Schneier on Security
A blog covering security and security technology.
September 6, 2013
Conspiracy Theories and the NSA
I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public institution fails.
The NSA has repeatedly lied about the extent of its spying program. James R. Clapper, the director of national intelligence, has lied about it to Congress. Top-secret documents provided by Edward Snowden, and reported on by the Guardian and other newspapers, repeatedly show that the NSA's surveillance systems are monitoring the communications of American citizens. The DEA has used this information to apprehend drug smugglers, then lied about it in court. The IRS has used this information to find tax cheats, then lied about it. It's even been used to arrest a copyright violator. It seems that every time there is an allegation against the NSA, no matter how outlandish, it turns out to be true.
Guardian reporter Glenn Greenwald has been playing this well, dribbling the information out one scandal at a time. It's looking more and more as if the NSA doesn't know what Snowden took. It's hard for someone to lie convincingly if he doesn't know what the opposition actually knows.
All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There's simply no credibility, and -- the real problem -- no way for us to verify anything these people might say.
It's a perfect environment for conspiracy theories to take root: no trust, assuming the worst, no way to verify the facts. Think JFK assassination theories. Think 9/11 conspiracies. Think UFOs. For all we know, the NSA might be spying on elected officials. Edward Snowden said that he had the ability to spy on anyone in the U.S., in real time, from his desk. His remarks were belittled, but it turns out he was right.
This is not going to improve anytime soon. Greenwald and other reporters are still poring over Snowden's documents, and will continue to report stories about NSA overreach, lawbreaking, abuses, and privacy violations well into next year. The "independent" review that Obama promised of these surveillance programs will not help, because it will lack both the power to discover everything the NSA is doing and the ability to relay that information to the public.
It's time to start cleaning up this mess. We need a special prosecutor, one not tied to the military, the corporations complicit in these programs, or the current political leadership, whether Democrat or Republican. This prosecutor needs free rein to go through the NSA's files and discover the full extent of what the agency is doing, as well as enough technical staff who have the capability to understand it. He needs the power to subpoena government officials and take their sworn testimony. He needs the ability to bring criminal indictments where appropriate. And, of course, he needs the requisite security clearance to see it all.
We also need something like South Africa's Truth and Reconciliation Commission, where both government and corporate employees can come forward and tell their stories about NSA eavesdropping without fear of reprisal.
Yes, this will overturn the paradigm of keeping everything the NSA does secret, but Snowden and the reporters he's shared documents with have already done that. The secrets are going to come out, and the journalists doing the outing are not going to be sympathetic to the NSA. If the agency were smart, it'd realize that the best thing it could do would be to get ahead of the leaks.
The result needs to be a public report about the NSA's abuses, detailed enough that public watchdog groups can be convinced that everything is known. Only then can our country go about cleaning up the mess: shutting down programs, reforming the Foreign Intelligence Surveillance Act system, and reforming surveillance law to make it absolutely clear that even the NSA cannot eavesdrop on Americans without a warrant.
Comparisons are springing up between today's NSA and the FBI of the 1950s and 1960s, and between NSA Director Keith Alexander and J. Edgar Hoover. We never managed to rein in Hoover's FBI -- it took his death for change to occur. I don't think we'll get so lucky with the NSA. While Alexander has enormous personal power, much of his power comes from the institution he leads. When he is replaced, that institution will remain.
Trust is essential for society to function. Without it, conspiracy theories naturally take hold. Even worse, without it we fail as a country and as a culture. It's time to reinstitute the ideals of democracy: The government works for the people, open government is the best way to protect against government abuse, and a government keeping secrets from its people is a rare exception, not the norm.
This essay originally appeared on TheAtlantic.com.
Posted on September 6, 2013 at 11:08 AM
Thanks Bruce for all the great work you do.
Curious, have you read Sheldon Wolin's Democracy Inc., Managed Democracy and the Specter of Inverted Totalitarianism?
Bruce, you know there is too much at stake for an independent inquiry to ever happen. No one and I mean not even one person exists who would not be swayed by those with vested interests. That is the problem. What we are all discussing here is not some open sourced project but a military industry built upon protecting intellectual properties. We sold the world planes and tanks until there's nothing left on earth undefended but IP. That's the new model. Like IBM... get out of hardware and into services!
The NSA has no long range future in detecting terrorists but it does in thwarting breaches of holdings/rights. This is about patented and trademarked ideas, concepts and all other creatives much more so than who might be looking to get on a plane with firecrackers in their shoes. This is DRM on steroids and it is not a theory. Do you expect Microsoft to say no to free global policing of its patents? Or Google? Or Yahoo? Or BMI, ASCAP, Time/Warner, GE etc etc etc?
Trying to fight this in any way under the light of day is beyond irrational. The people who are now outwardly acting like "OMG, we need released from these NSL's" are drooling at recouping the 10-20% they're currently losing to theft and the 50-75% they're predicted to lose over the next 10 years. This is sewn up. The very existence of their revenue depends on it. The only way to dent it is a complete boycott of existing service providers... literally people backing away from the internet en masse. The rest is an excursion in Pollyannaville.
At this point, this would be rather like asking the Politburo to appoint a special commission to rein in the KGB. Why would the shadow empire voluntarily cut off its own ears? What modern government has ever stood a chance against its own secret police, who have unlimited dirt on everyone in a position of any influence, as well as 'direct action' capabilities (unlimited license not only to deceive, but to torture and kill) ?
Anyone who becomes a credible threat to business-as-usual will meet with a 'tragic accident.' The concept of 'rule of law' has never been anything other than a sad joke on the sheeple. The only genuine law is that the apex predator does whatever he wishes.
NSA broke out of VMs too.
Although I agree with this analysis, I think it's missing 1 point: does the NSA need to care about its reputation? Throughout all of this they have gotten a black eye but have no less funding, no less power, and no less autonomy. In theory, lawmakers can pull their funding. In practice, nothing has changed. Why would they change anything?
"If the agency were smart, it'd realize that the best thing it could do would be to get ahead of the leaks."
That's the best thing for us, but not the best thing for the NSA. And probably not the best thing for the White House, the DoD or the DoJ/FBI. Those are the only organizations I see having the practical capability to confront the NSA at the moment (the CIA at a stretch, but that would be *ugly* albeit would make good cinema).
Congress could pass laws constraining the NSA and the executive, but it's clear that such laws have been broken before without Congress ever finding out about it, even assuming the President doesn't veto to "protect our counter-terrorism abilities". There's nobody with power to enforce any law on the NSA other than its own chain of command, or the DoJ treating it as a criminal organization.
Given enough time, it will become more clear to the people and to Congress that the best interests of the NSA aren't aligned with their best interests. That's a necessary precondition to defeat authoritarianism -- the people have to feel that the group in authority is self-serving. They also have to feel it worth the risk of action. Taking on the military is a scary business.
As with the Stasi, or any competent secret military/paramilitary police, it's going to take quite a long time before people stand up in large numbers. I agree with what you're advocating, but I think you're years ahead of your time.
The only way to dent it is a complete boycott of existing service providers... literally people backing away from the internet en masse.
--There it is, the biggest, most helpful source of information ever is going to be further shunned. Turned into a surveillance state delivering malware to all that touch it. I don't use a smartphone, no social media accts, barely use email (my school's email provider is google...). I really like seeing other projects people have made but I think we need to put this information on paper, bring back mega libraries and book sharing, and read books knowing there's no metadata slipping around and you can have peace of mind...well, the camera peeping over your shoulder can't attack the paper and distort the information.
Humans haven't evolved enough for the internet to work and we're seeing yet again what happens w/ centralization of gov't and information aka a mafia w/ blackmail; it's horrifying.
There's a huge difference between this and UFOs and 9/11 conspiracy theories.
In this case we know the activity is going on. The NSA is eavesdropping on a wide range of people. There are agents who are engaging in "LOVEINT" targeting of ex-wives and lovers. It's actually a very small step to assume that members of Congress would also be targeted. It does not require believing that little green men are visiting the planet, or in a vast conspiracy where everyone who investigated 9/11 produced fake results pointing in the wrong direction but a few people who watched the video tape and have a flimsy grasp on physics understand the truth.
The real problem here is the complete plausibility that NSA is spying on congress.
The only evidence that we have that they don't spy on congress is their denials, and we have a mountain of evidence that everyone agrees upon that they have the means and the opportunity to do so. I assume they have the motive because human politics is a pretty universal motive. So, I'd be willing to bet real money that the NSA is spying on congress. I would not take such a bet on UFOs or 9/11 truthers...
Sort of OT but I think relevant is Robert Pirsig's discussion about superorganisms in Lila.
The NSA, like the government it cooperates with, is a superorganism. No one person can choose its course and it will not cut off its own food supply of $. I'm not saying that systemic change is impossible. But without more transparency to allow review by experts and, to an extent, the electorate as Bruce suggests, the organism is going to defend itself in ways that the mere people who make up its cellular structure cannot envision.
Already it's treating Ed Snowden as a cancer as it will any of its cells that are not exactly serving its purposes. This 'cancer' of honourable behaviour is probably the only way the organism can be stopped and, sadly, I don't think it will come from the main mass of people of the IC because their game is based on lies, deception and lawbreaking.
I no more expect anyone to be held responsible for the NSA than for the fraudulent (sometimes empty) Mortgage Backed Securities, crashing the economy, and the rest. They were bailed out by the taxpayer and paid themselves bonuses. #Occupy documented the abuses.
When the telecoms were caught violating FISA, Congress gave them immunity.
When the Bush administration was caught torturing, rendering (think the 20 CIA agents found guilty in absentia in Italy), nothing happened. Clinton had Whitewater and his scandals.
The supreme court finds the abstruse mandatory binding arbitration clause on page 47 of the EULA you must agree to for your phone or computer to work to be binding. They find that something specifically repudiated as a tax is a tax. Corporations are people too so a corporation can exist for 15 minutes - just enough to write a check to Romney or Obama.
Trust and credibility are on a continuum and can go negative.
I don't think most of the American public would have doubted the NSA WOULD be doing these things, but only never knew they COULD do them.
The NSA scandal occurs in an environment where we already have the 1% ruling oligarchy who are above the law (Greenwald's book With Liberty and Justice for Some might be a good companion to Liars and Outliers). And the 99% who are serfs or slaves. (Also see the books by David Cay Johnston). William Black referred for prosecution thousands from the small S&L crisis. The fraud from the 2008 crash was far worse - can you name 3 people prosecuted? Even recently Jon Corzine of MF Global, which raided customer accounts. William Black has his book - he calls it a criminogenic environment.
Even if there was a commission that did everything you propose, with the "right" people, why should I believe it?
No one in the 1% ever gets investigated, much less indicted, much less convicted or pleading guilty and serving prison time. This has been true for a decade or more on every other issue including many very serious issues.
I would rather trust that my bank or brokerage account was sacrosanct over my email, but it isn't - it clearly isn't. A home with a paid-up mortgage gets robo-signed (fraud!) and foreclosed upon - yes, this happens. The SEC watches porn instead of enforcing anything.
Tell me if you expect any of this to change, if so why, and either way how can the NSA scandal be any different than all the rest of these abuses?
nsa is a rogue military organization running the country as it sees fit .. there will be no investigation unless for pr purposes
Can Truecrypt, a company registered in the USA, be trusted?
p a s t e b i n (dot) com/7LNQUsrA
Ever since the Snowden leaks began the entire hacker community I know has been shocked and apathetic. No one had any good idea what to do.
This is the first substantial contribution on the question "Where are we going from here?" without silly political claims of outrage or even revenge against officials and companies.
"We know secrecy corrupts, and we see that corruption."
I think that is backwards or perhaps not a complete statement. It is corruption that drives people to secrecy. It is a lack of trust that drives people to secrecy. The NSA doesn't trust anyone because they believe that's their job; that only by trusting no one can they protect the greater good. People do not trust such a broad writ of power because power corrupts. So they engage in secrecy to defeat the NSA. Then it's a vicious cycle. The NSA demands ever more power in order to protect the people and the people strive for ever more secrecy to defeat the NSA.
The tragedy is that everyone is a loser under this system. But it is the corner we painted ourselves into. I'm not as easily convinced that trust is so easily regained as a "truth commission". I wouldn't call South Africa a model of trust today, and even then, to get as far as it's got, SA required a complete overthrow of the social order. I do not see any impetus for that in the USA today.
@ Bruce Schneier
All great points and recommendations. The kicker, as one commenter noted, is how will lawmakers appoint an essentially incorruptible person if they're under control of those to be investigated? And would agencies with a history of taking "direct action" even allow that guy to live?
Let me give myself as a personal example. Let's just say I have these traits: I can't be bought, I work toward strong privacy/security tech, I work against oppression/surveillance, and I'll make reasonable tradeoffs (e.g. lawful intercept issues). I also know, and can hire people who know, how to cut through their bullshit and get some truth out of them.
Nevertheless, here's what they can do to a truly independent investigation team:
1. They feed us disinformation that makes them look bad, but not so bad.
2. They ensure my analysts are their analysts somehow.
3. They compromise our information systems in a way that looks like the Chinese did it, then play up both that I can't manage the security and full open access is a risk to national security.
4. They set up fall guys for the programs, allow us to terminate them, and the real sneaky bastards continue doing stuff under new programs.
5. They use the many laws and legal precedents about protecting classified information to deny me access.
6. They move the illegal ops into unacknowledged special access programs (USAPs) where most of Congress doesn't know about them, I can't get even their name, they have plenty of OPSEC funding, and program members are allowed by law to lie to me.
7. They have me (and any other honest member) prosecuted for some bogus felony charge. FBI, IRS, or DEA would help them.
8. They'll pressure federal judges to rule against my investigation for national security or another bogus reason.
9. They'll use their legal and technical information gathering to get all dirt they can on me, then get media's support portraying me in ways that will ensure the public or courts won't trust anything I find.
10. I die in a car wreck, a mugging gone wrong, or a suicide from work stresses. I mean, they have a huge covert action budget and plenty of personnel. Use your imagination on that angle.
Bruce, this whole thing really reminds me of the old Programming Satan's Computer metaphor. You're trying to create a desired state or outcome from within a system that is evil at every level and can ruin you from any level.
Congress, the President, the Supreme Court, state governments, the major US media, LEOs, the military, NSA, secret courts, and federal courts are mostly together on this stuff. They so far have each other's back. If the bad guys control/influence every level of government, then what *legal* approach can be used to fight them or change the situation? (Esp. when it's a vocal minority rather than a public majority, who don't care enough.) Maybe this is why situations like this in the world's history often resulted in government overthrows, civil wars and such. They had no legal options from within a corrupt government.
Your thoughts on any of these points? Or potential solutions?
If the NSA wanted to gain popularity, it could use its knowledge of all phone calls made to assist in the imprisonment of the robodialers ("card services" and their ilk). Then at least the public would see some direct benefit.
One thing Bruce and all other commentators are missing is the international side of the trust coin: the NSA has extensively spied on some of the closest allies of the US. Do you think the damage to international relations can be undone?
I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking
Edward Snowden said that he had the ability to spy on anyone in the U.S., in real time, from his desk. His remarks were belittled, but it turns out he was right.
Have you forgotten that there have been NSA whistle blowers besides Snowden?
RUSSELL TICE: This was in 2002-2003 time frame. The NSA were targeting individuals. In that case, they were judges like the Supreme Court. I held in my hand Judge Alito's targeting information for his phones and his staff and his family.
Suddenly the evidence doesn't all seem so circumstantial... and just what does conspiracy thinking smack of?
Merriam-Webster defines "conspiracy theory" as:
a theory that explains an event or set of circumstances as the result of a secret plot by usually powerful conspirators
Unless you are withholding from us some firsthand knowledge of secret operations performed by powerful state security apparatuses, it would appear that you have been engaged in a good bit of "conspiracy thinking"...
(OK, OK, I concede! I do realize that judges are appointed rather than elected.)
Bruce, I might be reading too much into it, but your remarks seem to imply that Congress should be treated better than their constituents with respect to NSA spying.
Since Congress is the most clear and present danger to America, spying on them actually seems justifiable.
The spying on allies is likely a reciprocal thing. Since the US isn't legally allowed to spy on its own people it lets the other Five-eyes members do it, probably using NSA equipment and hookups, and then pass on the intel. In return the NSA spies on any 'allied' pals to give them the info.
The pollies have to express outrage even though they must have had some idea this would be happening. They're steering for re-election and, since I think most here would agree that any dirt on a pollie is essentially a string to pull, the pollies are no longer their own masters.
People good in tech & crypto, with enough political idealism and time.. young single men.
If NSA were any smart they would use porn stars and humour to boost NSA popularity.
To add to your list, whistleblower Sibel Edmonds has claimed that prospective federal judge appointees have their background investigated. If the candidate is absolutely clean, there is no appointment.
That's not going to happen. The NSA provides technical support and/or intelligence to all America's clandestine operations, many of which are illegal. Laws legalizing the NSA's domestic surveillance programs were only enacted when the nature and extent of those programs were revealed. America needs to scrap FISA and CALEA, but that's not going to happen either and, if it did, the NSA would just go back to operating illegally.
No "conspiracy thinking" is necessary. It's a fact that when you give government officials an opportunity for abuse, they WILL commit abuse. And there's nothing better than pervasive secrecy to encourage and promote abuse (along with waste and incompetence).
The men who founded this country knew this fact very well, from their own experiences with His Majesty's Government. That's why they built checks and balances into the constitution. When two successive administrations secretly decide that fighting the Global War on Terror requires measures incompatible with the constitution, and then create a massive classified apparatus specifically to circumvent constitutional constraints, checks, and balances, it's a red flag embroidered with "ABUSE" in glowing letters.
It's unfortunate that we need lawbreakers like Snowden to bring these questionable activities to public attention, (hopefully) to force the necessary debate about what sort of country we are. There doesn't seem to be any alternative within the law, since the Executive Branch seems to have done everything it can to preclude legitimate avenues of recourse.
The terrorist threat may indeed require a more authoritarian direction to ensure the very existence of the United States. But in a country that still claims to be a democratic republic, issues like that should be decided in open debate through the legislative process where all sides can be heard. Not unilaterally by the Executive behind closed doors through lawyers' classified memorandums, or by the classified rulings of a secret kangaroo court of hand-picked ideologue judges that hear only the agency's side.
Bush and Obama may have valid (classified) reasons to believe that the only way to protect America is to preemptively destroy what makes America uniquely worth protecting. But I, for one, refuse to believe that, or to trust them to make any such determination.
Snowden and his associates are indeed employing the right strategy by continually dripping out increasingly horrifying disclosures. Otherwise, Obama could easily avail himself of the public's short attention span with distractions (Syria, perhaps?) that make the embarrassment conveniently disappear.
I'll agree that an independent oversight committee is necessary, as a first step to evaluating the potential and actual abuse behind the curtain of secrecy. But Congress needs to overcome their fear of being labeled "soft on terrorism," and assert their proper constitutional role as a check and balance against an Executive branch intent on creating a Stasi-style surveillance state. Unfortunately, the only way that will happen is if Snowden continues to leak a steady drip of horrifying disclosures.
Absolute power corrupts absolutely..................The entirety of the US federal government from the White House down to the janitorial staff of any US governmental institution is corrupt. Our political system no longer exists for the citizens; it operates for powerful special interests. The NSA is the hidden tool that ensures special interests take priority within our political system. Unfortunately what we're seeing is Democracy as an ideal that is on the road to a timely death. We've given up so many rights and privacies as citizens because our elected leaders have continually lied to us and used FUD to manipulate on behalf of their agendas. Yes, trust in the government is declining rapidly.
A few years ago there were also reports of Jane Harman being caught in an NSA wiretap while lobbying for Israel.
"The by Jeff Stein of Congressional Quarterly — that an NSA wiretap picked up Rep. Jane Harman (D-CA) telling a suspected Israeli agent that she would lobby the Justice Department to reduce espionage charges against two officials of American Israeli Public Affairs Committee (AIPAC) in exchange for the agent's agreement to lobby Nancy Pelosi to name Harman chair of the House Intelligence Committee — is spreading like wildfire on the Internets."
It seems, earlier, she was helping to keep NSA reporting out of the press:
"The New York Times confirmed late Monday that a top Democratic congresswoman called the paper in 2004 and tried to keep it from publishing an article exposing the Bush Administration’s warrantless wiretapping program -- possibly helping to sway the balance in the 2004 presidential election."
It's even been used to arrest a copyright violator.
That should say "alleged"; I haven't seen any strong evidence that DotCom did violate copyright, and the trial hasn't gone anywhere so far.
By the way, I don't see "trust" as a good term to use here. People seem to assume it's always a positive term. I trust the NSA as I've trusted them since finding out about Echelon—I trust that they'll spy on as many people as possible and try to hide it, that they'll convince companies (like Crypto AG) to add backdoors, etc. And of course, a "trusted system" is one that can break your security.
[...] and reforming surveillance law to make it absolutely clear that even the NSA cannot eavesdrop on Americans without a warrant.
Imagine France was the nation with most of, and the biggest, cloud computing companies in the world and the French intelligence service had wiretaps on most of the American internet traffic. Because there is so much French software used everywhere encryption matters, and the French intelligence service coerced the software manufacturers to install backdoors everywhere, even if you only use American service providers you basically hand your data to the French government. Also recall that they have previously used their surveillance systems for industrial espionage when the former political reason ceased to exist (Echelon).
Now how happy would you be if they publicly state "from now on we will only spy on Frenchmen with a warrant, everyone else will continue to get our full attention" ?
This is how it feels like to be a European when Americans complain that the NSA is spying on American citizens.
The only way to deal with this is to model the NSA and the US as an APT, and hence an enemy. If they manage, at some indeterminate time in the future, to get their rogue intelligence community back under control, then that can be re-thought. But before that happens, it is not China or others that have been accused of spying that are the most serious threat; the US is.
What scares me though is the cowardly and timid reaction of the German government to the recent announcements. I can only attribute that to the NSA having significant dirt on all of them.
to make it absolutely clear that even the NSA cannot eavesdrop on Americans without a warrant.
so the rest of the world is still fair game for human rights violations?
Bruce I have tremendous respect for you, and am happy to see you are more and more coming around to the realization of how it all really works, but this is one instance where it seems your commenters have a better handle on the reality than you do.
As nice as this whole piece sounds, it's just so naive it's rendered essentially useless.
It still surprises me how you can be so attentive, with such a good head on your shoulders, and with such depth of knowledge of the facts...and yet still be fooled into thinking some government commission is the solution to government abuse.
It's just mind boggling.
"If the agency were smart, it'd realize that the best thing it could do would be to get ahead of the leaks."
You don't need to tell them that, why do you think the Brits stole all of David Miranda's stuff? They're clearly actively trying to get ahead of the leaks by abusing whatever laws they need to.
You can have a trust-free society. It's possible. But only between equal humans, without any form of institution or moral person to obfuscate who does what, or to justify coercion.
You "just" need to surveil everything and publish it openly and freely.
The trade-off is your privacy in exchange for seven billion others'. It's fair.
Anyway, reality is open. Deploy enough sensors and you can watch everything yourself. So there is no natural secret anymore, not with the tech we have.
I don't fear the time when technology becomes the mirror screaming THIS IS WHAT YOU ARE in the face of humanity. Proving that laws have as much impact on humans as they have on the tide. The abolition of all that is useless in morality. Good times. I hope I'll live to see that happen.
The Snowden leaks are a sad story, because they severely damaged the interests of the United States and its Western allies (we shouldn't forget Canada, the UK, Australia and New Zealand, and also the 3rd party allies). Of course these governments aren't perfect, but they are much better than most regimes elsewhere in the world. Everything the NSA is doing is also done by government and military agencies of countries like Russia and China, only much worse and without any control. That's what should worry us.
If there was a Snowden who leaked this kind of information about how Russian or Chinese agencies are abusing their power, then that would be a real whistleblower, and even a hero. What Snowden, Greenwald and some others are now doing might be interesting for the public, but is hardly in the public interest. It weakens the West and strengthens the position of regimes that really do ugly things with their people.
Until now, the disclosed documents about activities of NSA only show that they are doing what they are supposed to do: gathering information to protect the country against foreign threats. Like in all other big organizations things go wrong now and then, but the documents show that these things were discovered and corrected and that the FISC is closely watching what NSA is doing (an oversight which is far better than there is for intelligence agencies in Europe, for example).
Although some more minor things went wrong and NSA is sometimes operating on the edge, everything they do is within the existing legal framework. The leaks also didn't show significant abuse of power or deliberate illegal spying - contrary to what the media fed the people. The only one who did have almost unlimited and uncontrolled access and who deliberately abused that, was Edward Snowden.
"Although some more minor things went wrong and NSA is sometimes operating on the edge, everything they do is within the existing legal framework. The leaks also didn't show significant abuse of power or deliberate illegal spying - contrary to what the media fed the people. The only one who did have almost unlimited and uncontrolled access and who deliberately abused that, was Edward Snowden."
Although "some more minor things went wrong" everything the slaveowners did was "within the existing legal framework." The historical record didn't show deliberate illegal activity on their part. They were simply exercising their property rights over semi-people ("3/5 of a man") for business reasons. Our slave owners' practices were "better than most regimes elsewhere in the world" doing similar things. Revealing this only "damaged the interests" of slaveowners and their business allies. The only people who "deliberately abused" the law were the people who fought to free them, often "stealing" plantation owners' "property."
Because if it's "legal" or "other regimes" do it worse, then it's The Right Thing for a Republic To Do. (trademark symbol here)
... the NSA cannot eavesdrop on Americans without a warrant.
But spying on the rest of us is ok then, is it?
I wonder how Bruce reached the conclusion that Snowden was right in insisting he could have wiretapped anyone in the US at any time. The Guardian claims Snowden was right, but if their source is Snowden, then that is circular reasoning. None of the documents the Guardian published indicate that any of the NSA databases had such a capability. If the Guardian has such documents, why don't they make them public? Even if such a database existed, that still doesn't prove Snowden would have had access to it.
@NotAnAmerican: You are absolutely right. Even Mr. Schneier here seems to be concerned only about his fellow citizens.
I am sure I am not the only one from outside the US who is looking for alternatives to all kinds of IT products and services coming from this country.
I am also pretty sure the Snowden revelations will have a direct impact on the economy of the US IT business. Any company outside of the US that has been considering using cloud based technologies will now think again.
One could argue that storing your data in the cloud is not a great idea to begin with, but now that storing data in the cloud also means leaving all data wide open for the US to pry and spy in, it is not really an option at all.
@Enigmatic: I have asked myself about truecrypt too, and I do not trust it. I even find it kind of ridiculous I've been sitting there moving the mouse around to generate huge random numbers. OMG I am such a sucker.
Can we conclude that no balance whatsoever can be made between privacy and security?
Is an open government one that does not conduct intelligence gathering? Since having to share it with everyone in the world would make it cease to be intelligence.
"But spying on the rest of us is ok then, is it?"
Of course not. But I'm afraid you need to take your complaints to China and Russia, as well as any other big nation state. This thing called trust between nations doesn't really exist like we would like to think it does. (Not that I doubt you think it exists.)
I think that the NSA won't be able to pull itself out of this mess. Rather the key to success here is going after those who have lied on record. If you take an oath to make a truthful statement and it turns out that you lied, the law needs to be enforced. Right now it isn't. People are getting away with lying on an epic scale and that promotes more lies and deceit. Drag those people in to court. Name and shame them. Serve them the prison sentences they deserve.
That will serve a clear message to those that take over: you lie in public, you go to prison. That in turn will allow for things to get fixed properly because it results in a generation of leaders that will be more careful with their public statements and that will act such that they won't end up in a position where they have to lie about it.
This problem goes way beyond the NSA BTW. The culture of lying now pervades most of the US government, which is why approval rates are at an all time low because nobody trusts them anymore. Homeland security accelerated this trend and that resulted in a massive bureaucracy that employs well over a million people that operates largely beyond normal democratic control. That bureaucracy is in desperate need of some transparency because frankly, as an outsider, it looks to me that things are getting very embarrassing. The level of incompetence on display lately is monumental.
I wonder how all this surveillance affects the privacy of medical information? Hospital employees are routinely and summarily fired if they look up their relatives' or local celebrities' records to satisfy their curiosity. The ARRA 2009 law in the US extends the HIPAA law to pierce the corporate veil and hold individuals personally liable for negligence that causes data breaches.
Is using ordinary TLS to secure the transmission of a public figure's electrocardiogram to a server in the "cloud" now considered negligent?
The use of telephone calls and faxes has long been considered safe for patient confidentiality, because a search warrant used to be required to get the call detail records or eavesdrop on the content. Is it now unsafe?
I'm asking questions of law, not fact. Are people like ekg techs and physicians' billing assistants at risk? Or are they protected somehow?
@Jilles van Gurp - "People are getting away with lying on an epic scale and that promotes more lies and deceit...That bureaucracy is in desperate need of some transparency..."
The core problems with the NSA situation are (1) the absence of transparency and (2) the pervasive lying this engenders among public servants. Together these pervert the notion of a trustworthy government, and that's obviously very dangerous to a free society.
Free societies need to have a frank, public, and open discussion about how to police this new (~20 year) virtual world called The Internet. And let's start by agreeing that the NSA is NOT the organization to be doing that policing.
In the physical world we encourage the public presence of police - under color of law - to monitor public activities and to protect us from bad actors (think of the beat policeman and his relationship with a neighborhood). Does the Internet need a similar function? I would argue yes.
But in free societies in the physical world, we most explicitly DO NOT allow the police to promiscuously monitor our transactions, conversations, reading, and other activities on the off chance that we may be doing something wrong, now or in the future.
Surely there has to be a policing function on the Internet. Someone has to do it to protect society from bad actors of all types, and to enforce the laws that already exist in the physical world.
So let's start by agreeing that the NSA - which by definition operates in total secrecy and under military guidelines - is not the organization to be doing that, for most of the same reasons that we do not allow the military to perform the domestic police function on the streets of America (or Europe).
There clearly needs to be a discussion about who polices the Internet, how they can do it, and how they must adhere to the Constitution and to existing law.
With all of that said, Jilles (and Bruce) are absolutely correct that the non-transparency, the breaches of trust and the ongoing lying are extremely dangerous to civil society.
Or all it takes is one federal prosecutor - an AUSA - with a RICO indictment in hand, and the whole conspiracy comes down on itself:
We know how to deal with corrupt organizations, even if they are heavily armed and cash-rich. We have "laws" to deal with them - prisons in which to detain those responsible. "Kingpin" sentencing enhancements, courts, to hold trials... it's all sitting right there, every single piece. We pay people to enforce those laws, to bring cases against people who break those laws, and to imprison them if they're found guilty by a jury of their peers.
Why isn't there a RICO case against the NSA? They're breaking the law, they're doing so in a systematic and intentional way, they're engaging in an "ongoing criminal conspiracy" under the laws passed by the U.S. Congress and signed into law by the President.
Just one prosecutor... and the whole thing comes crashing down. Who will it be?
Such a special prosecutor would also need the power to force declassification of anything but the most extremely sensitive data, since overclassification is one of the first refuges of those being investigated.
History has a tendency of repeating itself. I am surprised no one here has remembered all of the spying that J. Edgar Hoover and the FBI performed in the name of undermining subversives back in the 1950s, 1960s and early 1970s. Hoover compiled vast and detailed records on individuals considered to be threats and used them to keep himself empowered and to further his values and agenda.
Now we have another organization waving the flag in our faces screaming terrorism, fabricating stories about saving us from 50 terrorist attacks since 9/11 (but providing no details), and using this as an excuse to violate the Constitution over and over in a similar fashion, but using a different medium, and on the broadest scale possible. Conspiracy aside, I think what Bruce is suggesting regarding an independent commission is a good first step, but are we brave enough as a nation, to take that step and have we elected leadership with the integrity to take that step?
Great article as always.
Seeing how US intelligence agencies collude with practically every secret service in the western world (cold war term I know), to undermine basic human rights, European and US civil rights and probably stuff I've never heard of before, when exactly does it reach the point where a conspiracy theory becomes an actual conspiracy? How much (more) proof is needed?
This government thrives on conspiracy theories. It allows them to belittle anyone who questions what they are doing. Example: Obama's "Long Form" birth certificate. Why publish a "scanned" PDF instead of passing around a copy at a press conference? Or maybe order a few extra, authentic copies from Hawaii and give them to a few select correspondents for analysis? It would be so easy to completely dispel the conspiracy theories, yet they chose to continue to obfuscate.
They love conspiracy theories. They lie when the truth would serve them better. It's in their culture. It's in their DNA. It's who they are.
If a plan or program does not increase government power and influence, it is summarily discarded.
Ever since Edward Snowden blew the whistle on NSA surveillance programs, I have been wondering about an event a few months prior to that.
How exactly does the CIA director, presumably knowledgeable about ongoing US data collection practices, imagine that a clandestine affair could remain undiscovered when discussed and planned online?
And how again was the Petraeus scandal divulged? The accepted version seems to be the FBI discovered the affair after a complaint, the Attorney General sat on the news for two months and only told the NSA after the election.
In light of subsequent events it seems likely the NSA discovered evidence of the affair before or at least in cooperation with the FBI. So how much of the Petraeus scandal public information was altered to hide NSA surveillance programs? And was this an example of a non-terrorist related surveillance leaked for potential political gain?
The fact that the administration and the NSA don't seem to try to preempt the continuing revelations suggests not only that they don't have a clue how much and specifically what Snowden took; to me it also strongly suggests there is a LOT more than we've seen so far.
If there were only a few minor scandals left unpublished, they would probably admit it and minimize the impact. The fact that they don't seem to do this suggests there are some major things left, and they are scared they'll fess up to the wrong ones, that Snowden doesn't have any material about.
I can't imagine Snowden really got more than a tiny fraction of all the documents the NSA has, even if we ignore the astronomical amount of data they have collected in recent years. Still, it seems to be such a massive amount of documents that it would seem plausible they have only been able to read a small fraction, so even Snowden and the reporters of the Guardian don't know everything they have.
Frankly I'm not really surprised we keep seeing the "spying on US citizens" rhetoric; the rest of the world is apparently considered inferior anyway, and we probably envy them so much we must all be plotting against them.
Although it would rather suck for the vast majority of the population, I think, in the long term, the best thing that could happen to the US would be complete economic collapse.
@cryptostorm_darknet: "Just one prosecutor... and the whole thing comes crashing down. Who will it be?"
Nope. The trial gets classified, nobody outside the courtroom sees anything of substance, and it's all a whitewash.
Just think Gitmo. Or maybe Gitmo to the Gitmo power.
But just you wait. . . when Rand Paul is President. . .
Can there be effective oversight in this case? You are speaking about organizations with tens of thousands of employees. No matter what you do, there is going to be some department that is doing its own thing.
The most worrying aspect is sharing of information with prosecution, the IRS and other agencies; here they will counter that intelligence failures are often due to inadequate sharing of information among gov. agencies - who is supposed to draw the line of what is appropriate and not? Insiders? Outsiders won't be allowed access - otherwise they turn into insiders.
On the whole the NSA did a good job; they managed to get a huge amount of resources and delivered results.
These intelligence capabilities are like a genie that got out of the bottle; nobody in his right mind is going to give up on the capabilities, but it is also impossible to handle them in a way that does not destroy democracy.
There already is an Open Resource AI being developed which will eventually dissolve all governments and replace law and money. Jewish developers need not apply.
Why do USans put their hands over their eyes like five year olds and pretend that the US Empire does not exist and that they don't know anything about its murderousness? "I can't see it. I can't see it. Aaaaggghhhh !!!"
Five year olds would be ashamed to be so gutless.
Yes there is a US Republic where the delightfully logical solution that Schneier proposes might work.
But there is also a US Empire that is a fascist enterprise that daily uses the methods of the Nazis - illegal war, murder, torture-to-death and genocide - and has done for sixty years.
The US Empire will ensure that the US Republic remains toothless and powerless, until that US Empire disappears into the dustbin of history. Or until its hubris destroys it. Or until its predicted end by 2020 comes true - predicted by the revered father of peace studies, Norwegian Johan Galtung.
Whichever comes soonest.
Ten years earlier due to the actions of Our Dear Leader, Comrade Cheney, says Johan Galtung. Who must be an Iranian Sleeper agent, parachuted into Wyoming when Richard Cheney was just a boy to take his place and destroy the Empire from within. How else to explain such cretinous anti-American treason, posing as stupidity, asks John Dolan of The Exiled.
You do know that Peter Dale Scott has pointed out that Cheney implemented Continuity of Government after 9/11 and renewed it every year after that. As did Obama. What is it? What does it entail? The US Congress and Senate intelligence committees were told that they didn't have the necessary (Cheney Mickey Mouse) Security clearances to know. No change there, then, you might think. ; )
A verifiable theory about Neo-Con conspiracies against the US Republic - aka politics as usual. - versus the tinfoil hat brigade, aka 'conspiracy theories'. Search for 'Continuity of Government' at Peter Dale Scott's politics page.
Yes, Virginia, there really is a US Empire -
Johan Galtung - the US empire has murdered 12m or 16m in forty years. "The difference is between overt murders and including covert murders by the US." In illegal wars and genocides. -
'How would we know that the Empire is dead?" - Johan Galtung -
More - see "GAWD BLESS YOU MR. … PUTIN ?" - a comment, and replies, to "Text of Draft Legislation Submitted by President Obama to Congress Seeking Support For An Attack On Syria," September 2nd, 2013 - ICH -
So I suspect this may be the cause of the SSL break. If you have a PRISM, you know how many connections and the time of each connection. Using that knowledge, after enough time, you can reasonably guess what's in the pool and thus PRNG values. Certainly using 15 acres of computers you can.
Each and every SSL accept in the OpenSSL source code adds the current time to the entropy pool as the first call. There's no other running source of entropy that I can see, unless the HTTPD application is doing it.
Also, it's quite handy that Linux restores the system PRNG seed after every reboot and in some distributions, the SSH random seed also.
So basically, having a super-great source of randomness may be useless because we fill the pool with highly guessable entropy over time.
# grep -r RAND_add openssl-1.0.1e/ssl
Just checked the HTTPD source code... it does add more randomness, but the method for mod_ssl's builtin has rather low entropy.
It uses time, the PID, and an uninitialized variable (unsigned char stackdata), with some funky-ass ssl_rand_choosenum function that's strange. The stack can likely be guessed, as HTTPD is basically a very repetitive process. I wouldn't be surprised if it was the same every time actually. It doesn't use the HTTP worker table as described in the docs either.
So unless you are using mod_ssl with a configuration like below, then entropy may not be very good.
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
So there you go, the mod_ssl builtin configuration is a poor choice, and one that is commonly used for performance reasons.
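A small audit of the configuration point raised in the comment above, added here as an example and not code from the comment, from OpenSSL or from the Apache project. It assumes the mod_ssl directive syntax SSLRandomSeed context source [bytes] (context startup or connect; source builtin, file:PATH, exec:PATH or egd:PATH) and reports, per context, whether the PRNG is fed only by the builtin source or by an external one such as /dev/urandom. The two configurations it checks are constructed for illustration.

```python
"""Audit of Apache mod_ssl PRNG seeding directives.

Added example; not code from the comment above, from OpenSSL or from the
Apache project. It parses the SSLRandomSeed lines of an httpd configuration
(syntax: SSLRandomSeed context source [bytes], where context is startup or
connect and source is builtin, file:PATH, exec:PATH or egd:PATH) and
reports, per context, whether the OpenSSL PRNG is fed only by the builtin
source or by an external entropy source such as /dev/urandom.
The configurations below are constructed for illustration.
"""
import re

# One SSLRandomSeed directive: context, source and an optional byte count.
DIRECTIVE = re.compile(
    r"^\s*SSLRandomSeed\s+(startup|connect)\s+(\S+)(?:\s+(\d+))?\s*$",
    re.IGNORECASE,
)

# Sources that pull entropy from outside the httpd process.
EXTERNAL_PREFIXES = ("file:", "exec:", "egd:")


def parse_random_seed(config_text):
    """Collect (source, bytes) pairs for each seeding context."""
    seeds = {"startup": [], "connect": []}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # Apache only allows whole-line comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        context, source, nbytes = m.group(1).lower(), m.group(2), m.group(3)
        seeds[context].append((source, int(nbytes) if nbytes else None))
    return seeds


def assess(config_text):
    """Rate each context as 'external', 'builtin-only' or 'missing'.

    Seeds accumulate, so one external source alongside builtin still counts
    as external. A context with no directive is reported as 'missing'; what
    the server then falls back to is left for the reader to check against
    the httpd version in use (assumption, not verified by this script).
    """
    report = {}
    for context, entries in parse_random_seed(config_text).items():
        if not entries:
            report[context] = "missing"
        elif any(src.lower().startswith(EXTERNAL_PREFIXES) for src, _ in entries):
            report[context] = "external"
        else:
            report[context] = "builtin-only"
    return report


def findings(config_text):
    """One finding per context that is not seeded from an external source."""
    return [
        f"{ctx}: PRNG seeding is {rating}; add 'SSLRandomSeed {ctx} file:/dev/urandom 1024'"
        for ctx, rating in assess(config_text).items()
        if rating != "external"
    ]


# Constructed sample configurations (not taken from any real server).
WEAK_CONFIG = """\
# builtin = current time, PID and a slice of the scoreboard
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
"""

HARDENED_CONFIG = """\
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(cfg))
        for line in findings(cfg):
            print("  ", line)
```

Run it against a real httpd.conf by reading the file into assess(); a result other than "external" for either context means the connection-time or startup seeding relies on the sources the comment describes.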
If openness and transparency is the order of the day... perhaps you might elaborate - as BT Chief Security Technology Officer and Director of BT Managed Security Solutions - about mass surveillance by BT/Phorm affair or BT's involvement in furnishing private/confidential communications data to the GCHQ/Tempora program?
The trust issue doesn't stop at the NSA/GCHQ leadership. It includes Government leaders, and it includes corporate leadership (BT Chief Security Technology Officers in particular) too.
This was all organised when the intelligence communities were all brought under the one umbrella organisation and is now the body that adheres to the underlying skull and crossbones of American sub-culture.
In order to re-establish founding values and principles of American culture and the position of respect that the U.S. *used* to have in the world, all of that has to be seized, in the dead of night, shoved into a vat of acid, battened down and shoved into a crypt that will never see the light of day again.
This 'Five Eyes' rubbish has to disappear also, along with its extended modern day manifestations. There never has been a need for it other than one of a manufactured variety.
Any 'enquiry' is never going to get close to the instigators of the 'conspiracists' anyway.
When money owns politics the people's requirements don't run second or third.
They're a lot further down the track than that.
I think everybody knows what the problem is in the U.S., but only the people can take back what's theirs and they have to do it before the police get to be any more militarised than they are now or there's going to be a lot more blood in the streets than necessary.
Bruce, do you really believe LHO shot JFK, all alone ?
Do you really believe history is just one humongous RNG, where nothing ever happens because somebody wants it to happen ?
Just a comment on conspiracies - read Phillip K. Dick, Valis, and Radio Free Albemuth; and The Strugatski Brothers, Beetle In An Anthill, and Snail On A Slope.
We're dealing with a conspiracy of governments. Snail On A Slope is a satire on Khrushchev's ascent to power; it says that nobody in government knows what's going on, and so things stay the same (entropy is constant). Radio Free Albemuth is a satire on the madness that afflicted the US during the collapse of the Tricky Dicky Nixon Administration.
And the Illuminatus Trilogy is a satire on such satires; it says nobody ever knows what's going on, and entropy is absolute: it makes Elric of Melnibone look kinda tame.
The XKeyscore proof makes me worry that Scientists and Engineers for 9/11 Truth are NOT conspiracy theorists.
If Edward releases the documents showing WTC7 was demo'd and that 47 story buildings don't just fall down by themselves due to an office fire, that will be an erosion of trust I am not sure even the U.S. government could withstand.
Forget about the government taking over. Think about the opposite.
Why is the U.S. so intent on getting involved in Syria right now? Or at least trying to give that impression?
A conspiracy theorist might think they are trying to distract from recent huge revelations about the NSA.
A conspiracy theorist might think they are willing to bomb entire countries full of brown people if it will help distract their own population from their domestic abuses.
Special prosecutor? Comparisons to the FBI under Hoover?
Bruce, can you cite any attorneys or legal experts who are able to point to any crimes revealed by Snowden's documents? Can you point to any instance in which the NSA has collected blackmail material on domestic dissident groups?
I am an attorney. I have yet to see any criminal actions revealed by Snowden's leaks, much less anything remotely approaching the abuses committed by the FBI during the 1960s. This is the kind of rhetoric I'd expect to see from Glenn Greenwald.
Nothing in these documents approaches the level of criminal conduct.
Companies cooperating with the NSA by allowing the NSA, when authorized by law, to use company products to eavesdrop on targeted persons? They are free to do so. If these companies enable the NSA to conduct surveillance of international terrorist groups and foreign intelligence targets, then good for those companies.
I have put in time, professionally and personally, in defense of civil liberties. I understand that sometimes the cause of liberty requires breaking the law.
However, exposing the Bullrun program without evidence of wrongdoing or abuse, is just wrong. It does not protect any civil liberties. It does not advance the cause of liberty anywhere. Its sole effect is to weaken the technical capability of US and allied signals intelligence, and the beneficiaries will not be dissidents in the United States.
Frankly, until I see evidence of abuse by the NSA - and not accidental collection or the actions of a few rogue analysts - my considered response is to congratulate those at the NSA on their achievements, to thank them for their service, and to hope that they continue to strengthen a country that is more important to the cause of freedom than any other.
I'm on the side of the NSA.
Some may see it as a necessary evil, but in the end it isn't evil at all; just necessary.
There are many like me who remain silent because expressing our views is unnecessary. If you don't see the vital necessity of all that has been done and will be done, you're not paying attention.
The Snowdens and Mannings, and those who aid and abet them, are naive, immature, ignorant fools shooting themselves and everyone else in the foot.
But you'll lose. You always have lost and always will because you're not being realistic. Reality, as you may have noticed, is that which doesn't go away when you stop believing in it. A point of view and policy that doesn't take into account the unfortunate reality of what the human being, at this evolutionary stage, as a species is, loses. Reality always wins.
Ultimately I believe in a bright future for humanity, not just now, not any time soon, not when things are set up this way, not when we are what we are.
(No, I am not a troll.)
Clearly, the NSA are the good guys. What have you been ingesting/haling? Folks, these professionals know what they're doing and they're doing their job so that you can keep on getting entertained. Cheers!
If openness and transparency is the order of the day... perhaps you might elaborate - as BT Chief Security Technology Officer and Director of BT Managed Security Solutions ...
There's a thin line between bravery and outright stupidity. Have you ever played chess ?
Bruce, can you cite any attorneys or legal experts who are able to point to any crimes revealed by Snowden's documents?
You may wish to Google "lawsuits against the NSA". A growing number of organisations seem to be having some minor issues with what the Snowden docs have revealed.
Obviously people here want to ban intelligence, or implement a transparent intelligence agency, where they inform everyone what they're doing.
Wait, what's the difference?
I think that is an oversimplification. For a period, certainly immediately after the Cold War, western intelligence agencies paid attention to the importance of the rule of law, the boundaries between intelligence and policy, and what could and could not be justified in the defence of the state.
Michael Herman (sometime Director of GCHQ and later Chairman of the Joint Intelligence Committee, which prepares reports for the British Prime Minister and Cabinet) wrote: "Intelligence Power in Peace and War" (1996), which I recommend.
The Battlestar Galactica wasn't networked.
> Guardian reporter Glenn Greenwald has been playing this well, dribbling the information out one scandal at a time.
I wonder what the next scandal is going to be... maybe the integrity of their spying system can no longer be guaranteed...
Some interesting comments dropped into the thread.
For you NSA fluffers... what limits will you admit re: the scope and extent of compromising Americans' privacy and the integrity of our security, banking transactions, etc?
Odd in a country where one's library checkouts and book purchases have judicial protection that we see folks saying that warrantless bulk capture of electronic communications is somehow Okey dokey....
@Jilles van Gurp
It's more than lying goes unpunished. It's that lying goes unpunished, while telling the truth results in an international manhunt complete with violating the rights of the President of Bolivia. Eric Snowden, if he returned to the US, would be severely punished, not for lying but for honesty.
There won't be any investigation - the proposal could never get enough political support. Also note that Congress tried several times to stop the same sort of program, and each time, NSA et al. just renamed it and carried on in a new form.
But prosecuting all the bad actors isn't necessary to stop the pernicious wiretapping-dragnet. All that's necessary is for the law to be changed to abolish the secret orders outside the normal warrant process, and clarify that server operators don't have to subvert their own services, lie to the public or keep silent about the wiretapping.
And the law should clarify that providing strong encryption, where the service operator doesn't have the ability to spy on users, is not illegal and does not have to be shut down.
Sure, it may be an oversimplification. But to what extent can you be transparent if you're such an organization without harming your sources?
There is no intent on giving these organizations any slack for what they may or may not have done with respect to violation of their citizens' civil liberties. However, just as people tend to only see the plane wrecks and not the accident-free flights, what good does come out of any of these organizations (good you say? *scoff*), goes unnoticed, and given the above statement, more than likely can only go unnoticed. I may be wrong of course.
Intelligence Power in Peace and War, sounds like an interesting read. Thanks.
The ONLY feasible way to curb the NSA is to curb its power, pretty much abolish it. Schneier's political stripes are very obvious - we need "the right people," especially "that right person." That is a very bureaucratic way of thinking, and history is flush with telling us the right people RARELY, pretty much never, come along.
So, the only way to curb its power is to cut its spending. Currently, for every dollar a US resident produces, roughly 40-44 cents is supposedly spent on their behalf. Is this a "libertarian," position? yes. But it is really a classical liberal position, all the "liberals" today are social democrats or democratic socialists.
Afterwards, the "NSA" will have to be restarted under a new charter, with enumerated powers. This is bureaucratic in itself, but the threat of budget cuts may have the intended effect and pre-empt abolishment. This threat comes from one of the power dispersions not explicitly written in the Constitution as a dispersion (executive, legislative, judicial, state, county, local), the threat of elections.
I never understand how anyone can give the NSA either the benefit of the doubt or credit on any issue at any time. Once a government agency trashes the constitution and civil liberties I conclude that they can be guilty of any crime they are charged with. That's why you need oversight and the enforcement of enumerated powers.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.