Ed: Well, thank you for the introduction. I will say SXSW and the technology community – people who are in the room in Austin they are the folks that really fix things who can enforce our rights for technical standards. Even when Congress hadn’t yet gotten to the point of creating legislation to protect our rights in the same manner. When we think about what is happening at the NSA for the past decade ________ the result has been an adversarial internet. Sort of global free fire zone for governments that is nothing that we ever asked for. It is not what we want. It is something that we need to protect against. We think about the policies that have been advanced the sort of erosion of ______amendment protections the proactive seizure of communications. There is a policy response that needs to occur. There is also a technical response that needs to occur. It is the development community that can really craft the solutions and make sure we are safe.
The NSA the sort of global mass surveillance that is occurring in all of these countries. Not just the US it is important to remember that this is a global issue. They are setting fire to the future of the internet. The people who are in this room now you guys are all the firefighters and we need you to help us fix this.
Ben: You heard Ed say the NSA offensive mass surveillance the manufacturing of vulnerabilities is setting fire to the future of the internet. Do you want to comment on that?
Chris: Sure. So many of the communications tools that we all rely on are not as secure as they could be. Particularly for the apps and services that are made by small companies and small groups of developers security is often an afterthought if it is a thought at all. And really what that has done is enable global passive surveillance by the US but by other governments too. What I think has been the most lasting impression for me from the last eight months is the fact the real technical problems the NSA seems to have are not how do we get people’s communications but how do we deal with the massive amount of communication data that we are collecting. The actual collection problem doesn’t seem to be a bottleneck for the NSA. That is because so many of the services that we are all relying on are not secure by default. I really think for this audience one of the things we should be thinking about and hopefully taking home is we need to lock things down. We need to make services secure out of the box and that is going to require a rethink by developers. It is going to require the developers to start to think about security early on rather than later on down the road.
Ben: Let me pick up on that. Ed, you submitted written testimony last week to the European Parliament. I want to quote a very short part of that and have you elaborate on it. You said in connection with mass surveillance the good news is that there are solutions. The weakness of mass surveillance is that it can very easily be made much more expensive through changes in technical standards. What kind of changes were you talking about and how can we ensure that we make mass surveillance more expensive and less practical?
Ed: The primary challenge that mass surveillance faces from any agency and any government in the world is not just how do you collect the communications as they cross the wires and find their way through the network, but how do you interpret them? How do you understand? How do you _____back down and analyze them? And ____ at least the easiest to _____ basis by encryption. There are two methods of encryption that are generally used. One is deeply problematic. One of those is what is called key _____ it is sort of what we are using with like Google type services ____ type services right now where I encrypt a video chat and I send it to Google. Google decrypts it and re-encrypts it to you guys. End to end encryption where it is from my computer directly to your computer makes mass surveillance impossible at the network level without a encrypting _____ and they are very expensive. By doing end to end encryption you force what they are called ______ global passive adversaries to go for the end points that is the ____ computers. And the result of that is a constitutional, more carefully overseeing sort of intelligence gathering model. Where if they want to gather somebody’s communications they have to target them specifically. They can’t just target everybody all the time and then when they want to read your stuff they go back in a time machine and say what did they say you know in 2006. They can’t pitch exploits in every computer in the world without getting caught. That is the value of end to end encryption and that is what we need to be thinking about. We need to go how can we enforce those protections in a simple, cheap, effective way that is invisible to users. I think that is the ____.
Ben: Chris, one of the problems with end to end encryption is that many of us get email service from advertising companies that need to be able to read the emails in order to serve us targeted ads. But what are steps that even a company like Google that is an advertising company but companies like that can do to make mass surveillance more difficult? Are there things or do we need new business models to accomplish what Ed is talking about?
Chris: In the last eight months the big Silicon Valley technology companies have really improved their security in a way that was surprising to many of us who have been urging them for years to do so. It took Yahoo – Yahoo was kicking and screaming the whole way but they finally turned on SSL encryption in January of this year after Bart Gellman and Ashkan Sholtani shamed them on the front page of the Washington Post. The companies have locked things down but only in a certain way. They have secured the connection between your computer and Google’s server or Yahoo’s server or Facebook’s server, which means that governments now have to go through Google or Facebook or Microsoft to get your data. Instead of getting it with AT&T’s help or Verizon’s help or Comcast’s or any party that watches the data as it goes over the network. I think it is going to be difficult for these companies to offer truly end to end encrypted service simply because it conflicts with their business model. Google wants to sit between you and everyone you interact with and provide some kind of added value. Whether that added value is advertising or some kind of information mining. Improved experience telling you when there are restaurants nearby where you can meet your friends. They want to be in that connection with you and that makes it difficult to secure those connections.
Ben: Is this the right time for a shout out to Google that is in this conversation with us right now?
Chris: So loo the irony that we are using Google Hangouts to talk to Ed Snowden has not been lost on me or uh our team here. And I should be clear – we are not getting any advertising support from Google here. The fact is that the tools that exist to enable secure end to end encrypted video conferencing are not very polished and particularly when you are having a conversation with someone who is in Russia and who is bouncing his connection through several proxies the secure communications tools tend to break. This in fact I think reflects the state of – the state of play with many services. You have to choose between a service that is easy to use and reliable and polished or a tool that is highly secure and impossible for the average person to use. I think that reflects the fact that the services that are used by large companies with the resources to put 100 developers on the user interface those are the ones that are not optimized for security and the tools that are designed with security as the first goal are typically made by independent developers and activists and hobbyists and they are typically tools made by geeks for geeks.
What that means is the regular users have to pick. They have to pick between a service they cannot figure out how to use or a service that is bundled with their phone or bundled with their laptop and works out of the box. And of course rational people choose the insecure tools because they are the ones that come with the devices they buy and work and are easy for people to figure out.
Ben: Let’s bring Ed back into this. In a way, this whole affair began with Glenn Greenwald not being able to use PGP which is somewhat of a joke in the tech community, but really not outside of the tech community. PGP is not easy to install. It is not easy to use. Using Tor, using Tails I feel like I need new IT support in my office just to be able to do this work. So you know you are addressing an audience that includes a lot of young technologists. Is there a call to arms for people to make this stuff more useable so that not only technologists can use it?
Ed: There is. I think we are actually seeing a lot of progress being made here. Whisper systems _____ of the world are focusing on new user experience, new UIs and basically ways for us to interact with cryptographic tools. This is the way it should be. What happens ____ the user it happens by default. We want secure services that aren’t opt in. It has to pass the Greenwald test. Any journalist in the world gets an email from somebody saying hey I have something the public might want to know about they need to be able to open it. They need to be able to access that information. They need ____ communications whether they are a journalist or an activist. This is something that people need to be able to access. The way we interact right now is not good. If you have to go to the command line people aren’t going to use it. If you have to go three menus deep people aren’t going to use it. It has to be out there. It has to happen automatically. It has to happen seamlessly. And that is ____.
Ben: Who are we talking to now, Chris? Are we talking to technology companies? Are we talking to foundations to support the development of more usable security? Are we talking to developers? Who is the audience for this call to arms?
Chris: I think the audience is everyone. But we should understand that most regular people are not going to go out and download an obscure encryption app. Most people are going to use the tools that they already have. That means that they are going to be using Facebook or Google or Skype. A lot of our work goes into pressuring those companies to protect their users. In January of 2010 Google turned on SSL. The lock icon on your web browser. They turn it on by default for Gmail and it previously had been available. It was available through an obscure setting. The 13 of 13 – 13 of 13th configuration options. Of course no one had turned it on. When Google turned that option on suddenly they made passive bulk surveillance of their users communications far more difficult for intelligence agencies. They did so without requiring that their users take any steps. One day their users just logged into their mail and it was secure. That is what we need. We need services to be building security in by default and enabled without any advanced configuration.
That doesn’t mean that small developers cannot play a role. There are going to be hot new communications tools. WhatsApp basically came out of nowhere a few years ago. What I want is for the next WhatsApp or next Twitter to be using encrypted end to end communications. This can be made easy to use. This can be made useable but you need to put a team of user experience developers on this. You need to optimize. You need to make it easy for the average person. If you are a start up and you are working on something bare in mind that it is going to be more difficult for the incumbents to deliver secure communications to their users because their business models are built around advertising supported services. You can more effectively and more easily deploy these services than they can. I think if you are looking for an angle here I think we are slowly getting to the point where telling your customers hey, $5.00 a month for encrypted communications no one can watch you. I think that is something that many consumers may be willing to pay for.
Ed: If I could actually ____ on that real quick. One of the things I would say to a large company is not that you can’t collect any data it is that you should only collect the data and hold it for as long as necessary for the operation of the business. Recently _____ one of the security ____ hacked and they actually stole my passport my passport and my registration forms and posted them to the internet when they faced the site. Now I submitted those forms back in 2010. Why were those still on a web facing server? Was it still necessary for business? That is a good example of why these things need a job. Whether you are Google or Facebook you can do these things in a responsible way where you can still get the value out of these that you need to run your business. _____ without the users ____.
Ben: So we didn’t have great audio here on that response, but what Ed was saying is that even companies whose business models rely on them to collect and aggregate data you don’t need to store it indefinitely once his primary use had been accomplished. His example was that some company was hacked and they found some of his data from four years ago. That clearly there was no business reason for them to still to be holding onto.
Let’s switch gears a little bit. Last week, Ed, General Keith Alexander who heads the NSA testified that he believes that the disclosures of the last eight months have weakened the country’s cyber defenses. Some people might think there is a pot and a kettle problem coming from him but what was your response to that testimony?
Ed: So it is very interesting to see officials like Keith Alexander talking about damage that has been done to the defense of our communications. Because more than anything there have been two officials in America who have harmed our internet security and actually our national security so much of our country’s economic success is based on our intellectual property. It is based on our ability to create and share and communicate and compete. Now those two officials are Michael Hayden and Keith Alexander, two directors of the National Security Agency in the post 9/11 era who made a very specific change. That is they elevated offensive operations that is attacking over the defense of our communications. They began ____ the protections of our communications. This is a problem for one primary reason – that is America has more to lose than everyone else when an Attack ______ when you are the one country in the world that has sort of a vault that is more full than anyone else’s it doesn’t make sense because if you attack it all day you never defended ______ and it makes even less sense when the standards for vaults worldwide to have a backdoor anyone can walk into. When he says these things have weakened national security no these are improving our national security. These are improving our national security. These are improving the communications not just around _____but everyone in the world because we rely on the same standards. We rely on the ability to trust our communications. Without that we don’t have anything. Our economy cannot succeed.
Ben: Chris, Richard Clarke testified a few weeks back it is more important for us to defend ourselves against attacks from China than to attack China using our cyber tools. I don’t think everybody understands there is any tension whatsoever with those two goals. Why are they in opposition to each other.
Chris: As a country we have public officials testifying in Washington saying that cyber security is now the greatest threat this country faces. Greater than terrorism. We have had both the director of the FBI and the director of National Intelligence say this in testimony to Congress. I think it is probably true that we face some sort of cyber security threat. I think that our systems are not as safe as they could be and we are all vulnerable to compromise in one way or another. What is clear is that this government isn’t really doing anything to keep us secure and safe. This is a government that has prioritized for offense rather than defense. You know, if there were 100% increase in murders in Baltimore next year the chief of police of Baltimore would be fired. If there were a 100% increase in phishing attacks successful phishing attacks where people’s credit card numbers get stolen, no one gets fired. As a country we have basically been left to ourselves. Every individual person is left to fend for themselves online and our government has been hoarding information about information security vulnerabilities. In some cases there was a disclosure in the New York Times a report in the New York Times last fall revealing the NSA has been partnering with US technology companies to intentionally weaken the security of the software that we all use and rely on. The government has really been prioritizing its efforts on information collection. There is this fundamental conflict there is tension that a system that is secure is difficult to surveil and a system that is designed to surveil is a target waiting to be attacked. Our networks have been designed with surveillance in mind.
We need to prioritize cyber security and that’s going to mean making surveillance more difficult. Of course the NSA and our partners in the intelligence world are not crazy about us going down that path.
Ben: So Ed, if the NSA is willing to take these steps that actually weaken security, that spread vulnerabilities that make it in some sense easier not just for us to do surveillance but for others to attack they must think there is an awfully good reason for doing that. That there are bolt collection programs that these activities facilitate the collected ____ _mentality that it really works. This is a very, very effective surveillance method that is keeping us safe. You sat on the inside of the surveillance systems for longer than people realize. Do these mass surveillance programs do what our intelligence officials promise to Congress that they do? Are they effective?
Ed: “They are not. That is actually something I’m a little bit sympathetic to and we got to turn back the block a little bit and remember that they thought ___ was a great idea but no one had done it before, at least publicly. So they went “hey! we can spy on the world all at once. It will be great, we’ll know everything.” But the reality is, when they did it, they found out that it didn’t work. But it was a ___ so successful in collecting data. So great at the contract that no one wanted to say no. But the reality is now, we have reached point where a majority of people’s telephone communication are being recorded – we got all these metadata that are being stored – years and years. But two independent White House investigations found that it is has not helped us at all, have not helped us. Beyond that, we got to think about what are we doing with those resources, what are we getting out of that? As I said in our European Parliament testimony, we’ve actually have tremendous intelligence failures because we’re monitoring the internet; we’re monitoring, you know, everybody’s communications instead of suspects’ communications. That lack of focus have caused us to miss news we should have had. Tamerlan Tsarnaev, the Boston Bombers. the Russians have warned us about it. But we didn’t a very poor job investigating, we didn’t have the resources, and we had people working on other things. If we followed the traditional model, we might have caught that. Umar Farouk Abdulmutallab the underwear bomber, same thing. His father walked into a US Embassy, he went to CIA officer and said my son is dangerous. Don’t let him go to your country. Get him help. We didn’t follow up, we didn’t actually investigate this guy. We didn’t get a dedicated team to figure what was going on because we spent all of this money, we spent all of this time hacking into Google and Facebook to look at their data center. What did we get out of that? We got nothing. And there are two White House investigations that confirm that.
Ben: Chris, if as Ed says these bulk collection programs are not that effective, the resources that go into this would be better directed at targeted surveillance. Why are they dangerous?
Chris: Why are they dangerous? Because the government is collecting, is creating this massive database of everyone’s private information. In an NSA building somewhere probably in Maryland there is a record of everyone who has ever called an abortion clinic, everyone who has called an Alcoholics Anonymous hotline, anyone who has ever called a gay bookstore. And they tell us don’t worry we aren’t looking at it or we aren’t looking at it in that way. We aren’t doing those kinds of searches but I think many Americans would have good reason to not want that information to exist. I think regardless of which side of the political spectrum you are you probably don’t want the government to know that you are calling an abortion clinic or calling a church or calling a gun store and you may think quite recently, that is none of the government’s business. I think when you understand that the government can collect this information on this scale they can hang onto it and figure out uses for it down the road I think many Americans are quite fearful of this slippery slope this surveillance that happens behind closed doors. Even if you trust this administration that we have right now you know the person who sits in the oval office changes every few years. You may not like the person who is going to sit there in a few years with that data that was collected today.
Ben: Ed, we lost you for a moment. Can you still hear us?
Ed: I can hear you.
Ben: Okay. Just before this began I got an email from Sir Tim Burners Lee the creator of the world wide web who asked for the privilege of the first question to you. I think I am willing to extend that to him. He wanted to thank you. He believes that your actions have been profoundly in the public interest.
Ed: Thank you.
Ben: That was applause if you couldn’t hear it. He asks if you could design from scratch an accountability system for governance over national security agencies what would you do? It is clear that intelligence agencies are going to be using the internet to collect information from all of us. Is there any way we can make oversite more accountable and improved?
Ed: You know that is a very interesting question. It is also a very difficult question. Oversight models these are things that are very complex. They have a lot of moving parts. And when you add in secrecy you add in public oversight it gets complex. We have got a good starting point. That is what you have to remember. We have an oversight model that could work. The problem is we overseers aren’t interested in oversight. When we’ve got seven intelligence communities, house intelligence communities that are _____ to the NSA instead of holding them accountable. When we have James Clapper the director of National Intelligence in front of them and he tells a lie that they all know is a lie because they are rigged on the program because they have the questions a day in advance. And no one says anything. Allowing all Americans to believe this is a true answer. That is an incredible dangerous thing. That’s the ____. When I would say how do we fix our oversight model, how do we structure the oversight model that works. The key fact is accountability. We can’t have officials like James Clapper who can lie to everyone in the country. Who can lie to the Congress and face no not even – not even a criticism. Not even a strong worded letter, the same thing with courts. In the United States we have open courts that are supposed to decide and settle constitutional issues to interpret and apply the law. We also have the FISA court which is a secret rubber stamp court. But they are only supposed to approve warrant applications. These happen in secret because you don’t at want people to know hey the government wants to surveil you. At the same time a secret court shouldn’t be interpreting the constitution when only NSA’s lawyers are making the case on how it should be viewed. Those are the two primary factors that I think need to change.
The other thing is we need public advocates. We need public representatives. We need public oversight. Some way for trusted public figures sort of civil rights champions to advocate for us and protect the structure and make sure it is been fairly applied. We need a watch dog that watches Congress. Something that can tell us hey these guys didn’t tell you that he just lied to you. Because otherwise how do we know? If we are not informed we can’t consent to these policies. And I think that is danger.
Ben: For what it’s worth my answer to Sir Tim is Ed Snowden. Before these disclosures all three branches of our government had gone to sleep on oversight. The courts had thrown cases out as he said, Congress allowed itself to be lied to. The executive branch did no reviews. Since Ed Snowden and since all of us have been read into these programs we are actually seeing reinvigorated oversight. It is the oversight that the constitution had in mind, but sometimes it needs a dusting off. And Ed has been the broom.
Chris: I just wanted to also note that without Ed’s disclosures many of the tech companies would not have improved their security either at all or at the rate that they did. The PRISM story although there was a lack of clarity initially on what it really said, put the names of billion dollar American companies on the front page of the newspaper and associated them with bulk surveillance. You saw the companies doing everything in their power publicly to distance themselves and also show that they were taking security seriously. You saw companies like Google and Microsoft and Facebook rushing to encrypt their data center to data center encryption. Connections rather. You saw companies like Yahoo finally turning on SSL encryption, Apple fixed a bug in its address book app that allowed Google users’ address books to be transmitted over networks in unencrypted form. Without Ed’s disclosures there wouldn’t have been as much pressure for these tech companies to encrypt their information.
There are going to be people in this audience and people listening at home who are going to think what Ed did was wrong. But let me be clear about one really important thing; his disclosures have improved internet security. And the security improvements we have gotten haven’t just protected us from bulk government surveillance. They have protected us from hackers at Starbucks who are monitoring our wifi connections. They have protected us from stalkers and identity thieves and common criminals. These companies should have been encrypting their information before and they weren’t. And it really took you know, unfortunately the largest and most profound whistle blower in history to get us to the point where these companies are finally prioritizing the security of their users’ communications between them and the companies, but we all have Ed to thank for us. I really just cannot emphasize enough without him we would not have Yahoo users getting SSL. We would not have this data going over the network in encrypted form. It shouldn’t have taken that. The company should have done it by themselves. There should have been regulation or privacy regulators who are forcing companies to do this, but that isn’t taking place. It took Ed to get us to a secure place.
Ben: Alright. Great. Remember the hashtag is askSnowden. We will take our first question. Please forgive pronunciations from Max Zurkenden. The question for Ed and Chris too – why is it less bad if big corporations get access to our information instead of the government? Ed, did you hear it?
Ed: Yes. I – I did. This is something that has actually been debated. We see people’s opinions – people’s sort of responses to this evolving which is good. This is why we need to have these conversations because we don’t know. Right now, my thinking, I think the majority’s thinking is that the government has the ability to deprive you of rights. Governments around the world whether it is the United States government, whether it is the Yemeni government whether it is Zair any country they have police powers, they have military powers, they have intelligence powers they can literally kill you, they can jail you, they can surveil you. Companies can surveil you to sell you products, to sell you information to other companies. That can be bad, but you have legal records. First off, it is typically a voluntary contract. Secondly, you have got court challenges you could use. If you challenge the government about these things and the ACLU itself has actually challenged some of these cases, but government throws it out on state secrecy and says you can’t even asked about this. The courts aren’t allowed to tell us whether it is legal or not because we are just going to do it anyway. That’s the difference and it is something we need to watch out for.
Ben: Chris, do you want to address it or should we take the next question?
Chris: Sure. Just quickly. I am not crazy about the amount of data that Google and Facebook collect. Of course, everything they get the government can come and ask for too. There is the collection that the government is doing by itself and then there is the data that they can go to Google and Facebook and force them to hand over. We should remember that the web browser you are most likely using, the most popular browser right now is Chrome, most popular mobile operating system is now Android, many of the tools that we are using whether web browsers or operating systems or apps are made by advertising companies. It is not a coincidence that Chrome is probably a less privacy preserving browser. It is tweaked to allow data collection by third parties. The Android operating system is designed to facilitate disclosure of data to third parties. Even if you are okay with the data the companies are collecting you should also note that the tools that we use to browse the web and the tools that ultimately permit our data to be shared or prevent it from being shared are made by advertising companies. This makes the NSA’s job a lot easier. If the web browsers we were using were locked down by default the NSA would have a much tougher time. But advertising companies are not going to give us tools that are privacy preserving by default.
Ben: Let’s take another question from Jodi Serrano. To Snowden from Spain. Do you think the US surveillance systems might encourage other countries to do the same?
Ed: Yes. This is actually one of the primary dangers not just of sort of the NSA’s activities but of not addressing and resolving the issues. It is important to remember that American’s benefit profoundly from this. Because again as we discussed we got the most to lose from being hacked. At the same time every citizen in every country has something to lose. We all are at risk of unfair, unjustified, unwarranted interference in our private lives. Throughout history we have seen governments sort of repeat the trend where it increased and they get to a point where they have crossed the line. We don’t’ resolve these issues if we allow the NSA to continue unrestrained. Every other government the international community will accept this as a sign, as the green light to do the same. And that is not what we want.
Chris: I mean I think there is a difference between surveillance performed by the NSA and surveillance performed by most other governments. It is not really illegal it is more of a technical one. That is the whole world sends their data to the United States. Americans are not sending their data to Spain, Americans are not sending their photographs to France. This means that the US because of Silicon Valley because of the density of tech companies throughout the country the US enjoys an unparalleled intelligence advantage that every other government just doesn’t have. And if want the rest of the world to keep using US tech companies. If we want the rest of the world to keep trusting their data to the United States then we need to respect them. We need to respect their privacy and the way that we protect the privacy of Americans right now. I think the revelations over the past eight months have given people of other countries very reasonable reason to question whether they should be trusting their data to United States companies. I think we can get that trust back through legal changes. I think tech companies can also do a lot to get that trust back by employing encryption and other privacy technologies. The best way to get your user’s trust is to be able to say when the government comes to you sorry we don’t have the data or sorry we don’t have the data in a form that will be of any use to you. That is how you win back the trust of people in Brazil and Germany and people around the world.
Ben: So let me just cut in with a question here. I do think that a certain degree of perhaps hopelessness may have crept in to the global public with this constant constant of stories about the the NSA’s capabilities the GCHQ’s capabilities and activities. All the ways to get around defenses. Chris I hear you and Ed going back to encryption again and again as being something that still works. Maybe if you take a moment Ed after the discussions we have had about how NSA has worked to weaken encryption should people still be confident that the basic encryption that we use protects us from surveillance or at least mass surveillance?
Ed: Right. The bottom line I have repeated this again and again is that encryption does work. We need to think of encryption not as this sort of arcane black art. What is sort of a basic protection it is a defense against the dark arts for the digital realm. This is something we all need to be not only implementing but actively researching and improving on an academic level. The grad students of today and tomorrow need to keep today’s threat on online to inform tomorrows. We need all those brilliant Belgian cryptographers to go alright we know that these encryption algorithms we are using today work typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them ____ how can we test them? This is _____ it is not going to go away tomorrow, but it is the steps we take today. The moral commitment. The philosophical commitment, the commercial commitment to protect and enforce our liberties through technical standards to allow us to reclaim the open and trusted.
Ben: Chris, very briefly, you hang out with cryptographers. They are not happy campers these days.
Chris: No. Of all the stories that have come out the one that has had the biggest impact in the security community is the story – is the news that the NSA has subverted the design of cryptographic and random number generator algorithms. I think it is fair to say there is a group in the cryptographic community now who have become radicalized as a result of these disclosures and cryptographers actually can be radicals. They are not just mild mannered people. We should remember that regular consumers do not pick their own encryption algorithms. Regular consumers just use the services that are provided to them. The people that pick the crypto that pick particular algorithms, pick the key sizes they are the security engineers at Google and Facebook and Microsoft. And the cryptographers who are working with open source projects. And those people are all really pissed. And I think that’s good. Those people should be mad and those people can make a difference. The fact that these disclosures have so angered the security community I think is a really good sign. Ultimately, the tools that come out in six months or a year or two years are going to be far more secure than they were before. That is because that part of a tech community feel like they were lied to.
Ben: Let’s take a couple of more questions from Twitter. Melissa Nixsik I hope. What steps do you suggest the average person take now to ensure a more secure digital experience? Is there anything we can do on individual level to confront the issues of mass surveillance that we are talking about today. Ed, it’s okay if the answer is no.
Ed: There are basic steps it is a really complicated subject matter today. And that is the difficulty. Again it is the Glenn Greenwald test. How do you answer this? For me there are a couple of key technologies; there is full disk encryption to protect your actual physical computer and devices in case they are seized. Then there are network encryption which are things like SSL that added sort of transparency we can’t help that. You can install a couple of browser plug ins. NoScript to block Active X attempts in the browser, Ghostery to block ads and tracking cookies. But there is also TOR, TOR is a mixed routing network which is very important because it is encrypted from the user through the ISP to the end of sort of a cloud a network of routers that you go through. Because of this your ISP, your communications provider can no longer spy on you by default. The way they do now, today when you go to any website. By using TOR you shift their focus to either attacking the TOR cloud itself which is incredible difficult, or to try to monitor the exits from TOR and the entrances to TOR and then try to figure out what fits. And it is very difficult. Those basic steps will encrypt your hardware and you encrypt your network communications you are far, far more hardened than the average user – it becomes very difficult for any sort of a mass surveillance. You will still be vulnerable to targeted surveillance. If there is a warrant against you if the NSA is after you they are still going to get you. But mass surveillance that is untargeted and collect-it-all approach you will be much safer.
Ben: You know, when there is a question about average users and the answer is TOR we have failed.
Chris: We failed.
Chris: I will just add to what Ed said in saying that a privacy preserving experience may not be a secure experience and vice versa. I am constantly torn. I personally feel like Firefox is the more privacy preserving browser, but I know that Chrome is the more secure browser. I am stuck with this choice am I more worried about passive surveillance of my communications and my web browsing information or am I more worried about being attacked? I go back and forth on those. I think until we have a browser or a piece of software that optimizes for both privacy and security I think users are going to be sort of stuck with two bad choices. I’ll just note that in addition to what Ed said I mean I really think that consumers need to rethink their relationship with many of the companies to whom they entrust their private data. I really think what this comes down to is if you are getting the service for free the company isn’t going to be optimizing your experience with your best interest in mind. I am not going to say if you are not paying for the product you are the product. We pay for our telephone calls, we pay for our wireless service and those companies still treat us like crap. But you know if you want a secure online back up service you are going to have to pay for it. If you want a secure voice or video communications product you are going to have to pay for it. That doesn’t mean you have to pay thousands of dollars a year, but you have to pay something so that company has a sustainable business model that doesn’t revolve around collecting and monetizing your data.
Ben: Okay. We have another question about encryption from Sean. Isn’t it just a matter of time before NSA can decrypt even the best encryption? I am particularly interested in your answer to this in light of your confidence that data that you were able to take is secure and has remained secure.
Ed: Let’s put it this way – the United States government has assembled a massive investigation team into me personally, into my work with journalists and they still have no idea you know what – what documents were provided to the journalists, what they have, what they don’t have. Because of encryption works. Now the only way to get around that, is to have a computer that is so massive and so powerful you can work the entire universe into the energy power into this decryption machine and they still might not be able to do it. Or you break into the computer and try to steal their keys and bypass the encryption. That happens today and that happens every day. That is the way around it.
Now, there are still ways to protect and encrypt data that no one can break. That is by making sure the keys are never exposed. If the key itself can’t be observed the key can’t be stolen. THe encryption can’t be ______. And any cryptographer any mathematician in the world will tell you that the math is sound. The only way to get through encryption on a target basis particularly when you start railing encryption, not using one algorithm but every algorithm you are using _____ you are using all kinds of sophisticated techniques to make sure that no one person, no single point of failure exist there is no way in there is no way around it. That is going to continue to be the case I think until our understanding of mathematics and physics changes fundamentally.
Chris: I will just add that –
Ed: If I could follow up on that I would say the US government’s investigation supports that. We have both public and private acknowledgements that they know at this point the Russian government, the Chinese government any other government has possession of any of this information. And that would be easy for them to find out. Remember these are the guys that are spying on everyone in the world. They have got human intelligence assets embedded in these governments. They have got electronic signal assets in these governments. If suddenly the Chinese government knew everything the NSA is doing we would notice the changes. We would notice the changes, we would see official communicating and our assets will tell us hey somewhere they have a warehouse they put you know, a thousand of their most skilled researchers in there. That has never happened and it is never going to happen.
Chris: I will just add that I think Ed’s right. If the government really wants to get into your computer if they want to figure out what you are saying and who you are saying it to they will find a way. But that won’t involve breaking the encryption that will involve hacking into your device. Whether your phone or your laptop they will take advantage of either vulnerabilities that haven’t been patched or vulnerabilities that no one knows about. But hacking technologies don’t scale. If you are a target of the NSA it is going to be game over no matter what. Unless you are taking really, really sophisticated steps to protect yourself – but most people that will be beyond their reach. But encryption makes bulk surveillance too expensive. Really the goal here isn’t to blind the NSA. The goal isn’t to stop the government from going after legitimate surveillance targets. The goal here is to make it so that they cannot spy on innocent people because they can’t. RIght now so many of our communications our telephone calls, our text messages, our emails, our instant message are just there for the taking. And if we start using encrypted communication services suddenly it becomes too expensive for the NSA to spy on everyone. Suddenly they will need to actually have a good reason to dedicate those resources to either try and break the encryption or to try and hack into your device. So encryption technology even if imperfect has the potential to raise the cost of surveillance to the point that it no longer becomes economically feasible for the government to to spy on everyone.
Ben: Can we get another question on the screen from Twitter? Please? Thanks. Okay. Good question from David Myer. Is it possible to reap the benefits of big data on a societal level while not opening ourselves to constant mass surveillance? How do we enjoy the scientific benefits even some of the commercial benefits of this without turning ourselves into a dystopian surveillance state? In two minutes or less. Ed?
Ed: This is a really difficult question. There are a lot of advancements in things like encrypted search to make the data unreadable format, or supply warrants or something. But in general it is a difficult problem. The bottom line is data should not be collected without people’s knowledge and consent. If data is being clandestinely acquired and the public doesn’t have any way to review it and it is not legislatively authorized, it is not reviewed by courts, it is not consonant with our constitution that is a problem. So if we want to use that it makes the result of a public debate which has been ______ –
Ben: Chris, you want to take on that question?
Ben: We have another question that is about everyday users. Maybe you can give us another one because I think we have answered this one. Friends, backstage? Okay. From Tim Shurack[ph] Wasn’tSA mass surveillance the solution – Chris can you read that?
Chris: Wasn’t NSA’s mass surveillance a solution to the internet driven by privatization and the handing over of our signals intelligence analysis to SCIC – isn’t this a result of letting contractors in to run the show?
Ed: So the problem is when the NSA gets a pot of money they don’t typically develop the solutions themselves. They bring in a bunch of contractors the _____ SCIC’s the khakis they say hey what can you guys do for us? What solutions are you working on and they get the gigantic _____ works. And the problem is you got contractors and private companies at that point influencing policy. It was not uncommon for me at the NSA as a private employee to write the same point papers and kind of policy suggestion that I get as an official employee of the government at the CIA. The problem with that is you have people who aren’t accountable. They have no sort of government recourse against them who are saying yes let’s do that, let’s put all this money in mass surveillance _____pitch but it doesn’t serve the public interest. One thing you’ve seen recently is the government has gone and changed their talking points. They have moved their verbiage away from public interest into national interest. We should be concerned about that because with national interest talking about the state becomes distinct from the public interest, what benefits the people. We really are at the point where we have to marry those up or it gets harder and harder to control and we risk losing control of a representative democracy.
Ben: So Ed maybe let me ask you what will turn out to be a final question – in your early interviews with Glenn Greenwald and Laura Poitras you said that your biggest fear was that there would be little or no reaction to these disclosures. Where you sit now how satisfied are you with the global debate that you helped to launch and do you feel that it was worth the price that you’ve paid in order to bring us to this moment?
Ed: When I came public with this it wasn’t so i can sort of single-handedly change the government, tell them what to do and override what the public thinks was ____. What I wanted to do was inform the public so they could make a decision and provide their consent for what we should be doing. And the results of these revelations, the results of all the incredible responsible and careful reporting that by the way have been coordinated with the government, and the government never said any single one of these stories have risk a human life. The result is that the public has benefited, the government has benefited, and every society in the world has benefited. We are in secure place. We have more secure communications. And we are going to have a better sort of civic interaction as a result of understanding what’s being done in our name and what’s being done against us. And so when it comes to will I do this again, the answer is absolutely yes. Regardless of what happens to me, this is something we had the right to know. I took an oath to support and defend the constitution and I saw that the constituted was violated on a massive scale. The interpretation of the 4th amendment has been changed (clap). Thank you. The interpretation of the constitution has been changed in secret from no unreasonable search and seizure to hey, any seizure is fine, just don’t search it. That is something that the public ought to know about.
Ben: You can see behind Ed isa green screen of is that Article 1 of the constitution?
Ed: That is correct.
Ben: We the people – there is another organization here that is also interested in the constitution. I would be remiss if I didn’t say to all of you that the ACLU has a table – table 1144. I promise that it will not all be about surveillance. There will also be marijuana. So please come and say hi to us if you are not members of the ACLU it is cheap to sign up. We have ACLU whistles. We have t-shirts that you can get with membership. You can talk to me and CHris a little bit more about the work we are doing and our other ACLU colleagues. And with that I would really like all of us to thank Ed Snowden for choosing this venue for this conversation.
Ed: Thank you all very much.
# # #