Anchor
17th August 2013, 23:33
Bruce Schneier has been writing these newsletters for some time. Obviously recently he has been all over the NSA issue; this installment is a very good read.
Permission is given to repost this and forward, so long as nothing is changed.
Anchor..
---------------
CRYPTO-GRAM
August 15, 2013
by Bruce Schneier
BT Security Futurologist
schneier@schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1308.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent
comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
The Public/Private Surveillance Partnership
The NSA is Commandeering the Internet
Restoring Trust in Government and the Internet
News
Book Review: "Rise of the Warrior Cop"
Schneier News
Michael Hayden on the Effects of Snowden's Whistleblowing
Counterterrorism Mission Creep
** *** ***** ******* *********** *************
The Public/Private Surveillance Partnership
Imagine the government passed a law requiring all citizens to carry a
tracking device. Such a law would immediately be found unconstitutional.
Yet we all carry mobile phones.
If the National Security Agency required us to notify it whenever we
made a new friend, the nation would rebel. Yet we notify Facebook. If
the Federal Bureau of Investigation demanded copies of all our
conversations and correspondence, it would be laughed at. Yet we provide
copies of our e-mail to Google, Microsoft or whoever our mail host is;
we provide copies of our text messages to Verizon, AT&T and Sprint; and
we provide copies of other conversations to Twitter, Facebook, LinkedIn,
or whatever other site is hosting them.
The primary business model of the Internet is built on mass
surveillance, and our government's intelligence-gathering agencies have
become addicted to that data. Understanding how we got here is critical
to understanding how we undo the damage.
Computers and networks inherently produce data, and our constant
interactions with them allow corporations to collect an enormous amount
of intensely personal data about us as we go about our daily lives.
Sometimes we produce this data inadvertently simply by using our phones,
credit cards, computers and other devices. Sometimes we give
corporations this data directly on Google, Facebook, Apple Inc.'s iCloud
and so on in exchange for whatever free or cheap service we receive from
the Internet in return.
The NSA is also in the business of spying on everyone, and it has
realized it's far easier to collect all the data from these corporations
rather than from us directly. In some cases, the NSA asks for this data
nicely. In other cases, it makes use of subtle threats or overt
pressure. If that doesn't work, it uses tools like national security
letters.
The result is a corporate-government surveillance partnership, one that
allows both the government and corporations to get away with things they
couldn't otherwise.
There are two types of laws in the U.S., each designed to constrain a
different type of power: constitutional law, which places limitations on
government, and regulatory law, which constrains corporations.
Historically, these two areas have largely remained separate, but today
each group has learned how to use the other's laws to bypass their own
restrictions. The government uses corporations to get around its limits,
and corporations use the government to get around their limits.
This partnership manifests itself in various ways. The government uses
corporations to circumvent its prohibitions against eavesdropping
domestically on its citizens. Corporations rely on the government to
ensure that they have unfettered use of the data they collect.
Here's an example: It would be reasonable for our government to debate
the circumstances under which corporations can collect and use our data,
and to provide for protections against misuse. But if the government is
using that very data for its own surveillance purposes, it has an
incentive to oppose any laws to limit data collection. And because
corporations see no need to give consumers any choice in this matter --
because it would only reduce their profits -- the market isn't going to
protect consumers, either.
Our elected officials are often supported, endorsed and funded by these
corporations as well, setting up an incestuous relationship between
corporations, lawmakers and the intelligence community.
The losers are us, the people, who are left with no one to stand up for
our interests. Our elected government, which is supposed to be
responsible to us, is not. And corporations, which in a market economy
are supposed to be responsive to our needs, are not. What we have now is
death to privacy -- and that's very dangerous to democracy and liberty.
The simple answer is to blame consumers, who shouldn't use mobile
phones, credit cards, banks or the Internet if they don't want to be
tracked. But that argument deliberately ignores the reality of today's
world. Everything we do involves computers, even if we're not using them
directly. And by their nature, computers produce tracking data. We can't
go back to a world where we don't use computers, the Internet or social
networking. We have no choice but to share our personal information with
these corporations, because that's how our world works today.
Curbing the power of the corporate-private surveillance partnership
requires limitations on both what corporations can do with the data we
choose to give them and restrictions on how and when the government can
demand access to that data. Because both of these changes go against the
interests of corporations and the government, we have to demand them as
citizens and voters. We can lobby our government to operate more
transparently -- disclosing the opinions of the Foreign Intelligence
Surveillance Court would be a good start -- and hold our lawmakers
accountable when it doesn't. But it's not going to be easy. There are
strong interests doing their best to ensure that the steady stream of
data keeps flowing.
This essay originally appeared on Bloomberg.com.
http://www.bloomberg.com/news/2013-07-31/the-public-private-surveillance-partnership.html
or http://tinyurl.com/me4bpsx
Corporations collecting data:
http://www.schneier.com/essay-324.html
http://www.schneier.com/essay-423.html
http://www.nationaljournal.com/magazine/how-america-s-top-tech-companies-created-the-surveillance-state-20130725
or http://tinyurl.com/mpy6tbz
Corporations cooperating with the NSA:
http://news.cnet.com/8301-13578_3-57593538-38/how-the-u.s-forces-net-firms-to-cooperate-on-surveillance/
or http://tinyurl.com/jw7f4ob
http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys
or http://tinyurl.com/l4ztclv
http://www.newyorker.com/online/blogs/elements/2013/06/what-its-like-to-get-a-national-security-letter.html
or http://tinyurl.com/ntd3ffe
http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/
or http://tinyurl.com/osj2zps
How the partnership manifests itself:
http://www.bloomberg.com/news/2013-06-28/anti-hacking-bill-aiding-verizon-delayed-by-snowden-leaks.html?cmpid=yhoo
or http://tinyurl.com/myc3gtl
http://www.bloomberg.com/news/2013-06-30/fbi-s-data-mining-needs-scrutiny-too.html
or http://tinyurl.com/kkcyqej
Congress's attempt to rein in NSA:
http://www.nytimes.com/2013/07/25/us/politics/house-defeats-effort-to-rein-in-nsa-data-gathering.html
or http://tinyurl.com/msvoc7k
The death of privacy:
https://www.schneier.com/essay-418.html
Disclosing FISA opinions:
http://www.bloomberg.com/news/2013-07-09/fisa-court-missing-checks-and-balances.html
or http://tinyurl.com/kevlx6c
** *** ***** ******* *********** *************
The NSA is Commandeering the Internet
It turns out that the NSA's domestic and world-wide surveillance
apparatus is even more extensive than we thought. Bluntly: The
government has commandeered the Internet. Most of the largest Internet
companies provide information to the NSA, betraying their users. Some,
as we've learned, fight and lose. Others cooperate, either out of
patriotism or because they believe it's easier that way.
I have one message to the executives of those companies: fight.
Do you remember those old spy movies, when the higher ups in government
decide that the mission is more important than the spy's life? It's
going to be the same way with you. You might think that your friendly
relationship with the government means that they're going to protect
you, but they won't. The NSA doesn't care about you or your customers,
and will burn you the moment it's convenient to do so.
We're already starting to see that. Google, Yahoo, Microsoft and others
are pleading with the government to allow them to explain details of
what information they provided in response to National Security Letters
and other government demands. They've lost the trust of their
customers, and explaining what they do -- and don't do -- is how to get
it back. The government has refused; they don't care.
It will be the same with you. There are lots more high-tech companies
who have cooperated with the government. Most of those company names
are somewhere in the thousands of documents that Edward Snowden took
with him, and sooner or later they'll be released to the public. The
NSA probably told you that your cooperation would forever remain secret,
but they're sloppy. They'll put your company name on presentations
delivered to thousands of people: government employees, contractors,
probably even foreign nationals. If Snowden doesn't have a copy, the
next whistleblower will.
This is why you have to fight. When it becomes public that the NSA has
been hoovering up all of your users' communications and personal files,
what's going to save you in the eyes of those users is whether or not
you fought. Fighting will cost you money in the short term, but
capitulating will cost you more in the long term.
Already companies are taking their data and communications out of the US.
The extreme case of fighting is shutting down entirely. The secure
e-mail service Lavabit did that last week, abruptly. Ladar Levison,
that site's owner, wrote on his homepage: "I have been forced to make a
difficult decision: to become complicit in crimes against the American
people or walk away from nearly ten years of hard work by shutting down
Lavabit. After significant soul searching, I have decided to suspend
operations. I wish that I could legally share with you the events that
led to my decision."
The same day, Silent Circle followed suit, shutting down their e-mail
service in advance of any government strong-arm tactics: "We see the
writing on the wall, and we have decided that it is best for us to shut
down Silent Mail now. We have not received subpoenas, warrants, security
letters, or anything else by any government, and this is why we are
acting now." I realize that this is extreme. Both of those companies
can do it because they're small. Google or Facebook couldn't possibly
shut themselves off rather than cooperate with the government. They're
too large; they're public. They have to do what's economically
rational, not what's moral.
But they can fight. You, an executive in one of those companies, can
fight. You'll probably lose, but you need to take the stand. And you
might win. It's time we called the government's actions what they really
are: commandeering. Commandeering is a practice we're used to in
wartime, where commercial ships are taken for military use, or
production lines are converted to military production. But now it's
happening in peacetime. Vast swaths of the Internet are being
commandeered to support this surveillance state.
If this is happening to your company, do what you can to isolate the
actions. Do you have employees with security clearances who can't tell
you what they're doing? Cut off all automatic lines of communication
with them, and make sure that only specific, required, authorized acts
are being taken on behalf of government. Only then can you look your
customers and the public in the face and say that you don't know what is
going on -- that your company has been commandeered.
Journalism professor Jeff Jarvis recently wrote in the "Guardian":
"Technology companies: now is the moment when you must answer for us,
your users, whether you are collaborators in the US government's efforts
to 'collect it all' -- our every move on the internet -- or whether you,
too, are victims of its overreach."
So while I'm sure it's cool to have a secret White House meeting with
President Obama -- I'm talking to you, Google, Apple, AT&T, and whoever
else was in the room -- resist. Attend the meeting, but fight the
secrecy. Whose side are you on?
The NSA isn't going to remain above the law forever. Already public
opinion is changing, against the government and their corporate
collaborators. If you want to keep your users' trust, demonstrate that
you were on their side.
This essay originally appeared on TheAtlantic.com.
http://www.theatlantic.com/technology/archive/2013/08/the-nsa-is-commandeering-the-internet/278572/
or http://tinyurl.com/koa9bzc
Corporations and the NSA surveillance apparatus:
http://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html
http://www.schneier.com/essay-436.html
http://www.theatlanticwire.com/technology/2013/06/how-yahoo-fought-prism-and-lost/66233/
or http://tinyurl.com/ldxkpkt
http://www.wired.com/threatlevel/2013/04/google-fights-nsl/
http://news.cnet.com/8301-13578_3-57593538-38/how-the-u.s-forces-net-firms-to-cooperate-on-surveillance/
or http://tinyurl.com/jw7f4ob
http://www.newyorker.com/online/blogs/elements/2013/06/what-its-like-to-get-a-national-security-letter.html
or http://tinyurl.com/ntd3ffe
Companies wanting more disclosure:
http://business.time.com/2013/07/18/apple-google-facebook-join-civil-liberties-groups-for-nsa-transparency-push/
or http://tinyurl.com/mcn9xjr
Whistleblowing as civil disobedience:
http://www.zephoria.org/thoughts/archives/2013/07/19/edward-snowden-whistleblower.html
or http://tinyurl.com/jwbcgom
Cooperating with NSA surveillance costs companies money:
http://boingboing.net/2013/08/08/us-businesses-stand-to-lose-up.html
Lavabit:
http://www.schneier.com/blog/archives/2013/08/lavabit_e-mail.html
http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html
http://lavabit.com/
http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-ladar-levison-if-you-knew-what-i-know-about-email-you-might-not-use-it/
or http://tinyurl.com/loe4dfd
Silent Circle:
http://silentcircle.wordpress.com/2013/08/09/to-our-customers/
Jarvis essay:
http://www.theguardian.com/commentisfree/2013/aug/07/big-tech-protect-big-brother
or http://tinyurl.com/mpr8x2k
Tech companies meet with Obama:
http://www.huffingtonpost.com/2013/08/09/tim-cook-obama_n_3731630.html
or http://tinyurl.com/mpr8x2k
NSA is a criminal organization:
http://www.nytimes.com/2013/06/28/opinion/the-criminal-nsa.html
Regaining trust:
http://www.schneier.com/essay-435.html
Slashdot thread:
http://news.slashdot.org/story/13/08/12/1850229/schneier-the-nsa-is-commandeering-the-internet#
or http://tinyurl.com/ns9hk8v
** *** ***** ******* *********** *************
Restoring Trust in Government and the Internet
In July 2012, responding to allegations that the video-chat service
Skype -- owned by Microsoft -- was changing its protocols to make it
possible for the government to eavesdrop on users, Corporate Vice
President Mark Gillett took to the company's blog to deny it.
Turns out that wasn't quite true.
Or at least he -- or the company's lawyers -- carefully crafted a
statement that could be defended as true while completely deceiving the
reader. You see, Skype wasn't changing its protocols to make it possible
for the government to eavesdrop on users, because the government was
already able to eavesdrop on users.
At a Senate hearing in March, Director of National Intelligence James
Clapper assured the committee that his agency didn't collect data on
hundreds of millions of Americans. He was lying, too. He later defended
his lie by inventing a new definition of the word "collect," an excuse
that didn't even pass the laugh test.
As Edward Snowden's documents reveal more about the NSA's activities,
it's becoming clear that we can't trust anything anyone official says
about these programs.
Google and Facebook insist that the NSA has no "direct access" to their
servers. Of course not; the smart way for the NSA to get all the data is
through sniffers.
Apple says it's never heard of PRISM. Of course not; that's the internal
name of the NSA database. Companies are publishing reports purporting to
show how few requests for customer-data access they've received, a
meaningless number when a single Verizon request can cover all of their
customers. The Guardian reported that Microsoft secretly worked with the
NSA to subvert the security of Outlook, something it carefully denies.
Even President Obama's justifications and denials are phrased with the
intent that the listener will take his words very literally and not
wonder what they really mean.
NSA Director Gen. Keith Alexander has claimed that the NSA's massive
surveillance and data mining programs have helped stop more than 50
terrorist plots, 10 inside the U.S. Do you believe him? I think it
depends on your definition of "helped." We're not told whether these
programs were instrumental in foiling the plots or whether they just
happened to be of minor help because the data was there. It also depends
on your definition of "terrorist plots." An examination of plots that
the FBI claims to have foiled since 9/11 reveals that would-be
terrorists have commonly been delusional, and most have been egged on by
FBI undercover agents or informants.
Left alone, few were likely to have accomplished much of anything.
Both government agencies and corporations have cloaked themselves in so
much secrecy that it's impossible to verify anything they say;
revelation after revelation demonstrates that they've been lying to us
regularly and tell the truth only when there's no alternative.
There's much more to come. Right now, the press has published only a
tiny percentage of the documents Snowden took with him. And Snowden's
files are only a tiny percentage of the number of secrets our government
is keeping, awaiting the next whistle-blower.
Ronald Reagan once said "trust but verify." That works only if we can
verify. In a world where everyone lies to us all the time, we have no
choice but to trust blindly, and we have no reason to believe that
anyone is worthy of blind trust. It's no wonder that most people are
ignoring the story; it's just too much cognitive dissonance to try to
cope with it.
This sort of thing can destroy our country. Trust is essential in our
society. And if we can't trust either our government or the corporations
that have intimate access into so much of our lives, society suffers.
Study after study demonstrates the value of living in a high-trust
society and the costs of living in a low-trust one.
Rebuilding trust is not easy, as anyone who has betrayed or been
betrayed by a friend or lover knows, but the path involves transparency,
oversight and accountability. Transparency first involves coming clean.
Not a little bit at a time, not only when you have to, but complete
disclosure about everything. Then it involves continuing disclosure. No
more secret rulings by secret courts about secret laws. No more secret
programs whose costs and benefits remain hidden.
Oversight involves meaningful constraints on the NSA, the FBI and
others. This will be a combination of things: a court system that acts
as a third-party advocate for the rule of law rather than a rubber-stamp
organization, a legislature that understands what these organizations
are doing and regularly debates requests for increased power, and
vibrant public-sector watchdog groups that analyze and debate the
government's actions.
Accountability means that those who break the law, lie to Congress or
deceive the American people are held accountable. The NSA has gone
rogue, and while it's probably not possible to prosecute people for what
they did under the enormous veil of secrecy it currently enjoys, we need
to make it clear that this behavior will not be tolerated in the future.
Accountability also means voting, which means voters need to know what
our leaders are doing in our name.
This is the only way we can restore trust. A market economy doesn't work
unless consumers can make intelligent buying decisions based on accurate
product information. That's why we have agencies like the FDA,
truth-in-packaging laws and prohibitions against false advertising.
In the same way, democracy can't work unless voters know what the
government is doing in their name. That's why we have open-government
laws. Secret courts making secret rulings on secret laws, and companies
flagrantly lying to consumers about the insecurity of their products and
services, undermine the very foundations of our society.
Since the Snowden documents became public, I have been receiving e-mails
from people seeking advice on whom to trust. As a security and privacy
expert, I'm expected to know which companies protect their users'
privacy and which encryption programs the NSA can't break. The truth is,
I have no idea. No one outside the classified government world does. I
tell people that they have no choice but to decide whom they trust and
to then trust them as a matter of faith. It's a lousy answer, but until
our government starts down the path of regaining our trust, it's the
only thing we can do.
This essay originally appeared on CNN.com.
http://www.cnn.com/2013/07/31/opinion/schneier-nsa-trust/index.html
Skype story:
http://blogs.skype.com/2012/07/26/what-does-skypes-architecture-do
http://www.bbc.co.uk/news/technology-19012415
http://www.nytimes.com/2013/06/20/technology/silicon-valley-and-spy-agency-bound-by-strengthening-web.html
or http://tinyurl.com/q833uj7
http://www.slate.com/blogs/future_tense/2013/07/12/skype_surveillance_a_timeline_of_public_claims_and_private_government_dealings.html
or http://tinyurl.com/kmjfj27
Clapper story:
http://nymag.com/daily/intelligencer/2013/06/wyden-clapper-nsa-video-congress-spying.html
or http://tinyurl.com/lvs5z9g
http://www.eff.org/deeplinks/2013/06/director-national-intelligences-word-games-explained-how-government-deceived
or http://tinyurl.com/mhtg7rz
Government lies:
http://www.eff.org/nsa-spying/wordgames
How NSA sniffers actually work:
http://fabiusmaximus.com/2013/06/11/nsa-surveillance-51264/
Published reports of NSA surveillance requests:
https://www.schneier.com/blog/archives/2013/06/details_of_nsa.html
http://www.wired.com/threatlevel/2013/06/nsa-numbers
Microsoft Outlook story:
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
or http://tinyurl.com/p3n2x5m
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx
or http://tinyurl.com/mnuxbsu
General Alexander's justification:
http://www.washingtonpost.com/blogs/post-politics/wp/2013/06/18/nsa-head-surveillance-helped-thwart-more-than-50-terror-attempts/
or http://tinyurl.com/ms7gzv6
Examining terrorist plots:
http://politicalscience.osu.edu/faculty/jmueller/absisfin.pdf
The value of trust:
http://www.schneier.com/essay-412.html
http://www.worldvaluessurvey.org
Two more links describing how the US government lies about NSA surveillance.
http://www.slate.com/articles/news_and_politics/politics/2013/07/nsa_lexicon_how_james_clapper_and_other_u_s_officials_mislead_the_american.html
or http://tinyurl.com/mgm8osg
https://projects.propublica.org/graphics/nsa-claims
[continued in next post]
what's going to save you in the eyes of those users is whether or not
you fought. Fighting will cost you money in the short term, but
capitulating will cost you more in the long term.
Already companies are taking their data and communications out of the US.
The extreme case of fighting is shutting down entirely. The secure
e-mail service Lavabit did that last week, abruptly. Ladar Levison,
that site's owner, wrote on his homepage: "I have been forced to make a
difficult decision: to become complicit in crimes against the American
people or walk away from nearly ten years of hard work by shutting down
Lavabit. After significant soul searching, I have decided to suspend
operations. I wish that I could legally share with you the events that
led to my decision."
The same day, Silent Circle followed suit, shutting down their e-mail
service in advance of any government strong-arm tactics: "We see the
writing on the wall, and we have decided that it is best for us to shut
down Silent Mail now. We have not received subpoenas, warrants, security
letters, or anything else by any government, and this is why we are
acting now." I realize that this is extreme. Both of those companies
can do it because they're small. Google or Facebook couldn't possibly
shut themselves off rather than cooperate with the government. They're
too large; they're public. They have to do what's economically
rational, not what's moral.
But they can fight. You, an executive in one of those companies, can
fight. You'll probably lose, but you need to take the stand. And you
might win. It's time we called the government's actions what they really
are: commandeering. Commandeering is a practice we're used to in
wartime, where commercial ships are taken for military use, or
production lines are converted to military production. But now it's
happening in peacetime. Vast swaths of the Internet are being
commandeered to support this surveillance state.
If this is happening to your company, do what you can to isolate the
actions. Do you have employees with security clearances who can't tell
you what they're doing? Cut off all automatic lines of communication
with them, and make sure that only specific, required, authorized acts
are being taken on behalf of government. Only then can you look your
customers and the public in the face and say that you don't know what is
going on -- that your company has been commandeered.
Journalism professor Jeff Jarvis recently wrote in the "Guardian":
"Technology companies: now is the moment when you must answer for us,
your users, whether you are collaborators in the US government's efforts
to 'collect it all' -- our every move on the internet -- or whether you,
too, are victims of its overreach."
So while I'm sure it's cool to have a secret White House meeting with
President Obama -- I'm talking to you, Google, Apple, AT&T, and whoever
else was in the room -- resist. Attend the meeting, but fight the
secrecy. Whose side are you on?
The NSA isn't going to remain above the law forever. Already public
opinion is changing, against the government and their corporate
collaborators. If you want to keep your users' trust, demonstrate that
you were on their side.
This essay originally appeared on TheAtlantic.com.
http://www.theatlantic.com/technology/archive/2013/08/the-nsa-is-commandeering-the-internet/278572/
or http://tinyurl.com/koa9bzc
Corporations and the NSA surveillance apparatus:
http://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html
http://www.schneier.com/essay-436.html
http://www.theatlanticwire.com/technology/2013/06/how-yahoo-fought-prism-and-lost/66233/
or http://tinyurl.com/ldxkpkt
http://www.wired.com/threatlevel/2013/04/google-fights-nsl/
http://news.cnet.com/8301-13578_3-57593538-38/how-the-u.s-forces-net-firms-to-cooperate-on-surveillance/
or http://tinyurl.com/jw7f4ob
http://www.newyorker.com/online/blogs/elements/2013/06/what-its-like-to-get-a-national-security-letter.html
or http://tinyurl.com/ntd3ffe
Companies wanting more disclosure:
http://business.time.com/2013/07/18/apple-google-facebook-join-civil-liberties-groups-for-nsa-transparency-push/
or http://tinyurl.com/mcn9xjr
Whistleblowing as civil disobedience:
http://www.zephoria.org/thoughts/archives/2013/07/19/edward-snowden-whistleblower.html
or http://tinyurl.com/jwbcgom
Cooperating with NSA surveillance costs companies money:
http://boingboing.net/2013/08/08/us-businesses-stand-to-lose-up.html
Lavabit:
http://www.schneier.com/blog/archives/2013/08/lavabit_e-mail.html
http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html
http://lavabit.com/
http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-ladar-levison-if-you-knew-what-i-know-about-email-you-might-not-use-it/
or http://tinyurl.com/loe4dfd
Silent Circle:
http://silentcircle.wordpress.com/2013/08/09/to-our-customers/
Jarvis essay:
http://www.theguardian.com/commentisfree/2013/aug/07/big-tech-protect-big-brother
or http://tinyurl.com/mpr8x2k
Tech companies meet with Obama:
http://www.huffingtonpost.com/2013/08/09/tim-cook-obama_n_3731630.html
or http://tinyurl.com/mpr8x2k
NSA is a criminal organization:
http://www.nytimes.com/2013/06/28/opinion/the-criminal-nsa.html
Regaining trust:
http://www.schneier.com/essay-435.html
Slashdot thread:
http://news.slashdot.org/story/13/08/12/1850229/schneier-the-nsa-is-commandeering-the-internet#
or http://tinyurl.com/ns9hk8v
** *** ***** ******* *********** *************
Restoring Trust in Government and the Internet
In July 2012, responding to allegations that the video-chat service
Skype -- owned by Microsoft -- was changing its protocols to make it
possible for the government to eavesdrop on users, Corporate Vice
President Mark Gillett took to the company's blog to deny it.
Turns out that wasn't quite true.
Or at least he -- or the company's lawyers -- carefully crafted a
statement that could be defended as true while completely deceiving the
reader. You see, Skype wasn't changing its protocols to make it possible
for the government to eavesdrop on users, because the government was
already able to eavesdrop on users.
At a Senate hearing in March, Director of National Intelligence James
Clapper assured the committee that his agency didn't collect data on
hundreds of millions of Americans. He was lying, too. He later defended
his lie by inventing a new definition of the word "collect," an excuse
that didn't even pass the laugh test.
As Edward Snowden's documents reveal more about the NSA's activities,
it's becoming clear that we can't trust anything anyone official says
about these programs.
Google and Facebook insist that the NSA has no "direct access" to their
servers. Of course not; the smart way for the NSA to get all the data is
through sniffers.
Apple says it's never heard of PRISM. Of course not; that's the internal
name of the NSA database. Companies are publishing reports purporting to
show how few requests for customer-data access they've received, a
meaningless number when a single Verizon request can cover all of their
customers. The Guardian reported that Microsoft secretly worked with the
NSA to subvert the security of Outlook, something it carefully denies.
Even President Obama's justifications and denials are phrased with the
intent that the listener will take his words very literally and not
wonder what they really mean.
NSA Director Gen. Keith Alexander has claimed that the NSA's massive
surveillance and data mining programs have helped stop more than 50
terrorist plots, 10 inside the U.S. Do you believe him? I think it
depends on your definition of "helped." We're not told whether these
programs were instrumental in foiling the plots or whether they just
happened to be of minor help because the data was there. It also depends
on your definition of "terrorist plots." An examination of plots that
the FBI claims to have foiled since 9/11 reveals that would-be
terrorists have commonly been delusional, and most have been egged on by
FBI undercover agents or informants.
Left alone, few were likely to have accomplished much of anything.
Both government agencies and corporations have cloaked themselves in so
much secrecy that it's impossible to verify anything they say;
revelation after revelation demonstrates that they've been lying to us
regularly and tell the truth only when there's no alternative.
There's much more to come. Right now, the press has published only a
tiny percentage of the documents Snowden took with him. And Snowden's
files are only a tiny percentage of the number of secrets our government
is keeping, awaiting the next whistle-blower.
Ronald Reagan once said "trust but verify." That works only if we can
verify. In a world where everyone lies to us all the time, we have no
choice but to trust blindly, and we have no reason to believe that
anyone is worthy of blind trust. It's no wonder that most people are
ignoring the story; it's just too much cognitive dissonance to try to
cope with it.
This sort of thing can destroy our country. Trust is essential in our
society. And if we can't trust either our government or the corporations
that have intimate access into so much of our lives, society suffers.
Study after study demonstrates the value of living in a high-trust
society and the costs of living in a low-trust one.
Rebuilding trust is not easy, as anyone who has betrayed or been
betrayed by a friend or lover knows, but the path involves transparency,
oversight and accountability. Transparency first involves coming clean.
Not a little bit at a time, not only when you have to, but complete
disclosure about everything. Then it involves continuing disclosure. No
more secret rulings by secret courts about secret laws. No more secret
programs whose costs and benefits remain hidden.
Oversight involves meaningful constraints on the NSA, the FBI and
others. This will be a combination of things: a court system that acts
as a third-party advocate for the rule of law rather than a rubber-stamp
organization, a legislature that understands what these organizations
are doing and regularly debates requests for increased power, and
vibrant public-sector watchdog groups that analyze and debate the
government's actions.
Accountability means that those who break the law, lie to Congress or
deceive the American people are held accountable. The NSA has gone
rogue, and while it's probably not possible to prosecute people for what
they did under the enormous veil of secrecy it currently enjoys, we need
to make it clear that this behavior will not be tolerated in the future.
Accountability also means voting, which means voters need to know what
our leaders are doing in our name.
This is the only way we can restore trust. A market economy doesn't work
unless consumers can make intelligent buying decisions based on accurate
product information. That's why we have agencies like the FDA,
truth-in-packaging laws and prohibitions against false advertising.
In the same way, democracy can't work unless voters know what the
government is doing in their name. That's why we have open-government
laws. Secret courts making secret rulings on secret laws, and companies
flagrantly lying to consumers about the insecurity of their products and
services, undermine the very foundations of our society.
Since the Snowden documents became public, I have been receiving e-mails
from people seeking advice on whom to trust. As a security and privacy
expert, I'm expected to know which companies protect their users'
privacy and which encryption programs the NSA can't break. The truth is,
I have no idea. No one outside the classified government world does. I
tell people that they have no choice but to decide whom they trust and
to then trust them as a matter of faith. It's a lousy answer, but until
our government starts down the path of regaining our trust, it's the
only thing we can do.
This essay originally appeared on CNN.com.
http://www.cnn.com/2013/07/31/opinion/schneier-nsa-trust/index.html
Skype story:
http://blogs.skype.com/2012/07/26/what-does-skypes-architecture-do
http://www.bbc.co.uk/news/technology-19012415
http://www.nytimes.com/2013/06/20/technology/silicon-valley-and-spy-agency-bound-by-strengthening-web.html
or http://tinyurl.com/q833uj7
http://www.slate.com/blogs/future_tense/2013/07/12/skype_surveillance_a_timeline_of_public_claims_and_private_government_dealings.html
or http://tinyurl.com/kmjfj27
Clapper story:
http://nymag.com/daily/intelligencer/2013/06/wyden-clapper-nsa-video-congress-spying.html
or http://tinyurl.com/lvs5z9g
http://www.eff.org/deeplinks/2013/06/director-national-intelligences-word-games-explained-how-government-deceived
or http://tinyurl.com/mhtg7rz
Government lies:
http://www.eff.org/nsa-spying/wordgames
How NSA sniffers actually work:
http://fabiusmaximus.com/2013/06/11/nsa-surveillance-51264/
Published reports of NSA surveillance requests:
https://www.schneier.com/blog/archives/2013/06/details_of_nsa.html
http://www.wired.com/threatlevel/2013/06/nsa-numbers
Microsoft Outlook story:
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
or http://tinyurl.com/p3n2x5m
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx
or http://tinyurl.com/mnuxbsu
General Alexander's justification:
http://www.washingtonpost.com/blogs/post-politics/wp/2013/06/18/nsa-head-surveillance-helped-thwart-more-than-50-terror-attempts/
or http://tinyurl.com/ms7gzv6
Examining terrorist plots:
http://politicalscience.osu.edu/faculty/jmueller/absisfin.pdf
The value of trust:
http://www.schneier.com/essay-412.html
http://www.worldvaluessurvey.org
Two more links describing how the US government lies about NSA surveillance.
http://www.slate.com/articles/news_and_politics/politics/2013/07/nsa_lexicon_how_james_clapper_and_other_u_s_officials_mislead_the_american.html
or http://tinyurl.com/mgm8osg
https://projects.propublica.org/graphics/nsa-claims
[continued in next post]