Edward Snowden: 'The NSA set fire to the internet. You are the firefighters'

Snowden tells a packed audience that SXSW’s technologists are the people who can fix the deficiencies in the internet to protect standards

http://www.theguardian.com/technology/2014/mar/11/edward-snowden-sxsw-nsa-internet

Edward Snowden speaks via Google Hangouts at SxSW in Austin, Texas

Edward Snowden chose to make his first public appearance since his spectacular ex-filtration of thousands of secret NSA documents to an audience of technology people at the annual SXSW Interactive festival in Austin, Texas on Monday.

It’s been a decade since I last spoke at SXSW, and the past 10 years have seen the conference swell an unbelievable (and at times, unmanageable) size, spilling out into the conference rooms of nearby hotels and venues. The exact cause of this spectacular growth is hard to put your on. In part, it may just be an instance of the network-effect phenomenon that has caused other counter-culture/tech events like Comic-Con and Burning Man to grow to bursting – but it’s clear that many of the bright young geeks in attendance are here because they’re chasing the legendary SXSW break-out effect that is credited with bringing Airbnb, Twitter and Foursquare to global prominence.

Everybody would like to talk to Snowden, from politicians (he provided a testimony to an EU committee examining mass surveillance last week) to book agents (he is a crisp and engaging writer with a flair for writing that is memorable without being showy) to movie people. But Snowden chose to talk to nerds.

Snowden was beamed into the packed ballroom – as well as several satellite rooms and as many as a million viewers on a livestream – by means of a Google Hangout video-chat, his image and voice thoroughly glitched-out by a journey through seven proxies. He appeared as a jittery, semi-frozen Max Headroom bust against a chromakeyed background of the First Amendment, his voice an inconsistent gargle.

This was not an easy technical feat. Washington Post journalist Barton Gellman and I were Snowden’s opening act, and there was a lot of nervous backstage joking before we went on as ACLU technologist Christopher Soghoian wrestled with the Snowden link. Soghoian and the ACLU’s Ben Wizner took the stage after Gellman and I stepped down, vamping for a few minutes while the bugs were ironed out, and then Snowden appeared, to thunderous applause.

Snowden quickly explained why he’d opted to speak to this audience: SXSW’s technologists were “the people who can really fix” the deficiencies in the internet and its applications “to enforce our rights and protect standards, even though Congress hasn’t gotten to the point of doing that.” Spies have treated the internet as “an adversarial global freefire scenario, and we need to protect people against it. The NSA has advanced policies that erode Fourth Amendment protections through the proactive seizure of communications. This demands a policy response, but we need a technical response from makers. The NSA is setting fire to the future of the internet and you guys are the firefighters.”

And we were off.

Serious security tools are notoriously hard to use

The mainstream debate over internet surveillance has focused on privacy breaches. At last, the privacy advocates who’ve spent decades trying to get internet users exercised about their privacy, Snowden’s revelations have prompted 86% of American internet users to take a step toward protecting their privacy. Alas, almost everything that a nontechnical person might do to make his internet experience more private will be useless.

That’s because all the serious security tools are notoriously hard to use. Snowden and Soghoian called on toolmakers to make their products “secure out of the box.” They both emphasised the need to make the security features of common internet technologies easier, with Snowden singling out Moxie Marlinspike’s startup Whisper for praise for its work in improving the user experience and user interface for cryptographic tools.

But as Soghoian pointed out, the majority of internet users will not download a program to replace the defaults that come with their devices, nor will they change the default configurations of those apps. However, when internet giants can be convinced to switch on cryptographic protection for the link to their users’ browsers, millions can benefit without ever having to take any action. And if the giants can’t be convinced, they can be shamed – as Yahoo was when Barton Gellman and Ashkan Soltani splashed the news of their laxness on the front page of the Washington Post last October, resulting, finally, in the company going to more secure defaults in January 2014.

Soghoian pointed out that everyone had something to worry about when it came to mass surveillance: “The government has collected a massive database of everyone’s private communications: everyone who’s called abortion clinic, everyone who’s called Alcoholics Anonymous, everyone who’s called a gay bookstore. Many Americans don’t want this stored. Whatever your politics, you know that your call to a church or gun store is not the government’s business. The person who sits in the Oval Office changes every few years and the person who sits there next may not be someone who you like.”

But privacy is only the surface of the NSA leaks. For cryptographers and many civil libertarians, the real worry is the integrity of the internet itself. All three speakers railed against the NSA’s programme of sabotaging security standards as well as the security of networks and networked devices.

Snowden described the unique recklessness of an American intelligence agency undermining internet security. “Our country’s economic success is based on our intellectual property – our ability to create, share, communicate and compete. Since 9/11, former NSA director Michael Hayden and current NSA director Keith Alexander have elevated offense at the expense of defense of our communications. They’ve eroded protection of our communications at the expense of defense of our communications.

“This is a problem because America has more to lose than anyone else when every attack can succeed. When you’re the country whose vault is more full than anyone else’s in the world it doesn’t make sense to attack all day without defending. It doesn’t make sense to weaken standards on vaults worldwide to create a back door that anyone can walk into. This weakens our national security and everyone else’s because we all rely on the same standards.

“Without security, we have nothing. Our economy can’t succeed.”

Soghoian made sure that the commercial implications of this were not lost on the entrepreneurial types in the audience, those who’d come to SXSW hoping to win the tech lottery. “Google, Yahoo and other internet companies want to sit between the conversations you have with your friends and add value. They want to mine your information, tell you about restaurants and suggest things that help you. That business model is incompatible with your security, with your having a secure, end-to-end connection to your friends.

“The irony of the fact that we’re using Google Hangouts to talk to Edward Snowden isn’t lost on me. End-to-end secure video conferencing tools aren’t polished. They’re not good enough to bounce traffic through seven proxies. In many cases, you have to choose between tools that are easy, reliable and polished and tools that are secure, but hard to use.

“Big companies have hundreds of developers to put on to user interface design. That’s not try of companies that are optimised for security. Those tend to be made by geeks, for geeks. But small developers can play a role. The next Twitter or WhatsApp should be both encrypted end-to-end and usable.

“Remember, adding security is easier for new companies than it is for the big incumbents. The big guys can’t deliver security to their users, because they’re hampered by their business-models. You can tell customers that if they give you $5 a month for encrypted communications, no one will be able to watch them. Many people will be willing to pay for that.”

But end-to-end security isn’t just good for privacy: it’s also a way of nudging spies and police toward proportionate surveillance. Snowden pointed out that suspects who use end-to-end security aren’t immune to spying, but they can only be surveilled through targeted, intensive attacks against their computers and phones. The expense of these attacks ensure that spies target people specifically in a way that is “more constitutional and more overseen,” since each event will be more visible to judges and oversight committees.

“Mass surveillance isn’t effective,” Snowden said. “We spied on everyone and found it didn’t work.” But contractors like Snowden’s former employer Booz Allen found mass surveillance contracts to be so lucrative that they lobbied for its continuation. As a result, surveillance resources were deployed without regard to real threats, meaning that specific, repeated warnings about Umar Farouk Abdulmutallab (the underwear bomber) and the Tsarnaev brothers (the Boston Marathon bombers) fell through the cracks.
‘We had an oversight model that could have worked’

Web inventor Tim Berners-Lee had the honour of asking the first question, asking Snowden how he’d change the web to make it more accountable, given the reality that spies will always try to collect information.

Snowden acknowledged that this was a complex problem, with lots of moving parts, made more complex by the secret nature of spy agencies. Still: “We had an oversight model that could have worked” – meaning the Congressional and judicial oversight systems for the NSA – “But the overseers weren’t interested in oversight – the Senate and House intelligence committees championed surveillance. James Clapper lied, and the congressmen who knew he’d lied allowed Americans to believe he’d told the truth.”

He went on to condemn the secret Foreign Intelligence Service Act Court, “a secret rubber-stamp court” to approve spying warrants. He said that the court was secret because the government had an interest in not tipping off suspects, but that a court shouldn’t interpret the constitution with only the NSA’s lawyers present to present arguments. He called for public advocates, “trusted public figures, civil rights champions to advocate for us. To tell us, these guys are lying to you. Otherwise how can we vote? Without information we can’t consent.”

For the remainder of the questions and remarks, Snowden and his co-panelists returned to technical questions, emphasising the fact that technology is the first line of defense for internet users.

Snowden reminded the technologists in the room that “Crypto works. It’s not an arcane black art. It is a basic protection, the Defense Against the Dark Arts for the digital world. We must implement it, actively research it,” going on to ask the audience to take on “a moral, philosophical and technical commitment to enforce and defend our liberties.”

Soghoian contrasted the importance of cryptography with the risk that internet users were exposed to by the NSA and GCHQ’s programmes of security sabotage. He was withering on the subject the NSA’s undermining of the US National Institute for Standards in Technology’s cryptography projects, saying it had “radicalised mild-mannered cryptographers. Consumers don’t choose their cryptographic algorithms, the people who choose them are the cryptographers. Those people are
really pissed and they should be mad.

“But they can make a difference. It’s a good sign that they’re mad. The tools that come out in a year or two will be more secure, because the tech community feels it was lied to.”

Snowden addressed the global audience, reiterating that the US has more to lose form being hacked, but “every citizen, every country has something to lose form unwarranted, unjustified surveillance of our private lives. If we don’t resolve these issues, if the NSA isn’t restrained, every government will treat their actions as a green light to do the same.

“Governments have stopped talking about the ‘public interest’ and started talking about the ‘national interest’. When these diverge, something is wrong.

“Would I do this again? Absolutely yes. No matter what happens to me. I took an oath to support and defend constitution and I saw it was being violated on a mass scale. The interpretation of constitution had been changed in secret from ‘no unreasonable search and seizure’ to ‘any seizure is fine, just don’t search it.’ That’s something the public had the right to know.”

Snowden’s video feed winked out to a standing ovation.