“Encryption is defense against the Dark Arts,” National Security Agency leaker Edward Snowden said via Google Hangout to an audience at South by Southwest in Austin, Texas, on Monday. Snowden and the second panelist, Chris Soghoian, as well as moderator Ben Wizner (both from the ACLU), each began the discussion with the same assumption: that mass surveillance is inherently bad.
Why, Wizner asked, had Snowden chosen to make his first public remarks since fleeing the U.S. to a tech festival, rather than, say, a policy community in Washington D.C.? Snowden responded, “There is a policy response that needs to occur. There is also a technical response that needs to occur.”
Here, I’ll break down the SXSW panel’s technological solutions to the problem of mass surveillance.
Change how companies store data
“South by Southwest and the technology community, the people in the room right now, are the people that can fix our technical standards,” Snowden said during the panel. “The people in this room, you are all the firefighters.” The fire in question is mass surveillance, and Snowden’s immediate solution to the government appropriation of private information collected by technology companies is to change how companies store their information and relay it between users.
The obvious solution, put forth by Wizner, Snowden, and Soghoian, is more and better encryption—to securely send information only from point A to point B without anyone reading it along the way. The problem is that for companies like Google, which make money through advertising, there is incredible value to reading the content of that email. Gmail, simple and straightforward as it is, comes at the price of some privacy.
This is the general bargain of the internet. Giants like Google, Yahoo, and Facebook provide simple and straightforward services to users in exchange for their information. Users get a simple system they can use, and companies get data they can sell to advertisers. It’s also where mass surveillance starts, as the information is collected in bulk and held in servers belonging to the private companies. When news of the NSA’s PRISM program broke last summer, the scandal wasn’t just the NSA’s collection of data—it was the revelation that companies were handing it over.
The case of Firefox vs Chrome
The panelists acknowledged the irony of using a Google Hangout for a discussion of eroded privacy. Soghoian said people have to “choose between easy to use, reliable and polished, versus tools that are hard to use and very secure. Rational people choose bundled tools because they are easy.”
Soghoian noted that there is a tradeoff between protecting oneself from targeted surveillance and keeping one’s personal information private, saying “a privacy-preserving experience might not be the more secure one.” He said he was “constantly torn” between Firefox, which is a more private browser and so better at protecting a person from mass surveillance, and Google Chrome, which is more secure from targeted attacks.
On its own, Silicon Valley won’t necessarily take steps toward better security. Soghoian pointed out that following the PRISM revelations, many online companies (he specifically mentioned Google) started defaulting their services to SSL, which adds a layer of encryption. Previously, users had to find the 13th item at the bottom of a drop-down list in a settings menu; by changing it to the default for Gmail, Google encrypted a lot of communication all at once.
Snowden related a personal experience, from when he reached out to journalist Glenn Greenwald about the information he was willing to leak. About encryption technology, Snowden said: “It has to pass the Greenwald test. Any journalist in the world gets an email from somebody saying, ‘Hey I have something the public might want to know about’—they need to be able to open it.” For people to use cryptography regularly, it must be easy to use, Snowden said. “If you have to go to the command line, people aren’t going to use it. If you have to go three menus deep, people aren’t going to use it. It has to be out there. It has to happen automatically. It has to happen seamlessly.”
Beyond the Gmail/SSL example, and an exhortation from Snowden to the technologists present to design with encryption in mind, neither Soghoian nor Snowden really advocated a way to make communication through cryptography the default on the internet, especially when privacy runs up against those companies’ interest in advertising dollars.