I’ve been reading and thinking a lot about digital privacy in the past two weeks. It’s disconcerting that so many Americans are resigned about the current state of digital surveillance. Before the Snowden leaks, one could plausibly deny the vast extent of mass digital surveillance, but in this post-Snowden era, this is increasingly hard to do without appearing like you live under a rock.
I recently watched two videos which explain the disturbing extent to which intelligence agencies like the NSA have gone to subvert encryption algorithms and to sabotage critical Internet infrastructure. In this video, Jacob Appelbaum and Laura Poitras talk about how reading through documents leaked by Snowden has led them to believe the spooks have compromised everything including PPTP, IPSec, and even SSH. Everything except for PGP (implementations include GnuPG), OTR (implementations include Pidgin and Adium), and ZRTP (implementations include the Signal and RedPhone mobile apps).
The second video I watched was a talk by Poul-Henning Kamp in which he pretends to be an NSA officer giving a status report to NATO. Kamp talks about the various technical and psychological operations the NSA and its associated intelligence agencies use to collect all digital communications. I’m not sure how much of what Kamp says is true as some parts are deliberately tongue in cheek, but none of them seem impossible. Here are just a few:
- The NSA spots a startup that’s developing a product that strengthens privacy and thus makes the NSA’s job harder. They send someone who poses as a venture capitalist. He invests money in the startup and gets insider knowledge on what they’re making. NSA looks through their Rolodex of friendly companies for someone with a patent that’s related to the startup’s product. They convince the company to let loose some patent lawyer trolls on the startup. The startup folds or needs to work on something else under legal duress. The founders call the fake VC back saying how sorry they were to waste the VC’s money. The NSA bites its tongue trying not to laugh and busts out the champagne bottles.
- Skype’s encrypted VoIP product was a threat to the NSA being able to listen in on all telephone calls. Skype didn’t use standard protocols, was closed-source, was outside the jurisdiction of the FTC, and the NSA couldn’t bribe the founders of Skype to stop. So the NSA pressured eBay to acquire the company which eBay did. But eBay’s lawyers bungled the deal and didn’t get access to the source code or control the infrastructure. So the NSA made eBay sell it back to the founders at a loss. eBay wasn’t too happy about this. And then the NSA had to spend a lot more money making Microsoft acquire Skype. But it was worth it because this time Microsoft got all of Skype and made the traffic go through Microsoft servers where it could be decrypted.
- How the NSA regularly derails and slows down open source work by appealing to people’s fear, uncertainty, and doubt; playing the GPL vs BSD card; spawning bikeshed discussions; and soaking up mental bandwidth with bogus crypto proposals.
I’ve tried to verify for myself what Appelbaum and Poitras said. There’s a lot of discussion on what the intelligence agencies have cracked and what’s still safe. Has the NSA compromised SSH in general or only in targeted cases? But I wonder if this discussion is useful or if it misses the point as Kamp inspiringly points out at the end of his talk.
So the standard reaction in the open source environment to Edward Snowden’s disclosures have been, “We need to strengthen the protocols! We need to have SSL everywhere.” And I think that misses the point by a large margin. The things that have been published by the Snowden documents by now are the things that the general public can understand reading their newspaper. The stuff we would be interested in have not been published and maybe never will. And attempting to add more encryption is most likely just going to have more broken encryption on the Internet. **This is not a technical problem. This is a political problem. It must be solved by political means.** That means find politicians in your country who can understand this and make sure they understand it. If you cannot find politicians, get you some politicians who can understand it. Political will is a renewable resource. Use your pencil when you vote. Or run yourself. **This is your children’s and grandchildren’s future society you’re looking at. And we’re the guys who sort of missed the boat.**
If a guy who’s been committing to the FreeBSD kernel for over 15 years says he doesn’t see a technical solution to mass digital surveillance, he’s probably got a point. He doesn’t see a technical solution because he cited the enormous amounts of money and manpower intelligence agencies have compared with the measly resources of open source contributors. The Director of National Intelligence, the overseer of all US intelligence agencies, requested $53.9 billion for the National Intelligence Program’s budget in 2016. Even if a small portion of that funded domestic spying programs, that’s still a lot of money. Meanwhile, up until recently, Werner Koch who wrote GnuPG, a crucial piece of the world’s encryption software, was struggling to raise just $25,000 a year.
I’ve been struggling to understand why we Americans are either too apathetic or resigned to fight for our privacy rights. I think it’s because digital privacy is hard to understand and it’s not in-your-face spying like finding a camera in your bedroom or a GPS tracker underneath your car. Some people believe the cost of giving up their privacy is outweighed by the supposed effectiveness in stopping terrorism. In most of my conversations, people believe domestic spying is wrong but think resistance is futile. They simply say “I have nothing to hide.”
This simple statement is pernicious and damaging not just to civil society as a whole but also to our future generations. Mass surveillance isn’t an individual problem. It’s a collective problem. I don’t have anything to hide from the spooks, but that doesn’t mean I’m going to give my government a free pass for spying on its citizens. Just because I’m doing well as an individual doesn’t mean I throw the group to which I belong under the bus. We don’t live in a vacuum, and each of our actions or inactions affects those around us.
I’ve drawn a flow chart of my argument of why we should stop mass surveillance below.