Ben Wizner: Not a lot of applause for us.
Chris Saghoian: I know. Ben Wizner: Are they ready?
Chris Saghoian: I think so. Ben Wizner: Ok, I think we’ll get started.
Thank you all so much for being here. There wasn’t a lot of applause when we came on stage
so I guess you’re here to see somebody else.
(( Applause )) My name is Ben Wizner; I’m joined by my colleague
Chris Saghoian from the ACLU. Maybe we can bring up on screen the main attraction. Edward Snowden: Hello.
Ben Wizner: With his very clever green screen.
Please bear with us today, the technology may have some kinks. The video may be a little
bit choppy. Our friend is appearing through 7 proxies so if the video is a little slow. You’re joining us for the event that one member of congress from the great state of Kansas hoped would not occur. He wrote to the organizers or SXSW urging them rescind the invitation
to Mr. Snowden. The letter included this very curious line, “The ACLU would surely concede
that freedom expression for Mr. Snowden has declined since he departed American soil”.
No one disputes that freedom of expression is stronger here than there but if there’s
one person for whom that’s not true, it’s Ed Snowden. If he were here in the United
States he would be in a solitary cell, subject probably to special administrative measures
that would prevent him from being able to communicate to the public and participate
in the historic debate that he helped launch. We’re really delighted to be here.
One more bit of housekeeping. As I’m sure most of you know, you can ask questions for
Mr. Snowden on twitter using the hash tag AskSnowden. Some group of people backstage
will decide which of those questions we see here. We’ll try to leave at least 20 minutes
or so for those questions. As I said, Ed Snowden’s revelations and the courageous journalism
of people like Bart Gellman who you just heard, Glenn Greenwald, Laura Poitras, and others
has really launched an extraordinary global debate. You might think of that debate as
occurring over 2 tracks. There is a debate in Washington in the halls of power about
law and policy about what democratic controls we need to reign in NSA spying that takes
place in courts that are considering the legality, the constitutionality of these programs in
the legislature, considering legislation. There’s a very different conversation that
you here in conference rooms in technology companies, particularly among people working
on security issues. Those people are talking less about the warrant requirement for meta
data and more about why the hell the NSA is systematically undermining common encryption
standards that we all use. Why is the NSA targeting telecommunication companies, internet
companies, hacking them to try to steal their customer data, basically manufacturing vulnerabilities
to poke holes in the communication systems that we all rely on? We’re hoping to mostly
focus on that latter conversation here. With that in mind, Ed if you’re with us, maybe
you could say a few words about why you chose for some of your first public remarks to speak
to the technology community rather than say the policy community in Washington.
Edward Snowden: Well thank you for the introduction. I will say SXSW and the technology community,
the people who are in the room at Austin right now, they’re the folks who can really fix
things. Who can enforce our rights through technical standards even when congress hasn’t
yet gotten to the point of creating legislation to protect our rights in the same manner?
When we think about what’s happened with the NSA in the last decade, in the post 9/11 era…
the result has been an adversarial internet, a sort of global free fire zone for governments
that’s nothing that we ever asked for. It’s not what we wanted. It’s something we need
to protect against. When we think about the policies that have
been advanced… sort of erosion of fourth amendment protections, the proactive seizure
of communications, there’s a policy of response that needs to occur. There’s also a technical
response that needs to occur. It’s the makers, it’s the thinkers, it’s the development community
that can really craft those solutions and make sure we are safe.
The NSA… the sort of global mass surveillance that’s prying at all of these countries not
just the US, and it’s important to remember that this is a global issue, they’re setting
fire to the future of the internet. The people who are in this room now, you guys are all
the firefighters. We need you to help us fix this.
Ben Wizner: So Chris, you heard Ed say that the NSA offensive mass surveillance programs,
the sort of manufacturing of vulnerabilities, is setting fire to the future of the internet.
Do you want to comment on that? Chris Saghoian: Sure. Many of the communications
tools that we all rely on are not as secure as they could be. Particularly for the apps
and services that are made by small companies and small groups of developers, security is
often an afterthought if it’s a thought at all. What that’s done is enable global passive
surveillance by the US but other governments too.
What I think has been the most lasting impression for me from the last 8 months is the fact
that the real technical problems that the NSA seems to have are not, “How do we get
people’s communications” but, “How do we deal with the massive amounts of communication
data that we’re collecting?” The actual collection problem doesn’t seem to be a bottleneck for
the NSA. That’s because so many of the services that we’re all relying on are not secure by
default. I really think for this audience, one of the
things that we should be thinking about and hopefully taking home is the fact that we
need to lock things down. We need to make services secure out of the box. That’s going
to require a rethink by developers. It’s going to require the developers start to think about
security early on rather than later on down the road.
Ben Wizner: Let me pick up on that. Ed, you submitted written testimony last week to the
European parliament. I want to quote a very short part of that and have you elaborate
on it. You said, “In connection with mass surveillance, the good news is that there
are solutions. The weakness of mass surveillance is that it can very easily be made much more
expensive through changes in technical standards”. What kind of changes were you talking about
and how can we ensure that we make mass surveillance more expensive and less practical?
Edward Snowden: The primary challenge that mass surveillance faces from any agency, any
government of the world, is not just how do you collect to communications as they cross
the wires, as they sort of find their way through the global network, but how do you
interpret them? How do you understand them? How do you direct them back out and analyze
them? [inaudible 00:08:35] at least on the easiest, the simplest, most cost effective
basis by encryption. There are 2 methods of encryption that are
generally used, one which is deeply problematic. One of those is what’s called key escrow.
It’s sort of what we’re using with Google type services, Skype type services, right
now where I encrypt a video chat and I send it to Google. Google decrypts it and then
re-encrypts it to you guys and we have it. End-to-end encryption, where it’s from my
computer directly to your computer, makes mass surveillance impossible at the network
level without a crypto break. They are incredibly rare and they normally don’t work. They’re
very expensive. By doing end-to-end encryption, you force what are called threat model global
passive adversaries to go through the end heads, that is the individual computers.
The result of that is a more constitutional, more carefully overseen sort of intelligence
gathering model, law enforcement model, where if they want to gather somebody’s communications,
they’d have to target them specifically. They can’t just target everybody all the time and
then when they want to read your stuff, they go back in a time machine and they say, “What
did they say in 2006?” They can’t pitch exploits in every computer
in the world without getting caught. That’s the value of end-to-end encryption and that’s
what we need to be thinking about. We need to go, “How can we enforce these protections
in a simple, cheap, and effective way that’s invisible to [users 00:10:17]. I think that’s
the way to do it. Ben Wizner: So Chris, one of the obstacles
to widespread end-to-end encryption is that many of us get our e-mail service from advertising
companies that need to be able to read the e-mails in order to serve us targeted ads.
What are steps that even a company like Google that’s an advertising company or companies
like that can do to make mass surveillance more difficult? Are there things or do we
really need new business models to accomplish what Ed is talking about?
Chris Saghoian: In the last 8 months, the big Silicon Valley technology companies have
really improved their security in a way that was surprising to many of us who have been
urging them for years to do so. Yahoo was kicking and screaming the whole way but they
finally turned on SSL encryption in January of this year after Bart Gellman and Ashkan
Soltani shamed them on the front page of the Washington Post.
The companies have locked things down, but only in a certain way. They’ve secured the
connection between your computer and Google’s server or Yahoo’s server or Facebook’s server
which means that governments have to now go through Google or Facebook or Microsoft to
get your data instead of getting it with AT&T’s help or Verizon’s help or Comcast or any party
that watches the data as it goes over the network.
I think it’s going to be difficult for these companies to offer truly end-to-end encrypted
service simply because it conflicts with their business model. Google wants to sit between
you and everyone you interact with and provide some kind of added value whether that added
value is advertising or some kind of information mining, improved experience, telling you when
there are restaurants nearby, where you can meet your friends. They want to be in that
connection with you. That makes it difficult to secure those connections.
Ben Wizner: Is this the right time for a shout out to Google that is in this conversation
with us right now? Chris Saghoian: The irony that we’re using
Google hangouts to talk to Ed Snowden has not been lost on me or our team here. I should
be clear; we’re not getting any advertising support from Google here. The fact is that
the tools that exist to enable secure end-to-end encrypted video conferencing are not very
polished. Particularly when you’re having a conversation with someone who’s in Russia
and who’s bouncing his connection through several proxies, the secure communications
tools tend to break. This I think reflects the state of play with
many services. You have to choose between a service that’s easy to use and reliable
and polished or a tool that is highly secure and impossible for the average person to use.
I think that reflects the fact that the services that are developed by large companies with
the resources to put 100 developers on the user interface, those are the ones that are
optimized for security. The tools that are designed with security as the first goal are
typically made by independent developers, activists, and hobbyists. They’re typically
tools made by geeks for geeks. What that means is the world… the regular
users have to pick. They have to pick between a service they cannot figure out how to use
or a service that is bundled with their phone or bundled with their laptop and works out
of the box. Of course rational people choose the insecure tools because they’re the ones
that come with the devices they buy and work and are easy for people to figure out.
Ben Wizner: Let’s bring Ed back into this. In a way, this whole affair began with Glenn
Greenwald not being able to use PGP which is somewhat of a joke in the tech community
but really not outside the tech community. PGP is not easy to install and it’s not easy
to use. Using Tor, using Tails… I feel like I need new IT support in my office just to
be able to do this work. You’re addressing an audience that includes a lot of young technologists.
Is there a call to arms for people to make this stuff more usable so that not only technologists
can use it? Edward Snowden: There is. I think we’re actually
seeing a lot of progress being made here. Whisper Systems, the sort of Moxie Marlinspike
of the world, are focusing on new user experiences, new UIs. Basically ways for us to interact
with cryptographic tools which is the way it should be, where it happens invisible to
the user, where it happens by default. We want secure services that aren’t [opt in 00:14:46].
It’s got to pass the Glenn Greenwald test. If any journalist in the world gets an e-mail
from somebody saying, “Hey, I have something that the public might want to know about”
they need to be able to open it. They need to be able to access that information. They
need to be able to have those communications whether they’re a journalist, an activist,
or it could be your grandma. This is something that people have to be able to access.
The way we interact with it right now is not good. If you have to go to command log, people
aren’t going to use it. If you have to go 3 menus deep, people aren’t going to use it.
It has to be out there. It has to have it automatically. It has to happen seamlessly.
That’s [inaudible 15:27]. Ben Wizner: So who are we talking to, Chris?
Are we talking now to technology companies? Are we talking to foundations to support the
development of more usable security? Are we talking just to developers? Who’s the audience
for this call to arms? Chris Saghoian: I think the audience is everyone.
We should understand that most regular people are not going to go out and download an obscure
encryption app. Most regular people are going to use the tools that they already have. That
means they’re going to be using Facebook or Google or Skype. A lot of our work goes into
pressuring those companies to protect their users.
In January of 2010, Google turned on SSL, the lock icon on your web browser. They turned
it on by default for Gmail. It had previously been available but it had been available through
an obscure setting, the 13th of 13 configuration options. Of course, no one turned it on. When
Google turned that option on, suddenly they made passive bulk surveillance of their users’
communications far more difficult for intelligence agencies.
They did so without requiring that their users take any steps. One day their users logged
into their mail and it was secure. That’s what we need. We need services to be building
security in by default an enabled without any advanced configuration. That doesn’t mean
that small developers cannot play a role. There are going to be hot new communications
tools. WhatsApp basically came out of nowhere a few
years ago. What I want is for the next WhatsApp or the next Twitter to be using encrypted
end-to-end communication. This can be made easy to use. This can be made useable. You
need to put a team of user experience developers on this. You need to optimize. You need to
make it easy for the average person. If you’re a startup and you’re working on
something, bear in mind that it’s going to be more difficult for the incumbents to deliver
secure communications to their users because their business models are built around advertising
supported services. You can more effectively and more easily deploy these services than
they can. If you’re looking for an angle here, we’re slowly getting to the point where telling
your customers, “Hey, 5 dollars a month for encrypted communications. No one can watch
you” I think that’s something many consumers might be willing to pay for.
Edward Snowden: If I could actually take you back on that real quick, one of the things
that I want to say is for the larger company, it’s not that you can’t collect any data.
It’s that you should only collect the data and hold it for as long as necessary for the
operation of the business. Recently EC-Council, one of the security certification providers
intact, they actually spilled my passport, a copy of my passport and my registration,
and posted them to the internet when they defaced the site.
I submitted those forms back in 2010. Why was that still [inaudible 00:18:20]? Was it
still necessary for the business? That’s a good example of why these things need to age
[off 00:18:26]. Whether you’re Google or Facebook, you can do these things in a responsible way.
You can still get the value out of these that you need to run your business [inaudible 00:18:38]
without [inaudible 00:18:40] Ben Wizner: We didn’t have great audio here
that response but what Ed was saying is that even companies whose business model relies
on them to collect and aggregate data don’t need to store it indefinitely once its primary
use has been accomplished. His example was that some company was hacked and they found
some of his data from 4 years ago that clearly there was no business reason for them still
to be holding on to. Let’s switch gears a little bit. Last week
General Keith Alexander who heads the NSA testified that the disclosures of the last
8 months have weakened the country’s cyber defenses. Some people might think there’s
a pot in the kettle problem coming from him but what was your response to that testimony?
Edward Snowden: It’s very interesting to see officials like Keith Alexander talking about
damage that’s been done to the defense of our communications. More than anything, there
have been 2 officials in America who have harmed our internet security and actually
our national security because so much of our country’ economic success is based on our
intellectual property. It’s based on our ability to create, share, communicate, and compete.
Those two Officials are Michael Hayden and Keith Alexander, two directors of the National
Security Agency in the post 9/11 era who made a very specific change. That is they elevated
offensive operations, that is attacking, over the defense of our communications. They began
eroding the protections of our communications in order to get an attacking advantage.
This is a problem for 1 primary reason. America has more to lose than anyone else when every
attack succeeds. When you are the one country in the world that has a vault that’s more
full than anyone else’s, it doesn’t make sense for you to be attacking all day and never
defending your full vault. It makes even less sense when you set standards for vaults worldwide
to have a big back door that anybody can walk into.
That’s what we’re running into today. When he says these things have weakened national
security… these are improving our national security. These are improving the communications
not just of Americans but everyone in the world. When you rely on the same standard,
we rely on the ability to trust our communications. Without that, we don’t have anything. Our
economy cannot succeed. Ben Wizner: So Chris, Richard Clarke testified
a few weeks back that it’s more important for us to be able to defend ourselves against
attacks from China than to be able to attack China using our cyber tools. I don’t think
everybody understands that there is any tension whatsoever between those 2 goals. Why are
they in opposition to each other? Chris Saghoian: As a country, we have public
officials testifying in Washington saying that cyber security is the greatest threat
this country now faces, greater than terrorism. We’ve had both the director of the FBI and
the director of National Intelligence say this in testimony to congress. I think it’s
probably true that we do in fact face some kind of cyber security threat. Our systems
are not as safe as they could be and we are all vulnerable to compromise in one way or
another. What should be clear is that this government
isn’t really doing anything to keep us secure and safe. This is a government that has prioritized
for offense rather than defense. If there were 100% increase in murders in Baltimore
next year, the Chief of Police of Baltimore would be fired. If there was 100% increase
in fishing attacks, successful fishing attacks where people’s credit card numbers get stolen,
no one gets fired. As a country, we have basically been left
to ourselves. Every individual person is left to defend themselves online. The government
has been hoarding information about information security vulnerabilities. In some cases, there
was a disclosure in the New York Times last fall revealing the NSA has been partnering
with US technology companies to intentionally weaken the security of the software that we
all use and rely on. The government has really been prioritizing
its efforts on information collection. There is this fundamental conflict. There’s a tension
which is that a system that is secure is difficult to surveil and a system that is designed to
be surveiled is a target waiting to be attacked. Our networks have been designed with surveillance
in mind. We need to prioritize cyber security. That’s going to mean making surveillance more
difficult. Of course the NSA and their partners in the intelligence world are not crazy about
us going down that path. Ben Wizner: So Ed, if the NSA is willing to
take these steps that actually weaken security, that spread vulnerabilities that make is sometimes
easier not just for us to do surveillance but for others to attack, they must think
there’s an awfully good reason for doing that. Their bulk collection programs that these
activities facilitate, the collected mentality, that it really works. This is a very, very
effective surveillance method in keeping us safe.
You sat on the inside of these systems for longer than people realize. Do these mass
surveillance programs do what our intelligence officials promise to congress that they do?
Are they effective? Edward Snowden: They’re not. That’s actually
something that I’m a little bit sympathetic to because we got to turn back the clock a
little bit and remember that they thought it was a great idea but no one had ever done
it before, at least publically. They went, “Hey, we can spy on everybody in the world
all at once. It’ll be great. We’ll know everything”. The reality is when they did it, they found
out it didn’t work. It was such [inaudible 00:24:58]. It was so successful in securing
funding and so great at getting [inaudible 00:25:02]; it was so great at winning new
contracts that nobody wanted to say no. The reality is now, we have reached a point
where the majority of Americans’ telephone communications are being recorded. We got
all this meta data that’s being stored for years and years and years. Too many White
House investigations have found it has no value at all. It’s never helped us. Beyond
that, we’ve got to think about what are we doing with those resources? What are we getting
out of it? As I said in my European parliament testimony,
we actually had tremendous intelligence failures because we’re monitoring the internet. We’re
monitoring everybody’s communications instead of suspects’ communications. That lack of
focus has caused us to miss leads that we should have had, Tamerlan Tsarnaev of the
Boston bombers. The Russians had warned us about it but we did a very poor effort investigating
[inaudible 00:26:04]. We had people looking at other things. If we hadn’t spent so much
on mass surveillance, if we followed the traditional models, we might have caught that.
Umar Farouk Abdulmutallab, the underwear bomber, same thing. His father walked into a US embassy,
he went to a CIA officer, he said, “My son is dangerous. Don’t let him go to your country.
Get him help”. We didn’t follow up. We didn’t actually investigate this guy. We didn’t dedicate
a team to figure out what was going on because we all this money, we spent all of this time,
hacking into Google and Facebook’s back ends to look at their data center communications.
What did we get out of it? We got nothing and 2 White House investigations that confirmed
that. Ben Wizner: Chris, if as Ed says these bulk
collection programs are not all that effective, that the resources that go into this would
be better directed at targeted surveillance, why are they dangerous?
Chris Saghoian: Because the government has created this massive database of everyone’s
private information. In an NSA building somewhere probably in Maryland, there is a record of
everyone who’s called an abortion clinic, everyone who’s called an alcoholics anonymous
hotline, everyone who’s called a gay bookstore. They tell us, “Don’t worry, we’re not looking
at it” or “We’re not looking at It in that way. We’re not doing those kinds of searches”
but I think many Americans would have good reason to not want that information to exist.
Regardless of which side of the political spectrum you are, you probably don’t want
the government to know that you’re calling an abortion clinic, a church, or a gun store.
You may think quite reasonably that that is none of the government’s business. I think
when you understand that the government can collect this information at this scale, they
can hang onto it and figure out uses for it down the road, I think many Americans are
quite fearful of this slippery slope, this surveillance that happens behind closed doors.
Even if you trust this administration we have right now, the person who sits in the oval
office changes every few years. You may not like the person who’s going to sit there in
a few years with that data that was collected today.
Ben Wizner: Ed we lost you for a moment but can you still hear us?
Edward Snowden: I can hear you. Ben Wizner: Ok. Just before this began, I
got an e-mail from Sir Tim Berners-Lee, the creator of the World Wide Web who asked for
the privilege of the first question to you. I think I’m willing to extend that to him.
He wanted to thank you. He believes that your actions have been profoundly in the public
interest. That was applause if you couldn’t hear it.
He asks if you could design from scratch an accountability system for governments over
national security agencies, what would you do? It’s clear that intelligence agencies
are going to be using the internet to collect information from all of us. Is there any way
that we can make oversight more accountable and improved?
Edward Snowden: That’s a really interesting question. It’s also a very difficult question.
Oversight models, [inaudible 00:29:41] models, these are things that are very complex. They’ve
got a lot of moving parts. When you add in [inaudible 00:29:47], when you add in public
oversight, it gets complex. We’ve got a good starting point and that’s what we have to
remember. We have an oversight model that could work. The problem is when the overseers
aren’t interested in oversight, when we’ve got 7 intelligence committees, house intelligence
committees that are cheerleading for the NSA instead of holding them to account.
When we have James Clapper the Director of National Intelligence in front of them and
he tells a lie that they all know is a lie because they’re briefed on the program because
they got the collections a day in advance and no one says it, allowing all the American
people to believe that this is a true answer, that’s an incredibly dangerous thing. That’s
the biggest [inaudible 00:30:36]. When I would say, “How do we fix our oversight model? How
do we structure an oversight model that works?” the key factor is accountability.
We can’t have officials like James Clapper who can lie to everyone in the country, who
can lie to the congress, and face not even a criticism. Not even a strongly worded letter.
The same thing with courts. In the United States we’ve got open courts that are supposed
to decide [inaudible 00:31:06] constitutional issues to interpret and apply the law.
We also have the FISA court, which is a secret rubber stamped court, but they’re only supposed
to approve warrant applications. These happen in secret because you don’t want people to
know the government wants to surveil. At the same time, a secret court shouldn’t be interpreting
the constitution when only NSA’s lawyers are making the case about how it should be [inaudible
00:31:40]. Those are the 2 primary factors that I think need to change.
The other thing is we need public advocates. We need public representatives. We need public
oversight. Some way for trusted public figures, sort of civil rights champions, to advocate
for us and to protect the structure and make sure it’s been fairly applied. We need a watchdog
that watches congress. Something that can tell us these guys didn’t tell you that you
were just lied to. Otherwise, how do we vote? If we’re not informed, we can’t consent to
these policies. I think that’s damaging. Ben Wizner: For what it’s worth, my answer
to Sir Tim is Ed Snowden. Before these disclosures, all 3 branches of our government had gone
to sleep on oversight. The courts had thrown cases out, as he said. Congress allowed itself
to be lied to. The executive branch did no reviews. Since Ed Snowden and since all of
us have been read in to these programs, we’re actually seeing reinvigorated oversight. It’s
the oversight that the constitution had in mind but sometimes it needs a dusting off.
Ed has been the broom. Chris Saghoian: I just wanted to also note
that without Ed’s disclosures, many of the tech companies would not have improved their
security either at all or at the rate that they did. The prism story, although there
was a lack of clarity initially about what it really said, put the names of billion dollar
American companies on the front page of the newspaper and associated them with bulk surveillance.
You saw the companies doing everything in their power publically to distance themselves
and also show that they were taking security seriously. You saw companies like Google,
Microsoft, and Facebook rushing to encrypt their data centers with data center connections.
You saw companies like Yahoo! finally turning on SSL encryption. Apple fixed a bug in its
address book app that allowed Google users’ address books to be transmitted over networks
in an unencrypted form. Without Ed’s disclosures, there wouldn’t have been as much pressure
for these tech companies to encrypt their information.
There are going to be people in this audience and people who are listening at home who think
that what Ed did is wrong. Let me be clear about one really important thing. His disclosures
have improved internet security. The security improvements we’ve gotten haven’t just protected
us from bulk government surveillance. They’ve protected us from hackers at Starbucks who
are monitoring our Wi-Fi connections; they’ve protected us from stalkers, identity thieves,
and common criminals. These companies should have been encrypting
their communications before and they weren’t. It really took, unfortunately, the largest
and most profound whistle blower in history to get us to this point where these companies
are finally prioritizing the security of their users’ communications between them and the
companies. We all have Ed to thank for this. I cannot emphasize enough. Without him, we
would not have Yahoo! users getting SSL, we would not have this data going over the network
in encrypted form. It shouldn’t have taken that. The companies
should have done it by themselves. There should be regulation or privacy regulators who are
forcing these companies to do this. That isn’t taking place so it took Ed to get us to a
secure place. Ben Wizner: Great. Remember the hash tag is
AskSnowden. We’ll take our first question, please forgive pronunciations, from Max [Zerk-an-tin
00:35:36]. The question for Ed and Chris to, why is it less bad if big corporations get
access to our information instead of the government? Ed, did you hear it?
Edward Snowden: Yes, I did. This is something that’s actually been debated. We see people’s
opinions, people’s responses to this evolving which is good. This is why we need to have
these conversations. We don’t know. Right now my thinking, and I believe the majority’s
thinking, is that the government has the ability to deprive you of rights. Governments around
the world, whether it’s the United Stated Government, whether it’s the Yemeni government,
whether it’s Zaire, any country, they have police powers, they have military powers,
they have intelligence powers. They can literally kill you. They can jail you. They can surveil
you. Companies can surveil you to sell you products,
to sell your information to other companies, and that can be bad but you have legal [inaudible
00:36:41]. First off, it’s typically a voluntary contract. Secondly, you’ve got court challenges
you use. If you challenge the government about these things, and the ACLU itself has actually
challenged some of these cases, the government throws [inaudible 00:36:58] and says, “You
can’t even ask about this”. The courts aren’t allowed to tell us whether this is legal or
not because we’re just going to do it anyway. That’s the difference and it’s something we
need to watch out for. Ben Wizner: Chris do you want to address it
or should we take the next question? Chris Saghoian: Sure, just quickly. I’m not
crazy about the amount of data that Google and Facebook collect. Of course everything
they get, the government can come and ask for too. There’s the collection the government
is doing by itself, and then there’s the data that they can go to Google and Facebook and
force them to hand over. We should remember that the web browser that you’re likely using,
the most popular browser right now is Chrome. The most popular mobile operating system is
now Android. Many of the tools that we’re using, whether web browsers or operating systems
or apps, are made by advertising companies. It’s not a coincidence that Chrome is probably
a less privacy-preserving browser. It’s tweaked to allow data collection by third parties.
The android operating system is designed to facilitate disclosure of data to third parties.
Even if you’re ok with the data that companies are collecting, we should also note that the
tools that we use to browse the web and the tools that ultimately will either permit our
data to be shared or prevent it from being shared are made by advertising companies.
This makes the NSA’s job a lot easier. If the web browsers we were using were locked
down by default, the NSA would have a much tougher time but advertising companies are
not going to give us tools that are privacy preserving by default.
Ben Wizner: Let’s take another question from [Jodi Se-ra-no 00:38:31] to Snowden from Spain.
Do you think the US surveillance systems might encourage other countries to do the same?
Edward Snowden: Yes. This is actually one of the primary dangers not just of the NSA’s
activities but in not addressing and resolving these issues. It’s important to remember that
Americans benefit profoundly on this because again, as we discussed, we’ve got the most
to lose from being hacked. At the same time, every citizen in every country has something
to lose. We all are at risk of unfair, unjustified, unwarranted interference in our private lives.
Through ought history, we’ve seen governments sort of repeat the trend where it increases
and it gets to a point where they crossed the line. If we don’t resolve these issues,
if we allow the NSA to continue unrestrained, every other government, the international
community, will accept that sort of as the green light to do the same. That’s not what
we want. Chris Saghoian: I think there’s a difference
between surveillance performed by the NSA and surveillance performed by most other governments.
It’s not really illegal when it’s more of a technical one and that is the whole world
sends their data to United States. Americans are not sending their e-mail to Spain; Americans
are not sending their photographs to France. This means that the US, because of silicon
valley, because of the density of tech companies in this country, the US enjoys an unparalleled
intelligence advantage that every other government just doesn’t have.
If we want the rest of the world to keep using US tech companies, if we want the rest of
the world to keep trusting their data with the United States, then we need to respect
them. We need to respect their privacy in the way that we protect the privacy of Americans
right now. I think the revelation to the last 8 months have given many people in other countries
a very reasonable reason to question whether they should be trusting their data to United
States companies. I think we can get that trust back through
legal changes but I think tech companies can also do a lot to earn that trust back by employing
encryption and other privacy protecting technologies. The best way to get your user’s trust is to
be able to say when the government comes to you, “Sorry, we don’t have the data” or “Sorry,
we don’t have the data that’s going to be in a form that will be of any use to you.
That’s how you win back the trust of people in Brazil, in Germany, and people around the
world. Ben Wizner: Let me just cut in with a question
here because I do think that a certain degree of perhaps hopelessness may have crept in
to the global public with this constant barrage of stories about the NSA’s capabilities, the
GCHQ’s capabilities and their activities, all the ways that they’re able to get around
defenses. I hear, Chris, you and Ed both coming back to encryption again and again as something
that still works. Maybe we could just take a moment, Ed, after the discussions that we’ve
had about has NSA has worked to weaken encryption. Should people still be confident that the
basic encryption that we user protects us from surveillance or at least mass surveillance?
Edward Snowden: The bottom line, and I’ve repeated this again and again, is that encryption
does work. We need to think about encryption not as this sort of arcane black art but sort
of a basic protection. It’s the defense against the dark arts of the digital world. This is
something we all need to be [inaudible 00:42:21]. Not only implemented, but actively researching
and improving on the academic level. The grad students of today, tomorrow, need to keep
today’s [inaudible 00:43:33] online to inform tomorrow’s.
We need all those brilliant [inaudible 00:43:38] cryptographers to go, “All right, we know
that these encryption algorithms we’re using today work. Typically it’s the random number
generators that are attacked is if they were to be encryption algorithms themselves. How
can we make them [fool proof 00:42:52]? How can we test them? This is [inaudible 00:42:54].
It’s not going to going to go away tomorrow but it’s the steps that we take today, it’s
the moral commitment, the philosophical commitment, the commercial commitment to protect and enforce
our liberties through technical standards that’s going to take us through [tomorrow
00:43:11] and allow us to reclaim the open and trusted [inaudible 00:43:15].
Ben Wizner: Chris very briefly, you hand out with cryptographers. They’re not happy campers
these days. Chris Saghoian: No. Of all the stories that
have come out, the one that has really had the biggest impact in the security community
is the news that the NSA has subverted the design of cryptographic and random number
generator algorithms. I think it’s fair to say that there is a group within the cryptographic
community now who have become radicalized as a result of these disclosures. Cryptographers
actually can be radicals. They’re not just mild mannered people.
We should remember that regular consumers do not pick their own encryption algorithms.
Regular consumers just use the services that are provided to them. The people who pick
the crypto, who pick the particular algorithms, who pick the key sizes; they are the security
engineers at Google and Facebook and Microsoft. The cryptographers who are working with open
source projects, those people are all really pissed. I think that’s good. Those people
should be mad. Those people can make a difference. The fact that these disclosures have so angered
the security community is a really good sign because ultimately the tools that come out
in 6 months or a year or 2 years are going to be far more secure than they were before.
That’s because that part of the tech community feel like they were lied to.
Ben Wizner: Let’s take a couple more questions from Twitter. Melissa [nick sick 00:44:40]
I hope. What steps do you suggest the average person take now to ensure a more secure digital
experience? Is there anything we can do at the individual level to confront the issues
of mass surveillance that we’re talking about today? Ed, it’s ok if the answer is no.
Edward Snowden: There are basic steps. It’s a really complicated subject matter today
and that’s the difficulty. Again, it’s the Glenn Greenwald test. How do you answer this?
[inaudible 00:45:11] For me, there are a couple of key technologies. There’s full disc encryption
to protect your actual physical computer and devices in case they’re seized. There’s network
encryption which are things like SSL but that happens sort of transparently, you can’t help
that. You can install a couple browser plugins,
NoScript to block active exploitation attempts in the browser, Ghostery to block ads and
tracking cookies. But there’s also Tor. Tor, t-o-r, is a mixed routing network which is
very important because it’s encrypted from the user through the ISP to the end of a cloud,
a network of routers that you go through. Because if this, your ISP, your telecommunications
provider can no longer spy on you by default. The way they do now, today, when you go to
any website. By using Tor, you shift their focus to either attacking the Tor cloud itself
which is incredibly difficult, or to try to monitor the exits from the Tor and the entrances
to Tor, and then try to figure out what fits. That’s very difficult. [inaudible 00:46:31]
those basic steps. You encrypt your hardware and you encrypt your network communication.
You’re far, far more hardened than the average user. It becomes very difficult for any sort
of a mass surveillance to be applied to you. You’ll still be vulnerable to some targeted
surveillance. If there’s a warrant against you, if the NSA is after you, they’re still
going to get you. Mass surveillance, this untargeted collect it all approach, you’ll
be much safer. Ben Wizner: When there’s a question about
average users and the answer is Tor, we failed, right?
Chris Saghoian: Yeah, I mean ill just add to what Ed said in saying that a privacy preserving
experience may not be a secure experience and vice versa. I’m constantly torn. I personally
feel like Firefox is the more privacy preserving browser but I know that Chrome is the more
secure browser. I’m stuck with this choice… am I more worried about passive surveillance
of my communications and my web browsing information or am I more worried about being attacked?
I go back and forth on those. I think until we have a browser or a piece
of software that optimizes for both privacy and security, I think users are going to be
stuck with 2 bad choices. I’ll just not that in addition to what Ed said, I really think
that consumers need to rethink their relationship with many of the companies to whom they entrust
their private data. I really think what this comes down to is if you’re getting the service
for free, the customer isn’t going to be optimizing the experience with your best interest in
mind. I’m not going to say if you’re not paying for the product, you are the product because
we pay for our wireless service and those companies still treat us like crap.
If you want a secure online backup service, you’re going to have to pay for it. If you
want a secure voice or video communications product, you’re going to have to pay for it.
That doesn’t mean you have to pay thousands of dollars a year but you need to pay something
so that that company has a sustainable business model that doesn’t revolve around collecting
and monetizing your data. Ben Wizner: We have another question about
encryption from Sean. Isn’t it just a matter of time before NSA can decrypt even the best
encryption? Ed, I’m particularly interested in your answer to this in light of your confidence
that data that you were able to take is secure and has remained secure.
Edward Snowden: Well, let’s put it this way. The Unites States Government has assembled
a massive investigation team into me personally, into my work with the journalists, and they
still have no idea what documents were provided to the journalists, what they have, what they
don’t have because encryption worked. The only way to get around that even over Tor
is either have a computer that’s so massive and so powerful you convert the entire universe
into the energy powering this crypto breaking machine and it’s still might not have enough
to it, or you can break in a computer disc and try to steal the keys and bypass that
encryption. That happens today. That happens every day.
That’s the way around it. There are still ways to protect encrypted data that no one
can break. That’s by making sure the keys are never exposed. The key itself cannot be
observed. They key can’t be stolen. It can’t be captured. The encryption can’t be [inaudible
00:50:13]. Any cryptographer, any mathematician in the world will tell you that the math is
sound. The only way to get through encryption on
a targeted basis, particularly when you start layering encryption, you’re not using one
algorithm, you’re using every algorithm You’re using key splitting, you’re using all kinds
of sort of sophisticated techniques to make sure that no one person, no single point of
failure exists. There’s no way in. There’s no way around it. That’s going to continue
to be the case until our understanding of mathematics and physics changes on a fundamental
level. Actually if I could follow up on that, I would
say the US government’s investigation actually supports that. We’ve had both public and private
acknowledgements that they know at this point neither the Russian government, nor the Chinese
government, nor any other government has possession of any of this information. That would be
easy for them to find out. Remember, these are the guys who are spying on everybody in
the world. They’ve got human intelligence assets embedded
in these governments. They’ve got electronic signals assets in these governments. Suddenly,
if the Chinese government knew everything the NSA was doing, we would notice the changes.
We would notice the chatter. We would see officials communicating and our assets would
tell us, “Hey, suddenly they got a warehouse. They put a thousand of their most skilled
researches in there”. That’s never happened and it’s never going to happen.
Chris Saghoian: I’ll just add that
I think Ed’s right. If the government really wants to get into your computer, if they want
to figure out what you’re saying and who you’re saying it to, they will find a way. That won’t
involve breaking the encryption. That will involve hacking into your device. Whether
your phone or your laptop, they’ll take advantage of either vulnerabilities that haven’t been
patched or vulnerabilities that no one knows about.
Hacking technologies don’t scale. If you are a target of the NSA, it’s going to be game
over no matter what unless you are taking really, really sophisticated steps to protect
yourself but for most people that will be beyond their reach. Encryption makes bulk
surveillance too expensive. The goal here isn’t to blind the NSA. The goal isn’t to
stop the government from going after legitimate surveillance targets. The goal here is to
make it so they cannot spy on innocent people because they can.
Right now so many of our communications, our telephone calls, our e-mails, our text messages,
our instant messages, are just there for the taking. If we start using encrypted communication
services, suddenly it becomes too expensive for the NSA to spy on everyone. Suddenly they’ll
need to actually have a good reason to dedicate those resources to either try and break the
encryption or to try and hack into your device. Encryption technology, even if imperfect,
has the potential to raise the cost of surveillance to the point that it no longer becomes economically
feasible for the government to spy on everyone. Ben Wizner: Can we get another question on
the screen from Twitter? Please? Thanks. Good question from David Meyer. Is it possible
to reap the benefits of big data on a societal level while not opening ourselves to constant
mass surveillance? How do we enjoy the scientific benefits, even some of the commercial benefits
of this without turning ourselves into a dystopian surveillance state? In 2 minutes or less.
Ed? Edward Snowden: This is a really difficult
question. There are a lot of advancements and things like encrypted search that make
it possible for the data to be an unreadable format, until [inaudible 00:54:10] or something.
In general, it’s a difficult problem. The bottom line is data should not be collected
without people’s knowledge and consent. If data is being clandestinely acquired and the
public doesn’t have any way to review it and it’s not legislatively authorized, it’s not
reviewed by courts, it’s not [constant 00:54:33] with our constitution, that’s a problem.
If we want to use that, it needs to be the result of a public debate in which people’s
[inaudible 00:54:43]. Ben Wizner: Chris, do you want to take on
that question? Chris Saghoian: No.
Ben Wizner: We have another question that is about every day users. Maybe you can give
us another one because I think we’ve answered this one. Friends backstage? Ok, from Tim
[Sho-ruck 00:55:04]. Wasn’t NSA mass surveillance the solution… Chris can you read that?
Chris Saghoian: Wasn’t NSA’s mass surveillance solution to the internet driven by privatization
and handling of our signals intelligence analysis to SCIC, Booz Allen so…
Ben Wizner: I don’t understand. Chris Saghoian: Tim is basically saying, “Isn’t
this a result of letting the contractors in to run the show?”
Edward Snowden: The problem is when the NSA gets a pot of money, they don’t typically
develop the solutions themselves. They bring in a bunch of contractors. The Booz Allens,
the SCICs, the [khakis 00:55:42], and they go, “Hey, what can you guys do for us? What
solutions are you working on?” These guys get a gigantic [inaudible 00:55:50] song and
dance. I actually used to do it professionally, I know how it works. The problem is you got
contractors and private companies at that point influencing policy.
It was not uncommon for me at the NSA as a private employee to write the same point papers
and sort of policy suggestions that I did as an official employee of the government
at the CIA. The problem with that is you got people who aren’t accountable, they’ve got
no sort of government recourse against them who are saying, “Let’s do this. Let’s do that.
Let’s put all this money in mass surveillance because it’ll be great. We’ll all get rich”
but it doesn’t serve the public interest. One thing you’ve seen recently is the government’s
gone and changed its talking points. They moved their verbiage away from public interest
into national interest. We should be concerned about that because when the national interest,
talking about the [sake 00:56:51] becomes distinct from the public interest, what benefits
the people, we are at a point where we have to marry those up where it gets harder and
harder to control and we risk losing control of a representative democracy.
Ben Wizner: So Ed, maybe let me ask you what will turn out to be a final question. In your
early interviews with Glenn Greenwald and Laura Poitras, you said that your biggest
fear was that there would be little or no reaction to these disclosures. Where you sit
now, how satisfied are you with the global debate that you helped to launch and do you
feel that it was worth the price that you paid in order to bring us to this moment?
Edward Snowden: One of the things that I told Bart Gellman was when I came public with this,
it wasn’t so I could single handedly change the government, tell them what to do, and
sort of override what the public thinks is [inaudible 00:57:59]. What I wanted to do
was inform the public so they could make a decision, they could provide the consent for
what we should be doing. The results of these revelations, the results of all the incredibly
responsible, careful reporting that by the way has been coordinated with the government.
The government’s never said any single one of these stories have risked a human life.
The result is that the public has benefitted. The government has benefitted. Every society
in the world has benefitted. We live in a more secure place, we have more secure communications,
and we’re going to have a better civic interaction as a result of understanding what’s being
done in our name and what’s being done [inaudible 00:58:52]. When it comes to “Would I do this
again?” the answer is “absolutely yes.” Regardless of what happens to me, this is something we
had a right to. I took an oath to support and defend the constitution and I saw that
the constitution as violated on a massive scale.
The interpretation of the fourth amendment had been changed [inaudible 00:59:14]. Thank
you. The interpretation of the constitution had been changed in secret from no unreasonable
search and seizure to “Any seizure is fine, just don’t search it.” That’s something the
public ought to know about. Ben Wizner: You can see behind Ed is a green
screen of… is that Article 1 of the Constitution? Edward Snowden: That’s correct.
Ben Wizner: “We the people”… There’s also another organization here that is also interested
in the Constitution. I’d be [re-missed 01:00:07] if I didn’t say to all of you that the ACLU
has a table 1144. I promise that it will not be all about surveillance. Please come and
say hi to us. If you’re not members of the ACLU, it’s cheap to sign up. We have ACLU
whistles, we have t-shirts that you can get with membership, you can talk to me and Chris
a little bit more about the other work that we are going and our ACLU colleagues. With
that, I’d like all of us to thank Ed Snowden for choosing this venue for this kind of conversation.
Edward Snowden: Thank you all very much. Thank you Austin