If you attended the WHD.global 2015 keynote with former NSA contractor and whistleblower Edward Snowden on Wednesday morning, it is very likely that you were being watched.
“Unfortunately in many ways I am the X,” Snowden told the packed conference room at WHD.global. “I expect and accept that at this point I’m going to be scrutinized by every government and every bad actor in the world.”
“In a real way it’s interesting because it means that there are records that are being made right now of you, the people who are here. Not because you’re a target, but because you are associated.”
Snowden spoke to an audience of cloud and hosting service providers via a live video stream, and was interviewed by WikiLeaks journalist Sarah Harrison, who attended the event in person. Harrison escorted Snowden to safety in Russia two years ago. She currently lives in Berlin.
Speaking from her experience as a journalist, Harrison started the presentation by discussing how journalists’ attitudes towards security have changed in the wake of Snowden’s revelations.
“Unlike most other media, one of the first things I learned when I joined my job [at WikiLeaks] was security,” she said.
Prior to 2013, when Snowden’s first revelations about government mass surveillance came out, Harrison said journalists were not comfortable using encryption, and often told her that she must be hiding something illegal, like child porn, if she was using Tor. Things have come a long way since then.
“I can’t tell you how annoying it was to tell journalists that encryption was necessary, especially in the West…there has been quite a drastic change,” Harrison said.
That drastic change hasn’t just applied to journalists, as online users and technology companies around the world have had to face an entirely new security landscape brought forth by Snowden’s revelations about mass surveillance.
“When we talk about journalists and progress we kind of zoom out from that 2013 moment. The NSA revelations changed the fabric of the Internet,” Snowden said.
Use of Encryption is Growing
Snowden said that the amount of encrypted traffic has more than doubled since 2013, and a lot of work on encryption is happening in academia and at technology companies.
The type of security actions a person or organization might take “ultimately depends on what security specialists call a threat model,” Snowden said. “You need to think what the likely vectors are for attack.”
When Harrison mentioned that more journalists were clearing their browser histories, Snowden said that “as a basic practice, clearing your browser history is great…however that’s not really how surveillance works.”
“You have routes across the Internet between them, that is where the majority of surveillance happens online today,” he said. “Your cookies can flag you, however your IP address, your email address, all of that is visible when it crosses the wire, particularly when it’s not encrypted.”
So, can we trust encryption? Snowden said that one of the biggest and most important steps is removing the NSA from the standards process since as it stands they are given the ability to influence the existing standards.
“We need to have community standards that are internationally selected,” he said.
Service providers who rely on open source standards should set aside part of their budget to help fund the projects their infrastructure depends on.
“The problem is this is developed by volunteers, while it is open and it can be reviewed, if we are not funding review, [it] will miss critical issues,” Snowden said.
“We need greater adoption, but we also need companies to look at where they are relying, where we can kick them some tiny amount of money each year,” he said. “It’s a positive PR hit and is just common sense when you’re relying on this common infrastructure.”
Cloud Service Providers and the Reputation Risk
Protecting users’ privacy is not just the right thing to do, it is also a smart business move.
“The most important thing that you need to think about are the promises you’ve made to your users and how they would expect you to operate,” Snowden said. Making headlines as a company that has been the target of NSA attacks has a negative effect on a service provider’s business.
“You want to be the guy that the users, that the customers trust,” Snowden said. “You have the opportunity today to have the trusted service provider relationship with your customers simply by changing your policies”, and only retaining information necessary to your business, he said.
“So when people come knocking, people are reminded that investigations are their job, not yours.”
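One concrete form of “only retaining information necessary to your business” is to minimise what a web server log keeps in the first place. The following is an added example, not code from the talk or from any named provider: it takes a few constructed combined-format access log lines, coarsens the client address, drops the time of day, redacts identifying query parameters, discards the referer and user agent entirely, and refuses to keep anything older than a retention window. The parameter list, the 30-day window and the /24 and /48 prefixes are illustrative assumptions; what a business genuinely needs is a policy decision it has to make for itself.

```python
"""Log minimisation: keep only the fields the business needs, for only as long as it needs them.

Added example (not the talk's or any provider's code). Sample log lines are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample in Apache/Nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Feb/2015:09:15:02 +0000] "GET /reset?email=alice@example.org&token=abc123 HTTP/1.1" 200 512 "https://search.example/?q=lavabit" "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"
198.51.100.7 - - [28/Mar/2015:11:02:44 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/41.0"
2001:db8:1234:5678:abcd:ef01:2345:6789 - - [30/Mar/2015:23:59:59 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions: which query parameters identify a person, and how long records are needed.
SENSITIVE_PARAMS = {"email", "token", "password", "session"}
RETENTION_DAYS = 30


def truncate_ip(ip: str) -> str:
    """Coarsen a client address: IPv4 to its /24, IPv6 to its /48, host bits zeroed.
    Enough for abuse and traffic trends, not enough to single out one household."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def scrub_path(path: str) -> str:
    """Keep the request path and parameter names, but redact identifying values."""
    parts = urlsplit(path)
    kept = [(k, "redacted" if k.lower() in SENSITIVE_PARAMS else v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def minimise_line(line: str) -> Optional[dict]:
    """Reduce one raw log line to the record that is actually retained."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "net": truncate_ip(m["ip"]),
        "day": parse_ts(m["ts"]).date().isoformat(),  # time of day is dropped
        "method": m["method"],
        "path": scrub_path(m["path"]),
        "status": int(m["status"]),
        # referer and user agent are never written: they are not needed for billing or abuse handling
    }


def minimise_log(text: str, now: datetime) -> list:
    """Minimise every line and drop anything outside the retention window.
    A record that was never kept cannot be demanded later."""
    cutoff = (now - timedelta(days=RETENTION_DAYS)).date().isoformat()
    records = (minimise_line(line) for line in text.splitlines())
    return [r for r in records if r is not None and r["day"] >= cutoff]


if __name__ == "__main__":
    for rec in minimise_log(SAMPLE_LOG, datetime(2015, 4, 1, tzinfo=timezone.utc)):
        print(rec)
```

Run against the constructed sample with “now” set to 1 April 2015, the February line is dropped as expired and the two March lines survive with only a network prefix, a date, the method, a scrubbed path and a status code. The point is that minimisation happens at write time: a field that is never logged needs no later deletion policy and cannot be handed over.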
Companies like Gemalto or Cisco, who have been targeted by GCHQ and NSA, respectively, “do have a legal cause of action here” but haven’t moved on it because “they’re trying to stay out of headlines.”
Service providers that make it clear to their customers that they will protect their interests, even if it means taking legal action, are “the ones that are going to be successful.”
“Make a commitment to your users when they say, ‘if it is shown that someone has attacked our networks, particularly government, we will litigate this’,” Snowden said.
Elaborating on the Cisco case, Snowden said the company could create methods for verifying, on receipt of a shipment, that the code received is the same code that was sent. It could set up a trace, physically on the hardware or in software, that indicates a change has been made. These methods don’t have to cost a lot of money either, he said.
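The software half of that check is a sealed manifest: the vendor hashes every image at the factory and seals the list of hashes, and the customer re-hashes what arrived and compares before anything is installed. The example below is added here and is not Cisco’s or any vendor’s actual process; the firmware images are constructed byte strings, and an HMAC-SHA256 tag under a pre-shared key stands in for the vendor’s public-key signature on the manifest (a real deployment would verify a detached signature against the vendor’s published key rather than share a secret).

```python
"""Shipment integrity check: did the images that arrived match what the vendor sent?

Added example, not any vendor's real process. Images are constructed; the
HMAC tag is a stand-in for a public-key signature over the manifest.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"pre-shared vendor sealing key (assumption)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(entries: dict, key: bytes) -> str:
    """Tag a canonical encoding of the hash list so the list itself cannot be edited."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def build_manifest(images: dict, key: bytes) -> dict:
    """Vendor side, at the factory: hash each image and seal the list."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(images.items())}
    return {"images": entries, "tag": seal(entries, key)}


def verify_shipment(received: dict, manifest: dict, key: bytes) -> list:
    """Customer side, on receipt: check the seal first, then every image.
    Returns a list of problems; an empty list means the shipment is intact."""
    problems = []
    if not hmac.compare_digest(seal(manifest["images"], key), manifest["tag"]):
        problems.append("manifest tag mismatch: the manifest itself was altered")
        return problems  # nothing listed in it can be trusted
    for name, digest in manifest["images"].items():
        if name not in received:
            problems.append(f"{name}: listed in manifest but missing from shipment")
        elif not hmac.compare_digest(sha256_hex(received[name]), digest):
            problems.append(f"{name}: contents differ from what the vendor shipped")
    for name in received:
        if name not in manifest["images"]:
            problems.append(f"{name}: present in shipment but not in manifest")
    return problems


# Constructed images standing in for real firmware files.
FACTORY_IMAGES = {
    "bootloader.bin": b"\x7fELF" + b"\x00" * 60 + b"bootloader v1.2",
    "system.bin": b"\x7fELF" + b"\x01" * 60 + b"router os 15.4",
}
MANIFEST = build_manifest(FACTORY_IMAGES, VENDOR_KEY)


def intercepted_shipment() -> dict:
    """The same files, with the last byte of one image changed in transit."""
    tampered = dict(FACTORY_IMAGES)
    tampered["system.bin"] = FACTORY_IMAGES["system.bin"][:-1] + b"5"
    return tampered


if __name__ == "__main__":
    print("clean:", verify_shipment(FACTORY_IMAGES, MANIFEST, VENDOR_KEY))
    print("tampered:", verify_shipment(intercepted_shipment(), MANIFEST, VENDOR_KEY))
```

Two design points matter here. The manifest must travel separately from the shipment (vendor website, signed e-mail, a second courier), otherwise whoever alters the box can alter the list to match; the seal check is what catches an edited list. And this verifies files at rest on arrival, not what is already flashed into the device, so it complements rather than replaces a hardware trace or an attested boot measurement.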
Snowden said that service providers who take trust in their brand “out of the equation” and instead design their systems and products in such a way that even their “worst, most cutthroat competitors will trust” will see real success and be thought-leaders in security and privacy.
Can Service Providers Stand Up to the US Government?
“What do you do when the most powerful government in the world shows up at your doorstep and tells you to change your business process?” Snowden asked.
He said that service providers should cooperate with the government, but make it clear that they will not change their operations entirely to comply with their requests.
Snowden’s own email provider, Lavabit, went out of business after it refused to comply with the US government’s request. “The FBI demanded that [Lavabit] provide access to Snowden’s personal email, and everyone within their service,” he said. He called this a “teachable moment” for service providers.
He said companies could also set up a global presence in order to house data through wholly owned subsidiaries. He likens the approach to “the incredible extent that some enterprises have gone to avoid tax liability.”
With multiple subsidiaries, service providers will be better able to protect themselves by operating under different jurisdictions.
“When you limit your liability, you’re limiting your vulnerability. For business, that’s really important,” Snowden said.
Snowden’s Take on Cloud Security
The cloud is vulnerable to a number of different security issues, but the “idea here is you want to have a number of options and make use of all of them,” Snowden said.
“We have companies like Dropbox who you can’t trust, because they are actively hiring people that worked on warrantless wiretaps,” he said.
Being aware of the low hanging fruit and the weaknesses in your network can lead to higher security. Still, “we don’t want the technical community to be dictating the way society works,” Snowden said. “When we think about free and open liberal democracies” we think about debate and participatory government.
Technology companies should be spending some of their budgets on lobbying changes to existing legal frameworks.
“Just because the NSA can find their way in your smartphone doesn’t mean we should throw our hands up or give up entirely,” Snowden said. “We don’t want to lock law enforcement agencies out of everyone’s computers around the world entirely – but at the same time we don’t want them to be able to look at everybody for no cause.”