
More Encryption Is Not the Solution - astaire
http://queue.acm.org/detail.cfm?id=2508864
======
fab13n
Encryption can be circumvented. It's hard, but doable for a state, when it
targets one high-value suspect. But if everything is encrypted, they can't go
"big data" on it and collect everything about everyone: if proper encryption
is generalized, spying doesn't scale anymore.

Big companies' ability to break the encryption between them an you is
irrelevant: if they're the legitimate receiver of the communication, they can
offer the plain text directly to governments.

The ability for a third party to break the secrecy between two individuals has
a pretty good solution though, and that solution is local encryption + open
source. It makes it very difficult for states to compromise the scheme, and
every time they use this ability, they're at risk of having their exploit
discovered, and going blind again. They'd only use information gathered that
way for legitimate national security reasons, and will never show it in a
court for instance. A discovered 0-day exploit in OpenSSL or GPG isn't as
easily replaced as one in Flash player.

The biggest potential impact of Snowden's revelations is that now, any
security scheme relying on trusting a third party companies _has to_ be
considered unacceptably weak, at least if you mind governments--or companies
sponsoring politicians--reading everything you exchange.

TL;DR: encryption isn't the absolute weapon against illegal spying by
governments, but it helps making it extremely difficult, expensive and
unscalable. Which is good enough a reason to promote it in addition to
political action.

~~~
Nrsolis
I think the take-away from this article is that the political/legal
environment is part of implementation detail you need to consider when
considering a "private" communication mechanism.

No crypto-system is truly secure unless BOTH sides can be trusted. If either
one is even remotely possible to compromise, then that _will_ _happen_. In the
case where one of those parties is well-known and has something to lose, you
can be certain that the powers-that-be will focus their attention on that
party. (nb: Skype)

SO yeah, crypto _en masse_ will make casual collection harder, but it's not
even halfway towards what is needed. There has to be an awareness of the
downside to reduced privacy that can be tangibly grasped by the populace
otherwise we're all pissing in the wind. Any crypto-system that requires
anything approaching trade-craft on the part of the user is probably going to
fail miserably.

I was fresh out of the military when the USG was proposing the widespread
deployment of the "Clipper" chip that included key-escrow as a fundamental
feature for LEA access to keys. That failed, but I would not be surprised to
hear that we got it anyway through quiet "arrangements" with major crypto-
system equipment/software providers.

Have YOU inspected your CPU/Firmware/OS/Applications for backdoors? Even with
the full source code?

It's a hard problem and requires a lot more than just neat technology to
solve. In fact, it probably can't be solved with technology at all.

~~~
conformal
> Have YOU inspected your CPU/Firmware/OS/Applications for backdoors? Even
> with the full source code?

this is absolutely spot on, especially the firmware. nobody talks about it and
the attack surface is huge.

just to be explicit, hardware backdoors exist as well :)

~~~
cantankerous
Completely agree. Anybody recall the TPM? Security is pretty much turtles all
the way down.

Encryption isn't going to help stop a guy with a stick from beating the
information out of you. A functional state, however, can help prevent such
things from happening.

------
Homunculiheaded
"if a nation-state decides that somebody should not have privacy, then it will
use whatever means available to prevent that privacy."

One thing a lot of these discussions miss is that the entire point of doing
privacy and anonymity correctly is that _you_ are never on a list of people
that any particular nation state wants to deny privacy to. That your True Name
(to borrow the idea from Vinge’s story of the same name) is never the target,
is never even interesting.

I personally don't advocate a world where everything I do is encrypted and
anonymized, I think that that is as unachievable and sacrificing as living an
entirely private life. Use gmail, skype, facebook, twitter, send non-encrypted
messages about christmas to your friends and family, etc.

But what we do need is an online equivalent of a private life as well. And
people need to be educated in the tools and techniques that can make this
possible when necessary. Use tor, hidden services, pgp, i2p etc Use completely
different online identities, ways of speaking and never login to a HN account
associated with your real identity from that private space. Create and
participate in hidden online communities, but don’t center those communities
around your real life family and friends (ie facebook-esque hidden service
would be a very bad idea).

The idea is not to challenge, fight or oppose nation states with surveillance
capabilities, that's a losing proposition; the idea is to create a space away
from them.

~~~
visarga
It's like hygiene. A few hundred years back people weren't washing their hands
and health was very bad. As soon as we understood the germ theory of disease,
we learned hygiene and now we are much better.

With encryption and privacy it will be the same. People will need to learn new
skills.

Unfortunately, what we need to do is as cumbersome as a surgeon prepping for
operation - it takes too much care to make sure you don't mix things up. You
never login into your Gmail on Tor, don't refer to your reddit user name on
Gmail, etc.

Unless you already did, in which case you're toast. They already have years of
data on your views and interests.

Could we make a browser extension that would compare all you do and force
privacy for you? For example, if you mistakenly mention your _anonymous_
identity in your official mail, to catch it before sending. It should have a
list of forbidden things - keywords, user names, etc - and send watch people
not to mix the pots. Take care to separate cookies between anonymous mode and
public mode. I am sure such an extension would go 99% of the way to making
your private online life private again.

I envision a whole suite of apps - browser, mail, messaging, file sharing -
written with this goal in mind - to separately manage identities - private and
public - based on the content of communication. Like spam filters, but applied
to all our data leaks.

~~~
a3n
And if there's a backdoor on your hardware then they have access to all your
plaintext before encryption ...

I can imagine a day when face to face communication gets really popular, even
critical for some people.

~~~
cinquemb
I wonder if one day, 3d printing will be cheap enough so that one could go to
the local hackerspace, Print print out chips, assemble the board/internal
devices and be sure to be free from hardware backdoors?

~~~
cavilling_elite
This is feasible today. Although it takes a decent skill set. Open source
communities like OpenCore.org have enough FPGA architecture to build your own
RISC computer from scratch. I suspect as FPGA's become more popular and speeds
improve the hacker community will move towards one-off computers they made
themselves.

This coupled with your idea of 3d printing for casing is interesting.

~~~
gpcz
Doesn't that just offload the backdoor potential to the FPGA rather than a
CPU?

~~~
russellsprouts
I think it would be impossible, from a computer science standpoint, to create
a backdoor in an FPGA that could compromise your own OS, in a general case.
Perhaps, the computer that you use to program the chip could be compromised,
to change the code that is put on the FPGA.

~~~
gpcz
When I wrote that, I was under the assumption that people would use open-
source CPU designs from OpenCore for convenience. With a little help from
Xilinx and Altera, it wouldn't be too hard for a government to have the
synthesizer detect when an OpenCore design is being used and surreptitiously
put a backdoor in. I admit that it would be hard to write software to
simultaneously detect a completely unique CPU design is being synthesized,
figure out its instruction set and weaknesses, and finally create a hardware
backdoor that could circumvent any software written for that device.

As always, there's a tradeoff between cost and security. How many hardware
hackers are good enough (or motivated enough) to design their own brand new
ISA and CPU design, then bootstrap a compiler and OS for their homemade CPU?
Maybe 0.001% of the population, if that.

~~~
cinquemb
Well, I'd be down to try at somepoint, if I knew where to start. I feel like
moving forward from now, in general, the future will require these skills in
order to maintain some sovernty over onself.

------
peterwaller
Because we are technical people, it's very tempting to think of a technical
solution to the problem. This author is right on the money though. Against a
state level actor there is little hope of securing your own person and
effects, and thus, your technical solution.

~~~
akie
I agree that a political solution is strongly preferable, but I'm not sure if
that's ever going to happen. The only reason that the NSA can listen in on
your Facebook, Google, Skype (etc) activity is because:

1\. These communication tools are operated by a company under American
jurisdiction, that can therefore be strong-armed into cooperation

2\. These communication tools store your data unencrypted

3\. The world outside that company has no way of figuring out what is
happening inside (i.e. no transparency)

I am therefore of the opinion that the only viable _technical_ solution to
Prism has to be

a. Completely decentralized

b. Fully (end-to-end) encrypted

c. Open source

If our communication tools were decentralized, encrypted and open source, then
the NSA would have had a much harder job listening in. What needs to happen is
that we need to build those systems, and basically divorce Facebook the
company from Facebook the tool.

We need to change the playing field, and remove the capability to listen in on
our communications. The internet is an amazing tool, but it's still in its
infancy. It could very well be that, decades from now, we will look back at
this period and wonder how it was even possible that the NSA was listening in
on every single person in the world. We're not there yet, but it's not
impossible.

~~~
bigiain
That's mostly true - but in the Facebook example (and Twitter, and to a much
lesser extent gmail and Skype) - the whole purpose of using the service for
most people is to be at least partially "public". Facebook wouldn't work if
every message was encrypted - at least not unless it was encrypted in such a
way that a large number of nodes on your social graph can all decrypt them. If
my ~250 Facebook friends or ~500 Twitter followers can't read what I write
there, the services would be useless. I'd _prefer_ the marketers and the NSA
didn't also have access to my personal and professional interactions on
Twitter/Facebook, but they're fundamentally "public". (I know there's
"privacy" control for both services, but they only cut things down from
"everybody sees what I post" to "all or perhaps just some of my contacts see
what I post", not actually "private")

And the fundamental problem is, out of those 500 or 600 "contacts" I've got on
Twitter/Facebook, I've got maybe 2 dozen PGP keys matching them. By far the
greatest portion of any email I send is going to have to arrive in
friends/colleages/clients mailboxes as cleartext, and I strongly suspect there
are people who's PGP keys I do have, who'll decrypt mail I send them and store
the cleartext somewhere vulnerable to NSA snooping anyway. Same with just
about every other "technical solution", until everybody has properly managed
and secured keypairs - most communication is going to have weakest-link
vulnerabilities that are trivially defeat-able to a "globally present network
embedded adversary". Having said that, it's still worth doing, from the point
of view of increasing the level of difficulty for a ubiquiously surveilling
adversary. (with the probably downside of drawing attention to myself by
asserting my ethical "right to privacy", which is no doubt interpreted as
"doing something suspicious" by the opponent)

~~~
akie
You make two good points, but only the first one is structural. How do you
keep information secure if it's meant to be semi-public? That's a rather
fundamental question, and I don't have an answer to it. There must be a better
way than storing everything in plain text in a centralized database, though.

Just think about it: the current communication tools store all the world's
communication in plain text databases on American soil. No wonder the NSA
engineered access to it - it is a prize too good to be true. I think we can
and should at least try to change that.

Regarding the availability and use of PGP key pairs and related technology:
you're right. Almost no one uses them, save for security enthusiasts. They're
difficult to use, overly technical, make you feel like a paranoid conspiracy
theorist and are frankly a pain. Those are all issues that could be overcome,
though. There are no real, actual, structural reasons why good security has to
be difficult to use.

But what I'm really wondering about is the best way forward. Like I said, I
would strongly prefer a political solution, but I'm skeptical if that will
ever pan out. I've been mulling this for a while, and if we would really want
decentralized, encrypted, open source means of communications, shouldn't we
take a structural approach to this?

~~~
bigiain
The Diaspora guys had some ideas – but they were either not good enough ideas
or too difficult to execute on to gain much traction, from what I can see.

It's an interesting question – who's going to fund writing the software that
effectively needs to replace Facebook while making it impossible to monetise
in the ways Facebook can?

(Random half-baked ideas: what about something built on top of BitTorrentSync?
A distributed encrypted file storage repo with sufficient storage/bandwidth on
every users machine to store many encrypted blobs, some of which are encrypted
using your public key. A client-side app that gives you a personal view of
that data showing only the stuff meant for you. Work backwards from there to a
Facebook or Twitter like service, with a whole bunch of strong crypto using
PGP keypairs and self-signed TLS certs authenticated with your social graph's
web of trust. It's almost certainly more difficult than that though - I feel
like like this guy: [http://xkcd.com/793/](http://xkcd.com/793/) – and we're
now back at the "everyone just needs a PGP keypair" showstopper…)

------
rtf1
I have seen more bad things happening from politics than from encryption.
Politics, in just about any nation, is the never ending cancer of "making
deals". The never-ending tit for tat, the compromise. We need NO compromise.
I'm in my 60's now, and have seen the internet been born. Actually I
contributed to that birth while working at Arpa. Privacy, no matter how I look
at it, is ABSOLUTE. Also for criminals, and yes, even for terrorists. Humans
have the natural expectation of privacy. That's probably difficult to absorb
for many reading this medium. Every human being has the ultimate right to be
in charge of his or her own mind. Politics conflicts with privacy, all the
time. Politics established the rule of law, and, did so by and at the
convenience of those with the loudest noise and the toughest axes. Since none
of us is capable, willing or able to put the politicians out of (our)
business, we can only find resolve in taking care ourselves, and thus deploy
encryption. And we do have good quality crypto. And it is even free. Can it be
broken? Over time, yes. But complexity, volume and speed can make that a
fairly long trajectory. Can it be broken by quantum-cryptanalysis? Probably
yes, but even that is more than 30 years away to be in infant stage. The real
problem is the endpoint security. Well, work on it, make it better, improve
it. Don't just stand there and accept God knows who to run away with YOUR
thoughts, ideas, inventions, preferences or problems. And by all means, please
do NOT think that government, any government, is the only one looking at your
data. There is an entire commercial world busy with your stuff without you
knowing about it. ---RTF PS: and yes, this is anonymous. My students would
probably scaffold that I'm a weakling :)

------
tsahyt
More Encryption is not the _final_ solution to the problem. I fully agree
here. However, encryption should be the default for all communication. It
provides a certain degree of privacy after all. Yes, there are weaknesses in
some of the tools used. That can always happen. As the technical crowd, we
should fix those weaknesses instead of screaming "encryption is useless".

I for one don't feel like making it easy for the NSA, a foreign agency in my
case, to spy on me. I owe it to my privacy to at least try and protect it.

The political change that is necessary is out of my reach in the case of
PRISM, as I am not from the US. I can only hope that the American public will
realize how bad this really is and act accordingly. After all, this is still a
democracy and it will be until all privacy has been taken away completely.

------
microcolonel
This silly defeatism is killing you guys.

Just use bloody SIP or any other cryptographically-sound protocol; maintain
trust with people and their personal endpoints, rather than companies which
are obviously under enormous state pressure(the threat of violence and
imprisonment, and the rape included with that, for life) to give up the
goodies.

We have other issues, including the pervasive use of proprietary software
trading convenience over the pragmatic requirement of not having industrial or
governmental espionage committed against you.

Intel is under grave pressure to inject these bugs into their CPUs, and even a
well-audited system such as OpenBSD is not modular enough to prevent remote
exploitation through network stacks(see the last two remote vulnerabilities),
but laziness leaves them on monolithic kernels.

Even if the systems worked correctly, proprietary firmware in PCIe devices
like network cards and graphics cards allows them to directly access memory on
the bus, generally with very little protection, and often enough with none at
all.

You guys are buying all of this crap, supporting the people who subjugate and
bend.

You paid them knowingly to do all of this crap(in addition to raping, killing,
and enslaving hundreds of millions or billions in other countries), and you
continue to today.

If you want this stuff to stop happening, you need to simply stop knowingly
supporting these things, and playing dumb when you learn the specifics.

------
qnr
This viewpoint became very popular recently and it strikes me as odd. Does the
author always leave his house unlocked because there is a law against theft?
"Your" nation state over which you presumably have some degree of political
control is absolutely not the only adversary. There are foreign states, there
are cybercrime gangs etc.

Also, while politics sometimes trumps cryptography, the opposite happens just
as often. All the police force is useless if they don't know where to point
their guns (see Silk Road)

~~~
tribaal
On top of that, increasing encryption definitely helps for _mass surveillance_
\- it's impractical to break all the keys for all the messages all the time.

Maybe they will still be able to spy on a select few individuals (just like
they can order a locksmith to open a safe, or just blowtorch through). But
then again, there are much cheaper and old school ways to spy on a select few
individuals

------
visarga
Encryption is not absolutely safe because it relies on trusting in who's at
the other end, but it surely is much better than using clear net. We can still
trust a few entities, right? We need to collectively scrutinize and make
informed guesses about who to trust.

At the moment I set up TOR and use Starpage.COM instead of Google. Auto-delete
cookies after closing the tabs and actively remove ads and tracking JS from
web pages with the help of a few browser extensions. It's not perfect, but
it's above average for the moment.

You know how we could become anonymous? Just pipe the traffic of 1000 people
through the same box, mix their searches and pages loaded in the same stream.
Then send them on the clear net - they can't trace back who requested what.
Hiding in the crowd, in plain sight.

~~~
koralatov
That's a good idea, but it falls down the first time someone in the crowd
starts downloading cp. Instead of having one, or a few, people being traced to
their IP and investigated for cp, you now have 1,000 people under suspicion.
You can protect users by ensuring that the box doesn't log _any_ information
about them, but then the box's admin is the one being held responsible.

~~~
ISL
'cp' above apparently means child porn.

I read it wondering 'If at first they come for cp, what about mv? rm?'

------
qwerta
> POLITICS, NOT ENCRYPTION, IS THE ANSWER

And how would author convince Russia or China not to spy? Or some people who
are not government at all? (terrorists, scam...). Also NSA lied several times
and said it would lie again.

Lets just treat it as any other security issue. Banning XSS in parliament is
ridiculous.

~~~
salmonellaeater
The difference is the country in which the hardware or the business resides
has many more tools for getting at private data. They can just hit you with a
wrench until you give up your secrets.

[http://xkcd.com/538/](http://xkcd.com/538/)

------
mtgx
I agree that if the privacy laws are strong, and anyone from any agency breaks
those laws, he should be severely punished. In such a society and such an
environment, you'd still be free to use services however you want.

Unfortunately, the current environment lets even the intelligence chief get
away with blatantly lying to Congress about who's he spying on and why. I
agree that a policy solution is definitely preferable in the long run, but for
now we should protect ourselves however we can, until we get to turn the
"surveillance state" into a "privacy state".

------
acqq
In general, the points are OK. Small detail which the author got wrong:
According to the now famous Prism slides, Skype was a part of that program
before it was sold to Microsoft. It seems that MSFT engineers didn't need to
change the architecture just for that feature.

That also proves that the end users can't assume that they can get any idea
when some company starts to be the part of such a program, even if now
everybody likes to feel smart and more secure in his abilities to spot the
difference: "look it was the architecture change."

------
Spooky23
I think the author is spot on, but not for the technical reasons given. As
individuals, we don't share a need or desire for the type of operational
discipline required to operate securely.

The US DoD/DISA publishes some of their documentation for how to operate iOS
devices that access unclassified DoD networks (google for "ios stig"). It's
inflexible -- no app store (except for internal, whitelisted app store), no
music/etc, no iMessage, etc. They have a need to operate that way because even
simple things like the physical location of personnel are potentially
meaningful to adversaries. They also have the budget to do so.

I think that you need to scale up your security measures to meet your _needs_.
If I were a political candidate running for a significant office, I'd demand a
level of operational discipline to ensure that communication with key people
was secure. Ditto if I were personally involved in some sort of extended
litigation for attorney-client email.

Beyond that, what's the point? I _could_ send pictures of my one-year old's
birthday party to my mom with GPG. But why? And how would I expect my mom to
handle that picture afterwards? Secrets (encrypted or not) are as strong as
their weakest link -- I think that we all learned that lesson in high school.

------
jingo
Inconvenient Fact #4 about Privacy:

The US government was already tracking every citizen's postal mail, and
storing a copy of the contents for potential later use, for many years before
networked computers, "email" and the "world wide web".

Further, anyone working at a government security contractor could at their own
discretion inspect any such postal mail.

I would hope you're now thinking "Wait a second. That would be quite difficult
to do." Truthfully, I have no idea whether postal mail was tracked and stored;
I am only trying to make a point.

My point is that one reason we're seeing a mass scale dragnet now is because
_it is so easy to accomplish_.

phk seems to ignore this inconvenient fact.

I see no reason for him to try to persuade citizens to choose politics _over_
use of technology as a means to preserve their right to privacy. Why does his
frame of reference need to be binary: that it's either one or the other? Is
there a rationale for this?

Maybe citizens should pursue _both_?

If citizens routinely through their choice of technology make surveillance of
their communications _ridiculously easy_, then how will they be perceived when
they come forth and demand greater privacy? Who would take them seriously?

If citizens are to persuade their representatives that the privacy of their
communications is important to protect, then I would argue they must practice
what they advocate. They should not be communicating by megaphone. Or plain
text.

------
bhaak
Encryption is not the silver bullet, I agree with that.

All the points he makes are possible scenarios. After Snowden, almost nothing
that can be done seems unlikely to have been done. Heck, even the movie "The
Net" looks like prophecy come true now.

It's weird to think that encryption is not as secure as we all believed but it
still makes it more difficult for the Big Brother to watch over all of use.

In the end, encryption is only completely useless if each and every provider
reports to the government. It's a shame and disgrace for the western world
that we even assume that this could become a reality.

------
spellboots
> Several nation-states, most notably the United Kingdom, have enacted laws
> that allow the police to jail suspects until they reveal the cryptographic
> keys to unlock their computers. Such laws open a host of due process and
> civil rights issues that we do not need to dwell on here. For now it is
> enough to note that such laws can be enacted and enforced.

Doesn't steganography mitigate this issue if used properly?

------
nodefortytwo
The main issue is governments can't be trusted, a technical solution (which
may not be encryption) is that only option we have.

~~~
coldtea
When a government couldn't be trusted by the general population in the past,
you got revolution.

Or if it couldn't be trusted by a part of the population (e.g blacks) you got
civil rights activism.

Only a very lazy and apolitical society would say that technology is the only
recourse.

~~~
TeMPOraL
> * When a government couldn't be trusted by the general population in the
> past, you got revolution.*

To get a revolution the government would have to start to starve people. I
don't think there was any period in history of organized nation-states when
people trusted those in power.

> _Only a very lazy and apolitical society would say that technology is the
> only recourse._

Technology is a force multiplier. Moreover, technology shapes the environment
we live in. We can all see that groups of people behave like water. They do
what they have always done (i.e. move down the potential gradient). You can
try and do politics all you want, but this tend to be as pointless as arguing
with water to start flowing upstream. What you can do is to change the
potential gradient, and let the people achieve your goals by doing what they
were always doing.

That's why I think technological solutions _are_ important, and probably we
should focus mainly on them.

~~~
coldtea
> _To get a revolution the government would have to start to starve people._

That's like the naive marxist notion that it's all about the economy. People
have revolted without being starved and people have starved without revolting.
Culture, patriotism, hummiliation, religion, and tons of other factors come
into play.

> _Technology is a force multiplier._

Yes, and if the government is allowed to have 10 times the force of regular
citizens, then the government ends with 10 _multipler power using technology,
where the people with just 1_ multiplier. That's why technology is not a
solution.

> _Moreover, technology shapes the environment we live in. We can all see that
> groups of people behave like water. They do what they have always done_

The last 3000 years of history show great shifts of power, strikes, revolts,
changes in government and culture etc. And the 2400 of them (e.g 1600 AD and
before) are not even related with any great changes in technology.

Of course if people are convinced that they "behave like water", they will
behave like water.

But that's not what history shows they did (and do).

------
chmike
He made a point saying the privacy problem will not be solved with more
encryption. The problem is that there is no way to stop a terrorist plot or
illegal activity without the ability to know of it's existence.

The author says the solution can only be on the politics side, but frankly I
see a dilemma and don't see how to solve it.

The author makes an interresting parallel with the privacy loss we have at
work and we accept. But I know I accept it because there are rules and higher
authority that can punish abuse. The problem is that this doesn't exist with
states spying.

If there was an authority who could punish states who abuse the information
gathered for surveillance, then I beleive we could reconcile the need of
surveilance for collective security interest and trust in privacy.

We may need some more decades to reach such evolution stage.

------
DanBC
One worrying thing about more encryption is that there is a sudden flurry of
more bad encryption. Many products are trivially easy to break. (If I can
break them any idiot can break them.)

The combinations[1] mean that many people are not protected, and do not know
that they are not protected.

I think that I tend to avoid paranoia. But
([https://news.ycombinator.com/item?id=6132613](https://news.ycombinator.com/item?id=6132613))
and the Debian rng bug
([https://www.schneier.com/blog/archives/2008/05/random_number...](https://www.schneier.com/blog/archives/2008/05/random_number_b.html))
are scary.

[1] Good products used carefully; good products used carelessly; bad products
used carefully; bad products used carelessly.

------
Millennium
The point of ubiquitous encryption isn't to make all communications
unbreakable. That would be nice, but it's not a practical goal.

But it doesn't have to be unbreakable, either. It only has to be more of a
hassle than getting a warrant.

------
skylan_q
What a bunch of establishment hacks... technological workarounds to political
problems _is_ politics. The current regime put this here, they're not going to
remove it because we ask politely. That's a childish hope.

------
yalogin
Politics is the answer yes in an ideal world. But politics does not scale,
encryption does. What I mean is its very tough for just one country to respect
privacy in their laws. So if we want the world to do so will be impractical.

------
thufry
This author reaches pretty far. The NSA paid Microsoft to acquire Skype? You
can't just materialize multiple billions of dollars on a public company's
income statement.

~~~
RyanZAG
You can indeed. The figures are very large and you cannot view item level
detail in the financials, only general concepts. The NSA may be propping up
the Azure division or one of countless others through backroom deals over this
type of thing.

~~~
silvestrov
In addition to selling extra-high priced items to NSA/Military/Government, the
Government could allow the company tax breaks it wouldn't get otherwise.

Tax rules for a company of the size of Microsoft are not simple. It's not
impossible to hide stuff.

------
andrewcooke
i realise that this doesn't affect the main point of the article, but the
example on non-random symmetric keys in https is wrong, isn't it? the key is
chosen by the client, not the server.
[http://stackoverflow.com/questions/3936071/how-does-
browser-...](http://stackoverflow.com/questions/3936071/how-does-browser-
generate-symmetric-key-during-ssl-handshake)

------
a3n
"The only surefire way to gain back our privacy is also the least likely: the
citizens of all nation- states must empower politicians who will defund and
dismantle the espionage machinery and instead rely on international
cooperation to expose and prevent terrorist activity."

~~~
skylan_q
The most surefire way isn't in trusting those who betrayed the trust. It's in
making their efforts to spy on us futile.

~~~
coldtea
TFA just explained why this is not a "surefire" way.

Not to mention that the last 40 years not much progress has been made in this
direction (if any).

Also: the other proposition also helps putting a better government in place.
The "technological" solution, even if it worked, it would only solve the very
specific problem of privacy. Not the much more important problem of a
government that betrayed the trust of the people.

~~~
skylan_q
_Not the much more important problem of a government that betrayed the trust
of the people._

We've built a system that makes sure liars and demagogues get into office.
Until people are on board with putting an end to such a system of elections,
the only way to change the political landscape will be to circumvent it.

------
rurounijones
More encryption is not the best solution I agree.

However, given the situation, it is the only one available to us.

------
gillianseed
I think the obvious answer is: both

------
erikb
In general I agree, but I think encryption is still also an answer. You
"simply" need to reduce the number of people you trust in, i.e. don't use
Skype, write your own chat program.

------
Zigurd
This is an easy argument to reject. It is a false dichotomy.

The answer involves more encryption. We need it, anyway, to secure us against
crooks.

But we also need to control governments. We need to do both.

------
jingo
He has a conspiracy theory about Ebay's purchase of Skype.

