Sep 06 2013

So the NSA and their counterparts elsewhere, including Canada and the UK, are spying on us. I wish I could say the news shocked me, but it didn’t.

The level of secrecy is a cause for concern, of course. It is one thing for these agencies not to disclose specific sources and methods; it is another to keep the existence of entire programs secret, especially when these programs are designed to collect data wholesale.

But my biggest concern is that the programs themselves represent a huge security threat for all of us.

First, the NSA apparently relies on its ability to compromise the security of encryption products and technologies or on backdoors built into these products. An unspoken assumption is that only the NSA would be able to exploit these weaknesses. But how do we know that this is the case? How do we know that the same weaknesses and backdoors used by the NSA to decrypt our communications are not discovered and then exploited by foreign intelligence agencies, industrial spies, or criminal organizations?

As an illustrative example, imagine purchasing a very secure lock for your front door. Now imagine that the manufacturer does not tell you that the locks are designed such that there exists a master key that opens them all. Maybe the only officially sanctioned master key is deposited in a safe place, but what are the guarantees that it does not get stolen? Copied? Or that the lock is not reverse engineered?

My other worry is about how the NSA either directly collects, or compels service providers to collect and store, large amounts of data (e.g., raw Internet traffic). Once again, the unspoken assumption is that only authorized personnel are able to access the data that was collected. But what are the guarantees for that? How do we know that these databases are not compromised and that our private data will not fall into hands not bound by laws and legislative oversight?

These are not groundless concerns. As Edward Snowden’s case demonstrates, the NSA was unable to control unauthorized access even by its own contract employees working in what was supposedly a highly structured, extremely secure work environment. (How on Earth was Snowden able to copy data from a top secret system to a portable device? That violates just about every security rule in the book.)

So even if the NSA and friends play entirely above board and never act in an unlawful manner, these serious concerns remain.

I do not believe we, as citizens, should grant the authority to any state security apparatus to collect data wholesale, or to compromise the cryptographic security of our digital infrastructure. Even if it makes it harder to catch bad guys.

So, our message to the NSA, the CSE, the GCHQ and their friends elsewhere in the free world should be simply this: back off, guys. Or else, risk undermining the very thing you purportedly protect: our basic security.

 Posted by at 1:50 pm