After the spying scandals of NSA and their European partner organizations, the question of how to product oneself and who to protect oneself from has become a primary concern for more than just IT experts. In the below interview with Seth Schoen of the Electronic Frontier Foundation tries to enlighten the reader about the possibilities and limits we are all facing. The interview was originally published in Norwegian on the site Radikal Portal.
Johannes Wilm (JW): What tools can you use to avoid spying from the NSA and other possible spy agencies? What about end users and what about organizations that want to avoid being spied upon?
Seth Schoen (SS): It’s really difficult. I used to think they were primarily just intercepting cables, but now we know they spend a lot of time trying to find security holes in software without telling the developers about it. So it’s really impossible to tell what they can get in to. Of course they are not using magic to do this, but think of it like this: tens of thousands of people are all trying to figure out a way to break into your software. And they are all highly trained people, so it’s very likely that they’ll find a way to do it.
Of course those people are all analyzing the software to look for bugs that they can exploit, and it’s not guaranteed that there will be exploitable bugs, but in practice the developers seem to have made mistakes, and it’s hard to write software correctly, so there end up being bugs. And there was a saying that “given enough eyeballs, all bugs are shallow”, or they become obvious if only enough people look at the code. Unfortunately it looks like the people who are actually having many eyeballs looking closely at software code to find bugs are now the attackers rather than the defenders.
So people need to be using encryption tools to encrypt their communications on the wire and on disk, but we’ve learned that there is a widespread practice of breaking into infrastructure, and breaking into people’s own devices, to bypass that.
We do have a document called Surveillance Self-Defense that talks about tools and strategies for protecting yourself against surveillance. Right now a new edition is in preparation because the first edition has gone out of date.
JW: Is it an alternative to just use mainstream tools, like Gmail and Facebook chat and hope that your communications get lost in the mass?
SS: The problem is that they have some very powerful search tools. So hiding your communications may not really be possible. It’s not like a human being has to read every single message.
And some of the tools can also analyze relationships among people and make automatic inferences. This has been an active field of research, to determine the nature of relationships within groups automatically by analyzing their communications. There are also computational linguistics tools like sentiment analysis and topic analysis where a robot can examine a text and make a guess about what the subject matter is, and whether the author is happy or unhappy about it.
JW: What about tools like Mailpile instead of Gmail and Friendica/Diaspora instead of Facebook and Cryptocat for Chat? Will they help at all?
SS: They help a lot because alternative is sending your communications to service providers who are willing to hand them over and sending them through cables that may be tapped. So using things that are architecturally designed to protect your stuff makes sense.
Browsers are not very good at handling encryption right now. I mean encryption that’s meant to protect against the server even if the server is trying to spy on the user data. When looking at a web application in a browser, the user cannot check whether what the application has been tampered with. So if someone has hacked the server and changed the application so that it breaks the security policy and transmits information to others, the user won’t notice. The way to get around that problem right now is to use browser extensions. You only download them once, so they cannot replace an original version with a hacked version without breaking into your computer somehow. But I think there are developers working on that, to figure out how to bring that level of security to other web applications.
The US government’s position is apparently that they can get a court to order someone to redesign a technology to trick a user to use a corrupted version of a software program and spy on that user. Before the Lavabit case we didn’t know that the government saw it that way.
JW: Will it help to create new physical infrastructure for the internet, for example extra cables like that from Brazil to Europe help?
SS: If you are afraid of the US spying on you, it’s probably a good idea to not send your communications through the US. However, there are so many other ways to get the data. For example, they could hack the routers on either end of the cable and divert some part of the traffic. And we know they can use a submarine to intercept the communications going through a cable.
Even in the 1990s we said metaphorically that you should assume that communications networks are compromised. We said that you should design and act as if your networks are directly run and controlled by your adversaries. And that’s the core value of encryption, so that you can communicate safely, in some sense, over an untrusted and even hostile network. It turns out that the idea of compromised and hostile networks is not a metaphor.
We don’t even know all of the ways in which the networks have been compromised but I think it’s not appropriate to trust that new physical infrastructure can’t be compromised.
JW: Looking at what has been released of previous spying for example on the political left in the past, it’s quite clear that the spies are not the most intelligent. For them it’s a job. They don’t necessarily understand nor care about what’s going on in the conversations. Can that knowledge give some extra security?
SS: I’m not sure what to answer to that. But there have certainly been cases when there was a lack of understanding of the context. If you’re in an unfamiliar social context it might be hard to understand whether something is a joke or is irony or sarcasm. After the 9/11 attacks there were cases when they simply didn’t have enough people who understood Arabic to efficiently spy on certain sectors. The Arabic language is still seen as quite suspect among many in the US and there have been political controversies about not having enough Arabic speakers to engage with the Arab world really on any level, whether it’s spying or talking to people or even reading the newspaper.
JW: Ok, but isn’t that how it was with Russian during the cold war? And haven’t most people realized that the government always vilifies some country or other that doesn’t fit with its own vision, but that the US government doesn’t always act in the interest of everybody living in the US?
SS: I am not sure this is the mainstream. When I listen to my own tech friends, they are generally very concerned about how this country is spying on others and are very sorry about it. But on Twitter one can easily find many other groups of people with very different views. I have noticed two groups who defend the extent of the spying by the US government: Some think the US should have this power because it’s the “good guy.” For them, the US government is more legitimate than other governments. It’s the idea of American exceptionalism. Or they may feel that, apart from these questions of legitimacy, the US has a unique role as the “sole superpower” in maintaining international order and needs access to monitor things worldwide in order to do so. Another group argues that it’s natural for states to compete and to spy on one another and that this will always be the case under all circumstances.
It is true that many other governments would likely spy just as much, and that it’s not because everybody else has higher morals that this doesn’t take place as much. I think we will find out more over time about surveillance by other states, which I do think is already an highly international activity. We know that sometimes civilian government authorities don’t know what their own intelligence services do, or how they work together with other countries.
Overall, the US government simply spends more money, I assume, than any other state on its spying apparatus. And it has higher ambitions in terms of what expects to be able to find out. Other states don’t have as many resources, and they don’t expect to find out as much or to have as broad a reach. This is also because the US uses other kinds of powers and relationships it has to get this power in the field of online spying. For example, they will use treaty negotiations as leverage, or they will offer to share certain information learned through spying in exchange for access.
JW: Edward Snowden recommends using encryption to shield communications. But he also says that mostly when encryption is used, the NSA has a way of getting around it by hacking the computers at the end of it. Why do you think it still makes sense to use encryption?
SS: Intelligence agencies will likely not break into every computer in the world, because there is always a risk someone may notice the break-in. If encryption were used a lot, tapping cables would not be enough to listen in one someone’s conversation. A cable may carry communications of 1 million internet users, so to get all the same information if it’s encrypted, one would need to hack that many computers. If it’s not encrypted, it can be intercepted all at once from the cable at a single location.
JW: Does it make sense for people outside the US to host their mail in their own country? Or in a larger country in the neighborhood?
SS: There is a difficult trade-off. The main form of it is that the more prominent and wealthy the email host is, the more susceptible they may be to legal pressure. In the sense that it’s easy to locate them and they have a lot to lose. There are examples where large companies have been asked explicitly to redesign a service to make it less secure, and large companies are willing to comply with that, maybe because they have so much money at stake. They may argue about it in secret, but they may end up giving in or finding a compromise if they think the alternative is to stop doing business in a certain country. The consequence of these pressures is directly visible if it’s about content blocking but less visible when it’s about technical aspects of security and privacy. That has happened in India where the government asked large companies to remove security features. You could imagine that a company could say no, but most of them are willing to say yes. It’s easier to apply this pressure to companies with business interests and offices in more countries because a government can say that they will seize their assets or fine or arrest their staff or make them shut down those offices.
There is speculation that Microsoft was pressured to remove security features from Skype from the US and possible elsewhere. There is a documented case that in China Skype had to have a local partner and the local partner added a backdoor to let the government censor and spy on people’s communications. There is speculation that they have done something similar in a more subtle way in the US. This is the disadvantage of using large major companies.
There are also advantages of using large and foreign companies: They have the money to pay a large security fee. They have sophisticated research and development in the area of IT security and they are thinking about it every day. Google has state sponsored attack warning — they warn a user of government attacks. It refers to trying to break-in by technical means, not if it’s through a court order, so if Google thinks that a government is sending malicious attachments to your e-mail account, they tell you about it, in general terms. However, I don’t know if this warning ever happens in the case of the US. Their security team is large and well-funded and the members are really knowledgeable. If you make your own service, you don’t have this kind of security staff. And if you make your own service you don’t have thousands of people upgrading and maintaining the software the way Google does. So having the resources of a large company can be significant. The infrastructure is stronger.
It may be beneficial to have your communications in another country if you are afraid of the surveillance of your own country. We’ve seen people consciously make this choice because they say that they will accept having US security services possibly read their mail if it reduces the chance that the local security services can do it.
JW: What if you are a government institution?
SS: If you are a government, you are among the most appealing targets to attack. The cost to defend yourself against attacks from foreign governments may require a large staff, and the question is if you willing to invest in that. This is not just about upgrading software, but studying attacks and defenses on an ongoing basis.
I mean, there have been laboratories looking into what is possible as a matter of attack and defense, considering very elaborate details, the leakage of information in radio signals from computing devices and telephones, the manufacture and detection of bugging devices, remote imaging capabilities, and whatever. If you read computer security literature from the last decade you see university researchers looking into the problem of information leakage in unexpected channels. For example, the computer consumes more power when it does one operation than another, so if you measure the power consumption accurately you can figure out what the computer is doing, even sometimes the exact contents of what it’s calculating. Or the keyboard makes a different sound when you press one key than another, or the computer makes a different whine depending on the kind of calculation it’s doing, or there are radio signals coming out of the screen that reveal information about what’s displayed, or the light levels in the room are correlated with the flickering of the beam that draws the picture on the monitor, pixel by pixel by pixel. But it also turns out that government labs have been seriously studying all these issues for decades. And they have sophisticated ideas and sophisticated understandings and sophisticated capabilities, and they got there by spending a lot of money, where openly-published science is proceeding much more slowly.
I looked at a project in Brazil to provide email to the whole country by the government and the software they were originally going to use for this national email system. It had been created by a very small open source developer team, probably for small businesses. And I thought, “I am sure this software has bugs, and I’m sure if they just put this up that other countries’ spy agencies will find these bugs quickly.” I didn’t hear about the government hiring people to try to protect it. There is a very high rate of exploitable bugs in such software. The US was complaining about the Chinese government looking for such bugs and hacking into communications infrastructure, and now we know the US itself is doing it. So this is really a core concern about hosting something domestically.
If you want to talk about hosting a foreign government’s information in the US, in part it’s a question of laws and whether intelligence agencies respect those laws. The US has a strange legal norm where if a foreign government stores data in the US, the US government automatically has the right to look at that data, just because it’s stored by a foreign government, even if it is a civilian department of an ally country. They don’t have to argue that the foreign government is doing something “bad.” That is a good argument to not store that data in the US, because in a certain sense it will have no legal protection at all.
We may have a conversation again about the advantages and disadvantages of hosting in particular jurisdictions, at many different levels. There is a political question about whether hosting abroad could violate data protection regulations, if you can’t guarantee that the government in the jurisdiction that you’re hosting in won’t access the data for what would be an impermissible reason under your data protection laws. People have worried about this for years but I think the question is still very live, and there’s a question of legal norms and of credibility.
But at a technical level, if China, Israel, Russia or France are your threat, it may still be better secured in the US – a company like Google may defend your data against those countries. At least, it may have better odds than a smaller organization would of resisting sophisticated technical attacks.
JW: What is that about bugs in software and why aren’t they fixed when found?
SS: There are markets where you can buy information about bugs in software to break into computers. The secrecy gives the bugs economic value for attack purposes because they aren’t known to the software developer and so they won’t have been fixed. For popular desktop software, the cost can be 100,000 USD to break into for example a web browser. Governments are actively bidding in these markets. Some governments are hiring their own researchers to find bugs. Or they may be doing both.
Partly because there are so many bugs, the US government uses several physically separate networks disconnected form the internet for its own usage. They built parallel infrastructure. They make a rule that these networks must not be connected to the internet. They don’t use the same computers on those networks and on the internet. They do this because even though they invest so much money into security, they don’t know if they can control this. Also, they are afraid of insider threats. So the “air gap” is a precaution that they’ll take, which is, in part, saying that they don’t know that they can ever make software secure. So certain computer just can’t be physically connected to public networks.
Even for the most powerful government in the world, it’s difficult to have confidence that they can have control over their networks if they’re accessible over the Internet. Government officials have different email accounts on different networks to communicate about different things.
Snowden’s documents show that US agencies follow many rules – but mainly only when it comes to US citizens. At least the motivation for putting the rules in place was to provide protections for US citizens and residents. But those rules have many more loopholes than what US citizens thought. The US government’s interpretation of the law is at times secret, and that’s one part to it.
JW: Secret service organizations have not always been able to stop the collapse of the government they support, even when they were extremely big. With 4.2 million people with security clearances and something like 1.4 million with top secret clearance, isn’t there a chance all this will disappear eventually just because it gets too big?
SS: It appears that the US intelligence agencies weren’t able to predict certain historical events, or at least not stop them. For example, people say they didn’t predict the end of the Soviet Union, and some people say they didn’t predict the Arab Spring, and some people say they didn’t anticipate the aftermath of the Ukrainian revolution. So there is the idea that even agencies with incredible technical capabilities aren’t omniscient.
When you talk about millions of people with security clearance, it is amazing to think of the level of secrecy. But not all those clearances are related to espionage or surveillance in any way. A lot of those are related to military aircraft, missiles, anti-satellite missiles, drones, etc., or to creating or maintaining infrastructure that the U.S. government uses for its own purposes. Sometimes it’s even just working in the same building where some people are talking about secret things, because a worker in that building might overhear something.
But I don’t know what to believe. There has been so much secret history. During the cold war the public heard a lot about clandestine activities, and in the U.S. people had the impression it was all about the cold war. But it seems like all of these things have existed at a much larger scale and with other purposes than what the public has really understood. And we don’t really hear about what the intelligence agencies do, to whom or where and who decided that they should, although various states are spending billions of dollars for at least partially clandestine purposes.
So it does raise the prospect that history is very different from what we hear. Because there may have been a clandestine component of every historical event, not only because of espionage. At NSA headquarters they have this memorial for people who have been killed while working for the NSA. It’s more than 100 people. And the NSA is not a human intelligence agency, but a technological one.
It just makes me think there are these large areas of human activity that are never analyzed or reported upon. Even when espionage is detected, it is rarely fully exposed. When spies are caught, if they have diplomatic cover, they are simply deported, citing a formula that their activities were incompatible with their diplomatic status, and we rarely hear what they did and how they were caught and what they were about to do. That happens very frequently, but we very seldom hear about the underlying reasons.