Hacker News
Wikimedia v. NSA: Wikimedia Foundation files suit against NSA (wikimedia.org)
585 points by davidgerard on March 10, 2015 | 130 comments



I have some sympathy for our fellow hackers who work as contractors or in big companies, many of them with security clearance. Database engineers, software developers, data experts - the five eyes intelligence agencies directly and indirectly fund many of you readers of HN.

They might be becoming increasingly disillusioned with their chosen life and/or unable to change course. Perhaps the money is too good, perhaps their contracts too restrictive. They might have inside knowledge and believe that the NSA is in the right, but they would not be able to voice that belief to us, their friends and colleagues. Unable or unwilling to change course if they believe their country is in the wrong and unable or unwilling to speak up in defence if they think it is in the right. I'd certainly like to talk (in private) to those I knew who at the start of the Snowden affair openly said that he was a traitor and hear what they now think.


Why sympathize with them? They either decided in bad faith that working on an interesting problem was more important to them than acting ethically, or they are saying "I'm just doing my job" also in bad faith. These philosophical decisions are simply malicious relative to the rest of us.

There is also the possibility that they have been deluded by nationalism or propaganda in order to believe that a panopticon is acceptable in a democracy, but there isn't much we can do to help these people connect the dots between the panopticon they are helping to build and Orwellian thoughtcrime-- we simply don't have access to them that we could use to be persuasive, as you mentioned. I think this population of people is actually pretty large among the government contractors.

Finally, though you are correct that NSA employees would probably mention this, for the purposes of agencies operating in the public interest in a democracy, the concept of "insider knowledge" is not permissible. I say this not to suggest that we make all the operations of our clandestine groups transparent, but rather to suggest that the complete ignorance the American public has found itself to be in is a byproduct of intentional grooming along the lines of "national security secrets" which really are intentionally crafted backdoors to the process of informed democracy. The citizens not involved in agency day-to-day have a firm need to know the methods and rationales used, and they need to have direct and powerful oversight.

We don't have any of these things, currently.


Why sympathize with them? Because you would undoubtedly appreciate me second-guessing decisions you made in complex, nuanced situations to which I was not a party, just as much as they likely appreciate the way you've reduced their dilemma to a ridiculously over-simplified, cut-and-dry model of reality that is no more fair than it is accurate. That's why. Don't excoriate these people based on your assumptions.

Do we currently have the ideal balance between the need to protect our citizens and national interests, and the need to protect the rights of our citizens that our Constitution guarantees? Hell no, we obviously don't have it. Is that something most NSA employees have control over? No. You may be the one who is deluded if you think someone can just raise their hand at the NSA and say, what?, "I think we should re-think how we're doing business, because we might be infringing on the rights of everyday Americans." It's a bureaucracy. To address these issues, we need to be suggesting solutions instead of perpetually yelling at each other like opposing fans at a football game.

I don't want to live in a panopticon anymore than you do. My point is that we don't live in a perfect world, and that none of us are perfect (I hold myself up as a prime example). We need to recognize the difficult situation we've put the people who serve our country through the intelligence community; we've asked them to protect us from our enemies, but we expect them to accomplish their mission without encroaching on our privacy or violating our rights. And WE SHOULD expect them to do both; that's the nature of the job. I'm just pointing out that we should recognize and acknowledge the position this puts them in and stop demonizing them. It's counter-productive at best.

I do not accept that all of the communications of every American must be surveilled and stored in order to accomplish the mission. We need to find the right balance between security and citizens' rights. But that's not something that can be accomplished by software engineers at the NSA, nor even by the head of the NSA. We need to elect political leaders who we trust to work towards finding that balance. And we need to recognize that not only will it be an uphill battle, but a long one: we will always struggle to find the right balance between privacy and security. It's been going on since the Declaration of Independence, and I'd bet my money it'll still be going on at the quincentennial.


>I don't want to live in a panopticon anymore than you do.

Probably best to stop showing up to work at the panopticon then, you know, if you actually believe what you write. Lots of scientists fled Nazi Germany, the Manhattan project may not have happened without such people leaving.

Now lawyers argue about 'law' and due process and separation of powers yet the US government lies, spies, tortures, and murders without conscience.


I have no problem voicing my beliefs publicly. I'm always more than willing to explain the policies of the NSA, and happy to denounce the actions of Edward Snowden. I don't think he was a traitor, by definition, but what he did was wrong. It isn't necessary to divulge confidential information, the situation is pretty clear. I don't see any point in re-litigating the whole thing on this particular thread though, it would be off topic.

I just wanted to say that people who support the NSA aren't hiding in fear. Only a small minority of people who work for the government, directly or as contractors, are ashamed of their employer or having a crisis of conscience. In general, nothing polarizes people and brings them together like an external threat. If everyone is shouting that you're bad, the most basic human instinct is to shout back even louder.

This whole thing has been a delight for management in the intelligence services. Some employees and contractors are much more motivated now. And many of those who support Snowden are still indifferent about the issues that he raised. It's either "go team!" or "eh, a job's a job." Only a minority are racked with self-doubt because of what's being posted about their employer on hackernews and reddit. Most will gladly tell you what they think, openly or in private, with no fear of criticism or backlash.


Not surprised. We heard the exact same reaction from Wall Street after 2008.


So is that essentially to say you agree with surveillance of citizens, without warrant or probable cause?


It's ok because:

- only the "good guys" do it

- No one ever abuses it.

- Even if someone abuses it they would never just get a slap on the wrist (maybe just fired, and security clearance revoked) rather than criminal charges.

- The disincentive for abuse is "patriotism" and no one has ever decided not to be a "patriot"... ever.

- Absolutely zero people in government seek out power, or have weird ideas about controlling what other people can do or think.

- No one in the intelligence "community" would ever abuse surveillance to (e.g.) blackmail politicians for funding/votes/more power. Because every single one of them always makes 100% perfect moral choices.

- It's only used for "threats to national security"... except when it isn't, but winning the "War on Drugs"/spying on animal rights activists/making sure US companies win bids for foreign contracts/making sure that the correct politicians are re-elected really all fall under the umbrella of "National Security" if you think about it...

/s


Don't you think that your observations could be naturally distorted by survivorship bias? I mean, it would be very hard for people to have a conflict between beliefs and their job duties for a prolonged time; something gotta give. Those who stay, change their beliefs (or articulate their loyalty at least to themselves and, perhaps, become "more motivated" as you describe) and those who keep their beliefs just quit and you no longer see them around.


So we live in a country where members of the government can brazenly talk about how they conspired to commit felonies against citizens with no fear of criticism or backlash. Great.


> I just wanted to say that people who support the NSA aren't hiding in fear.

Unfortunately, that doesn't appear to be backed by evidence. Every single lawsuit challenging mass surveillance has been resisted by the Executive on the basis of state secrets and lack of standing. The Executive is using a judicial tactic to avoid having to answer the question of whether these programs are constitutional. When that question is asked, it usually ends in the programs being illegal[1][2][3].

So if you're not afraid, would you mind answering some questions? One of the biggest problems I have right now is that your side simply stonewalls or deflects core questions thrown by my side. I would love to be convinced that what you're doing is right.

1) How are broad secret court[4] and non-court[5] orders constitutional? The 4th Amendment appears to only allow targeted warrants, so from where does the government draw this broad surveillance power? So far, the only legal defense has been invoking the state secrets privilege[6], which prevents the core question from being addressed.

2) How is the DEA's parallel construction program[7] constitutional? This seems as if the DEA is not allowing a fair trial by withholding evidence from the defendant.

3) If you think the above are unconstitutional, why should they be allowed to exist? How can the rule of law persist with unclear or secret exceptions? Are there things that are more important than the rule of law? What possible impacts does this prioritization have?

I thought we should strive to live under a rule-of-law, and I feel like the Executive and their workers (including you) don't mind having a rule-of-man system. Please convince me otherwise.

[1]: http://arstechnica.com/tech-policy/2014/12/cops-illegally-na...

[2]: https://en.wikipedia.org/wiki/Kyllo_v._United_States

[3]: http://www.nytimes.com/2015/02/07/world/europe/electronic-su...

[4]: https://www.eff.org/deeplinks/2013/06/what-we-need-to-know-a...

[5]: https://www.eff.org/issues/national-security-letters

[6]: https://www.eff.org/nsa-spying/state-secrets-privilege

[7]: https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intel...


I think you're focusing on the wrong thing. It doesn't really matter if it's legal or constitutional, because if it's not then they'll change the laws or reinterpret them in a new way or write a new Patriot Act.

What we should focus on is whether a government should be allowed to operate in secrecy, without any public oversight or knowledge, and whether the government can be morally justified in surveilling citizens without probable cause.


"What we should focus on is whether a government should be allowed to operate in secrecy, without any public oversight or knowledge, and whether the government can be morally justified in surveilling citizens without probable cause."

Actually, it is the problem for precisely that reason. What it boils down to is the Rule of Law. If the people at the top can do anything they want and never face any sort of prosecution, it not only sets precedent for the rest of the big wigs to act the same way (banking crisis anyone?) but it also reveals the farce in a more public way than has been true in the past.

The rule of law has never been perfect, and certainly so in America, but I feel like before the internet only the most egregious violations came to light, whereas now the farcical nature of the system is being revealed across the board. When there is an undermining of the rule of law, people will begin to completely disrespect it, and society will actually become more lawless (in the sense that people break laws willingly).

This is beyond the three felonies a day rhetoric. I think the inner city is a perfect microcosm of this.

Clapper lied to congress bluntly. He should be facing prosecution. Why isn't he? Because DOJ or whatever DA doesn't have the balls. Why don't they have the balls? Good ol boy system? Corruption? Blackmail? (you know NSA has the dirt on the entire SCOTUS and DOJ) Take your pick, the point is that the branches of government are compromised. (including the fourth estate).

If you want things to change, the very first thing that we need to do is prosecute and jail those who are undermining the Constitution and doing so in blatantly illegal ways.

Without justice there can be no peace.


Really the problem is the people we are electing. The voting public has the effectiveness of their vote diminished by a forced two party system and lack of campaign reform. We also have a large voting base that are single issue voters and don't care about anything except a single social issue like reproductive rights or marriage equality. Getting the right people in office would solve this problem but Americans aren't informed or interested enough to make this happen.


It matters to me, at least, that the law be followed as written. Rule by whim and secret dictate does not seem like a good system of government.


It matters to me too, but it's not the root of the problem.


What if the law says that secret courts can decide using secret proceedings?


> What if the law says that secret courts can decide using secret proceedings?

Then at least it's on the books as a choice our society has made. OP's issue is there's currently no clear legal chain of certain programs back to a democratic decision.


The FISA courts have been authorized by an Act of Congress. That's what the checks and balances are for, though, and the courts can overturn it.

I wonder if the system will stand up though. The addiction to big data is strong once tasted, and spy agencies actually enjoy getting away with stuff.


>Then at least it's on the books as a choice our society has made.

A handful of elites handing responsibility to a handful of FISA judges in closed/secret court is far, far from a choice "society" has made.

From the norms and practices of the USG, I imagine almost everything the NSA does is perfectly legal. SCOTUS will respect the Executive in terms of its state secrets argument and Congress's leadership in handing responsibility for managing these things to FISA will also be deemed lawful.


> 1) How are broad secret court[4] and non-court[5] orders constitutional?

There are two broad concepts these rest on.

First, is that many of the NSA's activities do not require court oversight in the first place, because they rest on the executive's broad powers in foreign affairs. By and large, the Constitution does not apply on foreign soil, and so the NSA does not need a court order to spy on e.g. Angela Merkel. The crucial thing to understand about the FISA Court is that it's not an attempt to take something that previously required a warrant from a regular court and make it a secret proceeding. That would be unconstitutional. Instead, it's an attempt to take a process that Constitutionally requires no court oversight and inject some court oversight to ensure that the NSA stays within its foreign mission.

The second broad principle is Smith v. Maryland plus the broad subpoena power. Smith v. Maryland says that information you put in the hands of a third party is not protected by the 4th amendment. The subpoena power says that you can always be compelled to turn over information pursuant to a valid investigation. The subpoena power is very old. It predates the Constitution by hundreds of years.

The anti-NSA side generally misunderstands the context of the 4th and 5th amendments. The background rule is that the government is entitled to evidence relevant to an investigation. Heck, even private litigants are so entitled. If you're suing a company, you can serve a subpoena on a third party obligating them to turn over documents relevant to the lawsuit. The 4th and 5th amendments are exceptions to those broad powers. And in an age where everyone's information is floating around in the "cloud" where third parties have access to it, Smith v. Maryland gives the NSA a very wide latitude in which they can operate and still in good faith say their programs are legal.


Thanks for the reply! Just so I understand, the third party doctrine and pen register precedents are what these programs rely on? If so, why haven't they been defended on such grounds?

The EFF, ACLU, and now Wikipedia have a whole bunch of lawyers who strongly disagree with your assessment, but they have been unable to argue these points in an adversarial court because the Executive has resisted even addressing the question. If the Executive's opinions are backed in strong legal precedent, it would save everyone a whole lot of time if they just got to those points.


I absolutely agree that they should let a court decide what the law is.


As usual, rayiner has answered these questions better than I can. Here is my take anyway:

1) The short version is that there is a difference between collecting information and looking at it. The NSA doesn't look at or act upon any metadata it collects without first obtaining a warrant from a judge. It just sits there on a server until government lawyers can convince a judge that evidence shows that the data is relevant to a time sensitive security matter. You may not personally believe the government when they say that, or trust that they will always get a warrant to look at information that's already in their possession. But, that's the process. As of right now, the judicial system takes them at their word. That's why the 4th amendment isn't being violated. They still need a warrant.

2) Evidence collected via parallel construction is not withheld from the defendant, just the method of obtaining it. If the DEA says "We have a tape of the accused discussing drug trafficking", the defense will be notified of that tape's existence during discovery and will be able to hear it and prepare for it before trial. It's just that the DEA won't have to say exactly how they got the tape, so as not to reveal the full extent of surveillance programs. This may or may not be an unfair advantage for the prosecution, depending on the details of the case. That's why we have judges, who are in fact specialists at deciding what's fair or not fair to present as evidence during a trial.

3) The Executive, Legislative and Judicial branches of government have all weighed in on these programs and approved them in some form. That's the bottom line. You may disagree vehemently with their judgement, but this is how the American system of government works. If all three branches of the government agree that something is legal, then it's legal. Everyone is allowed to interpret the language of the constitution in their own way, but that has nothing to do with the rule of law. If you have a different interpretation than the government, vote as many of them out of office as you can and encourage others to do so as well.

I don't agree with you, but I fully support your use of the democratic process to change public policy to suit your beliefs.


First, thanks very much for replying. This is the first time I've been able to get direct answers to these questions. I really appreciate that you took the time to reply.

That being said, we do seem to have a significantly different interpretation of the Fourth and Sixth Amendments. Hooray! We've identified a big root cause of our disagreement! It's a start.

Additionally, I do not agree that the Legislative has been sufficiently informed of mass surveillance programs, and sometimes they have even been knowingly misinformed[1][2][3].

Finally, I do not agree that the Judiciary have signed off on these programs. For the public-facing Judiciary, they haven't even been able to get to the point where they can address the legality of these programs because the Executive have always blocked with standing and state secrets claims[4][5][6]. For the secret Judiciary, it seems that the Executive has also misled them[7][8]. Also, these courts are not adversarial, which opens them up to severe bias and capture[9][10].

Thanks again for your response. Would you mind giving some citations to support your positions? I've tried to cite evidence for all of my positions.

Normally, the next step is to try to think of a set of criteria that would settle the differences. Here's mine:

1. The Supreme Court rules that mass collection of domestic information by the Executive does not require a warrant (thus confirming your interpretation of the Fourth Amendment).

2. The Supreme Court rules that parallel construction is constitutional (thus confirming your interpretation of the Sixth Amendment).

What are yours? What criteria would change your position?

[1]: http://www.forbes.com/sites/andygreenberg/2013/06/06/watch-t...

[2]: http://www.theguardian.com/commentisfree/2013/aug/04/congres...

[3]: http://www.usatoday.com/story/news/nation/2014/01/14/sanders...

[4]: https://www.eff.org/deeplinks/2013/02/supreme-court-dismisse...

[5]: https://en.wikipedia.org/wiki/American_Civil_Liberties_Union...

[6]: http://arstechnica.com/tech-policy/2015/02/fbi-really-doesnt...

[7]: https://www.techdirt.com/articles/20130821/16331524274/decla...

[8]: http://www.slate.com/blogs/future_tense/2013/06/17/governmen...

[9]: http://www.theguardian.com/world/2013/jun/20/fisa-court-nsa-...

[10]: http://www.washingtonpost.com/2014/07/05/8139adf8-045a-11e4-...


Marbury v Madison says that the Supreme Court has the final authority to interpret the Constitution. Whatever they say about the Fourth and Sixth Amendments is the law of the land. I might change my mind based on the actual arguments used and the logic in the written decisions, rather than the ruling itself. It seems like you would be open to change as well, which is indeed a good sign.

rayiner is the one to go to for citations and case law. If you think that something in particular that I've said is factually incorrect, then I will gladly stand corrected. After going through your citations, there seems to be a lot of differing opinion and blame shifting regarding who said what and when. I'm not surprised that politicians and judges would say "The NSA never told me about X or Y" if the programs appear to be unpopular. If the Legislative branch is really unhappy with the NSA, they can propose a budget that cuts their funding. The Executive can threaten to veto a budget unless NSA funding is reduced. The Supreme Court can take up any number of cases, including Wikimedia's, at any time.

I'm glad that we were able to exchange ideas, but the decision is ultimately up to the political process. We'll see how it turns out.


1) I see nothing in the constitution that requires all court business to be done in public. The sixth grants a person the right to a public trial. As far as I know the secret court has never held trials, they have only granted warrants and other bits of due process that are not required to be public.

2) Seems to be a clear violation of the sixth amendment to me.

3) You seem to be a little too black and white to me. It is possible to think that they have done the wrong thing in some cases and need to be brought back in to line but not think that we need to completely destroy the government's ability to function.


> I don't see any point in re-litigating the whole thing on this particular thread though, it would be off topic.

Would you care to litigate it somewhere else?


>> If everyone is shouting that you're bad, the most basic human instinct is to shout back even louder.

Citation needed. Even if this is the case, then it is lucky that we developed cognitive tools that allow us to reflect on our actions and try to comprehend why those people are shouting at us in a civilised society.


Well this is basically part of how you try to convince someone of your opinion. If you only shout "you are bad", you are going to get shouts back.

It's all about the way how to have a decent discussion. If you first acknowledge that the other party has some good points (for example, acknowledge the need for the government to acquire intelligence), and use that as a basis for further discussion, you have a much better chance to get rid of that instinct and have a reasonable discussion.

Right now, as we did/do with the people of Wall Street, it's a kind of "you are either with us, or against us" discussion. No good ever comes from that.


If it gets to the point where someone is hacking into my personal communications I no longer am interested in conversing with that person. Our differences are too fundamental for a conversation to be productive. My interests at this point are seeing that this person is stripped of power and brought to justice (the knowledgeable members of the NSA should be put in jail, just as any other group conspiring to commit a felony would be). No conversation is going to result in them agreeing that they should be stripped of power and jailed, so discussion is pointless.

The discussions I'm having are not with members of the NSA, they're with other people who might potentially be able to help at least prevent further criminal activity by the NSA.


> Right now, as we did/do with the people of Wall Street, it's a kind of "you are either with us, or against us" discussion. No good ever comes from that.

It also doesn't help that most anti-Wall Street rhetoric has much in common, either intentionally or unintentionally, with antisemitic dogwhistles.

Enough of Wall Street's population is Jewish that they recognize the dogwhistling and tune out.


I work in the solar industry, and utilities are increasingly losing talent to the solar industry (my co-founder is one of them). The main reason people are switching is because they see themselves as having a more successful career in the solar industry.

How can we make it so security talent has a better career working somewhere else? It could be multi-pronged. A combination of increasing private sector jobs and pay, decreasing public sector funding, and a healthy dose of public shaming might drain spying organizations of some more talent. Other thoughts?


> How can we make it so security talent has a better career working somewhere else? It could be multi-pronged. A combination of increasing private sector jobs and pay, decreasing public sector funding, and a healthy dose of public shaming might drain spying organizations of some more talent. Other thoughts?

You're never going to get open publishing / access to NSA research / infrastructure. So it's always going to be an interesting place to work.

Of the options, I think public shaming is the most viable. It's ridiculous IETF / IEEE / {insert org here} doesn't throw people out (to my knowledge?).


> They might have inside knowledge and believe that the NSA is in the right, but they would not be able to voice that belief to us, their friends and colleagues.

Given the way classified work is compartmentalized, I think any such belief would be either very narrow and heavily qualified or - more likely - mostly a matter of faith, emotion, and ego.

No grunt knows what all the grunts are doing.


Their opinions are bought and paid for. At current rates it's 75 Billion dollars a year.


If you would like to put words in my mouth, please at least put the right ones in there for me. Otherwise, I'll take that $75 billion you are referring to and let you say whatever you want on my behalf.

In all seriousness, you can support the Federal Government and still have constructive debates.

EDIT: My point is no person is getting $75 billion just to shut up and have their opinion swayed. Being loyal to the Federal Government does not bar you from using its processes to improve its processes.


His point is that the military industrial complex is a serious issue - it's not just the NSA. Even if we get rid of the NSA today, there's still going to be a billion dollar industry around making the world a nastier place to be.


Good luck. That $75 Billion is only going up. It stops when we can't afford it. Until then everyone can keep debating all they want.

This script has already played out in the sphere of Nuclear Disarmament.

The day I take the defense and intelligence communities' opinions seriously is the day they drastically change their goalposts. Spend the same amounts on world peace or just take the cash and prey on people's fear of the next ISIS or Boston bomber. Everybody knows what the easy choice is.


The EFF is surprisingly absent from this coalition. The other organizations listed as participating are:

The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, Pen American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and Washington Office on Latin America.

From: https://blog.wikimedia.org/2015/03/10/wikimedia-v-nsa/#cite_...


I'm guessing because they just got shot down on a similar challenge, which they will likely be appealing.

https://www.eff.org/deeplinks/2015/02/jewel-v-nsa-making-sen...


I wonder why they are not part of it? Maybe they are prepping to do something on their own.

I'd like to see the NSA under fire from many opponents rather than just one.


> Maybe they are prepping to do something on their own.

As listed above, it's probably because they're already in the middle of their own[0] (assuming that they will appeal, which I'd imagine is almost certain assuming they can fund it).

The EFF has been fighting this battle long before the Snowden revelations, so it's certainly not for lack of interest that they're not a claimant in the Wikimedia case.

[0] https://www.eff.org/deeplinks/2015/02/jewel-v-nsa-making-sen...


I am a Wikipedian, a contributor of free content to Wikipedia. (I contribute in Chinese, in German, and in some other languages too.) I read the Wikimedia Foundation blog kindly submitted here by an early Wikipedian and read all the comments here posted before mine before writing this reply. In the last two weeks, I've renewed acquaintance with quite a few local Wikipedians at two Wikipedia Edit-a-Thons that occurred in my town.

I see the Wikimedia Foundation has a rationale for its suit based partly on United States law. It writes, "Our aim in filing this suit is to end this mass surveillance program in order to protect the rights of our users around the world." Because I edit Wikipedia in languages other than English, crucially including Chinese, I am painfully aware that there are a lot of restrictions of the rights of users of Wikipedia all over the world, evidently some of them not within the reach of the United States legal system. There seems to be no prospect, for example, of the Wikimedia Foundation suing the Russian or Chinese central governments (not even to mention North Korea's regime or the ISIS self-styled regime) to protect the rights of users of Wikipedia. That's too bad. If the NSA surveillance programs ceased later today, there would still be a lot of places around the world where Wikipedia would be inaccessible or Wikipedia users would be harassed by agents of other governments.


In German law, there is the principle of "Es gibt keine Gleichheit im Unrecht" which means that it is not admissible to break the law if some other person does it.

The land of the free should be ashamed of its mass surveillance no matter what. Even if Russia and China and whatnot continue to do it. And, the USA has much more grip on critical internet infrastructure. Therefore it makes a difference if they care.


Well put. Another comment ITT[0] also pointed out the global surveillance arms race and the futility of pressuring the US to unilaterally disarm. This is particularly true in light of the many legitimate global threats to freedom mentioned in your comment.

Knowing how unpopular this opinion is here, I still feel the need to share... Lawsuits like these strike me as either incredibly naive or a cynical public relations stunt. I don't enjoy my donations supporting either kind of effort and unfortunately, will likely cease future contributions.

The NSA does not surveil domestic communications without a court ordered warrant and I have heard no arguments to convince me that this is not a legitimate use of authority. If there was a single change to the NSA that I could advocate, it would be stronger and harsher mandatory minimums for anyone found in violation of the existing prohibitions on domestic surveillance.

[0] https://news.ycombinator.com/item?id=9177073


> The NSA does not surveil domestic communications without a court ordered warrant and I have heard no arguments to convince me that this is not a legitimate use of authority.

Oh what faith you have...

    <snowden> How are things over there?
    <poitras> I'm at the Guardian. They’re publishing TEMPORA today.
              They are very nervous about an injunction.
    <snowden> The NSA love that program.
    <poitras> Why?
    <snowden> Because they aren't allowed to do it in the US.
              The UK lets us query it all day long.


Precedent is a powerful thing.

I wouldn't give up hope yet, for the anti-surveillance movement.


The solution should be technical: You don't want the NSA to read your communications: encrypt them (eg: HTTPS everywhere, encryption built-in everywhere). And that's us, builders of technologies, that need to make that happen.

Basically securing against the NSA is the same as securing against hackers, it should be treated as a security threat like any other.


It's not one or the other, and the NSA has demonstrated that it will use all the resources at its disposal to circumvent any technical protection.

The NSA also holds a trump card: the law and the US government. I assume at some point that Congress will pass laws, or the secret court will authorize, compelling every American company to essentially open itself to unfettered access and surveillance. US companies already are subject to NSLs, and the Law of Boiling Frogs suggests that it's only a matter of time until surveillance is openly and explicitly compulsory.

The only long term effective way to cut this off is to cut off the NSA's budget and scale back their efforts. But I also believe that will not happen until the first ski resort opens in hell.

We're burning our own village to save it.


This is why I am increasingly convinced that GPL(v3) is going to become a bastion of hope for privacy. The major problem is that companies want to make money off the software, close it up and proprietize it, and then the gov comes along with a NSL or blackbox or other compromise and backdoors/weakens the system, and all of a sudden all the customers of the company are vulnerable. FOSS and in particular GPL, is the way around this. Software companies should be selling support, not the software (IMHO).


Software can always be disassembled. I'm much more concerned about proprietary firmware and hardware backdoors. You should be too. Another thing also, is that the NSA have been shown to be weakening crypto standards like RNGs and, possibly, ECC. The problem with this is other standards like TLS and such ultimately use this infrastructure and that affects all software, FOSS included.


I agree with you about firmware, but you will notice a very important overlap between the firmware and the software sectors here, in that it tends to be true that you end up with closed software to match the closed hardware (cellphone radio modems having DMA to the same address space as the CPU all under proprietary firmware and software blobs is a good example). I very much agree that we need open hardware, but it doesn't seem to be much of a priority for any of the big players that I am aware of.

Regarding the weakening of crypto standards, this is why I think everyone is wrong when they tell you not to roll your own. Even William Binney (NSA whistleblower) has been saying so recently.


The technical solution cannot solve all problems. Wikimedia plans to activate HTTPS per default for all users: http://blog.wikimedia.org/2013/08/01/future-https-wikimedia-...

One of the problems is that certain countries block HTTPS (e.g. China), should Wikimedia effectively block all Chinese users from free knowledge that Wikimedia aims to provide? https://en.wikipedia.org/wiki/Censorship_of_Wikipedia


Thanks for the link, very interesting that it's a technical limitation for them to not enable HTTPS.

About China, maybe only the IPs from China can use HTTP, maybe only zh.wikipedia.org can use HTTP, ...

I think legal solutions are just temporary fixes, technical ones fix the root of the problem in a more generic way.


I agree that the technical solution is the most important one, but it is a) not a solution we have ready right now, and b) one that will never be 100% effective.

HTTPS everywhere is a good start, but it does a poor job of defending against the NSA. Certificate authorities are fundamentally broken and users don't have the background knowledge to understand certs or why they are necessary.

Even technical people don't understand this. The last time I saw a post about certificate authorities on Hacker News, the top comment was about how most people don't want authentication, they just want encryption. You can't have encryption without authentication: unauthenticated encryption is fundamentally broken. But the user who posted the comment was ignorant of this, and enough other people were ignorant of this that they upvoted his comment to the top.

The solutions proposed also don't address the problem that popular centralized services are bound to be compromised. Even if you're sure you're connecting to Google or Facebook services over a secure connection, Google and Facebook are such high-value targets that they will be compromised by an entity with as much money as the NSA. The defense against this is also technical, but it requires a fundamental shift from centralized to decentralized technologies, and I don't think that's easy or at all ready.

> Basically securing against the NSA is the same as securing against hackers, it should be treated as a security threat like any other.

This drastically understates the attacking power of the NSA.


The problem is how to have fundamental security. We already know or highly suspect the US Fed has backdoors at the hardware level. We cannot see the designs of our hardware because they are proprietary, so we cannot trust them. We start at a disadvantage.

Even discounting that, you cannot trust your firmware, because very few people are running libreboot or equivalently free firmware. Again, backdoors galore for state agencies.

But you solve those and then you need to trust your operating system. Firstly, the vast majority of people use proprietary operating systems. Secondly, even if you use a free operating system (and I mean pathologically free like Trisquel or Parabola) you get a set of security keys included you are meant to be able to trust.

The problem is that the international governmental muscle and influence of the US Fed means it is unlikely you can protect any of these private keys. They are all held by sufficiently large organizations that the US can strongarm them into giving them up, without even resorting to immediate violence.

But I'd feel more comfortable trusting the Arch master keys or the Debian councils keys, because both organizations are multinational collaborations of individuals where the majority can blacklist a compromised member. It sure beats key management by one vulnerable company. So that might work.

It is like how people talk about all this security mumbo-jumbo but all it takes is five minutes with some brass knuckles to get you to spill every password you have ever made. With the knowledge we have and the technology at our disposal the best I can at least do is pray that my OTR conversations over XMPP are secure, given that I have tried to minimize my attack surface on all these fronts, but there is no one solution that I can say "this machine guarantees me my security" because how can I know that the proprietary firmware on my hard drive is not somehow circumventing my dm-crypt layer (it would need some kind of collaboration with the chipset, though, since the keys never touch the disk raw)? I certainly know I cannot trust any hardware encryption at the least, but I don't see anything stopping proprietary motherboards from caching the keys used during hardware SIMD encryption routines (most Intel cpus support hardware accelerated AES 128, for example) in some unseen ROM the user never touches so the NSA can crack the hard drive.


Offense and defense are asymmetric in computer security just as they are in physical security. Offense has the advantage since defense is a thin skin around complex entropy waiting to pop.

I think that the relevant essay is George Orwell, "You and the Atomic Bomb." Just as the 2nd amendment is obsolete due to modern military hardware, privacy is dead if an APT wants in.

Not that I know.


That is because you have framed offense and defense in that way. If a resourceful attacker's only goal in life is to get access to a particular file on your network connected laptop, the attacker will win. Generally this is not the case, the attacker often wants to:

1. remain undetected over a long period of time,
2. in the face of detection they wish to preserve their anonymity,
3. not be fooled by misinformation,
4. not reveal anything of greater value to them than the value of the file,
5. not open themselves up to reprisals.

This is much harder. While the defender doesn't win short term, a resourceful defender can make the costs to the attacker high enough that future attacks are deterred, the attacker loses, or even that the defender gains more from the attack than they lose. For instance Google in responding to Chinese penetrations via technical, economic, governmental and diplomatic avenues has increased Google's credible deterrence, punished some of the people responsible and increased Google's reputation in the realm of security.


Do you not remember the Prism program that really got the anti-NSA sentiment running? In that case, they weren't listening for communication. They were compelling private companies to hand it over.

If we go all HTTPS, the NSA will just step up its pressure. Because the warrants can come with gag orders, we'll never know who's giving our data up. Hardware makers, SSL providers, data carriers, and destination servers can all be compelled by the U.S. as long as we allow it to operate as a legitimate authority over our personal data.


Technological solutions can't fix the political problem of fascism. I agree that we need to make their life as hard as possible by protecting ourselves, but it isn't enough.

They're always going to have more resources until we rip up the roots they use-- government funding provided by a heavily-surveilled and terrified of blackmail political body.


There are two issues with this statement.

Firstly - you compare securing against the NSA to securing against "hackers". This massively underestimates the reach and resources of the NSA (or any nation-state actor). You can, to a point, keep out all but the most determined and skilled individuals. You almost certainly cannot keep out the NSA if they really want to target you. Even a physical airgap may not be enough (see: stuxnet).

Your example mentioned HTTPS specifically - how does this help if they can force/compromise the host to give up their TLS keys and MiTM your connection?

Secondly - all this does is encrypt the contents of your communication - it doesn't hide who you are, it doesn't hide who you're talking to, and other metadata besides this (yes, I know metadata is at this point a painfully overused term - sadly I can't think of a good synonym right now). You significantly undervalue how important it is to hide this information from an adversary.

Right now, if a major nation state targets you specifically, you have almost no chance. You'd need perfect operational security to anonymise yourself, encryption that can't be broken by forcing a local entity to surrender the key, and to implement this every time without making a mistake. Some people have managed this, but not very many.

If you're just looking to avoid dragnet surveillance, you're in a bad place too. The information we have suggests that it's the metadata, not the content of the communications, that is stored - and very little of that is hidden by using HTTPS rather than HTTP.

None of that should suggest that HTTPS isn't worthwhile - it very much is. And there's little reason not to use HTTPS everywhere these days. But it won't on its own protect you very much from the NSA - that's why court cases like this are being raised (though I doubt it'll achieve anything in practice).


Ok, so the solution is technical. Let's say we already have super-strong, super-easy to use and implement crypto-systems.

All we have to do is convince people to use them, keeping in mind 95 percent of users use IMs such as Skype, Hangouts, iMessage, Whatsapp and Facebook Chat. Now all we have to do is get those companies to implement that encryption right? Oh wait, doing that for those companies would be illegal because the law wouldn't be on our side. Now what? Do we go back to convincing people to use obscure "darknet/used by criminals" tools that the government will do its best to denigrate? How much of a chance do you think we have to make those tools used by 80 percent of the population within 5-10 years?


There is no reason not to take the legal approach as well. Technologies take effect inside a society.


HTTP/2 could have mandated that it would only be used under an encrypted connection. It could have added opportunistic encryption.

The builders of technologies decided not to go that route. I wish they did, but we can't put all our eggs on the assumption that they will fix the situation for us.


TLS does nothing if the site owners hand over data.

Also, HTTP/2 is a horrible mess already. Encrypted channels should not be part of it. They are something separate and should be specified separately.


That's naive, because at some point, you have to trust the OS you're running and better yet, the hardware you're running on.


There are only two security levels, Mossad and non-Mossad. You cannot win against Mossad. Period. It may be exciting to talk about but you have no chance. Zero. HTTPS everywhere and encryption are only a tiny part of the threat surface.


I agree that we need encryption everywhere, although I think the current approach of implementing it in client software is not fit for purpose. You constantly see apps making mistakes in how they implement encryption that leave the user vulnerable. Because the data is encrypted it is very difficult to validate and monitor.


This is an important lawsuit which will cost a lot of money. I urge you to donate:

Wikimedia: http://m.wikimediafoundation.org/wiki/Ways_to_Give

ACLU: https://www.aclu.org/donate/join-renew-give


I miss groklaw. I wish PJ comes back online. That'll help us, the non-lawyers, especially outside the US, make sense of this lawsuit (besides others).


PJ stopped doing Groklaw out of disgust that the law was so deeply disrespected by the government. Perhaps when Snowden is elected President.


I miss Groklaw dearly but also understood there was a little more than disgust in play.


It wasn't simply a matter of disrespectful law, but of the risks posed to both her and her informants.

PJ also refused on principle (AFAIU) to use PGP or other encryption on the basis that those made her (and her informants) more likely to be surveilled. I don't agree with her reasoning on this point.

Still, it's a tremendous loss.


Despite what they say in the article, I really don't think they have standing. But I would love to hear why they do from someone familiar with the legal argument.


I thought that too at first. But the NYT op-ed does a better job of explaining.[1]

Basically, they think that the NSA has the ability to index anonymous readers with pages visited, and anonymous editors with pages changed. Then if the NSA is sending that data to a bunch of governments around the world (Egypt, Israel, the Five Eyes, whoever else), dissidents around the world are at risk of being caught for browsing/editing Wikipedia for the crime of being opposed to the government in power.

[1] http://www.nytimes.com/2015/03/10/opinion/stop-spying-on-wik...


I see. I thought it might be impossible for any U.S. entity to ever get standing in a lawsuit against the NSA, but this theory might have a fair shot.


"Then if the NSA"

That's a big IF and one that will be almost impossible to prove. I don't see how the case holds any merit if they can't prove this happens.


Seems like a hard battle for sure.


I've been thinking about surveillance lately and have come to the conclusion that it's simply here to stay.

I really doubt any legal action will change anything the NSA does. The future is digital, they cannot and will not step down while other countries, basically everyone that is capable to do it, will do it. It's such a big power factor that it cannot be ignored.

The arms race in cyberspace has begun long ago, and there's just no way it will simply stop.

All we can do is decide how we handle it personally and whom we trust to keep our data safe. And if we really need to create certain kinds of data in the first place (with many kinds we have no choice).


On NSA stories, the top HN comment is always "too bad. whatever. let the NSA do its thing." NO.

This is not about you. This is not about your data. This is about our society's collective ability to think and act for itself. Blanket acceptance of surveillance is a dangerous attitude and shockingly common.

Political efforts, technological efforts, societal changes are all required to keep democracy alive. And that's what's at stake here, not your personal files. Nobody cares if you can keep those safe - I want my democracy to be safe, please.


>This is not about you. This is not about your data. This is about our society's collective ability to think and act for itself. Blanket acceptance of surveillance is a dangerous attitude and shockingly common.

It's also about the future of our society, that which our children have to grow up in and deal with.

I don't know how we'll be able to turn to our children in the coming decades and tell them "the government is monitoring everything you say through voice and text on your phone, every keystroke you make on your tablet or computer, every purchase you make on your phone or through your card in this inevitably cashless society, every connection you make on a connected device, everywhere your devices check in, connect to GPS or triangulate... oh and every camera you see out and about is recording you and facial recognition software is tagging it as you" with the justification for their complete lack of privacy being "there were some guys in the middle east riding around in pickup trucks with AK47s so we needed this to protect us".

We're at a pivotal point now and it's very much up to us which way it goes. Our governments are supposed to serve us but instead we live in a society where we are very much ruled, where our rulers are the elite and their ruling mechanism is the complete charade of representative democracy.

We'll all be dead before it gets too bad, thankfully, but our apathy will condemn our children and their descendants to a life under tyranny which we ushered in through theatrical politics, fear mongering and a bizarrely held belief of There Is No Alternative.


I also imagine that the parent's mentality is one people only have after the fact. I imagine if you hypothetically described a US government with its current surveillance powers before Snowden's leaks, people would have said they wouldn't want such a thing. They would have said it was equivalent to 1984.

But after Snowden's leaks? It's simply something we have to accept.


well if you love democracy so much you need to recognize that the majority is against you on this point.


>well if you love democracy so much you need to recognize that the majority is against you on this point.

Amazing how quick some people are to dismiss already acknowledged issues:

https://en.wikipedia.org/wiki/Tyranny_of_the_majority

Amongst the anti-surveillance faction, I think that a major gripe is that the feedback loops put in place to prevent a tyranny of the majority situation are being subverted, if not in the letter of the law, then in the spirit of the law.

How can elected officials have an even discussion regarding state surveillance when imperfect information abounds, and they themselves are kept in the dark from what is actually happening? That is to say nothing about the general population having a more direct say on what their government does on their behalf.


Well as you're seeing with gay marriage bans being overturned, just because the majority want to strip the minority of their rights, they shouldn't be allowed to.


Then what you want is a republic or some system of anarchy, not a democracy.


The US is a republic.


I know that. It was a general point. In a pure democracy, 51% has complete power.

Also while the US is a formal republic, it does often emulate a democracy. Based on common beliefs the constitution is reinterpreted, or simply ignored. This has been well documented by legal scholars such as Richard Epstein.


>some system of anarchy

I don't think you quite understand the point of anarchy.


I don't think you have looked at history. Anarchy simply means no state, not no system of governance. You can still have laws and organisation.

We have historical examples of millions of people living this way.


> This is not about you. This is not about your data

Democracy means that your fellow citizens get a vote too. If you and those that agree with you can't craft a message that appeals to them and their day-to-day concerns, the grandparent comment will continue to be quite correct.


Just to be clear, there was never any kind of vote on any of these spying programs.

The citizens never asked for this intrusion and would likely have resisted if they had been, so it was executed in secret, and would have remained a complete secret if not for Snowden.

Nobody has even tried to "craft a message that appeals to the public" until AFTER the fact, when their overreach had been exposed.

A democracy generally works by citizens' issue A going to politicians B and being passed after debate to agency C which effects action D; in our situation currently the NSA has decided that it is in the best interest of itself to effect surveillance. It isn't democracy in action no matter how you attempt to spin it.


Which is why we have a Constitutionally limited system of democracy. The rights enumerated in the Bill of Rights are inviolable, even by a majority.

The suppression of the minority factions by the majority is always popular, which is exactly why the bill of rights exists.


  they cannot and will not step down while other
  countries, basically everyone that is capable
  to do it, will do it

It's true that even if the NSA stopped tapping undersea cables, that wouldn't stop China doing it.

But there are plenty of other things they could do. Instead of weakening encryption standards, they could work to strengthen them. Instead of trying to get software vendors to install backdoors, they could get them to use deterministic builds with release checksum transparency. Instead of developing hardware backdoors, they could develop inspection systems to find them.


Strengthening encryption standards strengthens the enemy too, at least this seems to be how they think.


It also prevents the enemy from hurting your economy. The United States has a lot more to lose from compromising information security than to gain from it. Before 9/11, most of the time the NSA would help make security better for the private sector. Now, the private sector is actively working against the NSA.


What enemy is that? Would it really be that horrible if everyone had access to strong encryption regardless of their beliefs?

With sufficient know-how and sophistication you can keep your messages private anyways no? If that's the case, then isn't it really just the average joe using off the shelf tech that's screwed?

Edit: That sounded combative, but it wasn't meant to be.


The "cyberwar" which you're undoubtedly referring to is one thing. Mass surveillance of the world's population is something else.

Yes, the future is digital. And yes, there will be dangers from several global parties. But why does the NSA choose to effectively weaken public communication by discovering and using security issues in known protocols instead of making sure those get fixed (if the NSA can find it, who's to say no one else can?).

With their proven effort to make everyone's communication interceptable (and effectively weakening crypto systems in all possible manners) they aren't protecting anyone, but instead putting US companies, US citizens and all global users of the web at an even higher risk.

I haven't even started on the effects on civil rights and freedom of speech of a global surveillance apparatus that is acting in secret and not under democratic control.

If it would be about an arms race, why not enforce secure crypto standards and help the industry in that regard? Clearly it's not about having more "cyber power" than China, North Korea and what have you. Instead, it's about having power on individuals, no matter where they're from.


I think there are parallels both in times and geography. In the west - Cold War / 60's Red Witch-hunts and in the east at roughly the same time - East Germany, KGB etc.

Different technologies, but the actions changed and were addressed via politics mainly. Technologies might be here to stay, but we shouldn't expect that the way we use them as societies stay the same.


There's no need to give up on the offensive tactic (legal action) because we will implement a defensive tactic (encryption). Inevitable or not, we can do both.


>> The future is digital, they cannot and will not step down while other countries, basically everyone that is capable to do it, will do it.

I can't disagree more. Just a few centuries ago slavery was not only ubiquitous but it was widely regarded as a god given right. Free man power was also a massive boost to economy but we abolished that just fine.

Naysayers will be proven wrong.


This article by Eleanor Saitta (Dymaxion) is excellent on this stuff:

"Ethics and Power in the Long War" https://noisysquare.com/ethics-and-power-in-the-long-war-ele...

You're right that stopping it politically is hard:

If you look at the historical record of surveillance structures, you have never, we’ve never seen a modern state without going through a revolution or something similar, roll back deployed and operational and technical capabilities.

You can though tweak the economic cost (and I'd guess that legal process is part of that, technical measures are too):

The economics of spying is the structure that controls whether or not spying is done. The notion of return of investment is very germane here. How much intelligence product are you going to get for a given investment. That is what determines which intelligence methods are used.


I can't understand how you can ignore for your personal analysis that the majority of people /disapprove/ of the current surveillance practices[1]. People on this thread keep alluding to the majority not caring, but even if there's apathy in actions, I'm optimistic that at least most people viscerally know it's not right.

[1]: http://www.welivesecurity.com/2013/10/29/survey-says-77-of-a...


If you think in terms of technology, most issues affecting average US citizens come from a somewhat "undeveloped" technology. If they had a better ML architecture and more computing capabilities, "average Joes" would more likely not be harassed.


People undoubtedly once felt the same about slavery, women's rights, child labor, the divine favor of kings.

Don't be an apologist for immorality just because it's accepted as the status quo. We can do better.


The problem is not that they can do it - the problem is attribution. The governments can do a lot of bad things, and it is not ethics that stop them.


Creative and alternative ways of realizing empathy for emotional-intelligence state security issues are at will of our ability to trust network.

That is more an issue of unflagging https://en.wikipedia.org/wiki/Wikipedia:Trust_network than worrying about who is the alpha agent. We can count fine against secret traumatic wars if we each log action, community action (with secure, stable, distributed tools like http://www.matrix.org/alpha and https://www.getaether.net), and begin to self-determine our social systems and safety issues.


As people become increasingly inured to the trickle of revelations, I do think that lawsuits are important. If Wikimedia doesn't have anything more than a logo on a slide, however, this will be tossed for lack of standing, like several cases before it.


I have a new idea for government lawyers, if anyone _does_ show lack of standing, claim that the evidence of harm is a state secret, try and jail them for spying before hearing the case, claim they must serve the first sentence before it will hear the original case.

My argument has many parallels with existing statements by the Supreme Court that lawyers representing terror suspects could they themselves be tried under the 'material support' law for simply filing paperwork with the state to clear their client.


This is great news. We need more powerful voices like these to really be heard.

Remember Wikipedia's blackout against SOPA!


wish I had more time to search for it right now, but is there a link where people can donate specifically for this cause? (if not a general donation will have to suffice)

please post if so


Not that I know of. But I do know that charities find tied donations a goddamn PITA - if you trust someone to do good work, just giving them the money for the general pool is the right thing in almost all cases.

But they do love to know what inspired a particular donation. So I would suggest dropping a few bucks to the ACLU and WMF's general contribution addresses, but including a note that this is why :-)


that does seem like a hassle - general fund makes sense


You can donate to WMF via http://donate.wikimedia.org/ [general donation]


I'll be interested to see how the rulings on standing go. That seems like the crux of the matter to me, because the issue is not just "was your name mentioned," but also "were you harmed?"

4th Amendment cases are usually litigated in the context of a criminal appeal; obviously a defendant is facing real jeopardy in a prosecution, and therefore has standing.

Civil lawsuits exist to make plaintiffs whole after suffering a harm. But the court might find that being surveilled, alone and by itself, is not harm. The court could say that nothing has been removed, destroyed, prevented, or altered in Wikimedia's servers, so they have no harm to make whole.

The court could say that merely copying data does no harm to the original data creator or holder. (This argument might sound familiar here on HN, as it is sometimes used to argue that file sharing does no legal harm to publishers.)


Is no one targeting the 12333 Executive Order? Isn't that the one that causes the most mass spying abuses? It's great to see the FISA "warrants" targeted as well, as most just seem to look at the Patriot Act's 215 section, but I think they should look at the 12333 EO, too.


Almost all of our communication protocols and technologies are built on trust on those who run various services. So as long as that is the case, imho there is no way to stop surveillance.

It would be great to start from scratch and build things without the expectation of any trustability from anyone, but I don't see that happening ever!

Sad to see that the people elected by other people like us to do good for all the people tend to do everything other than that.


It is a fact that the internet - designed to be de-centralised - is becoming more and more centralised, evolving around service providers.

> Almost all of our communication protocols and technologies are built on trust on those who run various services.

That is why we need to build and use de-centralized systems like Bitcoin, Tor and physical mesh networks to share and communicate. These evolve around people, not service providers. Of course, there's a huge difference between trusting people and trusting corporations.

> It would be great to start from scratch and build things without the expectation of any trustability from anyone, but I don't see that happening ever!

Too bad that you're not too bright about the future. A lot of people are working on fixing it. Maybe these links will inspire you to think about it differently?

https://bitcoin.org/en/

http://en.wikipedia.org/wiki/Mesh_networking

https://ssd.eff.org


> Too bad that you're not too bright about the future. A lot of people are working on fixing it. Maybe these links will inspire you to think about it differently?

I have come across these things that you have pointed out and yes they are steps in the right direction. But if you ask me if any of those will become the mainstream de-facto thing that everyone will use some time in the future? Based on the evidence available at the moment, I would still stick to what I said and maintain that it is highly unlikely given the current state of affairs. Yes, I would be very glad to be proven wrong but not enough atm to feel optimism. :)


The NSA is here to stay because who can remove their power without being removed from office? They have all communication.


Wikimedia's evidence that it was targeted was due to a leaked slide. What's going to stop the court from dismissing that key piece of evidence due to it being a "state secret"/"matter of national security" that was not meant to be publicly disclosed?


Bravo. They've earned my donation this year.

I hope that more organizations come forward with similar suits so that we can get back on the right path.


“If you don’t like people looking why not try putting on some pants?”, my response on the Wikimedia Blog: http://www.reddit.com/r/wikipedia/comments/2yjda6/wikimedia_...

(cross-posted to reddit because I could provide links there)


SSL in the casual case relies on all CAs being uncompromised. I understand this is not the case.

In any case, both technical and legal approaches are appropriate. And you know as well as I do that everyone at WMF desperately wants SSL for everything, and that this is a thing they are specifically working toward (but it turns out to be a bit more complicated than just switching everyone to SSL) - there is no way in which the legal approach precludes the technical approach.

I mean, you're right, this has been a problem for ages and you personally yelled really loudly and quite appropriately at them for it, and I really wish WMF had moved forward sooner. But if yesterday was the best day to act, then today is the next-best day.


> SSL in the casual case relies on all CAs being uncompromised.

Not really, -- it pushes the monitoring into active interception, which is much more costly (and thus does not work as well to hoover up everyone's data) and it is incredibly risky because it is detectable and if detected leaves cryptographic proof of the attack (and which CA was compromised or complicit with it.)

I'm all for other tools as well, which can provide protections that SSL cannot; but shuffling all the readers through Tor isn't practical today while HTTPS _is_ (as demonstrated by most of the other large web properties) and provides pretty decent protection against pervasive surveillance.

> In any case, both technical and legal approaches are appropriate.

Sure. I wanted to litigate about this in the past as well. But I am concerned that the complete failure to take the issue seriously historically weakens the claim of damages here.

> And you know as well as I do that everyone at WMF desperately wants SSL for everything

I don't know what to believe on that front anymore.

There is a simple, clear metric for "want" in an institution: what's the funding level? This project has not been raised to a level of importance where it's receiving line item disclosed funding, as far as I can tell. There was a plan for deployment in 2013 which hasn't been completed, https://blog.wikimedia.org/2013/08/01/future-https-wikimedia... ... and in the time since then Wikimedia has received another hundred million in funding from the public-- with fundraising running something like 17% ahead of expenditures.

> but it turns out to be a bit more complicated

Yes, it's complicated. Don't forget that I contributed to making it possible too. I'm not waxing away the technical details.

> But if yesterday was the best day to act, then today is the next-best day.

Similar things were said when I raised a similar complaint when Wikimedia posted denying providing any assistance to PRISM in 2013. (A position that I consider to be a lie by omission)

Continuing to deny that there is a problem here will not result in the problem being resolved.


CAs aren't the only possible point of failure.

Simply by obtaining private keys for Google/Facebook/YouTube/Yahoo/Baidu, the NSA can passively decrypt a HUGE percentage of the world's traffic. Any server encrypting for Google will need to have these keys so it's quite difficult to keep all these servers secure, and given the keys' values, the NSA would have no trouble budgeting infiltrating companies to get them.


Not correct. Google-- and anyone else prudent-- uses a PFS ciphersuite. Only active attacks can be successful.
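The distinction drawn in this exchange (a leaked server key passively decrypts recorded traffic only when the negotiated suite lacks forward secrecy), as an added example that is not part of the thread or any commenter's code. The suite lists are constructed samples, the function names are hypothetical, and server-preference ordering is assumed.

```python
"""Report whether the suite a TLS server would negotiate is forward secret,
i.e. whether recorded traffic stays safe if the long-term key later leaks."""

EPHEMERAL_KX = {"ECDHE", "EECDH", "DHE", "EDH"}  # fresh DH share per handshake
STATIC_KX = {"RSA", "ECDH", "DH", "PSK"}         # keys derive from a long-term secret
# OpenSSL omits the key-exchange token for RSA key transport ("AES128-SHA"),
# so an OpenSSL name that starts with a cipher token means RSA.
CIPHER_PREFIXES = ("AES", "DES", "RC4", "CAMELLIA", "SEED", "IDEA", "ARIA", "NULL")


def classify(suite):
    """Return 'ephemeral', 'static' or 'other' for an OpenSSL or IANA suite name."""
    name = suite.strip().upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        return "ephemeral"  # TLS 1.3 names; full TLS 1.3 handshakes use (EC)DHE
    if "_WITH_" in name:    # IANA style: TLS_<kx>[_<auth>]_WITH_<cipher>
        tokens = name.split("_WITH_")[0].split("_")[1:]
        if not tokens or "ANON" in tokens:
            return "other"  # anonymous or malformed: needs manual review
        kx = tokens[0]
    else:                   # OpenSSL style: [<kx>-][<auth>-]<cipher>-<mac>
        first = name.split("-")[0]
        kx = "RSA" if first.startswith(CIPHER_PREFIXES) else first
    if kx in EPHEMERAL_KX:
        return "ephemeral"
    return "static" if kx in STATIC_KX else "other"


def negotiate(server_preference, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = {s.upper() for s in client_offer}
    return next((s for s in server_preference if s.upper() in offered), None)


def audit(server_preference, client_offer):
    """Return (negotiated suite, classification) for one client profile."""
    chosen = negotiate(server_preference, client_offer)
    return chosen, (classify(chosen) if chosen else None)


# Constructed sample: both orders list a forward-secret suite, but only one
# of them actually negotiates it with this client.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
WEAK_ORDER = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
FIXED_ORDER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    for label, order in (("weak", WEAK_ORDER), ("fixed", FIXED_ORDER)):
        print(label, audit(order, CLIENT))
```

Listing an ECDHE suite is not sufficient: with the weak ordering the same client still lands on RSA key transport, so the audit has to look at what is negotiated rather than what is offered.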


Absolutely, I was just giving one example.


It's simple love. .m



