‘Our Threat Model Has Changed’

PUNTA CANA–The golden era of bulk surveillance through the acquisition of phone records and other data from telecommunications companies may already be fading, but the larger threat to privacy and security is just beginning to emerge: the use of legal tools and coercion to get around encryption and other safeguards.

One of the main results of the NSA revelations has been that many of the major Web companies–including Google, Yahoo and others–have begun turning on encryption by default on their main properties. This has been a long time coming and it has happened mainly after a lot of public pressure from privacy advocates. But these efforts have been accelerated in the wake of revelations that the NSA has been gathering unencrypted communications between data centers owned by major tech companies.

Chris Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union, has been one of the loudest voices pushing for more encryption on the Web and pressuring companies to roll out SSL by default on their Web properties.

“The day that Google turned on SSL by default was probably a pretty bad day for the NSA,” he said. “But until we have end-to-end encryption, the FBI can still go to Google [and demand user data].”

The use of encrypted links for email services such as Gmail helps protect large swaths of communications, but Soghoian said that it only goes so far.

“If you take these companies at their word, they don’t provide bulk data. They don’t provide data on a million people at once, which is something that the backbone providers do,” he said during a talk at the Kaspersky Security Analyst Summit here Monday. “If you take them at their word, a world in which our communications are encrypted to and from Google is a world in which the government can’t do wholesale surveillance. That may be an end for now to bulk surveillance, but governments are going to have to respond.”

That response has already begun, in fact. One portion of it is the use of court orders and other legal methods to gain access to users’ data, whether at a service provider or elsewhere. This has been happening for years, long before Edward Snowden had ever leaked a single document. But Soghoian said that the government is changing the way it uses these tools and how often.

“Our threat model has changed. The APT powers of my government and your government and the Chinese government are not the biggest power. The most powerful tool the Department of Justice has is not the ability to hack but the ability to coerce,” Soghoian said. “You can fix the hack but you can’t patch away the coercion.”

As an example, Soghoian pointed to the Lavabit case. The company was a secure email provider used by Edward Snowden, and its founder, Ladar Levison, refused to comply with an FBI order to turn over the company’s SSL keys to aid the FBI’s investigation into Snowden’s actions. He ended up shuttering the company and is fighting in court further requests that he hand the FBI the keys, which would decrypt all Lavabit users’ emails, not just Snowden’s. Soghoian said the fact that the government is willing to go that far to get the emails of one user is concerning.

“We should assume the powers the government is seeking in the Lavabit case will be used elsewhere,” he said. “The precedent that the government can go to a private company and demand the keys to the kingdom to get at one user’s data threatens the entire Internet.”

To address the new threat model, Soghoian urged developers, engineers and security teams to build surveillance-resistant systems.

“We have to design our software and systems so that they can be resistant to this kind of coercion,” he said. “The software we built ten years ago, the software we built two years ago, was not built with this threat in mind.”