Bruce Schneier, a cryptographer and author on security topics, last month took on a side gig: helping the Guardian newspaper pore through documents purloined from the U.S. National Security Agency by contractor Edward Snowden, lately of Moscow.
In recent months that newspaper and other media have issued a steady stream of revelations, including the vast scale at which the NSA accesses major cloud platforms, taps calls and text messages of wireless carriers, and tries to subvert encryption.
This year Schneier is also a fellow at Harvard’s Berkman Center for Internet and Society. In a conversation there with David Talbot, chief correspondent of MIT Technology Review, Schneier provided perspective on the revelations to date—and hinted that more were coming.
Taken together, what do all of the Snowden documents leaked thus far reveal that we didn’t know already?
Those of us in the security community who watch the NSA had made assumptions along the lines of what Snowden revealed. But there was scant evidence and no proof. What these leaks reveal is how robust NSA surveillance is, how pervasive it is, and to what degree the NSA has commandeered the entire Internet and turned it into a surveillance platform.
We are seeing the NSA collecting data from all of the cloud providers we use: Google and Facebook and Apple and Yahoo, etc. We see the NSA in partnerships with all the major telcos in the U.S., and many others around the world, to collect data on the backbone. We see the NSA deliberately subverting cryptography, through secret agreements with vendors, to make security systems less effective. The scope and scale are enormous.
The only analogy I can give is that it’s like death. We all know how the story ends. But seeing the actual details, and seeing the actual programs, is very different than knowing it theoretically.
The NSA mission is national security. How is the snooping really affecting the average person?
The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state.
We’re not there yet, but already we’ve learned that both the DEA and the IRS use NSA surveillance data in prosecutions and then lie about it in court. Power without accountability or oversight is dangerous to society at a very fundamental level.
Are you now looking at NSA documents that nobody has yet seen? Do they shed any light on whether ordinary people, and not just figures like al-Qaeda terrorists and North Korean generals, have been targeted?
I am reviewing some of the documents Snowden has provided to the Guardian. Because of the delicate nature of this, I cannot comment on what I have seen. What I can do is write news stories based on what I have learned, and I am doing that with Glenn Greenwald and the Guardian. My first story will be published soon.
Will the new stories contain new revelations at the scale we’ve seen to date?
There have been many allusions to NSA efforts to put back doors in consumer products and software. What’s the reality?
The reality is that we don’t know how pervasive this is; we just know that it happens. I have heard several stories from people and am working to get them published. The way it seems to go, it’s never an explicit request from the NSA. It’s more of a joking thing: “So, are you going to give us a back door?” If you act amenable, then the conversation progresses. If you don’t, it’s completely deniable. It’s like going out on a date. Sex might never be explicitly mentioned, but you know it’s on the table.
But what sorts of access, to what products, has been requested and given? What crypto is, and isn’t, back-doored or otherwise subverted? What has, and hasn’t, been fixed?
Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything.
NSA surveillance is robust. I have no inside knowledge of which products are subverted and which are not. That’s probably the most frustrating thing. We have no choice but to mistrust everything. And we have no way of knowing if we’ve fixed anything.
Great. So you’ve recently suggested five tips for how people can make it much harder, if not impossible, to get snooped on. These include using various encryption technologies and location-obscuring methods. Is that the solution?
My five tips suck. They are not things the average person can use. One of them is to use PGP [a data-encryption program]. But my mother can’t use PGP. Maybe some people who read your publication will use my tips, but most people won’t.
Basically, the average user is screwed. You can’t say “Don’t use Google”—that’s a useless piece of advice. Or “Don’t use Facebook,” because then you don’t talk to your friends, you don’t get invited to parties, you don’t get laid. It’s like libertarians saying “Don’t use credit cards”; it just doesn’t work in the real world.
The Internet has become essential to our lives, and it has been subverted into a gigantic surveillance platform. The solutions have to be political. The best advice for the average person is to agitate for political change.
Hear more from Google at EmTech Digital.