The best answer to PRISM’s abuses is strong cryptography in the hands of the public

Trying to make sense of the official pronouncements about the National Security Agency’s PRISM program is like trying to nail Jello to a wall.

First, a quick primer.  PRISM is a highly classified NSA program whereby the computer servers of nine Internet companies, including Microsoft, Yahoo, Google, Facebook, Skype and YouTube, are tapped by the US government. We now know that the disclosure of PRISM’s existence came from disgruntled NSA contractor Edward Snowden.

Now back to the confusion that is the official response to PRISM going public:

  • Snowden, we are to believe, is a terrible person: dishonest, disloyal and a traitor to boot. But we can nevertheless have absolute confidence in the NSA wiretap program, the honesty and integrity of the people who run it, and the safeguards that would prevent anyone abusing that trust.
  • The administration welcomes the debate on PRISM, but is committed to making sure that the person who made that debate possible spends the rest of his life behind bars.
  • Congress is outraged that the administration would make use of the powers granted by Congress in the PATRIOT act of 2001, and the subsequent renewal in 2011.

Easier to make sense of than the evasions, are the outright lies:

In March, at an open congressional hearing, Sen. Ron Wyden (D-Ore.) asked Director of National Intelligence James Clapper a simple question: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper said the NSA does no such thing. We’ve now seen pretty obvious evidence to the contrary.

When NBC’s Andrea Mitchell asked Clapper over the weekend about the exchange, he said the question was “not answerable necessarily by a simple yes or no,” so he “responded in what I thought was the most truthful, or least untruthful, manner by saying, ‘No.’ “

And then there is Rep. Peter King, who only last month was calling for Holder to resign for merely obtaining a court order to get the telephone records of a reporter who had published leaked intelligence. Yet, this week King is calling for Greenwald to be prosecuted for reporting the Snowden leaks.

Greenwald’s response is classic, pointing out that King lied when he accused Greenwald of threatening to leak the names of CIA agents, and that he was not going to take lessons in National Security from a supporter of the IRA.

The Rosetta Stone in the British Museum (photo by Hans Hillewaert)

The Rosetta Stone in the British Museum (photo by Hans Hillewaert)

While these phenomena may appear to be contradictory and inconsistent, they are all explained by a simple model: Whenever a bureaucrat talks about ‘damage to national security,’ they actually mean ‘inconveniently revealing truths that embarras us’. And congressmen like King simply say whatever they think will make them popular at that moment, regardless of consistency with their earlier statement,s or whether it is true.

I don’t hold a security clearance, and I have never been on the NSA payroll as either a contractor or an employee. But I work in information security, and it is impossible to work in the field at a high level without interacting with the NSA at some point.

One of the biggest myths being peddled regarding PRISM is the notion that the NSA only spies on bad people. Anyone saying that is either ignorant of what they are talking about, a liar or both. Intelligence agencies exist to gather information, and to get information you spy on people who you think might have the information you want.

During the 1990s, the civil field of information cryptography was engaged in a long struggle with the NSA and FBI to enable the use of strong cryptography in network applications such as the Web browser you are using to read this post. These events are known in the field as ‘the cryptowars’. They began when a Federal grand jury began hearing evidence that Phil Zimmerman had violated the export control act by publishing PGP on the Internet, and ended with the launch of Windows 2000, that contained strong cryptography without a back door access mechanism.

During the cryptowars we were attacked in the same terms that Snowden is being attacked today: You are helping terrorists, organized crime, and pedophiles.

Zimmerman spent three years under threat of imminent prosecution. Twenty years later that same strong cryptography is the reason we can shop on the Web and bank online at home. And while President Obama is asking for targets to cyber-attack, my focus is on working out ways to defend critical infrastructure at home. Without water, sewer and electricity, New York City would become a major public health hazard in days. We live in an awfully big cyber-house to start throwing cyber0stones. Even the NSA now agrees that strong cryptography is essential to our cyber-defense.

The NSA was founded on the belief that control of information was vital to national security. The NSA has a dual role, to help the US government protect its own information and to learn as much as possible from everyone else. The Web is founded on the exact opposite principle: To put people in control of their own information. I first got involved in the Web in 1992 because I didn’t think that Rupert Murdoch, a conservative Australian press baron, should be the person deciding who governs Britain. Securing the Web means putting users, not governments, in control of who sees their data.

We don’t yet know how much of a threat PRISM is to civil liberties, and it is quite likely we will never know. According to one report, PRISM is a highly targeted lawful intercept program in which Google, Facebook et. al., release information in response to a court order by means of a Secure FTP connection. According to another, PRISM is a covert program that has established direct connections to the Internet exchanges into which the major data centers connect.

It is quite possible that both reports are correct, and two programs were given the same code name to confuse the issue in case of discovery. If people really want to chase white rabbits, perhaps the whole scheme is a cunning 11th dimensional chess plan devised by Obama to trick the GOP into repealing the PATRIOT act out of spite.

As a result of all of this, progressives will press for repeal of the PATRIOT act.  And even though the next extension in 2015 is almost certain to be approved, it will certainly be a more costly process for the administration than the last renewal.

But even if PATRIOT is modified or repealed, what one Congress does can be undone by the next. And the George W. Bush has proved that an administration can still wiretap without warrants, and even commit torture with impunity.

Repeal of PATRIOT is highly desirable, but the solution is to put strong cryptography into everyone’s hands in a form that draws the fangs of the NSA for good.

Share This Post

  • http://open.salon.com/blog/bill_michtom michtom

    Since these surveillance programs are justified because they supposedly protect us against terrorists, the answer should be to change the US policy that creates terrorists: attacking and invading Muslim countries, supporting dictatorships in Muslim countries.

    This was realized by the Pentagon nine years ago http://www.fas.org/irp/agency/dod/dsb/commun.pdf
    “American direct intervention in the Muslim World has paradoxically elevated the stature of and support for radical Islamists, while diminishing support for the United States to single-digits in some Arab societies.”

    Everything else is bullshit.

  • perljammer

    The invulerability of a one-time pad, of course, depends on using each pad ONE TIME. That’s why they’re called ONE-TIME pads. The Russians screwed up by re-using pads. Even with that colossal screwup, only about one percent of the intercepted messages were even partially decrypted.

    No one has ever “broken” properly executed one-time pad encryption. Not ever.

  • Dr. Evil

    Do a web search for VENONA. The Russians were using one-time pads to encrypt espionage during the Cold War. They found out the hard way how hard it is to run one-time pads. Our friends at NSA were routinely reading their one-time pad traffic because they are REALLY hard to manage.

    One time pads were invented in 1917 by AT&T Labs and were broken in 1925 by NSA’s ancestor.

  • Dr. Evil

    There is a much simpler way to deal with this issue: chaff. Generate TONS of truly random information (this is easily done with true noise sources like reverse biased diodes or clock jitter), then send messages around the network with this random content. If enough people do this (think Seti at Home), the volume of useless traffic will be so large, the real information will be hidden in the weeds. The codebreakers will have to spend their efforts looking at the gibberish, because good Crypto is indistinguishable from a random bit stream.

  • http://www.booksbyoliver.com/ MountainHome

    We can encrypt all we want, but the NSA computers will easily decrypt any software if not the company selling you the encryption software hasn’t already sold it to NSA. The solution is for American to come together and demand their privacy back from the govt.

  • perljammer

    Clearly not “pretty well impossible”, as one-time pads had been in use for many, many years before computers even came along. Perhaps you’re confusing “impossible” with “inconvenient”. As to cypher keys as long as your cleartext message — in this day and age, generating a sequence of random numbers of any length borders on the trivial.

  • KNotere6488

    Strong cryptography is merely a
    fresh challenge to a younger generation of hackers. Privacy is best
    protected by not posting it. Now tell me this, how can 1.4 million
    Americans with security clearances be keeping anything secret? That’s
    just another smoke screen. There is no security, let alone any real
    chance of privacy. If it’s a secret, don’t tell it. Certainly not on
    line! Goodness sakes! And what’s more, Snowden was not an NSA
    contractor, he was a subcontractor to a contractor, for accuracy sake.
    The fault lies not in the stars nor in the public nor even in the
    hateful Patriot Act but in the astonishing laziness of the hiring system
    that put Snowden in an information-sensitive job in the first place.

  • MyrddinWilt

    They have been trying for 20 years without success.

    Strong crypto is too widely spread for control to be viable. And the banking industry depends upon strong crypto for its infrastructure.

  • MyrddinWilt

    Yeah, emphasis on ‘proper’.

    Problem with a one time pad is it is pretty well impossible to use in any practical situation as you have to work out a way to securely transmit your cipher key and that is as long as your plaintext.

  • MyrddinWilt

    That is not quite correct because of an effect called ‘exponential work factor’.

    If we have a symmetric cipher with a 64 bit key then it is at the edge of what is currently crackable using existing hardware.

    Let us imagine for the sake of argument that we change the encryption algorithm to use a 65 bit key. That represents a negligible increase in work factor for the party doing the encryption but we have doubled the work factor for the attacker.

    Lets go to a 72 bit key, the attacker’s work factor has gone up 256 times. That is over a decade worth of Moore’s law. Commercial crypto starts at 128 bits which is 16 billion, billion times harder to break but only takes the defender twice as much effort as 64 bit encryption. And if you need more you can go up to 256 bits without difficulty.

  • trinu

    Hacking and code-breaking are different. Cryptography does not have backdoors. Codes can be broken of course, but even the NSA probably doesn’t have the resources to break 256 bit AES on a large scale, so if say a 3rd of the country were to begin encrypting our email, they’d probably be forced to focus their efforts on people who are actually suspicious, and not everyone on the internet.

  • Indigo

    Strong cryptography is merely a fresh challenge to a younger generation of hackers. Privacy is best protected by not posting it. Now tell me this, how can 1.4 million Americans with security clearances be keeping anything secret? That’s just another smoke screen. There is no security, let alone any real chance of privacy. If it’s a secret, don’t tell it. Certainly not on line! Goodness sakes! And what’s more, Snowden was not NSA contractor, he was a subcontractor to a contractor, for accuracy sake. The fault lies not in the stars nor in the public nor even in the hateful Patriot Act but in the astonishing laziness of the hiring system that put Snowden in an information-sensitive job in the first place.

  • http://adgitadiaries.com/ karmanot

    yep

  • http://adgitadiaries.com/ karmanot

    Thanks

  • Dave

    Encryption in the hands of the general public will be illegal in the not too distant future.

  • Naja pallida

    Just when we thought the surveillance state wasn’t bad enough, now they’re trying to hide provisions for it in the new immigration bill, without even bothering to consider the wide-sweeping consequences.

  • perljammer

    You don’t need a math degree or, really, any specialized knowledge. If you can reliably add and subtract two numbers between 1 and 26, you’re good to go. There are lots of books on the subject; heck, there’s even a youtube video (http://www.youtube.com/watch?v=FlIG3TvQCBQ).

  • Whitewitch

    “11th dimensional chess plan devised by Obama to trick the GOP into repealing the PATRIOT act out of spite”

    If only this were true! I would take back every mean thing I said about the President and label him the Spock of our time.

  • nicho

    As the corporate saying goes, “We don’t have to spend all our money. We just have to make them spend all theirs.” That’s how they win — over and over and over.

  • jixter

    OK, Myrddin; are you going to continue by cluing us in on what to do next and how, exactly, to do it or are you going to leave us hanging? Many of us have heard about the Tor Project and some of us may have actually downloaded and tried it but how is anyone to trust that it – and others like it – aren’t run by our government?

    Good post! I apologize for the seeming paranoia, but you just never know anymore …

  • http://adgitadiaries.com/ karmanot

    Some years back we had exactly the same thing happen out here in wine country, where fiber optics had yet been installed to handle the enormous volume of business calls. Our little company had to shop around for a carrier and AT&T was it. Our $200.00 monthly bill went up to $1400.00 one month and half the bills were originated from South America and Mexico. We were never able to understand or get an explanation why. We fought that bill for two years all the way to the State level, and became part of State hearing on abusive tela practices and fraud. With AT&T we hit a glass ceiling of liability and simply were not able to hit the big bucks legal. There about a dozen of us who were impacted and AT&T trampled us under.

  • http://adgitadiaries.com/ karmanot

    How do the common lot of us figure out how to do that pj?

  • http://adgitadiaries.com/ karmanot

    If history shows us anything, it’s that these secret surveillance powers only grow and become oppressive in time and are antithetical to democracy. America seems to be in the stages of its own Stasi . It doesn’t take much for me to imagine it starting with Teabag kooks spying and reporting their neighbors, kids against parents, employees against management and so on. All this was started by tTuman and put on steroids by Bush/Cheney/Obama. If it isn’t stopped and I doubt it can be now, democracy has finally drowned in the bathtub for which the Republicans have openly wished.

  • bejammin075

    I bet the NSA can also hack into and turn on just about any listening device and just “listen” to what’s going on, when they desire to do so. Like any microphone on any internet connected computer, or any cell phone. With a cell phone, besides the old-fashioned type of wire tap that listens to a call, they can just listen, even when you are not making a call. Same goes for cameras on phones and computers.

  • perljammer

    This is patently false. Proper one-time pad encryption is literally impossible to crack.

  • nevilleross

    All that can be done by most U.S. citizens is to vote out both parties in the next election, and to put in the Greens or the Socialists (maybe not as POTUS, but at the level enough to block things in the House and the Senate like PATRIOT and this PRISM program.) And when I say ‘vote’ I don’t mean just that only; you all have to work at getting these parties into the House and Senate, not just doing what the American left usually does (protest, protest, protest) since all that does is just get you manhandled by cops and regarded is ‘dirty Commies’ anyway.

  • S1AMER

    Uh, any code or encryption scheme devised by human, even very smart humans with very powerful computers, can be undone by other very smart humans with very powerful computers.

  • trinu

    The metadata limitation is for phone calls. For internet communications like email, they’re looking at the actual content. At any rate, you can encrypt portions of the header, although obviously things like the email address and you IP address would be in plaintext.

  • goulo

    Cryptography is indeed useful and good, but unfortunately not a full solution to privacy abuses and violations. E.g. as more and more people photograph and put photos online, for example – especially if Google Glass becomes popular and automatic facial recognition improves- organizations like the NSA have many ways of tracking people and gathering useful information about their travels and visits without directly reading the people’s email and listening to their phone calls.

  • nicho

    I’m not sure that encryption is the answer — or at least the whole answer. What the NSA is collecting is “metadata.” They say they don’t have the content of your phone call, but they know what number you called from, what number you called, and how long you talked on which date. For email, again they say they don’t have the content (ha!) but they do have the IP address, the make and model of your computer, all of the headers of the email, etc. For Facebook, they have everything there you make public. And so on and so on.

    Let me explain — with a true story — how this could be dangerous. Back in the ’90s up to the spring of 2001, I had AT&T as my long distance carrier (remember those?). In the spring of 2001, I moved across country. Before I left, I settled up with AT&T (or so I thought), canceled my service (or so I thought), and gave them my forwarding address (again, so I thought). Then, I thought no more of it.

    Five years later, out of the blue, I got a bill from AT&T for $700 or $800. At this point I had a different long-distance carrier. I looked at the bill, realized that the first three or four calls were to numbers I would have called and were all prior to my move. The rest of the calls, all subsequent to the move, were to Pakistan and some of them were quite lengthy.

    Why did it take AT&T so long to send me this bill. Because I moved and never left them a forwarding address, they claimed. I never closed the account, they claimed. I owed them a lot of money, they claimed.

    It took me forever to convince AT&T that I didn’t make those calls. They insisted I did. I had to escalate it level after level before they agreed that the calls weren’t mine. In the end, I think I just wore them down and they didn’t really believe I didn’t make the calls — even though they were made from a phone 2,500 miles away. “Maybe you went over and made the calls one day and forgot about it,” one of them suggested. Oh yeah, I jumped in the car, drove 2,500 miles, made a 45-minute call, and drove 2,500 miles back — and it slipped my mind.

    Now, suppose the numbers in Pakistan that were being called belonged to a terrorist. Under the hysteria of the moment, I could have been scooped up and bundled off to Gitmo without anyone even knowing where I was. I wouldn’t have had access to a lawyer. I probably could have been tortured and, being the wuss that I am, would have told them whatever they wanted me to tell them. AT&T — again succumbing to the hysteria — would have continued to insist that I made the calls. I could very well be on a hunger strike right now in Gitmo — all because of some entry-level data clerk at AT&T and the massive spying by the NSA.

© 2014 AMERICAblog News. All rights reserved. · Entries RSS