
How the Tech Industry Can Fight the NSA

Source: Tom's Guide US

SAN FRANCISCO — The technology industry needs to change the way it does business in order to prevent further spying by the National Security Agency, a prominent privacy advocate said here today.

Christopher Soghoian, principal technologist and policy analyst with the American Civil Liberties Union, told the audience at the B-Sides SF security conference that the government's pursuit of encrypted data should raise alarms across the technology sector.

"Our threat model has changed," Soghoian said. "In the post-Snowden world, where we know governments will lie, bribe, steal and cheat to get access to information, we need to design new systems."

Soghoian cited the case of Lavabit, a small provider of secure email that happened to have NSA leaker Edward Snowden as a client.

Last summer, a federal judge ordered Lavabit to give the FBI all its encryption keys so that it could track whom Snowden communicated with — an order which would have exposed all Lavabit's clients and destroyed its business. Rather than comply, Lavabit shut down.

"It should be terrifying that the government can do this to a company," Soghoian said.

He added that the order set a precedent ensuring that similar court orders could be imposed on any American firm that uses encrypted data as part of its normal business.

"Every company that runs an app store or pushes out signed software updates should be worried about the Lavabit case," Soghoian said.

Making it harder to spy

Soghoian explained that before 2010, it was easy for the NSA and other communications-intelligence agencies to passively intercept Internet communications because few companies bothered to encrypt data sent to and from their servers.

"The NSA's methods of interception have largely relied on other people's laziness," he said.

But in January 2010, Google began to encrypt all Gmail communications using the Secure Sockets Layer (SSL) protocol. Over the next three years, Facebook, Microsoft and others followed suit.

"Suddenly, hundreds of millions of people were protected against passive government surveillance," Soghoian said.

The lockdown of Internet communications only accelerated after documents leaked by Snowden revealed the extent to which the NSA and other Western intelligence agencies had been collecting unencrypted data.

By the end of 2013, most of the largest Web services, including Yahoo and LinkedIn, were encrypting their Web communications with users.

"SSL everywhere now," Soghoian said, "and part of that is because of Edward Snowden. Whatever you think of him and his motives, there should be no debate that the Internet is more secure today than it was a year ago."

The full force of the law

However, Soghoian warned, the narrowing of opportunities to collect data from users will lead to greater government pressure on technology companies to hand over data.

"How will governments respond to mass deployment of cryptography?" he asked. "They're not going to be happy that your new $600 smartphone has encryption turned on by default. There's going to be a response from Washington, D.C., and it's not going to be particularly pretty."

As an example, Soghoian pointed out that the Internet-telephone service Skype had once claimed it was completely secure, and even provided evidence of it.

When Microsoft bought Estonia-based Skype in 2011, the service became subject to U.S. government authority. Snowden-leaked documents indicate that Skype's security model was secretly changed, allowing the NSA to monitor Skype communications.

"We don't know if Microsoft fought this," Soghoian said. "What is clear is that someone from the government visited Skype's offices and said: 'You need to do this. You need to make your security weaker.'"

"The end result," he added, "was that the government won."

To prevent future Lavabits and Skypes, Soghoian said, companies that use Internet encryption need to change their development models.

"Spread the code and the risk around," he recommended. "Put developers in other countries. Put people in France or Germany, so that if requests for information are received, the legal processes can take years to resolve."

Discuss
  • HEXiT, February 24, 2014 7:19 PM
    There would be absolutely no need for this if the government wasn't overreaching in its spying. They seem to be looking for a needle in a haystack but insist on adding more hay every day. This is not how intelligence is gathered. They need a small group of people on the ground doing what spies do: gathering intel on legitimate targets. Then, when they have the intel on a possible target, then get permission to tap his comms... You don't tap everyone's just because they may be a threat at some point down the line... That's not how a democracy works but rather a dictatorship... Yes, it's quite possible there is a dictatorship in America; they're the ones buying politicians and judges that are allowing these laws to be passed.
  • AmericanPrivacy, February 27, 2014 1:09 PM
    Americans Right to Privacy has solutions and I am anxious to share them with you. We offer secure, encrypted email, a Virtual Private Network (VPN) which secures your computer's internet connection, to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes. Switzerland, a country known for its strict data privacy laws, has no back door access to encryption for any government agency, not even Switzerland itself. www.americansrighttoprivacy.com