As I See It: The Sleeping Giant

It was high noon at the SXSW corral. Ed Snowden, seated before an enlarged image of the constitution (ours, not Russia’s) called out the tech community. Of course it’s hard to sound intimidating when you’re calling people out from an undisclosed location through seven proxies. But in a time when speaking the truth is considered seditious, extreme caution has become de rigueur.

Snowden’s message was simple, although the telling of it is fraught with complexities. His famous/infamous (chose your modifier) revelations about the NSA’s drift toward global Big Brotherhood have been met with applause and condemnation. Hero/traitor, courageous/cowardly: how software developers judge Snowden’s actions will determine how receptive they will be to his message. Stated simply, Snowden believes that the tech community is the last line of defense. It is the responsibility of developers, he said, “to craft the solutions and make sure we are safe.”

My guess is that the techies didn’t require a lot of convincing because the NSA not only messed with their data, but with the integrity of their software, which is the digital equivalent of scribbling a mustache on the Mona Lisa and hoping the artist doesn’t mind.

In truth, developers contributed to the Hoovering of personal information by frequently relegating security to an afterthought. That, coupled with a widely exploited business model that monetizes personal data, ensured that bulk data collection could proceed with little impediment. As Chris Soghoian of the ACLU noted, “the real technical problems the NSA seems to have are not how do we get people’s communications, but how do we deal with the massive amount of data that we are collecting.”

Fortuitously, storage and retrieval are not the only weaknesses of mass surveillance. Ben Wizner, Snowden’s attorney (who along with Soghoian hosted the video conference with the felon in exile), noted that snooping “can very easily be made much more expensive through changes in technical standards.”

Snowden advocates end-to-end encryption, which would make network-level surveillance extremely lugubrious if not altogether impossible. If the NSA “wanted to gather somebody’s communications,” says Snowden, “they would have to target them specifically.” In other words, it would either have to pilfer the encryption key, or gain access to the decrypted data on the target computer. Snowden doesn’t doubt the NSA is capable of such things, but argues that individual targeting would be more conducive to legal oversight.

But who oversees the overseers? The hush-hush Foreign Intelligence Surveillance Court presently only hears testimony from the Justice Department and, like a Downton Abbey footman, it is there to serve its masters. Since 9/11, its function surreptitiously expanded from its original task of approving wiretap requests to blessing the bulk collection of phone calls and emails. And while irrelevant public information was previously redacted before data was shared with other agencies, now unfiltered personal information is passed around like popcorn. For the intelligence community, the laws are made of Lycra, and the court stretched them to fit the expanding profile of the NSA.

General Keith Alexander, chief hunter/gatherer of the NSA, predictably condemned Snowden’s heist, testifying before Congress that a breach of cyber security is now the greatest threat facing our nation, and that Snowden’s disclosures have weakened the country’s cyber defenses. The General may be indulging in a bit of hyperbole since our networks were not designed for optimal security, and the NSA has actively sought to increase their vulnerabilities.

As the New York Times revealed last fall, the NSA has been partnering with American technology companies to “intentionally weaken the security of the software that we all use and rely on.” Soghoian correctly concludes that the government’s strategy is offensive in nature–that is, it wants the unfettered capability to spy on everyone–rather than a defensive strategy that would seek to prevent spying altogether.

But if Snowden’s revelations have not measurably slowed the conductors of the surveillance train, they have shamed their collaborators. After initial denials, then reluctant admissions of their collusion, Yahoo and Google finally turned on SSL encryption. Now, instead of snatching our data from Verizon, AT&T, or Comcast as it travels across the network, the NSA will have to get it directly from the originating service provider. Of course, Google, Facebook, and others will continue to collect our personal data but, at least for the moment, Google is not empowered to arrest us, render us to an undisclosed location in North Dakota, or deprive us of legal representation. That comes later.

The hoopla surrounding Snowden would be much more sensible if there was proof that data vacuuming actually achieved its desired end. Two White House reviews suggest that it hasn’t. We’re too busy gathering everything to focus on anything. Even when agencies receive warnings about specific people, the alerts get lost in the data shuffle. Snowden recounts that the Russians warned us about Tamerlan Tsarnaev, the Boston Bomber, to no effect. The father of Umar Farouk Abdulmutallab, the underwear bomber, actually walked into the U.S. Embassy and told a CIA officer that his son was crazy and should not be allowed into our country. So while the practice of gathering data has been enormously successful (and sometimes laughably simple), its actual usefulness remains uncertain.

As if to underscore the irony, Diane Feinstein, who fully supports having the NSA spy on the rest of us, was shocked, shocked, I tell you, to hear that the CIA was spying on her Intelligence Committee, which just happened to be investigating that same agency. If nothing else, it points out the limitations of Snowden’s impact on government.

The NSA, like the CIA, does things because it can, not because they’re legal. The agency operates in secret, its methods are covert, and access to its facilities is restricted. What makes anyone think the agency has any more respect for Congress than the American people do? It will deny, obfuscate, stonewall, and continue doing what it thinks is in the best interest of the nation. Perhaps Snowden is right and the best we can do is to make that process difficult.

Somewhere along the line, the national interest diverged from the public interest. Snowden’s lasting legacy may well be the mobilization of the tech community and the enlistment of privacy activists on behalf of the public. A clever group calling itself the 10th Amendment Center has formed a coalition to stop the NSA by, of all things, cutting off its water supply. They’ve convinced Utah’s legislators to introduce a bill to do precisely that: 1.7 million gallons of water are required daily just to cool the agency’s computers.

Legislatures in Maryland, California, Oklahoma, and Indiana have also introduced bills to thwart the NSA. Privacy is one of the few issues with the power to bring conservatives, liberals, and libertarians together.

In its commitment to security, the technology community has been a sleeping giant. By having pulled back the veil, Snowden poked the giant and provided the impetus for a new generation of secure applications that could alter the trajectory of the surveillance state. In a contest between private sector geeks and government geeks, I’ll put my money on the former. The only way the NSA wins is through legal coercion or threat of imprisonment. And if that happens, we’ve lost the war already.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot