How the Tech Industry Can Fight the NSA
SAN FRANCISCO — The technology industry needs to change the way it does business in order to prevent further spying by the National Security Agency, a prominent privacy advocate said here today.
Christopher Soghoian, principal technologist and policy analyst with the American Civil Liberties Union, told the audience at the B-Sides SF security conference that the government's pursuit of encrypted data should raise alarms across the technology sector.
"Our threat model has changed," Soghoian said. "In the post-Snowden world, where we know governments will lie, bribe, steal and cheat to get access to information, we need to design new systems."
Soghoian cited the case of Lavabit, a small provider of secure email that happened to have NSA leaker Edward Snowden as a client.
Last summer, a federal judge ordered Lavabit to give the FBI all its encryption keys so that it could track whom Snowden communicated with — an order which would have exposed all Lavabit's clients and destroyed its business. Rather than comply, Lavabit shut down.
"It should be terrifying that the government can do this to a company," Soghoian said.
He added that the order set a precedent ensuring that similar court orders could be imposed on any American firm that uses encrypted data as part of its normal business.
"Every company that runs an app store or pushes out signed software updates should be worried about the Lavabit case," Soghoian said.
Making it harder to spy
Soghoian explained that before 2010, it was easy for the NSA and other communications-intelligence agencies to passively intercept Internet communications because few companies bothered to encrypt data sent to and from their servers.
"The NSA's methods of interception have largely relied on other people's laziness," he said.
But in January 2010, Google began to encrypt all Gmail communications using the Secure Sockets Layer (SSL) protocol. Over the next three years, Facebook, Microsoft and others followed suit.
"Suddenly, hundreds of millions of people were protected against passive government surveillance," Soghoian said.
The lockdown of Internet communications only accelerated after documents leaked by Snowden revealed the extent to which the NSA and other Western intelligence agencies had been collecting unencrypted data.
By the end of 2013, most of the largest Web services, including Yahoo and LinkedIn, were encrypting their Web communications with users.
"SSL everywhere now," Soghoian said, "and part of that is because of Edward Snowden. Whatever you think of him and his motives, there should be no debate that the Internet is more secure today than it was a year ago."
The full force of the law
However, Soghoian warned, the narrowing of opportunities to collect data from users will lead to greater government pressure on technology companies to hand over data.
"How will governments respond to mass deployment of cryptography?" he asked. "They're not going to be happy that your new $600 smartphone has encryption turned on by default. There's going to be a response from Washington, D.C., and it's not going to be particularly pretty."
As an example, Soghoian pointed out that the Internet-telephone service Skype had once claimed it was completely secure, and even provided evidence of it.
When Microsoft bought Estonia-based Skype in 2011, the service became subject to U.S. government authority. Snowden-leaked documents indicate that Skype's security model was secretly changed, allowing the NSA to monitor Skype communications.
"We don't know if Microsoft fought this," Soghoian said. "What is clear is that someone from the government visited Skype's offices and said: 'You need to do this. You need to make your security weaker.'"
"The end result," he added, "was that the government won."
To prevent future Lavabits and Skypes, Soghoian said, companies that use Internet encryption need to change their development models.
"Spread the code and the risk around," he recommended. "Put developers in other countries. Put people in France or Germany, so that if requests for information are received, the legal processes can take years to resolve."