don't search it.'”
The Snowden session was one of the most high-profile and highly anticipated events of the SXSW schedule, with a preview on CNN amongst other international media outlets, and it didn't disappoint. The echoes from Snowden's allegations about the NSA are still resounding. Whether they will make the world more or less secure for everyday people very much remains up in the air – but it's clear that the impact will be great.