U.S. District Court Judge Richard Leon has found that an NSA program collecting telephone ‘meta-data’ is unconstitutional.
Although the ruling is stayed pending inevitable appeal, the impact on the debate on the US dirty war of drone strikes, imprisonment without trial and mass surveillance is likely to be profound.
For years, we have been assured that the NSA surveillance programs are ‘unquestionably legal’. Which of course was technically true in the sense that nobody was able to challenge the programs in court because the NSA denied they existed.
Judge Leon’s ruling strips away the cloak of legality from the NSA operations, for a time at least. It will be many months before an appeals court hears the case, and many more months before there is a ruling. The Senate will have to hold hearings on replacement directors of the NSA and national intelligence first.
It is likely that the 2016 presidential primaries will be in full swing before an appeals court ruling is handed down. The NSA programs are unpopular with the base of both parties. Even Republicans hate police state powers when there is a Democrat in the White House. It is hard to see any candidate winning the nomination after leaping to the defense of the wiretap programs. However much they might want to exercise those powers if elected, they will have to oppose them first.
Morale at the NSA has collapsed. Job applications are down by a third, and retention has suffered too. Having worked for the NSA is no longer quite the capstone to a resume that it was before the Snowden leaks. As Jim Bidzos, the founder of RSA Laboratories and now CEO of VeriSign Inc., once said to me, “There is no such thing as an ex-NSA employee.”
The Snowden leaks are a triple whammy for the NSA. First, the targets of the programs are deploying countermeasures. Second, other governments are rapidly expanding programs against US targets to match perceived NSA capabilities. Third, the agency needs to figure out how they were rolled by a 29-year-old system administrator using basic techniques that a competent agency would have detected.
Until the Snowden leaks, my chief cyber-warfare fear was that the US generals, the Russian generals and the Chinese generals would find a way to start a cyber arms race. Not content with spending 600 billion dollars a year to fight on sea, land and air, the military would bleed another 200 billion a year from the country to fight in cyberspace as well. That is going to be a much harder sell for the militarists now, post Snowden’s leaks.
The dirty little secret of cyber security is that it costs much less to defend than attack, and that robust strong defenses are entirely practical. The reason that current computer systems are vulnerable to attack is that they are badly engineered and strong cryptography is too hard to use.
Most of my customers spend tens of millions of dollars on ‘quick fix’ security products like firewalls and anti-virus systems, but they still run Windows XP despite knowing that it is insecure and long past its original planned life. In the federal government the situation is even worse: many government systems still run Windows NT 4.0.
Running up-to-date applications on an up-to-date operating system provides protection against the vast majority of malware and penetration attacks, but does not provide protection against network interception. The only way to protect against such attacks is to use strong cryptography.
One of the consequences of the Snowden leaks is a renewed interest in putting strong cryptography in the hands of ordinary Internet users, and raising the bar for security in Internet and Application Service Providers. The IETF and World Wide Web Consortium, two bodies that set standards for the Internet and the Web, are working on proposals to achieve this goal. This is the work I am currently spending most of my time on.
But one cloud that has hovered over these efforts has been the possibility that the government would attempt to disrupt these attempts with the same bullying legal tactics that were used to discourage distribution of PGP in the early 1990s. When I first met PGP creator Phil Zimmermann, he was under a federal indictment for an alleged breach of the Arms Export Control Act by distributing PGP outside the US.
The NSA and FBI lost that fight, at least as far as the public record is concerned. The US government has even supported projects to bring strong cryptography to the masses. But in the months since Snowden, I have been hearing once again that offering products with strong cryptography that do not provide a backdoor for ‘Lawful Intercept’ is illegal. One very well known open source guru even accused me of ‘treason’.
For the next few years at least, Judge Leon’s ruling is going to give a lot of cover for those of us who believe that providing people with strong cryptography is legal and necessary, and that it is the activities of the NSA and the government that are unconstitutional and therefore illegal.