11 March 2014
Edward Snowden at SXSW
A sends:
Snowden's text file from SXSW
http://blog.inside.com/blog/2014/3/10/edward-snowden-sxsw-full-transcription-and-video
The ACLU posted a Youtube video of the whole 1 hour plus conversation and
the playback is all messed up. You can imagine how this was "manufactured",
really the word is probobly altered.
https://www.youtube.com/watch?v=CPrDqoaHHSY&feature=share
Edward
Snowden SXSW: Full Transcription and Video
MAR
10, 2014
As a service to the public and fellow news junkies, we transcribed Snowden's
SXSW conversation today. For the Inside live blog, including video clips,
click
here.
Ben Wizner: Okay. I think we’ll get started. There
wasn’t a lot of applause when we came on stage. I guess you are here
to see somebody else. My name is Ben Wizner I’m joined by my colleague
Chris Soghoian from the ACLU. And maybe we can bring up on screen the main
attraction.
Edward Snowden: Hello.
Ben: With his very clever green screen. Please bear with
us today. The technology may have some kinks. The video may be a little bit
choppy. Our friend is appearing through seven proxys so if the video is a
little slow - you are joining us for the event that one member of Congress
from the great state of Kansas hoped would not occur. He wrote to the organizers
of SXSW urging them to rescind the invitation to Mr. Snowden. The letter
included this very curious line, “The ACLU would surely concede that
freedom of expression for Mr. Snowden has declined since he departed American
soil.” Now no one disputes that freedom of expression is stronger here
than there but if there is one person for whom that is not true, it’s
Ed Snowden. If he were here in the United States he would be in a solitary
cell subject to special administrative measures that would prevent him from
communicating to the public and participate in the historic debate that he
helped launch. We are really delighted to be here.
One more bit of housekeeping as I’m sure most of you know you can ask
questions for Mr. Snowden on Twitter using the hashtag asksnowden some group
of people back stage will decide which of these questions we see here and
will try to leave at least 20 minutes or so for those questions.
As I said, Ed Snowden’s revelations and courageous journalism of people
like Bart Gellman who you heard and Glen Greenwald, Poitras and others has
really launched an extraordinary global debate. You might think of that debate
as occurring over two tracks. There is a debate in Washington in the halls
of power about law and policy about what democratic controls we need to rein
in NSA spying. That takes place in courts that are considering the legality,
the constitutionality of these programs in the legislature considering
legislation. There is a very different conversation that you hear in conference
rooms in technology companies. Particularly among people working on security
issues. And those people are talking less about the warrant requirement for
meta data and more about why the hell the NSA is systematically undermining
common encryption standards that we all use. Why is the NSA targeting
telecommunications companies, internet companies, hacking them to try to
steal their customer data. Basically manufacturing vulnerabilities to poke
holes in the communication systems that we all rely on. We are hoping to
mostly focus on that latter conversation here and with that in mind, Ed,
if you’re with us maybe you could say a few words about why you chose
for your first public remarks to speak to the technology community rather
than say the policy community in Washington.
Ed: Well, thank you for the introduction. I will say SXSW
and the technology community - people who are in the room in Austin they
are the folks that really fix things who can enforce our rights for technical
standards. Even when Congress hadn’t yet gotten to the point of creating
legislation to protect our rights in the same manner. When we think about
what is happening at the NSA for the past decade ________ the result has
been an adversarial internet. Sort of global free fire zone for governments
that is nothing that we ever asked for. It is not what we want. It is something
that we need to protect against. We think about the policies that have been
advanced the sort of erosion of ______amendment protections the proactive
seizure of communications. There is a policy response that needs to occur.
There is also a technical response that needs to occur. It is the development
community that can really craft the solutions and make sure we are
safe.
The NSA the sort of global mass surveillance that is occurring in all of
these countries. Not just the US it is important to remember that this is
a global issue. They are setting fire to the future of the internet. The
people who are in this room now you guys are all the firefighters and we
need you to help us fix this.
Ben: You heard Ed say the NSA offensive mass surveillance
the manufacturing of vulnerabilities is setting fire to the future of the
internet. Do you want to comment on that?
Chris: Sure. So many of the communications tools that we
all rely on are not as secure as they could be. Particularly for the apps
and services that are made by small companies and small groups of developers
security is often an afterthought if it is a thought at all. And really what
that has done is enable global passive surveillance by the US but by other
governments too. What I think has been the most lasting impression for me
from the last eight months is the fact the real technical problems the NSA
seems to have are not how do we get people’s communications but how
do we deal with the massive amount of communication data that we are collecting.
The actual collection problem doesn’t seem to be a bottleneck for the
NSA. That is because so many of the services that we are all relying on are
not secure by default. I really think for this audience one of the things
we should be thinking about and hopefully taking home is we need to lock
things down. We need to make services secure out of the box and that is going
to require a rethink by developers. It is going to require the developers
to start to think about security early on rather than later on down the
road.
Ben: Let me pick up on that. Ed, you submitted written
testimony last week to the European Parliament. I want to quote a very short
part of that and have you elaborate on it. You said in connection with mass
surveillance the good news is that there are solutions. The weakness of mass
surveillance is that it can very easily be made much more expensive through
changes in technical standards. What kind of changes were you talking about
and how can we ensure that we make mass surveillance more expensive and less
practical?
Ed: The primary challenge that mass surveillance faces
from any agency and any government in the world is not just how do you collect
the communications as they cross the wires and find their way through the
network, but how do you interpret them? How do you understand? How do you
_____back down and analyze them? And ____ at least the easiest to _____ basis
by encryption. There are two methods of encryption that are generally used.
One is deeply problematic. One of those is what is called key _____ it is
sort of what we are using with like Google type services ____ type services
right now where I encrypt a video chat and I send it to Google. Google decrypts
it and re-encrypts it to you guys. End to end encryption where it is from
my computer directly to your computer makes mass surveillance impossible
at the network level without a encrypting _____ and they are very expensive.
By doing end to end encryption you force what they are called ______ global
passive adversaries to go for the end points that is the ____ computers.
And the result of that is a constitutional, more carefully overseeing sort
of intelligence gathering model. Where if they want to gather somebody’s
communications they have to target them specifically. They can’t just
target everybody all the time and then when they want to read your stuff
they go back in a time machine and say what did they say you know in 2006.
They can’t pitch exploits in every computer in the world without getting
caught. That is the value of end to end encryption and that is what we need
to be thinking about. We need to go how can we enforce those protections
in a simple, cheap, effective way that is invisible to users. I think that
is the ____.
Ben: Chris, one of the problems with end to end encryption
is that many of us get email service from advertising companies that need
to be able to read the emails in order to serve us targeted ads. But what
are steps that even a company like Google that is an advertising company
but companies like that can do to make mass surveillance more difficult?
Are there things or do we need new business models to accomplish what Ed
is talking about?
Chris: In the last eight months the big Silicon Valley
technology companies have really improved their security in a way that was
surprising to many of us who have been urging them for years to do so. It
took Yahoo - Yahoo was kicking and screaming the whole way but they finally
turned on SSL encryption in January of this year after Bart Gellman and Ashkan
Sholtani shamed them on the front page of the Washington Post. The companies
have locked things down but only in a certain way. They have secured the
connection between your computer and Google’s server or Yahoo’s
server or Facebook’s server, which means that governments now have to
go through Google or Facebook or Microsoft to get your data. Instead of getting
it with AT&T’s help or Verizon’s help or Comcast’s or
any party that watches the data as it goes over the network. I think it is
going to be difficult for these companies to offer truly end to end encrypted
service simply because it conflicts with their business model. Google wants
to sit between you and everyone you interact with and provide some kind of
added value. Whether that added value is advertising or some kind of information
mining. Improved experience telling you when there are restaurants nearby
where you can meet your friends. They want to be in that connection with
you and that makes it difficult to secure those connections.
Ben: Is this the right time for a shout out to Google that
is in this conversation with us right now?
Chris: So loo the irony that we are using Google Hangouts
to talk to Ed Snowden has not been lost on me or uh our team here. And I
should be clear - we are not getting any advertising support from Google
here. The fact is that the tools that exist to enable secure end to end encrypted
video conferencing are not very polished and particularly when you are having
a conversation with someone who is in Russia and who is bouncing his connection
through several proxies the secure communications tools tend to break. This
in fact I think reflects the state of - the state of play with many services.
You have to choose between a service that is easy to use and reliable and
polished or a tool that is highly secure and impossible for the average person
to use. I think that reflects the fact that the services that are used by
large companies with the resources to put 100 developers on the user interface
those are the ones that are not optimized for security and the tools
that are designed with security as the first goal are typically made by
independent developers and activists and hobbyists and they are typically
tools made by geeks for geeks.
What that means is the regular users have to pick. They have to pick between
a service they cannot figure out how to use or a service that is bundled
with their phone or bundled with their laptop and works out of the box. And
of course rational people choose the insecure tools because they are the
ones that come with the devices they buy and work and are easy for people
to figure out.
Ben: Let’s bring Ed back into this. In a way, this
whole affair began with Glenn Greenwald not being able to use PGP which is
somewhat of a joke in the tech community, but really not outside of the tech
community. PGP is not easy to install. It is not easy to use. Using Tor,
using Tails I feel like I need new IT support in my office just to be able
to do this work. So you know you are addressing an audience that includes
a lot of young technologists. Is there a call to arms for people to make
this stuff more useable so that not only technologists can use it?
Ed: There is. I think we are actually seeing a lot of progress
being made here. Whisper systems _____ of the world are focusing on new user
experience, new UIs and basically ways for us to interact with cryptographic
tools. This is the way it should be. What happens ____ the user it happens
by default. We want secure services that aren’t opt in. It has to pass
the Greenwald test. Any journalist in the world gets an email from somebody
saying hey I have something the public might want to know about they need
to be able to open it. They need to be able to access that information. They
need ____ communications whether they are a journalist or an activist. This
is something that people need to be able to access. The way we interact right
now is not good. If you have to go to the command line people aren’t
going to use it. If you have to go three menus deep people aren’t going
to use it. It has to be out there. It has to happen automatically. It has
to happen seamlessly. And that is ____.
Ben: Who are we talking to now, Chris? Are we talking to
technology companies? Are we talking to foundations to support the development
of more usable security? Are we talking to developers? Who is the audience
for this call to arms?
Chris: I think the audience is everyone. But we should
understand that most regular people are not going to go out and download
an obscure encryption app. Most people are going to use the tools that they
already have. That means that they are going to be using Facebook or Google
or Skype. A lot of our work goes into pressuring those companies to protect
their users. In January of 2010 Google turned on SSL. The lock icon on your
web browser. They turn it on by default for Gmail and it previously had been
available. It was available through an obscure setting. The 13 of 13 - 13
of 13th configuration options. Of course no one had turned it on. When Google
turned that option on suddenly they made passive bulk surveillance of their
users communications far more difficult for intelligence agencies. They did
so without requiring that their users take any steps. One day their users
just logged into their mail and it was secure. That is what we need. We need
services to be building security in by default and enabled without any advanced
configuration.
That doesn’t mean that small developers cannot play a role. There are
going to be hot new communications tools. WhatsApp basically came out of
nowhere a few years ago. What I want is for the next WhatsApp or next Twitter
to be using encrypted end to end communications. This can be made easy to
use. This can be made useable but you need to put a team of user experience
developers on this. You need to optimize. You need to make it easy for the
average person. If you are a start up and you are working on something bare
in mind that it is going to be more difficult for the incumbents to deliver
secure communications to their users because their business models are built
around advertising supported services. You can more effectively and more
easily deploy these services than they can. I think if you are looking for
an angle here I think we are slowly getting to the point where telling your
customers hey, $5.00 a month for encrypted communications no one can watch
you. I think that is something that many consumers may be willing to pay
for.
Ed: If I could actually ____ on that real quick. One of
the things I would say to a large company is not that you can’t collect
any data it is that you should only collect the data and hold it for as long
as necessary for the operation of the business. Recently _____ one of the
security ____ hacked and they actually stole my passport my passport and
my registration forms and posted them to the internet when they faced the
site. Now I submitted those forms back in 2010. Why were those still on a
web facing server? Was it still necessary for business? That is a good example
of why these things need a job. Whether you are Google or Facebook you can
do these things in a responsible way where you can still get the value out
of these that you need to run your business. _____ without the users
____.
Ben: So we didn’t have great audio here on that response,
but what Ed was saying is that even companies whose business models rely
on them to collect and aggregate data you don’t need to store it
indefinitely once his primary use had been accomplished. His example was
that some company was hacked and they found some of his data from four years
ago. That clearly there was no business reason for them to still to be holding
onto.
Let’s switch gears a little bit. Last week, Ed, General Keith Alexander
who heads the NSA testified that he believes that the disclosures of the
last eight months have weakened the country’s cyber defenses. Some people
might think there is a pot and a kettle problem coming from him but what
was your response to that testimony?
Ed: So it is very interesting to see officials like Keith
Alexander talking about damage that has been done to the defense of our
communications. Because more than anything there have been two officials
in America who have harmed our internet security and actually our national
security so much of our country’s economic success is based on
our intellectual property. It is based on our ability to create and share
and communicate and compete. Now those two officials are Michael Hayden and
Keith Alexander, two directors of the National Security Agency in the post
9/11 era who made a very specific change. That is they elevated offensive
operations that is attacking over the defense of our communications. They
began ____ the protections of our communications. This is a problem for one
primary reason - that is America has more to lose than everyone else when
an Attack ______ when you are the one country in the world that has sort
of a vault that is more full than anyone else’s it doesn’t make
sense because if you attack it all day you never defended ______ and it makes
even less sense when the standards for vaults worldwide to have a backdoor
anyone can walk into. When he says these things have weakened national security
no these are improving our national security. These are improving our national
security. These are improving the communications not just around _____but
everyone in the world because we rely on the same standards. We rely on the
ability to trust our communications. Without that we don’t have anything.
Our economy cannot succeed.
Ben: Chris, Richard Clarke testified a few weeks back it
is more important for us to defend ourselves against attacks from China than
to attack China using our cyber tools. I don’t think everybody understands
there is any tension whatsoever with those two goals. Why are they in opposition
to each other.
Chris: As a country we have public officials testifying
in Washington saying that cyber security is now the greatest threat this
country faces. Greater than terrorism. We have had both the director of the
FBI and the director of National Intelligence say this in testimony to Congress.
I think it is probably true that we face some sort of cyber security threat.
I think that our systems are not as safe as they could be and we are all
vulnerable to compromise in one way or another. What is clear is that this
government isn’t really doing anything to keep us secure and safe. This
is a government that has prioritized for offense rather than defense. You
know, if there were 100% increase in murders in Baltimore next year the chief
of police of Baltimore would be fired. If there were a 100% increase in phishing
attacks successful phishing attacks where people’s credit card numbers
get stolen, no one gets fired. As a country we have basically been left to
ourselves. Every individual person is left to fend for themselves online
and our government has been hoarding information about information security
vulnerabilities. In some cases there was a disclosure in the New York Times
a report in the New York Times last fall revealing the NSA has been partnering
with US technology companies to intentionally weaken the security of the
software that we all use and rely on. The government has really been prioritizing
its efforts on information collection. There is this fundamental conflict
there is tension that a system that is secure is difficult to surveil and
a system that is designed to surveil is a target waiting to be attacked.
Our networks have been designed with surveillance in mind.
We need to prioritize cyber security and that’s going to mean making
surveillance more difficult. Of course the NSA and our partners in the
intelligence world are not crazy about us going down that path.
Ben: So Ed, if the NSA is willing to take these steps that
actually weaken security, that spread vulnerabilities that make it in some
sense easier not just for us to do surveillance but for others to attack
they must think there is an awfully good reason for doing that. That there
are bolt collection programs that these activities facilitate the collected
____ _mentality that it really works. This is a very, very effective surveillance
method that is keeping us safe. You sat on the inside of the surveillance
systems for longer than people realize. Do these mass surveillance programs
do what our intelligence officials promise to Congress that they do?
Are they effective?
Ed: “They are not. That is actually something I’m a little bit
sympathetic to and we got to turn back the block a little bit and remember
that they thought ___ was a great idea but no one had done it before, at
least publicly. So they went “hey! we can spy on the world all at once.
It will be great, we’ll know everything.” But the reality is, when
they did it, they found out that it didn’t work. But it was a ___ so
successful in collecting data. So great at the contract that no one wanted
to say no. But the reality is now, we have reached point where a majority
of people’s telephone communication are being recorded - we got all
these metadata that are being stored - years and years. But two independent
White House investigations found that it is has not helped us at all, have
not helped us. Beyond that, we got to think about what are we doing with
those resources, what are we getting out of that? As I said in our European
Parliament testimony, we’ve actually have tremendous intelligence failures
because we’re monitoring the internet; we’re monitoring, you know,
everybody’s communications instead of suspects’ communications.
That lack of focus have caused us to miss news we should have had.
Tamerlan Tsarnaev, the Boston Bombers. the Russians have warned us about
it. But we didn’t a very poor job investigating, we didn't have the
resources, and we had people working on other things. If we followed the
traditional model, we might have caught that. Umar Farouk Abdulmutallab the
underwear bomber, same thing. His father walked into a US Embassy, he went
to CIA officer and said my son is dangerous. Don’t let him go to your
country. Get him help. We didn’t follow up, we didn’t actually
investigate this guy. We didn’t get a dedicated team to figure what
was going on because we spent all of this money, we spent all of this time
hacking into Google and Facebook to look at their data center. What did we
get out of that? We got nothing. And there are two White House investigations
that confirm that.
Ben: Chris, if as Ed says these bulk collection programs
are not that effective, the resources that go into this would be better directed
at targeted surveillance. Why are they dangerous?
Chris: Why are they dangerous? Because the government is
collecting, is creating this massive database of everyone’s private
information. In an NSA building somewhere probably in Maryland there is a
record of everyone who has ever called an abortion clinic, everyone who has
called an Alcoholics Anonymous hotline, anyone who has ever called
a gay bookstore. And they tell us don’t worry we aren’t looking
at it or we aren’t looking at it in that way. We aren’t doing those
kinds of searches but I think many Americans would have good reason to not
want that information to exist. I think regardless of which side of the political
spectrum you are you probably don’t want the government to know that
you are calling an abortion clinic or calling a church or calling a gun store
and you may think quite recently, that is none of the government’s business.
I think when you understand that the government can collect this information
on this scale they can hang onto it and figure out uses for it down the road
I think many Americans are quite fearful of this slippery slope this surveillance
that happens behind closed doors. Even if you trust this administration that
we have right now you know the person who sits in the oval office changes
every few years. You may not like the person who is going to sit there in
a few years with that data that was collected today.
Ben: Ed, we lost you for a moment. Can you still hear
us?
Ed: I can hear you.
Ben: Okay. Just before this began I got an email
from Sir Tim Burners Lee the creator of the world wide web who asked for
the privilege of the first question to you. I think I am willing to extend
that to him. He wanted to thank you. He believes that your actions have been
profoundly in the public interest.
Ed: Thank you.
Ben: That was applause if you couldn’t hear it. He
asks if you could design from scratch an accountability system for governance
over national security agencies what would you do? It is clear that intelligence
agencies are going to be using the internet to collect information from all
of us. Is there any way we can make oversite more accountable and
improved?
Ed: You know that is a very interesting question. It is
also a very difficult question. Oversight models these are things that are
very complex. They have a lot of moving parts. And when you add in secrecy
you add in public oversight it gets complex. We have got a good starting
point. That is what you have to remember. We have an oversight model that
could work. The problem is we overseers aren’t interested in oversight.
When we’ve got seven intelligence communities, house intelligence
communities that are _____ to the NSA instead of holding them accountable.
When we have James Clapper the director of National Intelligence in front
of them and he tells a lie that they all know is a lie because they are rigged
on the program because they have the questions a day in advance. And no one
says anything. Allowing all Americans to believe this is a true answer. That
is an incredible dangerous thing. That’s the ____. When I would say
how do we fix our oversight model, how do we structure the oversight model
that works. The key fact is accountability. We can’t have officials
like James Clapper who can lie to everyone in the country. Who can lie to
the Congress and face no not even - not even a criticism. Not even a strong
worded letter, the same thing with courts. In the United States we have open
courts that are supposed to decide and settle constitutional issues to interpret
and apply the law. We also have the FISA court which is a secret rubber stamp
court . But they are only supposed to approve warrant applications. These
happen in secret because you don’t at want people to know hey the government
wants to surveil you. At the same time a secret court shouldn’t be
interpreting the constitution when only NSA’s lawyers are making the
case on how it should be viewed. Those are the two primary factors that I
think need to change.
The other thing is we need public advocates. We need public representatives.
We need public oversight. Some way for trusted public figures sort of civil
rights champions to advocate for us and protect the structure and make sure
it is been fairly applied. We need a watch dog that watches Congress. Something
that can tell us hey these guys didn’t tell you that he just lied to
you. Because otherwise how do we know? If we are not informed we can’t
consent to these policies. And I think that is danger.
Ben: For what it’s worth my answer to Sir Tim is Ed
Snowden. Before these disclosures all three branches of our government had
gone to sleep on oversight. The courts had thrown cases out as he said, Congress
allowed itself to be lied to. The executive branch did no reviews. Since
Ed Snowden and since all of us have been read into these programs we are
actually seeing reinvigorated oversight. It is the oversight that the
constitution had in mind, but sometimes it needs a dusting off. And Ed has
been the broom.
Chris: I just wanted to also note that without Ed’s
disclosures many of the tech companies would not have improved their security
either at all or at the rate that they did. The PRISM story although there
was a lack of clarity initially on what it really said, put the names of
billion dollar American companies on the front page of the newspaper and
associated them with bulk surveillance. You saw the companies doing everything
in their power publicly to distance themselves and also show that they were
taking security seriously. You saw companies like Google and Microsoft and
Facebook rushing to encrypt their data center to data center encryption.
Connections rather. You saw companies like Yahoo finally turning on SSL
encryption, Apple fixed a bug in its address book app that allowed Google
users’ address books to be transmitted over networks in unencrypted
form. Without Ed’s disclosures there wouldn’t have been as much
pressure for these tech companies to encrypt their information.
There are going to be people in this audience and people listening at home
who are going to think what Ed did was wrong. But let me be clear about one
really important thing; his disclosures have improved internet security.
And the security improvements we have gotten haven’t just protected
us from bulk government surveillance. They have protected us from hackers
at Starbucks who are monitoring our wifi connections. They have protected
us from stalkers and identity thieves and common criminals. These companies
should have beene encrypting their information before and they weren't. And
it really took you know, unfortunately the largest and most profound whistle
blower in history to get us to the point where these companies are finally
prioritizing the security of their users’ communications between them
and the companies, but we all have Ed to thank for us. I really just cannot
emphasize enough without him we would not have Yahoo users getting SSL. We
would not have this data going over the network in encrypted form. It
shouldn’t have taken that. The company should have done it by themselves.
There should have been regulation or privacy regulators who are forcing companies
to do this, but that isn’t taking place. It took Ed to get us to a secure
place.
Ben: Alright. Great. Remember the hashtag is askSnowden.
We will take our first question. Please forgive pronunciations from Max
Zurkenden. The question for Ed and Chris too - why is it less bad if big
corporations get access to our information instead of the government? Ed,
did you hear it?
Ed: Yes. I - I did. This is something that has actually
been debated. We see people’s opinions - people’s sort of responses
to this evolving which is good. This is why we need to have these conversations
because we don’t know. Right now, my thinking, I think the majority’s
thinking is that the government has the ability to deprive you of rights.
Governments around the world whether it is the United States government,
whether it is the Yemeni government whether it is Zair any country they have
police powers, they have military powers, they have intelligence powers they
can literally kill you, they can jail you, they can surveil you. Companies
can surveil you to sell you products, to sell you information to other companies.
That can be bad, but you have legal records. First off, it is typically a
voluntary contract. Secondly, you have got court challenges you could use.
If you challenge the government about these things and the ACLU itself has
actually challenged some of these cases, but government throws it out on
state secrecy and says you can’t even asked about this. The courts
aren’t allowed to tell us whether it is legal or not because we are
just going to do it anyway. That’s the difference and it is something
we need to watch out for.
Ben: Chris, do you want to address it or should we take
the next question?
Chris: Sure. Just quickly. I am not crazy about the amount
of data that Google and Facebook collect. Of course, everything they get
the government can come and ask for too. There is the collection that the
government is doing by itself and then there is the data that they can go
to Google and Facebook and force them to hand over. We should remember that
the web browser you are most likely using, the most popular browser right
now is Chrome, most popular mobile operating system is now Android, many
of the tools that we are using whether web browsers or operating systems
or apps are made by advertising companies. It is not a coincidence that Chrome
is probably a less privacy preserving browser. It is tweaked to allow data
collection by third parties. The Android operating system is designed to
facilitate disclosure of data to third parties. Even if you are okay with
the data the companies are collecting you should also note that the tools
that we use to browse the web and the tools that ultimately permit our data
to be shared or prevent it from being shared are made by advertising companies.
This makes the NSA’s job a lot easier. If the web browsers we were using
were locked down by default the NSA would have a much tougher time. But
advertising companies are not going to give us tools that are privacy preserving
by default.
Ben: Let’s take another question from Jodi Serrano.
To Snowden from Spain. Do you think the US surveillance systems might encourage
other countries to do the same?
Ed: Yes. This is actually one of the primary dangers not
just of sort of the NSA’s activities but of not addressing and resolving
the issues. It is important to remember that American’s benefit profoundly
from this. Because again as we discussed we got the most to lose from being
hacked. At the same time every citizen in every country has something to
lose. We all are at risk of unfair, unjustified, unwarranted interference
in our private lives. Throughout history we have seen governments sort of
repeat the trend where it increased and they get to a point where they have
crossed the line. We don't’ resolve these issues if we allow the NSA
to continue unrestrained. Every other government the international community
will accept this as a sign, as the green light to do the same. And that is
not what we want.
Chris: I mean I think there is a difference between
surveillance performed by the NSA and surveillance performed by most other
governments. It is not really illegal it is more of a technical one. That
is the whole world sends their data to the United States. Americans are not
sending their data to Spain, Americans are not sending their photographs
to France. This means that the US because of Silicon Valley because of the
density of tech companies throughout the country the US enjoys an unparalleled
intelligence advantage that every other government just doesn’t have.
And if want the rest of the world to keep using US tech companies. If we
want the rest of the world to keep trusting their data to the United States
then we need to respect them. We need to respect their privacy and the way
that we protect the privacy of Americans right now. I think the revelations
over the past eight months have given people of other countries very reasonable
reason to question whether they should be trusting their data to United States
companies. I think we can get that trust back through legal changes. I think
tech companies can also do a lot to get that trust back by employing encryption
and other privacy technologies. The best way to get your user’s trust
is to be able to say when the government comes to you sorry we don’t
have the data or sorry we don’t have the data in a form that will be
of any use to you. That is how you win back the trust of people in Brazil
and Germany and people around the world.
Ben: So let me just cut in with a question here. I do think
that a certain degree of perhaps hopelessness may have crept in to the global
public with this constant constant of stories about the the NSA’s
capabilities the GCHQ’s capabilities and activities. All the ways to
get around defenses. Chris I hear you and Ed going back to encryption again
and again as being something that still works. Maybe if you take a moment
Ed after the discussions we have had about how NSA has worked to weaken
encryption should people still be confident that the basic encryption that
we use protects us from surveillance or at least mass surveillance?
Ed: Right. The bottom line I have repeated this again and
again is that encryption does work. We need to think of encryption not as
this sort of arcane black art. What is sort of a basic protection it is a
defense against the dark arts for the digital realm. This is something we
all need to be not only implementing but actively researching and improving
on an academic level. The grad students of today and tomorrow need to keep
today’s threat on online to inform tomorrows. We need all those brilliant
Belgian cryptographers to go alright we know that these encryption algorithms
we are using today work typically it is the random number generators that
are attacked as opposed to the encryption algorithms themselves. How can
we make them ____ how can we test them? This is _____ it is not going to
go away tomorrow, but it is the steps we take today. The moral commitment.
The philosophical commitment, the commercial commitment to protect and enforce
our liberties through technical standards to allow us to reclaim the open
and trusted.
Ben: Chris, very briefly, you hang out with cryptographers.
They are not happy campers these days.
Chris: No. Of all the stories that have come out the one
that has had the biggest impact in the security community is the story -
is the news that the NSA has subverted the design of cryptographic and random
number generator algorithms. I think it is fair to say there is a group in
the cryptographic community now who have become radicalized as a result of
these disclosures and cryptographers actually can be radicals. They are not
just mild mannered people. We should remember that regular consumers do not
pick their own encryption algorithms. Regular consumers just use the services
that are provided to them. The people that pick the crypto that pick particular
algorithms, pick the key sizes they are the security engineers at Google
and Facebook and Microsoft. And the cryptographers who are working with open
source projects. And those people are all really pissed. And I think that’s
good. Those people should be mad and those people can make a difference.
The fact that these disclosures have so angered the security community I
think is a really good sign. Ultimately, the tools that come out in six months
or a year or two years are going to be far more secure than they were before.
That is because that part of a tech community feel like they were lied
to.
Ben: Let’s take a couple of more questions from Twitter.
Melissa Nixsik I hope. What steps do you suggest the average person take
now to ensure a more secure digital experience? Is there anything we can
do on individual level to confront the issues of mass surveillance that we
are talking about today. Ed, it’s okay if the answer is no.
Ed: There are basic steps it is a really complicated subject
matter today. And that is the difficulty. Again it is the Glenn Greenwald
test. How do you answer this? For me there are a couple of key technologies;
there is full disk encryption to protect your actual physical computer and
devices in case they are seized. Then there are network encryption which
are things like SSL that added sort of transparency we can’t help that.
You can install a couple of browser plug ins. NoScript to block Active X
attempts in the browser, Ghostery to block ads and tracking cookies. But
there is also TOR, TOR T O R is a mixed routing network which is very important
because it is encrypted from the user through the ISP to the end of sort
of a cloud a network of routers that you go through. Because of this your
ISP, your communications provider can no longer spy on you be default. The
way they do now, today when you go to any website. By using TOR you shift
their focus to either attacking the TOR cloud itself which is incredible
difficult, or to try to monitor the exits from TOR and the entrances to TOR
and then try to figure out what fits. And it is very difficult. Those basic
steps will encrypt your hardware and you encrypt your network communications
you are far, far more hardened than the average user - it becomes very difficult
for any sort of a mass surveillance. You will still be vulnerable to targeted
surveillance. If there is a warrant against you if the NSA is after you they
are still going to get you. But mass surveillance that is untargeted and
collect-it-all approach you will be much safer.
Ben: You know, when there is a question about average users
and the answer is TOR we have failed.
Chris: We failed.
Ben: Right?
Chris: I will just add to what Ed said in saying that a
privacy preserving experience may not be a secure experience and vice versa.
I am constantly torn. I personally feel like FIrefox is the more privacy
preserving browser, but I know that Chrome is the more secure browser. I
am stuck with this choice am I more worried about passive surveillance of
my communications and my web browsing information or am I more worried about
being attacked? I go back and forth on those. I think until we have a browser
or a piece of software that optimizes for both privacy and security I think
users are going to be sort of stuck with two bad choices. I’ll just
note that in addition to what Ed said I mean I really think that consumers
need to rethink their relationship with many of the companies to whom they
entrust their private data. I really think what this comes down to is if
you are getting the service for free the company isn’t going to be
optimizing your experience with your best interest in mind. I am not going
to say if you are not paying for the product you are the product. We pay
for our telephone calls, we pay for our wireless service and those companies
still treat us like crap. But you know if you want a secure online back up
service you are going to have to pay for it. If you want a secure voice or
video communications product you are going to have to pay for it. That
doesn’t mean you have to pay thousands of dollars a year, but you have
to pay something so that company has a sustainable business model that
doesn’t revolve around collecting and monetizing your data.
Ben: Okay. We have another question about encryption from
Sean. Isn’t it just a matter of time before NSA can decrypt even the
best encryption? I am particularly interested in your answer to this in light
of your confidence that data that you were able to take is secure and has
remained secure.
Ed: Let’s put it this way - the United States government
has assembled a massive investigation team into me personally, into my work
with journalists and they still have no idea you know what - what documents
were provided to the journalists, what they have, what they don’t have.
Because of encryption works. Now the only way to get around that, is to have
a computer that is so massive and so powerful you can work the entire universe
into the energy power into this decryption machine and they still might not
be able to do it. Or you break into the computer and try to steal their keys
and bypass the encryption. That happens today and that happens every day.
That is the way around it.
Now, there are still ways to protect and encrypt data that no one can break.
That is by making sure the keys are never exposed. If the key itself can’t
be observed the key can’t be stolen. THe encryption can’t be ______.
And any cryptographer any mathematician in the world will tell you that the
math is sound. The only way to get through encryption on a target basis
particularly when you start railing encryption, not using one algorithm but
every algorithm you are using _____ you are using all kinds of sophisticated
techniques to make sure that no one person, no single point of failure exist
there is no way in there is no way around it. That is going to continue to
be the case I think until our understanding of mathematics and physics changes
fundamentally.
Chris: I will just add that -
Ed: If I could follow up on that I would say the US
government’s investigation supports that. We have both public and private
acknowledgements that they know at this point the Russian government, the
Chinese government any other government has possession of any of this
information. And that would be easy for them to find out. Remember these
are the guys that are spying on everyone in the world. They have got human
intelligence assets embedded in these governments. They have got electronic
signal assets in these governments. If suddenly the Chinese government knew
everything the NSA is doing we would notice the changes. We would notice
the changes, we would see official communicating and our assets will tell
us hey somewhere they have a warehouse they put you know, a thousand of their
most skilled researchers in there. That has never happened and it is never
going to happen.
Chris: I will just add that I think Ed’s right. If
the government really wants to get into your computer if they want to figure
out what you are saying and who you are saying it to they will find a way.
But that won’t involve breaking the encryption that will involve hacking
into your device. Whether your phone or your laptop they will take advantage
of either vulnerabilities that haven’t been patched or vulnerabilities
that no one knows about. But hacking technologies don’t scale. If you
are a target of the NSA it is going to be game over no matter what. Unless
you are taking really, really sophisticated steps to protect yourself - but
most people that will be beyond their reach. But encryption makes bulk
surveillance too expensive. Really the goal here isn’t to blind the
NSA. The goal isn’t to stop the government from going after legitimate
surveillance targets. The goal here is to make it so that they cannot spy
on innocent people because they can’t. RIght now so many of our
communications our telephone calls, our text messages, our emails, our instant
message are just there for the taking. And if we start using encrypted
communication services suddenly it becomes too expensive for the NSA to spy
on everyone. Suddenly they will need to actually have a good reason to dedicate
those resources to either try and break the encryption or to try and hack
into your device. So encryption technology even if imperfect has the potential
to raise the cost of surveillance to the point that it no longer becomes
economically feasible for the government to to spy on everyone.
Ben: Can we get another question on the screen from Twitter?
Please? Thanks. Okay. Good question from David Myer. Is it possible to reap
the benefits of big data on a societal level while not opening ourselves
to constant mass surveillance? How do we enjoy the scientific benefits even
some of the commercial benefits of this without turning ourselves into a
dystopian surveillance state? In two minutes or less. Ed?
Ed: This is a really difficult question. There are a lot
of advancements in things like encrypted search to make the data unreadable
format, or supply warrants or something. But in general it is a difficult
problem. The bottom line is data should not be collected without people’s
knowledge and consent. If data is being clandestinely acquired and the public
doesn’t have any way to review it and it is not legislatively authorized,
it is not reviewed by courts, it is not consonant with our constitution that
is a problem. So if we want to use that it makes the result of a public debate
which has been ______ -
Ben: Chris, you want to take on that question?
Chris: No.
Ben: We have another question that is about everyday users.
Maybe you can give us another one because I think we have answered this one.
Friends, backstage? Okay. From Tim Shurack[ph] Wasn'tSA mass surveillance
the solution - Chris can you read that?
Chris: Wasn’t NSA’s mass surveillance a
solution to the internet driven by privatization and the handing over of
our signals intelligence analysis to SCIC - isn’t this a result of letting
contractors in to run the show?
Ed: So the problem is when the NSA gets a pot of money
they don’t typically develop the solutions themselves. They bring in
a bunch of contractors the _____ SCIC’s the khakis they say hey what
can you guys do for us? What solutions are you working on and they get the
gigantic _____ works. And the problem is you got contractors and private
companies at that point influencing policy. It was not uncommon for me at
the NSA as a private employee to write the same point papers and kind of
policy suggestion that I get as an official employee of the government at
the CIA. The problem with that is you have people who aren’t accountable.
They have no sort of government recourse against them who are saying yes
let’s do that, let’s put all this money in mass surveillance _____pitch
but it doesn’t serve the public interest. One thing you’ve seen
recently is the government has gone and changed their talking points. They
have moved their verbiage away from public interest into national interest.
We should be concerned about that because with national interest talking
about the state becomes distinct from the public interest, what benefits
the people. We really are at the point where we have to marry those up or
it gets harder and harder to control and we risk losing control of a
representative democracy.
Ben: So Ed maybe let me ask you what will turn out to be
a final question - in your early interviews with Glenn Greenwald and Laura
Poitras you said that your biggest fear was that there would be little or
no reaction to these disclosures. Where you sit now how satisfied are you
with the global debate that you helped to launch and do you feel that it
was worth the price that you’ve paid in order to bring us to this
moment?
Ed: When I came public with this it wasn’t so
i can sort of single-handedly change the government, tell them what to do
and override what the public thinks was ____. What I wanted to do was inform
the public so they could make a decision and provide their consent for what
we should be doing. And the results of these revelations, the results of
all the incredible responsible and careful reporting that by the way have
been coordinated with the government, and the government never said any single
one of these stories have risk a human life. The result is that the public
has benefited, the government has benefited, and every society in the world
has benefited. We are in secure place. We have more secure communications.
And we are going to have a better sort of civic interaction as a result of
understanding what’s being done in our name and what’s being done
against us. And so when it comes to will I do this again, the answer is
absolutely yes. Regardless of what happens to me, this is something we had
the right to know. I took an oath to support and defend the constitution
and I saw that the constituted was violated on a massive scale. The
interpretation of the 4th amendment has been changed (clap). Thank you. The
interpretation of the constitution has been changed in secret from no
unreasonable search and seizure to hey, any seizure is fine, just don’t
search it. That is something that the public ought to know about.
Ben: You can see behind Ed isa green screen of is that
Article 1 of the constitution?
Ed: That is correct.
Ben: We the people - there is another organization here
that is also interested in the constitution. I would be remiss if I didn’t
say to all of you that the ACLU has a table - table 1144. I promise that
it will not all be about surveillance. There will also be marijuana. So please
come and say hi to us if you are not members of the ACLU it is cheap to sign
up. We have ACLU whistles. We have t-shirts that you can get with membership.
You can talk to me and CHris a little bit more about the work we are doing
and our other ACLU colleagues. And with that I would really like all of us
to thank Ed Snowden for choosing this venue for this conversation.
Ed: Thank you all very much.
# # #
|
