Mass surveillance is setting fire to the future of the internet

At the SXSW conference 2014 in Austin (Texas), Edward Snowden addressed the tech community, encouraging them to play the role of ‘firefighters’ who have the ability to craft solutions and make society safer. Answering questions submitted via Twitter, he reflects on differences between data mining done by companies and governmental surveillance, the role of private contractors in the development of policies, and steps everyone can take to counter mass surveillance.

  • Date of recording: Mon, 2014-03-10

0:13 Introduction

Ben Wizner: Not a lot of applause for us.

Chris Saghoian: I know.

Ben Wizner: Are they ready?

Chris Saghoian: I think so.

Ben Wizner: Ok, I think we’ll get started. Thank you all so much for being here. There wasn’t a lot of applause when we came on stage so I guess you’re here to see somebody else.

My name is Ben Wizner; I’m joined by my colleague Chris Saghoian from the ACLU. Maybe we can bring up on screen the main attraction.

Edward Snowden: Hello.

Ben Wizner: With his very clever green screen. Please bear with us today, the technology may have some kinks. The video may be a little bit choppy. Our friend is appearing through 7 proxies so if the video is a little slow.

You’re joining us for the event that one member of Congress from the great state of Kansas hoped would not occur. He wrote to the organizers of SXSW urging them to rescind the invitation to Mr. Snowden. The letter included this very curious line, “The ACLU would surely concede that freedom of expression for Mr. Snowden has declined since he departed American soil”.

No one disputes that freedom of expression is stronger here than there but if there’s one person for whom that’s not true, it’s Ed Snowden. If he were here in the United States he would be in a solitary cell, subject probably to special administrative measures that would prevent him from being able to communicate to the public and participate in the historic debate that he helped launch.

We’re really delighted to be here. One more bit of housekeeping. As I’m sure most of you know, you can ask questions for Mr. Snowden on Twitter using the hashtag AskSnowden. Some group of people backstage will decide which of those questions we see here. We’ll try to leave at least 20 minutes or so for those questions.

As I said, Ed Snowden’s revelations and the courageous journalism of people like Bart Gellman who you just heard, Glenn Greenwald, Laura Poitras, and others has really launched an extraordinary global debate. You might think of that debate as occurring over 2 tracks. There is a debate in Washington in the halls of power about law and policy about what democratic controls we need to rein in NSA spying that takes place in courts that are considering the legality, the constitutionality of these programs in the legislature, considering legislation.

There’s a very different conversation that you hear in conference rooms in technology companies, particularly among people working on security issues. Those people are talking less about the warrant requirement for metadata and more about why the hell the NSA is systematically undermining common encryption standards that we all use.

Why is the NSA targeting telecommunication companies, internet companies, hacking them to try to steal their customer data, basically manufacturing vulnerabilities to poke holes in the communication systems that we all rely on? We’re hoping to mostly focus on that latter conversation here.

With that in mind, Ed if you’re with us, maybe you could say a few words about why you chose for some of your first public remarks to speak to the technology community rather than say the policy community in Washington.

4:27 Trust in technological advances

Edward Snowden: Well thank you for the introduction. I will say SXSW and the technology community, the people who are in the room at Austin right now, they’re the folks who can really fix things.

Who can enforce our rights through technical standards even when congress hasn’t yet gotten to the point of creating legislation to protect our rights in the same manner? When we think about what’s happened with the NSA in the last decade, in the post 9/11 era…

The result has been an adversarial internet, a sort of global free fire zone for governments that’s nothing that we ever asked for. It’s not what we wanted. It’s something we need to protect against.

When we think about the policies that have been advanced… sort of erosion of fourth amendment protections, the proactive seizure of communications, there’s a policy of response that needs to occur. There’s also a technical response that needs to occur. It’s the makers, it’s the thinkers, it’s the development community that can really craft those solutions and make sure we are safe.

The NSA … the sort of global mass surveillance that’s prying at all of these countries not just the US, and it’s important to remember that this is a global issue, they’re setting fire to the future of the internet. The people who are in this room now, you guys are all the firefighters. We need you to help us fix this.

6:09 Security needs to be a priority for developers

Ben Wizner: So Chris, you heard Ed say that the NSA offensive mass surveillance programs, the sort of manufacturing of vulnerabilities, is setting fire to the future of the internet. Do you want to comment on that?

Chris Saghoian: Sure. Many of the communications tools that we all rely on are not as secure as they could be. Particularly for the apps and services that are made by small companies and small groups of developers, security is often an afterthought if it’s a thought at all. What that’s done is enable global passive surveillance by the US but other governments too.

What I think has been the most lasting impression for me from the last 8 months is the fact that the real technical problems that the NSA seems to have are not, “How do we get people’s communications” but, “How do we deal with the massive amounts of communication data that we’re collecting?” The actual collection problem doesn’t seem to be a bottleneck for the NSA.

That’s because so many of the services that we’re all relying on are not secure by default. I really think for this audience, one of the things that we should be thinking about and hopefully taking home is the fact that we need to lock things down. We need to make services secure out of the box. That’s going to require a rethink by developers. It’s going to require the developers start to think about security early on rather than later on down the road.

Ben Wizner: Let me pick up on that. Ed, you submitted written testimony last week to the European parliament. I want to quote a very short part of that and have you elaborate on it.

You said, “In connection with mass surveillance, the good news is that there are solutions. The weakness of mass surveillance is that it can very easily be made much more expensive through changes in technical standards”.

What kind of changes were you talking about and how can we ensure that we make mass surveillance more expensive and less practical?

8:13 On encryption methods

Edward Snowden: The primary challenge that mass surveillance faces from any agency, any government of the world, is not just how do you collect the communications as they cross the wires, as they sort of find their way through the global network, but how do you interpret them? How do you understand them? How do you direct them back out and analyze them? [inaudible :35] at least on the easiest, the simplest, most cost effective basis by encryption.

There are 2 methods of encryption that are generally used, one which is deeply problematic. One of those is what’s called key escrow. It’s sort of what we’re using with Google type services, Skype type services, right now where I encrypt a video chat and I send it to Google. Google decrypts it and then re-encrypts it to you guys and we have it.

End-to-end encryption, where it’s from my computer directly to your computer, makes mass surveillance impossible at the network level without a crypto break. They are incredibly rare and they normally don’t work. They’re very expensive.

By doing end-to-end encryption, you force what are called threat model global passive adversaries to go through the endpoints, that is the individual computers. The result of that is a more constitutional, more carefully overseen sort of intelligence gathering model, law enforcement model, where if they want to gather somebody’s communications, they’d have to target them specifically.

They can’t just target everybody all the time and then when they want to read your stuff, they go back in a time machine and they say, “What did they say in 2006?” They can’t pitch exploits in every computer in the world without getting caught. That’s the value of end-to-end encryption and that’s what we need to be thinking about.

We need to go, “How can we enforce these protections in a simple, cheap, and effective way that’s invisible to [users :17]?” I think that’s the way to do it.

Ben Wizner: So Chris, one of the obstacles to widespread end-to-end encryption is that many of us get our e-mail service from advertising companies that need to be able to read the e-mails in order to serve us targeted ads.

What are steps that even a company like Google that’s an advertising company or companies like that can do to make mass surveillance more difficult? Are there things or do we really need new business models to accomplish what Ed is talking about?

Chris Saghoian: In the last 8 months, the big Silicon Valley technology companies have really improved their security in a way that was surprising to many of us who have been urging them for years to do so.

Yahoo was kicking and screaming the whole way but they finally turned on SSL encryption in January of this year after Bart Gellman and Ashkan Soltani shamed them on the front page of the Washington Post. The companies have locked things down, but only in a certain way.

They’ve secured the connection between your computer and Google’s server or Yahoo’s server or Facebook’s server which means that governments have to now go through Google or Facebook or Microsoft to get your data instead of getting it with AT&T’s help or Verizon’s help or Comcast or any party that watches the data as it goes over the network.

I think it’s going to be difficult for these companies to offer truly end-to-end encrypted service simply because it conflicts with their business model. Google wants to sit between you and everyone you interact with and provide some kind of added value whether that added value is advertising or some kind of information mining, improved experience, telling you when there are restaurants nearby, where you can meet your friends. They want to be in that connection with you. That makes it difficult to secure those connections.

Ben Wizner: Is this the right time for a shout out to Google that is in this conversation with us right now?

12:08 Tools for geeks made by geeks

Chris Saghoian: The irony that we’re using Google Hangouts to talk to Ed Snowden has not been lost on me or our team here. I should be clear; we’re not getting any advertising support from Google here. The fact is that the tools that exist to enable secure end-to-end encrypted video conferencing are not very polished.

Particularly when you’re having a conversation with someone who’s in Russia and who’s bouncing his connection through several proxies, the secure communications tools tend to break. This I think reflects the state of play with many services.

You have to choose between a service that’s easy to use and reliable and polished or a tool that is highly secure and impossible for the average person to use. I think that reflects the fact that the services that are developed by large companies with the resources to put 100 developers on the user interface, those are the ones that are optimized for security.

The tools that are designed with security as the first goal are typically made by independent developers, activists, and hobbyists. They’re typically tools made by geeks for geeks. What that means is the world … the regular users have to pick. They have to pick between a service they cannot figure out how to use or a service that is bundled with their phone or bundled with their laptop and works out of the box. Of course rational people choose the insecure tools because they’re the ones that come with the devices they buy and work and are easy for people to figure out.

13:40 A need for better usability

Ben Wizner: Let’s bring Ed back into this.

In a way, this whole affair began with Glenn Greenwald not being able to use PGP which is somewhat of a joke in the tech community but really not outside the tech community. PGP is not easy to install and it’s not easy to use. Using Tor, using Tails … I feel like I need new IT support in my office just to be able to do this work.

You’re addressing an audience that includes a lot of young technologists. Is there a call to arms for people to make this stuff more usable so that not only technologists can use it?

Edward Snowden: There is. I think we’re actually seeing a lot of progress being made here.

Whisper Systems, the sort of Moxie Marlinspike of the world, are focusing on new user experiences, new UIs. Basically ways for us to interact with cryptographic tools which is the way it should be, where it happens invisible to the user, where it happens by default. We want secure services that aren’t [opt in :46].

It’s got to pass the Glenn Greenwald test. If any journalist in the world gets an e-mail from somebody saying, “Hey, I have something that the public might want to know about” they need to be able to open it. They need to be able to access that information. They need to be able to have those communications whether they’re a journalist, an activist, or it could be your grandma. This is something that people have to be able to access.

The way we interact with it right now is not good. If you have to go to command line, people aren’t going to use it. If you have to go 3 menus deep, people aren’t going to use it. It has to be out there. It has to have it automatically. It has to happen seamlessly. That’s [inaudible ].

Ben Wizner: So who are we talking to, Chris? Are we talking now to technology companies? Are we talking to foundations to support the development of more usable security? Are we talking just to developers? Who’s the audience for this call to arms?

Chris Saghoian: I think the audience is everyone. We should understand that most regular people are not going to go out and download an obscure encryption app.

Most regular people are going to use the tools that they already have. That means they’re going to be using Facebook or Google or Skype. A lot of our work goes into pressuring those companies to protect their users.

In January of 2010, Google turned on SSL, the lock icon on your web browser. They turned it on by default for Gmail. It had previously been available but it had been available through an obscure setting, the 13th of 13 configuration options. Of course, no one turned it on.

When Google turned that option on, suddenly they made passive bulk surveillance of their users’ communications far more difficult for intelligence agencies. They did so without requiring that their users take any steps. One day their users logged into their mail and it was secure. That’s what we need.

We need services to be building security in by default and enabled without any advanced configuration. That doesn’t mean that small developers cannot play a role. There are going to be hot new communications tools. WhatsApp basically came out of nowhere a few years ago.

What I want is for the next WhatsApp or the next Twitter to be using encrypted end-to-end communication. This can be made easy to use. This can be made useable. You need to put a team of user experience developers on this. You need to optimize. You need to make it easy for the average person.

If you’re a startup and you’re working on something, bear in mind that it’s going to be more difficult for the incumbents to deliver secure communications to their users because their business models are built around advertising supported services. You can more effectively and more easily deploy these services than they can.

If you’re looking for an angle here, we’re slowly getting to the point where telling your customers, “Hey, 5 dollars a month for encrypted communications. No one can watch you” I think that’s something many consumers might be willing to pay for.

17:47 Limits to data storage by companies

Edward Snowden: If I could actually take you back on that real quick, one of the things that I want to say is for the larger company, it’s not that you can’t collect any data. It’s that you should only collect the data and hold it for as long as necessary for the operation of the business.

Recently EC-Council, one of the security certification providers intact, they actually spilled my passport, a copy of my passport and my registration, and posted them to the internet when they defaced the site. I submitted those forms back in 2010. Why was that still [inaudible :20]? Was it still necessary for the business? That’s a good example of why these things need to age [off :26]. Whether you’re Google or Facebook, you can do these things in a responsible way. You can still get the value out of these that you need to run your business [inaudible :38] without [inaudible :40]

Ben Wizner: We didn’t have great audio here for that response but what Ed was saying is that even companies whose business model relies on them to collect and aggregate data don’t need to store it indefinitely once its primary use has been accomplished. His example was that some company was hacked and they found some of his data from 4 years ago that clearly there was no business reason for them still to be holding on to.

19:04 National security and cyber defenses

Ben Wizner: Let’s switch gears a little bit. Last week General Keith Alexander who heads the NSA testified that the disclosures of the last 8 months have weakened the country’s cyber defenses. Some people might think there’s a pot and kettle problem coming from him but what was your response to that testimony?

Edward Snowden: It’s very interesting to see officials like Keith Alexander talking about damage that’s been done to the defense of our communications.

More than anything, there have been 2 officials in America who have harmed our internet security and actually our national security because so much of our country’s economic success is based on our intellectual property. It’s based on our ability to create, share, communicate, and compete.

Those two officials are Michael Hayden and Keith Alexander, two directors of the National Security Agency in the post 9/11 era who made a very specific change. That is they elevated offensive operations, that is attacking, over the defense of our communications. They began eroding the protections of our communications in order to get an attacking advantage.

This is a problem for 1 primary reason. America has more to lose than anyone else when every attack succeeds. When you are the one country in the world that has a vault that’s more full than anyone else’s, it doesn’t make sense for you to be attacking all day and never defending your full vault. It makes even less sense when you set standards for vaults worldwide to have a big back door that anybody can walk into. That’s what we’re running into today.

When he says these things have weakened national security … these are improving our national security. These are improving the communications not just of Americans but everyone in the world. When you rely on the same standard, we rely on the ability to trust our communications. Without that, we don’t have anything. Our economy cannot succeed.

Ben Wizner: So Chris, Richard Clarke testified a few weeks back that it’s more important for us to be able to defend ourselves against attacks from China than to be able to attack China using our cyber tools. I don’t think everybody understands that there is any tension whatsoever between those 2 goals. Why are they in opposition to each other?

Chris Saghoian: As a country, we have public officials testifying in Washington saying that cyber security is the greatest threat this country now faces, greater than terrorism. We’ve had both the director of the FBI and the director of National Intelligence say this in testimony to congress.

I think it’s probably true that we do in fact face some kind of cyber security threat. Our systems are not as safe as they could be and we are all vulnerable to compromise in one way or another. What should be clear is that this government isn’t really doing anything to keep us secure and safe.

This is a government that has prioritized for offense rather than defense. If there were a 100% increase in murders in Baltimore next year, the Chief of Police of Baltimore would be fired. If there was a 100% increase in phishing attacks, successful phishing attacks where people’s credit card numbers get stolen, no one gets fired.

As a country, we have basically been left to ourselves. Every individual person is left to defend themselves online. The government has been hoarding information about information security vulnerabilities. In some cases, there was a disclosure in the New York Times last fall revealing the NSA has been partnering with US technology companies to intentionally weaken the security of the software that we all use and rely on. The government has really been prioritizing its efforts on information collection. There is this fundamental conflict.

There’s a tension which is that a system that is secure is difficult to surveil and a system that is designed to be surveilled is a target waiting to be attacked. Our networks have been designed with surveillance in mind. We need to prioritize cyber security. That’s going to mean making surveillance more difficult. Of course the NSA and their partners in the intelligence world are not crazy about us going down that path.

23:46 Surveillance weakens cyber security

Ben Wizner: So Ed, if the NSA is willing to take these steps that actually weaken security, that spread vulnerabilities that make it sometimes easier not just for us to do surveillance but for others to attack, they must think there’s an awfully good reason for doing that.

Their bulk collection programs that these activities facilitate, the collected mentality, that it really works. This is a very, very effective surveillance method in keeping us safe. You sat on the inside of these systems for longer than people realize. Do these mass surveillance programs do what our intelligence officials promise to congress that they do? Are they effective?

Edward Snowden: They’re not. That’s actually something that I’m a little bit sympathetic to because we got to turn back the clock a little bit and remember that they thought it was a great idea but no one had ever done it before, at least publicly.

They went, “Hey, we can spy on everybody in the world all at once. It’ll be great. We’ll know everything”. The reality is when they did it, they found out it didn’t work. It was such [inaudible  :58].

It was so successful in securing funding and so great at getting [inaudible :02]; it was so great at winning new contracts that nobody wanted to say no. The reality is now, we have reached a point where the majority of Americans’ telephone communications are being recorded. We got all this metadata that’s being stored for years and years and years. Too many White House investigations have found it has no value at all. It’s never helped us.

Beyond that, we’ve got to think about what are we doing with those resources? What are we getting out of it? As I said in my European parliament testimony, we actually had tremendous intelligence failures because we’re monitoring the internet. We’re monitoring everybody’s communications instead of suspects’ communications.

That lack of focus has caused us to miss leads that we should have had, Tamerlan Tsarnaev of the Boston bombers. The Russians had warned us about it but we did a very poor effort investigating [inaudible :04]. We had people looking at other things. If we hadn’t spent so much on mass surveillance, if we followed the traditional models, we might have caught that.

Umar Farouk Abdulmutallab, the underwear bomber, same thing. His father walked into a US embassy, he went to a CIA officer, he said, “My son is dangerous. Don’t let him go to your country. Get him help”. We didn’t follow up. We didn’t actually investigate this guy. We didn’t dedicate a team to figure out what was going on because we spent all this money, we spent all of this time, hacking into Google and Facebook’s back ends to look at their data center communications. What did we get out of it? We got nothing and two White House investigations that confirmed that.

Ben Wizner: Chris, if as Ed says these bulk collection programs are not all that effective, that the resources that go into this would be better directed at targeted surveillance, why are they dangerous?

Chris Saghoian: Because the government has created this massive database of everyone’s private information. In an NSA building somewhere probably in Maryland, there is a record of everyone who’s called an abortion clinic, everyone who’s called an Alcoholics Anonymous hotline, everyone who’s called a gay bookstore. They tell us, “Don’t worry, we’re not looking at it” or “We’re not looking at it in that way. We’re not doing those kinds of searches” but I think many Americans would have good reason to not want that information to exist.

Regardless of which side of the political spectrum you are, you probably don’t want the government to know that you’re calling an abortion clinic, a church, or a gun store. You may think quite reasonably that that is none of the government’s business.

I think when you understand that the government can collect this information at this scale, they can hang onto it and figure out uses for it down the road, I think many Americans are quite fearful of this slippery slope, this surveillance that happens behind closed doors. Even if you trust this administration we have right now, the person who sits in the oval office changes every few years. You may not like the person who’s going to sit there in a few years with that data that was collected today.

Ben Wizner: Ed we lost you for a moment but can you still hear us?

Edward Snowden: I can hear you.

28:37 How to ensure control over intelligence agencies

Ben Wizner: Ok.

Just before this began, I got an e-mail from Sir Tim Berners-Lee, the creator of the World Wide Web who asked for the privilege of the first question to you. I think I’m willing to extend that to him.

He wanted to thank you. He believes that your actions have been profoundly in the public interest. That was applause if you couldn’t hear it.

He asks if you could design from scratch an accountability system for governments over national security agencies, what would you do? It’s clear that intelligence agencies are going to be using the internet to collect information from all of us. Is there any way that we can make oversight more accountable and improved?

Edward Snowden: That’s a really interesting question. It’s also a very difficult question. Oversight models, [inaudible :41] models, these are things that are very complex. They’ve got a lot of moving parts. When you add in [inaudible :47], when you add in public oversight, it gets complex.

We’ve got a good starting point and that’s what we have to remember. We have an oversight model that could work. The problem is when the overseers aren’t interested in oversight, when we’ve got 7 intelligence committees, house intelligence committees that are cheerleading for the NSA instead of holding them to account.

When we have James Clapper the Director of National Intelligence in front of them and he tells a lie that they all know is a lie because they’re briefed on the program because they got the collections a day in advance and no one says it, allowing all the American people to believe that this is a true answer, that’s an incredibly dangerous thing. That’s the biggest [inaudible :36].

When I would say, “How do we fix our oversight model? How do we structure an oversight model that works?” the key factor is accountability. We can’t have officials like James Clapper who can lie to everyone in the country, who can lie to the congress, and face not even a criticism. Not even a strongly worded letter.

The same thing with courts. In the United States we’ve got open courts that are supposed to decide [inaudible :06] constitutional issues to interpret and apply the law. We also have the FISA court, which is a secret rubber stamped court, but they’re only supposed to approve warrant applications. These happen in secret because you don’t want people to know the government wants to surveil.

At the same time, a secret court shouldn’t be interpreting the constitution when only NSA’s lawyers are making the case about how it should be [inaudible :40]. Those are the 2 primary factors that I think need to change.

The other thing is we need public advocates. We need public representatives. We need public oversight. Some way for trusted public figures, sort of civil rights champions, to advocate for us and to protect the structure and make sure it’s been fairly applied. We need a watchdog that watches congress.

Something that can tell us these guys didn’t tell you that you were just lied to. Otherwise, how do we vote? If we’re not informed, we can’t consent to these policies. I think that’s damaging.

32:28 Consequences of Snowden’s disclosures for technological development

Ben Wizner: For what it’s worth, my answer to Sir Tim is Ed Snowden. Before these disclosures, all 3 branches of our government had gone to sleep on oversight. The courts had thrown cases out, as he said. Congress allowed itself to be lied to. The executive branch did no reviews.

Since Ed Snowden and since all of us have been read in to these programs, we’re actually seeing reinvigorated oversight. It’s the oversight that the constitution had in mind but sometimes it needs a dusting off. Ed has been the broom.

Chris Saghoian: I just wanted to also note that without Ed’s disclosures, many of the tech companies would not have improved their security either at all or at the rate that they did.

The PRISM story, although there was a lack of clarity initially about what it really said, put the names of billion dollar American companies on the front page of the newspaper and associated them with bulk surveillance. You saw the companies doing everything in their power publicly to distance themselves and also show that they were taking security seriously.

You saw companies like Google, Microsoft, and Facebook rushing to encrypt their data centers with data center connections. You saw companies like Yahoo! finally turning on SSL encryption. Apple fixed a bug in its address book app that allowed Google users’ address books to be transmitted over networks in an unencrypted form.

Without Ed’s disclosures, there wouldn’t have been as much pressure for these tech companies to encrypt their information. There are going to be people in this audience and people who are listening at home who think that what Ed did is wrong. Let me be clear about one really important thing. His disclosures have improved internet security.

The security improvements we’ve gotten haven’t just protected us from bulk government surveillance. They’ve protected us from hackers at Starbucks who are monitoring our Wi-Fi connections; they’ve protected us from stalkers, identity thieves, and common criminals. These companies should have been encrypting their communications before and they weren’t.

It really took, unfortunately, the largest and most profound whistle blower in history to get us to this point where these companies are finally prioritizing the security of their users’ communications between them and the companies.

We all have Ed to thank for this. I cannot emphasize enough. Without him, we would not have Yahoo! users getting SSL, we would not have this data going over the network in encrypted form. It shouldn’t have taken that. The companies should have done it by themselves. There should be regulation or privacy regulators who are forcing these companies to do this. That isn’t taking place so it took Ed to get us to a secure place.

Ben Wizner: Great.

35:29 Is the government more dangerous than big corporations?

Ben Wizner: Remember the hashtag is AskSnowden. We’ll take our first question, please forgive pronunciations, from Max [Zerk-an-tin :36].

The question for Ed and Chris too: why is it less bad if big corporations get access to our information instead of the government? Ed, did you hear it?

Edward Snowden: Yes, I did.

This is something that’s actually been debated. We see people’s opinions, people’s responses to this evolving which is good. This is why we need to have these conversations.

We don’t know. Right now my thinking, and I believe the majority’s thinking, is that the government has the ability to deprive you of rights. Governments around the world, whether it’s the United States Government, whether it’s the Yemeni government, whether it’s Zaire, any country, they have police powers, they have military powers, they have intelligence powers. They can literally kill you. They can jail you. They can surveil you.

Companies can surveil you to sell you products, to sell your information to other companies, and that can be bad but you have legal [inaudible :41]. First off, it’s typically a voluntary contract. Secondly, you’ve got court challenges you use.

If you challenge the government about these things, and the ACLU itself has actually challenged some of these cases, the government throws [inaudible :58] and says, “You can’t even ask about this”. The courts aren’t allowed to tell us whether this is legal or not because we’re just going to do it anyway.

That’s the difference and it’s something we need to watch out for.

Ben Wizner: Chris do you want to address it or should we take the next question?

Chris Saghoian: Sure, just quickly.

I’m not crazy about the amount of data that Google and Facebook collect. Of course everything they get, the government can come and ask for too. There’s the collection the government is doing by itself, and then there’s the data that they can go to Google and Facebook and force them to hand over.

We should remember that the web browser that you’re likely using, the most popular browser right now is Chrome. The most popular mobile operating system is now Android. Many of the tools that we’re using, whether web browsers or operating systems or apps, are made by advertising companies.

It’s not a coincidence that Chrome is probably a less privacy-preserving browser. It’s tweaked to allow data collection by third parties. The Android operating system is designed to facilitate disclosure of data to third parties. Even if you’re ok with the data that companies are collecting, we should also note that the tools that we use to browse the web and the tools that ultimately will either permit our data to be shared or prevent it from being shared are made by advertising companies.

This makes the NSA’s job a lot easier. If the web browsers we were using were locked down by default, the NSA would have a much tougher time but advertising companies are not going to give us tools that are privacy preserving by default.

38:30 US practices as a model for other countries

Ben Wizner: Let’s take another question from [Jodi Se-ra-no :31] to Snowden from Spain.

Do you think the US surveillance systems might encourage other countries to do the same?

Edward Snowden: Yes.

This is actually one of the primary dangers not just of the NSA’s activities but in not addressing and resolving these issues. It’s important to remember that Americans benefit profoundly on this because again, as we discussed, we’ve got the most to lose from being hacked.

At the same time, every citizen in every country has something to lose. We all are at risk of unfair, unjustified, unwarranted interference in our private lives. Through our history, we’ve seen governments sort of repeat the trend where it increases and it gets to a point where they crossed the line.

If we don’t resolve these issues, if we allow the NSA to continue unrestrained, every other government, the international community, will accept that sort of as the green light to do the same. That’s not what we want.

Chris Saghoian: I think there’s a difference between surveillance performed by the NSA and surveillance performed by most other governments. It’s not really illegal when it’s more of a technical one and that is the whole world sends their data to the United States.

Americans are not sending their e-mail to Spain; Americans are not sending their photographs to France. This means that the US, because of Silicon Valley, because of the density of tech companies in this country, the US enjoys an unparalleled intelligence advantage that every other government just doesn’t have.

If we want the rest of the world to keep using US tech companies, if we want the rest of the world to keep trusting their data with the United States, then we need to respect them. We need to respect their privacy in the way that we protect the privacy of Americans right now.

I think the revelations of the last 8 months have given many people in other countries a very reasonable reason to question whether they should be trusting their data to United States companies. I think we can get that trust back through legal changes but I think tech companies can also do a lot to earn that trust back by employing encryption and other privacy protecting technologies.

The best way to get your users’ trust is to be able to say when the government comes to you, “Sorry, we don’t have the data” or “Sorry, we don’t have the data that’s going to be in a form that will be of any use to you.” That’s how you win back the trust of people in Brazil, in Germany, and people around the world.

41:10 Does encryption even work?

Ben Wizner: Let me just cut in with a question here because I do think that a certain degree of perhaps hopelessness may have crept in to the global public with this constant barrage of stories about the NSA’s capabilities, the GCHQ’s capabilities and their activities, all the ways that they’re able to get around defenses.

I hear, Chris, you and Ed both coming back to encryption again and again as something that still works. Maybe we could just take a moment, Ed, after the discussions that we’ve had about how NSA has worked to weaken encryption.

Should people still be confident that the basic encryption that we use protects us from surveillance or at least mass surveillance?

Edward Snowden: The bottom line, and I’ve repeated this again and again, is that encryption does work. We need to think about encryption not as this sort of arcane black art but sort of a basic protection. It’s the defense against the dark arts of the digital world. This is something we all need to be [inaudible :21].

Not only implemented, but actively researching and improving on the academic level. The grad students of today, tomorrow, need to keep today’s [inaudible :33] online to inform tomorrow’s. We need all those brilliant [inaudible :38] cryptographers to go, “All right, we know that these encryption algorithms we’re using today work.

Typically it’s the random number generators that are attacked is if they were to be encryption algorithms themselves. How can we make them [fool proof :52]? How can we test them? This is [inaudible :54].

It’s not going to go away tomorrow but it’s the steps that we take today, it’s the moral commitment, the philosophical commitment, the commercial commitment to protect and enforce our liberties through technical standards that’s going to take us through [tomorrow :11] and allow us to reclaim the open and trusted [inaudible :15].

Ben Wizner: Chris very briefly, you hang out with cryptographers. They’re not happy campers these days.

Chris Saghoian: No.

Of all the stories that have come out, the one that has really had the biggest impact in the security community is the news that the NSA has subverted the design of cryptographic and random number generator algorithms. I think it’s fair to say that there is a group within the cryptographic community now who have become radicalized as a result of these disclosures.

Cryptographers actually can be radicals. They’re not just mild mannered people. We should remember that regular consumers do not pick their own encryption algorithms. Regular consumers just use the services that are provided to them. The people who pick the crypto, who pick the particular algorithms, who pick the key sizes; they are the security engineers at Google and Facebook and Microsoft.

The cryptographers who are working with open source projects, those people are all really pissed. I think that’s good. Those people should be mad. Those people can make a difference.

The fact that these disclosures have so angered the security community is a really good sign because ultimately the tools that come out in 6 months or a year or 2 years are going to be far more secure than they were before. That’s because that part of the tech community feel like they were lied to.

44:37 Confronting security concerns on an individual level

Ben Wizner: Let’s take a couple more questions from Twitter.

Melissa [nick sick :40] I hope.

What steps do you suggest the average person take now to ensure a more secure digital experience? Is there anything we can do at the individual level to confront the issues of mass surveillance that we’re talking about today? Ed, it’s ok if the answer is no.

Edward Snowden: There are basic steps. It’s a really complicated subject matter today and that’s the difficulty. Again, it’s the Glenn Greenwald test.

How do you answer this? [inaudible :11] For me, there are a couple of key technologies. There’s full disc encryption to protect your actual physical computer and devices in case they’re seized. There’s network encryption which are things like SSL but that happens sort of transparently, you can’t help that. You can install a couple browser plugins, NoScript to block active exploitation attempts in the browser, Ghostery to block ads and tracking cookies.

But there’s also Tor. Tor, t-o-r, is a mixed routing network which is very important because it’s encrypted from the user through the ISP to the end of a cloud, a network of routers that you go through. Because of this, your ISP, your telecommunications provider can no longer spy on you by default. The way they do now, today, when you go to any website.

By using Tor, you shift their focus to either attacking the Tor cloud itself which is incredibly difficult, or to try to monitor the exits from the Tor and the entrances to Tor, and then try to figure out what fits. That’s very difficult.

[inaudible :31] those basic steps. You encrypt your hardware and you encrypt your network communication. You’re far, far more hardened than the average user. It becomes very difficult for any sort of a mass surveillance to be applied to you. You’ll still be vulnerable to some targeted surveillance.

If there’s a warrant against you, if the NSA is after you, they’re still going to get you. Mass surveillance, this untargeted collect it all approach, you’ll be much safer.

Ben Wizner: When there’s a question about average users and the answer is Tor, we failed, right?

Chris Saghoian: Yeah, I mean I’ll just add to what Ed said in saying that a privacy preserving experience may not be a secure experience and vice versa.

I’m constantly torn. I personally feel like Firefox is the more privacy preserving browser but I know that Chrome is the more secure browser. I’m stuck with this choice … am I more worried about passive surveillance of my communications and my web browsing information or am I more worried about being attacked? I go back and forth on those.

I think until we have a browser or a piece of software that optimizes for both privacy and security, I think users are going to be stuck with 2 bad choices. I’ll just note that in addition to what Ed said, I really think that consumers need to rethink their relationship with many of the companies to whom they entrust their private data.

I really think what this comes down to is if you’re getting the service for free, the customer isn’t going to be optimizing the experience with your best interest in mind. I’m not going to say if you’re not paying for the product, you are the product because we pay for our wireless service and those companies still treat us like crap.

If you want a secure online backup service, you’re going to have to pay for it. If you want a secure voice or video communications product, you’re going to have to pay for it. That doesn’t mean you have to pay thousands of dollars a year but you need to pay something so that that company has a sustainable business model that doesn’t revolve around collecting and monetizing your data.

48:41 An arms race between encryption developers and surveillance

Ben Wizner: We have another question about encryption from Sean.

Isn’t it just a matter of time before NSA can decrypt even the best encryption? Ed, I’m particularly interested in your answer to this in light of your confidence that data that you were able to take is secure and has remained secure.

Edward Snowden: Well, let’s put it this way.

The United States Government has assembled a massive investigation team into me personally, into my work with the journalists, and they still have no idea what documents were provided to the journalists, what they have, what they don’t have because encryption worked.

The only way to get around that even over Tor is either have a computer that’s so massive and so powerful you convert the entire universe into the energy powering this crypto breaking machine and it still might not have enough to it, or you can break in a computer disc and try to steal the keys and bypass that encryption. That happens today. That happens every day. That’s the way around it.

There are still ways to protect encrypted data that no one can break. That’s by making sure the keys are never exposed. The key itself cannot be observed. The key can’t be stolen. It can’t be captured. The encryption can’t be [inaudible :13]. Any cryptographer, any mathematician in the world will tell you that the math is sound.

The only way to get through encryption on a targeted basis, particularly when you start layering encryption, you’re not using one algorithm, you’re using every algorithm. You’re using key splitting, you’re using all kinds of sort of sophisticated techniques to make sure that no one person, no single point of failure exists.

There’s no way in. There’s no way around it. That’s going to continue to be the case until our understanding of mathematics and physics changes on a fundamental level. Actually if I could follow up on that, I would say the US government’s investigation actually supports that.

We’ve had both public and private acknowledgements that they know at this point neither the Russian government, nor the Chinese government, nor any other government has possession of any of this information. That would be easy for them to find out. Remember, these are the guys who are spying on everybody in the world.

They’ve got human intelligence assets embedded in these governments. They’ve got electronic signals assets in these governments. Suddenly, if the Chinese government knew everything the NSA was doing, we would notice the changes. We would notice the chatter. We would see officials communicating and our assets would tell us, “Hey, suddenly they got a warehouse. They put a thousand of their most skilled researchers in there”. That’s never happened and it’s never going to happen.

Chris Saghoian: I’ll just add that I think Ed’s right.

If the government really wants to get into your computer, if they want to figure out what you’re saying and who you’re saying it to, they will find a way. That won’t involve breaking the encryption. That will involve hacking into your device. Whether your phone or your laptop, they’ll take advantage of either vulnerabilities that haven’t been patched or vulnerabilities that no one knows about. Hacking technologies don’t scale.

If you are a target of the NSA, it’s going to be game over no matter what unless you are taking really, really sophisticated steps to protect yourself but for most people that will be beyond their reach. Encryption makes bulk surveillance too expensive. The goal here isn’t to blind the NSA. The goal isn’t to stop the government from going after legitimate surveillance targets. The goal here is to make it so they cannot spy on innocent people because they can.

Right now so many of our communications, our telephone calls, our e-mails, our text messages, our instant messages, are just there for the taking. If we start using encrypted communication services, suddenly it becomes too expensive for the NSA to spy on everyone. Suddenly they’ll need to actually have a good reason to dedicate those resources to either try and break the encryption or to try and hack into your device.

Encryption technology, even if imperfect, has the potential to raise the cost of surveillance to the point that it no longer becomes economically feasible for the government to spy on everyone.

53:21 Can we benefit from big data without being vulnerable to mass surveillance?

Ben Wizner: Can we get another question on the screen from Twitter? Please? Thanks.

Good question from David Meyer.

Is it possible to reap the benefits of big data on a societal level while not opening ourselves to constant mass surveillance? How do we enjoy the scientific benefits, even some of the commercial benefits of this without turning ourselves into a dystopian surveillance state? In 2 minutes or less.


Edward Snowden: This is a really difficult question.

There are a lot of advancements and things like encrypted search that make it possible for the data to be an unreadable format, until [inaudible :10] or something. In general, it’s a difficult problem.

The bottom line is data should not be collected without people’s knowledge and consent. If data is being clandestinely acquired and the public doesn’t have any way to review it and it’s not legislatively authorized, it’s not reviewed by courts, it’s not [constant :33] with our constitution, that’s a problem. If we want to use that, it needs to be the result of a public debate in which people’s [inaudible :43].

Ben Wizner: Chris, do you want to take on that question?

Chris Saghoian: No.

Ben Wizner: We have another question that is about every day users. Maybe you can give us another one because I think we’ve answered this one.

54:58 Private contractors and the public interest

Ben Wizner: Friends backstage? Ok, from Tim [Sho-ruck :04].

Wasn’t NSA mass surveillance the solution…

Chris can you read that?

Chris Saghoian: Wasn’t NSA’s mass surveillance solution to the internet driven by privatization and handling of our signals intelligence analysis to SAIC, Booz Allen so…

Ben Wizner: I don’t understand.

Chris Saghoian: Tim is basically saying, “Isn’t this a result of letting the contractors in to run the show?”

Edward Snowden: The problem is when the NSA gets a pot of money, they don’t typically develop the solutions themselves. They bring in a bunch of contractors. The Booz Allens, the SAICs, the [khakis :42], and they go, “Hey, what can you guys do for us? What solutions are you working on?” These guys get a gigantic [inaudible :50] song and dance.

I actually used to do it professionally, I know how it works. The problem is you got contractors and private companies at that point influencing policy. It was not uncommon for me at the NSA as a private employee to write the same point papers and sort of policy suggestions that I did as an official employee of the government at the CIA.

The problem with that is you got people who aren’t accountable, they’ve got no sort of government recourse against them who are saying, “Let’s do this. Let’s do that. Let’s put all this money in mass surveillance because it’ll be great. We’ll all get rich” but it doesn’t serve the public interest.

One thing you’ve seen recently is the government’s gone and changed its talking points. They moved their verbiage away from public interest into national interest. We should be concerned about that because when the national interest, talking about the [sake :51] becomes distinct from the public interest, what benefits the people, we are at a point where we have to marry those up where it gets harder and harder to control and we risk losing control of a representative democracy.

Ben Wizner: So Ed, maybe let me ask you what will turn out to be a final question. In your early interviews with Glenn Greenwald and Laura Poitras, you said that your biggest fear was that there would be little or no reaction to these disclosures.

Where you sit now, how satisfied are you with the global debate that you helped to launch and do you feel that it was worth the price that you paid in order to bring us to this moment?

Edward Snowden: One of the things that I told Bart Gellman was when I came public with this, it wasn’t so I could single handedly change the government, tell them what to do, and sort of override what the public thinks is [inaudible :59].

What I wanted to do was inform the public so they could make a decision, they could provide the consent for what we should be doing. The results of these revelations, the results of all the incredibly responsible, careful reporting that by the way has been coordinated with the government.

The government’s never said any single one of these stories have risked a human life. The result is that the public has benefitted. The government has benefitted. Every society in the world has benefitted. We live in a more secure place, we have more secure communications, and we’re going to have a better civic interaction as a result of understanding what’s being done in our name and what’s being done [inaudible :52].

When it comes to “Would I do this again?” the answer is “absolutely yes.” Regardless of what happens to me, this is something we had a right to. I took an oath to support and defend the constitution and I saw that the constitution was violated on a massive scale. The interpretation of the fourth amendment had been changed [inaudible :14]. Thank you.

The interpretation of the constitution had been changed in secret from no unreasonable search and seizure to “Any seizure is fine, just don’t search it.” That’s something the public ought to know about.

59:53 Closing

Ben Wizner: You can see behind Ed is a green screen of … is that Article 1 of the Constitution?

Edward Snowden: That’s correct.

Ben Wizner: “We the people”…

There’s also another organization here that is also interested in the Constitution. I’d be [re-missed :07] if I didn’t say to all of you that the ACLU has a table 1144. I promise that it will not be all about surveillance. Please come and say hi to us.

If you’re not members of the ACLU, it’s cheap to sign up.

We have ACLU whistles, we have t-shirts that you can get with membership, you can talk to me and Chris a little bit more about the other work that we are doing and our ACLU colleagues.

With that, I’d like all of us to thank Ed Snowden for choosing this venue for this kind of conversation.

Edward Snowden: Thank you all very much. Thank you, Austin.