Taking back the Internet
Christopher Soghoian believes the industry will take on the forces of government surveillance, and win.
Although government surveillance holds an overwhelming advantage against privacy advocates, there is a glimmer of hope. Privacy advocate Christopher Soghoian predicts Internet companies will evolve to keep unwarranted surveillance at bay, strengthening privacy without compromising the essential requirements of law enforcement or intelligence.
The security engineers at Facebook, Google, Microsoft, Twitter... They're really upset.Christopher Soghoian
At a time when many feel helpless against state surveillance, Soghoian is surprisingly upbeat. He predicts the industry will undergo - is already undergoing - a rapid evolution, to emerge stronger and healthier than ever. His is a contrary stance. A defeatist air hangs over many security professionals: they've been beaten and they know it. After years of fighting rear-guard actions against insiders, hackers and organised criminals, they finally know they face an adversary beyond their means: their own governments. Last month, Charlie Miller, himself an ex-NSA analyst, told Brainstorm bluntly: "If the NSA wants to hack into my computer, there's nothing I could do about it and there's no way I would even know."
But the industry is angry, Soghoian says, and gearing up to defend itself. The public outrage over Prism et al will fade, but the engineers are taking on the fight with gusto.
"Regular people don't choose their secure communications technologies. They just sign up for Facebook. So it doesn't matter if the man on the street hasn't been keeping up to date, because the engineers at these companies are furious. The security engineers at Facebook, Google, Microsoft, Twitter...they're really, really upset. They're upset that the NSA and its partners have been exploiting vulnerabilities in their products. They're upset that things they thought were off-limits to the government have apparently been targeted. And they're not going to just sit there; they're doing something about it. And what they're doing is improving the security of their products, locking them down and making them safer. And that means that the hundreds of millions of people who rely on Facebook and WhatsApp and Twitter automatically get a more secure communications experience without having to lift a finger."
However, there may be profound changes to come in the way services are delivered, he warns. "The problem is that the business model employed by these companies is one of free services in exchange for ads. So they have an incentive to collect and retain as much data about their customers as possible so they can serve ads more effectively. In the US, where most of these companies are based, we actually don't have a law requiring companies to retain data. They can retain as much or as little as they like. But anything they do retain, they can be forced to give to the government.
"So there's a symbiotic relationship between the surveillance agencies and the companies: their business model makes surveillance easier. I think that's something companies haven't been comfortable acknowledging, but it raises two questions: is it financially sustainable and is it politically sustainable? I think consumers are willing to pay, say, $2 a month for e-mail." WhatsApp, recently acquired by Facebook, has been a notable example of a company that adamantly refused to rely on advertising, instead charging a tiny annual fee across its massive global userbase. "So I do think there's a business model to charge for cloud services," he adds," but companies have been loath to disrupt their existing businesses. There's no way to pay for Facebook right now, even if you wanted to."
Change is inevitable, and simply a factor of basic economics, he says. "Fixing some of these problems takes engineering time, it takes money. And ultimately the purse strings are controlled by executives, not engineers. But I think after having the names of Google and Facebook and Microsoft put on front pages of newspapers after Prism was revealed, with the slide showing the assistance of these companies, I think the chequebooks have come out and the security teams basically now have a blank cheque to improve security. I don't think the executive team at Google, for example, cares how much it costs to be able to tell their customers that they're doing everything in their power to secure their products."
Indeed, many of the companies Soghoian mentions have been taking active measures already. Major cloud hosts including Google and Microsoft have taken steps to encrypt their inter-datacentre traffic to thwart interception. Many internet services have moved to using more expensive encrypted connections by default, or switching off unencrypted options entirely. Even if the public outcry around interception dies down, Soghoian believes the engineering momentum within the major firms will continue.
Meanwhile, there are legitimate reasons for intelligence services to operate the way they do, and for law enforcement agencies to intercept communications. Soghoian stresses that stronger security will not change that. "Governments have existing legal channels to approach companies, and they can continue to do that. But they have additionally been secretly taking advantage of and exploiting basic security flaws to harvest even more data without the knowledge or consent of the companies. Legal teams will continue to sign off on case-by-case surveillance, but the bulk exploitation is what's got them pissed, and that's what's being fixed. And the NSA won't go blind - they'll continue to attack legitimate targets. They will hack phones and laptops and break into houses: the things spies do, the things they've always done. But blanket surveillance of innocent people can become a thing of the past."
First published in the May 2014 issue of ITWeb Brainstorm magazine.