Snowden: Mass surveillance is a problem for the masses
Surveillance should be harder, not easier, and should only ever be deployed in the least intrusive manner necessary to achieve the objective.
That is the opinion of the man responsible for revealing the extent of mass surveillance in the world, former CIA employee and NSA contractor Edward Snowden.
Speaking by video link from exile in Russia to International Cyber Threat Task Force president Paul C Dwyer at the Cyber Threat Summit 2017, Snowden spoke about the extent of mass surveillance, the disregard for privacy by governments and the possibility of technical means to protect privacy, irrespective of borders.
Dwyer asked Snowden about the “weaponisation” of the Internet as a mass surveillance medium, and how to make people aware of it.
“That is a difficult question to address,” said Snowden.
“When you look at this fundamentally, there are two things to look at: is law the right mechanism for redressing these grievances or enforcing our rights in an increasingly globalised world, and particularly with a global network.”
“Yes, we in the west have the Theresa May problem and the Donald Trump problem, even the Barack Obama problem, where he was being predominantly seen as a progressive, very liberal president who would be respecting rights, campaigned on ending warrantless surveillance and he, in fact, extended it.”
“This is just recognising political realities,” he stated.
Snowden said there is an issue currently with leaders who seem to have a vested interest in portraying the terrorism issue as worse than ever before, and themselves as therefore justified in taking unprecedented actions, such as mass surveillance.
“Everyone in politics is more afraid of being smeared as soft on terror than they are of actual terrorists. If you look at the number of lives that are lost in Western Europe due to terrorism, which is a serious problem, it is far less today than it was in the 60s, 70s or 80s, when there were a lot of domestic conflicts.”
“The question here is, does it feel like that, or do our political times seem to indicate to a lot of people, that terrorism is actually a greater problem now than what it was back then.”
“A lot of this is because of the media and how we talk, how every bad thing that happens in the world has made it to every living room by the end of the evening. The question is, if politics and law are becoming increasingly unreliable, even in what we would consider to be open society, free jurisdictions, how do we enforce the same human rights protections in places like Russia, and places like China, particularly when you see Russia is passing new and extremely aggressive, abusive surveillance laws that just last year Russians were calling the ‘Big Brother’ law—and if the Russians are calling something the ‘Big Brother’ law, you know it’s pretty bad—but these things are increasingly modelled after the laws of the United States and the United Kingdom.”
“China passed a new counter-terrorism law and they explicitly said we are just catching up with the United States—that’s a problem,” he warned.
Snowden suggested that there are other ways, beyond legislation and governments, to achieve a degree of privacy and protection.
“What if we could use technical means to enforce technical protections of our communications, of our lives, of our private records, without regard to jurisdictions and borders? We commonly, publicly, whether we are talking about the Universal Declaration of Human Rights, whether we are talking about different constitutions of the member states of the EU, have common agreements about people’s right to be free from unreasonable search and seizures of their private effects, of their homes and their persons, violations of their dignity, and yet we have precious few mechanisms for actually enforcing these.”
“It is hard enough for us to do domestically,” Snowden observed, “much less internationally, where we lose those mechanisms, particularly in societies that are more closed and have state controlled media. The question is, can people think not about how to make surveillance easier, but to make it harder because that’s actually of benefit to society. In an increasingly safe though still dangerous world, when the primary threats, we were talking specifically in the context of digital rights and privacy, are increasingly state-sponsored.”
Dwyer asked Snowden about the volatility of world leaders, including President Trump, and the potential, under such leaders, for the development of the ‘deep state’.
Snowden’s answer was that “you can’t bubblewrap the president”.
Government and law
“This is where we start thinking about what can law do. And, really, law is predominantly normative. People like to think of the law as establishing how governments work. But the law only has that effect insofar as the government abides by the law.”
“When I came forward, the reason this had so much resonant impact around the world was because the government was violating laws in the United States, the UK was violating its laws and this is why they all sort of tried to rush through ways to legalise what they had been doing in a post facto manner. What we need to think about is not, ‘do we trust this president?’ Because, of course, we don’t and we shouldn’t, but a better question is, ‘should we trust anyone?’ Any powerful institution, any powerful authority? And of course, anybody who works in the security space will tell you that trust is always a vulnerability. Trust should not be necessary in a design, if it is well designed.”
“This is the way we think about design for laws. When you hear about the way these things are debated in the newspaper, these things sound worrisome, but you think ‘I’m a good citizen, I think the people in my government are good citizens’, we’ll at least presume the best, and because of this, even though it makes me a little uncomfortable, even though I see how this could be used, I trust it won’t.”
“This is the wrong paradigm for looking at what laws should be doing,” Snowden warned.
“We need to be thinking about the North Korea test.”
The North Korea test
“If precisely the same law were being passed in North Korea, would you think that would be a good or a bad thing for the people?” he asked.
“This is the kind of dynamic that ensures that governments are always required to use the least intrusive means necessary to achieve their investigative purpose, and this is what they have largely departed from. When we think about all of the problems in the surveillance and security landscape, when talk about lawful hacking is starting to cause these disastrous ransomware waves, around the world, we want to think about the fact that they said because these new capabilities for surveillance had been opened, and they are cheap and easy and they scale very well, we should maybe adopt them, embrace them and extend them—use them and abuse them. This is a mistake.”
“The government is entitling itself to powers largely, that the public never granted—we never had a debate about them, we never voted on this, it happened in secret without our consent, because they knew it was better to ask forgiveness than for permission.
Once they start doing something, and say it is necessary to keep you safe, even though there are no numbers that establish that that is the case, you will be much more reluctant to doubt them. Because they will say if you doubt us incorrectly, you are all going to die, and that is, regardless of whether we like it or not, a very persuasive argument for a large proportion of the population.”
Dwyer asked about the increasing levels of state-sponsored actions, and even inter-state actions, and whether we have seen the opening shots of cyberwarfare.
“This is an area where hyperbole doesn’t help,” said Snowden.
“I don’t think the cyberwar framing is particularly persuasive.”
Snowden said what was needed is to “bound expectations”.
While “zero-day attacks are quite sexy,” he said, “they are also quite rare”.
Highlighting what has happened to companies like Equifax, he warned that a risk-based approach is far more likely to provide effective protection.
“If you are the highest of high value targets, you need to think about these things. But you also need to think what are the realistic worst cases.”
Dwyer asked about the mass surveillance Snowden had seen first-hand, and if Ireland was included.
Snowden said that Ireland was “not on a specific target basis when I was with the CIA,” but he added, “the idea to understand here is mass surveillance is specifically untargeted, it is collecting data, not just from Ireland, but from the UK, Australia, Canada, New Zealand.”
“Anything that passes through those five countries gets dumped in a common bucket, and you just run some basic IP categorisation filters that go through a bunch of public databases and private databases that the NSA maintains that asks where are these IP addresses registered, what is their transit number on the network, their ASs, and based on this you can staple a little flag, next to each entry.”
“You would see Irish packets, just like you would see Chinese packets or Russian packets. And if you wanted to see them, all you did was click on them.”
Dwyer went on to ask if Snowden was aware of state surveillance here, and the recent report by former chief justice John Murray in particular.
“This is a very interesting story,” said Snowden, “and I did read of it, where we have a former chief justice, who was appointed to look into the mass surveillance policies, and he said this is unconstitutional. According to Irish law, and according to EU law, this is impermissible.”
“We have the Irish government collecting, in full, the communication records of everybody, regardless of whether they are suspected of a crime or not, you have phone calls, you have internet connections, and web sites, all of these things are just being stored and aggregated in bulk. And they used, in abusive ways, locating who was calling who, who journalists were interacting with. This is a means of identifying their sources and other things.”
“Now, it was recommended that this be ended and the current minister for justice, correct me if I’m wrong, is a guy named Flanagan, and he goes ‘oh, no, we will pass a new law, but this is not strictly unconstitutional’.”
Snowden said it was disingenuous for a current minister of justice to discredit a former chief justice, suggesting he had misinterpreted or misunderstood in some way. However, he went on to say it highlighted a further issue with surveillance, the law and elected officials.
A teaching moment
“This should actually be a teaching moment, about where the flaws are in the mechanics of our systems of governance. People who are currently holding office are very much concerned about appearances, about image, about popular support because they live political lives and they are worried about what is going to happen next. Whereas, when you have people who have left the system, they say things that are directly contradicting people who are currently holding those offices, even though they held them in the recent past.”
“The fundamental problem that we have is that there should be no surveillance that is occurring today that is happening in bulk. Traditionally, surveillance has always been a targeting problem, or a selection problem, if you will.”
“The police say we think this person or that person is a criminal and they are up to no good or they are a terrorist. They go to a court, they show their evidence for thinking this to a judge and the judge says this is reasonable grounds, and they authorise them to begin spying as much as they want on this particular person. And they do that and put taps on their phone at home and in the office, they put bugs in their house when the person is at work—whatever they want, they have extraordinary powers. But that has changed with the progress of technology,” he warned.
Selection versus ranking
“Anyone in the room with even a small amount of technical capacity can understand how this works. Every digital communication involves signals. You have a transmitter and a receiver—even if it is not transmitting wirelessly—a source and a destination. And in order to route these things from one point to the other in the fastest most efficient way without intentionally trying to hide the origins and destinations, anybody in that network path is going to see where it came from and where it went to. So governments around the world and corporations increasingly, groups like Facebook, and even internet service providers, are starting to go ‘why don’t we start keeping records of everything that passes our network so that we can either sell them to the service’, or re-order the way that society works for the preferences of these abusive law enforcement agencies.”
“What this ultimately results in is changing surveillance from a selection problem to a ranking problem. We used to joke about ending up on ‘the list’—now we are all on ‘the list’ because the list is everyone, it’s just a question of how high up you are.”