Instead Soghoian emphasized that we need to focus on technologies that already exist and to discuss them in a non-threatening (he said boring) manner. Even the privacy and civil liberties arguments do not have any real effect. Most law makers are ok with giving up a few civil liberties or privacy in the name of national security and protection. Maintaining the privacy line simply gets our voice removed from the conversation. However, when you start to attack the systems that groups like the NSA, FBI and others want to put in place by showing how they can be used to attack systems or steal data it changes the playing field.
Suddenly you are speaking in terms they have been trained to look for. Yup, I said trained to look for. You see almost every day someone (typically a former Washington personality) will come by to tell them the latest doom and gloom stories about why Cyber is bad and how Congress must enact laws to allow law enforcement more surveillance powers. Because of talks like this they see the Cyber threat as the biggest threat to national security in… well forever. To make things worse, it is not just the defense contractors and the NSA that are pushing this agenda. As we have said (far too many times), copyright and patent holders are also pushing this agenda claiming that only through monitoring and data capture can we really keep our (the US’ ) intellectual property safe. When they are bombarded from two sides like this they incorrectly come to the conclusion that this must be real.
So how do we go about putting the NSA “on a diet” (as Soghoian says)? Well we start by pushing simple encryption to all traffic on the internet. By getting people to push SSL (https) connections and StartTLS for mail services we make the job of the NSA much harder. This is not as easy as it sounds though. In 2009 Google was pushing the claim that SSL slowed down your email and had no real benefit. This shows that most companies really did not want to put encryption on their systems and if they did have the option is was discouraged.
It was not until very recently (after Snowden released information on NSA spying) that companies began to change their policies. Much of this was to prevent the loss of customers and some was actually because they wanted to do the right thing. But there are still sites out there that are not using encryption either on the front end or between servers. This means that a lot of data will be sent in the clear over the internet and capturing that information is fairly simple for groups like the NSA.
So how do we get everyone to use SSL by default? Well there are a few interesting methods that work very well. One is called naming and shaming. This is where transparency reports show what services are using encryption for access and for email services. By “outing” companies that do not use encryption they may make the change or risk losing revenue from customers that move to more secure services.
Another is to make is something of a game. In much the same way that companies look to get a good rating with the BBB or other tracking services, companies will take the extra time to get a good grade for encryption and data protection. The last, is bribery. Soghoian joked that he once offered whiskey to a large site if they would make SSL their default. The site in question did switch to SSL and even referenced the offer of whiskey. From there he has received other emails asking about the same deal. Google has also offered to boost the search rankings of sites that use SSL. It is slow, but the message is getting out.
Lastly to get this going the message sent to Washington needs to change. The talk of privacy and civil liberties needs to be dropped even though we all know that this is what it is really about. The talk of “NSA-Proof” devices and software needs to stop as well. For one thing, there really is no such thing as NSA-Proof and for another that type of talk makes law makers very nervous. They see that type of technology as a threat and something that would only be used by criminals.
Soghoian says that our laws about search and seizure was primarily based on cases involving drug dealers and pedophiles. This means that if you are trying to hide something, you must be a criminal. Even per file or folder encryption has been listed as a bad thing as was having two cell phones. Yes we know that last one is very ridiculous, but it actually happened in a case.
So you can see why the message needs to be changed to one of security instead of privacy or NSA proof. It also needs to be related (in some way) to the Cyber threat. If you push a law that protects privacy but has the potential to let criminals get away with something it is going to be unpopular with the majority of law makers. Who would vote for a bill that could be viewed as strengthening protection for criminals?
So instead make it about security and protecting data. If you propose the use of encryption as a means to secure US interested law makers will line up behind that.
Technologies like TOR, Silent Circle, and others need to be recast as cyber security technology to make them friendlier. By doing these simple things we can create an internet where mass data collection becomes much more difficult and complex. It will never be impossible, but we can make it not worth the effort to try and collect on everything. We also all need to continue the push for everyone to use SSL. We have plans to move back to SSL in the next couple of months for both our main site and the form. No, not for a bottle of whiskey or anything like that, but because it is the right thing to do.
In our opinion, if anyone deserves a bottle of whiskey it is Chris Soghoian, after all he and other people at the ACLU are helping to push back on the train that is mass surveillance. I think that deserves a drink or two form the rest of us don’t you?
Tell us what you think in our Forum