Yochai Benkler on the NSA

Excellent essay:

We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations. The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.

Tags: national security policy, NSA, privacy, surveillance

Posted on September 18, 2013 at 7:06 AM • 59 Comments

Comments

James • September 18, 2013 7:12 AM

I really hope people grow angry and not tired over everything the NSA is doing.

Craig • September 18, 2013 7:30 AM

Are you kidding? This is America, man. People get vaguely annoyed about something as long CNN keeps talking about it, but then they get distracted by a celebrity sex tape or Miley Cyrus shaking her ass at the VMAs and forget all about it. In a way even Benkler is wrong; the real problem is the ignorance, apathy, greed, and uneducable stupidity of the American public.

Mike B • September 18, 2013 7:52 AM

It’s funny that the guy who is all about proper risk analysis is suddenly going off the deep end when his notion of “privacy” is threatened. The NSA is no more a “threat to our democracy” than terrorists or communists or the Tea Party. It is far easier to stay below anybody’s radar today than it was even 20 years ago, but the intelligence community’s rational steps to keep up with evolving technology is somehow the first step to living in the United States of East Germany.

When you are already giving data to third parties which in turn sell it to fourth and fifth parties you don’t have a reasonable expectation of privacy. The reason that the public isn’t all up in arms is because it doesn’t affect their lives at all wherein their social media footprint is being used for employment screenings and credit ratings which do. As much as people don’t want to believe it our government works more for us than any corporation.

An Australian • September 18, 2013 8:10 AM

So, the NSA can’t spy on us citizens, though it kinda does. And the Australian equivalent isn’t supposed to spy on Australians either. But they share raw data with each other, so… Rendering, anyone?

stevelaudig • September 18, 2013 8:11 AM

Once a real external enemy was gone the parasite had to turn on the host. Hence the desperate attempts to gin up a Muslim foe and next a Chinese foe. The USG is following the path of the Soviets who followed the path of the Nazis who followed the path of the Monarchists.

Stasi • September 18, 2013 8:13 AM

@Mike b

A rogue spy agency that is no longer accountable to anybody who wields tremendous power is a major threat to democracy. Run for office on a platform to shut them down and see what kind of political blackmail happens to you.

maxCohen • September 18, 2013 8:17 AM

This map says it all.

z • September 18, 2013 8:20 AM

@Craig

I agree, but this is only true to a point. Political attitudes of the public, both in general and towards certain issues, generally remain constant until a drastic event happens that causes them to shift. They will then remain the same until it happens again.

Examples: In the 1920’s, nobody would have accepted the massive government spending and control that FDR brought with him, but the Great Depression was one such critical event that changed the public’s attitudes.

The isolationism following WWI is another good example. Nobody wanted to intervene in foreign wars, but Pearl Harbor caused a massive shift in that attitude that we still see to this day. Many more people now accept the idea of intervention than they did right after WWI (though this is slowly ebbing).

9/11 changed attitudes about domestic spying and government’s ability to operate outside the Constitution as long as it “just used on the bad guys”. It would have been unthinkable for the public to accept the Patriot Act prior to 9/11–this is why it had been shelved for an opportune time after it was composed. The same is true of the TSA, DHS, and the actions done by the NSA.

It’s too early to tell if the revelations of what the NSA is doing will be one of these events. My concern is that it will be limited to the people who already care about it (such as those of us who follow Bruce’s blog), but will slowly lose the public’s attention as the media ignores it, or waters it down to seem less problematic than it is. When we look at the actions taken by the DOJ against AP and Fox journalists, as well as the UK authorities against Greenwald and his partner, I think that it intimidates reporters into avoiding these stories.

The solution is to approach this as a multifaceted problem and educate the public as to why it matters. Traditionally, revelations about the NSA’s activites were thought of as a technological problem only, and the security community has not been successful in explaining their implications.

It’s a history problem: History provides plenty of examples of government surveillance being used to suppress dissent and facilitate authoritarian regimes. Yet no nation in history has ever had the capabilities that exist now. It is a critical error to think that people such as Hitler, Stalin, Mao, and others can’t exist in the United States. We have systems in place to control the government because they do. We can’t assume we are immune.

It’s a legal problem: Besides the various legal specifics, we have to look at the totality of the situation–if all three branches of the government are willing to flat-out ignore the Constitutional provisions that prohibit this, how many other Constitutional rights are they willing to violate? Usurpation of rights is an addictive disease. When one gets away with it in one area, it’s easier to justify it in the next. Most people don’t care about Constitutional rights they don’t see themselves using. How many non gun owners care about the 2nd Amendment? Yet when encroachments of the 2nd become easier and easier, we see them happen with the 1st and others. We need to make people aware of this; all rights are important.

It’s a psychological problem: The 1st Amendment allows for free speech, expression, religion, etc., but surveillance attacks that, even if it is remains observation only and no action is taken. Why? Studies have shown that people who know they are under surveillance act in more mainstream ways. Simply being aware that you are being monitored causes us to behave in ways we deem more socially acceptable–a clear limitation on the freedoms the 1st Amendment provides.

Most importantly, it’s a political problem: How much control over our government do we actually have left? Why should we accept its disappearance? We have to face the fact that the separation of powers is under attack, the Constitution is ignored, and the framework of our nation is being eroded in the name of “security”. We have to support candidates for office who will change that, put pressure on those in office to change it, and oppose the ones who support it. Most critically, we can’t let this become a Democrat vs Republican issue. That will spell the end for any hope of success.

The whole point of this is just to show that public attitudes can be changed, but it will require a different approach than simply explaining the technological underpinnings of the problem. My background is in political science, not IT, so I can’t really comment on those anyway, though I enjoy reading about such subjects. We have to look at every aspect of the problem in order to fix it.

Alex • September 18, 2013 9:00 AM

In my conversations with non-technical people, I’ve had trouble convincing them that the attacks on our ability to trust our technical infrastructure is a big deal that’s going to create major economic effects. We have to get this across to people.

The Petrobras story is really important. It means that foreign companies can’t trust US IT.

The immediate effect of this is muted, because the US tech has such pervasive lock in that no one can jump in the short term. But I think we’re going to see the start of an important realignment of the tectonic plates over the next several years. The damage this is going to do to the US economy is staggering.

A couple of posts back, there’s a discussion about random number generators in Intel’s chips. The fact that we’re having that conversation has a corollary — “Don’t use Intel chips.” That’s a really big deal.

These guys have deliberately infected us with a disease that might end up killing one of our most significant industries, and no one seems to care, or even to be aware that it’s happening.

One of the things you said earlier, about a truth and reconciliation process, is probably what’s needed. We should be doing everything we can to re-establish trust in our tech industry before the world abandons it. The only way we can do that is with disclosure and a new transparency that allows customers to verify what they’re getting.

But if you look at things from outside of a tech perspective, it’s just not going to happen. No one understands what’s going on.

The thing they might have killed is so beautiful, too. The economic power of the industry, the visceral joy of seeing so many good ideas pouring out of so many smart people, the fun of building amazing things.

Aspie • September 18, 2013 9:06 AM

To reiterate – and expand – an earlier comment about mithridatism.

Innoculation is a close cousin of the technique; to immunise against poison by self-aministering small doses to build up a resistance.

I believe the agency is using the negative publicity in the sense that numbing of public opinion by drawing out the pain in smaller measures helps the agency develop a kind of media chitin through which, if enough fog of explanation and tiresome reiteration of unsupportable “facts” being reborn as true (Mao) the agency becomes less assailable through the most commonly used media.

Play this against the gradually decreasing clamour of the voices of discord and we become “trained” to accept their role and their mandate as “necessary”. It’s a waiting game, who will tire first?

If there are no blatantly seditious results that can be traced to their power base within 12 months then their position will be so much more agglomerated. The consolidation this provides will give them a foothold to push harder into fresh territory.

It’s almost biological. Watch how a parasite invades a host. The best don’t kill the host, they subvert it. They feed on its energy and gain more power.

I’m only making an observation, not offering any form of treatment. Unless there is some form of chemotherapy for nation states that escapes me.

Nick P • September 18, 2013 9:25 AM

I like how he worded this:

“The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.”

JeffH • September 18, 2013 9:48 AM

@Aspie “If there are no blatantly seditious results that can be traced to their power base within 12 months then their position will be so much more agglomerated. The consolidation this provides will give them a foothold to push harder into fresh territory.”

It’s hard not to be cynical and argue that this has already happened countless times in countless scandals, and each time little has truly changed. Usually a scapegoat of some form is offered up to assuage the public, and in the meantime it’s business as usual.

Consider how rare it is for groups of people to genuinely stand up and not only say ‘this has gone too far; it’s time for change’ but act on it. It took more than one hundred years from the establishment of the British colonies in America to the Declaration of Independence, and like any wholesale change, the reasons for it did not occur overnight, but over a protracted period beforehand. It took events like the end of WW2 or the removal of the Berlin Wall to end various pieces of legislation that were later considered injustices.

Inaction is always easier, and if you’re not personally affected by what others protest about, you’re not very likely to care or get involved..

For all the articles written, all the media time spent on this subject, it will be a distant memory for most in a few years’ time. “Oh yeah, I remember that stuff about the NSA – didn’t they vote about it or something? – I’m sure it’s ok now that X is in the White House” (or some other arbitrary change that coincides with that person’s political beliefs).

If the Americans want this to be taken seriously, make it a cornerstone of the next set of elections’ discussions. Bet it won’t happen.

Snarki, child of Loki • September 18, 2013 10:04 AM

@JeffH: “If the Americans want this to be taken seriously, make it a cornerstone of the next set of elections’ discussions. Bet it won’t happen.”

If you want Americans to take the NSA scandals SERIOUSLY, then someone better publicize some evidence that the NSA has used their Sekrit Mad Hax0R skillz to penetrate and subvert the voting in American Idol, in favor of some of the “most inexplicably ‘popular’, yet horribly bad” contestants.

THEN you’ll see America rise up from its Barcalounger, and rage with the white-hot heat of 10,000 exploding suns.

Not before.

kike • September 18, 2013 10:55 AM

So we are sufering from Leucemia? Biopolitical approach stints

Get it together • September 18, 2013 11:07 AM

We are atomized. The technology and civil liberty groups are great but we need a LARGE organization to begin to address this. The NRA has their org and the Internet needs theirs. You can do anything without money and organization. This about creating power and leverage to overcome what is attacking us.

Daniel • September 18, 2013 11:11 AM

It is worth repeating.

Nor is this revelation new. It is always worth while to reread Ben Franklin’s speech to the constitutional convention.

http://www.usconstitution.net/franklin.html

“because I think a general Government necessary for us, and there is no form of Government but what may be a blessing to the people if well administered, and believe farther that this is likely to be well administered for a course of years, and can only end in Despotism, as other forms have done before it, when the people shall become so corrupted as to need despotic Government, being incapable of any other.”

The question must be asked: are we at that point today. Is American culture capable of anything other than a despotic NSA?

Individual Rights • September 18, 2013 11:20 AM

@Nick P

“The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.”

A colorful analogy, but it smuggles in the statist premise regarding the nature of individuals in a state.

By implication, individuals are merely expendable cells in the “body politic”. This is the organic state concept.

The essential issue is whether individuals rights are protected by the state or violated by the state.

Rockford • September 18, 2013 11:35 AM

The only way you get Americans to attack NSA is by:
1) moving its offices to some Middle East country and
2) then telling Americans that the evil muslims in that country are backward evil doers that need to be rescued for their own selves (muslim cultures are sufficiently different so somehow that seems believable to folks here).

And that idea of “making this a key point in next election”…haha and ha and LOL etc…Obama was already elected on a platform of change and marketed himself as someone to address some pain-points…and what happened…

It would not surprise me if the fact is that US actually does have a shadow government that wields the real power.

Petréa Mitchell • September 18, 2013 11:37 AM

A cleverly worded diagnosis, but I can’t agree with the treatment:

Insiders, beginning at the very top, need to be removed and excluded from the restructuring process. Their expertise led to this mess, and would be a hindrance, not a help, in cleaning it up. We need a forceful, truly independent outsider, with strong, direct congressional support, who would recruit former insider-dissenters like Thomas Drake or William Binney to reveal where the bodies are buried.

The unstated premise is that the NSA abuses are the result of inherently bad people being in charge, and thus putting inherently good people in charge will prevent future abuses. This flies in the face of everything we have learned about human behavior starting from the Milgram experiments. Subject a bunch of new people to the same pressures, deny them access to the experience of people who’ve been through it before, and the same behavior will develop all over again, much, much faster than you might expect.

To move forward, what’s needed is a clear and detailed understanding of how things came to be done the way they were done. Insiders need to be debriefed to uncover what choices they thought they had, and why they chose what they did. They need to be interviewed by people who understand how to get good information out of the interviews. “Forceful” is about the last adjective I’d want to see here.

Daniel • September 18, 2013 11:59 AM

Petrea.

It’s both. It is wrong to hope for a “white knight,” the Lone Ranger, etc to ride to the rescue for exactly the reasons you outlined. If nothing else on only has to look to Obama to see how being in power is very different from being out of power.

Yet at the same time people matter. One can’t have a standards-based society without giving people room for discretion. And when you give people room for discretion you give them room to express their own personal strengths and weaknesses.

This gets back to the question of where the NSA is filled with “bad men” or whether it has simply been given too large a Congressional remit.

It’s both.

phred14 • September 18, 2013 12:28 PM

Like NickP, I like the immune system analogy.

As the cries of “abolish the NSA” start up, it’s a good idea to remember how well anyone or anything functions without an immune system. Perhaps if you could fit yourself into a bubble it would go OK, but that’s even less practical for nations than it is for people.

The problem is not only worse than we thought, it’s harder to solve than we’ve even started considering. After all, there really are people out there who are out to destroy us and working actively on doing so.

The other side of the problem here is Trust. The USA has survived a long time based on people trusting that the government was at least trying to do the right thing, even if they weren’t always the best at doing so, and even if there were sometimes corrupt people in there. That trust is being eroded by the NSA problems. Even if we were to grow a pair and declare the current NSA leadership treasonous and take appropriate action, there might still be a nagging shadow of doubt that the “shadow-NSA” had arranged all of this and was still intact, behind the scenes pulling all of the strings, just the way they like it.

Conspiracy theories have no limit on nesting depth.

winter • September 18, 2013 12:29 PM

I somewhere read a comparison between institutions and fortresse:

A strong fortress must be defended by good people. If the fortress is weak it will fall even with good defenders. If the defenders are corrupt or ignorant, even the strongest bastion will fall.

The NSA was badly organized, even with deplorable opsec. It also hired the wrong people.

Josh • September 18, 2013 12:50 PM

In response to the first post hoping that people get angry and not tired of the NSA stories…

People are already angry. People are angry for a whole host of reasons. Almost 30 years of declining wages accompanied by rising prices being the primary cause.

If anything will make people tired of this it will be the shrill voices of the reddit/hacker news types that keep grinding away on blog posts and stories about technology that they don’t understand while saying that there is no political solution because they are too lazy to participate. (How many “super secure messaging” apps that do encryption in JavaScript have you seen posted to github lately? 100? 1000? OK…it’s an awful lot though…)

The solution to this is almost entirely political. People like Bruce do have some serious engineering questions to debate and decipher. Most people are better off getting involved politically than technologically. There energy is much more efficiently used contacting their representatives or local political part office.

JeffH • September 18, 2013 1:32 PM

@Rockford “It would not surprise me if the fact is that US actually does have a shadow government that wields the real power.”

I thought that was common knowledge. It’s not a startling coincidence that when Hollywood wanted SOPA passing, the legislature bent over backwards, both major parties all nodding in unison, whereas on pifflingly trifles like, oh, say, the US budget, they’d happily spend years arguing unproductively rather than hammer out agreements that solve problems.

I don’t think conspiracy theories are required – plain and simple ‘who has the money/political support and who will give it to me’.

As an earlier article mentioned, the NSA & General Alexander have been caught out hugely, and yet still remain relatively unchallenged; a testament to the political power wielded there.

Gweihir • September 18, 2013 3:02 PM

Very insightful article, that brings it all together, especially the angle of a bureaucracy caring about nothing except its own growth of power. While the author stops short of saying “sabotage” with regard to the damage done, you can literally feel how that was a later change.

And I completely agree, this monster cannot reform itself. It is by now a state-in-the-state, with its own laws and leadership and no real loyalty or allegiance to what it is supposed to serve anymore. For how dangerous such things are, look for example at the Prussian military or the fusion of all German police forces under the leadership of the SS.

name.withheld.for.obvious.reasons • September 18, 2013 5:40 PM

Here’s my opinion of the FISA Court opinion on the order under section 215.

From what I can gather, Judges assigned to the FISA court were victims of a crime. Evidently the university in which the FISA judges received their degree(s) lacked the proper accreditation to properly issue lawful diplomas for a degree in law . Quite possibly the unnamed universities, can’t reveal sources and methods, failed to properly tenure professors in law. Or the university course curriculum was designed by mathematicians and conducted wholly by two elves and a reindeer–my suspicion–is an ass. I hope the judge didn’t take out a student loan to pay for such an insufficient education. Maybe there’s a chance at getting a refund, it’s clear that the judge has suffered frmo the experience–both intellectually and financially.

The “Courts” rendition of the facts in argument for the constitutionality of the government orders for bulk phone records, section 215 of the Patriot Act, is as idiotic as they come..,

1,) In using Smith regarding expectation of privacy (a. pen test case, b. individual), there is no corollary to the parties in this case–I don’t see how it is relevant; and,

2.) as Smith is the way in, thus all other arguments supporting the “Court’s” claim are vacated.

Three is not necessary since the judgment in my opinion would be vacated.

3.) Where is the authority for the “Court” to render constitutional opinions with respect to any “government” request. The 4th amendment does not apply to the government–as such the government has no standing. Therefore, the judge could not possibly rule on a case where there is a.) only a plaintiff or defendant; and, b.) due to the scope of the order, it would be impossible to contravene the supposed defendant as an individual. As this issue is between the government, and as in the Smith case, an individual injured by the government, precludes the governments “expectation of propriety”.

I leave this with you to ponder…

MingoV • September 18, 2013 6:33 PM

The analogy is poor: the NSA is not like antibodies attacking our bodies.

The NSA targets communications systems. The analogous system in our bodies is the nervous system. The NSA does not damage our nervous systems (eg: the internet still functions). Instead, the NSA runs continual brain and nerve scans using hard-to-detect intrusive agents that have no direct effects on our nervous systems or our bodies. The indirect effects are significant: anxiety, changes in thought patterns (self-censoring of what you send and receive), changes in type and frequency of sexual activity, suppression of the urge to nuke all NSA buildings, etc.

The NSA abuse of its charter could be ended instantly by requiring that all NSA-gathered data on its high level administrators be made public.

Dirk Praet • September 18, 2013 8:03 PM

The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.

Really cool analogy between the NSA and a disease like lupus, but just like @z I believe the problem is much bigger in the sense that the disease has not been contracted by accident (it is unknown what causes lupus), but instead has been deliberately inflicted upon the patient.

A perhaps better analogy is that of contracting AIDS, beit not by a promiscuous life style with lots of unsafe sex, but by a trusted partner who never told you that he was HIV-positive. Another one that comes to mind is the Umbrella Corporation in “Resident Evil” developing the T-virus in its quest to build a superhuman, but which goes horribly wrong.

Anyway, as long as all three branches of government maintain that both the powers and the activities of the NSA are perfectly legal and under control, the NSA is not the problem, but the government is. In which case all we are learning today is either nothing more than the project for the new American century at work, or a government apparatus in complete denial over the threat their out-of-control SIGINT agency is posing not only to the very foundations the US was built upon, but also to the nation’s perception by the rest of the world.

If terrorism was the original problem, then today’s NSA is living proof that some cures are indeed worse than the disease, and history will judge harshly over those that were responsible for it.

@ Mike B

The reason that the public isn’t all up in arms is because it doesn’t affect their lives …

I think a subtile nuance is in order here. Not only does the general public have the foggiest idea to which extent their every move is being tracked, it is also completely clueless as to the many ways these data can be used and abused, and by whom. Most people will only realise that the day it jumps up and bites them in the ass, and that goes for both corporate and state tracking.

When you are already giving data to third parties which in turn sell it to fourth and fifth parties you don’t have a reasonable expectation of privacy.

Which again begs the question in how far the “giving away of personal data” by the average PC/tablet/smartphone user is an informed decision or merely an unintended side-effect of using said devices, and which they are only vaguely aware of. If the former, than that’s their choice. If the latter, it is just as deceitful as the small print in sales contracts or T&C’s which no one is reading anyway, and those who do in general don’t understand.

If you don’t have a problem with this and consider ubiquitous surveillance as inevitable as death and taxes, then that’s fine with me. You cannot, however, expect everyone else to feel the same about it. Over here in Europe, privacy is considered a fundamental right, and one which I care a lot about, especially when it is being targeted by foreign corporations and state actors.

Consequently, I am always trying to minimise my digital trail using a wide array of tools and techniques, avoiding like the plague any product or service whose primary business model is based on data mining its users. Not because I have something to hide, but because, frankly, what I am doing is no one’s business except those I voluntarily and knowingly choose to share it with or until such a time that I am being presented with a warrant based on probable cause that I am doing something illegal. Your mileage may vary.

Nick P • September 18, 2013 9:14 PM

@ Individual Rights

“By implication, individuals are merely expendable cells in the “body politic”. This is the organic state concept.

The essential issue is whether individuals rights are protected by the state or violated by the state.”

It depends on how you view the metaphor. The body might be the country as a whole and all its constitutionally approved parts, including protection of civil rights. The immune system are intelligence, LEO and military. Immune is attacking other parts. Yeah, it works. Just not perfectly.

Yet, it’s irrelevant as our system isn’t about protecting our rights anymore. Most evidence points toward it being a pyramid or power establishment at the highest levels. This has been the case for a long time. In such a scheme, the goal would be to protect them, not us. We would be to them a necessary evil. It’s why the solution will be political.

@ phred

“Conspiracy theories have no limit on nesting depth.”

Very true and I like that wording too. Haha.

Greg Jaxon • September 18, 2013 9:18 PM

You quoted one of Mr. Benkler’s best paragraphs, but I also liked hearing

The “serious people” are appealing to our faith that national security is critical, in order to demand that we accept the particular organization of the Intelligence Church. Demand for blind faith adherence is unacceptable.

And yet, this seems unavoidable if we regard Secret Agency as constitutional.
There are two sources of authority for government “by the People”:

informed consent and
blind faith.

The Constitution generally specifies a government that should thrive on the first.
It contains an amendment that prevents the government from Establishing any Faith
as a requirement for citizenship. Of course faith in our leaders is a typical shortcut.
But the promise behind the Constitution was that through checks and balances of power
no action would be entirely unaccountable. To contravene that principle is to Establish a
belief-requirement as condition for legal citizenship – i.e. to establish a religion.

Alain from Switzerland • September 18, 2013 10:18 PM

@Craig
When I type “snowden” into a Google search bar, and then type a space, Google makes a few suggestions, the second one is “NSA”, the first one is “girlfriend”. That’s a mirror of current times, no matter how this came to be…

z • September 18, 2013 10:32 PM

@Get it together

The atomization you are noting is true, and I think I might have an explanation for it, if not a solution. I said earlier that public opinion will usually remain constant about an issue until Something Big happens to change their attitudes. But that something has to be tangible. The public is generally not motivated to action by ideology alone, even if it plays a part in the process.

It wasn’t a rejection of libertarian economics that led to FDR’s expansion of government control and spending; it was the fact that people were hungry.

It wasn’t a repudiation of the notion of isolationism that led to the US being more active in world affairs during and after WWII; it was the threat of nuclear war that made people support the Truman doctrine.

The public’s attitudes towards domestic spying as a construct didn’t change because people thought it over and decided that it was a good idea; they were motivated to accept it by the 9/11 attacks and the horrible destruction they caused.

Because people don’t see a need for action until they detect that something real, tangible, and imminent presents a threat to them, or until after they have been harmed by it, activist groups are usually highly specialized and limited to people who would have something to gain or lose with regards to that issue. The public at large seems to be uninterested in defending rights unless they are rights they exercise frequently. It’s the reason why non gun owners don’t join the NRA, non smokers don’t protest public smoking bans, etc.

The problem with the NSA issue is that it is a highly abstract threat to most people. The “Well, I have nothing to hide” people rear their heads and say that it does not matter to them. Others say that such power will only be used for “the bad guys”, forgetting that they could be labeled as such. Nobody is starving from the NSA scandal, gas is still at stable prices, and Jersey Shore is still on; until something tangible happens, people aren’t going to go beyond a little surface disgust at the whole thing before moving on and forgetting it. There isn’t enough to mobilize people and that may be why we aren’t seeing the kind of large, organized movement against it.

As a related aside to this post, I once met a Holocaust survivor and asked her how her family could have seen what was going on around them in Germany and not realize the threat to them until it was too late. She said “We thought, ‘Why would they come after us?’ We were Germans, after all”. Scary to think about.

Anon • September 18, 2013 10:46 PM

It’s strange that William Binney is considered the solution. Some of the statements he made before the Snowden releases are directly contradicted by some of the Snowden documents. If you actually believe all the Snowden documents, then Binney is a liar.

z • September 18, 2013 10:47 PM

@ Petrea Mitchell and Daniel

Intersting thoughts. I don’t think that the NSA is filled with evil men bent on some plan to wield power. The more likely scenario is an issue of culture. When an organization has a culture of bending the rules, it will inevitably morph into a culture of breaking them. When new members are added to it, they may see what is going on and reject it. But over time, peer pressure from others who were in their shoes sets in, and they quietly comply. Maybe they even actively support it. Exceptions are made. “We’re only doing it to these people in these circumstances” becomes “We’re only doing it to these people.”.

Eventually, you’re not only doing it to these people, but to those people as well, and then everyone. It is possible to make so many exceptions to the rules that the rules themselves look like exceptions. As new people become assimilated, it is these exceptions that make them accept things they didn’t want to. It’s easier to live with violations of the Constitution if you see them being used to catch real terrorists. Lines such as “We couldn’t do our job without this” and “The public wouldn’t understand” become commonplace.

Adding to the pressure on new members is the fact that they may lose their jobs or credibility if they oppose what they find to be unfavourable. The result is that the organization becomes filled with relatively normal people who find themselves doing things they never would have thought they would do when they started because they have been assimilated by the culture of that organization.

In the end, institutional culture is like a train with no brakes. As standards of conduct become looser, people become more tolerant of wrongdoing, and eventually nobody can remember how it all started.

Clive Robinson • September 19, 2013 3:19 AM

@ Anon,

Not of necescity both Binney and Snowden have different view points into the organisation which in some respects are highly compartmentalised.

So do not rule out ilinformed and misinformed when considering the disparity.

We know from the documents Ed Snowden has released that there are “levels of lies” that the NSA managment hand down to those “not on their pay grade” and likewise (No “need to know”) across any pay grade. In such a matrix there exists “vacuums of information” and as the old saying has it “nature hates a vacuum” and thus humans “fill in the blanks”.

Also as anyone who has worked with far east companies will tell you, there is an ethos of “knowledge is power” and used to forge aliances of self promoting groups. This in turn leads to a layered system of patronage where small pieces of information are handed out as rewards. However those receving such rewards know not due to the culture if what they are being told is true or false, they have no way to verify a statment from a single person. Thus false knowledge can get handed down through several layers and in the process several people at a lower level will know this false knowledge. But if they try to verify they will find several people have this false knowledge and thus become unknown false verifiers thus what is false becomes truth to those at that level…

We see this sort of things in cults in the west and also in bueracratic cultures where ridgid pay scales and the supposed requirment for confidentiality make “secret knowledge” the coin of success.

Thus even openness will not lance this boil you need to have a real system of reward, punishment and progression to keep people honest otherwise the boil will just reform.

But such a system will not happen if those at senior levels know that the risk/reward/punish can be subverted in some manner. The problem is even in open organisations in the commercial sector we see Bruce’s “outliers” subverting the system, and we appear to have no way to stamp out “office politics” that works…

Curious • September 19, 2013 5:13 AM

@Greg Jaxon

“And yet, this seems unavoidable if we regard Secret Agency as constitutional.” (Greg Jaxon)

Right off, I am weirded out by this suggestion of you saying that there is something “constitutional” about so called secret agency.

Knowing what is quoted by Greg from Benkler; it is said that a “demand for blind faith adherence is unacceptable”; this sounds very odd to me as it confound the qualifiers I have for defining things being ‘fascistic’ and things being ‘idiotic’ (fascists wouldn’t say “trust us” nor would they demand ‘blind faith’; a demand and/or belief in obediance is what is fascistic, not idiocy nor having so called faith as such); which to me would make a discussion about some peoples “adherence” on the basis of purported faith issues, into some kind of absurd understanding of reality, in which use of concomitant adjectives is supposed to be a substitute for facts or reason. It seems all too clear that there is no real argument there at all and no clear idea as such (conceptualized understanding), for thinking that there is an appeal to peoples faith as especially as if that had anything to do with national security. If anything, it would be an appeal towards peoples capacity for being or becoming idiots, and so this notion of anyones regard for having a ‘secret agency’ is not and was never an issue.

From what I can tell, Benkler simply alludes to how people end up becoming idiots, and off that there is no case for discussing anyones “belief” because unfortunatly he is not really referring to anyones real belief/faith.

The sentence “a demand for blind faith adherence is unacceptable” is understandable in the context of someone thought to expect obedience, but it is the idiocy part (blind faith) that is unacceptable there, and so to try referring back to an idea about SOMEONE thought to demand acts of blind faith as it that was the same thing as being an idiot should not be possible.

So, for this notion of: “Demand for blind faith adherence is unacceptable.” Either this notion of “demand” is not something real, or the “blind faith” part is not something real.

“Blind faith” is not really an “authority” for anything, it is pure idiocy I have to say.

Michael Moser • September 19, 2013 8:40 AM

http://www.youtube.com/watch?v=ejJNX_BUzL0
This Soviet animation film from 1967 : “Mountain of Dinosaurs” (translation in subtitles);

Here the dinosaurs are dying out because the protective shell of the dinosaur eggs is adding more layers and is growing more and more thick;

Dinosaur: Hey shell, its time to hatch, why won’t you crack open? I must see the sun!
Shell: I’m protecting you; I must do my duty. I must do my duty.

Amazingly anti-soviet film that is describing this situation perfectly.

Skeptical • September 19, 2013 9:43 AM

On technical subjects in here, I usually just shut up and read, since I’m not an expert and it’s a pleasure to learn from those who are.

But on subjects closer to law and politics, I’m knowledgeable enough to weigh in.

The essay in question wasn’t very good on the merits of its arguments.

For example:

The essay claims that the NSA is bloated, gorging itself on billions of dollars, with tens of thousands of employees, for little return.

As evidence, the essay notes that a FISC order stated that the Court was unimpressed with the “three preliminary investigations” caused by the program at issue in that order.

The problem is that the telephone metadata program to which the Court was referring is small from a resources vantage. Few analysts are trained and allowed to use it, and it’s essentially a repository for business records collected by telecoms.

This just isn’t good analysis. The telephone metadata program may not be worthwhile, but’s hardly evidence that the NSA as a whole is bloated.

Now, if you already agree with the author, perhaps you felt like cheering him on as you read him. We all do that when we encounter an agreeable opinion. But if you take a step back and ask yourself, in a skeptical, scientific spirit, what evidence he offers for his assertions, you don’t find much to hold on to.

Let me give another example. The essay points to the defeat of the Amash-Conyers Amendment in August that would have specifically limited Section 215 of the Patriot Act from allowing database collection.

But the author doesn’t realize how deadly this defeat is to his overall argument. The House of Representatives, in defeating that Amendment, essentially voted to agree with the FISC in its interpretation of Section 215. In other words, the vote strongly indicates that the NSA did NOT break the law, and that the FISC did not adopt an unreasonable interpretation of the law.

Finally, despite the ambitious rhetoric of the essay (“the NSA mounted a systematic campaign against…constitutional checks and balances…”), we don’t see any examples of actual abuse by the NSA. In the example the essay gives of the FISC scolding the NSA, the essay fails to mention that the NSA voluntarily disclosed its mistake to the Court, submitting itself to any further action the Court wanted to take (after insisting on an extensive review, by the way, the Court in a later decision obviously decided to allow the program to continue – but the essay declines to mention that fact). Examples of dissidents being suppressed by the NSA? Not found. Collection of blackmail material on politicians in Washington? Not found.

How about just some information from those who actually had to use intelligence produced by the NSA, and who are in the best position to judge whether the NSA is bloated or not? In the essay, not found.

If someone wrote an essay like that on a technical topic, I suspect he’d face some harder questions. For some reason, it’s easier to get away with questionable reasoning in political analysis.

Doug Coulter • September 19, 2013 2:26 PM

@z – you’re describing what the CS Lewis book “That hideous strength” was all about – how individuals who start out as “good” people are subverted to doing evil, perhaps while still feeling they are not doing something wrong. It was a hard book to read the first time for me, because it was happening to me at the time (and I was working in “the community” myself).

@Skeptical – nicely phrased but…
We already know the LEO’s including the DEA get info from NSA, then are instructed to re-create evidence so as not to have to admit the source. Sure, not in this essay – is that all you’ve ever read?

How would you know if the NSA had collected info on the most blackmailable group of people on earth – congress, and was just giving that little tap on the shoulder if they get out of line? As long as it works – and it can work for a long time – you’ll never know. I imagine a few congress-critters have gotten that tap on the shoulder “do you want to have X revealed?” – where X might be “you with little boys, porn, campaign contributions vs votes” or almost anything.

Thank heavens I left that business when all this was mostly just a twinkle in their eye. The corporate culture there makes Snowden’s revelations quite believable if you’ve been there.

Kevin an Auditor • September 19, 2013 2:35 PM

@ Skeptical
Skepticism is my profession, and I find your arguments decidedly inferential and unconvincing. To Wit:
” the defeat of the Amash-Conyers Amendment in August that would have specifically limited Section 215 of the Patriot Act..” “the author doesn’t realize how deadly this defeat is to his overall argument”.

Senates, Parliaments, Dumas, Diets and Congresses globally and throughout history have enacted legislation that denies rights (however defined), to individuals and minority interests. The very concept of the electoral college and the election of Senators in the US is recognition of this fact. Flawed founding in the concept of three fifths of a person does negate the principle of individual liberty – (it argues for the extension instead…an other argument for another day).

The individual or minority interest cannot, must not, rely on “democracy” but on those “unalienable rights” endowed by their Creator. However one wishes to view that origin subtracts nothing.

And;
Thank You – for not being a troll ( throwing out insults etc..)

John • September 19, 2013 4:26 PM

I won’t argue with the notion that what the NSA is
doing undermines the foundations of American power: I too wonder what the US founding fathers would have thought about a government agency that bulk-monitors communications. But the NSA is doing what it’s been mandated to do: monitor (non-domestic) communications. If those communications are on the Internet, the NSA needs to find a way to monitor them if it’s going to do its job. If there’s a fundamental problem with this, it seems to me the issue is with the mandate itself, and it’s that mandate that needs to be looked at.

ECI • September 19, 2013 4:39 PM

Part of me agrees with many others here in that NSA is a rogue organization beyond the reach of lawmakers that needs to be reigned in by some serious reforms. However, the other half of me is more practical and less conspiratorial and realizes that the functions it serves are most certainly vital to national security. Ask any intelligence expert and they will tell you that SIGINT is, by far, the most reliable form of intelligence. This is likely why the NSA’s budget has surpassed the CIA’s (HUMINT) in recent years.

Just look at Obama for a moment. During his campaign in 2007-2008, he was just as much of a critic of Bush’s “unwarranted wiretaps” as anyone in the media. He said (and lied) that he would vote against telecom immunity. His opinions on the matter and his criticisms of NSA pretty much mirrored what people like Bruce are saying now.

Then he gets elected and his entire opinion on the matter apparently changes overnight. So, what happened? It’s simple really: as candidate Obama he was not “in the know,” but once he got into office and started hearing all of these classified briefings he had an “oh shit, so that’s how things really are” moment. He has even said as much publicly. For instance, when he was in Sweden after the Snowden story broke, various European reporters asked him about the NSA “scandal.” Obama basically said “If you knew what I knew, you would support these programs too.”

The problem I think we have in today’s world is that technology is no longer partitioned. During the 70’s, 80’s, and 90’s, for example, NSA ran the same type of sabotage programs against various crypto implementations. However, back then they could target specific crypto “machines” without having to worry too much about infringing on the privacy of Americans or citizens of closely allied nations.

Crypto AG is probably the best example of this. It was one of NSA’s most classified projects and led to a treasure trove of intelligence all throughout the 80’s. NSA (along with Germany’s BND) had rigged the machines so that when the ciphertext was transmitted, it also transmitted the key along with it. The only reason these backdoors were ever made public is because certain people in Congress couldn’t keep their mouths shut and told the media about various intelligence that was gleaned from this operation. Foreign governments (specifically Iran) put two and two together and realized that the information being reported in the press had to have come from their encrypted communications which led them to the obvious conclusion that their machines had been compromised. The Iranians even kidnapped a Crypto AG employee and held him for ransom. Fascinating reporting about this whole incident here: http://www.meta-religion.com/Secret_societies/Conspiracies/CIA/crypto_ag.htm

Now I think most of us here today would say “good job, NSA, you were able to tap the communications of some of America’s biggest threats.” The difference today is there aren’t really any more specific crypto machines — everyone everywhere uses the same technology (namely the Internet). So what is the NSA to do? In a perfect world they would backdoor everyone’s communications except that of Americans and its close allies. The problem is everyone, everywhere (both good and bad) uses the same crypto implementations on the Internet. NSA is left with no choice but to backdoor us all. It is technically impossible just to tap “part” of the Internet or to break SSL just for the Iranians or North Koreans and not American citizens. It just doesn’t work that way, as I am sure all of you here understand.

So, what would you suggest? NSA stop collecting intelligence? If not, then how do you propose they only “tap” part of the Internet? How do you propose they only break the crypto of the enemy whilst keeping American crypto strong? Remember, export laws wont work in today’s Internet age — once something “strong” is out there, the enemy will immediately have access to it. So, if any of you have any ideas, I am sure NSA’s thousands of engineers, scientists, and cryptologists would like to hear your brilliant analysis of how to achieve perfect secrecy for American communications whilst also being able to tap foreign communications.

This is why none of these NSA leaks come as a surprise to me. As James Clapper said “The fact NSA works to break cryptography is not news.” It’s common sense really. If NIST releases strong crypto standards, the enemy is going to be using them too. There is simply no way to restrict this technology and keep it confined. This is why I have always been highly skeptical as to the strength of publicly “accepted” standards that are pushed on us by NIST (a front for NSA). The only question is which of these standards are still strong, which have been backdoored, and how was it done? Is it a flaw with the ciphers, a flaw with the protocols, a flaw somewhere else? Is it a backdoor in Windows, a backdoor in Intel? Sadly, the answer is likely “all of the above.”

So, if I worked for NSA, I would do precisely what they are doing. I can’t blame them — they are, after all, in the business of gathering as much intelligence as possible. If anyone is to be blamed it should be Congress and/or the FISA court. The problem is even the “oversight” is highly classified and thus we in the public are forced to merely “trust” those in the know to conduct the proper checks and balances. NSA spying is not going to go away — we have to accept that. The only thing we can ask for is more transparency from the oversight process. But that in itself is a double-edged sword. If you allow too much transparency, then no doubt someone somewhere is going to leak classified information.

Now, it’s tin-foil-hat time:

One thing that has always made me somewhat suspicious about the NIST “open” competitions is how both the AES cipher and SHA-3 hash function were created by the same people (Joan Daemen was on both teams). Even though Daemen is Belgian, if you look at where he works (STMicroelectronics), you will see that its headquarters are in, you guessed it, Switzerland. The same Switzerland that was home to Crypto AG and the same Switzerland that has a secret agreement with America to only “pretend” to be neutral (goes back to a deal signed when Truman was in office).

And if you look at what other cryptographers have said about AES specifically, you will see that they are suspicious of its security (though none deny that its performance is exceptional). Bruce said he had reservations about Rijndael in his 2003 book “Practical Cryptography.” Even though he thinks AES is not breakable in any practical sense, he has reasons to be a bit suspicious of its theoretical security. Others have said the same thing, especially the XSL people who have described Rijndael’s exceptionally simple algebraic structure. I really do think they are onto something with this, even though people like Coppersmith (a former IBM cryptographer who knew about “differential cryptanalysis” back in the 70’s and chose to keep it secret at the request of NSA) have tried to downplay it. Others have remarked on its very questionable key-schedule.

Does NSA know something about AES’s potential weaknesses that the public doesn’t? I would place a pretty large bet that they do. They have been at the crypto game longer, have more people studying these problems full-time, and have techniques for cryptanalysis that are classified. Does this mean they have some marvelous technique to quickly recover plaintext via a ciphertext-only attack (COA)? Maybe not. Or maybe that’s exactly the “breakthrough” Bamford was talking about it his Wired article last year and perhaps it’s the same “breakthrough” Clapper was talking about in his budget requests to Congress (as leaked by Snowden). Bamford’s undisclosed sources seem to corroborate the Snowden leaks.

My bet is still on the notion they have broken public-keys somehow, though.

*tin-foil-hat removed**

In any case, it shouldn’t matter what they have or haven’t broken from cryptanalysis as it is pretty clear from the documents that they have rigged the game from the start, just as they did with Crypto AG.

Muddy Road • September 19, 2013 5:00 PM

American children need to be taught early about the concepts of privacy and security. Many simply and literally don’t know what they are doing when they dump personal data on the net and everywhere, many times of family and friends while they are at it.

A few years ago the clerk at the hardware store asked me for my phone number when I bought a $3 part for cash. I asked why and was told it was a way to track the purchase if I should want a refund some day. Of course that was the idiotic story she was told to parrot.

Depending on my mood these days I now give one of several fake numbers I have memorized or simply say I don’t have a phone. What are they going to do, refuse to sell me the light bulbs?

I am trying to say we all need to approach the internet with a whole new mindset. “THEY” want to know everything about us to gain POWER and if possible some of our MONEY.

We see now THEY are willing to use any lie or method to get our data.

I figure we should play be the same rule to keep it from THEM.

Don’t you?

kingsnake • September 19, 2013 6:30 PM

Muddy Road: They also often ask for zip codes. I don’t bother with saying no, I just out right lie.

Btw, where’s Bruce been today? Was he disappeared into the Gulag?

NonPlayer • September 19, 2013 6:39 PM

@Muddy Road,
When “the clerk at the hardware store ask[s] me for my phone number ” I tell him/her it’s none of his/her business – and walk out of the shop if they insist they need it. If we really want people to start taking privacy seriously we should stop playing the game (eg by giving a false phone number or pretending not to have a phone) and make it clear that we object to people collecting our data.

Buck • September 19, 2013 6:58 PM

@kingsnake

Bruce is probably busy complying with an NSL.
We’ll know for sure tomorrow if he comes back and doesn’t mention anything about it! 😛

Bauke Jan Douma • September 19, 2013 7:24 PM

Here’s a powerful article too, by Tom Engelhardt:

http://www.michaelmoore.com/words/mike-friends-blog/letter-unknown-whistleblower-how-security-states-mania-secrecy-will-create-you

bjd

Dirk Praet • September 19, 2013 7:25 PM

@ Skeptical

In other words, the vote strongly indicates that the NSA did NOT break the law, and that the FISC did not adopt an unreasonable interpretation of the law.

The Amash-Conyers Amendment would have

de-authorised the USG from holding a pool of metadata on every phone call of every American under PA Section 215.
forced the USG to comply with the intent of Congress when it passed Section 215, i.e. only acquiring business records and other “tangible things” that are actually related to an authorized counterterrorism investigation.
imposed more robust judicial oversight of NSA’s surveillance.

It was not in any way a vote on the legality of the NSA’s activities or the FISC’s interpretation of the law. Congress can’t even vote on such proposals, because the US Constitution has two clauses that explicitly prohibit ex post facto law, i.e. Art 1, § 9 and Art. 1 § 10.

The amendment was defeated by a very narrow margin of only 12 votes (205-217), so was all but a strong indication of support. It would probably even have passed if it hadn’t been for the frantic campaigning against it by POTUS, House minority leader Nancy Pelosi (D) and House Speaker John Boehner (R). In the wake of the vote, Pelosi sent a letter to POTUS, signed by 150+ members of Congress, which basically read as “we have stopped this for now but we need to do something or the next vote may turn out entirely different”.

@ Skeptical, @ ECI

Just like you, I very much believe that a (well-controlled) SIGINT agency performs a crucial task in national security. But as a stupid foreigner from a small country in Europe, I would very much like to know what your opinion is on the outright disgusting scale of criminal NSA operations outside the US.

You may have heard that Brazilian president Dilma Rousseff has just canceled a state visit to Washington as a result of the ongoing revelations about massive NSA spying in her country, even on her own email. Over here, we have learned that the NSA has pwned/introduced APT’s at EU Institutions, the Society for Worldwide Interbank Financial Telecommunication (SWIFT), our largest telco/ISP Belgacom and the ministeries of Foreign Affairs and Foreign Trade, all of these in the Brussels area, a region well-known for harbouring thousands of potential terrorists. In this context, I would like to draw your attention to a less known Snowden document about the NSA’s International Security Issues (ISI) Build-out dated May 17th 2006. Quoting the Global Capabilities Manager:
The Western Europe and Partnerships Division primarily focuses on foreign policy and trade activities of Belgium, France, Germany, Italy and Spain as well as Brazil, Japan and Mexico. The division reporting also provides some key intelligence on military and intelligence activities in some of these countries. Some really fine ally the US makes.

Do tell me that all of this is perfectly OK because that’s what the NSA’s mission is, that we just have to suck it up because you are the good guys and that the US really can’t be bothered with silly international law such as:

Article 12 of the the UN Universal Declaration of Human Rights, (to which the US is a signatory): “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.“
Article 27 of the Vienna Convention on Diplomatic Relations: “The official correspondence of the mission shall be inviolable. Official correspondence means all correspondence relating to the mission and its functions…“
Article 38 of the Statute of the International Court of Justice (which the US doesn’t even recognise)

Ultimately, I leave it to the people of the US and its three branches of government whether or not the NSA’s domestic activities are constitutional under your 4th Amendment. But using the same argument against the rest of the world is not just insufficient but downright offensive. Carry on like this and pretty soon the US will have no friends left anywhere, except for the UK which for all practical purposes seems to have become a US colony.

Filby • September 19, 2013 8:16 PM

Linus Torvalds Admits He Was Approached By US Government To Insert Backdoor Into Linux — Or Does He?
[snip]
At the LinuxCon meeting in New Orleans, Linus Torvalds was asked if he had ever been approached by the US government to insert a backdoor into the Linux kernel. Here’s his characteristic answer:

Torvalds responded “no” while shaking his head “yes,” as the audience broke into spontaneous laughter.

Obviously, it’s hard to tell from that whether he really meant “yes” or “no”. But the question does touch on an important issue: whether open source might be less vulnerable than traditional applications to tampering by the NSA or other intelligence organizations.
[/snip]

Linus' Law • September 19, 2013 8:51 PM

Filby,

I believe Torvalds is now a U.S. citizen (even though he was born and educated in Finland). Keep that in mind.

So we can take his very odd response in one of two ways:

1) He was joking.

2) He has received an NSL and that was his clever way of revealing it. After all, if anyone involved in Linux kernel development were to be provided with an NSL, it would be Torvalds. He has complete control of every line of code that is allowed in the kernel. This would make it very simple for NSA — they would only need one person to be “in the know” about this.

Now let’s assume Torvalds is clean and has no knowledge of any kernel subversion. It still doesn’t mean there isn’t any. Remember that the vast majority of kernel code is submitted by employees of corporations largely based in the U.S.– Redhat, Intel, Oracle, Google as well as by foreign corporations (Novell for instance). Even Microsoft provided some virtualization code to the kernel. There are even some binary blobs in the kernel now (some companies would not release drivers unless they were binary). There is no possible way Torvalds himself has audited all of this code — he is just like everyone else, he is relying on trusting people he thinks are trustworthy.

The notion that Linux is somehow coded completely by libertarian cypherpunks is no longer true — it has become just as corporate as MS and Apple. The only difference between Linux and MS is that Torvalds publishes all sourcecode. However, that by no means guarantees Linux has no malicious code. I read a story once by a kernel developer who said he was sent kernel code (hidden inside a driver or something) that inserted a backdoor and gave the attacker root access to any and every machine. Luckily this particular kernel developer spotted the malicious code and promptly blacklisted this person from ever contributing code. One has to wonder how many such bits of code have been missed in the past.

On top of that, the kernel devs use Git (designed by Torvalds) as their revision control system. I have serious concerns over how secure Git is. When a developer pushes his updates, it travels over SSL which we all used to assume was secure. Now it seems highly probable that NSA would be able to MITM any such code submissions and change them as they saw fit. Git is distributed, which is it’s one security strength (as Torvalds mentions a lot) meaning an attacker would need to subvert all the code that is mirrored on various machines around the world without someone noticing.

I still don’t trust it — too many people have access to kernel code and this, to me, is a liability. But, I still find it infinitely better than the closed-source “trust us we’re clean we swear” model. I am a big proponent of open-source and I use Linux every day, it’s just I find open development to have its problems where security is concerned.

ECI • September 19, 2013 10:13 PM

@ Drik Praet

None of that comes as any surprise. To think that allies don’t spy on allies is to be naive. It happens, has always happened, and will always happen. For instance, the Snowden documents seem to indicate that NSA doesn’t trust Israel, even though they are supposedly a close ally.

I don’t know about you, but I am not too concerned if NSA is spying on Brazil’s government. As I said, this sort of thing has always gone on, even between allies. And America is not the only nation to engage in it — you can be sure other “allied” nations spy on America where possible. China, while not a strict ally, is well-known to conduct massive espionage campaigns not just against American businesses, but against military contractors. China has stolen vast amounts of intellectual property as well as military secrets.

The main concern would be if an agency like NSA uses such intelligence for some sort of corporate espionage (as China does) as was suspected with the Airbus contract in Saudi Arabia (though Airbus was acting illegally too). Or if political insiders use NSA intelligence for insider trading. I agree both of these things are concerning and the only way to minimize that risk is to severely limit how many people have access to the intelligence data.

When it comes to foreign intelligence services spying on the average citizen, I think we all have to be aware of it. As an American, I worry that China might have pwned my machine before I ever bought it. NSA seems pretty confident that Huweai has backdoored its products and this is the reason Huwaei lost a major contract in Australia. As a European I would be worried that NSA is scooping up all of my data and sifting through it. As an American I worry that GCHQ or one of the other “5 eyes” intelligence services are spying on me on behalf of the U.S. (this is an old trick — NSA uses allies to spy on Americans).

My point is that this isn’t just an “American” thing, it’s just that America has the “good fortune” of having the best spying apparatus right now. If other nations were as advanced in this area, you can bet they would be doing the same thing (many already are). Actually, the “5 eyes” nations are all about equally advanced as they all share information, technology, and “sources and methods” with one another. Do you think GCHQ, for instance, doesn’t spy on British citizens? Do you think BND doesn’t spy on German citizens?

No country or its citizens are immune from spying (and not just American spying). The only difference is here in America (as opposed to many nations) we have strict protections against government intrusions without a warrant. That is the crux of the controversy here. I don’t think anyone is surprised that NSA is spying, it’s just the extent of domestic spying that has people angry. And if other citizens of other nations have the same concerns about their own governments spying on them, I definitely can sympathize. The problem is most other countries have no constitutional protections against government spying in the first place, so they probably have no legal ground to stand on.

RJD • September 19, 2013 11:59 PM

Please. Now the NSA threatens “entrepreneurship”, the most over used word in corporate-speak? You forget to say it threatens “synergy” too. Other than the disgusting take down of lavabit.com, just where are those creative ideas being suppressed? Perhaps the NSA causes miscarriages and warts too.

This what I most intensely hate about the entire field of computer security. It is either greeted with indifference until something happens, or somethings happens and freak out results in demands for perfection. Schneier is rapidly undoing any respect I had for his analytical ability. Beside mathematical proofs, he is rapidly approaching the point of no longer deserving attention. Except maybe for squids if he can avoid freaking out over sperm whales, those ruthless accomplices of the NSA.

aaaa • September 20, 2013 3:22 AM

@ECI China does it too is not particularly strong argument. China spies, china tortures, china routinely lies, china a very corrupt, china is not a country I would like to use as benchmark of what is good enough.

Now, Germany and France and Iceland and Finland and other Western Countries bugged presidential office would be stronger argument.

I strongly doubt that Americans would be cool if it would be revealed that Brazilia listens Obamas phone cools. There would be huge outrage and possible threats to Brazilia.

Also, this attitude that only Americans deserve rights and protections is seriously troubling. Somehow, torture, spying, long detention and what not are wrong only if done to Americans. The more you listen Americans talk about these issues, the more it feel like foreigners does not count as full humans.

Mike the goat • September 20, 2013 6:17 AM

@aaaa: the party line that because other countries spy on their citizens then the US is justified in what it’s doing is very weak. It reminds me of the childhood cry of “but that’s not fair! Tommy at school does it”. If a parent could have a dollar for every time they have heard that logic and responded with something equally pathetic like “if Tommy jumped off a cliff would you do it too?” 😉

America pumps out its propaganda that it occupies a moral pedestal and is home of the free, brave and given the actions of those in power clearly it’s home of the stupid too. The reality is so far removed from their party line – unlawful search and seizure, fingerprint collection by state bodies like the DMV, universal surveillance, wide ranging legislature like the PATRIOT Act, FEMA, the militant TSA harassing airline passengers, checkpoints, warrantless stop and frisk in NYC.

I do not think the founding fathers had any of this in mind when they framed the constitution, which it appears was thrown out the window post 9/11. Like their use of a shooting tragedy to promote their gun control agenda the powers that be don’t hesitate to milk an event to their advantage. The mainstream media seems to be more interested in Britney’s latest breakdown or Miley Cyrus twerking than actually pushing real, unbiased news and the vast majority of the populace is too stupid to notice and would probably switch over to Here Comes Honey Boo Book if we were to ever have a half honest news broadcast.

It amuses me that Americans heavily criticized the Soviet Union for many of the things that they are doing themselves through the aforementioned NSA surveillance program. If you had asked an average Joe if they thought an NSL gag order, secret court rooms and infinite detention without charge pre-9/11 was ever justifiable then you would have received an adamant answer in the negative. Now it seems all the government need do is mention the bogeyman that is terrorism and they can do whatever they please with impunity.

Much of our talk has revolved around how best to protect ourselves from dragnet surveillance without anyone stepping up and demanding that we needn’t worry about protecting ourselves as the surveillance should not exist.

I am disgusted in the way this country has conducted itself in the past decade or so. Of course some of this nonsense started a long time ago with the so called “war on drugs” (they seem to like declaring war on concepts or inanimate objects).

Looking at the NSA revelations from a purely financial point of view it is abundantly clear that US IT companies including but not limited to colocation and virtual server providers, email service providers, software developers etc will be adversely affected. This could jeaprodize the US dominance in internet tech as international companies flock offshore to other jurisdictions with robust privacy and data protection laws.

The government responds to all this not with an admission of guilt and the announcement of a senate inquiry but with inane quips that this is somehow justified and that it is whistleblowers like Snowden who have jeaprodized national interest.

Perhaps I haven’t consumed enough fluoride (j/k) but this does not fly. I, like most of us am maddened by the US government. They should fear the wrath of WE the people but they know that the average American is too inept and lazy to rise up and give them the impetus for change.

Mike the goat • September 20, 2013 6:46 AM

Filby: I commented on this in one of the other blog posts a few hours back. Perhaps he didn’t want to overtly defy a NSL and figured that people could draw their own conclusions. Of course we know Linus’ sense of humor and it is highly likely this was just a joke. It feels like deja vu. Seems like it was only a few years back we were all talking about OpenBSD’s IPSEC stack and Theo de Raadt’s post onto the mailing list airing allegations that the government (through a contributor) subverted their IPSEC implementation. A variety of disparate people audited the code and while they did find some bugs there was nothing major found at the time.

Unfortunately with these NSA revelations being so vague we don’t know what to trust. Uh, now excuse me while I line my ceiling, walls and floor in copper cladding so I can install 386BSD on a 486DX in my homemade Faraday cage. 😉

ECI • September 20, 2013 7:11 AM

@aaaaa

Now, Germany and France and Iceland and Finland and other Western Countries bugged presidential office would be stronger argument.
I strongly doubt that Americans would be cool if it would be revealed that Brazilia listens Obamas phone cools. There would be huge outrage and possible threats to Brazilia.

I wouldn’t really care if Brazil spied on American politicians. I would look at it as a lapse in their security and a problem for them to fix. I think any rational person knows that most everyone spies on everyone (if they have the resources). Governments have always done this and it’s nothing new. The difference now is how easy it is not just to monitor foreign governments but average citizens. And the surveillance of average citizens is what most people here are concerned about.

Also, this attitude that only Americans deserve rights and protections is seriously troubling.

I never said anything of the sort. All I said is that the 4th amendment only applies to American citizens — NSA doesn’t have to obtain a warrant to spy abroad. And I seriously doubt foreign intelligence services need a warrant to spy on Americans. It works both ways here.

And I agree that the people being held by the USG on suspected terrorism charges should have long ago either had a trial or released.

Nick P • September 20, 2013 11:16 AM

@ Linus’s Law

Good points. Yeah, the complexity and kernel-mode nature of the code alone makes it easier to slip in a disguised backdoor. When I tried to learn Git, I was reminded of the security vs usability debates where we learned terrible interfaces can cause users to shoot themselves in the foot. Git is like that. It’s just way too complicated. Fortunately, we can always set up our own repository with the Linux code if we choose to eliminate some of that risk.

A nice breakdown of S.C.M. security by Wheeler
http://www.dwheeler.com/essays/scm-security.html

I recall from digging into his analyses that OpenCM and Aegis paid good attention to security in their feature set. Yet, there are big gripes that can be made with either. So, this is an unsolved problem in general. My solution in the past was to just combine a regular CVS with a front end that only accepted signed submissions, checked them against a security policy, and optionally ran certain tests. I no longer have that software but I mentioned it b/c a reader wanting to build a solution might be able to build that before he or she could build a full secure SCM.

SCM isn’t a toy project…

Wesley Parish • September 21, 2013 12:09 AM

@Mike the goat

I read some time ago about the PRC justifying their historic patterns of repressive behaviour because the US had adapted such behaviour after 9/11.

Dirk Praet • September 22, 2013 5:27 PM

@ ECI

My point is that this isn’t just an “American” thing

Just because everybody is doing it – or at least those with the resources to do so – does not make for a legal or moral justification. One does not escape a conviction for tax fraud defending himself with the argument that everybody is doing it and correctly filing tax returns would put him at an unfair disadvantage. You will not take things more lightly when your adulterous wife tells you that all of her friends were doing the same. Or dodge a bullet at some far west saloon being caught cheating at a friendly game of poker because “you just happened to be very good at it”.

Without discarding the everyday reality of the business, the main issue from a legal perspective is that specific international law governing spying activities is virtually unstated, especially in the field of industrial and other forms of economic espionage. Herein lies an interesting challenge for the international community, but we should probably not kid ourselves that any of the top spying nations – accidentally also permanent Security Council members – would ever voluntarily give up the competitive edge their capabilities are giving them over other nations. It’s just way more convenient to settle such uncomforting issues as they happen, and in the dark rooms of international diplomacy.

Which however does not mean that there are no consequences. Just like “the five eyes” banning Lenovo from secure infrastructures and Huawei being in equally bad papers, all companies exposed as Prism collaborators – and by extension any US based company – are now looking at serious problems to maintain their foothold in both public and private environments worldwide where confidentiality of data and communications is of the issue.

But just as no one should be surprised that everyone is spying on everyone, neither should US citizens delude themselves that they are protected by their 4th amendment or that their government is not engaging in industrial espionage. The Snowden revelations have clearly shown that the former has been extensively worked around with only minimal checks and balances in place, whereas the Belgacom and Petrobras affairs as of late have sufficiently debunked the myth of the latter. Economic espionage is not about stealing intellectual property only.

In the end, every relation is built upon trust and respect. The day I find out that my girlfriend for whatever reason has me tailed by a PI, that relation is going to be over or at a minimum seriously damaged, irrespective of her motives or applicable law. I understand your arguments – however flawed – but there is no denying that, especially in the spying business, when you get caught, all bets are off. And that’s something every spook knows only too well.

Yochai Benkler on the NSA

Comments

Leave a comment Cancel reply