By J. Evan Noynaert, Assistant Professor of Computer Science, Missouri Western State University
This was a short week at Techdirt thanks to the Labor Day holiday in the United States. Even though it was a short week, we may eventually see it as a pivotal week in the emerging NSA revelations. We started seeing some push-back against the scope of the snooping when we saw the author of the Patriot Act, Jim Sensenbrenner, and members of the Church Commission tell a court that the NSA had gone too far. Even more surprising is that they did it in support of an ACLU lawsuit (and Sensenbrenner’s brief was with the EFF); the NSA/FISA scandal is making strange bedfellows. The government continues to face push-back from other sources. Some of these were symbolic, such as the Brazilian President’s threat to cancel a US visit over NSA spying. She also backed it up with a threat to cancel four billion dollars’ worth of contracts with US companies. That is just the sort of thing that tends to get real attention in Washington these days.
And apparently the scandal is getting some attention in the Obama administration as well as in the NSA itself. The NSA review board is now accepting comments on aspects of the scandal that the rest of the NSA won’t even acknowledge. The White House CIO seemed to be refuting the claims that we shouldn’t worry because “just metadata was collected.” He gave a great explanation about how much can be revealed by “just metadata,” especially if you collect vast quantities of it. Even President Obama got in on the act by wavering ever so slightly. True, he is still in denial about many aspects of the situation, but the acknowledgment that we may need some changes is at least a glimmer of hope. So the administration as a whole seems to be entering the schizophrenic phase of policy development. It is going to be interesting in the coming weeks to see how they resolve the issue. We can hope that they come down on the side of openness, but there is still a great danger that they will manage to gag the dissenters and go back to stonewalling.
I had a real dilemma when Mike asked me to write this week’s favorites. I didn’t have a favorite post for my “Favorite Posts” post. Then I awoke to my salvation. Mike published “Online Security isn’t Over; It’s Just Beginning.” It is the call to arms that we need. Mike quoted Micah Lee:
Giving up and deciding that privacy is dead is counterproductive. We need to stop using commercial crypto. We need to make sure that free software crypto gets serious security and usability audits.
If we do this right we can still have privacy in the 21st century. If we give up on security because of this we will definitely lose.
The NSA scandal should be a wake-up call to everyone involved in technology (basically everyone). There are things we can do now. We should probably start by assuming that every commercial cryptography product has been compromised. Every commercial operating system is suspect. The NSA seems to have gotten backdoors introduced into just about every major commercial security product, including many that are not from US-based companies. We have to assume that if the NSA can get in, then so can others. Apparently one of the NSA’s surprises when they bugged the UN was that the Chinese were already there. Perhaps the most troubling thing about the NSA’s methods is that they preferred to have backdoors installed in the software. An NSA backdoor makes life simple for the NSA. But backdoors almost always compromise the security of the software overall. Backdoors can often be opened by others; they are one more lock that can be picked by an intruder. Backdoors also tend to be patches on existing security systems. Given the fine-tuning that goes on in the design of security systems, tacking on a backdoor often involves some sloppy methods that give attackers additional soft spots that can be exploited.
If people start turning their backs on commercial security solutions they will probably have to embrace some of the excellent open source security solutions. It is much harder if not impossible to build backdoors into software that the open source community obsesses over as it goes line-by-line through the code. But that’s not to say that open source is fully safe. I will admit to being one of the conspiracy nuts who has been concerned that the NSA has influenced the development of some protocols and has managed to sneak in some subtle tells and weaknesses. The open source community needs to revisit all of its software systems and look for hidden weaknesses and vulnerabilities. Techdirt has been calling for rebuilding the Internet since at least 2003. This brings me to my penultimate favorite article of the week, “The US Government Has Betrayed the Internet; It’s Time to Fix That Now.” The title aptly sums up our current situation. The US Government has betrayed the Internet as well as the Constitution, the Bill of Rights, American Citizens, and our allies. The easiest to repair of all those betrayals is the Internet. As technology leaders we can start that process now. Ironically, the NSA has served up the perfect opportunity to make it very difficult to spy on the Internet.
So it will be interesting to see what will come in the week ahead. One thing surprised me as I looked back through the week’s posts: we hadn’t heard from Team Prenda, and it felt like we really needed that kind of comic relief. Thankfully, just as I was finishing this post, Team Prenda delivered.