I think all of us may have had some hazy idea that “the government”, whomever that may be where you live, was investigating all manner of things. I happen to live in the United States of America, but I know our situation is not unique. If you think back a few years, the government of India, for instance, told Blackberry that they would not let it operate in that country unless it put servers there and gave them the backdoor keys. I tend to think that may just have been the first crack the lead to Blackberry being on the verge of disappearing. Their whole selling point was that they could deliver secure communications, and India proved that governments will not tolerate secure communications. That leads me to formulate O’Brien’s First Law of Privacy:
Every government regards the privacy and freedom of its citizens as a flaw, and seeks to fix that flaw.
I am sure someone, somewhere said something similar to this previously, but until I get a citation to that effect I am claiming it. 😉 And they don’t exactly do it because they are evil, though surely some of them are. But I would imagine many of these security folks have the highest motives, and believe they are doing this “for our own good.” If they can just monitor all of the communications, surely that will let them prevent the next 9/11, or the next 7/7. And we would want them to do that, wouldn’t we? And if I thought that reading all of our communications would in fact do that without any nasty unintended consequences, I might even go along with it. But the fact is that you cannot do this without a lot of unintended consequences. One of them is that no citizen has any privacy at all. And when the government then decides, for any reason, that you are the enemy, they can crush you like a bug. And you know what? They have already decided that you are the enemy. We know that from the transcripts released by Edward Snowden. The NSA refers to the citizens of the U.S., as well as the rest of the world, as “adversaries.” So even if you don’t want to be in a conflict, they have already decided that you are.
I realize that every country is different, and we all have different cultural backgrounds. So some of the things that motivate me may not motivate all of you to the same extent. But in the U.S. we like to think that we are a free people, and that the government is limited in its powers. and many of us remember the words of Benjamin Franklin, one of our most revered Founding Fathers, who said:
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
Many of us in the U.S. would rather live as free people than have an over-bearing government looking into all of our affairs. In fact, there is an excellent argument that free speech is endangered by this. If you know that your every communication is being recorded, read, and monitored by the government you will probably censor yourself, and we see this happening now. To go to Benjamin Franklin one more time:
Freedom of speech is a principal pillar of a free government; when this support is taken away, the constitution of a free society is dissolved, and tyranny is erected on its ruins.
So that is why I think we need privacy and security from our government. And the problem is that they have gotten very good at seizing the opportunities presented to them by the bad guys. After 9/11 they were able to seize a lot of power in the U.S., and I think the same thing happened in England after 7/7. In England, home of George Orwell, author of 1984, they have been able to put cameras pretty much everywhere and most people don’t seem to find anything odd about that. These encroachments on our privacy seem to have a ratchet effect, which leads to O’Brien’s Second Law of Privacy:
The tendency over time is for government to intrude more, never less.
So every time there is a crisis more gets surrendered, and those losses become permanent. And at the next crisis they push the boundary even further, until no one has any privacy at all. Which satisfies the imperative in O’Brien’s first Law of Privacy. 😉
Now the next hurdle for many people is that they think it is no use. The government has lots of very smart scientists, they have super computers, they have massive resources to use. So it no use to even try to be private. But in fact this is not correct. Bruce Schneier, the renowned security expert, looked into some of the recent revelations about NSA activity, and reported back “You can trust the math.” The NSA or GCHQ has not achieved any kind of breakthrough that renders encryption useless. Done properly, you can have secure communications that they cannot read. And your data can be secure, you can exchange files securely, and so on. It turns out to be not that hard.
If you look at what the NSA did, it turns out that they just subverted the human side of the equation. If someone else has the keys to your stuff, all they need to do is get them to turn the keys over. And that is a lot of what the NSA did. And the rest was subverting the standards. So let’s look at the evidence. First, there was a claim that they had direct access to the servers at places like Google, Yahoo, and Microsoft. And those companies strenuously rejected that. So who is right? Well, we already had the answer if we had paid attention. The NSA did not need direct access to the servers as long as they had direct access to the data. And they can do that from the switching rooms of the telecom and network providers. We know they did this because it was exposed in 2006. Check out the history of Room 641A in the NSA’s spying program. What we can infer from this is that the NSA set up the switching rooms just outside of the companies involved and just captured all traffic in and out. And another clue is that this program is called Prism. A prism is a device for splitting a beam of light, and the NSA was splitting the traffic on optical cables and copying it all to their servers. Now, if all of this traffic was “in the clear”, i.e. unencrypted text, they have all they need. But if it was encrypted, they have a problem of needing the keys. Without the keys all they have a blob random or pseudo-random nonsense, and they are right now powerless to crack it if you do it correctly. That is what Bruce Schneier meant by “Trust the math.”
In the subverting the standards part, look at the NIST standard for Elliptical Curve Encryption. NSA participated in the formulation of this standard, and security experts who have looked at it say that it is so complicated it cannot even be assessed by them. That should be a big fat hairy clue. There is nothing wrong with Elliptical Curve Encryption as a general approach, in fact it is a distinct improvement on some current methods. But the version the NSA “guided” is most likely crippled in a way that they can use.
So the general pattern of evidence tells us the NSA cannot simply break any code. It is practical to securely encrypt your communications. And I would argue that if you place any value on freedom it is your duty to employ these methods. The only way to change what the government is doing is by resisting, and the more of us who do so the less they can do anything to stop it.
And to those who say that if you have nothing to hide you shouldn’t object to government spying, I invite you to publicly post the URL for the Web Cam you installed in your bathroom.
This is not an exhaustive list by any means, but it should give you some ideas of how to educate yourself about what is going on.
- Cory Doctorow – Cory has published some excellent books that explore the struggle between citizens and government to control our lives. Two of them are Little Brother and its sequel Homeland. You can find both at his Web site craphound.com.
- The Command Line – Thomas Gideon does this podcast, and the content varies according to his interests. But he is a strong proponent of privacy, and these topics are frequently featured. You can find it at thecommandline.net.
- The Codebreakers – David Kahn’s classic book on the history of “secret writing” was at one point considered a danger to the U.S., but really is just a good history of how folks tried to secure their communications over the millenia. If you can find it used, it is worth picking up. Currently Amazon lists it for $75.00, and I wouldn’t spend that amount for it. A more practical option might be…
- The Code Book – Simon Singh wrote this book, and it is available in convenient Kindle editions as well. Get it from Amazon, or from your local bookseller.
- The Puzzle Palace – James Banford goes inside the NSA. Look for a used copy and maybe save some cash, this one has been out for a while. But you can get it on Amazon if you prefer.
- Security Now – This podcast features Steve Gibson, usually with Leo Laporte, and is on the Twit network. Highly recommended for a non-sensational view of what is going on in the world of security, what the NSA is doing, and so on. As far as I know, Steve was the first person to correctly figure just what the NSA was doing with Prism. Subscribe to this at Twit.tv. Highly recommended.
- Hak 5 – This video podcast combines good advice on security with a distinctly hacker sensibility. Subscribe to it at hak5.org. Also highly recommended.
- Bruce Schneier – I have an autographed copy of Schneier on Security that is a treasured item on my bookshelf. Bruce is one of the top people in the field, and has published many books. Any of them are worth reading, but for our purposes I will recommend the Schneier on Security, which as always can be found on Amazon. But if you want an overview of security in general and how to think about it, you might want to check out his book Beyond Fear, which he wrote after 9/11 to counter the hysteria. He also publishes a great newsletter called The Crypto-Gram which is a monthly e-mail that costs nothing and has great information, and also has a blog, which is called Schneier on Security. Subscribe at his web site schneier.com.
- SANS Institute – http://www.sans.org is the Web site, and you can read blogs, get on a mailing list, and check out a lot of useful material.
- Krebs on Security – http://krebsonsecurity.com/ is the site, and you can read his blog to keep up on the latest security news.
OK, that seems like enough for this article. Next time, we start looking at specifics.
Listen to the audio version of this post on Hacker Public Radio!