The Case for Less NSA Spying

Cryptographer and security expert Bruce Schneier makes an eloquent case for less intrusion by the National Security Agency (NSA) into the private lives of US citizens.

From Technology Review:

Bruce Schneier, a cryptographer and author on security topics, last month took on a side gig: helping the Guardian newspaper pore through documents purloined from the U.S. National Security Agency by contractor Edward Snowden, lately of Moscow.

In recent months that newspaper and other media have issued a steady stream of revelations, including the vast scale at which the NSA accesses major cloud platforms, taps calls and text messages of wireless carriers, and tries to subvert encryption.

This year Schneier is also a fellow at Harvard’s Berkman Center for Internet and Society. In a conversation there with David Talbot, chief correspondent of MIT Technology Review, Schneier provided perspective on the revelations to date—and hinted that more were coming.

Taken together, what do all of the Snowden documents leaked thus far reveal that we didn’t know already?

Those of us in the security community who watch the NSA had made assumptions along the lines of what Snowden revealed. But there was scant evidence and no proof. What these leaks reveal is how robust NSA surveillance is, how pervasive it is, and to what degree the NSA has commandeered the entire Internet and turned it into a surveillance platform.

We are seeing the NSA collecting data from all of the cloud providers we use: Google and Facebook and Apple and Yahoo, etc. We see the NSA in partnerships with all the major telcos in the U.S., and many others around the world, to collect data on the backbone. We see the NSA deliberately subverting cryptography, through secret agreements with vendors, to make security systems less effective. The scope and scale are enormous.

The only analogy I can give is that it’s like death. We all know how the story ends. But seeing the actual details, and seeing the actual programs, is very different than knowing it theoretically.

The NSA mission is national security. How is the snooping really affecting the average person?

The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state.

We’re not there yet, but already we’ve learned that both the DEA and the IRS use NSA surveillance data in prosecutions and then lie about it in court. Power without accountability or oversight is dangerous to society at a very fundamental level.

Are you now looking at NSA documents that nobody has yet seen? Do they shed any light on whether ordinary people, and not just figures like al-Qaeda terrorists and North Korean generals, have been targeted?

I am reviewing some of the documents Snowden has provided to the Guardian. Because of the delicate nature of this, I cannot comment on what I have seen. What I can do is write news stories based on what I have learned, and I am doing that with Glenn Greenwald and the Guardian. My first story will be published soon.

Will the new stories contain new revelations at the scale we’ve seen to date?

They might.

There have been many allusions to NSA efforts to put back doors in consumer products and software. What’s the reality?

The reality is that we don’t know how pervasive this is; we just know that it happens. I have heard several stories from people and am working to get them published. The way it seems to go, it’s never an explicit request from the NSA. It’s more of a joking thing: “So, are you going to give us a back door?” If you act amenable, then the conversation progresses. If you don’t, it’s completely deniable. It’s like going out on a date. Sex might never be explicitly mentioned, but you know it’s on the table.

But what sorts of access, to what products, has been requested and given? What crypto is, and isn’t, back-doored or otherwise subverted? What has, and hasn’t, been fixed?

Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything.

NSA surveillance is robust. I have no inside knowledge of which products are subverted and which are not. That’s probably the most frustrating thing. We have no choice but to mistrust everything. And we have no way of knowing if we’ve fixed anything.

Read the entire article (and let the NSA read it too), here.