If you’re looking for silver linings among the Snowden leaks and the breadth of the NSA’s surveillance activities, they could be found in two things: 1) the math upholding encryption technology is, as far as we know, solid; and 2) Tor apparently drives the U.S. spy agency batty.
“I’m surprised,” said Matt Blaze, cryptographer and professor at the University of Pennsylvania, “at how few of the NSA’s secrets relate to how to break cryptography.”
Aside from that—and recent revelations that the NSA has had relatively little success monitoring individuals who communicate and move online using the Tor network, going to far as to create a top-secret internal presentation called “Tor Stinks,”—there doesn’t seem to be much making technologists smile these days.
Blaze was one of five experts on a technology panel Wednesday during a daylong Cato Institute program on NSA surveillance. The panel, which included Karen Reilly of the Tor Project, David Dahl of SpiderOak, Jim Burrows of Silent Circle, and Chris Soghoian of the ACLU, cast technical scrutiny on the NSA’s activities and its impact on trust in technology and the Internet’s ability to securely support communication and ecommerce.
Senator Ron Wyden, D-Oregon, beat the economic drum early in the day with a passionate keynote drumming up support for his bipartisan bill he hopes will end bulk collection of Americans’ phone records by the NSA as well as bring about surveillance reform. Wyden also pointed out that he’s had conversations with major business leaders concerned about the economic impact of the NSA’s alleged subversion of security technologies and the relationships it has with large telecommunications and Internet companies in terms of long-term access to customer data.
“Policy makers who sign off on overly broad surveillance programs should be thinking about the impact on American jobs and trust,” Wyden said. “Trust is so important for American companies to have around the world. They don’t have this trust by osmosis, but it was earned over the years through solid business practices.”
Soghoian pointed out that companies such as SpiderOak, which provides a secure backup service, and Silent Circle, which provides a secure phone service, are in a unique position because they are differentiated by the security and privacy features in their products. Silent Circle recently shuttered its email service rather than someday be compelled to hand over customer data to the government; its decision came on the heels of Lavabit’s decision to close its doors. Lavabit was a secure email provider as well; it was used by Edward Snowden, and rather than turn over private keys to decrypt the whistleblower’s emails, it decided to close its doors permanently.
“The U.S. is a leader in small businesses providing secure communications services,” Soghoian said. “When the U.S. government compels a Lavabit to comply, it’s a death sentence. Comply, and your reputation is destroyed. Secure communication services are under threat. We should want this part of the economy to grow.”
The NSA is accused of subverting encryption standards, injecting themselves into the development of such standards by participating and contributing to the National Institute of Standards and Technology (NIST) and then weakening standards deliberately, or going so far as to inject backdoors in order to access communication later on. It has also been accused to similar activity with security software and hardware, planting backdoors in code and hardware in order to maintain perpetual access and surveillance to those products.
Soghoian implored journalists with access to the Snowden documents to reveal secrets that have so far been redacted, likely done in cooperation with the government.
“The things we need to see are the sources journalists need to keep secret—the names of the algorithms that have been subverted. The names of the companies the NSA has subverted and sabotaged products,” Soghoian said. “We need to know this to protect the public.”
Soghoian said top secret slide presentations released to the public by the Guardian redacted the names of two VPN chip manufacturers that had been backdoored by the NSA and GCHQ.
“We want to know which are backdoored in order to protect people,” Soghoian said. “Those are things journalists feel they must protect.”
Tor, meanwhile, is standing up as a reliable medium. Being open source, Reilly said, forces users to trust the code rather than the people behind it. She stressed that the premise behind how Tor operates remains sound despite the modest success the NSA revealed it had in tracking a small number of users.
“We will add more cryptography between relays soon, but I’m confident the distributed trust model will continue to work and be adopted by more technologies,” Reilly said.
Burrows, meanwhile, said he took great joy in the NSA’s struggles with Tor.
“Yes they have methods for getting at certain people occasionally, but even they say Tor works and it’s held up,” Burrows said. “And that it’s held up to them pleased me more than anything else.”