How the Tech Industry Can Fight the NSA

SAN FRANCISCO — The technology industry needs to change the way it does business in order to prevent further spying by the National Security Agency, a prominent privacy advocate said here today.

Christopher Soghoian, principal technologist and policy analyst with the American Civil Liberties Union, told the audience at the B-Sides SF security conference that the government's pursuit of encrypted data should raise alarms across the technology sector.


"Our threat model has changed," Soghoian said. "In the post-Snowden world, where we know governments will lie, bribe, steal and cheat to get access to information, we need to design new systems."

Soghoian cited the case of Lavabit, a small provider of secure email that happened to have NSA leaker Edward Snowden as a client.

Last summer, a federal judge ordered Lavabit to give the FBI all its encryption keys so that it could track whom Snowden communicated with — an order which would have exposed all Lavabit's clients and destroyed its business. Rather than comply, Lavabit shut down.

"It should be terrifying that the government can do this to a company," Soghoian said.

He added that the order set a precedent ensuring that similar court orders could be imposed on any American firm that uses encrypted data as part of its normal business.

"Every company that runs an app store or pushes out signed software updates should be worried about the Lavabit case," Soghoian said.

Making it harder to spy

Soghoian explained that before 2010, it was easy for the NSA and other communications-intelligence agencies to passively intercept Internet communications because few companies bothered to encrypt data sent to and from their servers.

"The NSA's methods of interception have largely relied on other people's laziness," he said.

But in January 2010, Google began to encrypt all Gmail communications using the Secure Sockets Layer (SSL) protocol. Over the next three years, Facebook, Microsoft and others followed suit.

"Suddenly, hundreds of millions of people were protected against passive government surveillance," Soghoian said.

The lockdown of Internet communications only accelerated after documents leaked by Snowden revealed the extent to which the NSA and other Western intelligence agencies had been collecting unencrypted data.

By the end of 2013, most of the largest Web services, including Yahoo and LinkedIn, were encrypting their Web communications with users.

"SSL everywhere now," Soghoian said, "and part of that is because of Edward Snowden. Whatever you think of him and his motives, there should be no debate that the Internet is more secure today than it was a year ago."

The full force of the law

However, Soghoian warned, the narrowing of opportunities to collect data from users will lead to greater government pressure on technology companies to hand over data.

"How will governments respond to mass deployment of cryptography?" he asked. "They're not going to be happy that your new $600 smartphone has encryption turned on by default. There's going to be a response from Washington, D.C., and it's not going to be particularly pretty."


As an example, Soghoian pointed out that the Internet-telephone service Skype had once claimed it was completely secure, and even provided evidence of it.

When Microsoft bought Estonia-based Skype in 2011, the service became subject to U.S. government authority. Snowden-leaked documents indicate that Skype's security model was secretly changed, allowing the NSA to monitor Skype communications.

"We don't know if Microsoft fought this," Soghoian said. "What is clear is that someone from the government visited Skype's offices and said: 'You need to do this. You need to make your security weaker.'"

"The end result," he added, "was that the government won."

To prevent future Lavabits and Skypes, Soghoian said, companies that use Internet encryption need to change their development models.

"Spread the code and the risk around," he recommended. "Put developers in other countries. Put people in France or Germany, so that if requests for information are received, the legal processes can take years to resolve."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • HEXiT
    There would be absolutely no need for this if the government wasn't overreaching in its spying. They seem to be looking for a needle in a haystack but insist on adding more hay every day. This is not how intelligence is gathered. They need a small group of people on the ground doing what spies do: gathering intel on legitimate targets. Then when they have the intel on a possible target, then get permission to tap his comms... You don't tap everyone's just because they may be a threat at some point down the line... That's not how a democracy works but rather a dictatorship... Yes, it's quite possible there is a dictatorship in America; they're the ones buying politicians and judges that are allowing these laws to be passed.
  • AmericanPrivacy
    Americans Right to Privacy has solutions and I am anxious to share them with you. We offer secure, encrypted email, a Virtual Private Network (VPN) which secures your computer's internet connection, to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes. Switzerland, a country known for its strict data privacy laws, has no back door access to encryption for any government agency, not even Switzerland itself. www.americansrighttoprivacy.com