Christopher Soghoian: Governments subvert trust
The US government believes it can go to any tech company, and demand information that would ultimately destroy the company, for example if the company had promised its customers security and encryption. This is really chilling, regardless of your view on surveillance, or the NSA.
So said Christopher Soghoian, principal technologist and policy analyst with the American Civil Liberties Union, at the ITWeb Security Summit 2014 this morning.
He said that prior to 2010, it was easy for the NSA to passively intercept Internet communications because few companies bothered to encrypt data sent to and from their servers. "Governments gorged themselves on the never-ending buffet of people's most personal information."
However, in January 2010, Google adopted HTTPS, and began to encrypt its Gmail communications using the Secure Sockets Layer (SSL) protocol, with companies such as Twitter, Facebook, Microsoft and others slowly following suit.
This meant that the government had to work a little harder. However, he said that it was only after whistle-blower Edward Snowden's revelations of the extent to which the NSA had been collecting information that many of the larger Web service providers, such as Yahoo and LinkedIn, began encrypting their Web communications with users.
"Encryption is commonplace now," Soghoian added, "largely because of Snowden. Whatever you think of him, patriot or traitor, there is no question that the Internet is more secure today than it was before his revelations. Snowden has pushed the tech companies to improve their security. What is clear, over the last year, Silicon Valley companies have tightened things up a bit."
He warned that shrinking opportunities to collect data from users will only lead to government agencies putting greater pressure on technology businesses to hand over their customers' data.
"Google receives thousands of surveillance requests a year, and Microsoft, Yahoo, Google, FB, PalTalk, YouTube, Skype, AOL and Apple have all had data collected from them by PRISM, the NSA's covert mass electronic surveillance data mining program."
He added that tech companies want to be the sole source through which the community and law enforcement can get their users' information. "They don't want the state going through Verizon or other network providers, for example. It would seem that the tech companies are ok with targeted, non-dragnet surveillance. The government can come through the front door, but they are not crazy about them using the back door.
"Why aren't Google's mails encrypted?" he asked. "Turning on HTTPS didn't cost it anything, it could still mine all our data. It is, after all, a marketing company. Methods that would actually protect our information from Google, the company would never allow."
He says this is a problem, because as a business, the only thing you are selling is trust, and the state can subvert that trust.
Soghoian cited Lavabit as an example. The company was in business to offer e-mail, but received an order to release its encryption keys to the government. It had 400 000 users, and the government was looking for information on only one. Lavabit shut down its service rather than comply. However, for many companies, shutting down is not an option.
"It should be terrifying that the government can actually do this to a company," Soghoian concluded.